The Future of Compliance Compliance Functions As Strategic Partners in The New Regulatory World
Compliance functions as strategic partners in the new regulatory world
kpmg.co.uk
The Future of Compliance
CONTENTS
© 2012 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG
International Cooperative, a Swiss entity. All rights reserved.
Introduction 4
Risk Management Framework 8
INTRODUCTION
How regulated firms (re-)structure their Compliance functions to respond to, or preferably pre-empt, these complex challenges will encompass the range of culture, strategy and people. Not only the function’s composition, but also its role and voice within the business and overall risk management framework, should be considered.

Although it is difficult to quantify the value added by Compliance, fines and censure can highlight the potential cost of non-compliance. The number of regulatory disciplinary cases initiated by the FSA has increased over recent years – 66% in 2011 v 58% in 2010. In 2010/11 the FSA also issued a record level of fines – £98.5m. Over more recent months, substantial fines have also been levied by the FSA on firms for large-scale failures in controls and oversight. These statistics point towards increased regulatory expectations on firms.

An effective Compliance function is key to identifying and mitigating risk and protecting the business from regulatory censure and protecting brand and reputation.

Leading firms will see these external changes as an opportunity to enhance the value-adding aspects of Compliance. Seeing the potential, but also recognising the limitations, in their Compliance functions will help them in the pursuit of growth as well as dealing with threats, creating competitive advantage and improving corporate value and reputation in line with growing stakeholder demands around integrity, accountability and financial stability.

We believe that there has rarely been a more opportune time for firms to rethink or build upon their compliance approach, assessing whether it is fit for purpose in the new regulatory environment and whether it will remain so in light of developments looming over the horizon.

Drawing on research, insights and experiences of working with financial institutions to explore the current and potential impacts of their Compliance functions, this report suggests ways in which firms might engage with emerging issues in order to ensure that their Compliance expertly and safely guides them through turbulent times.

Having reviewed current and impending changes to the UK regulatory framework, we provide an assessment of how we believe these changes will in practice impact the role and nature of Compliance within regulated firms.

Regulatory and Compliance arrangements are driven by the impact of regulation on the organisation and their risk appetite. The precise design of a compliance framework will therefore vary for individual firms. While there is no ‘one size fits all’ solution, our analysis focuses on the core considerations in how a Compliance framework may need to change in order to cope with regulatory change:

Risk Management Framework
Role of Compliance within the business
Compliance structure
Compliance strategy
Compliance monitoring
Compliance Management Information
Resourcing
Interaction with regulators
RISK MANAGEMENT FRAMEWORK

The FSA has been active in voicing its concern that Compliance functions should be independent from the business to ensure their effectiveness as risk management and corporate governance tools. In addition, firms are under pressure from the regulator to ensure that Compliance is a standing agenda item for senior management and the board to enable proactive management of regulatory risks – the criticism sometimes levelled being that regulatory compliance is a secondary concern for senior executives.
Set the tone from the top
Discuss and establish risk appetite
Monitor key business risks and the business’s performance against risk appetite.

Key to this is the setting of ‘tone’ from the top of the business, as the FSA identified a primary contributor to the recent financial crisis as being the lack of a compliance culture within firms. Consequently, assessment of a firm’s compliance culture is attaining prominence in the FSA’s supervisory approach.

are exposed, firms must take a more

A board’s ability to oversee and manage regulatory compliance can only be as good as the information it receives. Involved parties therefore need to know which regulatory compliance matters are reserved for the board if a compliant culture is to be effected.

KEY QUESTIONS TO CONSIDER
Do you have accountability for Risk and Compliance running throughout the organisation, and how do you ensure this?
Do you have a clear structure of ‘risk owners’ within the business?

Supervisory framework
ROLE OF COMPLIANCE

Firms need to have a clear vision concerning the role of Compliance. The debate can often be whether it should act in an advisory capacity supporting first line business management in discharging the firm’s regulatory obligations or whether it should have an oversight and enforcement role in monitoring business activities. In practice, future developments in the regulation space are most likely to require a combination of the two.
With the impending move to twin-peak regulation, consideration needs to be given to how and where prudential risks will be managed.

The FSA has confirmed that retail deposit-takers, insurers and major investment firms will be dual-regulated going forward. Where this is the case, we believe that prudential risk management should be performed outside of Compliance. It should rather be owned by Risk, Finance or a combination of the two due to their more appropriate skill-sets and expertise.

Interaction with the two regulatory bodies is a further area for discussion. We believe that for firms that are dual regulated, the relationship with the PRA should be owned by Risk and/or Finance with oversight from

relationship stakeholder. For firms that are regulated solely by the FCA, the regulatory relationship should be owned by Compliance with the support of the Risk and/or Finance function. This arrangement would ensure that there is a single, primary point of contact for the regulator through whom correspondence and dialogue can pass in order to ensure the firm adopts a consistent stance.

KEY QUESTIONS TO CONSIDER
Has your business clearly split responsibilities for the ownership of prudential compliance?
Have you considered how these responsibilities will look in the new world of twin-peak regulation and which function will be the primary contact for the PRA and FCA respectively?

REGULATORY RISKS

We observe growing regulatory scrutiny of the manner in which firms identify and manage regulatory risks. As a key element of the current supervisory framework reviews, it will become increasingly important in the near future with the rising weight of new regulatory legislation with which firms must comply.

Going forward, regulatory risk assessment should be undertaken by the first line in the business but responsibility lies with Compliance, which must conduct due oversight and challenge. Under this arrangement, the first line would be able to apply its knowledge of its specific operations, operating environment and market to assess the regulatory risks to which it is exposed. Compliance would then oversee this process in order to challenge the business on the identified risks, overlaying its knowledge to identify additional, non-operational specific risks.

Key to this operating effectively is clear allocation of responsibilities between the first line and Compliance, ensuring they are understood.
“We want firms to have a culture which encourages individuals to make the appropriate judgments and deliver the outcomes we are seeking. At all times we want an institution to act with integrity.”
Hector Sants, FSA CEO, October 2010
and insurance, responsibility for the identification, assessment and measurement of regulatory risks rests with Compliance in around half of organisations, while in the other half it lies with line management, supported and challenged by Compliance.

In all cases, Compliance is involved in identifying and assessing regulatory risks in each business line, whether directly or through providing assistance, support and challenge to line management.

The board should review, challenge and ultimately sign-off on regulatory risk assessments. This evidences good governance, oversight and the active involvement of senior management. In order to comply with expected European Commission legislation, we expect this risk assessment and understanding of regulatory risk profile to be an annual exercise.

The majority of financial services firms currently involve the board via board sub-committees (risk and/or audit committees) in the oversight and governance of regulatory risks identified by the business. What will be important in the future is the extent to which the committees understand their role in ensuring a sound regulatory control environment and in challenging senior management.

KEY QUESTIONS TO CONSIDER
STRATEGY

A viable and effective Compliance strategy should be driven by the business’s regulatory risk profile and the risk appetite set by the board, ensuring an appropriate Compliance role, adequately resourced and directed in enabling the business to manage and mitigate its regulatory risks.
In addition, recent FSA supervisory
KEY QUESTIONS TO CONSIDER
Compliance plays a critical role in all of
STRUCTURE

Compliance function structures have come into greater focus over recent years, tending to adhere to either a centralised or decentralised model, the choice of which is dictated largely by the extent of the organisation’s global presence and diversity of its business operations.
[Figure: Centralised model (Board and board sub-committees; Group Compliance; A, B, C) and Decentralised model (CEO; Compliance; Compliance; A, B, C)]
In analysing the structure of Compliance within firms reviewed we have sought to understand the impact of regulatory change on the following elements:
The importance of designing and operating the right compliance model is growing. Compliance models serve to flesh out and articulate a firm’s overall regulatory compliance framework.

The increasingly intensive and intrusive supervisory approach under twin peak regulation will look at the appropriateness of firms’ compliance models in the context of the size and scale of the business. This may provide the regulator(s) with comfort that not only are the firm’s key regulatory risks being identified, monitored and mitigated, but that the senior management team has adequate oversight over this process.

Our opinion is that there is no single optimal Compliance model. Models tend to be tailored to firms’ specific profiles. Global, diverse operations tend to be organised on a decentralised basis, as this provides the business with a greater degree of compliance insight into, and oversight over, local operations.

Due to the increased regulatory supervisory focus on firms, we are seeing a notable increase in the extent to which the regulator challenges firms’ Compliance structures. In part, the regulator is seeking to assess the extent to which a compliance model is sufficiently well designed and resourced to enable the identification, management, monitoring and reporting of regulatory risks posed as a result of the structure and operations of the business.

Financial institutions therefore need to ensure that they not only have a well-designed compliance structure tailored to the specifics of the business, but also that this is clearly set out and articulated.

KEY QUESTIONS TO CONSIDER
How have you ensured that your compliance model is fit for purpose for the business in the new regulatory world?
Are you confident that the level of compliance oversight and monitoring is adequate, and that there are clear reporting lines to the board?

DIVISIONAL COMPLIANCE PRESENCE

The majority of organisations should have some degree of Compliance representation within divisions and/or business units. This can range from embedded Compliance resources within the business lines to divisional Compliance teams advising and overseeing the business lines’ activities.

Of increasing importance going forward is that firms ensure Compliance retains a strong presence throughout the business, while retaining the independence necessary of a second line monitoring and oversight function. This may give rise to particular problems where firms have compliance resources embedded in the first line of the business.

In reviewing their Compliance structures, firms must retain the delicate balance between advice and oversight.

A solution could be to ensure that formal reporting lines are in place whereby those Compliance resources embedded in the first line report only to Compliance, with no formal reporting to business line management. Remuneration should also remain the domain of Compliance, with resources not being assessed against objectives or Key Performance Indicators (KPIs) that are inconsistent with the wider Compliance team.

The majority of financial services firms presently operate a Compliance presence within their various locations and/or divisions, while to a lesser extent some firms have no local Compliance presence and rely on a central Compliance function to oversee the entire operations of the business.

KEY QUESTIONS TO CONSIDER
Are the roles and responsibilities of group and divisional Compliance clearly articulated and understood within your business?
How have you defined the role of group and divisional Compliance, and do the defined roles provide comfort that regulatory risks are being managed effectively?
“Firms should ensure that
MONITORING

Compliance monitoring is central to providing assurance to senior management that the business is adequately managing its regulatory risk exposure and that the controls and policies in place to manage these risks are effective. The recent financial crisis has led to a growing appreciation of regulatory risk as a key component of a business’s overall risk profile. A clearly defined programme of risk monitoring is vital and without this, the identification of risks, which is a core element in risk management, means little.
Indeed, a key requirement of the FSA’s
DESIGN AND DIRECTION
Where the compliance monitoring function
RESOURCING

FSA rules require firms to ensure that the Compliance function has the necessary resources to undertake its responsibilities and to provide relevant assurance to the business. Indeed, quality and quantity of resourcing is a critical success factor for any Compliance function to fulfil its responsibilities within the agreed risk appetite.

Profit and capital protection has recently been behind a freeze on hiring and discretionary spend within many financial institutions. However, evolving UK regulation requires firms to invest in their control and assurance functions, not least Compliance. As a result, firms are attempting to strike a balance between reducing overheads and maintaining a robust and effective Compliance function.
This inherent tension can best be
Although Compliance teams may
resourced. We would expect the Head
MANAGEMENT INFORMATION

Much criticism has been levelled at financial institutions following the financial crisis to the effect that Compliance information was of insufficient detail and not escalated to senior management when appropriate.

The regulator’s expectation of Compliance Management Information (MI) broadly extends to ensuring that firms have in place a reporting framework that seeks to ensure the proper and effective reporting of key regulatory risks and issues, with escalation to the appropriate board committee.
In analysing the nature of Compliance
Compliance MI should also be
Material regulatory compliance matters
INTERACTION WITH REGULATORS

Given the changes in the regulatory environment, supervisors are emphasising stress-testing of business plans, reviewing business models and scrutinising corporate governance and remuneration incentives. In this uncertain and shifting landscape, financial institutions need to develop closer relationships with supervisors and reach a shared understanding of what is required to meet these higher standards.
Regulators are unsurprisingly among the
interest to avoid the development
RESPONSIBILITY FOR INTERACTION
Please contact
Tim Howarth
Partner, Regulatory Risk Consulting
T: +44 (0) 20 7311 6640
E: tim.howarth@kpmg.co.uk
Iestyn Evans
Senior Manager, Regulatory Risk Consulting
T: +44 (0) 113 231 3173
E: iestyn.evans@kpmg.co.uk
The information contained herein is of a general nature and is not intended to address the
circumstances of any particular individual or entity. Although we endeavour to provide accurate
and timely information, there can be no guarantee that such information is accurate as of the
date it is received or that it will continue to be accurate in the future. No one should act on
such information without appropriate professional advice after a thorough examination of the
particular situation.
© 2012 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and
a member firm of the KPMG network of independent member firms affiliated with KPMG
International Cooperative, a Swiss entity. All rights reserved. Printed in the United Kingdom.
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks
of KPMG International.
www.kpmg.co.uk RR Donnelley | RRD-272306 | September 2012 | Printed on recycled material.