1
INTRODUCTION
Responsibility
The central issue with compliance in banking can be best summed up in an exchange before the Parliamentary Commission on Banking Standards between a member of the Commission and the then Group Head of Compliance at Barclays Bank.
This exchange highlights both skepticism as to the effectiveness of the compliance function and confusion over its role: what is the extent of its responsibility? This raises the question of why have a compliance function if the scope of its role is too narrowly drawn? Does having a compliance unit add any real value? This book will explore these issues and suggest possible remedies.
The over-arching context is that the regulators need to operate via the compliance function and that of other controls since it is well-nigh impossible for regulators to operate directly upon a regulated firm. They do not know the processes, nor the products and services in any detail; and they lack both the resources and inclination to be ever present on site. They need to delegate the day-to-day job of regulation to the firm itself – it is for others, such as the compliance officer, within the firm to put the regulations into effect within the business. This is undertaken through the boards of the regulated firm, other senior executives and the various control functions. Of the latter, the compliance function is central.
What is meant by the term ‘compliance’ varies across jurisdictions, regulatory regimes and the types of businesses and markets involved. The next sections look at what may be encompassed by the term ‘compliance’ (largely in the United Kingdom and the United States), what the compliance function within a business is meant to do and the challenges faced by the function – including the need to improve the level of professionalism in compliance.
The aim of this book is to produce a conceptual framework for compliance. This concept must be capable of being set out clearly to staff within both the compliance function and the business and to other stakeholders, such as customers and regulators. Without this clear understanding of what compliance is trying to do and why, there is a strong risk of it losing direction and drifting towards ineffectiveness.
This work focuses on the United States and the United Kingdom but the issues have broader application. In addition, this work concentrates on financial services, and in particular, banking regulation. However, many of the issues have much wider application and may apply to other highly regulated industries such as pharmaceuticals, aerospace and the extractive industries.
A recent example of how the themes in this book may apply to other industries can be seen in the action taken by Ofwat, the UK’s statutory water regulator, against Southern Water in 2019. The company has had to pay a £3m fine and a further £123m in redress to its customers.2 The firm had failed in its statutory duties to treat sewage and had dumped ‘untreated effluent into beaches, rivers and streams’ and misreported the relevant data. It had ‘manipulated water samples for 7 years until 2017 so that the true performance of its sewage treatment works was hidden’.3 The issues were the result of ‘poor management and a failure to make the necessary investment in sewage treatment works’. ‘Southern Water, which is owned by a consortium of private equity and infrastructure investors including UBS Asset Management and JPMorgan Asset Management, now faces a criminal investigation by the Environment Agency, a separate regulator, which began investigating in 2016’.4
The water company suffered from poor corporate governance, a weak corporate culture and the lack of an adequate compliance function.5 The investigation found that ‘senior management within the Wastewater Operations division colluded to conceal the actual performance of [the treatment plants]. A culture of data manipulation was the norm and was accepted by staff across the division’.6 There were also ‘deficiencies in [Southern Water’s] organisational culture which prevented employees from being comfortable with speaking out about inappropriate or non-compliant behaviours’.7 These are all common themes which continue to reoccur in a variety of organisations considered in this book, including the scandal at the UK’s National Health Service Mid Staffordshire Trust and the circumstances leading to the Herald of Free Enterprise ferry disaster in Zeebrugge, Belgium in 1987, as well as in the UK and US financial services industry.
By way of clarification, throughout this work the term ‘compliance’ is used to cover both the compliance function within a bank, no matter how it may be described in the organisation charts within individual firms, and also the task of undertaking the compliance role.
What is required of ‘compliance’?
The Basel Committee requires that each ‘bank should have an executive or senior staff member with overall responsibility for co-ordinating the identification and management of the bank’s compliance risk and for supervising the activities of other compliance function staff’.8 This individual is known as the ‘head of compliance’ or ‘compliance officer’. The international standards set by the Basel Committee are then enacted by individual jurisdictions.
The UK’s Financial Conduct Authority (FCA) requires that all regulated firms ‘must establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees’ and so on.9 Firms ‘must, taking into account the nature, scale and complexity of its business, and the nature and range of financial services and activities undertaken in the course of that business, establish, implement and maintain adequate policies and procedures designed to detect any risk of failure by the firm to comply with its obligations under the regulatory system, as well as associated risks, and put in place adequate measures and procedures designed to minimise such risks and to enable the FCA to exercise its powers effectively under the regulatory system’.10
There is also a requirement for an individual who carries out the ‘compliance oversight role’ (i.e. the ‘compliance officer’) to be a ‘Senior Management Function 16’ under the Senior Manager and Certified Person Regime.12 Besides these requirements, the rules are somewhat vague about the role of the compliance officer.
The US Securities and Exchange Commission (SEC) requires investment companies and ‘investment advisers to adopt written compliance procedures, review the adequacy of those procedures annually, and to designate a chief compliance officer responsible for their administration’.13
The US Federal Reserve explained its approach and expectations of banks and compliance officers in a letter in 2008.14
What is the compliance function meant to achieve?
Put simply, regulated firms are required to comply with the regulations. However, attempting to comply with the ‘black-letter’ law of regulations is not sufficient. There needs to be both an analysis and understanding of what the rules are trying to achieve. Sometimes this is called following the ‘spirit’ as well as the ‘letter’ of the regulations. Simply ‘monitoring, assessing and advising’ sets a very low standard. In reality the regulators, rightly, expect much more. Further, the regulators constitute only one of the stakeholders, albeit a very important one. Others – such as customers, the media and politicians – with an interest in the regulated firm are likely to have their own expectations which may go beyond those of the regulators.
Compliance is much more than monitoring, assessing and advising – important though these tasks are. This book covers some of the basic requirements but also focuses on four broad, but central, expectations. These are to:
All these roles may be negated by numbing one’s thoughts and going along with the drift, abandoning the exercise of authority and, instead, keeping quiet and avoiding taking a stand.
Compliance function challenges
There have been many major compliance failures over the years in both the United Kingdom and the United States. Sharon Gilad in her empirical work found that firms, generally, have a considerable ability to self-justify and to rationalise their actions.15 For example, the Financial Services Authority (FSA) launched a major project in the early 2000s that required regulated firms to ‘treat their customers fairly’ (TCF). Her work found that in many regulated firms: