For many Compliance Officers and Managers, the ambition to provide the best possible compliance service for their firm every day is commendable, provided they first understand how and where their firm stands.

The first step is to identify the high-level activities of the firm and then tease out from that data the more detailed aspects and responsibilities: exactly where compliance is, or could be, impacted. This will help with future audits and regulatory visits, and it shows compliance and the rest of the business exactly where everything fits in.

This activity, although vast and sometimes complicated, is a fundamental necessity: it ensures that the foundations of the compliance department, and all the ideas, policies, controls, processes and procedures you implement on top of them, are not "built on sand".

To start, it is advisable to take a new notebook and cover the following rough sections:

  • each entity within your group, including appointed representatives, introducer appointed representatives and any other subsidiary or joint-venture partners with which your firm has entered into business.
  • each business unit and support department within each entity.
  • external service providers, including anything that may be outsourced, from IT to para-planning, legal to banking.
  • the regulatory jurisdiction in which you are operating. For most firms this will be the UK and at most Europe, although many firms these days offer offshore investment services. Within your jurisdiction you need to identify all of the regulators, any standards-setting or best-practice bodies that may have quasi-regulator status, and the obvious legislation, regulation, codes etc.
  • products, services and specific business activities across the front, middle and back office, as well as any general insurance, mortgages, and financial and investment planning.
  • common documentation used across all entities for regulatory matters such as disclosure, financial promotions et cetera, and any other relevant areas that may apply at the periphery.

For a medium to large organisation, perhaps a group, your list may look something like this.

  • Executive Committee
  • Retail/Group Functions
  1. Business Continuity Stakeholders (telephony, WAR site, utilities etc)
  2. Business Protection
  3. Internal Audit
  4. Group/Legal & Compliance (GC)
  5. Reporting & Tax (Financial & Regulatory, Trading etc)
  • Finance & Specialised Support (internal or external/outsourced)
  1. Financial Performance Analysis
  2. Group Intermediary Sales
  3. Subsidiary or AR Financial Planning Solution Firms
  4. Centralised Distribution Services
  5. Branch Network (Split regionally or by jurisdiction; i.e. IOM, CI etc)
  6. Operational Risk & Controls
  7. Lending Control
  8. Customer Strategy & Marketing
  9. Banking, Insurance & Investments
  10. Mortgages & Savings
  11. Digital Banking & Self Service
  • Risk
  1. Secured Credit Risk
  2. Commercial Credit Risk
  3. Unsecured Credit Risk
  4. Data, Systems & Organisation (internal, external exposures, shared or JV)
  5. Compliance Oversight
  6. IT Framework, Storage & Data Protection
  • Operations
  1. Operational & IT Strategy
  2. Business Transformation
  3. Customer Service & Operations
  4. Business Continuity
  • Extended Operations/Development
  1. Enterprise Development
  2. Group Services
  3. Digital Development
  • People Management – Corporate, Customers and Staff
  1. Operational Governance & Risk Management
  2. Business Partnering & Operations
  3. Corporate HR
  4. Customer Experience/Journey
  5. Corporate Communication & Corporate Social Responsibility
  6. Commercial
  7. Strategy & Planning (Disaster Recovery/Business Continuity)

Beneath these headline activities you will obviously have the "Heads of Department" or regulatory-responsibility type of functions. Under the impending Senior Managers & Certification Regime (SM&CR), most of these people will likely be "Certified Persons" reporting to a Senior Management Function (SMF) holder in one of the areas above. It is worth noting that, after the implementation of the SM&CR, people in these positions will fall under the definition in the new Code of Conduct Rules, COCON 1.1.2d: "a certification employee employed by a relevant authorised person, even if the certification employee has not been notified that COCON applies to them or notified of the rules that apply to them". A point worth remembering.

You will gather from this exercise that the requirements of a good Compliance Officer or Manager take you beyond the normal scope of compliance into legal and marketing, as well as governance, company secretarial and office management. As it is in your interest to build relationships with these additional areas, it is often best not to approach them with all guns blazing.

In gathering this information and immersing yourself in the knowledge of these other departments, you will find that others ask why you need to know how the IT system works, how a subordinated loan is treated for the owners, or even how the HR recruitment process works. You need to be confident in your response: even a broad understanding of the firm's activities helps put your own work into context, and therefore helps you identify compliance risks or potential breach areas.

When you are conducting your data gathering or fact-finding, you will sometimes have difficulty obtaining some of the information. There are usually only two reasons for this:

  • the information is not relevant to your business; for example, you may not have the background or remit to cover these areas in any shape or form, so strike it out and continue; or
  • the information is not readily available but is relevant to your business; for example, you have an outsourcing agreement but there seems to be no feedback, management information or data available regarding the provider's activities other than the level of activity. This obviously needs further investigation after your data gathering exercise, so that you can find out what is going on and implement any remedial action necessary.

I then like to map out, by business process or department, the handbook impacts (COND, SYSC, COCON, PRIN, COBS etc.) that I need to consider, and I do this on a spreadsheet. Secondly, I note the actual chapter and the rules or guidance that are relevant; see below.

I cannot stress enough that at this stage you should only be gathering and recording data, not forming opinions, criticising, proposing solutions or doing anything else that would jeopardise the overall exercise, your credibility or the respect of your peers.

Until you understand completely how everything inter-relates, or conversely does not, mapping out your territory so that you can see the bigger picture is a far higher priority than putting out bushfires that may randomly appear.

Mapping not only the regulatory but also the legislative impacts on your business provides an overview of your company's position. This work is a fundamental step and could be vital in preparing for the SM&CR over the next 12 months.

Contact Compliance Consultant to discuss how we can help you map your territory and build the foundations for a more robust compliance and risk function.

Author: Lee Werrell. Owner & Principal Consultant, CEO – Compliance Consultant

Lee has nearly 30 years Financial Services Experience and much of that in governance, compliance and risk areas. He achieved the Diploma in Investment Compliance in 2006 and was one of the first members of the Securities & Investments Institute to be Chartered when they received their Royal Charter in 2010.
