Over a dinner this week, there was a fascinating discussion about the role of compliance.
Compliance.
A culture or a function?
A view of complying and being subservient or of being proactively compliant.
Compliance as a painful enforced change or an opportunity to re-engineer and improve.
Compliance.
Threat or opportunity?
To be truthful, compliance can be all of the above or none. It is all down to attitude.
The discussion reminded me a lot of the recent spat over our political affairs.
Our politicians have been caught with their hands in the till.
They haven’t been fiddling expenses as it has all been within the rules ... except that this policy may be within the rules, but not within the spirit of the rules.
And this is the heart of compliance.
Interpreting rules as both the meaning and the intention.
This is why the phrase “legal but not legitimate” came up several times during the conversation on compliance.
The leverage of the bank was legal but not legitimate.
The CEO’s lack of knowledge of investment markets allowed products to be sold that were legal, but not legitimate.
The intention of best execution was to sell products that were appropriate, not high risk products that were legal but not legitimate.
And so on and so forth.
So the core of compliance is to look at the rule in both its meaning and intention, as well as its working.
This, to me, was the spirit of principles-based regulation but that’s gone away now.
The light touch approach is no longer relevant.
It’s gotta be hardline now.
But what is hardline?
The FSA define it as focusing upon outcomes-based regulation, rather than principles.
And complying with outcomes-based regulation means seeing the end-goal and working to achieve it, rather than focusing upon the idea, the theory, the principle.
But whatever the approach, compliance can never really work whilst people see the ways to interpret the rules and bend them to their own way of working.
Like the politicians who can buck the system by working within the rules but not the spirit of the rules, compliance has to be more than just an idea, a theory, a principle.
It has to be a culture.
It has to be led from the top.
It has to be endemic to the whole way the institution works.
You see, a business rots from the head, just as a fish does.
If the head of the business believes it is ok to buck the rules and interpret them to your own maximum advantage, then the culture of the business will be the same.
If the head of the business believes it is ok to use the expense system to line his or her pockets, then everyone who works for the business will be told this is the way to do things.
If the head of the business believes it is a good thing to leverage the bank to the hilt to gain maximum returns at maximum risk, then the rest of the business will do the same.
This came home to me when I think of our politicians, but also our banks.
For example, I worked with two banks last year that were merging.
One had a Chief Risk Officer (CRO) who made the final decision on every major investment or trade finance agreement with the bank. The CRO would be where the buck stopped and the CEO would defer to their judgement.
The other bank had a CRO who made a recommendation to the CEO on every decision of the bank, but the CEO made the decision.
The latter bank acquired the former.
The latter bank is now defunct.
It failed because the CEO was an ultimate risk-taker and, as it turns out, megalomaniac.
This is why compliance and risk need to be viewed as one and the same.
Compliance.
It is a culture, not a function.
The Finanser is sponsored by Vocalink
Great post and I couldn't agree more. This is something we are trying to work towards by infusing collaboration into the compliance effort and instead of having a limited few handling compliance to decentralize the process across the organization and throughout the year to be continuously compliant instead of the 'hills and valleys' of today.
The collaboration piece of it is no question a cultural thing and is one of the most difficult pieces of the continuous compliance process we find.
Posted by: Brad Garland | June 13, 2009 at 03:39 PM
Good to have this discussion. From my study on compliance in the payment industry I came to the recommendation of a 'trust' officer or a trust function within companies and self regulatory bodies as trust is a/the key asset in the payment, and banking, industry. Trust involves elements such as perceived risk and integrity, thus also with cultural elements. As such a compliance officer follows regulation but a trust officer will more pro-actively set up a framework of trust matching industry and regulatory compliance.
Posted by: Pierre Karsten | June 16, 2009 at 07:39 PM