System International (SI) is a growing financial institution which is well renowned for its products and services in the financial sector of Malaysia. For SI to advance and distinguish itself from other competitors in the same sector, sound compliance is essential both now and in the future. As the Chief Compliance Officer (CCO) of SI, it is my obligation to explain to the board and senior management the importance of compliance for SI.
Regulations are important as they lead an organisation to be fair, efficient and transparent in the market, protecting consumers and investors, helping to reduce systemic risk and maintaining consumer confidence (IOSCO 2003). Regulatory frameworks differ from one country to another, and they continue to evolve due to several factors, e.g. past regulatory failures, influence from the international and European communities, domestic and international political pressure, the development of complex products in the market, and the evolution of new technologies.
Malaysia operates under a dual regulatory framework with multiple key regulators, e.g. Bank Negara Malaysia (BNM) and the Securities Commission Malaysia. BNM, also known as the Central Bank of Malaysia, has the role of promoting monetary and financial stability, aimed at providing a conducive environment for the sustainable growth of the Malaysian economy (BNM 2018). BNM is empowered under the Financial Services Act 2013 (FSA), the Islamic Financial Services Act 2013 (IFSA) and the Central Bank of Malaysia Act 2009 (CBA) to act as the regulator of banking institutions. In Malaysia, BNM has gradually moved from a risk-based and enhanced principles-based approach to an outcome-focused regulatory approach. This evolution influences all companies in the financial sector, including SI, which must adopt the same approach to the subject of compliance.
In BNM’s Compliance Paper (10 May 2016), the CCO refers to the senior officer who is the central point of authority for a financial institution’s compliance matters and is responsible for providing an institution-wide view on the management of compliance risk (BNM 2016). The Basel Committee on Banking Supervision (BCBS), which is the primary global standard setter for the prudential regulation of banks, defines compliance risk as the risk of legal or regulatory sanctions, material financial loss, or reputational loss which a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards and codes of conduct applicable to its banking activities (BCBS 2005). Both BCBS and BNM use the term compliance function to refer to the officers carrying out compliance responsibilities (BCBS 2005; BNM 2016).
Due to the rapid changes in the financial environment, there is a rising demand on the compliance role to meet a chain of complex compliance requirements from enforcement agencies and regulators. In general, the role of the CCO is to ensure an organisation complies with the rules and regulations issued either in Malaysia or globally. This is to avoid any violations which could result in hefty fines, legal complications or damage to the organisation’s reputation. However, there is more to the CCO’s role and the compliance function than this. Usually, the CCO is appointed to be responsible for the compliance function and compliance activities of an organisation. However, SI should understand that the CCO is appointed to act in an advisory capacity and to assist the board and senior management in complying with SI’s obligations under the regulatory system, rather than being personally liable for the organisation’s compliance.
In August 2008, BCBS published a paper surveying several jurisdictions on the contributing factors for major compliance-related incidents that had occurred in their banks. In the paper, the jurisdictions responded that the most significant contributing factors were the failure to introduce, maintain or enforce compliance policies and procedures on a consistent basis throughout the firm, insufficient compliance culture, training or awareness, and failure to identify or address emerging firm-wide compliance risks (BCBS August 2008). Other jurisdictions also responded that part of the non-compliance was due to insufficient board oversight and involvement by senior management in compliance matters.
A governance, risk management and compliance (GRC) framework is commonly used by other financial institutions to meet their compliance objectives. GRC is a set of functions that oversees and manages risks and compliance across an organisation so that it can reach its objectives. It involves strategy, processes, people and technology in the GRC structure. The board and senior management have the responsibility to oversee GRC in order for it to be effective within SI. BNM’s Risk Governance (1 March 2013) and Concept Paper on Corporate Governance (11 March 2016) set out the board’s and senior management’s responsibilities for corporate governance and BNM’s expectations on this matter. The GRC structure is useful and beneficial to SI if adopted, as it can streamline governance, risk management and compliance initiatives by enabling different functions to work in a collaborative and coordinated way. If implemented, it reduces or eliminates duplication and redundant work, which saves time, money and resources for SI.

The CCO’s role is to identify and mitigate compliance risk together with management and the business units by ensuring SI has a robust system of internal control. The CCO also monitors and reports on SI’s compliance. The CCO can serve as SI’s key contact point with the regulators, handling and responding to regulatory inquiries and examinations (SIA 2005). BNM’s Compliance Paper (10 May 2016) indicates that a strong compliance culture reflects a corporate culture of high ethical standards and integrity in which the board and senior management lead by example. To achieve this objective, the CCO is to assist the board and senior management in forming a strong compliance culture and high ethical standards, which contribute to effective corporate governance. Without an ethical and compliant culture, SI will be at risk.
The responsibilities of a CCO are extensive; some of them are listed as follows:
- To interpret the rules and regulations applicable to SI and to guide management and the business units on their application to daily operations. The CCO also provides information to the board and senior management on the rules and regulations applicable to SI in order to assist them with their compliance responsibilities.
- To create and implement policies and procedures which fit SI and its business strategy. The CCO also guides management on the development of new policies and procedures and on their implementation and maintenance, to ensure they remain robust within SI.
- Where the regulators announce changes or updates to the current rules and regulations, to support the business units by assessing the impact of these changes on daily operations and helping them accommodate the changes.
- To build, implement and monitor an internal compliance risk-control framework that is comprehensive, dynamic and customisable, so that SI operates in accordance with it.
- To develop a risk-based compliance plan which sets out the programme of compliance activities to be undertaken for the year. The compliance plan must be reviewed and updated regularly to ensure it addresses the compliance risks identified by the internal compliance framework. The plan also helps to allocate the resources required to carry it out. The compliance plan can be delivered in the form of a compliance manual or handbook.
- To identify and assess compliance risks by performing a detailed analysis of the likelihood of each risk, the reasons it may occur and its potential impact. Understanding these inherent risks allows SI to plan mitigation strategies should the risks materialise (Deloitte 2015).
- To implement and maintain a compliance monitoring and testing programme that is real-time, regular and risk-based. The programme identifies potential risks and detects gaps in internal controls and procedures. Monitoring also helps to reveal deficiencies in daily operations which could expose SI to compliance risk. It also facilitates ongoing compliance with SI’s policies and regulatory requirements, which helps the CCO keep the board abreast of the effectiveness of the existing compliance control framework.
- To perform a compliance gap analysis measuring SI’s existing policies and procedures against best practices, rules and regulations. This exercise identifies potential areas of compliance risk and vulnerability so that corrective measures can be taken to close the gaps and mitigate the risks.
- To collaborate with the other risk functions, i.e. Risk Management and Internal Audit, in identifying, assessing and managing regulatory risk. Any identified risks are to be escalated to the board and senior management.
- To initiate business reviews and offer advice to other business units on areas where they can make changes or improvements. Reviewing business activities helps to identify potential regulatory, compliance and reputational risks and to develop a plan to minimise them (SIA 2005). Continuous reviews help SI to be proactive in front of the regulators.
- To develop a system for evaluating any breaches or non-compliance in order to initiate investigative procedures.
- To prepare and present accurate reports on a regular basis to the board and senior management on regulatory and compliance matters, e.g. any significant breaches, regulatory non-compliance, or the operation and progress of compliance efforts.
- To support the board and senior management in establishing and maintaining good relationships with the regulators, in order to foster an open regulatory relationship.
- To provide reasonable assurance to the board and senior management that effective and efficient policies and procedures are in place within SI, and that SI is complying with all regulatory requirements.
- To provide training and educational programmes for employees to improve their understanding of the relevant regulatory requirements. The CCO also educates employees on the importance of compliance and encourages them to incorporate the values of compliance when conducting business activities. Regularly scheduled updates, e-learning modules or enhanced training sessions can be the channels for training and educating employees.
For a CCO to effectively manage and mitigate compliance risk, support from the board and senior management is essential. BNM’s Compliance Paper states that it is the responsibility of the board to oversee the management of the financial institution’s compliance risk (BNM 2016). The board is to specify the role of the CCO and appoint the CCO to represent the compliance function at the highest level within SI. Senior management is held responsible for the effective management of a financial institution’s compliance risk. For example, senior management must establish a compliance policy and communicate it to all employees, and must establish a compliance function proportionate to SI’s size, nature of operations and complexity.
With the support of the board and senior management, the CCO must demonstrate the following knowledge and skills to maximise his or her compliance effectiveness for SI:
- Regulatory and compliance knowledge
The CCO must have sound regulatory knowledge, which covers a certain level of understanding of the principles and management of compliance, as well as knowledge of SI’s business. Only with this knowledge can the CCO apply the rules and regulations to SI. Besides that, foresight and knowledge of emerging trends and developments (e.g. trade-based money laundering, online buying and exchanges, financial technology) enable the CCO to be proactive in compliance matters.
To handle the compliance function effectively, one must be comfortable building relationships with both internal and external stakeholders. The CCO role requires dealing with a variety of people in important roles, i.e. the board, senior management, employees, customers and regulators. Interpersonal skills include listening and decision making in order to carry out the compliance process effectively. If the CCO detects potential lapses in the business units, the CCO should be non-confrontational and non-aggressive when communicating with them, so that they understand the CCO is not finding fault but educating them on the importance of compliance.
This skill is important for influencing the board and senior management to do the right thing, e.g. in key decision making on compliance matters. It also helps the CCO to embed a compliance culture across SI.
It is essential for a CCO to possess written and verbal communication skills, as one of the functions of the role is to communicate with all levels of employees in SI. Written communication skills are important as the CCO often needs to deliver compliance information accurately to all employees. The CCO also needs to communicate with regulators on compliance issues. Any information delivered within SI or to regulators must be clear, concise and not open to misinterpretation.
Good and effective listening skills help the CCO to fully understand the issues, which generates focused and relevant advice for the business units. This skill also allows early detection of issues or potential issues.
- Business awareness and pragmatism
The ability to understand the financial environment in which SI is operating. This skill helps the CCO to assess and find the best approach to achieving compliance. By being pragmatic, the CCO can achieve SI’s strategic objectives at the same time.
The CCO often needs to come up with recommendations to the business units which they may deem impractical for their daily operations, and usually the first response from the business units is resistance to the recommendations. The CCO must have good negotiation skills and be resilient to criticism in order to help the business units understand and appreciate the implementation of the recommendations.
Management would usually require the CCO to handle more than one review, assessment or report at any one time. Thus, the ability to multi-task is important, i.e. meeting challenging deadlines and remaining calm and positive when managing multiple tasks.
- Risk assessment capabilities
The CCO must understand and operate well within the risk management process, which involves identification, analysis, planning, monitoring, reporting and control. For example, the ability to assess the alternatives and come up with a solution, based on the risk, that suits SI’s risk appetite.
- Analytical and investigative skills
The CCO must always keep abreast of regulatory changes and developments. He or she must then be able to analyse and interpret the rules and regulations accurately from the perspective of how they affect SI. Without this analytical skill, the CCO could misinterpret the regulatory requirements and risk SI falling into a serious offence.
Integrity is the most important quality for the CCO. One must have strong moral principles, be honest and be without prejudice when executing tasks. Any identified findings or breaches should not be covered up; they must be rectified or notified to management.
The key challenges which can restrict the effectiveness of a CCO in carrying out his or her duties are as follows:
- Independence and autonomy
To carry out the compliance function in SI, the CCO must have a certain level of independence and autonomy from the business activities in order to carry out compliance activities independently. The compliance function should have a formal status within SI, and its role must be clearly defined and documented in SI’s compliance policy (BCBS 2005). The status of the compliance function should be made known to all employees within SI. The CCO must have direct and unrestricted access to the board and senior management, a clear reporting line, and must not be prevented from highlighting any compliance issues to management. The CCO should have the authority to access and obtain documents, data and information, and the authority to speak with any employee. The compliance function should have the right to investigate possible breaches of internal controls.
- Conflicts of interest
The compliance function should not be placed in a position where there are potential conflicts of interest concerning the compliance function’s scope of responsibilities, reporting lines or remuneration (BNM 2016). The CCO and the compliance team must avoid any undue influence which could cause a conflict of interest with the business units or an external party. The remuneration package of the CCO should not be linked to SI’s financial performance.
Sufficient and appropriate resources should be provided to the compliance function to ensure it is carried out effectively in SI. BCBS indicates that the CCO and the compliance team should have the qualifications, experience and personal qualities required to carry out their duties (BCBS 2005). As they are the key persons for compliance matters, they must be well equipped with compliance knowledge and keep abreast of the latest developments in rules and regulations, which can be achieved through regular and systematic education and training.
There are a few elements required for me to succeed as CCO and to assist the board and senior management in having effective oversight of SI’s compliance arrangements. Any established policies and procedures would be useless or ineffective if there is no strong culture of compliance, values, ethics and integrity in the firm. A healthy culture can be embedded in SI if there is support from the board and senior management; it would not be feasible without that support, which helps to cultivate and strengthen the compliance culture within SI. The board’s and senior management’s acceptance and support will aid me, as CCO, in establishing the “tone from the top” mind-set and strong compliance culture which our regulators consistently seek and expect. For example, management should make clear to all employees of SI that everyone (including management) will comply with SI’s internal controls, rules and regulations when carrying out business activities. By doing so, management demonstrates its commitment (in both actions and words) on this matter.
Besides that, the board and senior management should provide resources such as the latest technology, governance and management structures, analytics software and automated systems to carry out complicated compliance processes such as identification, assessment, monitoring, testing and reporting. Manual intervention in compliance processes can consume time, money and resources, and should be reduced or discontinued so that compliance activities can be carried out effectively. It is strongly recommended to involve SI’s employees in some compliance work, as they are the ones involved in daily operational activities. Employees can be a great asset to compliance efforts. The board and senior management should provide adequate and ongoing compliance training to employees to maximise the achievement of compliance objectives.
The importance of compliance is evidenced by the hefty fines regulators have imposed on financial institutions for not complying with rules and regulations. On 4 November 2016, Agricultural Bank of China (ABC) was reported in the news to pay a USD215 million penalty for violating New York state’s anti-money laundering law (Barlyn 2016). The article reported that bank officials engaged in intentional wrongdoing by masking possibly suspicious transactions at ABC’s New York branch. The New York bank examiners discovered nearly 700 potentially suspicious transactions which had yet to be investigated by the bank.
A more recent example is Raiffeisen Bank International AG (RBI), which was fined 2.75 million euros by Austria’s Financial Market Authority (FMA) for a breach of due diligence requirements for the prevention of money laundering and terrorist financing. Reuters reported that the fine was imposed on RBI for inadequate checking of the identity of the beneficial owner, and for failure to regularly update the documents, data and information required to understand ownership and control structures with regard to high-risk customers in specific individual cases (Reuters 2018). Thus, the CCO plays an important role in helping the board and senior management to instil good compliance within SI and prevent any non-compliance.
All employees should understand that each of them is individually responsible for complying with the rules and regulations, and with the controls which have been put in place. However, the responsibility for SI’s overall compliance lies with the board and senior management. Management must be actively and personally committed to ensuring SI complies with the rules and regulations, and must actively promote a compliance culture at all levels in SI. Failing to comply with the rules and regulations will lead to reputational risk, legal risk, financial risk and the possibility of revocation of SI’s licence to carry out financial activities in Malaysia.