COMPLIANCE and LEGAL (Part 1)
Summary
The compliance function is often faced with work overload, caused by the ad hoc delegation of duties by the management board (or its administration) and by other senior management. The result is a constant increase in the scope of compliance work, with equal or sometimes even reduced staff and a lack of other resources. At the same time, there are gaps in understanding within the company about what the duties and responsibilities of the compliance function are supposed to be, and how its role differs in practice from legal and other functions. While compliance professionals rightly understand their work as risk-based, cross-process and a mixture of independent advisory and controlling activity, others may see it more linearly and narrowly, legalistically and in silos. An organizational silo exists when a certain area of expertise is confined to a specific, disconnected department with fixed, narrow boundaries, even though the area concerns the company as a whole; such a silo does not lead to integration and cooperation, which the compliance function definitely should. This article discusses these challenges in more detail and presents proven practical approaches for facing them effectively.
Key words
Compliance, legal, risk, corporate governance, internal control system, effective management
Compliance vs. Legal
In many cases, companies face difficulties in differentiating the roles and responsibilities of the compliance and legal functions, and consequently arranging the workload between them becomes difficult. Solutions should be based on respecting the three lines of defence principle, a risk-based approach and effective management. Instead, the decisions are often driven by the specific current situation, silo thinking, the perception of compliance as some variation of the legal function, or even a game of power and domination. This eventually has a negative impact on effective and transparent governance, causes poor risk management and an inadequate internal control system, and exposes the company to liability and losses.
This situation may be explained by the fact that, especially in regulated financial industries, the compliance function is performed by experts with a legal background. Consequently, the lawyers in the legal department may completely abandon the risk areas "covered" by compliance, so that the compliance function suddenly takes over all the legal support for that area, too. The attitude of other functions can be similar.
Unlike legal, the compliance function is one of the key functions in internal governance, as part of the internal control system and the second line of defence against risks. This key difference can be explained in practical terms as follows. While the same applies to various compliance risk areas (such as prevention of money laundering, fraud etc.), let us take privacy data protection as an example. If this area is primarily assigned to the compliance function, your problem may be that all other functions tend to "hand over" every issue connected to privacy to compliance, including the legal support for meeting concrete compliance requirements in day-to-day operations (which is the basic task of the legal function and of business management). Likewise, all professional and operational issues relating to privacy data protection tend to be handed over to compliance in isolation, even when they are not questions of compliance but of a specific expert field or of implementation in a specific area of operation. For example, the risk of a privacy data breach in the sales process is fully the domain of managers and sales staff. They need to put in place and maintain the privacy requirements and controls in sales and prevent breaches. The compliance function helps them to identify and assess the risks of breaching privacy data, but the responsibility for the specific knowledge of how sales activities are carried out, and therefore of where and which breaches of privacy data protection may occur in doing so, lies with the process owners (sales, in this case). The compliance function will primarily ensure that significant changes in the legal environment are detected and will, in this respect, for example, educate the sales staff so that they are able to identify the specific privacy risks associated with their activities, and help management to adopt and implement appropriate rules and measures.
Also, compliance may recommend specific contractual provisions, for example in the general terms and conditions of sales, but the legal support for assuring data privacy in individual cases should be provided by the legal department, because compliance needs to remain impartial and available to conduct compliance checks and audits of these processes. If compliance took part in day-to-day operations too broadly, assuring compliance "in the field", it would not be able to control the compliance of these processes, which is what it should be doing as a control function. This is based on the governance principle of the three lines of defence against risks. The first line is the management of business areas and functions, including the legal function and other supporting functions. The second line includes the risk management function, cyber security, quality management etc., and the compliance function. The third line is represented by internal audit. The superior body to these lines of defence in the internal governance system is the board, to which all three lines of defence (should) report directly and independently of each other.
The compliance function in this system of three lines of defence, unlike legal, operates within the second line:
(1) As an advisory point of contact, focused on supporting the organization to systematically ensure and manage the compliance with the requirements that apply to the organization, based on regulations, requirements or recommendations of a regulator etc. and
(2) As an internal control function, focused on identifying compliance issues, evaluating and managing compliance risks.
In case of privacy data protection described above, the compliance function’s activities should be focused on advising and assisting in:
- Detecting and identifying new regulatory requirements (e.g. the GDPR)
- Organizing the internal processes of (i) identifying the gaps between the organization's current state of compliance and the new requirements and (ii) preparing the action plan to close these gaps (concrete activities to achieve compliance for the gaps identified, including a description of the activities, the persons engaged and the execution deadline)
- Preparing presentation materials for the management board, senior management and others
- Preparing educational material and delivering the training to the defined target groups of employees, contractors, etc.
*In the activities described, the role of the compliance function should be organizational, initiating and controlling, while the role of the legal function is the familiar one: support and participation in implementing the business operational activities.
Secondly, the compliance function should also carry out the following controlling and risk management activities:
- Monitoring the implementation of the planned activities to comply with regulatory requirements (based on reporting from the appointed areas of the first line of defence against risks, including the legal function) and reporting to the administration about the state of compliance (the readiness level for the new regulation). For the compliance function to maintain its controlling nature, its impartiality and its timely availability for control, it is not recommended that the function operationally executes these activities itself.
- Monitoring the compliance of the actual processes, identifying and reporting deviations, and monitoring the measures taken to mitigate risks or to assure compliance.
The compliance function must perform both parts in balance: the consulting (preventive) part as well as the controlling part. The controlling part must not be neglected because of an excessive burden of operational tasks performed for the first line, because then the company as such fails to assure the effective operation of a significant part of the internal control system (which in the financial sector is prescribed by EU regulation, including the compliance function). Consequently, the legal function must not hand its first-line legal support over to the compliance function, since the legal function itself has no internal-controlling tasks and responsibilities (as the compliance function has). In this part, the compliance function neither replaces nor complements the legal function; it adds to the entire system of internal governance in the field of risk management and internal control. It is therefore different in nature and in basic mandate from the legal function.
It sometimes helps to explain the reasons why the role and responsibilities of the compliance function are understood differently, and wrongly, by management and other functions, which subsequently leads to too many tasks being imposed outside compliance's basic sphere of responsibility.
Below, these reasons are presented in more detail, together with some practical suggestions, proven in practice, on how to resolve them.
The cause | The solution example
1. The compliance function is a new function, often still unrecognised, so its understanding by the various departments within the company can vary widely. You might also be facing an improper position or insufficient authority in the organizational structure. |
2. A poorly defined compliance function in the internal documents (classification, management policies). |
3. The lack of compliance risk assessments. |
4. The lack of an annual plan of operation, or insufficiently specified and planned activities of the compliance function. |
5. The desire to shift liability is also a common reason. |
Key tools, especially in communication with the management board (CEO, senior management) when presenting the argument for the role and differentiation of the compliance function, are:
– Systematic and regular planning of compliance tasks and activities and
– Management reporting by the compliance function, based on clear and comparable indicators (such as the scope of advice provided, the alignments needed and achieved, compliance checks and investigations, the training performed etc.). This way, management gradually becomes more aware of what you do and of the benefits.
Other critical resources and arguments for a clearly perceived compliance function:
- The argument of the regulated function, derived from the EBA (European Banking Authority) guidelines on internal governance, the Basel Committee guidelines (Compliance and the Compliance Function in Banks), and the guidelines of the banking and other financial sector regulators on internal governance and the role of the compliance function.
- Your company's own internal acts: the definition in the Compliance Policy and the Rules on the operation of the compliance function.
- The annual work plan of the compliance function (you may even have a business compliance strategy), based on the defined tasks and responsibilities and on the compliance risk assessment.
- An allocation plan of the existing compliance staff to all required activities and tasks, as part of the annual planning, using FTE (Full Time Equivalent) figures calculated precisely against the maximum available time. This is one way to demonstrate very transparently and mathematically the scope of work that can be managed with the existing staff.
- Evaluation and reporting on the suitability and sufficiency of all resources (staff, finances, IT, authority etc.) for performing the compliance function, given the regulatory requirements and the compliance risks specific to the company. Compliance should present this to management and offer proposals regarding potential gaps. This is also a good tool for confronting the board with a necessary decision about what the priorities of your company's compliance programme should be, and what compliance should or should not be doing according to them, given the limited resources (compliance should hereby clearly explain to the board what the compliance function must be doing according to the regulations and the risks).
- Self-assessment of the compliance programme and, possibly, an external, independent and professional assessment of the compliance programme (the delivery of the Compliance Policy and Code of Conduct). This should be presented to the board, together with proposals based on the gaps found (which may include, for example, better differentiation of functions, the exclusion of certain activities from the compliance function or the inclusion of others, supplementation of the available resources, new or improved policies and processes, etc.).
Originally published in Association of Serbian Banks Magazine, June, 2020
Copyright © 2024 Andrijana Bergant. All rights reserved.
Permission is granted to use, distribute, and reproduce this article in any medium, provided the source is properly cited and a link to the original article is included. Unauthorized use or duplication without proper citation is prohibited.