All of the signs are that 2013 will stretch risk and compliance functions further still. A number of regulatory changes will move to the implementation phase while others are being delayed, argued over and interpreted on a jurisdiction-by-jurisdiction basis. 2013 may well prove to be the ultimate juggling act for compliance officers as they advise on and oversee fundamental reforms within their firms while managing the external regulatory issues.
To increase the chances of a successful 2013, compliance officers should assess the following:
1. Preparedness for the new UK regulatory regime
2. Compliance coordination
3. FATCA
4. Data protection
5. Culture
Firms with authorized business in the UK should already be aware of whether they will be regulated by the Financial Conduct Authority (FCA) alone or jointly with the Prudential Regulation Authority (PRA) from April 2013. The legal "cut-over" has been designed to minimize the immediate changes. While this should ease the transition, it does, by definition, store up even more change for later in 2013.
There are two key areas in particular for firms to consider. The first is grandfathering of employees into the new regime. If it has not already happened, firms would be well advised to build and maintain a single central record of all employees in all parts of the group. This is particularly true of international groups where employees may hold a number of directorships and/or registrations in a number of different legal entities in a number of different jurisdictions.
The other key area is that the new regulators will have the power of "direction" over the holding companies of authorized firms. It is a distinct change to the approach to regulation in the UK that the FCA and PRA are to be given the power to look at non-authorized UK bodies and at individuals in parent entities across borders. UK compliance officers need to ensure that all UK and overseas entities likely to be affected are fully aware of the planned reach of the new regulatory regime.
It is an accepted universal truth that the benefits of a strong working relationship between firms and regulators are manifest and well worth the investment from both sides. This is even more pertinent when managing the compliance and regulatory relationships in an international firm when the information flows, lines of communication and authorizations may be at a number of different levels and across multiple borders.
Firms would be well advised to build the infrastructure needed to exercise central control over both regulatory relationship management and information flows to and from regulators, but that control must take into account all applicable rules and requirements in all the jurisdictions in which a firm operates.
Developing best practice is for the firm to have a single central point of contact for all regulatory relations and to coordinate and track all major information flows. This does not refer to routine electronic regulatory reporting, such as position reporting, but rather to visits, one-off information requests, senior manager meetings and lobbying, whether in person or by responding to consultations.
Being able to aggregate the fact that several different regulators are all asking about the same issue in several jurisdictions, for instance, could give a valuable insight into a developing regulatory concern. With information flowing the other way, group compliance would be able to inform local compliance functions about a significant issue elsewhere in the world of which local regulators may need to be made aware.
The implementation of the U.S. Foreign Account Tax Compliance Act has been delayed until the beginning of 2014 and, while the longer time scales will help firms, the challenges associated with FATCA compliance remain significant. At its heart, FATCA requires all firms, no matter where in the world they operate, to identify and report on U.S. persons and assets. The identification element requires firms to extend their "know your customer" procedures to include nationality, and the reporting obligation could put many firms in conflict with local data protection requirements.
In many firms the compliance function has been involved in the analysis and development of the policies and procedures required to comply with FATCA. For single-jurisdiction businesses, FATCA compliance should (assuming no conflict with local laws) be a relatively simple extension of existing KYC procedures, together with the associated information capture and reporting. For multiple-jurisdiction businesses, however, FATCA compliance is likely to be anything but simple, particularly given the multiplicity of intergovernmental agreements.
Firms would be well advised to consider implementing a single global approach to KYC to capture all required information and then also to build a central FATCA compliance function which can track and advise on the practical implications of each jurisdiction. Issues with FATCA non-compliance could all too easily spill over into other regulated areas and vice versa.
Good data protection is a core competency for all financial services firms. Customers of all sorts entrust firms with confidential, often sensitive, information which must be kept securely, used only for the purpose for which it was collected and potentially deleted upon request. The data protection regulator is, more often than not, separate from the financial services regulator(s) but should be treated with the same approach to relationship building and management as the financial services supervisors.
The UK Information Commissioner's Office (ICO) has been given ever-increasing powers to impose fines and in November 2012 imposed the first monetary penalty for breaches of the fourth data protection principle, which states that "personal data shall be accurate and, where necessary, kept up to date".
Firms subject to the UK data protection requirements should consider asking the ICO to undertake a "consensual audit" of their data protection arrangements. Any lessons learned could usefully be shared across the wider international group and should stand the firm in good stead when it comes to being seen to take "reasonable steps" over its data protection arrangements.
The myriad scandals still hitting financial services firms around the world have caused politicians and regulators to focus on what has been dubbed the "rotten" culture at the heart of too many firms. Culture is nebulous and very difficult to evidence effectively but in 2013 compliance officers and other risk and control functions need to focus on helping their board build a positive, compliant culture and being able to evidence that culture in action. A strong positive compliant culture goes hand in hand with effective corporate governance and risk management within a firm.
Good culture can be supported by appropriate structures and staffing, such as high-quality non-executive directors undertaking constructive criticism and challenge roles on all key management committees. Firms may even wish to consider creating a committee expressly to oversee the implementation and embedding of the proper culture.