The tools and information that build effective compliance programs
Enterprise Compliance Risk Management: An Essential Toolkit for Banks and Financial Services is a comprehensive narrative on managing compliance and compliance risk that enables value creation for financial services firms. Compliance risk management, a young, evolving yet intricate discipline, is occupying center stage owing to the interplay between the ever increasing complexity of financial services and the environmental effort to rein it in. The book examines the various facets of this layered and nuanced subject. Enterprise Compliance Risk Management elevates the context of compliance from its current reactive stance to how a proactive strategy can create a clear differentiator in a largely undifferentiated market and become a powerful competitive weapon for organizations. It presents a strong case as to why it makes immense business sense to weave active compliance into business model and strategy through an objective view of the cost benefit analysis. Written from a real-world perspective, the book moves the conversation from mere evangelizing to operationalizing a positive and active compliance management program in financial services. The book is relevant to the different stakeholders of the compliance universe - financial services firms, regulators, industry bodies, consultants, customers and compliance professionals - owing to its coverage of the varied aspects of compliance. Enterprise Compliance Risk Management includes a direct examination of compliance risk, including identification, measurement, mitigation, monitoring, remediation, and regulatory dialogue. With unique hands-on tools including processes, templates, checklists, models, formats and scorecards, the book provides the essential toolkit required by practitioners to jumpstart their compliance initiatives.
Financial services professionals seeking a handle on this vital and growing discipline can find the information they need in Enterprise Compliance Risk Management.
Page count: 554
Year of publication: 2015
Advance Praise
Title Page
Copyright
Dedication
Preface
Acknowledgments
About the Author
Opening Notes
Design and Structure of the Book
Part One: Introduction to Compliance in Financial Services
Chapter 1: An Overview of Compliance in Financial Services
A Brief History and Evolution of Compliance
Chapter 2: Compliance in the Twenty-First Century
Drivers of Compliance
Broad Areas of Regulation and Supervision in Financial Services
Major Bodies That Define Compliance Boundaries for Financial Services
Part Two: The What, Why, and Who of Compliance
Chapter 3: What Is “Compliance”?
Compliance in the Context of Banking and Financial Services
Understanding the Semantic Maze of Compliance
Interconnects
Chapter 4: Why Is Compliance Needed?
Why Regulate?
Why Comply?
Consequences of Noncompliance
Cost-Benefit Analysis of Active Compliance
Interrelationship between Business Model, Strategy, and Compliance
Active Compliance—a Strategic Tool in Value Creation, Preservation, and Enhancement
Chapter 5: Who Are the Players in the Compliance Universe?
The Universe of the Financial System—A Bird's-Eye View
Primer on Major Players in the Financial System
Stakeholders of the Compliance Universe
Compliance Roles
Part Three: The How of Compliance
Chapter 6: Compliance Framework
Managing the Compliance Maze
Chapter 7: Operationalizing Compliance
Operational Framework
Points to Note
Compliance Culture Dimension
Part Four: The Compliance Risk Dimension
Chapter 8: Exploring the Concept of Compliance Risk
Defining Risk
Overlap of Financial Risks and Compliance Risk
Compliance Risk—An Introduction
Defining Compliance Risk
Subcategories of Compliance Risk
Compliance Risk and Organizational Complexity Scale
Chapter 9: Compliance Risk Management
Risk Appetite
Risk Identification
Risk Assessment
Risk Mitigation
Risk Monitoring
Risk Remediation
Compliance Risk Reporting
Regulatory Dialogue
Part Five: The Real World of Compliance in Financial Services
Chapter 10: Real-Life Issues of Managing Compliance in Financial Services
Myths vs. Reality
Overlaps and Conflict Zones
Some Important Distinctions
Chapter 11: Lessons Not Learned
Real-World Examples
The Shifts
Chapter 12: Practical Solutions to Some Important Operational Challenges
Challenge: Building Business Integrity into Organization's Fabric
Challenge: Building Compliance-Aware Organization (CAO)
Challenge: Compliance Reach to All
Challenge: Managing Regulatory Dialogue
Closing Notes
Regulatory Coherence
Compliance Coherence
Building a Learning Organization
Index
End User License Agreement
Chapter 1: An Overview of Compliance in Financial Services
Figure 1.1 Simplified Picture of the UK Regulatory Framework
Chapter 2: Compliance in the Twenty-First Century
Figure 2.1 Objectives of Regulation
Figure 2.2 Classes of Regulation
Figure 2.3 Twin Peak Supervisory Model 1–Australian Model
Figure 2.4 Twin Peak Supervisory Model 2–The Netherlands Model
Chapter 3: What Is “Compliance”?
Figure 3.1 Regulatory Focus on Fair Treatment of Customers through Product Life Cycle
Figure 3.2 Compliance Semantics—Conceptual Set
Figure 3.3 Compliance Semantics—Operational Set
Figure 3.4 Compliance Interconnects
Figure 3.5 The GRC Venn
Chapter 4: Why Is Compliance Needed?
Figure 4.1 Structural Regulations
Figure 4.2 Enforcement Options
Figure 4.3 Relationship between Noncompliance and Enforcement Options
Figure 4.4 Value of Fines Imposed by FSA across Years
Figure 4.5 Proportion of Fines Imposed by FSA across Years
Figure 4.6 Number of Fines Imposed by FSA across Years
Figure 4.7 Comparison between Amount of Fines and Number of Fines Imposed by FSA
Figure 4.8 Business Consequences for Organizations
Figure 4.9 Business Consequences for Individuals
Figure 4.10 Different Cost Classes
Figure 4.11 Indicative Benefits
Figure 4.12 Relationship between Compliance and Revenue Maximization
Chapter 5: Who Are the Players in the Compliance Universe?
Figure 5.1 Ecosystem of Finance
Figure 5.2 Assets of Financial Intermediaries—20 Jurisdictions and Euro Area
Figure 5.3 Financial Assets
Figure 5.4 Movement of Funds from Savers to Users
Figure 5.5 Fund-Raising—Sample Options for Firms and How the Investor Is Compensated for Funds Made Available
Figure 5.6 Global Financial System
Chapter 6: Compliance Framework
Figure 6.1 Compliance Program Components
Figure 6.2 Compliance Maturity Scale—Macro-View
Figure 6.3 Compliance Program Maturity Matrix
Figure 6.4 Strategic Framework
Figure 6.5 Broad Blocks of the Compliance Universe
Figure 6.6 Structural Framework
Figure 6.7 Sample Hierarchical Structure
Figure 6.8 Sample Matrix Structure
Figure 6.9 Compliance Calendar Sign-Off by LOBs and Support Teams
Figure 6.10 Sample Annual Plan and Implementation Sign-Off
Chapter 7: Operationalizing Compliance
Figure 7.1 Operational Framework
Figure 7.2 High-Level Compliance Process Flow
Figure 7.3 Obligations Register Template
Figure 7.4 Obligations Register Template Continued
Figure 7.5 Regulatory Change Management
Figure 7.6 Breach Management
Figure 7.7 Compliance Breach Report Template
Figure 7.8 Compliance Breach Report Template (Continued)
Figure 7.9 Representation of Communication Stakeholders
Figure 7.10 Representation of the Reporting Map
Chapter 8: Exploring the Concept of Compliance Risk
Figure 8.1 Compliance Complexity Scale
Chapter 9: Compliance Risk Management
Figure 9.1 Compliance Risk Classes or Blocks
Figure 9.2 Compliance Risk Identification Tools
Figure 9.3 Compliance Risk Assessment Process
Figure 9.4 Compliance Risk Scorecard Build Flow
Figure 9.5 Unadjusted Risk Score (Graphic)
Figure 9.6 Risk Score Adjusted for Risk Factor Significance
Figure 9.7 Remediation Standards Matrix
Figure 9.8 Reporting Levels and Possible Content
Chapter 10: Real-Life Issues of Managing Compliance in Financial Services
Figure 10.1 Over- and Under-Regulated Segments—Sample Representation
Chapter 11: Lessons Not Learned
Figure 11.1 Compliance Reporting Structures
Chapter 12: Practical Solutions to Some Important Operational Challenges
Figure 12.1 Communications between Compliance Staff and Regulators
Chapter 2: Compliance in the Twenty-First Century
Table 2.1 Comparison of the Macro- and Micro-Prudential Perspectives
Table 2.2 Sample List of Regulations
Table 2.3 Regulatory Models
Table 2.4 Federal Financial Regulators and Organizations of United States
Table 2.5 Objective, Content, and Tools Used in Prudential and Financial Conduct
Table 2.6 Agency Roles in Macro-Prudence through the Economic Cycle
Chapter 3: What Is “Compliance”?
Table 3.1 Illustrating the Five Aspects with a KYC Example
Chapter 4: Why Is Compliance Needed?
Table 4.1 Stylized Comparison of Selected Structural Reform Proposals
Table 4.2 Foreign Corrupt Practices Act (FCPA) Fines Structure
Table 4.3 Comparison between Amount of Fines and Number of Fines Imposed by SEC
Table 4.4 Year-by-Year SEC Enforcement Statistics
Table 4.5 Sample Costs by Cost Classes
Table 4.6 Indicative Cost Items for a Technology Initiative (Systems Costs)
Table 4.7 Benefits of Positive and Active Compliance
Table 4.8 Cost-Benefit Analysis
Table 4.9 Building Blocks of Business Model
Table 4.10 Operationalizing Business Model
Table 4.11 Compliance and Business Model
Chapter 5: Who Are the Players in the Compliance Universe?
Table 5.1 Characteristics of the Components of the Financial System
Table 5.2 Indicative Market Structure and Sample Instruments
Table 5.3 Global Foreign Exchange Market Turnover (net-net basis, daily averages in April, in billions of US dollars)
Table 5.4 Financial Intermediaries and Their Functions
Table 5.5 Functions at a High Level of Financial Intermediaries
Table 5.6 Market Participants
Table 5.7 Compliance Stakeholders
Chapter 6: Compliance Framework
Table 6.1 Indicative Compliance Areas
Table 6.2 Outline of Compliance Charter
Table 6.3 Sample Compliance Coverage
Table 6.4 Risk Activities Outside the Scope of Compliance Department
Table 6.5 Compliance Department—Expectations
Table 6.6 Sample of Responsibilities of Different Role Holders
Table 6.7 Sample of Responsibilities of Different Role Holders
Chapter 7: Operationalizing Compliance
Table 7.1 Sample Registers of Compliance
Table 7.2 Compliance Master Structure
Table 7.3 Obligation Master Structure
Table 7.4 Compliance Risk Master
Table 7.5 Controls Master
Table 7.6 Breach Master
Table 7.7 Training Master
Table 7.8 Communications Master
Table 7.9 Reports Master—Reports to Be Submitted to the Compliance Department
Table 7.10 Reports Master—Reports to Be Submitted by the Compliance Department
Table 7.11 Remediation Master
Table 7.12 Compliance to Obligations Map
Table 7.13 Risk to Control Map
Table 7.14 Breach to Remediation Mapping
Table 7.15 Responsibility Mapping
Table 7.16 Complaints Master
Table 7.17 Breach Management Master
Table 7.18 Reporting Level Based on Breach Severity
Chapter 8: Exploring the Concept of Compliance Risk
Table 8.1 Causes of Noncompliance
Table 8.2 Consequences of Noncompliance
Table 8.3 Map of Consequences of Noncompliance to the Sub-Risk Categories
Table 8.4 Subcategories of Compliance Risk
Table 8.5 Compliance Complexity Scale with Added Dimensions of Regulators
Chapter 9: Compliance Risk Management
Table 9.1 Risk Identification Map
Table 9.2 Geography View across Financial System Abuse
Table 9.3 Sample of LOB (Line of Business View)
Table 9.4 Comparison of Risk Profile across Two Time Periods
Table 9.5a Impact Scale
Table 9.5b Likelihood Scale
Table 9.5c Inherent Risk Computation
Table 9.6 Heat Map of Inherent Risk
Table 9.7a Design Effectiveness Scale
Table 9.7b Implementation Effectiveness Scale
Table 9.7c Heat Map of Control Assessment
Table 9.8 Template for Residual Risk
Table 9.9 Compliance Risk Fitness Barometer
Table 9.10 Sample of Residual Compliance Risk Report
Table 9.11 Building a Scorecard
Table 9.12 Metrics for Each of the Risk Attributes
Table 9.13 Example of Compliance Risk Scorecard
Table 9.14 Example of Compliance Risk Scorecard
Table 9.15 Example of Compliance Risk Scorecard
Table 9.16 Summary of Compliance Risk Scorecard
Table 9.17 Unadjusted Risk Score (Tabular)
Chapter 10: Real-Life Issues of Managing Compliance in Financial Services
Table 10.1 Myths and Facts of Compliance
Table 10.2 Three Lines of Defense Model
Chapter 11: Lessons Not Learned
Table 11.1 FSA Fines 2014
Table 11.2 FDIC (Federal Deposit Insurance Corporation) Failed Bank List
Table 11.3 Fines Table—Individuals Fined 2013
Table 11.4 Fines Table—Companies Fined 2013
Chapter 12: Practical Solutions to Some Important Operational Challenges
Table 12.1 Severity Frequency Matrix
Enterprise Compliance Risk Management: An Essential Toolkit for Banks and Financial Services is truly a practitioner's handbook peppered with appropriate templates, tools, scorecards, and framework to manage compliance in a structured way. The hallmark of the book is how Ms. Saloni Ramakrishna connects with her readers through her characteristic flowing and easy to comprehend narration of a layered, multifaceted, and nuanced subject like compliance. Her deep understanding of the risks as well as the opportunities for financial services institutions to better manage those risks for the benefit of customers, employees, and shareholders is well encapsulated in the central theme of the book—active compliance management.
—Peter Hill, Investment Banker and one of Risk.net's “Top 50 Faces of Operational Risk”
Through the book Enterprise Compliance Risk Management: An Essential Toolkit for Banks and Financial Services, Ms. Saloni Ramakrishna brings to bear her extensive hands-on experience as a practitioner in detailing how technology needs to be weaved intrinsically into a compliance program for it to be successful. Her emphasis on the role and relevance of a well thought out, appropriately designed technology framework as the bedrock of creating and perpetuating an active compliance is spot on.
—Stuart Houston, Global Solution Director—Analytics, Oracle Financial Services Global Business Unit
SALONI P. RAMAKRISHNA
Copyright © 2015 by John Wiley & Sons Singapore Pte. Ltd.
Published by John Wiley & Sons Singapore Pte. Ltd.
1 Fusionopolis Walk, #07-01, Solaris South Tower, Singapore 138628
All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as expressly permitted by law, without either the prior written permission of the Publisher, or authorization through payment of the appropriate photocopy fee to the Copyright Clearance Center. Requests for permission should be addressed to the Publisher, John Wiley & Sons Singapore Pte. Ltd., 1 Fusionopolis Walk, #07-01, Solaris South Tower, Singapore 138628, tel: 65–6643–8000, fax: 65–6643–8008, e-mail: [email protected].
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor the author shall be liable for any damages arising herefrom.
Other Wiley Editorial Offices
John Wiley & Sons, 111 River Street, Hoboken, NJ 07030, USA
John Wiley & Sons, The Atrium, Southern Gate, Chichester, West Sussex, P019 8SQ, United Kingdom
John Wiley & Sons (Canada) Ltd., 5353 Dundas Street West, Suite 400, Toronto, Ontario, M9B 6HB, Canada
John Wiley & Sons Australia Ltd., 42 McDougall Street, Milton, Queensland 4064, Australia
Wiley-VCH, Boschstrasse 12, D-69469 Weinheim, Germany
Library of Congress Cataloging-in-Publication Data is Available
ISBN 9781118550281 (Hardcover)
ISBN 9781118550328 (ePDF)
ISBN 9781118550311 (ePub)
Cover image: Business Analysis ©iStock.com/Artzone
Cover design: Wiley
To, my father—my Guide and Guru
Sh. Pisipati SriRama Chandra Murthy
For ingraining in me the confidence and courage to be myself
The first known compliance breach and regulation violation is that of Adam eating the forbidden apple. Since then, multiple compliance breaches have occurred, with challenging to catastrophic outcomes. Banks and financial services are more vulnerable to the effect of breaches and their consequences, given that they deal in the financial well-being of individuals and the economy. It is slowly dawning on the stakeholders of the industry that proactive management of compliance and the associated risks will be a business multiplier.
Compliance risk management, as a distinct subject, in banks and financial services is young and evolving. Complying with authority, in a narrow sense, has been in place for ages now, but the many dimensions and nuances added due to the exponential increase in the complexity of the financial world have greatly expanded its scope and have brought it to center stage. The creation and elevation of the role of chief compliance officer—the journey from a dusty table in a corner of the office to a place at the C-level executives' table in the boardroom—speaks volumes about this transition. However, the systemic integration of compliance into the business and strategic fabric of the organization is yet to happen.
In the face of an anemic global recovery and lack of alignment of business models with active compliance, this field justly demands that it be treated as a discipline in its own right—more so now than ever. There is insufficient literature and a lack of comprehensive references in compliance risk management. This book is intended to address that gap.
This book seeks to provide an essential toolkit for navigating the compliance universe, aligning itself with and enhancing the fundamental business objectives of value creation, preservation, and enhancement of organizations. It provides a broad view of managing compliance and compliance risk holistically in the financial services space. Multiple facets of the subject and their interrelationships are explored. Important aspects covered are the use of active compliance management as a strategic tool, cost benefits of active compliance management, and connections with other traditional and evolving risk disciplines.
The purpose is to rise above mere evangelizing and move into the realm of operationalizing compliance in the real world. The three areas of focus are: (1) detailing the how of compliance, including discussions on compliance framework and operationalizing compliance; (2) the hitherto largely underexplored life cycle of compliance risk management from risk definition to regulatory dialogue; and (3) real-life challenges in the world of compliance such as areas of conflict, myths, gray/overlap areas, as well as some innovative yet practical strategies that practitioners have developed to meet these challenges. Templates, tools, and a framework to manage compliance in a structured way will help readers to jump-start or refine compliance initiatives in their organizations. Instead of the traditional foreword by one expert, this book is peppered with five Practitioner's Notes—thoughts and views on the subject of compliance by industry experts, adding to the real-world perspectives that the book brings to the table.
Saloni Ramakrishna
Book writing is a challenging expedition with demands not only on the author in terms of vision, fortitude, and persistence but also on others who support and guide the initiative. I would like to express my gratitude to the amazing people and organizations that have made this expedition a great learning and sharing experience. The credit for seeding the thought of writing a book goes to Nick Wallwork of John Wiley & Sons, who casually asked if I would consider writing a book for them, almost as if he knew I could and would. Thanks, Nick.
A very special acknowledgment goes to Srikar Gullapalli for making this book possible by being such an incredible motivator, critic, collaborator and editor all rolled into one. My gratitude to my anchor and life partner, Sh. Ramakrishna Gullapalli, for keeping me on course with his encouragement at every step. Thank you Sravani Gullapalli, for powering my effort with your infectious energy, optimism, and encouragement. Sudhir Pisipati, my confidant, and the family—thank you for creating and reinforcing the positive energy circle around me. I offer my respectful tribute to my mother, Smt. Suguna Pisipati, for supporting and celebrating all my achievements, big or small.
My appreciation and sincere thanks go to the senior practitioners, Dr. Colin Lawrence, Tsuyoshi Oyama, Dr. Ranee Jayamaha, Benjamin Frank, and Peter Hill. Each of these experts has, in their own way, added to the industry's dialogue. I am grateful for their Practitioner's Notes that prefix the five parts of this book. All of these industry veterans have readily agreed to share their distilled wisdom and bring to bear their real-life experiences through these notes. My thanks also go to K. S. Gopal, head of the Regulatory desk of ING-Vysya bank, for being part of many animated conversations on the subject. Thanks are due to the regulatory bodies for creating a learning ecosystem through their websites by sharing industry information in an open and transparent manner.
I wish to place on record my gratitude to my organization, Oracle Financial Services Software Limited, and thanks to Stuart Houston for encouragement and support. In the 15 years of my association with Oracle, the information company, I have learned to truly appreciate the critical role technology plays in enabling businesses to build a robust, active, positive risk and compliance program.
A special note of thanks to the team at Wiley—Jeremy Chia, my development editor; the editorial team; and the entire production team. There are many others who have added to my learning canvas whom I need to thank: bankers, regulators, consultants, IT professionals, self-regulatory body representatives, financial services industry association members, friends, colleagues, and customers with whom and through whom I have seen, learned about, appreciated, and loved this industry.
Saloni Ramakrishna has nearly three decades of experience in financial services, contributing to the industry dialogue across different platforms. She has been invited to share her thoughts and views on industry trends surrounding compliance, risk, customer centricity, performance, and data management in the analytics space, by national and international banking and finance forums such as the Global Association of Risk Professionals (GARP), Ops Risk Asia, Asian Banker events, and CXO roundtables.
Saloni Ramakrishna's ideas have appeared as articles and quotes in regional newspapers, journals, magazines, and television interviews. She has presented papers at national and international seminars and conferences. Since 2012, she has been a columnist for one of India's leading monthly magazines, Andhra Bhoomi.
Saloni Ramakrishna is currently the Senior Director with Oracle. In her role as Global Solutions Architect of Oracle Financial Services Analytical Applications, she frequently interacts with top and senior management of banks, consulting professionals, financial services bodies, and senior regulators across multiple countries. In her 15-year tenure with Oracle Financial Services she has designed, developed, architected, and implemented analytical solutions for the industry.
Saloni Ramakrishna is a double master's degree holder—Master of Business Administration in Finance and Master of Arts. As a banker, with a deep and broad landscape of banking experience spanning almost 15 years with specialization in risk, performance, and compliance, she was part of policy-making bodies, both at the banks where she has worked, as well as on industry-level committees.
In Enterprise Compliance Risk Management: An Essential Toolkit for Banks and Financial Services, she brings this kaleidoscope of rich hands-on experience of real-life financial services knowledge, distilled wisdom of interactions with different stakeholders of the industry, and experience of technology power to create a vibrant canvas of comprehensive yet practical solutions for the compliance-related business challenges of the financial services.
When I first thought of writing a book, the advice from a friend (an author himself) was “Don't do it!!” Don't do it: It is not as romantic as it appears; it is too demanding; you are on your own, plodding through thousands of pages that take you off on a tangent. New ideas fight to find expression only to have most of your writing and rewriting edited later. Days get longer and slip from your hands while fighting deadlines. You will become a recluse as all your time is occupied with digesting the mountain of information and plethora of thoughts. Don't do it if you think there is money or fame in it—there may not be. Don't do it, except if the subject interests you and you are excited about sharing it with others. Thanks, Chris Marshall, for that sane advice!
Flowing from that advice, I chose compliance risk management, a young, evolving, layered, and intricate discipline. As a hands-on practitioner in the financial services industry for almost three decades, I have interacted with different stakeholders—seniors from banks and financial institutions, regulators, business consulting, technology providers and industry bodies—and have garnered a distinct canvas of knowledge in the compliance field that needs to be shared through a credible medium (and, thus, this book). I truly believe that done right, active and positive compliance is a value multiplier for business. The content is a blend of the body of knowledge gained through first-hand experience and wisdom from industry participants through interactions with relevant stakeholders, which gives it a distinct real-world perspective.
Demystifying a subject like compliance risk management, a fabric with many hues, at once an art, a craft, and a science, was demanding to say the least. The task was challenging and therefore creatively stimulating. The attempt is to go beyond evangelizing the relevance of compliance to bring real-world experiences in the arena of banking and financial services and to capture the changing contours of the subject as well as draw out compliance risk as a distinct risk discipline, thus enriching the dialogue and contributing to the healthy growth of this young and dynamic subject.
The narrative is shaped by the distinct influences of two of my mentors. The first one taught me that “all fundamentals are simple and straightforward and do not need the garb of jargon to claim their rightful place. You resort to jargon when you want to camouflage the fact that you are not clear.” The mantra of the second mentor was “Elevate the debate, energize the dialogue, and go from what it is to what it can be. That is how growth and progress happens.” The tone of the book, therefore, is simple and straightforward. The attempt is to elevate the context of compliance from its current reactive stance to how a proactive strategy can create a clear differentiator in a largely undifferentiated market and become a powerful competitive weapon for the organization.
The main theme underlying the book is that it pays to responsibly grow business by enhancing stakeholder value. It encapsulates the following subthemes:
Integrity at the core of responsible business
The distinction between business and “healthy” business
“Win-Win” approach for all stakeholders as the secret for sustainable growth
Active compliance management as “strategic tool” in value creation, preservation, and enhancement
This book contains relevant information for all of the stakeholders of the financial services industry.
This book seeks to address three principal objectives:
To serve as a practitioner's handbook by detailing the process, content, and operations of compliance while acknowledging real-life issues
To transcend the rhetoric and move compliance into a business model and business operations arena by bringing to the fore the role and relevance of positive and active compliance management in value creation for organizations
To contribute to the growth of the narrative of this young, evolving discipline and serve as a reference literature on compliance and its risk management in financial services
The book is divided into five parts. To set the real-world context, every part is prefixed with Practitioner's Notes, thoughts shared by real-world practitioners from the financial services on the themes of compliance. Each of them has experienced compliance from different perspectives. Three of them have been senior regulators of their respective countries in addition to other roles, and two of them are senior bankers. They bring their experience to bear through their notes.
The first part is an introduction to the compliance universe. This section seeks to set the context of compliance and its risk management in banks and financial services. It provides a bird's-eye view of the landscape. It traces the history through some significant events/accords that have played a pivotal role in the evolution of formal compliance function as we see it today. It looks at the drivers, both direct and indirect, that are shaping the contours of this young discipline. It explores the broad areas of regulation and supervision, including the major bodies that define boundaries of compliance.
The second part covers the What, Why, and Who of compliance. The What section breaks the understanding of compliance free from the narrow confines of merely being “compliant” to take it to its higher potential of being a critical element of holistic and healthy growth of the enterprise. It addresses the semantic maze in the space and delineates the oft-used terms and their relevance within the overall context of subject. It explores interconnections with other related aspects of the organization like ethics, governance, and risk management.
The Why section makes a strong business case for active compliance management, as its positive alignment with the organization's business model will enhance both the top line and the bottom line. The attempt here is to unveil the umbilical cord between the success of the business objectives and proactive compliance as a strategic intervention. This leads to a conversation on cost-benefit analysis as also the relationship between the business model, strategy, and compliance.
The Who section looks at the canvas of players in the financial services space. It covers the entire ecosystem of stakeholders of the industry, not just the designated compliance officers. The discussion covers the expectations from these players—their responsibility, accountability, and the interrelationships. It rounds off the conversation with the lines of defense an organization has for proactive compliance management.
The third part addresses the important How question: How do we create a positive and active compliance management (PAC-M) program? It covers the entire gamut of such a program, starting from defining the policy statement. Various compliance models, training, communication plan, boundary definitions, and compliance reporting are discussed. It explores the strategic and structural framework inclusive of structure and content of the compliance charter.
The book then dovetails the various aspects of operational framework like the compliance masters and compliance maps with indicative templates for each of them. Operations and management of various aspects like breaches, complaints, remediation, and more are discussed. The “multi” maze that large organizations have to handle, like multiple jurisdictions, multiple laws and regulations, and multiple regulators and authorities, is briefly explored. The third part addresses the entire life cycle of compliance right up to building a learning organization.
The fourth part examines the concept of compliance risk, one of the youngest forms of risk in the family of risks. This section takes a comprehensive look at the manifold aspects of the concept. It endeavors to expand the scope and depth of compliance risk definition, exploring the range of subrisks under its umbrella.
This conversation then covers the complete life cycle of management of compliance risk. Various aspects like risk appetite, risk identification, risk measurement, mitigation, monitoring, action tracking for remediation, and regulatory dialogue are examined. Sample scorecards and the process of building them are detailed with examples.
The fifth part of the book covers the real-life aspects and challenges of compliance management within financial services organizations. The focus is to succinctly bring in the real-world issues that industry participants struggle with while translating an ostensibly foolproof plan into practice. I have drawn from my own experience and that of other practicing professionals to share challenges being faced as they are, without sugarcoating any of the issues.
The conversation delves into the various challenges and their ramifications: the gray areas, overlaps, conflict zones, and myths associated with compliance. Lessons the industry has not learned are examined through a sample of actual incidents and experiences that shook the industry. Practical solutions to some of the operational challenges are also explored.
The last three parts (How, Compliance Risk Management, and Real-Life Issues) together are the essential toolkit of the book. These parts with their templates, score cards, models, formats, and real-life examples will, I hope, help practitioners both in realistically understanding the field and in effective execution of their responsibilities.
In the closing notes I share my thoughts on how compliance risk management is likely to evolve and my views on what will aid in the healthy growth of the discipline.
As a regulator and practitioner I have seen that organizations that miss or ignore the vital link between business model and compliance have had higher cost of compliance and lower return on investment, not to mention reduced business opportunities. Like Ms. Saloni Ramakrishna persuasively articulates, it is vital to understand the umbilical cord between business model and compliance.
There are two critical aspects to the business model (BM) of a bank. The first is the strategic business model defining what products, markets, customers, and regions the bank would like to be in subject to the Board's risk appetite. The second underpinning is the target operating model (TOM), which covers governance, decision making, recruiting, technology, human capital, legal structure, and operations. The objective of the bank is to execute its business strategy with an optimal TOM. Compliance lies at the heart of the TOM. The BM/TOM constrained by regulation must maximize its risk-adjusted return on capital (RAROC).
Compliance costs have spiraled upwards across the globe. The estimate is that over 30 percent of costs are spent on compliance. This has lowered revenue/cost ratios significantly, and it is estimated that compliance costs drive down ROE (Return on Equity) by a full six percentage points among the GSIFIs (Global Systemically Important Financial Institutions) and DSIFIs (Domestic Systemically Important Financial Institutions). Hence, it is critical as a long-term strategic imperative to get these costs down through changing the BM and ensuring that a firm has selected the most cost-effective TOM.
There are three core channels of impact on the financials. In simple terms, risk-adjusted profitability equals (R − C)/K, where R is revenues, C is costs, and K is a measure of risk-weighted assets (RWAs). Spending on projects drives up C. Furthermore, if the control framework and risk management are still poor, then the firm will suffer a drop of revenue through fines, penalties, licenses revoked, and lost customers. Firms that are found to have weak governance structures and incompetent risk management will be hit by both pillar one and pillar two capital charges. Finally, the valuation of share price will be lower if any of the aforementioned impacts are volatile. For example, continual penalties (like PPI (Payment Protection Insurance) or AML (Anti–Money Laundering) violations) will create excessive volatility, and profits will not be perceived as sustainable. The proactive compliance driven by business integrity that Ms. Saloni Ramakrishna strongly advocates as the vehicle for value creation is rooted in the impact it has on all of the three variables (R, C, and K) that have a bearing on the risk-adjusted profitability.
Given that compliance is in itself expensive, it makes sense to ensure that money is spent wisely so that major risks are avoided before they become a problem. Prevention is much cheaper than remediation, so choose the areas that give rise to the biggest risks and do not assume that the TOM is a given. It always pays to create a specific blueprint for the industry and firm and implement projects once! The three lines of defense model has its drawbacks. Often, the front office takes no responsibility for operational failures. Regulators are forcing changes in compliance where senior managers are being held accountable and have to self-attest that systems and controls are in order. For example, see the senior managers regime (SMR) in the UK: It is important that every control has an owner, a challenger, and assurance that this process is implemented. The blueprint that Ms. Saloni Ramakrishna details in the How part of the book captures these principles elegantly and fleshes them out through actionable templates.
Firms should adopt compliance as a core strategy, and expenditures should be targeted in the areas that have the largest breach risks such as mis-selling. In a compliance strategy the following three factors are critical. Firstly, a firm must account for compliance in their TOM and the knock-on impact on the BM. Secondly, compliance must not be executed as a box-ticking exercise, but rather project budgets should be aligned with the greatest risks to the bank in an optimal control framework. Finally, given the huge drain of resources, banks should prioritize projects. A bank that desires a stable profit stream needs to ensure that this can be delivered by a compliant target operating model. The new agenda for compliance is to ensure that it is in sync with the risk appetite of the firm, the conduct strategy, and the axis of the BM/TOM. “Active and positive compliance” is the core of sustained healthy growth of a financial organization and the theme of this book.
—Dr. Colin Lawrence
Dr. Colin Lawrence has a PhD in Economics from the University of Chicago. He is a partner with EY LLP, UK; former director of the Risk Specialists Division (FSA and PRA); and former strategic risk advisor to the Deputy Governor, Bank of England. Dr. Lawrence is a well-known practitioner with varied experience as a regulator, a banker (he was managing director in derivative trading at UBS and Global Head of Risk at Barclays), a consultant, and an academic.
“Money plays the largest part in determining the course of history.”
—Karl Marx
It is a chicken-and-egg story: “Regulation influences banks' behavior by shaping the competitive environment and setting the parameters within which banks are able to pursue their economic objectives.”1 Interestingly, however, banking crises have been the trigger for many, nay most of the regulations, more so in recent times. So it is difficult to say whether it is the regulations that are shaping the behavior of banks or banks breaching the expected fair business practices that is shaping the structure and content of regulations. Or is it the interplay of both that has created the complex structure and behavior of the banking industry and, by extension, financial services and its regulations?
It is not an exaggeration to say financial services is perhaps the most regulated industry in recent years. There are more regulations, more expectation of compliance, and more supervision to ensure compliance. There is unprecedented scrutiny of the industry at national, regional, and global levels. This scrutiny and the host of far-reaching regulations together are of topical interest not only for the stakeholders but also to policy makers, politicians, and media, thus putting the spotlight on adherence or lack thereof to the set expectations.
“Financial services” is a broad umbrella term that covers different subsectors like banking, insurance, securities, investment management, and so on. The division into subsectors is more of academic interest, given the changing contour of financial services industry like:
The emergence of financial conglomerates that are growing both in size and numbers
Bank, insurance, and market intermediary linkages that are becoming commonplace
Abolition of barriers/restrictions on investment/commercial banking combinations2
Unified or stand-alone, these sectors combine to form the economic vehicle of a country, a group of countries, or the entire globe to facilitate movement of capital and currency across. They help channel money from lenders to borrowers and vice versa through financial intermediation. It is no exaggeration, therefore, to say that they are responsible for the financial well-being of not just individuals and firms but also countries.
Given the criticality of the industry, it is understandable that the environment it operates in and its various stakeholders have expectations in terms of dos and don'ts from the industry. These dos and don'ts are spelled out in the form of laws, regulations, standards, and codes of conduct. Financial services organizations are expected to comply with these requirements in such a way that there is order in the system and all stakeholders are protected, including the financial services organizations themselves.
Regulatory change is the only constant across industries. The rate of change is what differentiates financial service regulations of recent times. The debate on regulation versus deregulation, market maturity versus too big to fail, less regulation versus excess regulation, and regulatory gap versus regulatory overlap continues to rage.
Be that as it may, it has resulted in a tidal wave of regulations, which some of my banker friends call a tsunami of regulations. Add to this the increasing stakeholder demands for scrutiny, and one would understand the colossal challenges that the industry faces in managing its environment. This also explains why compliance activities have moved from being transaction-focused to becoming integral elements of business management. In spite of the multiplicity of regulations, the paradox of their coverage is that there are pockets of over-coverage like those for deposit-taking institutions and for traditional products, typically for the “on–balance sheet items.” In contrast, there are fewer regulations of firms that pass under the radar while dealing in huge volumes of money, value, and instruments. An example of this category is the hedge funds that deal in innovative off–balance sheet products or derivatives. This leads to a regulatory imbalance that affects both ends.
The purpose of regulation is essentially sixfold, and here I use the term “regulation” broadly to encompass laws, statutes, regulations, standards, and codes of conduct. They are:
To ensure fair market conduct and protect the various stakeholders, particularly consumers and the markets
To reduce, if not completely take away, information asymmetry between the financial services and the customers who buy products or services from these organizations
To protect financial services from unwittingly becoming conduits for financial crimes such as channeling money for antisocial activities like money laundering and terrorist financing
To reduce the probability and/or impact of failure of individual financial services firms, especially the “too big to fail” category firms, which could trigger a contagion effect
To ensure the safety and stability of the financial system
To create a level playing field that reduces monopolistic, anticompetitive situations that would result in less choice and higher price points for customers
All these seem like noble objectives. If that is so, where is the challenge in adopting these measures is a question that requires exploring. As businesses have become more complex, so have the regulations and the resulting obligations. Interestingly, compliance or noncompliance is the outcome of an organization's meeting or not meeting those obligations. The maze gets multiplied with the multiplicity of regulators. Should a country have a single regulatory body for all the components of financial services like the United Kingdom (until March 31, 2013, when it was split into two regulatory bodies with distinct areas of operation, one focused on Prudential regulations and the other on Conduct), Japan, and Indonesia (Indonesia adopted this model in 2011)? Or should there be multiple regulators, with the USA being the lead example? Both have their pros and cons.
The focus should be on how regulation is conducted and not so much on who regulates or how many regulators. There is a constant debate as to whether more regulations or a more effective mechanism for implementing the existing regulations could solve the problem. This is a difficult question and merits a closer look, something we will attempt in a subsequent chapter. The relevance of this question is that the more regulators there are, potentially the more regulations there are, requiring more effort at planning and executing compliance.
A disturbing trend over the past few decades is that the system has gotten into a vicious cycle of financial services organizations breaching the rules and regulations both overtly and covertly with serious and negative impact not just to themselves but also the system in which they operate. Like Newton said, “Every action has an equal and opposite reaction.” These breaches and their resultant impact have typically been met with two obvious responses:
More and more regulations (the newer regulations are getting broader and deeper)
More supervision (both off-site and on-site) by the lawmakers and regulators
As a natural outcome of the two responses, compliance over the last decade has become, or more appropriately been made to become, a fundamental component of financial services by taking on a more formal shape and structure. The challenge that this evolving structure is grappling with is to “comply” with an ever-expanding plethora of regulations. That leads us to two interesting questions: What is compliance? Where does it start and stop? There is apparently a simple answer to the first and a not-so-clear one for the second. Two definitions or descriptions of compliance provide a good starting point for the conversation. It is important to understand that present-day compliance, particularly in the regulatory context, has two aspects:
The actual adherence to standards and regulations
Demonstrated adherence to standards and regulations
The first is an understood and accepted high-level expectation from the compliance function. It is the second that is worth a closer look. The compliance universe will be increasingly tasked with the responsibility of “demonstrating compliance.” Demonstration at a fundamental level makes two demands on the system. The first is the expectation of transparency and free flow of information. The second is the tracking and recording of proof of compliance. It is these aspects that will increasingly challenge organizations on multiple fronts. Starting from information and people silos, to lack of proof points, to deficient communication, and to actual noncompliance, there are many systemic issues that need addressing.
The emphasis is both on increased transparency as well as on greater enforcement. We will revisit this aspect under the section on real-life issues of compliance. The relevance of this definition is to illustrate the point that the understanding of and expectation from “compliance” is expanding manifold. The Australian standards discussed next add additional depth to the conversation.
Australian Standard AS 3806—2006 describes compliance as “adhering to the requirements of law, industry and organizational standards and codes, principles of good governance and accepted community and ethical standards.” As a practitioner, I see this as a more appropriate and encompassing definition. Particular mention needs to be made of the last part of the aforesaid description. The specific callout of “principles of good governance and accepted community and ethical standards” interests me, because the earlier part is the “letter” aspect of compliance, and the latter one is the “spirit” aspect. The overemphasis on the first across time has, as we have seen, not been effective. This definition puts the focus where it should rightfully be—on the intention to encapsulate principles of good governance and business ethics at the core of compliance.
The 2012 LIBOR (London Interbank Offered Rate) scandal is an example where a highly respected body of bankers flouted basic business ethics and took the entire system for a ride. We will discuss the scandal itself in some detail under the Real-Life Cases. For now, the reference is to highlight the fact that the foundation of positive compliance is good governance and sound business ethics. It is the bedrock of sustained and balanced growth. The absence of this bedrock could give monetary gains in the short term but would collapse like a pack of cards when it is discovered that the “business ethics” foundation was faulty or nonexistent. There are proof points galore on this from Northern Rock to Bear Stearns to Countrywide Financial to Washington Mutual to Lehman Brothers, apparently infallible organizations whose names do not exist anymore because of one crisis.
The impact and acceptance of compliance risk as a critical risk in a short period of under a decade is evident through the fact that it is today considered at the top of the risk table. This is because of the challenge of balancing business objectives and the environmental expectations as detailed through several laws and regulations. Imbalance leads to compliance risk. The compliance function is tasked with managing the conflict of interest and ensuring that a win-win situation is created, which is a tall order to say the least.
The other fundamental challenge of compliance risk is that it cannot be addressed through a capital cover, a fixed percentage of capital, say the 8 percent prescribed for the traditional risks like credit, market, and operational risks. There is no “fixed downside” that can be provided for. This is because it is difficult to both quantify the quantum of compliance risk that a bank carries and truly provide for a worst-case scenario. This aspect will be discussed in some detail in the section on risk management.
From an evolution perspective compliance expectations have always been associated with every passing regulation. In the earlier times different disciplines within the organizations would subsume the responsibility of fulfillment of the related obligations. Formation of a compliance function can be traced to the late nineties when regulators like Reserve Bank of India called for the introduction of a “compliance officer,” a trend reflected in other countries like UK's MLRO, where it was made mandatory to have a “nominated officer” in 2007.
But most of these measures were disjointed and sporadic responses, and both regulators and industry soon realized that the area of operations of compliance “needed not only to be enlarged but very clearly defined.”3 What all of the recent regulations topping off with the BCBS 2005 guidelines have done is to establish compliance and compliance function as a necessary part of the industry. As one regulator put it, “In a sense, the need for compliance can, effectively, be equated to the frictional force which, though it impedes the progress a bit, is still necessary for movement. Compliance works more as a lubricant which oils the business machinery and keeps it going.”4
For a better appreciation of the context, it is important to look at both the past and present events that have shaped the content and structure of compliance in financial services. From there, it will be possible to look at the possible future more realistically. I must confess that my respect for historians went up manifold as I realized how difficult it is to get comprehensive and objective information chronologically, if at all, as you try to wade through pages of history and stitch them together in a logical and cohesive way.
Tracing the history of formal compliance initiatives in the financial services industry will not take us too far back because compliance as a distinct subject is fairly young. An attempt at formally defining “compliance risk” and acknowledgment of its place among the risk categories is as recent as the BIS definition in 2005. But rules and the expectation that they be complied with and the breaches thereof are as old as mankind itself. How old? Well, the first known compliance breach, like I mentioned in the preface, is as old as Adam eating the forbidden apple!
Through history there have been rules as well as people and organizations that have broken them, leading at times to dire consequences. The concern is that people and organizations have not learned from these consequences. It almost seems like organizations have developed a sense of selective amnesia with respect to the possible negative outcomes. They tend to make the same or similar mistakes, both consciously and unconsciously. Later in the book I will discuss examples of some of the large and prospering organizations that have disappeared from the face of the earth because of breaches explicit and implicit, under the heading “Lessons Not Learned.” For now the focus is on gaining a peek into the history of compliance in financial services.
Tracing the word compliance per the Merriam Webster dictionary, the first known use of the word is circa 1630. The first known use of its base word comply was 1602. The origin is from the Italian complire and from Spanish cumplir, which means to complete, perform what is due, be courteous, a modification of Latin complēre. Each of these components is applicable even in today's organizational context. However, since the effort here is to trace the concept in the context of financial services, the start date will be the twentieth century forward.
In financial services, it is not an exaggeration to say that the history of compliance is closely connected with regulations; and regulations have, more often than not, been after-effects of scandals or crises, incidents that shook the economy (call it panic or recession). In a way, tracing financial crisis points across time gives a fair idea of the development of regulatory framework and, by extension, implicit and explicit compliance expectations. The structured regulations for financial services have started evolving from the 1980s onward. The explicit callout of compliance with a formal structure is of a more recent origin, essentially a twenty-first-century phenomenon. This is because compliance is a post-regulation process and hence lags it.
The period from 1980 until now has seen more legislation and regulations affecting financial services industry than all other times put together. This directly correlates to the growth in complexity of the industry as well as breaches of expected fair business practices. A consequence, unintended of course, is the fact that compliance, once considered a dusty corner table function—dry, soporific, and uninspiring—is now animatedly debated among not just financial industry and regulators but also political and media circles as well. The effect is that both the industry and its regulators have to assimilate and adapt to the rapid changes and intense scrutiny.
As a representative sample of the evolution I have taken two sample countries, USA and UK, as they have been frontrunners of newer and deeper regulatory frameworks, which were largely followed with regional modifications by other geographies. I have focused on BIS norms at a global level as indicative of the history of growth of active regulation of the banking industry. These frameworks are shaping the formal compliance structures and expectations. I have, for completeness, added one sample each of the regional and industry bodies to illustrate the point that there are others that are joining the formal role holders in shaping the narrative of the compliance landscape globally.
Tracing the history of recessions in the United States, their root causes, and the resultant regulations is a fascinating journey and provides some interesting insights. There have been recessions across time, like the recession of 1818 to 1819 that had claimed the Second Bank of the United States as its casualty, though how much of it was due to banking crisis and how much due to disagreement between the then-President of the United States and the head of the Second Bank is a historical debate. However, since the focus here is to understand the historical perspectives with respect to the growth of compliance, I am picking a few that had a direct or indirect impact on the industry's compliance culture and processes.
The first one on that list is the Panic of 1907 as it was the genesis of the Federal Reserve, one of the most important institutions that influence both regulation and deregulation of financial services. During the 1907 financial crisis the New York Stock Exchange fell by almost 50 percent of its previous-year peak with runs on banks and trust companies. This crisis strongly brought home the need for a central banking authority to ensure a healthy banking system. “The Federal Reserve Act was signed as a law by President Woodrow Wilson on December 23, 1913,”5 and the rest, as they say, is history.
The years 1929 to 1935 is the next period I chose as part of tracing the lineage of financial services regulations, as it had a significant regulatory impact for the United States with a lag for the rest of the globe. “In October 1929, the stock market crashed and the US fell into the worst depression in its history. From 1930 to 1933, 10,000 banks failed.”6 As an aftermath, significant changes in the regulatory landscape came about. The Banking Act of 1933, better known as the Glass-Steagall Act, the establishment of the Federal Deposit Insurance Corporation (FDIC), the 1935 Banking Act, and the creation of the Federal Open Market Committee (FOMC) were all of this period.
During the same period, two significant acts to regulate the markets were passed. The first, the Securities Act of 1933, often referred to as the “Truth in Securities act,” had two basic objectives:
Require that investors receive financial and other significant information concerning securities being offered for public sale.
Prohibit deceit, misrepresentations, and other fraud in the sale of securities.7
The second was the Securities Exchange Act, which was enacted on June 6, 1934. It established the Securities and Exchange Commission (SEC) that is responsible for enforcement of the act. “The act empowers the SEC with broad authority over all aspects of the securities industry. This includes the power to register, regulate, and oversee brokerage firms, transfer agents, and clearing agencies as well as the nation's securities self-regulatory organizations (SROs).”8 These regulations and the authorities tasked to ensure the compliance of those regulations played and continue to play a very important role in setting and shaping compliance expectations not just of the United States but the rest of the world as well.
