Compliance monitoring best practices
by Hansi Mehrotra
15th April 2015
Using a tick-the-box approach to monitoring conflicts of interest will probably lead to regulatory issues and reputational disasters. Wealth firms will need to adjust their code of conduct and conflict of interest programmes so that they are appropriate for their business model.
Conflicts of interest are everywhere. Firms in financial services, especially in wealth management, cannot avoid them; it’s how they manage them that matters. Managing them well requires a monitoring programme that is practical. A compliance policy that the firm declares but that is too difficult to monitor is self-destructive. Firms are better off with no policy than with one that is not monitored, a gap that modern-day regulators easily discover in an exam. That’s the key message from Brian Fahey, CEO of TerraNua, which has formed an alliance with Thomson Reuters to offer compliance monitoring tools in India.
Conflicts of interest
Conflicts of interest can arise in multiple areas. Some, like gifts and entertainment, personal trading/account dealing, political contributions, use of intermediaries/introducers/lobbyists, outside business activities and anti-corruption, exist in most businesses. Then there are issues specific to the investment industry, like research notes, soft dollars and Chinese walls.
The first step towards any successful model of compliance is to have a code of conduct policy document. Fahey stresses that this policy document should be practical. Some considerations to include are given in the table.
Factors to consider in Code of Conduct policy
| Factor to consider | Example |
|---|---|
| Do not make policy unrealistic. | “Return all gifts” is not a realistic policy where gifts are part of the culture and may only lead to everyone ignoring the policy. A policy not implemented is worse than no policy at all. |
| For policy decisions that have a value component, determine when value is large enough to create a conflict. | If gifts are standard culture, don’t disallow them if value is not material and does not create a conflict. Receiving a hamper in December from a vendor as a thank you for business may not be considered to have sufficient value to have any influence on a decision. De minimis thresholds are common in policies, e.g. if a gift is below X, then it is OK to proceed with the gift. |
| Make the parameters precise and practical for systems to automate*. | With precise rules, the tool can help with a quick response to employees, e.g. if a gift is less than $50, then the system says yes. Quick response helps with enterprise satisfaction with the policy and with quick adoption. |
| Ensure data is available for the comparison you want to make. | If no “energy” trades are allowed, will you know the industry for each security that employees submit to trade? |
| Keep it simple enough for employees to understand. | Making special cases for derivatives is often beyond the understanding of employees. Tools can have online help. |
| Use certification / affirmation policies to get employees to sign off on what occurred. | If an employee has been receiving gifts or not reporting an outside business activity, having to regularly sign off on what they did report will make them more aware and much less likely to breach the rules. It also helps to change the culture, thereby reducing the need for ongoing monitoring. |
| Get independent verification of what actually occurred where possible. | Get employee trading activity directly from brokerage firms. This may not be practical for many conflicts of interest, e.g. gifts, but tools can prompt the employee to verify. |
The next step is to have a monitoring process in place to ensure compliance as best you can, or at least to be able to defend to the regulator that you have done as much as you can. While doing so, it is essential that monitoring and systems go beyond a checkbox tool. Sometimes it is difficult to identify a conflict of interest or compliance issue, as certain activities / instances may border on acceptable norms in a given situation and environment.
Fahey recommends that business leaders think about monitoring such that ethical decisions are deeply embedded in the organisational culture and become a way of life in the firm. With self-imposed discipline / regulation in the work culture, less compliance office time is then needed to monitor lapses. He observes, “Even when there is no clear guideline or any enforcement in a particular country regarding gifts or kickbacks in other forms, most global organizations have an ethics culture applied from tone, from the top down, code of conduct document or norms within the firm to keep conflicts of interest in check”.
Despite a code of conduct being in place, there are often instances of violation. A firm must then utilize the provisions laid down under the code of conduct policy to enforce compliance. Enforcement will instil the fear of consequences and contribute toward that ongoing change in culture.
Maturity levels in codes of conduct
There are different levels of maturity that firms can be at when it comes to codes of conduct. Partly this depends on the regulatory environment, but individual firms often take leadership beyond what the regulations specify.
Fahey’s experience of advising firms that have implemented code of conduct policies has given him a unique insight into the corporate culture of businesses which have adopted an ethics culture.
The compliance software expert benchmarks non-compliant or compliant firms against a seven-point scale. He says: “those firms which merely pay lip service to a financial regulator’s rules, whilst ignoring their own code of ethics, if they exist at all, are overly dependent on the owner’s attitude alone”, a state of affairs which can drift into non-compliance very quickly. For this reason a zero score on the maturity model’s scale reflects the reality of ad hoc compliance at the business, with just token lip service to regulatory rules.
The basic level is where the policies are written down but not implemented and there is no support from executive management. The next step is the initial stage where some attestation of policies and / or code of ethics are in place in the form of training. There is limited support for code of conduct policies in these stages from the executive management.
Firms at the emerging stage may employ some automation tools but paper, email and wet signatures are used extensively, whilst firms at the monitored stage use more automation tools. However, there may be a lot of data without an integrated compliance office review of employee activities.
The pervasive stage is quite a mature programme level, with integrated tools for compliance automation and usually an active hotline for reporting any lapses, which may include voluntary reporting of incidents.
A firm at the Leader level pushes direct customers and stakeholders to apply an appropriate code of conduct in all their dealings and transactions. Corporate social responsibility is taken very seriously across all levels.
Fahey believes there are a number of factors that affect a firm’s level in the maturity model.
Factors affecting level of maturity model
Regulatory environment (principle vs rule based)
Defined rules and regulations
Extent of regulatory examinations
Scale of fines and penalties
Degree of concern about reputation
Amount of money involved in transactions
Capability of monitoring systems
Availability of data for evaluation
Board and executive management sponsorship (Tone from the top)
The decision to adopt automated compliance software tools versus a manual documented process depends on the volume of activity within the firm that must be checked for conflict of interest issues, on compliance reporting and querying needs, and on the degree of subjective versus automated compliance office review. The usual factors of cost, time and non-compliance risk also influence any decision to automate the compliance office activity of a firm.