
FCA Publishing Information About Enforcement Warning Notices


  • Publishing information about enforcement warning notices

    What and When the FCA can do

    By the

  • Don't forget, Compliance Consultant can provide a whole range of services including:

    Initial Risk Assessment or audit - an initial analysis to identify higher risk areas of the business and weaknesses in procedures.

    Design Risk Management - build a system with your business, for your business, showing complete audit trail of risk areas of the business and identifying any weaknesses in procedures.

    Business Development - business analysis advice or advice on particular issues, for example, how your firm is Treating Customers Fairly and an action plan for implementing TCF across your business.

    Conduct Risk Development - identify where, when and how clients interact with your staff and identify weakness or non-TCF issues and help develop an action plan across your business.

    Governance Templates - Policies, Logs, Minutes, Terms of Reference and other items available from our IP library.

    Help with setting up procedures - for example procedural manuals for recruitment, training and competence, complaints handling and anti-money laundering. May also include templates for disclosure documents, fact-finds and registers.

    File audits - checks to ensure that procedures are being followed and identify good practices and weaknesses.

    Complaints Handling - cost effective and project managed from start to finish, making your response robust and consistent.

    Technical support - may include advice on particular products or regulatory reporting. May be available in various formats, including website, helpdesk and individual technical advice.

    Training - for example competency assessments, training opportunities or product risk guidance. May be online support, regulatory updates or seminar based.

    Support on individual issues - for example in dealing with a complaint, a financial promotion or a particular suitability letter.

    Financial promotions (all areas of advertisement) - full support which would include websites, brochures, DVDs, email templates, client mail shots, adverts, contacting existing clients and so on.

    Remedial work - helping to action remedial work required by the FCA.

    Ensuring you are aware of Handbook changes and the specific impact on your business.

    Your responsibilities and liabilities under SYSC and the recent changes.

    And much more ... just ask! Email [email protected]

  • The FCA has confirmed that it will start to publish information about warning notices it issues in enforcement cases.

    Although this is nothing new (it was originally announced on 15th October 2013), when deciding whether or not to publish any information relating to warning notices, the regulator will start from the presumption that it will normally be appropriate and fair to publish a summary of the allegations made against a firm or an individual in an enforcement warning notice.

    If the subject of the warning notice is an individual, the Financial Conduct Authority (FCA) will only identify that individual in exceptional circumstances, such as if it is necessary to do so in order to prevent or dispel potentially harmful market rumours as to the identity of the subject of the warning notice. However, if the FCA decides not to identify a specific individual, it may still publish the identity of the firm that they are employed by, even if that firm is not the subject of an FCA enforcement investigation.

    If the subject of the warning notice is a firm, it is more than likely that the FCA will want to identify that firm.

    Acting in haste

    This means that, in the event that the FCA thinks that it is appropriate to publish information relating to a particular warning notice, the person indicated in the warning notice, and any parties it may be copied to, will be notified of this. The subject will be given 14 days to make any representations to the FCA stating why they wish to challenge the FCA's decision to publish the information. This provides a facility to focus representations on whether it is fair or otherwise appropriate for the FCA to publish information about a warning notice.

    If, on consideration of the appropriate representations, the regulator still thinks that it is appropriate to publish information about a warning notice, the publication will appear on its website.

    What if the enforcement action is discontinued?

    Should the enforcement case regarding the information published at the warning notice stage subsequently be discontinued, the regulator has clearly stated that it does not intend to remove any information from its website. What the FCA will do is take steps to make it clear that the action has been discontinued, but it will not give any reason for the eventual discontinuance.

    Background

    Until 2010, the regulator, the then Financial Services Authority (FSA), could only publish details about enforcement action against a firm or an individual at the conclusion of a case, when a final notice was published. In 2010, the point at which the FSA could publish information about its enforcement cases was brought forward to the stage at which the FSA's Regulatory Decisions Committee (the RDC) issued a decision notice (i.e. after the firm or individual had made representations to the RDC in response to a warning notice but before the Upper Tribunal had made a decision).

    New powers were introduced in the Financial Services Act 2012 which gave the FCA the green light to publish information about a matter in relation to which a warning notice has been issued. This power allowed the FCA to publish details about an enforcement action against a firm or an individual at a much earlier stage than was previously permitted and, notably, before a firm or an individual under investigation has had an opportunity to formally challenge the FCA's case against them.

    With the advent of the new regulators taking over, the FSA published a consultation paper (CP13/8) in March 2013, in which it set out proposals as to how the new FCA would exercise its new power. Understanding what a serious and sensitive subject this could be, the consultation paper clearly and expressly stated that the FCA would not start to use its new power until it had confirmed how it would go about exercising it.

    FCA Policy Statement PS13/9 was born

    The FCA published a policy statement (PS13/9) on 15th October 2013 which confirmed the regulator's policy for publishing information about enforcement warning notices. The approach to publishing such information included some significant changes from the FCA's original proposals set out in the March Consultation Paper. The FCA stated that it intended to publish information about enforcement notices in accordance with the approach set out in the Policy Statement from the date of issue, but in actual fact did not do so until the 3rd February 2014.

    The exact detail of the power to publish warning notices, granted under section 391(1) of the Financial Services and Markets Act 2000 (FSMA), states that the FCA has the power to publish information about a matter in relation to which a warning notice has been issued, provided that:

    the person or persons to whom the warning notice has been issued or copied are consulted prior to publication (section 391(1)(c) FSMA); and

    publication of information about the warning notice would not be unfair to the subject of the warning notice, prejudicial to the interests of consumers or detrimental to the stability of the UK financial system (section 391(6) FSMA).

    Built in as a safeguard for minor offenders is that the FCA's power to publish information only applies to warning notices which include a disciplinary outcome (i.e. an intention on the part of the FCA to censure, fine or suspend a firm or an individual; section 391(1ZB) FSMA).

    The FCA continues to believe that the purpose of the new power justifies an approach of normally publishing information about warning notices. Early transparency of enforcement proceedings has several benefits and, to be clearer, they have amended the policy to highlight some of them:

    Consumers, firms and market users will be able to understand the types of behaviour that we consider unacceptable at an earlier stage, which in turn should encourage more compliant behaviour.

    By showing at an earlier stage that we are taking action, confidence in the FCA and the regulatory system should be enhanced.

    There will be more openness in respect of the enforcement process, which will generally be in the public interest.

    And it aligns the stage at which publicity is given in regulatory cases with the stage at which publicity is given in civil and criminal cases.

    So effectively, the FCA explained that these actions are intended to create a more transparent enforcement process and to inform consumers, firms, approved persons and the market at the earliest possible stage about types of conduct that the FCA finds unacceptable, and to give them notice to address any internal issues they may have.

    Steps to the FCA publishing warning notices?

    The approach outlined in PS13/9 is replicated as guidance in the FCA's Enforcement Guidebook (paragraph 6.7 onwards). When the FCA decides to issue a warning notice in an enforcement matter, it will consider whether it should publish information relating to the warning notice. The FCA has stated that it will start from the presumption that it is appropriate to publish information relating to a warning notice so as to enable consumers, firms and market users to understand the nature of the FCA's concerns in a particular case. However, the FCA has also said that it will consider the circumstances of each case.

    Identifying the subject of a warning notice

    If and when the FCA considers that it may be appropriate to publish information about a warning notice, it will then consider whether it is also appropriate to identify the subject of the warning notice (i.e. the firm or individual against whom the FCA proposes to take action). When making this decision, the FCA has noted that it intends to take different approaches to firms and individuals. In the PS they state:

    "Whether the subject of the warning notice is a firm or an individual will also continue to be relevant to our assessment of unfairness. Our presumption that it will not normally be appropriate to identify an individual is based on our view that the relative harm from publication is likely to be greater for an individual than for a firm and, in line with this, our expectation is that it would be more difficult for a firm to demonstrate unfairness than an individual. We will also have regard to the size of a firm. We consider this is a relevant consideration because the impact of publication on a small firm is likely to be of a different nature to the impact on a large firm, and in some cases could resemble the impact on an individual. So we expect that larger firms will find it more difficult to demonstrate unfairness than smaller firms."

    This approach is noticeably different to the FCA's original proposal outlined in the Consultation Paper, which indicated that an individual who was the subject of a warning notice would be identified, except in exceptional circumstances. The FCA cites comments received in response to the Consultation Paper as the reason for the change in approach towards identifying individuals who are the subject of warning notices. In the Policy Statement, the FCA accepts that in most cases the harm that an individual may suffer by being identified in information published about a warning notice will outweigh the benefits that publishing this information may have in terms of improving the transparency of the FCA's enforcement process. However, the FCA notes some situations in the Policy Statement where it would still consider identifying the subject of a warning notice. These situations include where it is necessary to identify an individual in order to:

    adequately describe the nature of the FCA's concerns;

    avoid other individuals being mistakenly believed to be the subject of the warning notice or to otherwise dispel rumours in the market (the FCA has indicated that this factor may be of particular relevance where a prominent member of a firm's senior management is the subject of a warning notice, due to the heightened risk that others may be mistakenly believed to be the subject of the warning notice);

    help protect consumers; and/or

    maintain public confidence in the financial system or market.

    Consultation with the subject of an enforcement warning notice

    Respondents to the CP raised concerns that the period of 14 days may be too short to prepare and submit appropriate representations to the FCA concerning why they should not publish information relating to the proposed warning notice. The regulator's answer to this was that if the subject of a warning notice, or a party to whom it is copied, thinks that there is a possibility that they are likely to challenge the publication of information relating to the warning notice, they would be well advised to consider the representations they may make, and any evidence they may use to support these representations, in advance of the FCA issuing a warning notice.

    Despite the regulator stating in the PS that it expects representations primarily to focus on the issue of whether it would be specifically unfair to the subject of the warning notice to publish information, the FCA has said that it will also take into account other representations that provide other reasons as to why it would be inappropriate for the FCA to publish information about a warning notice.

    A point to consider for any respondent is that if the FCA indicated that it did not intend to publish the identity of any individual who is the subject of a warning notice, that individual may still wish to make representations at this stage. This could mean that they may wish to make representations relating to the way in which they could be anonymously referred to in the information published, or whether there should be publication of any information about their case at all.

    Consideration of grounds that may prohibit publication of information

    Once the FCA has received representations from the subject and/or third parties, it will then be in a position to consider whether there are any factors which would prohibit the publishing of information relating to a warning notice. There are three grounds which, if applicable, would prohibit the FCA from publishing information relating to a warning notice (section 391(6) FSMA). These grounds are if publication of information relating to a warning notice would be:

    i. Unfair to the subject of the warning notice: In the Policy Statement, the FCA has stated that in order to demonstrate that publication of information relating to a warning notice would be unfair, a firm or individual must provide clear and convincing evidence of how that unfairness may arise and how they could suffer a disproportionate level of damage. The FCA has indicated that the following factors may be relevant to the issue of whether publication of information about a warning notice would be unfair to the subject of the warning notice:

    Firm or individual: Whether the subject of the warning notice is an individual or a firm. The FCA has indicated that it is likely to be more difficult for a firm to establish that it would be unfair for the FCA to publish information relating to it than it would be for an individual. This is because the FCA acknowledges that the relative harm from publishing such information is likely to be greater for individuals than for firms.

    Size of a firm: If the subject of a warning notice is a firm, the size of the firm will be a relevant consideration for the FCA when it is considering the issue of fairness. The FCA has indicated that larger firms may find it harder than smaller firms to show that publishing information relating to a warning notice would be unfair. This is because the FCA recognises that in some cases smaller firms may suffer a similar level of harm from publishing such information as individuals.

    Risk of reputational damage: The FCA has not ruled out the possibility that the risk of reputational damage to the subject of a warning notice by itself may be enough to prevent publication of information relating to it. The FCA has also stated that it is likely to find arguments along these lines more compelling if a person is able to provide evidence of the harm that they would suffer as a consequence of the damage to their reputation. However, it remains to be seen how easy it will be in practice for persons to evidence the risk of reputational damage that they may suffer as a result of publication.

    Personal circumstances: If publishing information about a warning notice could materially affect the subject's health, or result in bankruptcy or insolvency, a loss of livelihood or a significant loss of income.

    The subject's awareness of the case: The extent to which the subject of the warning notice has been made aware of the FCA's case against them, for example via a preliminary findings letter.

    Criminal proceedings: If there are on-going criminal proceedings to which the subject of the warning notice is a party and these proceedings may be prejudiced if information relating to the warning notice is published.

    The FCA has made it clear that arguments relating to the fairness of the FCA's power to publish information relating to warning notices, or the merits of the warning notice itself, will not be material to the FCA's decision as to whether such information should be published.

    ii. Prejudicial to the interests of consumers.

    iii. Detrimental to the stability of the UK financial system.

    The FCA expects that circumstances which may give rise to grounds ii) and iii) above will rarely arise when it is considering whether to publish information in relation to a warning notice. For this reason, the FCA has not provided any guidance or examples as to when publication of information relating to a warning notice may be prejudicial to the interests of consumers or detrimental to the stability of the UK financial system.

    Publication of information relating to a warning notice

    If, having gone through the steps outlined above, the FCA still considers that it is appropriate to publish information relating to a warning notice, it will publish this information on its website.

    What information about enforcement warning notices will the FCA publish?

    The FCA does not have the power to publish warning notices in their entirety. Rather, the FCA may only publish such information about a matter to which a warning notice relates. The FCA has stated that it intends to exercise this power by publishing the following information:

    Summary of the alleged misconduct and breaches: A brief summary of the alleged misconduct which forms the basis of the warning notice, including the rules and/or Principles for Business or Approved Persons which the FCA alleges have been breached.

    The identity of the subject: If it is considered appropriate, the FCA will publish the identity of the subject of a warning notice. If the FCA decides not to identify the subject, they will be referred to as a firm or an individual or, where appropriate, the type of person, for example, a bank or a trader. Even if the FCA decides not to identify an individual who is the subject of a warning notice, it may still consider whether to publish the identity of the individual's employer, even if the employer is not the subject of an FCA investigation in relation to the matter.

    Status of the matter: The FCA has stated that each time it publishes information relating to a warning notice, it will include a prominent statement which makes clear that: (a) a warning notice does not represent a final decision made by the FCA and there is a possibility that the matter may be discontinued, (b) the subject of the warning notice has not yet had the opportunity to make representations to the RDC in relation to the matter, and (c) at a later stage, the subject of the warning notice may refer the matter to the Upper Tribunal.

    The Policy Statement states that the FCA does not intend to publish any details about the sanction it is intending to impose upon the subject of a warning notice.

    Subsequent discontinuance of an enforcement action

    In the event that the enforcement case to which a warning notice relates is discontinued at a later date, the FCA has explained that it will not remove the information about the warning notice from its website. Rather, the FCA will add a note to the information published about the warning notice to say that the enforcement action has been discontinued and, if the subject of the warning notice consents, also publish the notice of discontinuance on its website, along with an accompanying press release. This means that even if the FCA decides not to proceed with a case, or the Upper Tribunal directs the FCA to take no action, the allegations made in the summary of the warning notice published on the FCA's website will continue to be publicly available.

    Furthermore, the FCA has made it clear that in the event that it does discontinue a case in relation to which information about the warning notice has been published, it will not publish the reasons for the discontinuance. Not only does this approach seem at odds with the FCA's underlying objective for publishing information relating to warning notices in the first place (to improve the transparency of its enforcement process), but it may also give rise to confusion amongst consumers, firms and approved persons. This is because it may not be clear why the FCA had concerns about the conduct of a firm or an individual when it issued a warning notice but eventually decided not to take any enforcement action in relation to the matter.

    Comment

    The FCA's decision to publish information relating to warning notices constitutes a significant change to its enforcement process. Approved Persons of all categories need to be aware of these changes and, if necessary, the stage or stages at which the FCA may publish information in relation to any on-going enforcement cases.

    The approach adopted by the FCA in its Policy Statement is also different to the original proposals outlined in the Consultation Paper, in particular in relation to the identification of individuals who are the subjects of warning notices. This change in approach may be beneficial to some individuals who, under the FCA's new policy, may not be identified if information relating to a warning notice is published. There is still a risk that senior individuals will be identified in information published relating to warning notices in order to help avoid confusion or market rumour regarding the identity of the subject of a warning notice. All Senior Managers need to understand their potential risk of involvement and identify ways to mitigate their position by ensuring that their processes and procedures are correctly assessed and controls are appropriate.

    The FCA's ability to publish information about an on-going enforcement case before the subject has an opportunity to formally challenge the FCA's findings will, in turn, also impact the strategy employed by the subject of an FCA investigation and their advisers. For example, it will be more important for the subject of an FCA investigation and their advisers to engage with the FCA as to the merits of their case at an earlier stage instead of waiting until the FCA issues a warning notice before doing so. Doing so may help to ensure that representations made to the FCA before the warning notice stage are taken into account in the information published about the warning notice.

    The FCA may also use its ability to publish information about on-going enforcement cases at the point at which a warning notice is issued as a negotiating tool in order to encourage the subject of an FCA investigation to settle their case at an earlier stage. This is because if a firm or an individual shows willingness to settle a matter at the warning notice stage, the FCA may decide not to publish information relating to the warning notice and instead wait until the final notice can be published.

  • Looking more broadly, the FCA's power to publish information relating to warning notices may also lead to an increased and earlier litigation risk for firms and/or individuals who are connected to a warning notice. For example, a claimant may base their claim against a firm on allegations included in the summary of the warning notice published by the FCA. Even if the allegations made by the FCA are changed or dropped at a later date, the firm may still have to expend significant sums to defend or apply for a stay of the litigation in the meantime.

    Steps To Help You Succeed as a Regulatory Chief Compliance Officer and Keep Out Of The FCA Warning Notices

    "Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you." - Theodore Roosevelt, 26th President of the United States.

    While there is not a discrete or succinct formula that guarantees success of the CCO, there are essentially three steps that can be taken that will prove to be instrumental in obtaining the desired success.

    Step 1: Creating a "Right" Culture

    Principal to your success as a CCO is the creation of the "right" culture, and this can be demonstrated by this example: You are driving in your car down the street towards a traffic light controlled junction. As you approach the intersection, the traffic light turns from green to amber then to red. What do you do? You arrive at the intersection and stop your car. Do you wait until the light turns green again and then proceed through? Do you pull up to the lights, look all ways for other vehicles or the police and, if none are around, then proceed on through?

    The reason we don't go for the second option is "Culture". Your action of stopping and waiting for the green light is "built" in because somebody at some stage in your life provided you with a set of values that dictated how you responded to the traffic light event. They gave you a values blueprint that you abide by, creating your own "culture". With the "right" culture or values blueprint one acts with honesty, integrity and high ethical standards. Therefore, with a values blueprint, your behaviour comes naturally and is done without much thought.

    Without the majority of people having the "right" culture, in the traffic light example we would have streets of chaos. No society, and certainly no Financial Services Institution or firm, can operate, nor survive, under a system of chaos. Ideally we want officers and employees, right from the top to the bottom, to act with utmost integrity, honesty and high ethical standards. We want them all to behave accordingly, not necessarily because they feel that they are being checked up on, but almost subconsciously knowing what the right thing to do is, whether or not they may have controls in place. We want them to behave in the right way as second nature and not have to think about it, or check in a policy somewhere, to know the proper action. Worse still, we don't want people making decisions "on the fly" without understanding the ramifications of their actions.

    Personal responsibility for one's actions has to be the core of the "right" culture. Any regulatory compliance officer should not want to have to position a control or check-point at every juncture of the business. It would cost too much and in the end would fail, as people would find a way to circumnavigate the cumbersome and clumsy rules. So as the CCO you must work to build a culture where "doing the right thing" is expected from all officers and employees. Consequently, behaving badly should be penalised and the right behaviour should be rewarded, but this can only happen at the time of the behaviour taking place: praising or punishing afterwards is pointless and a waste of time, or our judicial system would have eradicated crime hundreds of years ago.

    It is important to note, however, that while personal responsibility is definitely the core element of the "right" culture, the CCO cannot simply operate with blind faith and a prayer book. The system and framework of internal control must include a detection as well as a prevention element so that those who violate the culture are identified.

    Tone from the top. To succeed, there must be a consistent and robust tone from the top, one that communicates and supports the "right" culture. A zero tolerance standard must be adopted with senior managers and leaders as well as demonstrated by their own words and actions. Alone, even the most correct tone from the top cannot create the "right" culture. There are many steps and activities that the CCO must instigate and support to create, foster and maintain a culture that results in doing the right thing, first time, all the time.

    Actions and Steps to Build the "Right" Culture

    Get buy-in not just from executive or senior management, but from all levels and all employees. The CCO should be a partner with all; not just senior management.

    Act so that everybody feels comfortable approaching compliance function, not only to report exceptions, breaches or violations, but more importantly to seek advice and sage counsel. The CCO should be proactive in offering advice and be seen as part of the solution that supports the business's objectives. That advice is better when provided up-front where new processes, sales, etc., are being proposed and planned.

    Consequently, the CCO should make every attempt to say "yes." When the regulations prohibit a "yes," the CCO needs to say no offer alternatives and other options, working with the business on finding an answer.

    Develop, coach, communicate, and train, etc., on the standards, the rules, the policies, the expectations and rationale behind the rules and guidance.

    Be approachable and interesting to work with. The CCO should be easily and readily available.

  • Act with speed; act fast. The CCO does not want to be seen to slow the business down; to be viewed as a "cog." Undoubtedly compliance with all laws, rules, and policies is seen as the primary responsibility of the CCO. An environment of zero tolerance for absolute risks should be the case without exception. Beyond that, the CCO should establish an acceptable risk appetite and risk mitigation process to manage those inherent risks. Such a culture and environment ensures compliance with all mandatory laws, rules, regulations, public policy standards, and internally generated standards such as policies and procedures, codes of conduct, etc. And it provides for an internal control system where risks are identified up-front and managed in furtherance of business success. It pays to ensure that absolute risks such as laws, regulations, rules and policies are interpreted in a clear and easily understood way; violations should never be tolerated. Inherent risks may or may not happen and in a well run and compliant culture, controls are designed and built to manage and mitigate inherent risks. Creating the "right" culture is an absolutely critical role for a CCO. It may well require hard work, but without a culture where honesty and integrity are the norms a CCO will not succeed. Achieving the "right" culture will not in itself guarantee success, but it will at least put you well on the path to achieving a compliant firm. "Take calculated risks; that is quite different from being rash." General George S. Patton, World War II General Being a Chief Compliance Officer (CCO) or having to establish (or refresh) a risk function can be a daunting challenge. The second step for your achievement is the development of a practical risk based environment and management system. Here are some practical advice tips for success of the second step. 
    Step 2: Developing a Risk Based Environment and Management System

    Compliance is a lot more than just adhering to laws and regulations: it is making sure that risk culture, policies, procedures, and controls are being properly adhered to. The CCO should steer and direct the organisation to stay within mandatory boundaries of laws and regulations as well as the voluntary boundaries of risk culture, tolerance, appetite, and corporate as well as (hopefully) personal values.

    So how do you do this? First and foremost, you should establish a clear and practical risk based environment and management system with a mandated and supported zero tolerance for absolute risks. An environment of zero tolerance for all absolute risks such as laws, regulations, rules and policies should be the case without exception. Compliance with these risks is mandatory; absolute risks must be avoided. They are never acceptable risks, since accepting them would violate the law. An effective and quality risk based environment and management system communicates and ensures absolute compliance with all mandatory laws, rules, regulations and public policy standards.

    You have to recognise that not all risks can be avoided or eliminated, nor would you want to. Many risks are needed for the upside to be managed in a business, and to provide some element of skill in their management. Thus, the CCO should establish an acceptable risk appetite and risk mitigation process to manage these risks.

    Inherent risks are intrinsic to a business activity and arise from exposure to, and uncertainty from, possible future events, or changes in business or economic conditions. Inherent risks may or may not happen. Under a risk management system, controls are designed and built to identify, anticipate, manage, monitor and mitigate inherent risks. The risk management system is ultimately the systematic application of processes and structures that enable an organisation to mitigate, accept, improve, or transfer risk.

    The only way an organisation can manage risk appropriately is if acceptable and unacceptable risk is defined. The CCO and Chief Risk Officer (CRO) should clearly define, establish and communicate the environment of risk taking, acceptance, tolerance, and appetite not only to the board, but throughout the business appropriately. If the CCO does not do this, risk taking is seen to fall to individuals, often with a less than coherent strategy, and this places the integrity of the organisation in jeopardy.

    Actions to Build a Risk Based Environment and Management System

    Initially, the development of a risk based environment requires identifying the risks and potential areas of vulnerability in the business. The high-level rules map is going to be fairly similar for all UK regulated firms.
    Once you start increasing the depth of information you may well find that not all parts of each law will apply to every section of your firm. Although it may appear to be a bit of skipping from one relevant law to another, it is also important to realise that your firm has existing policies and procedures in place that may reference out-of-date legislation; these are obviously risk areas for you to address. If your firm is a small concern with one main line of business then a single regulatory rules map is more likely to be applicable. However, when you link up to the FCA handbook you will find that not all sections within these sourcebooks will necessarily apply to your firm, so you could end up with large gaps or blanks in your matrix.

    To construct your matrices correctly there are two methods you can use. One is the bottom-up approach, which is self-explanatory insomuch as you start at the activity level and consider all the legislative and regulatory impacts that may apply. The top-down approach is a more detailed and time-consuming rules mapping exercise where you may be searching for applicability to a certain law which may not actually apply to your type of business. If you're a large company and operate in diverse fields such as running distributor influenced funds or even a stockbroking facility then the top-down approach may well be more applicable. Although this can be tedious it can also be worthwhile if you have the time.

    Typical sample rules map

    Draw yourself a spreadsheet with the headings, from the left-hand side, of reference, rules, life sales, pensions sales, investment sales, mortgages, etc. across the top. Each line would have a reference under the first heading, starting with SYSC, PRIN, COBS1, COBS2, etc., and the section heading under the rules heading; your matrix will then be formed. From this basic matrix you can identify where the sourcebook would apply to your firm and, if it is not applicable, why not. If you had offices or branches in other jurisdictions, this very simple matrix could be replicated for the local regulator or judiciary that may impact it. Full details can be found in the Compliance Managers Guidebook available at the end of this document.

    Risks can also be identified from many sources including the following:

    Internal & External Audit Reports

    Ethics Reports

    Regulatory Examinations and Inquiries

    Management Reports

    Self-initiated Risk Assessments

    Results from preventive controls

    Information gleaned from Business Partnerships

    Secondly, once the risks have been identified, the CCO needs to determine the proper action regarding the risk. This requires the CCO to establish an acceptable risk appetite. There are three options for managing inherent risks:

    (1) Reduce or mitigate; (2) Transfer; or (3) Retain and accept; cost benefit analysis for positive exposure.

    Reduce and Mitigate. This option is chosen for those risks that are too great to accept. Action and strategies are developed and implemented to reduce or mitigate exposure.

    Transfer. The exposure for some risks can be transferred with outsourcing or by the purchase of insurance.

    Retain and Accept. Some risks will be acceptable without any mitigation efforts. However, the organisation should consider reasonable budgeting for the exposure.

    Each identified risk should be evaluated to determine the desired course of action. One of the three above courses should be applied to each risk.

  • Finally, once the risks have been identified, a risk appetite has been determined and a management plan has been implemented, a monitoring and reporting process needs to be instituted. This is an iterative process: it never ends. The CCO must continually identify risks, determine risk treatment, implement and monitor.

    "We are constantly working towards the highest level of compliance possible." Mike Davidson, 20th Century American Author

    Step 3: Building an Internal Control Framework

    Along with a comfortable compliant culture and an effective risk management system, the CCO will need to build a framework and process of internal controls. A framework of internal control is the process by which the CCO can obtain reasonable assurance that the culture and risk management system are working. The CCO needs to construct an internal control framework that surrounds the compliant culture and environment created in the first two steps, to ensure that the information received will indicate that the efforts in compliance work "first time and every time", or if not, where they have failed.

    Elements of an Internal Control Framework

    Policies and Procedures: The CCO should formulate a set of policies and procedures and other internal guidelines and standards to reflect the regulatory or legal requirements. Policies and procedures are a set of documents that describe an organisation's rules or practices for operation of the business and the procedures to implement or fulfill them. These rules should be distributed or made available to all the organisation's employees. Awareness training for all relevant policies and procedures should be provided to all employees.

    Workplace Code of Conduct: The CCO should formulate a code of conduct that details the basic ethical behaviours expected of the firm's employees. Potential topics for inclusion in the Workplace Code of Conduct are: Compliance, Conflict of Interest, Equal Employment Opportunities, Sexual, diversity and other Discriminatory Harassments, Gifts and Entertainment, Government or high profile contacts, Political or Press Activity, Fair Dealing, Respect, Whistleblowing and Nepotism. The Workplace Code of Conduct should be designed seeking input from all areas and then distributed to all the organisation's employees, and any relevant mandatory training should be provided.

    Operational Process Maps: The compliance function, along with the business, should map out or outline all operational processes at least to a high level. The results should be reviewed for compliance, risk identification and control application, to ensure that no "corner cutting" or heuristics are used and, if necessary, to correct any areas out of compliance. The CCO should require the maintenance of the maps and operational adherence to the mapped processes. The business should use the maps as a tool when any process is being changed, to verify that the new or changed elements of the process, as well as other processes that may be impacted, are accurate and compliant.

  • Front-end controls. The CCO should build effective controls into front-end processes. Front-end controls are "preventive" in that they should prevent non-compliant actions or transactions before they occur.

    Back-end controls. The CCO should build effective controls into back-end processes. Back-end controls are "detective" in that they detect compliance violations after the action or transaction has occurred. This could be an oversight role or audit, even a quality assurance check.

    Please Note: Any system of front-end and back-end testing should place a greater emphasis on front-end preventive controls over back-end detective controls. Business is best served by prevention of non-compliant actions and not waiting to mop up mistakes, regulatory breaches or accidents. Back-end controls should be a second check for errors, breaches or other violations.

    Compliance Charter: The compliance charter expands the concepts within the mission statement and can be used to serve both as a promotional piece and a high level contract for services between the compliance department and the rest of the firm. Senior management should then endorse this charter so that everybody is aware of the role of the department and the services it provides. This will be key in future when additional resource or external consultancy is recommended, in the event of disputes or requirements for material corrective action. There is no point in wording the compliance charter in regulator speak, nor is there any need for people to have studied English language at University before reading your charter. There is always a tendency to use jargon, MBA speak, etc., but you'll find that if you use the house language option the charter will not only be understood better but staff are more likely to accept and recall it. Full details can be found in the Compliance Managers Guidebook available at the end of this document.

    Breach/Error Reporting Process: The CCO should create a process for employees to ask questions and to report potential violations. This process should be easy to use and should allow for anonymous reporting. A good approach is three pronged and consists of:

    A hard copy set of forms;

    A telephone hotline; and

    An e-mail address.

    The process for reporting should be communicated to all the firm's employees.

    Management Information (MI): The CCO should communicate to management, as well as all levels of employees, throughout the organisation on the successes and failures of the risk management system. To do this effectively, accurate and pertinent MI should be created and cascaded appropriately.

  • Risk Management Committee: The CCO should establish a risk management committee. This group should meet regularly to review projects, proposals, proposed rules and policies, etc. All functions and disciplines should be represented on the risk management committee.

    An effective internal control framework allows the CCO to have and exercise reasonable oversight. Under an internal control system risks are identified. Plans to eliminate, mitigate or transfer are implemented. Monitoring is utilized to ensure that the laws, rules and internal policies are being followed.

    Summary

    Succeeding as a CCO will not be an easy task, but it is a necessary role, requisite for a business to succeed today. Following these three steps:

    (1) Creating the Right Culture; (2) Developing a Risk Management System; and (3) Building an Internal Control Framework

    will not guarantee the success of the CCO but, if followed, these steps can provide the robust tools needed to stay out of being mentioned in despatches from the FCA. Good luck!

  • Lee Werrell

    Tel: 07092 289901

    Lee is a compliance professional with over 25 years experience in the financial services industry, including roles at board and senior executive level for a bank, bancassurer and a major IFA. Lee has also advised numerous businesses on Financial Services Authority regulatory issues and developments including how to modify and adapt their strategy and procedures accordingly.

    Lee has provided a range of expertise to FTSE 100 institutions and a variety of banks and retail operations, working with governance, risk and compliance functions, and has been nominated as a skilled person by the FSA. Lee has set up a foreign sponsored bank and worked with local authorities.

    Lee is a Chartered Fellow of the Chartered Institute for Securities & Investment, a Fellow of the Institute for Sales & Marketing Management, and a Member of the Association of Professional Compliance Consultants.


    Technical EBooks

    ARMS http://bookgoodies.com/a/B008PEC65A

    Compliance Manager Guidebook http://bookgoodies.com/a/B00CH22066

    IFA Risk Management http://bookgoodies.com/a/B008OKFFAS
