APRIL 2011

Articles

Global Reflections on Compliance Function

Dr. V.R. Narasimhan*, ACS, Kotak Mahindra Group (Compliance Division), Mumbai.
e-mail: [email protected]

The law relating to securities transactions, as contained in the SEBI Act and the various rules and regulations issued thereunder, involves compliance with numerous legal and procedural requirements through a specifically appointed Compliance Officer. This article explains the salient findings of a working group of IOSCO which went into the compliance function relating to the securities market.

There is no doubt that the compliance function has a permanent and critical place in securities market intermediary organizations. As can be seen from the following table, most of the SEBI Regulations require appointment of a Compliance Officer under those regulations.

*Opinions expressed in this article are personal opinions of the author and do not in any way represent the employer's views.

Regulation and the relevant clause: SEBI (Merchant Bankers) Regulation, Regulation 28A.
Text of the clause in the Regulation: Every Banker to the issue shall appoint a compliance officer who shall be responsible for monitoring the compliance of the Act (SEBI Act), rules and regulations, notifications, guidelines, instructions, etc. issued by the Board or Central Government and for redressal of investors’ grievances. The compliance officer shall immediately and independently report to the Board (SEBI) any non-compliance observed by him and ensure that the observations made or deficiencies pointed out by the Board or/in the draft prospectus or the letter of offer as the case may be do not recur.

Regulation and the relevant clause: SEBI (Stock Broker and Sub broker) Regulations; SEBI (Bankers to the Issue) Regulations; SEBI (Portfolio Managers) Regulations; SEBI (Custodian of Securities) Regulations; SEBI (Credit Rating Agency) Regulations; SEBI (Foreign Institutional Investor) Regulations.
Text of the clause in the Regulation: Note: The language relating to appointment of compliance officer is the same in all the Regulations excepting the name of the intermediary. Every Banker to the Issue (respective intermediary name to be inserted as the case may be) shall appoint a compliance officer who shall be responsible for monitoring the compliance of the Act (SEBI Act), Rules and Regulations, Notifications, Guidelines, instructions, etc. issued by the Board or the Central Government and for redressal of investors’ grievances. The compliance officer shall immediately and independently report to the Board (SEBI) any non-compliance observed by him.

Regulation and the relevant clause: SEBI (Debenture Trustee) Regulations.
Text of the clause in the Regulation: Every debenture trustee shall appoint a compliance officer who shall be responsible for monitoring the compliance of the Act (SEBI Act), Rules and Regulations, Notifications, guidelines, instructions, etc. issued by the Board or Central Government and for redressal of investors’ grievances. The compliance officer shall immediately and independently report to the Board (SEBI) any non-compliance observed by him. The Compliance officer shall report any non-compliance, of the requirement specified in the listing agreement with respect to debenture issue and debenture holders, by the body corporate to the Board.

Regulation and the relevant clause: SEBI (Depositories & Participants) Regulations.
Text of the clause in the Regulation: Need for appointment of compliance officer not specified.

Regulation and the relevant clause: SEBI (Collective Investment Schemes) Regulations.
Text of the clause in the Regulation: Need for appointment of compliance officer not specified.

Regulation and the relevant clause: SEBI (Mutual Funds) Regulations.
Text of the clause in the Regulation: Trustee shall ensure before launch of any scheme, that the asset management company has appointed a compliance officer who shall be responsible for monitoring the compliance of the Act (SEBI Act), Rules and Regulations, notifications, guidelines, instructions, etc. issued by the Board or Central Government and for redressal of investors’ grievances. The compliance officer appointed shall immediately and independently report to the Board any non-compliance observed by him.

While there is adequate clarity on the need for a Compliance Officer under various Regulations, there is no clarity as to what the elements in the functions of a compliance officer are, what his qualifications/qualities should be, how a compliance officer should be empowered to discharge the responsibility assigned, and how the functioning of the compliance officer should be assessed. As can be seen from the above, monitoring compliance and reporting of non-compliance to SEBI is broadly stated, but the regulations do not require the compliance officer to ensure compliance.

Lack of clarity is not an India-specific phenomenon but a global issue. IOSCO, an international organization of securities market regulators, laid down 33 principles relating to regulation of securities markets. Principle 23 deals with the compliance obligation of securities market intermediaries in the following words: “Market intermediaries should be required to comply with standards for internal organization and operational conduct that aim to protect the interests of clients, ensure proper management of risk, and under which management of the intermediary accepts primary responsibility for these matters.” However, this principle does not throw any light on how to accomplish the suggested compliance.

IOSCO embarked upon a study to reflect on the issue of what the compliance function should be and constituted a technical committee for the purpose. The technical committee issued a Discussion Paper in 2005 which also contained a questionnaire covering Definition of compliance function, Independence and ability to act, Qualifications of compliance personnel, Assessment of effectiveness of compliance function, Regulator’s supervision, Cross border issues and Outsourcing of compliance function, and administered the same across different continents. This article is based on the technical report submitted by the working group and summarizes the gist of the responses to the questionnaire in an attempt to give clarity to the Compliance Function as perceived by securities market participants the world over. This article focuses only on four topics and not all the topics discussed in the report. The full length questionnaire, names of the respondents and exact responses can be read by accessing the report on the IOSCO website.

Compliance Function at Market Intermediaries

Intermediation in the securities market broadly brings together the issuer and the investor. The investor seeks to invest in the securities market with a view to earning returns better than the returns from banking and government schemes. In the process the investor takes risks relating to the instruments in which investment is made, risk relating to the issuer and risks relating to securities market processes. Intermediaries are expected to present the correct perspective of these risks to the investor and consummate the investment. However, the process of intermediation can bring its own share of risks of mis-selling, overcharging fees, and non-disclosures. The securities market regulations/rules/code of conduct, by whatever name called, endeavour to minimize the risks emanating from intermediation and facilitate passing on only market risk (price risk) to the investor. Therefore, it is necessary that market intermediaries conduct themselves in a way that protects the interests of investors and helps to preserve the integrity of the markets; strict compliance with securities laws and regulations is part of the essential foundation of fair and orderly markets as well as investor protection. Market intermediaries have become more innovative in how they structure their businesses in order to maximize profits and provide different services to their clients. The complexity of their business has increased, which makes the compliance function both increasingly important as well as more complicated. The questions that need to be answered, among several others, are

• What is the definition of compliance function?
• What should be the qualifications and qualities of the staff handling the compliance function?
• How to empower the compliance officer to discharge the compliance function independently?
• How to assess the effectiveness of compliance function?

These questions are dealt with in this article keeping in view the issues raised in the IOSCO discussion paper, the responses received and the Indian regulatory scene. The questionnaire was circulated to about 25 prominent industry bodies across the world. In this article, responses from the National Association of Independent Broker Dealers, USA (NAIBD), Investment Management Association, Singapore (IMAS), Australian Compliance Institute (ACI), and Investment Management Association, UK (IMA) are considered.

Definition and Scope of Compliance Function

The discussion paper released by IOSCO defined compliance function as “A function that, on an on-going basis, identifies, assesses, advises on, monitors and reports on a market intermediary’s compliance with securities regulatory requirements, including whether there are appropriate supervisory procedures in place”. Responses were invited to the following specific questions:

1. Do you agree with the definition and description of the scope of a compliance function?

2. What is the relationship between the compliance function and the risk management function? For example, is the compliance function part of or separate from the risk management function; and if they are separate, how do they interact when dealing with compliance issues?

Responses

NAIBD: “We note that the definition of compliance function as presented in the Report is meant to describe the staff or groups of staff responsible for carrying out certain specific activities and responsibilities. For small firms, the effort to separate functions such as risk management from compliance, and compliance from supervision is often simply a question of available personnel.

We ask that the definitions allow for an independent third party, such as an auditor or compliance professional, to be assigned duties of monitoring and reporting. Further, we feel that it is important for the definition to contemplate the reality that one individual may carry out multiple functions, and therefore request that “size” or “numbers of available personnel”, in addition to nature, scale and complexity, be added throughout the Report wherever applicable, and in particular, in the definitions.”

IMAS: “The scope should include understanding ‘best practices’ in terms of compliance policies and hence, compliance with ‘best practices’. It should not be restricted to regulatory compliance, instead, include investment compliance and compliance with internal procedures. A compliance function should also engage in the identification and prevention of violations of these securities regulatory requirements and that this could involve compliance input when the new business lines are considered so that any potential requirements or compliance concerns posed by the new business lines are highlighted early on.

Risk management is indeed the more generic term and compliance risk is but one of several risks (e.g. market, investment, legal, operations, reputational etc.) faced by a market intermediary. Compliance related issues are more specific and should be handled by a compliance professional. Inevitably, because of the monitoring role performed by compliance in order to provide management with the comfort that the system of internal controls implemented is operating effectively, it therefore means that there is an overlap between the compliance and the Risk function. There should be communication lines between the two functions to identify potential risks, report breaches, detail rectification action taken etc.”

IMA, UK: “IMA does not agree with IOSCO’s definition and description, which fails to emphasise that prime responsibility for compliance with securities regulatory requirements rests with line management of the business areas concerned. IMA supports the position taken by the EU Commission’s Working Paper prepared by the European Securities Committee (“ESC”) in its recently issued Draft Commission Document on “Organisational requirements and identification, management and disclosure of conflicts of interest by investment firms”. …. The ESC paper goes on to state that an investment firm should maintain a permanent and effective compliance function, and, in contrast with the IOSCO paper, more narrowly defines that function’s responsibilities to:

(1) Monitoring on an ongoing basis, the adequacy and effectiveness of the measures and procedures put in place by the firm for ensuring compliance with relevant regulations and client mandates; and actions taken by

the firm to address any deficiencies in its compliance with those regulations.

(2) Advising and assisting persons responsible for carrying out investment services and activities on behalf of the firm, to promote compliance with the regulations.

In line with the stance in the ESC paper, IMA suggests that the compliance function should have a responsibility for identifying relevant securities regulations, advising business management of the impact on their particular operations, identifying regulatory risks, and supporting and advising business management during the design of internal controls in respect of such regulatory risks. …. Responsibility for prevention of breaches of regulations, and day-to-day identification of those instances when controls have been ineffective, lies with line management of the particular business area concerned.

As compliance/regulatory risk is a specialist segment within overall business risk, focusing more on risk to clients than risk to the business, the compliance function usually forms a discrete unit, either within, or external to the risk management function. Whether or not the compliance function is located within the risk management function, there will be close liaison between the two units, with the compliance function providing expert/specialist input.”

ACI: “ACI takes a broader view of compliance. The view expressed above is a narrow black letter law approach that will always categorise compliance as a cost centre, rather than as a strategic enabler. Compliance should be a strategic, value adding process that improves organizational performance - not an inefficient supra-system that inhibits the proper operation and purpose of an organisation. Compliance is the management discipline of identifying the ongoing obligations and requirements, exposures, risks and opportunities arising under Laws and Regulations, Contracts, Codes (legal & voluntary), Fiduciary Duties and Stakeholder, Community and Social expectations, and then designing and implementing an effective assurance system and culture so that the obligations, exposures, risks and opportunities are properly met and managed. Compliance is more than black letter law - it is the spirit and intent of the law in the context of society’s expectations.

If there is a conflict between compliance requirements and business objectives, it is the compliance professional’s responsibility to assess the commercial and legal risks of non-compliance objectively and ensure that the Board and Senior Management are advised of these risks.

The discipline of risk management involves the identification of the different types of risks that an organization faces in conducting its business, assessing the impact of those risks on the organisation, determining the risk appetite of the organisation and putting in place appropriate risk management procedures and controls. The risks faced by an organisation are varied and can include operational risk, fiduciary risk, market risk, credit and counterparty risk, legal risk and reputation risk. Compliance is about meeting particular acknowledged obligations that may have a mandatory component to them. Risk management does not have a mandatory component to it, as the organisation may determine how it wishes to deal with risky situations.”

Takeaway

It is clear that the ‘risk function’ is not a part of the compliance function. Though there is no consensus on the scope and definition of Compliance Function, it emerges that the definition proposed in the discussion paper is not good enough. There appears to be a general opinion that the compliance function should:

• not be restricted to monitoring only regulatory compliances but also focus on compliance with internal procedures/codes/policies
• support and advise business management in designing internal controls/procedures that prevent occurrence of regulatory risks
• help in designing and implementing an effective assurance system and culture so that the obligations, exposures, risks and opportunities are properly met and managed
• uphold the spirit and intent of the law in the context of society’s expectations.

SEBI Regulations consider monitoring adherence to the regulations/rules, etc. and reporting the same to the Regulator (SEBI) as the scope and function of the compliance officer.

Qualifications and Qualities of Compliance Staff

The Discussion Paper initiated the discussion by stating that “Staff exercising compliance responsibilities should have the necessary qualifications, experience and professional and personal qualities to enable them to carry out their duties effectively. Further, market intermediaries should consider subjecting persons responsible for compliance activities to the following:

(a) Completion of relevant courses and/or training prior to accepting compliance responsibilities;
(b) Successful completion of prescribed examinations that will confirm their knowledge and experience concerning securities regulatory requirements;
(c) Continuing education requirements; and/or
(d) Relevant work experience.”


The respondents were asked to answer the following specific questions in this context:

• What are the appropriate qualifications for a compliance professional?
• Should the qualifications vary depending on functions, responsibility or seniority?
• How do you evaluate the adequacy of courses and training for compliance personnel?

Responses

NAIBD did not respond to the above questions.

IMAS: “Minimum of tertiary education or professional qualification. Further requirements depend on seniority of position. Appropriate qualifications for compliance personnel may include individuals who are legally qualified or who have an accounting or financial background.

Qualifications may vary depending on the function performed. For compliance staff performing monitoring activities, an audit background may be appropriate, however for compliance staff performing a consultative role or those who conduct training for staff, a legal background may be more appropriate.

Difficult to evaluate but it should not be based on number of hours. The adequacy of courses and training for compliance personnel will be crucial in ensuring that compliance personnel receive continuing education and are kept up to date with changes in applicable rules and regulations. Courses and/or training seminars should be made available every time there are material changes in applicable rules and regulations and these should be conducted appropriately by qualified individuals such as compliance professionals from the industry, legal practitioners or consultants who specialize in securities and regulatory compliance issues. It may be useful for an industry body to organize such courses or training for compliance professionals in the investment industry. Singapore is implementing a certification program - perhaps that may assist in determining this issue.”

ACI: ACI has developed a comprehensive accreditation framework. The key principles are:

• Compliance is a complex discipline requiring a broad range of hard and soft skills to enable compliance to be perceived as a valuable strategic asset rather than an impediment to business
• Compliance does not require a law degree, rather an appreciation of how to secure compliant behaviour
• There should be levels of accreditation reflecting the structured nature of the profession. There should also be comprehensive pathways for career development.
• The core compliance skills are common across the globe and across industries and laws. What varies is the legal requirement, or cultural context, but the principles that
• Licensing will lead to a lowering of professional standard. Accreditation allows for defined standards that are internationally transportable.

There should also be industry specific requirements e.g. finance, pharmaceutical, health which are added as technical disciplines. ACI has developed a comprehensive set of learning outcomes. These are defined for every subject area. We have also developed a five tier system which sets out the complexity of knowledge required for each subject. This framework allows ACI assessors to examine a course and rank it as to the level of complexity. As a rule of thumb a level 1 course is for front line staff who need to be made aware of their obligations, but at a purely operational level. Level 2 courses are the base line for our entry level of accreditation. Level 3 is for senior compliance staff. Level 4 is for the most senior and is only delivered in a few subject areas.

Existing course providers may have their material assessed. They can also have the learning outcomes provided so that they can redesign their courses to meet higher or lower levels according to the market requirements. All courses must be assessed. Attendance is not adequate. Assessment is carried out after the course (usually the examination becomes available several days after the course as we are assessing retained knowledge). Assessment takes the form of multiple choice, short text and complex assignments depending on the level of the program.”

IMA: In the UK there are currently no widely accepted professional qualifications specifically for compliance personnel. Typically, however, compliance personnel are either qualified accountants/internal auditors, or lawyers, or have established a proven track record working within the investment industry. We are aware however that the UK Financial Skills Council (FSC) has recently consulted on the skills and expertise required of compliance officers, perhaps as the basis for a qualification, although this is very much work in progress and we would not support the basis of a number of the suggestions made by the FSC.

Where there are qualifications elsewhere in the world, these naturally focus on technical knowledge of the regulations, and this is clearly the bedrock of compliance. However, particularly at senior levels, the quality of judgment is what

Global Reflections on Compliance Function

(A - 150)

Page 6: Global Reflections on Compliance Function by Dr. v.R. Narasimhan 4

APRIL 2011468

Articles

marks a good from a bad compliance officer. We would support the recognition of technical qualifications (which would need to have a degree of internal mutual recognition), but with the caveat that this has to be employed alongside, and as part of, other qualities to be effective.

Whilst, as noted in Q15 above, there are currently no widely accepted professional qualifications specifically for compliance personnel, certain qualifications clearly are particularly appropriate for specialised compliance functions, e.g. accounting/auditing in relation to compliance monitoring, or an understanding of the functioning of capital markets for those dealing in such markets.

Managers of compliance functions generally get to know the training providers and the quality/content of their courses, matching this to the individual requirements of their compliance staff. Whilst much compliance training quite correctly focuses on team management and interpersonal skills, none of the available compliance specific courses or qualifications has attained any universal level of acceptance which would tend us to think that they do not serve all needs, even if they may be regarded as adequate for some purposes. While exams are one way of demonstrating competency there is still a lot to be said for experience when it comes to compliance.”

Takeaway

While there is a realization that there is a need for some qualifications, none of the jurisdictions has specified the qualifications. Some jurisdictions have accepted surrogates like qualifications in law or auditing as good enough; others have evolved their own courses in which a compliance professional is expected to qualify. There is also a view that the relevant industry body may organize programs for ongoing/continuing education of compliance professionals.

In the Indian context, the Institute of Company Secretaries of India, at the Executive level (Level 1 or Intermediate level), has a course titled “Securities Laws and Compliances” which covers regulations and legislation relating to securities markets and intermediaries operating in the securities market. Further, since they also study Company Law and Company Accounting, they have adequate exposure to financial instruments and the related legal position. Persons qualifying in this examination can be recruited into the compliance function. However, none of the regulations relating to the securities market mention the expected qualification for a compliance officer. The Institute of Company Secretaries and the Securities and Exchange Board of India may take a closer look at the curriculum and work towards making this course the appropriate qualification for a compliance officer.

The Securities and Exchange Board of India has established the “National Institute of Securities Market” (NISM). NISM is planning several compliance examinations for various intermediaries in Capital Markets. Further, it is learnt that NISM is formulating policies for development and administration of Continuing Professional Education programs. It will be helpful if NISM and the Institute of Company Secretaries coordinate their efforts in establishing a standard program for the compliance function.

Independence of Compliance Function

The compliance function should be able to operate on its own initiative, without improper influence from other parts of the business, and should have access to and should report to the board of directors or senior management. Independence of the compliance function is critical to ensuring that the Board of Directors or senior management, who are ultimately responsible to regulators, receive accurate and unbiased reports on the market intermediary’s compliance with securities regulatory requirements. Independence of the Compliance Function can be ensured if it reports directly to the Board of Directors and not to any Line Manager or the Chief Executive of the organization.

Independence means that a compliance function should be able to operate without improper or undue influence by other parts of the business. Improper influence is mitigated by providing the compliance function with the authority and resources (including human resources) to carry out its responsibilities, and by allowing it access to all levels of the organization. In addition, in order to ensure that a market intermediary can hire and retain highly qualified compliance personnel, their compensation and opportunities for advancement should not be directly dependent on the performance and/or opinion of a specific business line, product or transaction.

Based on the above thought processes, IOSCO posed the following questions to the respondents to understand the respondents’ point of view on the independence of the Compliance Function.

• What requirements relating to independence and ability to act are relevant to a small firm?
• In cases where individuals perform both business and compliance activities, should they be allowed to supervise their own business activities? If so, how can the regulators ensure that they supervise their own business activities in an objective manner?
• Are the means of implementation of independence set out above sufficient to achieve independence?


• How do you ensure that compensation of compliance personnel is not subject to undue influence?

Responses

NAIBD: “It is our observation that small firms have experienced success in their efforts to address objectivity and independence through effective means of internal checks and balances, and in some cases through outsourcing. In any event, we feel strongly that specific granular requirements that would impose certain cycles, percentages or document requirements are just as likely to fail as to succeed in enhancing compliance.”

IMAS: The same individual should not perform both business and compliance activities, as there is a lack of objectivity. The regulators can require more frequent reviews by internal/external audit, regulatory inspections or more frequent contact between the company and the regulator. A compliance officer should be allowed to operate in the knowledge that any action he/she takes in good faith which may have a negative effect on the firm’s business or a particular individual will not be held against him/her. More generally, firms should consider implementing a ‘whistle blower’ policy to protect anyone who speaks out in good faith against perceived failings of the firm or any of its individuals. Independent review for consistency with market/industry rates. Compensation to be reviewed by independent directors.

ACI: “It is common for compliance officers in small companies to have multiple roles. Some subsume compliance, risk and audit, others have operational roles. In practical terms independence may be a fiction where the Board and CEO are controlling shareholders. Where the Board is independent one method for assisting independence is to create a direct reporting line to the independent directors for the compliance officer when acting in that capacity. Independence is not assisted by simply appointing external providers as their appointment and continued fee income is normally controlled at a level above compliance. It is possible that there is a role for professional independent compliance committees to be established to support the compliance officer. Self supervision is not adequate. There is an inherent conflict that cannot be managed in any meaningful way. There needs to be an independent monitoring and reporting function, though primary responsibility for compliance can rest with the operations person. In large organisations where there is a decentralized structure, but a central compliance function in support, the final remuneration decision should be established by the central position. Where all compliance is centralized there is less of a problem. Remunerating compliance is difficult as performance is difficult to assess.”

IMA: “The ESC paper described in Q1 above, and which IMA supports, states that compliance personnel should not be involved in the performance of services or activities they monitor in the course of carrying out duties related to the compliance function. It may be possible to address such issues in smaller firms through the use of external auditors carrying out checks. IMA would not promote the NASD model as suited to all types of firm and all types of environment. Firms which are members of the NASD or NYSE are already of a relatively sophisticated and complex character. Such a model would not transfer to the world of the niche investment manager or small personal financial adviser, for example. The ESC paper described in Q1 above, and which IMA supports, states that investment firms should ensure that the method of determining the remuneration of compliance personnel does not and is not likely to compromise their objectivity. This does not mean that compliance personnel should not share in the success of the firm. If IOSCO subscribes to the notion that good compliance is good business, then the compliance function will play a role in the commercial success of an organisation over the long term, and should be rewarded. It is also important that compliance personnel are remunerated on a comparable basis to staff in other areas so that good quality recruits and entrants are attracted to the role. In many organisations, the compliance function is within a discrete cost centre, with its own budget, which can be helpful in achieving independence. As with many things, it becomes a matter of degree. We would not support, for example, compliance personnel being remunerated on a commission basis for sales volume. However, we see no reason why there could not be a bonus scheme or participation that was based on profitability, which is in part driven by sales volume. There is no foolproof means by which any remuneration package can be ensured not to have a particular effect, as this involves a response by the individual to a particular system and individuals will have individual circumstances and individual responses. We would suggest that, in the first instance, senior management with its responsibility for compliance is best placed to judge. We would also caution against any assumption that the other “direction” to worry about is an undue influence for a compliance officer to say “Yes” to the business, when he should say “No”. We believe that there are dangers also in unduly influencing compliance officers to always say “No”.”

Takeaway

Whereas in India the compliance officer does not discharge any other executive or line function, it appears from the responses that compliance officers in other countries do have other responsibilities to discharge.

Independence, and the ability to act in fulfilling compliance-related obligations, requires support and pressure in the form of external audit and regulatory supervision. Such support helps the compliance officer, as the first-line regulator, to insist upon the compliances required by regulation.

There is a common opinion that the power to determine remuneration can affect independence. The suggestions offered to resolve this issue are that remuneration be determined by reference to the industry benchmark, that the central compliance in-charge determine the remuneration of compliance personnel, and so on, and that compliance personnel may be paid incentives related to the performance of the firm.

Effectiveness of Compliance Function

Each market intermediary should periodically assess the effectiveness of its compliance function. In addition to any internal evaluations, the compliance function should be subject to periodic review by independent third parties, such as the intermediary’s external auditors, SROs or regulators. In order to ensure that a compliance function is adequately identifying, assessing, advising on, monitoring and reporting on the market intermediary’s compliance with securities regulatory requirements, its effectiveness should be periodically assessed.

Based on the above thought process, IOSCO posed the following questions to the respondents to understand their point of view on the effectiveness of the compliance function.

• Who, within or external to a market intermediary, is best placed to assess the effectiveness of the compliance function?

• What should be the role of an external party in assessing the effectiveness of a compliance function?

• What are the practical concerns of requiring an external party to conduct periodic assessment of a compliance function?

• What should be the scope and frequency of the assessment by an internal party and/or an external party?

Responses

NAIBD: There was no direct response.

IMAS: Regulators and internal auditors are best suited to make the assessment. Independence is key here and internal auditors should have excellent knowledge of the company’s business to make such an assessment. Regulators are also suitable as they can compare and contrast with other industry players. Consultants may be engaged in highlighting best practices. However, engaging external consultants results in cost and uncertainty about the knowledge and expertise of the third parties. Further, trade secrets are shown to such third parties, and there is potential disruption to the day-to-day business. Dependent on the compliance culture and control environment of the company, under normal circumstances, an annual assessment should be sufficient.

ACI: ACI has just completed the development of a Compliance Review Protocol. The reviewing process is complex as it is not a simple historical audit and unlike a quality system normally has too small a data set to provide reliable performance measures. In a recent study we completed on Compliance in 7 major Banks, we determined that there is inadequate knowledge on effectiveness and efficiency measures. While there are a number of “existence measures”, these alone provide little proven relationship to ultimate effectiveness. Part of the reason is that compliance is ultimately a behavioral outcome and most audits ignore behaviour and behavioral precursors and indicators. Notwithstanding the above, the ACI Protocols provide a guide for not only who should conduct a review, but how it should be conducted. The “who” will depend on the purpose of the review. Is it part of “normal maintenance”? If so then it could be conducted internally by the compliance team, or properly briefed internal audit. If it is in relation to an enforcement action then the independence and qualification of the reviewer become critical. In all situations, compliance reviews cannot be undertaken by individuals without compliance expertise and preferably practical compliance exposure. The ACI Compliance Audit Protocol can be provided if required on limited license to IOSCO for the purposes of this study and is not for general distribution. The role of the external party in assessing the effectiveness of the compliance function is discussed in detail in the protocols.


The practical concerns of requiring an external party to conduct periodic assessment of a compliance function have also been addressed in the protocols. The critical factors are the purpose, the defined scope, the budget and level of access. There is no recommended frequency of assessment. In practice there will be programmed reviews and reviews triggered by failures or “near misses”. The survey indicates annual review, but not of the same part of the compliance framework. The focus may be on new or modified areas, or areas of higher risk, as well as areas which have not been reviewed for some time. Good practice would suggest that a program of review be coordinated with the internal audit and risk review to minimise disruption to the business.

IMA: In the first instance judgement has to be made by the senior management of the firm that is relying upon the compliance function to assist it in fulfilling a key responsibility. We also see that external auditors have a role to play. Indeed, the level and type of auditor reporting in a number of countries, including the UK, obliges the external auditor to comment on aspects of compliance that will reflect in one way or another on the compliance of the firm, and indirectly on the compliance function. Clients of a market intermediary will also have valuable input on the effectiveness of a compliance function. There are several ways in which an external party might be used to assess a compliance function, but the IMA does not believe any of these should be mandated. They would include:

• the use of external auditors to test compliance critical functions such as the compliance risk assessment process on which the monitoring programme is based, compliance reporting to senior management, and the effectiveness of client money reconciliations

• the use of external lawyers/accountants to review client documentation and promotional material

• the use of external specialists in the areas of review of best advice, CIS pricing etc.

• the use of consultants and research firms to benchmark against other compliance functions.

Many of the services on offer are relatively expensive and offer limited recourse should they miss a significant problem. It is also a continuing challenge to tailor what are essentially off-the-peg assessment models to the circumstances and culture of a particular firm, bearing in mind that any external party will understand the business less than the compliance function. Obtaining an unbiased/objective view of the efficiency of the compliance function is therefore very difficult. It is also notoriously difficult to measure the success of the compliance function as there are no obvious metrics. Accordingly, the usefulness of such services is constrained and management need to understand the inherent limitations of such an approach. Such external services should never be used as a proxy for the governing body to have an informed opinion on the adequacy and effectiveness of its own compliance function. Senior management should have discretion as to the scope of such assessments. It would seem impractical and unnecessary for this to be stipulated in regulation as necessarily needing to be more frequent than annual for internal reviews and bi-annual for external reviews. If firms believe it appropriate in certain circumstances and in certain areas to conduct more frequent assessment, that is a matter for them and is fully commensurate with a risk-based approach.

Takeaway

There is a consensus that the compliance function should be assessed at least once a year, if not more frequently. The assessment should be done by an external expert who has specialized knowledge of the compliance function. However, the availability of experts to assess compliance effectiveness, and the cost associated with it, appear to be concerns.

Conclusion

The compliance function has come to stay as a distinct requirement in the securities market and, though its scope and role are evolving, monitoring compliances and assuring that the firm is not taking compliance risks seem to be the substance of the compliance officer’s function. In the Indian context, in addition to the above, the regulator expects the compliance function to oversee the firm’s investor complaint redressal obligation. Though there is no formal university- or institution-based qualification for the compliance officer, different markets have different approaches to the issue of compliance. In India, an attempt should be made to see whether the course offered by the Institute of Company Secretaries of India is comprehensive enough to address the qualification issue, and to prescribe the same as the mandatory qualification. Authority to determine remuneration can affect the independence of the compliance function, but regular review of compliance performance by external agencies/regulators can help strengthen the hands of the compliance officer to insist upon the desirable levels of compliance.
