The Future of Compliance Compliance Functions As Strategic Partners in The New Regulatory World


Compliance functions as strategic partners in the new regulatory world

kpmg.co.uk
CONTENTS

© 2012 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.

4 Introduction
8 Risk Management Framework
12 Role of Compliance
16 Strategy
18 Structure
20 Monitoring
22 Resourcing
24 Management Information
26 Interaction with regulators

“Firms need to adapt to a new regulatory framework while dealing simultaneously with a vast range of other national and international regulatory reforms.”

INTRODUCTION
The global regulatory landscape is currently undergoing a fundamental change. In response to the recent financial crisis, regulators across the globe are focussing on a programme of more robust supervision of financial services firms whilst also introducing a raft of new regulatory initiatives to bolster the regulatory framework.

Changes in the UK regulatory architecture, with the moves towards ‘twin peak’ regulation and the Financial Services Authority (FSA) committing to a more intensive and intrusive supervisory approach focussing on both prudential and conduct risk, show that profound changes to the regulation of the global financial services industry are unlikely to let up any time soon.

A strong focus on improving transparency in markets and products, and on providing greater investor and consumer protection, is central to the substantial new regulation and updates to existing rules that are bearing down on the industry.

In the UK, firms need to adapt to a new regulatory framework while dealing simultaneously with a vast range of other national and international regulatory reforms: Basel 3’s higher capital and liquidity standards (for banks and investment firms), Solvency II reforms (for insurance companies), recovery and resolution plans, the final recommendations of the UK’s Independent Commission on Banking and additional requirements being discussed for systemically important financial institutions (SIFIs), among many others.

Recent experience has shown that even those firms that appeared well capitalised and risk aware have been subject to regulatory censure. No firm is exempt from the need for constant change and renewal. Failure to adapt to the changing regulatory requirements could have serious impacts for firms, both in their relationship with the regulator and in potential sanctions imposed by the regulator.

Amid expectations of greater transparency of board-level compliance reporting and pressures on the board to ‘own’ compliance, more needs to be done to position the function as an integral and strategic element of business.

“The financial crisis has tested the resilience of some of our most trusted financial institutions. Consumers’ trust in these institutions has also been tested by, amongst many things, the fact that products have been designed in ways that did not meet their needs, and some sales processes have put the profit of the firm ahead of the benefits for its customers.”
Martin Wheatley, FSA MD and CEO designate of the FCA, July 2012

How regulated firms (re-)structure their Compliance functions to respond to, or preferably pre-empt, these complex challenges will encompass the range of culture, strategy and people. Not only the function’s composition, but also its role and voice within the business and overall risk management framework, should be considered.

Although it is difficult to quantify the value added by Compliance, fines and censure can highlight the potential cost of non-compliance. The number of regulatory disciplinary cases initiated by the FSA has increased over recent years – 66% in 2011 v 58% in 2010. In 2010/11 the FSA also issued a record level of fines – £98.5m. Over more recent months, substantial fines have also been levied by the FSA on firms for large-scale failures in controls and oversight. These statistics point towards increased regulatory expectations on firms.

An effective Compliance function is key to identifying and mitigating risk, protecting the business from regulatory censure and protecting brand and reputation.

Leading firms will see these external changes as an opportunity to enhance the value-adding aspects of Compliance. Seeing the potential, but also recognising the limitations, in their Compliance functions will help them in the pursuit of growth as well as dealing with threats, creating competitive advantage and improving corporate value and reputation in line with growing stakeholder demands around integrity, accountability and financial stability.

We believe that there has rarely been a more opportune time for firms to rethink or build upon their compliance approach, assessing whether it is fit for purpose in the new regulatory environment and whether it will remain so in light of developments looming over the horizon.

Drawing on research, insights and experiences of working with financial institutions to explore the current and potential impacts of their Compliance functions, this report suggests ways in which firms might engage with emerging issues in order to ensure that their Compliance expertly and safely guides them through turbulent times.

Having reviewed current and impending changes to the UK regulatory framework, we provide an assessment of how we believe these changes will in practice impact the role and nature of Compliance within regulated firms.

Regulatory and Compliance arrangements are driven by the impact of regulation on the organisation and their risk appetite. The precise design of a compliance framework will therefore vary for individual firms. While there is no ‘one size fits all’ solution, our analysis focuses on the core considerations in how a Compliance framework may need to change in order to cope with regulatory change:

- Risk Management Framework
- Role of Compliance within the business
- Compliance structure
- Compliance strategy
- Compliance monitoring
- Compliance Management Information
- Resourcing
- Interaction with regulators
RISK MANAGEMENT FRAMEWORK

The FSA has been active in voicing its concern that Compliance functions should be independent from the business to ensure their effectiveness as risk management and corporate governance tools. In addition, firms are under pressure from the regulator to ensure that Compliance is a standing agenda item for senior management and the board to enable proactive management of regulatory risks – the criticism sometimes levelled being that regulatory compliance is a secondary concern for senior executives.
In analysing firms’ risk management frameworks we considered in particular the impact of regulatory change on:

- The structure of each organisation’s risk management framework, including whether or not they adopt the FSA’s traditional ‘3-Lines of Defence’ model, and where Compliance sits within the framework of each organisation
- The ownership of risk within the business
- Risk governance structures, including reporting lines for Compliance and where regulatory compliance risks and issues are considered within each business.

The FSA is already applying greater scrutiny to firms’ risk management frameworks. This is evident from the FSA’s supervisory framework (new ARROW) approach and it is likely to be a continued area of scrutiny for both the Prudential Regulatory Authority (PRA) and the Financial Conduct Authority (FCA) following the transition to twin peak regulation in 2013, although each entity will engage with the issue from different perspectives.

In our experience, the vast majority of UK financial services firms employ the traditional ‘3-Lines of Defence’ model, with clear demarcations between each line in the management of risk:

- First line: Business line management
- Second line: Risk and Compliance functions
- Third line: Internal Audit

Issues with these models tend to be around unclear or ill-defined spans of control and responsibilities between the lines of defence. In order that the risk management framework may operate effectively, it is vital for each element within the framework to have a clear understanding of its role, the risks it is tasked with managing, the tools at its disposal and how these can be deployed. The board and senior management team have a key role to play in setting the framework for their business and assigning responsibilities.

While we believe the 3-Lines of Defence model will continue to be the most appropriate model to allow firms to adequately identify, manage, and mitigate the risks to which they are exposed, firms must take a more holistic view of their risk management framework in order to ensure that all risks to which their business is exposed are captured. Firms will also need to understand where there are ‘touch points’ within the model, for example where a change in the risk profile of one part of the business will impact on other business areas.

The increasing weight of new regulatory legislation from the European Commission, coupled with the increasingly diverse and complex risks to which firms are exposed, means that firms need to ensure that no risks fall between the cracks. Undertaking annual exercises such as a Risk Inventory Assessment would provide comfort to both the board and the FSA that the business has identified all the risks to which it is exposed and is able to map those risks to where and how within the business they are managed and monitored. Firms that are able to demonstrate evidence of such risk mapping should ensure that they are on the front foot with the regulator.

OWNERSHIP OF RISK

Following the fallout of the recent financial crisis and criticism from the FSA that risk was not a sufficiently prominent feature of boardroom discussions, a clear expectation of the FSA is that Risk and Compliance is now owned by the board, with due attention on board agendas.

Current supervisory framework visits have reinforced this expectation. FSA investigations regarding governance require clear evidence of the extent to which the board has not only assumed ownership for Risk and Compliance but also actively considers matters such as risk appetite and risk profiles, and challenges risk and compliance management information.

In demonstrating ownership of risk within the business, the regulator expects boards to:

- Set the tone from the top
- Discuss and establish risk appetite
- Monitor key business risks and the business’s performance against risk appetite.

Key to this is the setting of ‘tone’ from the top of the business, as the FSA identified a primary contributor to the recent financial crisis as being the lack of a compliance culture within firms. Consequently, assessment of a firm’s compliance culture is attaining prominence in the FSA’s supervisory approach. Supervisory framework reviews are interviewing a broader spectrum of individuals than previously; although the focus remains on senior management, interviews are being increasingly conducted across and down through the business. This is set to continue with the FCA’s forward-looking, judgment-based approach to supervision.

In order to establish a truly compliant culture, boards need to drive evaluation of culture on an ongoing basis.

There does not necessarily need to be a single common mechanism by which boards exercise ownership of risk. Oversight may be delegated to a board sub-committee such as a Risk Committee. Ultimate responsibility must not be delegated, however, and clearly defined reporting lines must exist for the escalation of key issues.

A board’s ability to oversee and manage regulatory compliance can only be as good as the information it receives. Involved parties therefore need to know which regulatory compliance matters are reserved for the board if a compliant culture is to be effected.

KEY QUESTIONS TO CONSIDER

Do you have accountability for Risk and Compliance running throughout the organisation, and how do you ensure this?
Do you have a clear structure of ‘risk owners’ within the business?

STRUCTURE AND REPORTING LINES

It is important that firms are able to demonstrate the independence of the Compliance function, showing that it is a separately identifiable function within the organisation, led by a dedicated Head of Compliance and with clear reporting lines to senior management. There is a range of possible Compliance reporting lines, some being stand-alone, others reporting through Risk and still others via Legal Counsel. Paramount is that firms must be able to demonstrate that reporting lines are clearly articulated and operationally effective.

In addition, Compliance should enjoy direct access to the board (or to a board sub-committee tasked with overseeing regulatory risk) in the event that issues need escalating. Such direct access would be defined as the facility to approach the board (or board sub-committee) other than via a third party such as senior management.

The absence of a reporting intermediary serves to provide comfort to the regulator that Compliance has unfettered access to the board when the escalation of issues is warranted. Those firms which currently are best able to demonstrate this clarity in reporting have clear mechanisms via which the Head of Compliance reports to the Board. Where this reporting is a standing item on the Board agenda, this clarity in reporting to senior management will be further enhanced.

KEY QUESTIONS TO CONSIDER

Do clear reporting lines exist for Compliance? And how do you monitor the effectiveness of these?
Does your Head of Compliance feel he/she has adequate access to the board should there be a need to swiftly and directly escalate issues?
Is compliance a standing board agenda item? Does the Head of Compliance (or equivalent) routinely and regularly provide an update?

“Firms need to take responsibility for the way they treat their customers and make sure that good consumer outcomes are embedded throughout their business models.”
Martin Wheatley, FSA MD and CEO designate of the FCA, July 2012

GOVERNANCE STRUCTURES

A clearly defined risk management governance structure is a key element in demonstrating an effective compliance reporting framework and is an area of increasing focus by the FSA in order to assess relationships between key regulatory oversight bodies within the firm.

In the interests of clarity, firms should ensure that they have, as a minimum, an executive-level Risk and Compliance Committee tasked with monitoring and overseeing the regulatory compliance risks to which the business is exposed. The terms of reference of this committee should clearly set out the committee’s oversight role, matters reserved for the committee, and not only the management information the committee should receive but how the committee should use such data.

Depending on the size and scale of the business, a number of committees may be needed in order to consider the disparate exposures and risks. The committee(s) should report to a board sub-committee that is similarly responsible for the oversight and management of regulatory compliance risks, and ultimately up to the Board. Such a clearly defined risk governance structure provides evidence of strong ownership and accountability for compliance throughout the organisation.

KEY QUESTIONS TO CONSIDER

Does your governance structure evidence strong ownership and accountability for compliance within the business?
How many and what composition of committees are required to effectively handle the range and extent of risks and exposures the scale of your business generates?
ROLE OF COMPLIANCE

Firms need to have a clear vision concerning the role of Compliance. The debate can often be whether it should act in an advisory capacity supporting first line business management in discharging the firm’s regulatory obligations or whether it should have an oversight and enforcement role in monitoring business activities. In practice, future developments in the regulation space are most likely to require a combination of the two.

With an overarching goal of helping to guide organisations through regulatory changes and safeguarding them from the far-reaching implications of non-compliance (including but not limited to financial and reputational consequences), its role must evolve in line with regulators’ expectations and the emergence of new obligations.

In the context of the Compliance function’s role, we sought to analyse the impact of regulatory change on:

- The vision of Compliance within the business, including responsibilities and its operational mandate
- Management of regulatory compliance risks within the business.

VISION OF COMPLIANCE

At the highest level, the strategic vision of Compliance should be defined and set by the board in formal terms of reference.

Broadly speaking, the role of Compliance should be to take the lead in identifying and managing the significant regulatory compliance risks to which the business is exposed, including:

- Designing and supporting a regulatory risk framework for the business
- Supporting and challenging business line management regarding the completeness and accuracy of compliance risk management activities, including identification and measurement
- Providing advice to business units on regulatory obligations and on the creation and implementation of regulatory compliant policies and procedures
- Monitoring the organisation’s compliance with relevant laws, regulations and internal risk policies
- Reporting on compliance matters that warrant the attention of senior executives.

KEY QUESTIONS TO CONSIDER

Do you have a formally stated, clearly articulated vision for Compliance?
Has the board approved the strategy for Compliance to meet its objectives?
Does the business have clear mechanisms for measuring the performance of Compliance against strategy?

PRAGMATISM SHOULD PREVAIL

In considering the future role of Compliance, firms must determine whether Compliance should act as a review, oversight and monitoring body, independent from the first line, or whether it should act as a partner to the first line, being a guide and sounding-board to help prevent regulatory breaches from occurring.

The debate must also take into account the function’s level of independence: while distance from the first line enhances objectivity and independence of oversight and monitoring, a closer working relationship with the business allows greater direct involvement in avoiding regulatory problems.

The stated objective of the FCA to take a more “forward-looking, proactive, judgment-based (approach to) supervision…crystallisi(ng) the change from the old style reactive approach to the new style proactive approach” would imply that there is a strong case for Compliance functions to act as a partner to the business in explaining the regulatory responsibilities of the business, helping to frame regulatory compliance policies and acting as a guide to help prevent regulatory breaches from occurring within the business. The recent fall-out from Payment Protection Insurance (PPI) and pension mis-selling makes a strong case for more direct involvement of Compliance in the business.

Financial institutions will increasingly rely on Compliance functions to help them interpret and apply new legislation arising from the European Commission. However, to ensure compliance, the monitoring role remains key.

To get the balance right, therefore, pragmatism may dictate a combination of guidance and monitoring activities, whereby Compliance takes both an advisory and monitoring role:

- Advisory: to partner with the business and provide guidance on the interpretation of regulatory requirements, and delivery of operations in line with the firm’s regulatory risk appetite
- Monitoring: to undertake independent compliance monitoring of the business against the firm’s regulatory risk appetite.

To retain the independence of each of these activities, however, it is important that these activities are undertaken by separate teams within the Compliance function.

Horizon scanning is a further, crucial area of responsibility for Compliance, particularly so in a fast-moving regulatory environment. Timely identification of legislation that will have a direct or indirect impact on the business is vital, with subsequent escalation to senior executives, assessment of the likely impact on the business and its risk profile, and of course designing the firm’s response. Only a minority of firms currently set an explicit expectation that Compliance should actively review upstream risks and assess the impact of ongoing regulatory developments.

PRUDENTIAL RISK MANAGEMENT

With the impending move to twin-peak regulation, consideration needs to be given to how and where prudential risks will be managed.

The FSA has confirmed that retail deposit-takers, insurers and major investment firms will be dual-regulated going forward. Where this is the case, we believe that prudential risk management should be performed outside of Compliance. It should rather be owned by Risk, Finance or a combination of the two due to their more appropriate skill-sets and expertise.

Interaction with the two regulatory bodies is a further area for discussion. We believe that for firms that are dual regulated, the relationship with the PRA should be owned by Risk and/or Finance with oversight from Compliance as a key regulatory relationship stakeholder. For firms that are regulated solely by the FCA, the regulatory relationship should be owned by Compliance with the support of the Risk and/or Finance function. This arrangement would ensure that there is a single, primary point of contact for the regulator through whom correspondence and dialogue can pass in order to ensure the firm adopts a consistent stance.

KEY QUESTIONS TO CONSIDER

Has your business clearly split responsibilities for the ownership of prudential compliance?
Have you considered how these responsibilities will look in the new world of twin-peak regulation and which function will be the primary contact for the PRA and FCA respectively?

IDENTIFYING AND MANAGING REGULATORY RISKS

We observe growing regulatory scrutiny of the manner in which firms identify and manage regulatory risks. As a key element of the current supervisory framework reviews, it will become increasingly important in the near future with the rising weight of new regulatory legislation with which firms must comply.

Going forward, regulatory risk assessment should be undertaken by the first line in the business but responsibility lies with Compliance, which must conduct due oversight and challenge. Under this arrangement, the first line would be able to apply its knowledge of its specific operations, operating environment and market to assess the regulatory risks to which it is exposed. Compliance would then oversee this process in order to challenge the business on the identified risks, overlaying its knowledge to identify additional, non-operational-specific risks.

Key to this operating effectively is clear allocation of responsibilities between the first line and Compliance, ensuring they are understood.

“We want firms to have a culture which encourages individuals to make the appropriate judgments and deliver the outcomes we are seeking. At all times we want an institution to act with integrity.”
Hector Sants, FSA CEO, October 2010

Currently within both retail banking and insurance, responsibility for the identification, assessment and measurement of regulatory risks rests with Compliance in around half of organisations, while in the other half it lies with line management, supported and challenged by Compliance. In all cases, Compliance is involved in identifying and assessing regulatory risks in each business line, whether directly or through providing assistance, support and challenge to line management.

The board should review, challenge and ultimately sign off on regulatory risk assessments. This evidences good governance, oversight and the active involvement of senior management. In order to comply with expected European Commission legislation, we expect this risk assessment and understanding of regulatory risk profile to be an annual exercise.

The majority of financial services firms currently involve the board via board sub-committees (risk and/or audit committees) in the oversight and governance of regulatory risks identified by the business. What will be important in the future is the extent to which the committees understand their role in ensuring a sound regulatory control environment and in challenging senior management.

KEY QUESTIONS TO CONSIDER

Are responsibilities for identifying regulatory risks within the business clearly allocated?
How do you ensure regulatory risks are adequately identified? Does Compliance have a prominent role?
Are committee responsibilities for the oversight of regulatory risks clearly defined?
Are there any potential areas of overlap or a danger that risks may fall between the cracks?

STRATEGY

A viable and effective Compliance strategy should be driven by the business’s regulatory risk profile and the risk appetite set by the board, ensuring an appropriate Compliance role, adequately resourced and directed in enabling the business to manage and mitigate its regulatory risks.

“We will have a greater expectation of a strategic approach to the conduct agenda and senior management and board engagement in it.”
Clive Adamson, Director of Supervision, Conduct Business Unit, FSA, January 2012
In addition, recent FSA supervisory activity has shown a distinct expectation of the board’s involvement in developing and approving the Compliance strategy, thereby helping the board to discharge its responsibility to oversee and manage the risk profile of the business.

In analysing the Compliance strategies employed by firms reviewed, we have sought to understand the impact of regulatory change on the following elements:

- Formulation and communication of risk policies
- Development of an overarching Compliance strategy for the business.

TAILORED RISK POLICIES

As the regulatory environment evolves, the development and maintenance of risk policies becomes increasingly important. A formal process for policy design and approval will enable firms to put in place policies that are robust and appropriate, whilst on-going monitoring and maintenance will facilitate them remaining appropriate.

Risk policies should reflect the regulatory environment of the individual firm, mitigating the regulatory risks to which it is exposed through its operations.

Firms that recognise the link between regulatory risk assessment and the development of risk policies may better tailor policies to specific risks.

With increasing expectations from the regulator that senior executives will be involved in the oversight of regulatory compliance matters, a process for senior management approval for all risk policies is essential.

Risk policies of the majority of financial services firms with which we have worked are currently designed at group

KEY QUESTIONS TO CONSIDER

Does your business have a clear and effective structure and process for the design and approval of risk and compliance policies?
Is there also a clear and regular process for the on-going monitoring of risk policies to ensure that they remain appropriate and robust?

COMPLIANCE STRATEGY

2011 was a year of substantial change and forward planning across regulatory systems and approaches and in the nature, scope and reach of the overall regulatory environment.

From a strategy perspective, the role of a financial institution’s Compliance function needs first and foremost to be mindful of the four pillars around regulatory change:

1 Prudential implications:
- Determining who is accountable for what in terms of the prudential side of, inter alia, planning asset and cash management and liquidity management
- Understanding what challenges the regulator is likely to set in terms of the amounts of capital firms must hold – in both Pillar 1 and Pillar 2.

2 Firms’ approaches to:
- Governance and decision-making
- Planning and strategic execution.

3 Understanding the customer agenda:
- In terms of customer covenants, which flows in terms of Europe from PRIPS, the IMD, MiFID 2 and other regulations likely to concern relevant products such as mortgages. The focus is generally on customer engagement and is increasingly on

Compliance plays a critical role in all of these considerations.

CUSTOMER-CENTRICITY

Of particular concern to firms will be the regulator’s renewed focus on the customer agenda, especially with the FCA’s remit to ensure fair customer outcomes and to protect and enhance the integrity of the financial system.

Press coverage over PPI mis-selling has demonstrated the cost of getting compliance wrong in the customer sphere. As the eye of the FCA becomes increasingly trained on the way in which firms interact with customers, firms need to recognise the role of Compliance in monitoring interactions with customers, and also to ensure this role is built into the Compliance charter and strategy.

Far from being a ‘tick the box’ function, Compliance is key to protecting brand values and reputations in managing the way the business interacts with customers – from the perspectives of advisory (developing risk policies and procedures, etc.) and oversight (monitoring and upward reporting).

It is therefore essential that firms have a clear idea of the role of the Compliance function in customer interaction, that this is clearly articulated and understood throughout the business, and that Compliance is equipped with the necessary tools to meet these expectations.

We observe in most cases that firms have a compliance strategy in place, in which the board is involved and which it approves via its Risk Committee. Such strategies are typically in place either via a charter or a mandate and, in some cases, as part of the annual compliance plan.

KEY QUESTIONS TO CONSIDER

Does your business have a clear Compliance
firms ‘getting it right’ with minimal strategy with a robust, proactive mechanism
level by a Group Risk Committee. This adjustment where necessary - failure
risk function typically owns the risk for ensuring that applicable regulatory
to do so invites considerable pressure change is implemented and embedded in a
policy, being responsible for identifying from the applicable regulatory body,
risk and reviewing risk assessments timely manner?
raising questions about strategic
carried out by individual business decision-making. Does your Compliance function have a
segments. prominent and defined role in overseeing
4 Firms’ control infrastructures, customer interaction to ensure that good
Responsibility within a small number comprising: customer outcomes are achieved?
of organisations is held at board Risk
Committee level, while an even smaller - Internal infrastructure: internal sys­
proportion delegate it to individual tems and controls
business segments.
- External infrastructure – external /
In the vast majority of firms, risk third-party systems such as BACS
policies are ultimately approved by the and BCP exchanges. Firms will be
board through its Risk Committee. required to demonstrate and evidence
how external systems are engaged
as part of business-as-usual and how
they are integrated and managed
accordingly.

STRUCTURE
Compliance function structures have come into greater focus over recent years, tending to adhere to either a centralised or decentralised model, the choice of which is dictated largely by the extent of the organisation’s global presence and diversity of its business operations.

[Diagram: Centralised model and Decentralised model. Labels in the figure: Board and board sub-committees; CEO; Group Compliance; Division A, Division B and Division C senior management; Division A, B and C Compliance.]

In analysing the structure of Compliance within firms reviewed we have sought to understand the impact of regulatory change on the following elements:

- Whether organisations employ a centralised or decentralised Compliance structure
- Compliance presence within divisions and reporting by divisional teams to Group Compliance
- Interaction between Group Compliance and divisional Compliance teams.

“What we have learnt from the past is that things go wrong when business models are not based on a sound foundation of fair treatment of consumers, and a strong culture that supports this, leading to products being sold that are not suitable for those buying them.”
Clive Adamson, Director of Supervision, Conduct Business Unit, FSA, June 2012

The importance of designing and operating the right compliance model is growing. Compliance models serve to flesh out and articulate a firm’s overall regulatory compliance framework. The increasingly intensive and intrusive supervisory approach under twin peak regulation will look at the appropriateness of firms’ compliance models in the context of the size and scale of the business. This may provide the regulator(s) with comfort that not only are the firm’s key regulatory risks being identified, monitored and mitigated, but that the senior management team has adequate oversight over this process.

Our opinion is that there is no single optimal Compliance model. Models tend to be tailored to firms’ specific profiles. Global, diverse operations tend to be organised on a decentralised basis, as this provides the business with a greater degree of compliance insight into, and oversight over, local operations.

Due to the increased regulatory supervisory focus on firms, we are seeing a notable increase in the extent to which the regulator challenges firms’ Compliance structures. In part, the regulator is seeking to assess the extent to which a compliance model is sufficiently well designed and resourced to enable the identification, management, monitoring and reporting of regulatory risks posed as a result of the structure and operations of the business.

Financial institutions therefore need to ensure that they not only have a well-designed compliance structure tailored to the specifics of the business, but also that this is clearly set out and articulated.

KEY QUESTIONS TO CONSIDER

How have you ensured that your compliance model is fit for purpose for the business in the new regulatory world?
Are you confident that the level of compliance oversight and monitoring is adequate, and that there are clear reporting lines to the board?

DIVISIONAL COMPLIANCE PRESENCE

The majority of organisations should have some degree of Compliance representation within divisions and/or business units. This can range from embedded Compliance resources within the business lines to divisional Compliance teams advising and overseeing the business lines’ activities.

Of increasing importance going forward is that firms ensure Compliance retains a strong presence throughout the business, while retaining the independence necessary of a second line monitoring and oversight function. This may give rise to particular problems where firms have compliance resources embedded in the first line of the business.

In reviewing their Compliance structures, firms must retain the delicate balance between advice and oversight. A solution could be to ensure that formal reporting lines are in place whereby those Compliance resources embedded in the first line report only to Compliance, with no formal reporting to business line management. Remuneration should also remain the domain of Compliance, with resources not being assessed against objectives or Key Performance Indicators (KPIs) that are inconsistent with the wider Compliance team.

The majority of financial services firms presently operate a Compliance presence within their various locations and/or divisions, while to a lesser extent some firms have no local Compliance presence and rely on a central Compliance function to oversee the entire operations of the business.

KEY QUESTIONS TO CONSIDER

Are the roles and responsibilities of group and divisional Compliance clearly articulated and understood within your business?
How have you defined the role of group and divisional Compliance, and do the defined roles provide comfort that regulatory risks are being managed effectively?

“Firms should ensure that their systems and controls, including competence of employees, keep pace with any changes in their strategy and business model, and with any new services the firm is offering.”
Retail Conduct Risk Outlook, 2012

MONITORING

Compliance monitoring is central to providing assurance to senior management that the business is adequately managing its regulatory risk exposure and that the controls and policies in place to manage these risks are effective. The recent financial crisis has led to a growing appreciation of regulatory risk as a key component of a business’s overall risk profile. A clearly defined programme of risk monitoring is vital and without this, the identification of risks, which is a core element in risk management, means little.
Indeed, a key requirement of the FSA’s ‘SYSC’ rules is that Compliance monitors and assesses the adequacy and effectiveness of the risk management measures in place. Some tensions may arise, however, between Compliance’s roles in providing advice and guidance to the business and that of performance monitoring. In this respect, it is important that firms are able to demonstrate that monitoring is independent.

Reporting of compliance monitoring activity is also an important consideration, especially how and to whom results are reported. The FSA’s expectation is that monitoring activity will be reported in some format to the board; however, the content and format of this reporting varies between firms.

In analysing the activity of compliance monitoring within firms reviewed, we have sought to understand the impact of regulatory change on:

- The design and direction of compliance monitoring activity
- Reporting of compliance monitoring results.

DESIGN AND DIRECTION

The Compliance function has traditionally been concerned primarily with advice and monitoring around conduct. This raises the question of how it ensures a compliance culture is embedded within a firm, in turn ensuring the constituent parts of the business are joined-up. This is set to grow as a challenge and compliance monitoring must come to terms with the ‘new normal’ of tougher, more aggressive supervision. Partly as a result, firms are expressing concern over booming legal and non-legal compliance costs.

The fact that cultural change is embedded in the firm must be clearly demonstrated. Looking at the change process relating to regulatory change around, for instance, RRP: if the business is not fully engaged, it will fail to be fully effective. There is thus a need for an understanding of the change process throughout the business.

A further major issue that firms must consider is how to determine the firm’s compliance universe:

- What does it look like in its entirety?
- How are monitoring accountabilities and responsibilities allocated through the business (e.g. clear demarcations between Compliance and Internal Audit responsibilities)?
- How does the firm define qualitative and quantitative measures to provide assurance that applicable compliance risks are being captured and monitored? Some responsibility may lie with the Compliance department, some on other parts of the business such as Operations Risk.
- How does it all fit together – who will be the ‘ring-master’, ensuring that when people need to be engaged, they fully understand the agenda?
- Where does the compliance monitoring function sit within an organisation (should it be an advisory or a monitoring department or both?)
- Is monitoring akin to audit or day-to-day oversight?
- Which elements of the Compliance function sit within the Compliance department and which within the business?
- In terms of the direction of compliance monitoring, how is the related information collated, irrespective of where it sits, both in terms of responsibility and accountability?

Compliance monitoring must get tougher if it is to meet the challenges and adequately cover the areas in which the FSA will show greater interest, such as:

- Product governance
- Outsourcing (particularly data security risk and business continuity on termination of a contract)
- Deep dives into client assets and the new realm of suitability and appropriateness (i.e. looking not just from a sales advice perspective, but earlier in the process from development, target markets and distribution channels)

Formally approved compliance monitoring plans are a must, as are the right resources in terms of quantity and quality to deliver the plan. Beyond this, it is the risk appetite statement and the tolerance levels underpinning it, as set by the board, that drive compliance. Well articulated statements and tolerance levels provide a clear view regarding the level of risk a company is willing to take, consequently setting Compliance a clearer remit when performing its monitoring activities.

REPORTING OF MONITORING RESULTS

Given the FSA’s increased focus on the involvement of senior management in the oversight of regulatory compliance, it is imperative that firms build a clear reporting structure into compliance monitoring plans in order that instances of non-compliance can be escalated to senior management once they are identified.

While the exact nature of this reporting can be established according to each firm’s specific needs, as a minimum Compliance functions should report instances of non-compliance via the Risk & Compliance Committee, Executive Committee and, subsequently, the Board Risk Committee or Board Audit Committee. This reporting mechanism allows senior management teams to be aware of instances of non-compliance as they occur and to assess the potential impact on the firm.

KEY QUESTIONS TO CONSIDER

Do you have a risk-based compliance monitoring plan in place to guide compliance monitoring activity within the firm?
Is this plan subject to regular review to ensure that it remains appropriate for the risk profile of the business?

RESOURCING

FSA rules require firms to ensure that the Compliance function has the necessary resources to undertake its responsibilities and to provide relevant assurance to the business. Indeed, quality and quantity of resourcing is a critical success factor for any Compliance function to fulfil its responsibilities within the agreed risk appetite.

Profit and capital protection has recently been behind a freeze on hiring and discretionary spend within many financial institutions. However, evolving UK regulation requires firms to invest in their control and assurance functions, not least Compliance. As a result, firms are attempting to strike a balance between reducing overheads and maintaining a robust and effective Compliance function.

This inherent tension can best be summarised by a consideration of:

- Costs of compliance, including staff salaries, benefits and training as well as space and associated technology costs; versus
- Costs of non-compliance, including financial penalties, remediation costs, suspension of business/business disruption, impacts on cost of capital and market share.

Given the FCA has been clear that supervision will be more intrusive and they will be making pre-emptive judgments on products and circumstances deemed unsuitable, it is increasingly vital that Compliance functions employ experienced Compliance Officers who are able to challenge the business prior to the FCA seeing a need to.

In analysing firms’ current arrangements we have sought to understand the impact of regulatory change on:

- The number of FTEs within Compliance functions
- Responsibility for resourcing and remuneration of Compliance.

RESOURCING

Despite the greater supervisory challenge expected from the FCA, a knee-jerk reaction of increasing Compliance resourcing may not necessarily be right. Firms should instead spend the meantime re-evaluating the role of Compliance and ensuring that its remit is well articulated and embedded within the business. Only when such decisions have been made by the board can firms turn their attention to required resourcing levels. Throwing resources at the problem will not fix it if the framework itself is broken.

An important area for firms to consider in their Compliance resourcing is the split between their advisory and monitoring teams. As discussed earlier in this report, an effective Compliance function must strike the right balance between advice and monitoring. Ensuring the correct split of resources between these two teams will permit more rigorous testing and additional reviews to be undertaken to provide assurance to stakeholders (backward-looking – ‘reactive’) and to ensure potential issues are dealt with proactively (forward-looking – ‘pro-active’).

Although Compliance teams may not necessarily need expanding even given the new regulatory supervisory approach, they will need to ensure they have sufficient experienced Compliance officers with the right mix of skills to cope with new regulatory initiatives (e.g. Solvency II, RDR etc.) and who are capable of challenging the business effectively.

From our work in the industry we have found that there is no optimum Compliance resourcing model. Risk and Compliance resources are, instead, largely dictated by the size of a business and the regulatory risks it faces:

- Size of the business
- Structure of the business
- Nature of the products sold by the business
- Wider risk management structure
- Nature of the distribution network.

Our review of current arrangements shows that the majority of organisations in the retail banking sector employ 51 to 100 FTEs in their Risk and Compliance functions. The largest resource pool identified was in excess of 500 FTEs. Of those retail banks analysed that have a wide global presence, 60 percent had more than 200 FTEs within their Risk & Compliance functions.

[Chart: Retail banks]

Responsibility for ensuring adequate and appropriate resourcing of the Compliance function should lie with the Head of Compliance. Emerging UK and European regulations re-shaping the market will affect banks, insurers, investment firms and corporates. The skills profile of a well designed Compliance function should be tailored to the regulatory initiatives on the horizon with which Compliance will have to deal. If Compliance functions fail to retain the right skill sets they will not be able to provide the advice required by the business. The Head of Compliance must ensure that their team has the right skill set mix to be able to deliver a holistic approach to these inter-connected regulations. Equally, the Head of Compliance must be able to recruit the right people that set the tone and culture to enable them to lead their part of the business.

Regulatory risk should be afforded as much importance as credit or market risk and, as such, the Board Risk Committee and senior management must be satisfied that it is adequately resourced. We would expect the Head of Compliance to present at least annually to senior management on resourcing matters. In this respect we would also expect to see resourcing overseen by formal committees at either executive or board level.

KEY QUESTIONS TO CONSIDER

Is your Risk & Compliance function sufficiently robust to challenge the business effectively?
Have you recently revisited your Compliance resourcing model? Do you feel you have sufficient coverage to manage the regulatory risks to which you are exposed, as well as increased regulatory supervision?

SETTING COMPLIANCE REMUNERATION

The Head of Compliance should be responsible for setting the responsibilities of Compliance Officers, thereby protecting the Compliance function’s independence by ensuring that first line senior management does not dictate the remit of Compliance.

As regulatory risk should be afforded the same importance as credit or market risk, we would expect remuneration of the Head of Compliance to be reviewed and set by one of the Audit Committee, Risk or Remuneration board sub-committees and to be in line with other department heads. Having a board sub-committee responsible for remuneration helps to maintain Compliance’s independence from business line management.

Increasingly, firms include Compliance soft metrics in a balanced scorecard to appraise and evaluate business line management. This move towards compliance-based remuneration is an effort to embed a compliant culture within firms. Given the increased emphasis on regulatory compliance within firms and the increasingly intensive and intrusive supervisory approach of the regulator in the UK, we would expect to see an increase in this measurement of compliant culture and behaviours in remuneration.

KEY QUESTIONS TO CONSIDER

Have you considered the ‘compliance’ impact on remuneration within your business?
Are employees appraised using a balanced scorecard which includes ‘compliance’ metrics?

MANAGEMENT INFORMATION

Much criticism has been levelled at financial institutions following the financial crisis to the effect that Compliance information was of insufficient detail and not escalated to senior management when appropriate.

The regulator’s expectation of Compliance Management Information (MI) broadly extends to ensuring that firms have in place a reporting framework that seeks to ensure the proper and effective reporting of key regulatory risks and issues, with escalation to the appropriate board committee.

In analysing the nature of Compliance MI within firms reviewed we have sought to understand the impact of regulatory change on:

- Where and to whom Compliance MI is reported
- The content of Compliance MI
- How senior management is appraised of regulatory compliance risks and any identified material breaches of FSA rules.

EXECUTIVE LEVEL REPORTING

The sign of an effective Compliance culture is not necessarily the structure in place but the quality of Compliance MI generated and reported upwards. If the MI quality is poor or is not reported through the appropriate channels, senior management cannot have a clear understanding of how well the organisation manages its regulatory risks.

All organisations should operate a reporting mechanism for Compliance MI to executive level committees, which should be either Executive Risk Committees or dedicated Compliance Committees, ensuring the information reaches the appropriate audience.

Where necessary, Compliance MI should be escalated to more than one of the Executive Committee and other executive level committees such as the Risk Committee and Operational Risk Committee.

The format and content of Compliance MI provided to executive level committees should focus on demonstrating the effectiveness of established processes in order to ensure the business’s compliance with relevant laws and regulations. Compliance MI should encompass consolidated Compliance reports from individual business units and locations where appropriate.

Effective Compliance MI presented to Executive committees by organisations should include:

- Regulatory risk assessment results and KRIs
- Results from compliance monitoring activity
- Updates on risk mitigation actions
- Updates of Compliance issues
- Policy breaches and notifiable events
- Treating Customers Fairly (TCF) metrics
- Incident reporting
- Product complaint trends
- Regulatory fines
- Consideration of new/revised regulatory requirements (horizon scanning)
- Compliance training actions.

Compliance MI should also be calibrated so that it is consistent with the risk appetite set by the board. This will ensure that the business reviews those metrics which best align to the risk appetite of the firm. Calibrating RAG triggers and including forward-looking metrics will also be essential in ensuring senior management receive Compliance MI that is of maximum use to the business.

MI should be tailored to the size and operations of the business, with organisations having a global presence and wide service offerings generating a greater level of MI.

Typically, Compliance MI should be presented to executive level committees by the Head of Compliance (or equivalent member of the management team tasked with responsibility for regulatory compliance).

BOARD COMMITTEES

Submitting Compliance MI to the board, primarily via board sub-committees (Risk Committee, Audit Committee, or both), ensures key Compliance MI and regulatory compliance matters are escalated to board level attention.

In the majority of financial services organisations both the Board Risk Committee and the Board Audit Committee have a role in the oversight of Compliance matters and have some form of Compliance MI reporting into them.

Where Compliance MI is provided to both the Risk and Audit sub-committees, information tends to be split as follows:

- Risk Committee: Regulatory risk MI
- Audit Committee: MI regarding the effectiveness of regulatory framework controls.

Compliance MI presented to board sub-committees should be less detailed than that presented to executive level committees. However, its quality and quantity should be sufficient to enable senior management to understand how well the business is managing the regulatory risks to which it is exposed.

Typically, Compliance MI presented to these committees will be a summarised format of the information provided to executive level committees and should include:

- Material regulatory compliance matters
- Details of regulatory contact (including inspection, disciplinary matters and emerging development)
- Risk assessment results
- Compliance monitoring exceptions/any other monitoring of regulatory controls
- Updates on risk mitigation actions.

USE OF COMPLIANCE MI

An observable focus of FSA supervisory framework visits is not only on the quality of Compliance MI provided to senior management and the board, but also how that MI is used and challenged. Compliance MI therefore needs to be useable above all else.

If Compliance MI is neither challenged nor acted on by the business then it is debatable whether the Compliance environment is subjected to sufficient senior management scrutiny.

If firms are unable to demonstrate to the FSA examples of when Compliance MI presented has caused debate and challenge within executive level committees and the board, it is likely the FSA will view the MI as unfit for purpose or raise concerns over senior management’s oversight. Ensuring that MI is not only escalated but also actively debated is essential.

The frequency of board sub-committee meetings is also a key determinant in assessing how well Compliance MI is used by senior management. We would expect board sub-committees tasked with the oversight of regulatory compliance to meet at least four times per annum. This would be the minimum frequency required to demonstrate active and engaged senior management oversight of regulatory risks. The FSA’s opinion notwithstanding, we believe this minimum frequency of meetings to be good business practice as it allows for regular analysis and understanding of the firm’s risk profile.

KEY QUESTIONS TO CONSIDER

Does your Compliance MI cover the range of regulatory risks to which the business is exposed and is it calibrated to risk appetite?
Does it provide to the senior management team a detailed understanding of whether the firm is compliant with the FSA’s rules?
Given the FSA’s expectation that risk will be ‘owned’ by the board, are you confident that the level and detail of Compliance MI presented to the board is adequate to meet this expectation?

“For those firms subject to dual regulation by [PRA] and FCA, they will receive independent but coordinated supervision from FCA/PRA.”
Clive Adamson, Director of Supervision, Conduct Business Unit, FSA, January 2012

INTERACTION WITH REGULATORS

Given the changes in the regulatory environment, supervisors are emphasising stress-testing of business plans, reviewing business models and scrutinising corporate governance and remuneration incentives. In this uncertain and shifting landscape, financial institutions need to develop closer relationships with supervisors and reach a shared understanding of what is required to meet these higher standards.

Regulators are unsurprisingly among the industry’s most important stakeholders, although the degree to which firms have in the past proactively fostered open and on-going communication with them has varied. Going forward, firms will need to ensure they have a defined protocol for managing their interaction with regulators, especially where oversight will be undertaken by both the PRA and the FCA. In general, the Compliance function should be the central hub via which all interaction with the regulator is channelled, ensuring that there is one contact with a full understanding of the regulator’s approach and of the standards to which the firm is held to account, and aware of all issues and communications between the various bodies.

Fostering this relationship, encompassing open dialogue and on-going communication, should help firms navigate the changing regulatory landscape and mitigate the potential for misinterpretation of the regulatory rules and approach.

In analysing responsibilities for interacting with the regulator within the firms reviewed, we have sought to understand the impact of regulatory change on:
- Responsibility for interaction with the regulator
- Responsibility for interaction with the regulator on prudential matters
- Board and senior management oversight of interaction with the regulator.

RESPONSIBILITY FOR REGULATOR INTERACTION

Maintaining open and constructive lines of communication with the regulator(s) is increasingly important. Firms that are best able to manage their relationship with regulatory stakeholders are likely to be best placed to adapt to changes in the regulatory structure.

Where a firm is dual regulated, we believe there should be one contact holding the relationship for both PRA and FCA matters, as the two are often inter-linked. For example, any systemic failure with payment systems would affect prudential matters, and equally liquidity management and recovery and resolution planning will have an impact on conduct. With the PRA’s and FCA’s divergent objectives, it is key that one person acts in the firm’s interest to avoid the development of a chasm. We would expect this ultimate responsibility for liaising with the regulator to lie with the Head of Compliance, who has a full understanding of the organisation’s regulatory affairs.

Most important in designing a firm’s regulatory relationship structure is a clear understanding of roles and responsibilities. A key future aspect of interacting with the regulator(s) is the need to present a consistent message as to the firm’s regulatory risks and how these are being managed. This consistent message cannot be achieved if senior management is unclear who owns the relationship.

Currently, ultimate responsibility for the relationship with the regulator lies with one of the following:
- Chief Risk Officer
- Board or Board Risk Committee
- Head / Regional Heads of Compliance.

In the majority of cases in the financial services sector, the Compliance function presently owns the relationship and reports to the FSA on non-prudential matters. More often than not it is the Head of Compliance who interacts with the regulator; however, some firms have a decentralised approach whereby the FSA maintains contact with individuals in each business area / function, meeting the Head of Compliance on a quarterly basis.

KEY QUESTIONS TO CONSIDER

Are there clearly defined responsibilities for interaction with the regulator within your business?

Is there a central point of contact who owns the relationship with your regulatory supervisor? If not, how does the business ensure that consistent messages are being relayed to the regulator?

How are you planning for regulatory interaction in the ‘twin peaks’ regulatory environment? Do you understand how this might work in practice, particularly in the event of dual regulation?

RESPONSIBILITY FOR INTERACTION ON PRUDENTIAL MATTERS

Our observations across retail banking and insurance show that it is common for Finance to have responsibility for prudential matters, due to the nature of the work. As such, conversations with the regulator are held directly with the Finance division, though it remains important that such conversations are shared with the Head of Compliance on a regular basis to facilitate awareness of all potential issues and coordination of consistent messages.

Firms should develop a more joined-up approach to interacting with the regulator(s), which involves a collaborative approach between Finance, Risk and Compliance.

OVERSIGHT OF INTERACTION WITH THE REGULATOR

We recommend that a committee, such as the Board Risk Committee, takes a role in the oversight and on-going monitoring of regulator interaction. The terms of reference of this committee should formally include the oversight of regulatory interaction and communication.

This requirement would provide a formal senior management forum which could assess on-going communication with the regulator(s) and also assess the cumulative impact of regulatory communication on the firm.

Currently, oversight is predominantly achieved via the Board Audit or Risk Committee, which receives regular reports from Compliance with a summary of communications with the regulator. In some cases this varies by virtue of executive committee members conducting private meetings. We recommend that regulatory interaction is reviewed and assessed at least monthly in order to provide senior management with a regular understanding of the messages communicated to the regulator(s) and of all current open issues.

KEY QUESTIONS TO CONSIDER

Does your board exercise oversight of the firm’s relationship with the regulator?

If not, how does the business ensure the engagement of the board in communication with the regulator?

Please contact

Tim Howarth
Partner, Regulatory Risk Consulting
T: +44 (0) 20 7311 6640
E: tim.howarth@kpmg.co.uk

Iestyn Evans
Senior Manager, Regulatory Risk Consulting
T: +44 (0) 113 231 3173
E: iestyn.evans@kpmg.co.uk

The information contained herein is of a general nature and is not intended to address the
circumstances of any particular individual or entity. Although we endeavour to provide accurate
and timely information, there can be no guarantee that such information is accurate as of the
date it is received or that it will continue to be accurate in the future. No one should act on
such information without appropriate professional advice after a thorough examination of the
particular situation.
© 2012 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and
a member firm of the KPMG network of independent member firms affiliated with KPMG
International Cooperative, a Swiss entity. All rights reserved. Printed in the United Kingdom.
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks
of KPMG International.
www.kpmg.co.uk RR Donnelley | RRD-272306 | September 2012 | Printed on recycled material.