Question One
The regulatory demands of the business environment have changed radically, and so has the role of the compliance function in enabling firms to remain successful in a highly regulated environment. For example, whereas compliance was once mainly a one-off task, the paradigm has evolved significantly and now requires constant review of current and new regulations, making compliance a far more sophisticated activity. A comparison of the compliance function today with that of a decade ago shows that the operation has developed into an innovation-fueled practice that is broader in both mandate and formality.
An analysis of GRC and a synthesis of expert opinion in the field of compliance suggest that, over the last decade, the role of the compliance function has developed from a human-centered to an innovation-fueled practice in order to help firms succeed in today’s highly regulated environment. As industry experts observe, regulatory technology has had, and continues to have, a seismic impact on the compliance function (Summerfield). A 2018 compliance risk study conducted among compliance officers at financial and health institutions revealed that compliance technology transformation would account for approximately 57% of spending in 2019 (Culp). Previously, the compliance function was centered on human capital, whereas today regulatory technology is gradually taking over the operation. Most notably, automated processes are now widely used in monitoring, reporting, and compliance with regulatory demands.
Furthermore, the mandate of the compliance function has developed so that it can protect firms against legal pitfalls more adequately. Scholars observe that the traditional expectation is that the compliance operation advises senior management on various regulations and monitors and reports adherence to regulatory requirements (Brener 965). About a decade ago, the compliance operation was mandated to act as an advisory function to companies and their employees. For example, compliance officers could advise businesses about external rules imposed by regulatory bodies and ensure that proper internal systems were developed to facilitate compliance. Over the years, this mandate has evolved to integrate a risk management role for more efficient compliance. Besides being an advisory function, the compliance function is today obligated to analyze the risks a company is likely to face in relation to external rules and to mitigate them accordingly.
Additionally, the role of the compliance function has evolved dramatically over the last decade from a subset of the legal department to a business area closely linked to the executive functions. Whereas the compliance function previously undertook its tasks at an operational level, its reach has expanded to the strategic level. Most notably, the operation is today significantly involved in strategic decision-making in companies.
As a result of the massive development of the compliance function, the technical and personal skills required of competent compliance officers have also grown significantly in breadth and complexity. For example, because of the ongoing digital transformation, compliance officers are today expected to have adequate technical skills to deploy and use regulatory technology. Additionally, the changing mandate of the compliance function has been a critical driver in broadening the personal skills that compliance officers should possess. For example, today these officers are required to have effective communication skills to articulate their ideas to board members about compliance programs and enterprise risks, and leadership skills to guide others in adhering to rules and policies. Overall, the evolution of the compliance function over the last decade has led to more complex and broader skill requirements for compliance officers.
Question Two
As an entity operating in the financial sector, International Firm (FI) is susceptible to multiple compliance risks, which are mainly driven by the changing nature of the legal landscape. If unmanaged, these risks can lead to material financial loss and a bad reputation for the firm (Losiewicz-Dniestrzanska 801; Sandford et al.). Therefore, the compliance function should follow the four steps of the risk management process (identification, measurement, control and mitigation, and monitoring) to avoid the compliance risks associated with the financial industry.
The first stage of the risk management process is risk identification. As the New South Wales government states, this stage entails actively identifying and documenting historical, current, and emerging risks within the firm (8). According to Hillson, risk identification also exposes opportunities for the firm and should be encompassed as part of the overall measurement outcome (qtd. in O’Neil 347). In this context, the function heads should identify all relevant external and internal legal obligations that relate to their respective operations. Sources that the functions may use to identify these risks include historical audit reports and consumer lawsuits.
After risk identification, the firm’s functions should proceed to the next stage, risk measurement. The identified risks should be assessed for their relevance so that their severity can be differentiated (Losiewicz-Dniestrzanska 801). For example, the identified risks could be categorized according to their likelihood of occurring and the impact (minor, moderate, major, or catastrophic) they may have on the firm’s operations. Like the first phase, risk assessment is crucial because it helps the compliance function heads prioritize risks and allocate the firm’s limited resources effectively to mitigate them.
The third stage of the risk management process is risk control and mitigation. In this phase, the compliance function heads should focus on reducing the likely causes of the risks and their adverse effects (Losiewicz-Dniestrzanska 802). Initiatives that may be established at this stage include training employees on the existing legal landscape to ensure operational compliance and establishing internal procedures to facilitate adherence to internal and external legal obligations. It is worth noting that reducing risks to a “zero” level is almost impossible to achieve (Losiewicz-Dniestrzanska 802). Therefore, the compliance function should aim to reduce the likelihood that the risks occur.
The fourth stage of risk management is risk monitoring. At this stage, the compliance function heads should cooperate with other units in the financial institution to audit the key areas of business activity against the established initiatives (Losiewicz-Dniestrzanska 802). Most notably, it is at this juncture that the functions should assess whether the identified and mitigated risks remain within an acceptable level.
Overall, the proposed approach would be useful for risk management in the compliance function because it meets the requirements established by the International Organization for Standardization (ISO) and contains actionable information. Most notably, ISO 31000, an advisory standard for a compliance management system, states that managing risk should follow a process consisting of risk identification, analysis, evaluation, and treatment (“ISO 31000:2018”). All four requirements are adopted in the proposed approach, which suggests that it will be effective for risk management. Besides, all the proposed measures in the risk management process, such as training employees and establishing internal compliance procedures, are actionable, thereby making the approach effective for the entity.
Question Three
The selected case scenario highlights significant concerns in the current approach used by EveryFirm International (EI), a company that operates in the financial sector. Most notably, the firm conducts a one-off vetting process for its employees and restricts the practice to specific positions. Also, there is no proper record keeping of staff training, and poor compliance records are not reflected in workers’ appraisals and remuneration.
Drawing on the content of the scenario, it is evident that EI’s approach to the recruitment, vetting, and training of both junior and senior staff in key roles is not acceptable because it does not comply with the regulations of the Financial Conduct Authority (FCA). Most notably, the FCA requires regulated financial firms to conduct enhanced vetting for staff in roles with access to large amounts of customer data (“Data Security in Financial Services” 6). This vetting includes checking the staff’s criminal and credit records.
In most cases, employee vetting should be a regular process so that the firm keeps an updated record of staff profiles. This principle is evident in the FCA’s handbook, which requires the establishment of formalized procedures to assess regularly whether staff in higher-risk positions are vulnerable to committing fraud or being coerced by criminals (“Data Security in Financial Services” 6). However, as the case scenario shows, EI conducts a one-off vetting exercise, which is unacceptable in the financial sector because the practice fails to give the firm an ongoing picture of employees’ credit status and criminal records while they work in the entity. Besides, EI’s enhanced vetting is limited to specific roles and excludes all senior management roles, which is unacceptable. Most notably, failure to vet all senior staff may expose the firm to financial losses, since an unvetted executive team is more likely to engage in illegal activities such as fraud. Therefore, besides being unacceptable in a legal context, EI’s vetting process is likely to increase the entity’s susceptibility to financial losses caused by an undetected lack of integrity among senior staff.
Furthermore, an analysis of EI’s recruitment process reveals that the firm fails to keep abreast of FCA guidelines. Most notably, the regulator recommends that firms have an appropriate recruitment process to review the fitness and propriety of employees (“Operational Risk” 13). The process may include proper identification of job vacancies, analysis of job requirements, and methods of reviewing applications, shortlisting, and selecting candidates. The regulator also requires financial firms to assess candidates’ honesty and competence at the point of recruitment to ensure that they are fit for the position (“Systems and Controls” 3). An in-depth analysis of EI’s operations suggests that it lacks an appropriate recruitment process, because the appointment of an interim head of compliance is only discussed when the need for a new candidate arises.
Besides recruitment and vetting, EI’s current approach to the training of senior and junior staff is unacceptable, notably because it is infrequent. As the literature suggests, a continuous process of training interventions in banks is a must to help build the right mix of skills, attitude, and conceptual understanding among employees (Afroz 111). Arguably, employees can quickly develop a bad attitude towards work if management makes no effort to train them in their areas of need. Furthermore, the financial sector is fast-changing, fueled partly by the infiltration of technology. Therefore, without proper training, staff at any level of the financial industry may encounter challenges in undertaking their duties effectively. With this in mind, it is clear that EI’s infrequent training of senior and junior staff is unacceptable because it may leave employees unable to keep abreast of the ever-changing financial environment.
Furthermore, EI’s failure to keep updated training materials and logs and to track employees’ training history is unacceptable because it violates the FCA’s record-keeping guidelines. According to the FCA, regulated firms must make an up-to-date record of the continued professional training and development completed by each relevant employee every 12 months (“SYSC 28.4 Record-Keeping Requirements”). The regulator also requires firms to retain the records for not less than three years after the relevant employee stops carrying on the assigned activity (“SYSC 28.4 Record-Keeping Requirements”; “Training and Competence” 3). While keeping training records is a legal requirement established by the FCA, it is also a beneficial practice for firms because it aids in aligning incentives with employee merit. Besides, record-keeping is among the many tools a company can use to identify employees that have the essential skills to fill a job position. Therefore, EI’s failure to keep proper training records is unacceptable because it violates the FCA requirement on training and record keeping. Besides, without correct records, EI may assign duties to employees that lack the skills to undertake the tasks efficiently.
Question Four
Legal frameworks such as the General Data Protection Regulation (GDPR) impose a strict obligation on EI to ensure organizational compliance with external specifications, policies, and standards. Besides the external legal frameworks, EI also has internal policies and standards that govern its operations and that, if violated, can result in financial losses. Although compliance officers are the primary individuals tasked with ensuring that EI complies with both external and internal policies, this report illustrates how recruitment, vetting, and training activities can also support an effective compliance and risk culture within the firm, and makes recommendations regarding the recruitment of the interim head of compliance and risk.
Role of Recruitment, Vetting, and Training Activities in Supporting Effective Compliance
Recruitment is among the primary practices likely to either mitigate or promote compliance risk within a firm. Most notably, it is through recruitment that EI acquires the human capital required to undertake various activities and provide services to customers. Arguably, if recruitment is conducted according to the guidelines established by regulators such as the FCA, the firm can acquire a competent workforce that is fit for its job positions. In turn, a qualified workforce is more likely to comply with both internal and external policies and bylaws than a less competent one, because the former has a better understanding of the job requirements. Besides, if appropriate recruitment is conducted for every job position, EI can efficiently build a culture of compliance because all employees will share the value of adhering to the firm’s internal rules and those established by regulators. One example of good recruitment practice that can support an effective compliance and risk culture is a well-designed recruitment process that ensures EI hires individuals who are fit for the various job positions.
Besides recruitment, vetting can also support an effective compliance and risk culture by enabling EI to eliminate candidates that may be a source of regulatory risk. Arguably, employees with a poor credit history are likely to ignore rules established by regulators in order to benefit from fraudulent transactions. Similarly, employees that develop a criminal record before or after being hired by EI are at risk of violating the regulations that govern the industry for personal benefit. Vetting can therefore play a critical role in promoting compliance at EI by ensuring that only individuals who are not vulnerable to fraudulent practices remain in the entity. Good vetting practices that EI may adopt include establishing a formalized procedure for regularly assessing whether staff are vulnerable to committing fraud or being coerced by criminals (“Data Security in Financial Services” 6). As emphasized, vetting should be frequent to help EI maintain an updated record of its employees. Also, the formalized vetting procedure should not be limited in scope: it should be used to assess employees in all job positions.
Besides recruitment and vetting, training can also play a critical role in supporting compliance by reinforcing adherence to external and internal rules. As scholars observe, training is the most commonly suggested approach to facilitating compliance with information system security policies (Puhakainen and Siponen 757). If employees receive proper and frequent training, they become more familiar with legal expectations and are less likely to make mistakes that may have negative implications for the firm. Similarly, training both new and existing employees at EI can equip them with knowledge of current and updated policies in the financial industry, which can in turn foster compliance among workers. Good training practices that EI can adopt include conducting frequent training programs to ensure that all workers keep pace with the ever-changing regulatory framework. Also, EI can ensure that proper training records are maintained to act as a guide when identifying employees that have yet to receive training and those that have participated in all sessions.
As an international company, EI must recognize that the regulator is interested in recruitment, vetting, and training because of the current regulatory emphasis placed on individual employees within regulated entities. As the literature shows, regulators, particularly in the United States, continue to focus on individual bad actors within companies (Summerfield). Therefore, there is growing interest in understanding whether inappropriate recruitment, improper vetting, and lack of training are linked to non-compliant behavior among employees.
Recommendations
The management of EI must understand the critical importance of competence in the compliance function as it prepares to appoint an interim head of compliance and risk. Most notably, the hired individual will protect not only the firm’s bottom line but also its employees against legal pitfalls (Summerfield). Besides, as an international firm, it will be vital to have a compliance officer who is well versed in the compliance risks associated with both domestic and foreign jurisdictions. Therefore, the recruitment process must be appropriate to ensure the selection of a competent interim head who will protect and guide the firm through the regulatory landscape.
One recommendation for the management of the firm is to develop a comprehensive recruitment process to guide the hiring of the interim head of compliance. Having a well-established recruitment process that outlines the job description and the required skills and abilities will help EI examine candidates adequately without omitting essential aspects that may be detrimental to the organization’s operations. Besides, a documented recruitment process will help ensure that a standard, bias-free procedure is used to examine all applicants.
Furthermore, it is recommended that vetting be done at the initial stage of recruitment to ascertain the candidate’s legal and credit status before they join the organization. Candidates for interim head of compliance and risk are expected to have a history in the function and the knowledge, skills, and abilities required to undertake the role. However, besides reviewing their professional qualifications, the recruiters must vet the candidates thoroughly to help maintain an updated profile of their status.
Additionally, it is recommended that during recruitment candidates be assessed not only on their professional competency but also on their flexibility to fit into the firm’s operational context. As is apparent from the firm’s profile, EI has an international client base, which implies that foreign policies may also influence the entity’s practices. Given EI’s scope of operations, failure to consider international regulations may subject the firm to legal pitfalls that lead not only to financial losses but also to a bad reputation. Therefore, during the recruitment process, EI must evaluate the candidates’ flexibility to protect the firm’s bottom line in both domestic and foreign markets. If the proposed approach is adopted, EI will survive in the international financial regulatory landscape.
Works Cited
“Data Security in Financial Services.” FCA, 2008, www.handbook.fca.org.uk/handbook/FCTR/6.pdf. Accessed 12 Apr. 2020.
“Guidance for Regulators to Implement Outcomes and Risk-based Regulation.” NSW, Oct. 2016, productivity.nsw.gov.au/sites/default/files/2018-05/Guidance_for_regulators_to_implement_outcomes_and_risk-based_regulation-October_2016.pdf. Accessed 12 Apr. 2020.
“ISO 31000:2018 (en) Risk Management - Guidelines.” ISO, www.iso.org/obp/ui/#iso:std:iso:31000:ed-2:v1:en. Accessed 12 Apr. 2020.
“Operational Risk: Systems and Controls for Insurers.” FCA, www.handbook.fca.org.uk/handbook/SYSC/13/6.pdf. Accessed 12 Apr. 2020.
“SYSC 28.4 Record-Keeping Requirements.” FCA, 1 Oct. 2018, www.handbook.fca.org.uk/handbook/SYSC/28/4.html. Accessed 12 Apr. 2020.
“Systems and Controls.” FCA, www.handbook.fca.org.uk/handbook/SYSC/3/2.pdf. Accessed 12 Apr. 2020.
“Training and Competence.” FCA, www.handbook.fca.org.uk/handbook/TC.pdf. Accessed 12 Apr. 2020.
Afroz, Nushrat Nahida. “Effects of Training on Employee Performance: A Study on Banking Sector, Tangail Bangladesh.” Global Journal of Economics and Business, vol. 4, no. 1, 2018, pp. 111-124. pdfs.semanticscholar.org/4105/9ff9ef39a9d54ab024e0ae08792b67284ecd.pdf. Accessed 12 Apr. 2020.
Brener, Alan. “The Role of Compliance as a ‘Gate-keeper’ Function in Financial Services: Reality vs Regulatory Conception.” European Business Law Review, vol. 30, no. 6, 2019, pp. 965-984.
Culp, Steve. “How the Compliance Function is Evolving in 2018: Five Key Findings.” Forbes, 27 Mar. 2018, www.forbes.com/sites/steveculp/2018/03/27/how-the-compliance-function-is-evolving-in-2018-five-key-findings/#411d31631654. Accessed 12 Apr. 2020.
Losiewicz-Dniestrzanska, Ewa. “Monitoring of Compliance Risk in the Bank.” Procedia Economics and Finance, vol. 26, no. 1, 2015, pp. 800-805.
O’Neil, Allen. “An Action Framework for Compliance and Governance.” Clinical Governance: An International Journal, vol. 19, no. 4, 2014, pp. 342-359.
Puhakainen, Petri, and Mikko Siponen. “Improving Employees’ Compliance Through Information Systems Security Training: An Action Research Study.” MIS Quarterly, vol. 34, no. 4, 2010, pp. 757-778.
Sandford, Nicole et al. “Compliance Risks: What you Don’t Contain Can Hurt You.” The Wall Street Journal, 30 Jul. 2018, deloitte.wsj.com/riskandcompliance/2018/07/03/compliance-risks-what-you-dont-contain-can-hurt-you-3/. Accessed 12 Apr. 2020.
Summerfield, Richard. “The Evolution of Compliance.” Financier Worldwide, Apr. 2019, www.financierworldwide.com/the-evolution-of-compliance#.X1irSItRW00. Accessed 12 Apr. 2020.