A friend of mine, a Chief Risk and Compliance Officer within a financial services firm, recently told me about his dilemma with his board of directors. Compliance monitoring had uncovered a control failing that meant his firm seemed to be in breach of a regulatory policy. The requirement was for the manufacturing firm to collect information regarding fees charged to customers along the whole of the supply chain.
The intent of the rule was obvious – for the manufacturing firm to assess whether the ultimate price charged for the product was fair and good value.
The board’s decision was to ignore the requirement, their reasoning being that collecting and maintaining the information across all of its distribution channels, partners, and products would be onerous and disproportionate.
Compliance With The Rules
Furthermore, the impact on intermediaries in the supply chain would be even more burdensome. Each would be expected to report on its product fees to each of the manufacturers it dealt with, even when it had no direct relationship with the manufacturer, and that would be a tough sell to the firm’s partners. In a market where no other manufacturer seemed to be demanding such data, the board declined my colleague’s request for compliance with the rule.
The True Risk Appetite
Although we, as risk and compliance professionals, would like to think otherwise, such risk decisions are common in our industry. A quick scan of UK Financial Conduct Authority (FCA) Final Notices reveals multiple examples.
Non-disclosure of key financial facts so as to avoid share price drops, weak AML processes to accept lucrative business, and deliberate misadvising on pension transfers demonstrate willful non-compliance in pursuit of profit.
That such scenarios appear common is a testament to the enormous challenge of supervising a market. Many regulators are under-resourced, have difficulty recruiting skilled staff, face limited and expensive legal interventions, and are required to regulate very large numbers of market participants.
The blunt truth is that in every regulated market, only a small number of the most significant breaches will face any censure.
Anti-Regulatory Decisions From The Board
When making anti-regulatory decisions, a board is expressing its real risk appetite. Despite what it probably outwardly expresses as a ‘minimal’ appetite for regulatory breaches, the cost of mitigating controls is considered too great compared to the risk of regulatory intervention.
This situation can be frustrating, even bewildering, for compliance professionals, especially when rules are clear and explicit in their expectations. It is, however, the board’s role to make such decisions and, uncomfortable though that may be for GRC staff, such decisions set the strategy and culture of the firm.
Practical Steps To Avoid Regulatory Censure
What are we to do when we find ourselves in this situation? Our role, especially if we are a regulatory approved person, is to challenge. This takes independence, bravery, and a broad range of influencing skills.
Five Approaches to Deal With the Regulatory Censure Issue
The following approaches may help once you decide what you feel is the correct course of action.
- Look for factors the board should have considered during the decision-making process. The board likely considered only those arguments that supported the financial aims of the firm. After all, that is what most boards are there to achieve – profitable growth for stakeholders and investors. Listen to their position carefully. Our GRC role is to bring in opposing perspectives and arguments, but we can only do that if we understand what they have already considered and what they have not: ‘The rule is there to deliver fairness for our customers’; ‘AML checks prevent our firm being used for terrorism and organized crime’; ‘dishonesty in the market makes us like Enron.’ Such alternative positions can prevent ‘groupthink’ – where cohesive teams reinforce each other’s ideas, disregard pertinent information, and seek only confirmation.
- Challenge some of the underlying but untested assumptions in the board’s reasoning. Boards can often develop unchallenged beliefs about a market or business which turn out to be inaccurate. It may be, for example, that several of the firms in the supply chain have information readily available but have never been asked for it. Some may even be supplying it to others without issue, but the board is unaware. Assumptions about the ways in which a business operates tend to be cemented in a firm’s beliefs but have never been investigated or tested.
- Consider whether you can take actions that will go some way to mitigating the impact of the decision. There may be some occasions when you have to live with the board’s decision, but even here, you can take steps to reduce the impact of a breach. Clearer statements regarding fees in customer literature, managing fee data from larger distribution partners, and speaking with peer compliance officers in the supply chain, will all go some way to minimizing the impact of the risk without full mitigation. The extent to which you undertake such mitigations will depend on how serious you consider the breach. However, such ‘halfway house’ solutions may make you feel too uncomfortable when managing serious risks.
- Appeal to individuals on the board whose role includes expectations of regulatory adherence. Several board roles are designed to provide checks and balances for regulatory purposes. Audit committee chairs, senior non-executive directors, and chief risk and compliance officers should all have components of their role profiles that are designed to maintain regulatory balance in board decision-making. A reminder of that obligation would be timely.
- Consider appealing to a higher authority than the local board. Should all else fail, and you consider the potential breach suitably serious, look to authorities higher than your board. This could be an owning group or a higher board in the governance structure. It may even be a regulator. Needless to say, such a step should not be taken lightly. Even though you see this as an imperative escalation given the seriousness of the breach, your local board (who are, let’s face it, your employer) is likely to close ranks and see it as ‘trouble making.’
The Challenge Of GRC
A career in GRC is challenging. You are the person walking towards issues when others are walking away from them; it is you asking difficult questions and challenging the cozy status quo of the group. Success in the role requires strength of character, influencing skills, and a strong moral compass. Only then will we be capable of balancing regulatory risk with opportunity within our organizations.
Written by Paul Eccleson
This article was first published by the International Compliance Association (ICA), the leading professional body for the global regulatory and financial crime compliance community.