
Get Smart

ISSUE 37

YOUR MAGAZINE FROM THE INTERNATIONAL COMPLIANCE ASSOCIATION

inCOMPLIANCE ®

Go with the flow… p.18

Through a wider lens p.22

People, outcomes, principles p.28

£4.95 where sold separately


12-13 November 2018 Amsterdam

The premier European conference for compliance, risk, and ethics officers. To register, please go online at events.complianceweek.com/cwe18 or call +1 (617) 570-8600.

Powerful Insights. Practical Ideas. Real Solutions.

Thank you to our sponsors:


ICA members save €200 at registration.

CWE18ICA

Lisa Kristin Miller, Head of Integrity Compliance Office, World Bank Group

Ventsislav Karadjov, Vice Chairman, European Data Protection Board

Segev Shani, Chief Compliance Officer, Neopharm

Robert Seibel, Senior Compliance Counsel, Abercrombie & Fitch

Christine Uriarte, Senior Legal Analyst, Anti-Corruption Division, OECD

Karina Litvack, Board of Directors, ENI

Enhance your marketing efforts through event sponsorship and product promotion. To learn more, please contact Doug Juenemann at (617) 570-8610 or [email protected]


Editorial Board

Kathryn Cearns, Independent Consultant, [email protected]

Jee Meng Chen, Commerzbank, [email protected]

Jacob Ghanty, Kemp Little LLP, [email protected]

Tim Porter, Director, TPA (Consulting) Ltd, [email protected]

Tom Salmond, Ernst & Young LLP, [email protected]

David Symes, Compliance Recruitment, [email protected]

Rachel Waldren, Murray Waldren Consulting, [email protected]

inCOMPLIANCE® Issue 37

Publisher: International Compliance [email protected]

Editor: James [email protected]

Design: Design & Document [email protected]

Production: Dorinda Gibbons & Sophy [email protected] [email protected]

Advertising Queries: Dorinda [email protected]

Executive President, International Compliance Association: Bill [email protected]

ICA Membership Enquiries: Jo [email protected]

ICA Qualification Enquiries: Debbie [email protected]

Article Enquiries [email protected]

International Compliance Association CPD - 2 points

Advice to Readers

inCOMPLIANCE® is published six times a year by the International Compliance Association. Reproduction, copying, extraction, or redistribution by any means of the whole or part of this publication must not be undertaken without the written permission of the publishers.

inCOMPLIANCE® is distributed as a free member benefit to all members of the International Compliance Association.

Articles are published in good faith without responsibility on the part of the publishers or authors for loss occasioned to any person acting or refraining from action as a result of any views expressed therein. Opinions expressed in this publication should not be regarded as the official view of the ICA or as the personal views of the Editorial Board members of inCOMPLIANCE®.

All rights reserved in respect of all articles, drawings, photographs etc published in inCOMPLIANCE® anywhere in the world. Reproduction or imitations of these are expressly forbidden without permission of the publishers.

Printed in England

Coping with complexity

We live in a complex, interconnected world in which risks (and opportunities) appear to emerge with ever greater frequency. Related to this complexity are the incessant demands made on our time, with our attention crowded by growing volumes of information from an increasing (and increasingly unfiltered and/or unregulated; p.18) range of sources. It is perhaps hardly surprising when individuals and organisations, struggling to operate in the face of such complexity, exchange ‘shades of grey’ for ‘black and white’, and reduce complex decisions into binary choices (intentionally or otherwise). Paradoxically, it is this approach that may introduce the greatest risks of all. Witness, for example, the binary solutions offered by some parties to what they perceived as the threat posed by immigration (“build a wall!”; “Brexit!”). Within the financial sphere a parallel may be found in the recent practice of wholesale de-risking (p.22). Rather than adopting fixed, binary positions on complex issues there is a need to develop and implement more flexible, fine-grained, multi-dimensional approaches to understanding and assessing risk (and opportunity). Compliance practitioners have much to offer – both to their businesses and to society at large – in this regard.

James Thomas, Editor


Contents

3 Editor’s comment: Rather than adopting fixed, binary positions on complex issues there is a need to develop and implement more flexible, fine-grained, multi-dimensional approaches to understanding and assessing risk (and opportunity), writes James Thomas

6 ICA News: A roundup of the latest news and events from the ICA

8 Industry News: A summary of recent developments affecting Financial Crime Prevention, GRC, AML and CDD professionals

10 ICA Singapore Award Ceremony

12 Join the conversation: James Thomas previews the inaugural ICA Asia Pacific Conference

14 Get smart: Vivek Padmanabhan outlines the new frontier of Smart Compliance: Holistic Cognitive Compliance

18 Go with the flow...: Vladimir Berezansky considers the paradigm shift occurring at the nexus of people, money and data, and its implications for regulation

20 Get ahead: Zoë Newman outlines the challenges of and approaches to anticipating, detecting, and responding to global risks

22 Through a Wider Lens: Emily Arries considers the practice and implications of de-risking

25 Compliance Recruitment: David Jackman offers advice for those planning to recruit compliance staff, amidst the emergence of a ‘new compliance’

28 People, outcomes, principles: Paul Asare-Archer highlights the importance of people, outcomes and principles in compliance

31 Data breaches in the ‘Golden Age’: Within an environment of increasing cybercriminal activity, the new civil claims that data subjects can bring for data breaches under GDPR create significant financial exposure for financial services companies. Ann Henry considers how to hedge this risk

34 Think inside the box: Simon Gray explores the what, where, when, how, why and who of regulatory sandboxes

38 Towards transparency: Svetlana Snezhko considers trends around the disclosure of compliance information within companies’ public reports

41 The Big Compliance Conversation: The ICA, in collaboration with Broadgate, considers whether Manchester is the new London

Have you thought about writing an article for inCOMPLIANCE®?

Writing an article is a great opportunity to raise your profile within ICA and present a topic of relevance to your fellow members. Writing an article on anti-money laundering, compliance, financial crime or associated disciplines will also earn you valuable CPD!

Visit tinyurl.com/writeanarticle and download our document on Article writing tips and Blogging Best Practice to enhance your skills in this area and learn about structure, themes and writing style.

Please note: you don’t have to be an ICA Member to register your interest in submitting.

If you are interested in writing an article for inCOMPLIANCE, email us at: [email protected] and remember to include your full name and your topic of interest.


ICA Qualification Series Launch in Cambodia

This new launch is part of ICA’s geographic expansion into the APAC region and signifies an exciting period of growth, as well as the growing demand for skilled compliance professionals in the region.

The ICA International Advanced Certificate in Anti Money Laundering (AML) will ensure that compliance professionals have the required understanding and tools to meet ongoing regulatory compliance challenges. Firms who have enrolled on the programme will be able to utilise their Staff Development Fund.

ICA qualifications are offered through the International Compliance Training Academy (ICTA), the Association of Banks in Cambodia (ABC) and the Institute of Banking and Finance Cambodia (IBF). IBF was established in 2015 as the international standard, offering locally affordable training, for ABC’s members, who comprise Cambodia’s commercial banks, specialised banks, and microfinance institutions. The IBF is initiated and supported by ABC and the National Bank of Cambodia (NBC). The strategic vision of IBF is to provide quality education at the highest standard to local bankers in Cambodia. Based on a common goal, IBF and ICA came together to raise awareness of good anti money laundering practice in the financial services sector. With the right training and education, the partnership will help to achieve goals and improve standards. We welcome all of our new students and wish them every success in completing their qualification.

Truly international

In this edition I would like to focus on the international nature of the ICA and the many thousands of members that the Association has in the APAC region.

I am delighted that the ICA has attracted more than 10,000 new members globally over the last year and currently we have members in more than 100 countries worldwide.

The ICA will be running its first APAC conference in November in Singapore, where the ‘Big Compliance Conversation’ will focus on the opinions of our APAC members.

We have had a significant presence in APAC for more than a decade from the time we entered into an agreement in 2007 with the Monetary Authority of Singapore (MAS) through its Institute of Bankers and Finance (IBF) to train several thousand new compliance officers in Singapore. To date, more than 3,000 new compliance professionals have been trained.

Significant programmes have also been developed in Malaysia and Hong Kong and a number of initiatives in China and Vietnam are underway.

In Malaysia, Bank Negara, the banking regulator, has made it compulsory for those working in compliance to be professionally competent and qualified. Working with the Asian Institute of Chartered Bankers (AICB), our partner in Malaysia, we have provided a range of qualifications and training in both AML and regulatory compliance.

The ICA’s senior staff continue to globe-trot as part of the mission to spread the ‘Big Conversation’, and senior staff and I will be speaking and promoting the Association in a range of jurisdictions over the next couple of months, including Dubai, Egypt, Cyprus, Georgia, the Ukraine, Singapore and Malaysia, Hong Kong, Ireland and the Channel Isles.

Bill Howarth, Executive President


ICA NEWS

Events Review

Hong Kong

On the evening of 4 July 2018, ICA Regional Director, Andrew Glover, gave a presentation to more than 240 members of the Hong Kong Institute of Certified Public Accountants (HKICPA), on “Anti-Money Laundering and Counter-Terrorist Financing: From A Practical Perspective”.

Andrew clarified some common misunderstandings of AML/CTF and discussed AML policies and procedures, risk assessment and a range of compliance issues. Andrew also highlighted the benefits of ICA qualifications and the provision of AML training to enhance staff capabilities in managing current fast-paced regulatory requirements and future AML/CTF challenges. The session raised many questions amongst the participants, which resulted in some great feedback. The Chairman of HKICPA is looking forward to organising similar seminars again in Hong Kong.

The ICA Hong Kong briefing session took place on 31 July at the Hong Kong Monetary Authority, followed by an Alumni Sharing session run by ICA graduates from various sectors including legal, insurance, securities and regulators.

Singapore

ICA and the Institute of Banking and Finance (IBF) Singapore co-organised a Masterclass on the Senior Management Regime on 7 August 2018. The event was officiated by the Deputy CEO of the IBF, followed by a successful panel moderated by Andrew Glover that comprised:

• Chen Jee Meng, Country MLRO, Commerzbank AG

• Jon Yeo, Chief Compliance Officer, Maybank

• Lim Siew Lee, Group AML/CFT/Sanction Head, UOB

• Andrew Kwek, Independent Director, Pilgrim Partners Asia (Pte.) Ltd

By the end of the event all participants could identify key areas of impact and an implementation plan.

The ICA briefing session took place on 14 August with over 200 attendees interested in finding out more about how an ICA qualification could add value to their career. IBF Deputy Chief Executive, Lydia Wee, also gave a presentation on ‘IBF Career Connect’; a new careers advice and jobs initiative for the financial sector.

Look out for further briefing sessions (and member hot topic events) due to take place in September in London, Jersey, Guernsey, Isle of Man, Dublin, Madrid and Cyprus.


INDUSTRY NEWS

UK: FCA rules to promote "seamless customer experience"

UK current account providers will be required to publish information to help customers compare bank accounts from different providers, following the introduction of new rules by the UK Financial Conduct Authority. Banks will have to publish contact centre numbers, opening hours, complaints records, and security breaches, as well as specifying how long it will take to open accounts.

https://www.fca.org.uk/news/news-stories/making-it-easier-use-and-compare-current-accounts


German regulator to step up Facebook data collection probe

Germany’s antitrust regulator, the Federal Cartel Office, has announced that it expects to take “first steps” in its investigation into Facebook later this year, according to Reuters.

In a preliminary assessment published last year, the regulator reported its concerns over the social media giant’s data collection practices, its President Andreas Mundt suggesting that: “The extent and form of data collection violate mandatory European data protection principles.” The Federal Cartel Office is also considering a broader investigation into e-commerce platforms – such as Amazon – that host third party traders.

The data practices of social media platforms have come under increasing scrutiny following the Cambridge Analytica scandal, and Facebook CEO Mark Zuckerberg’s subsequent appearances before American Congressional and EU Parliamentary committees. As Vladimir Berezansky writes in this edition of inCOMPLIANCE® (p.18): “In both instances, it appeared as though the august legislators were only beginning to get their heads around the concept of regulating platforms such as Facebook … A social media network is not the same thing as a securities exchange, and new approaches, methods and tools will need to be devised and deployed – together with the inevitable lag time for trial and error.”

“Tactically, I find it interesting that the German government has chosen to engage Facebook on the anti-monopoly front,” he adds. “Regardless of how this dialogue (or confrontation) starts out, it will inevitably lead to a broad range of points of engagement. Indeed, this process could easily take several years before a firm new set of rules (of engagement) are hashed out.”

https://www.bundeskartellamt.de/EN/Home/home_node.html

Australia: Banks to improve fraud protection

Five Australian banks will be required to improve their compliance measures and controls for deposit accounts, following a review by the Australian Securities & Investments Commission (ASIC). The review looked at the policies, procedures and controls that banks have in place to prevent fraud and unauthorised transactions for consumers who have deposit accounts that can be operated by their adviser.


FATF reports on PMLs, beneficial ownership and human trafficking

The Financial Action Task Force (FATF) published a series of reports over the summer. Its report on Professional Money Launderers (PMLs) identifies the specialist skillsets that PMLs offer their clients to hide or move their proceeds, and provides a detailed explanation of the roles performed by PMLs to enable authorities and reporting entities to identify and understand how they operate.

A joint FATF-Egmont Group study on Concealment of Beneficial Ownership Information considers the mechanisms and techniques that can be used to obscure beneficial ownership and control of illicitly obtained assets.

Finally, a joint FATF-APG report analyses financial flows associated with human trafficking, both as an ML predicate and a potential source of terrorist financing. It provides good practices and indicators specific to the type of human trafficking as specified in the Palermo Protocol.

The reports are available from the FATF website: http://www.fatf-gafi.org

Singapore: MAS revises Code of Corporate Governance

The Monetary Authority of Singapore (MAS) has revised its Code of Corporate Governance.

In announcing the revised Code, Ong Chong Tee, Deputy Managing Director, MAS, explained: “Important baseline market practices that should apply to every firm – or CG 'hygiene' requirements – are hardened by their inclusion in the SGX [Singapore Exchange] Listing Rules. Indeed, twelve basic requirements previously couched as guidelines have been shifted from the Code to the Listing Rules. In other aspects, the Code has been streamlined and elaborated in the Practice Guidance.”

Moreover, MAS has also undertaken to establish a Corporate Governance Advisory Committee in response to “concerns that some of the principles in the Code are subject to interpretation and gaming”.

1MDB: Money laundering charges brought against former PM

Former Malaysian Prime Minister, Najib Razak, has been charged with three counts of money laundering, in the ongoing 1MDB scandal. The ex-premier already faced charges of corruption and criminal breach of trust. He has denied all charges.

It is alleged that Najib Razak transferred 42m Malaysian ringgit ($10m) from a subsidiary of the government-run strategic development company, 1MDB, into his personal bank accounts.

With its investigation now approximately 60% complete, the Malaysian Anti-Corruption Commission (MACC) is now shifting its focus overseas, according to a Bloomberg report. MACC is reported to be working with cooperation from authorities in the US and Singapore to gather the remaining evidence.

UK: FCA enforcement activity “rockets” post-SMCR

The number of Financial Conduct Authority (FCA) enforcement actions has “rocketed” following the introduction of the Senior Managers & Certification Regime (SMCR), with the number of investigations into governance issues and financial crime “soaring”, according to law firm Pinsent Masons.

Citing the FCA’s annual report 2017/18, the firm noted a 23% increase in enforcement activities during the last 12 months. "The markedly increased number of investigations relating to culture and governance reflects the high priority the FCA is placing on this area," suggested Ben Brown, Pinsent Masons, adding that, "It is clear that the regulator is now holding firms and senior managers to account for culture and governance failings."

https://www.fca.org.uk/annual-report-and-accounts-2017-18


Singapore Award Ceremony Roll of Honour

ICA hosted its bi-annual award ceremony in Singapore at the NTUC building, where students celebrated their achievements. It was gratifying to see lots of pictures being taken with family, classmates and the teaching faculty to record the event. Thank you to everyone who attended and we congratulate all our students once again on their fantastic achievements.

ICA Advanced Certificate in Governance, Risk & Compliance - IBF Level 1

Sze Pheng Lim
Pauline Tan
Sek Leong Chan
Choon Guan Tan
Fung Soon Chin
Qinni, May Lai
Cheng Hui Sng
Poi Yan Tham
Da Pei Tan
Boon Kiat, Edmund Lim
Yi Xuan Tey
Ji Hsien Lim
Wenqiang, Marc Tan
Nicholas Sean Chien Loong Tan
Shaik Imran Bin Zeyawdin
Shin Thai, Keith Lim
Tessa Karina Lim
Shalini Sharon Gupta
Francesca Xiaowei Lin
Zhen Guang Ong
Chin Hong Ho
Mohamed Haris Mohamed Rafeeq
Sherlynn Teo
Rachel Kai Yi Lim
David Jedidiah Han Yuen Ong
James Teo
Tiantian, Jasmin Cai
Xue Ni Loy
N Raman
Nelson Lau
Joanna Lestari Lim
Siqin Ma
Ravichandran R
Terasa Lim
Shio Fong Chan
Noor Syuhada Mohamad Rafeek
Jonathan Chin Chin
Poh Heng Tio
William Tan
Jia Fang Celestine Koh
Yu Qian Evon Lim
May Sze Teo
Sharifah Akidah Mohamed
Eunice Ooi
Shin Yi Lee
Zhi Qing Tan
Xiaolei Zhang
Song Thai Go
Lok Yu Wu
Aakash Dadlani
Xue Ling Yeong
Dawn Chew
Muhammad Ismadi Johari
Solomon John Roy
Kah Seng Tan
Wee Ling Ng
Widyasari Triyono
Sharon Lee Mui Ting
Sok Jen Audrey Tay
Jasmine Chean
Isabelle Sumarli
Huizhen Zhong
Kai Ting, Malvina Low
Richard Martin
Jing Jesper Tong
Pei Shan Lee
Chong Sian Lim
Kimberley Goh
Yuanyuan Ye
Junhong Tan
Quah Caroline
Madeleine Fangping Ng
Weiqiang Vincent Chen
Lim Tony
Jovett Tan
Rita Marie Lin
Juna Joe Tan
Meng Sunn Khan


Stanley Chew
Benjamin Lim
Shashi Kumar
Avan Lim
Wen Jun Chow
Chester Lim
Fathima Nazreen
Lucia Cordeschi
Lifeng Low
Wen Wei Lee
Gordon Yen
Danny Toh
Serena Chin
Shu Zhen (Suz) Lim
Wen Ting Yiong
Muhammad Daanish Mohammad Noorjasah
Peiyi Lisa Huang
Pi Hann Koh
Hwee Lian Chua
Rip Chong Ng
Eve Lau
Yin-Chia Peng
Li Ping Low
Royston Wei
Catherine Chong
Ashraf Yahya
Carlyn Huang
Charmaine Sng
Daniel Tolentino
Narendernath Baskar
Huayan Lawrence Lin
Kian Peng Lee
Sharmila Banu Tajudeen
Jasmine Quek
Chia Yee Jennifer Lai
Klaus Ang
Ruiqian Liao
Pauline Wan Wan
Josh Sum
Jopie Tan
Durjoy Basu
James Ho
Basheer Ahamed Mohamed Ismail
Terence Deng
Xinru Chen
Ting Ha Wong
Siu Fai Chan
Joanne Feng Chun Tan
Leila Alieva
Fayas Khan
Hui Hui Goh
Pei Chin Ong
Yoke Tin Chow

ICA Diploma in Anti Money Laundering / Counter Financing Terrorism - IBF Level 2

Syen Kai Lui
Ellson Tuang Wei Boh
Zhiwei Benedict Hong
Li Yuan Cui
Xuming Tan
Su Leng Chan
Li Ming Tong
Siti Nadiah Ong
Raymond Zi Jian Liow
Bing Wei, Gabriel Tan
Choon Yen Choey
Kelsonn Yi Long Tan
Qiu Ling Teo
Gwen Lee
Theng Hwee Tan
Wei Sheng, Aloysius Chin
Xiuzhen Rachel Tan
Mohammed Reza Mohamed Anuar
Sharon Toh Ping Ping
Huan Jing, Matilda Lee
Marcus Tan
How Khiang Chua
Nadirah Rahim
Boon Shoo Ng
Bi Rong Chia
Shun Deng Chan
Yuk Chun Chung
Felicia Xin Ying Chiu
Si Han Chua
Rajkumar Murugan
Siang Dat Lim
Jennifer Sei Yieh Sia
Choo Ching Poh
Sethulakshmi Kathiresan
Chu Kheng Chua
Minghan Lin
Mohamed Samir Kazura
Charmaine Lee
Aloysius Mun
Aruvin Nathan
Siew Hwa Lam
Nisha Abdul Salam Ahamed
Sze-Yin Yap
Pei Lee Chua
Marco Sambiagio

ICA Diploma in Governance, Risk & Compliance - IBF Level 2

Jyotimaya Mohanty
Jaishree Sadhwani
Hsiow Hua Tan
Wei Xiang Ang
Zhiyong Ronnie Soh
Yuhan Ooi
Boon Boon Teh
Arun Balagi Sundaramurthy
Jane Sze Soh
Elaine Shee Wong
Chin Wee Ong
Yichen Ye
Hazel San San Chai
Cheng Chuan, William Chua
Virgil Ramos Quiogue
Lorrene Ling Yan Lee
Chew Hong Lee
Peishan, Lavina Lee
Felicity Chow
Wei Jian Teo
Bena Yeong
Dora Tan
Shao Jie Ng
Bakthavatsala Srinivasamurthy
Amelia Tan
Andrew Chin Phang Goh
Mabel Choo
Rui Qin Poh
Hui Shan Khoo
Pi Yuan Gideon Teo
Fion Lek
Choon Yong Philip Ang
Marilyn Lee
Weng Tang, Keith Choo
Rick Hartono
Kok Hoe Loke
Jiwu Yap
Hiu Man Yeung
Wai Sin Chee


ICA ASIA PACIFIC CONFERENCE

ICA’s inaugural Asia Pacific conference: The BIG Compliance Conversation is coming to Singapore! 20-21 November 2018, Marina Bay Sands

We’re delighted to be presenting a range of speakers and topics that resonate right across the international regulatory and financial crime compliance community.

Gain practical insight and skills, broadening the considerations of the role of compliance and what can be achieved by proactive, knowledgeable compliance professionals.

The conference will feature speakers from IBF Singapore, CSFC Singapore, New Development Bank, Citi Private Bank, KPMG, Barclays, our very own MICAs and FICAs and many more.

The line up features our Keynote Speaker Lydia Wee, Deputy CEO, IBF Singapore, who will be asking the question ‘Has the role of Compliance changed beyond recognition?’

There are various streams to choose from depending on your preference of hot topic, including:

• Secondary sanctions - do you recognise your risks? with Dane Shelly, Director, FCC, Sanctions Investigations, ASEAN and South Asia, Financial Crime Compliance

• Does having a great compliance culture guarantee success? with Rachel Waldren, Senior Executive, Murray Waldren Consulting Pty Ltd

• How can data analytics and AI reinvent financial crime compliance? with Richard Carrick, Regional Head of Financial Crime Assurance, Barclays Bank PLC

• and many more!

With limited space for each stream it’s essential that you book early to secure your first choice.

We are looking forward to welcoming our members and the wider regulatory and financial crime compliance community to a day packed full of practical insight.

Find out more: www.int-comp.org/conference-singapore

Join the conversation

James Thomas previews the inaugural ICA Asia Pacific Conference

Following the success of the ICA’s 10th annual conference comes the ICA’s inaugural Asia Pacific Conference. In keeping with the spirit of the ICA’s Big Compliance Conversation initiative, the conference will offer delegates the opportunity to network with ICA Members and the wider compliance community and to discuss the latest risks, challenges and opportunities in the world of regulatory and financial crime compliance.

The programme provides a mixture of practical insight and thought leadership, covering the key issues confronting the compliance community today, and in the future. Thought provoking keynote presentations by industry leaders will offer inspiration and stimulate debate, while break-out sessions will offer practical insight into key challenges, allowing individuals to participate, interact and learn from each other (see Box). This will be a conference “by members, for members” with many of the sessions being delivered by ICA Fellows.

Pre-conference masterclasses in AML and governance, risk and compliance will also take place on 20 November. These are a great opportunity for those who have completed an ICA Diploma to refresh the knowledge gained on their course. They are also suitable for any compliance or AML professional looking to keep up to date with the fast-paced regulatory environment and to network with like-minded individuals.

We’ll look forward to you joining the conversation on 20-21 November 2018, at Marina Bay Sands, Singapore.

Break-out streams

• Secondary sanctions – do you recognise your risks? – Dane Shelly, Director, FCC, Sanctions Investigations, ASEAN and South Asia, Financial Crime Compliance

• How does geopolitics influence your risk agenda? Nick Harrison, FICA, Regional Head of AML Compliance Risk Management, Citi Private Bank

• Why is collaboration the strongest weapon in fighting financial crime? Laura Newton, Manager – Forensics, KPMG

• RegTech for FinTech: How can compliance work more effectively? – Chionh Chye Kit, FICA, Co-Founder and Managing Director, Cynopsis Solutions (Sponsored by Cynopsis)

• Does having a great compliance culture guarantee success? – Rachel Waldren, Senior Executive, Murray Waldren Consulting Pty Ltd

• How can data analytics and AI reinvent financial crime compliance? – Richard Carrick, Regional Head of Financial Crime Assurance, Barclays Bank PLC

• Common Reporting Standards (CRS) – are enhanced levels of transparency helping to prevent wider financial crime? David James, Her Majesty’s Revenue & Customs Fiscal Crime Liaison / ASEAN Lead (Tax Evasion and Money Laundering)

• What will compliance look like in 2040? – Stafford Neil (Sponsored by Deloitte)

• Cryptocompliance: how do you keep ahead of change? – Srinivas Yanamadra, FICA, Chief, Compliance, New Development Bank

• How do you deal with known unknowns? – practicalities of risk management – Speaker TBC

• How do you place compliance at the heart of your business? – Dilani Sooriyaarachichi, FICA, Head of Compliance, Seyland Bank Plc

• Is conduct risk now your greatest risk? – Claire Miller, Senior Manager, Deloitte Singapore. (Sponsored by Deloitte)

Attending the Conference is worth 6 CPD points. For further details, and to reserve your place, go to: https://www.int-comp.org/events/ica-conference-singapore/

Page 13: ISSUE 37 inCOMPLIANCE · To learn more, please contact Doug Juene-mann at (617) ... on Article writing tips and Blogging Best Practice to enhance your skills in this area and learn

inCOMPLIANCE®13

ICA’s inaugural Asia Pacific conference:The BIG Compliance Conversation

is coming to Singapore! 20-21 November 2018, Marina Bay Sands

We’re delighted to be presenting a range of speakers and topics that resonate right across the international regulatory and financial crime compliance community.

Gain practical insight and skills; broadening the considerations of the role of compliance and what you can achieve - broadening the considerations of the role of compliance and what can be achieved by proactive, knowledgeable compliance professionals.

The conference will feature speakers from IBF Singapore, CSFC Singapore, New Development Bank, Citi Private Bank, KPMG, Barclays, our very own MICAs and FICAs and many more.

The line up features our Keynote Speaker Lydia Wee, Deputy CEO, IBF Singapore, who will be asking the question ‘Has the role of Compliance changed beyond recognition?’

There are various streams to choose from depending on your preference of hot topic, including:

• Secondary sanctions – do you recognise your risks? with Dane Shelly, Director, FCC, Sanctions Investigations, ASEAN and South Asia, Financial Crime Compliance

• Does having a great compliance culture guarantee success? with Rachel Waldren, Senior Executive, Murray Waldren Consulting Pty Ltd

• How can data analytics and AI reinvent financial crime compliance? with Richard Carrick, Regional Head of Financial Crime Assurance, Barclays Bank PLC

• and many more!

With limited space for each stream it’s essential that you book early to secure your first choice.

We are looking forward to welcoming our members and the wider regulatory and financial crime compliance community to a day packed full of practical insight.

Find out more: www.int-comp.org/conference-singapore


HOLISTIC COGNITIVE COMPLIANCE

Get Smart

Vivek Padmanabhan outlines the new frontier of Smart Compliance: Holistic Cognitive Compliance


Compliance, as a key risk management function within the financial services industry, has undergone a steep evolutionary curve over the last several decades. Since the 2008 global financial crisis, in particular, there has been an ever-increasing number of regulations, including global regulations with extra-territorial impact. Regulators have come under significant pressure to enhance their oversight of firms, and their demands and expectations of firms are increasingly complex and multi-faceted. Since 2008, the total monetary value of global regulatory fines amounts to approximately $321bn, and we continue to see and hear of more individuals and firms being held to account for their conduct and mis-management of compliance.1

In this environment of exacting compliance and individual accountability, traditional compliance operating models have been challenged. The strategy of throwing more people at compliance problems to patch-fix them, together with ad hoc process re-engineering, cyclical ‘efficiency’ programmes, outsourcing initiatives and basic automation of manual processes, has yielded muted benefits. Compliance, as a function, has reached a mission-critical point and needs to re-think its modus operandi: not work harder, but get smarter.

Smart Compliance has a number of attributes, including:

• the full integration of compliance into the enterprise-wide risk management and governance framework, with end-to-end visibility of key regulatory risks

• a robust policy and procedure framework with regulatory control mapping

• efficient utilisation of the data repository to manage regulatory change and detect crystallised and emerging risks relating to people, products, processes, clients and associated parties.

Compliance technology – the status quo

The key to Smart Compliance lies in the innovative utilisation of technology. But let us initially take stock of the status quo. Compliance has traditionally been quite rudimentary in its use of technology. Most compliance officers use standard software such as Microsoft Word, Excel and PowerPoint for their routine reports and presentations. Microsoft Outlook or Lotus Notes are the main email tools and a large constituent of daily workload. Their use of such software is typically relatively simplistic. It would not be commonplace for compliance officers to be experts in creating macros, logical and financial formulae or pivot tables, or in configuring conditional formats in Microsoft Excel. Tools such as SharePoint and Microsoft Access are also used by compliance officers, but typically with active technology specialist support and primarily to enable multi-party information access.

From a systems perspective, most financial services firms have incorporated systems to conduct anti-money laundering (AML) transaction monitoring, market abuse surveillance, sanctions screening, Know Your Customer (KYC) repositories, regulatory and transaction reporting tools, complaints management tools, and online compliance training modules, to name but a few. More recently, systems have also been developed for conduct metrics, reporting and monitoring, but these are primarily information aggregation tools with limited ability for automated information analysis. Regulatory hot topics, such as conflicts of interest, which have gained increasing attention amongst regulators, are, however, still hosted on complex unwieldy Excel sheets.

The status quo of technology within compliance is therefore not optimal, for a number of reasons. Many systems have limited functionality and are typically siloed, single-purpose systems that are not connected to one another and are impeded by legacy systems. Banks in particular have core banking and payments systems that are archaic and continue to be patch-fixed. A number of systems require significant levels of manual intervention, are fragmented and do not provide a holistic risk perspective to senior management.

Emerging technology functionalities and RegTech

As technology has evolved, there are a number of emerging functionalities that may be considered by the compliance profession. These include2:

• Cloud computing – Cloud, open platforms and networks for sharing of data, format standards and common processes.

• Blockchain – Technology allowing the creation and verification of transactions on a network instantaneously, without a central authority. Used to track and speed up the transaction lifecycle and cut costs while lowering the risk of fraud.

• Application programming interface (API) – Software ‘intermediary’ allowing off-the-shelf technology tools to interact directly with regulatory reporting systems.

• Machine learning – Technology that learns from data and allows automatic reassessment and refinement of processes in reaction to input from users.

• Big Data – Real-time processing tools and techniques of Big Data to create value out of the massive amount of available heterogeneous and textual data.

• Data mining and analytics – Use of machine learning and behavioural analysis that offers the potential of powerful data mining and simulation techniques to enhance decision-making and artificial intelligence.

• Predictive analysis – A solution that looks to identify patterns of activity, such as unusual use of communications, non-routine patterns of leaving the office, non-completion of training, or missing mandatory leave, which may flag potential conduct concerns.

• Smart contracts – Computer programmes to enforce the negotiation or performance of a contract. Smart contracts aim to provide security that is superior to traditional contract law and to reduce other transaction costs associated with contracting through automation.

• Visualisation solutions – New technical solutions for user-friendly data presentation in order to make sense of and speed up the understanding of complex, heterogeneous, and abundant data.

Leveraging these new technology functionalities, there is now a plethora of ‘RegTech’ firms who have created a wide range of technology solutions to serve various compliance purposes. This is no longer a novel trend and, according to a Deloitte survey3, there are now over 200 such firms. The choice of tools and systems available is vast, and individual RegTech firms have identified their own niche of solutions and technology product offerings. They range from regulatory reporting tools, transaction monitoring systems and sanctions screening tools to more complex systems that provide a broader compliance risk management function. Some examples of the latter are shown in Box 1.4

Holistic cognitive compliance

The term ‘cognitive compliance’ was originally coined by Gene Ludwig of Promontory (an IBM Company).5 This is the intelligent digitisation of compliance processes, reporting and monitoring, together with scalable and adaptable solutions and the utilisation of machine learning, artificial intelligence, natural language processing and ‘smart assists’. The effective implementation of cognitive compliance can only be achieved with deep regulatory domain knowledge and expertise, which is required to ensure the technology targets the spirit of a regulation and not just the letter. The adage of ‘data is king’ remains true, where quality and quantity are key, but identifying the hidden insights in both structured and unstructured data requires cognitive technology that can understand, reason and learn.

The challenge for the compliance profession, and RegTech vendors, is that the vast array of individual and siloed technology solutions has created an environment of ‘solutions overload’ and complexity. Some consultancy firms have more recently got into the act of cutting through this maze of complexity by offering consultancy services and thought leadership to the financial services industry. Whilst this is useful, it is vital that an enterprise-wide approach is taken to technology utilisation. If RegTech vendors can bring together disparate solutions to create a holistic cognitive compliance framework that is tailored to a firm’s regulatory risk profile, that would be the authentic implementation of Smart Compliance (i.e. ‘Holistic Cognitive Compliance’). Such a framework would comprise the intelligent digitisation of multiple data points as envisioned in Figure 1.

Box 1: Examples of RegTech product offerings

Firm – Solution

Continuity Control – Automates the compliance management process, offering workflow solutions and regulatory alerts

Darktrace – Enterprise Immune System technology uses AI and machine learning, which detects and responds to previously unidentified threats to data security

RequirementONE – Cloud-based centralised, access-controlled environment for creating and storing compliance controls, policies and procedures

Tillr – Web-app that automates and optimises audits, assessments and inspections to assist with regulatory compliance

Netguardians – Automated compliance management software and real-time human behaviour analysis to detect fraud

Behavox – Compliance reporting and assessment tools, holistic employee monitoring and risk scoring

New frontiers

As technology continues to evolve and get smarter, the prospect of Smart Compliance is achievable. Indeed, IBM Watson is leading the way in this space and is breaking new frontiers in terms of artificial intelligence and its application to the management of compliance risk. It is now an opportune time for other RegTech vendors to innovate in this space and offer competitive solutions to the financial services industry.

Heads of Compliance and Chief Technology Officers need to increasingly have a joined-up strategic vision and be bold and long-term in their decision making to create sustainable change. Cost considerations are a key barrier to the implementation of new technological concepts, and there is a need for strong leadership and a clearer articulation of the value proposition of Smart Compliance. Equally, the technology needs and levels of sophistication will vary from firm to firm depending on size, jurisdictional footprint and product profile, and the needs of a local country compliance officer will be different from those of a global compliance officer. As the financial services industry graduates from traditional business models to innovative FinTech based business models, compliance will need to adapt and evolve. Smart Compliance is a key solution to managing compliance risk within a FinTech environment.

Notwithstanding all the smart technology that a firm may adopt, the role of the compliance officer is here to stay. The compliance officer of the future will, however, need to understand the technology framework and be able to explain it to their Board of Directors and regulators. Earning the confidence of the regulators in the integrity of the technology framework is a critical factor to success. There may even come a day when compliance officers will be able to converse fluently with technology coders and be well versed in C++, HTML5, VBA, Java and Python (artificial intelligence programming languages)!

Vivek Padmanabhan is Head of Compliance – Transaction Banking, Africa & Middle East at Standard Chartered Bank. He is a Fellow Member of the International Compliance Association

Figure 1: A Holistic Cognitive Compliance framework – data points feeding Holistic Cognitive Compliance: Compliance Assurance Reviews, Risk Assessment, Behavioural and Conduct analysis, Business MI, Regulatory Findings, Compliance Alerts, Regulation Auto-Analysis, Information Controls, Audit Findings, Staff Communications

1. Boston Consulting Group
2. Deloitte: Inside Magazine (2017) – RegTech Universe on the Rise
3. ibid.
4. ibid.
5. Regtech in the cognitive era – Insights from Gene Ludwig and Bridget van Karlingen (June 2017)


TECHNOLOGICAL CHANGE


Technological breakthroughs cause displacement. Whether we welcome or fear change, it is an inevitability with which we must eventually become reconciled. The Industrial Revolution drained farmlands of the peasant class; refinement of the internal combustion engine destroyed equine-based transportation, on which humans had relied for millennia; and indoor electricity decimated the gas lamp industry. Today, we are reading reams of handwringing over the advent of artificial intelligence (AI) and its likely effect on our competitiveness in the workforce.

Change begets change. Geopolitically, we are witnessing the end of Pax Americana. The other Western democracies – the ‘West,’ in this case, includes Japan, South Korea and Singapore – are sounding more like orphans who recently lost their remaining parent. Cue the EU Greek chorus: “Who will take care of us, now? WAAAHH!!” Eldest daughter Angela: “We’ll just need to become grown-ups and look out for ourselves.” Second eldest daughter Theresa: “I’m sick of living with you lot. I’m leaving!” And so it goes ...

What is ‘real’?

Several layers beneath this breathless 24-hour news cycle, it is possible to perceive subtler – and, perhaps, more deep-seated – paradigms of change. Beginning, as a point of reference, with the American president who has introduced the expression ‘fake news’ into contemporary social discourse, his favourite expression of derision begs the question: “What is ‘real’ news? What is ‘accurate’ information and – more to our purposes – who makes these determinations?”

At the risk of carbon dating myself, I grew up in an America that had three television channels, each with its own news broadcasts. Although very few thought much about it back then, this amounted to a de facto cartel. The concept of ‘fake news’ couldn’t have surfaced a priori, because all the news was filtered through three television news editorial staffs. (For the record, the printed press was similarly hierarchical and monolithic; I still remember the now-outdated joke told at the expense of The New York Times: “All the news that fits, we print.”)

Leaping forward to today, I am pleasantly surprised that the three original US television channels, together with their respective news gathering functions, have managed to survive the dissolution of the information cartels of yesteryear. (In the UK, the BBC is another worthy survivor from a simpler, more ordered world of journalism; but Britain’s socio-cultural tradition is more receptive to such quasi-official institutions than America’s.)

In the intervening years, we have experienced the destruction of rigid, hierarchical pyramids, not only in the realm of journalism, but across the entire gamut of political, economic and societal institutions. Thirty years ago, if the average European or North American were asked whether they maintained personal websites, the result would have been a blank stare. Today, there are apps that can be downloaded to assist Smartphone-aholics in weaning themselves away from unhealthy dependencies on their Apple or Samsung of choice.

The value of information

If asked to list the top three or four defining events of the past five decades, many would likely cite the most obvious geopolitical and/or scientific achievements: the collapse of Soviet Communism, putting a man on the moon, etc. However, for our purposes, perhaps the most significant development of the passing generation is the quantification of information, otherwise known as information theory.

This is not the forum for a detailed discussion of information theory or the manifold technological benefits that it has yielded; but among the key concepts that this discipline has provided is that information can be reduced to a quantifiable base unit that can be measured and manipulated. A single bit (or ‘binary digit’) of information now has the same tangible elements – conceptually – as a unit of three-dimensional space (e.g. a cubic centimetre) or a unit of currency (e.g. a penny). This seminal intellectual achievement has had – and will continue to have – a more profound significance to human history than “Mr Gorbachev, tear down this wall!” or “One small step for man...”

Go with the flow… Vladimir Berezansky considers the paradigm shift occurring at the nexus of people, money and data, and its implications for regulation

Prior to the advent of the bit, the most readily available and widely used standard of measure in societal interaction was money. For millennia, everything could be and was measured by its perceived monetary value. Indeed, money itself can be measured by money (on foreign currency exchanges). Long before the bit was devised, information had a monetary value – hence, the logic behind such abuses as bribery and trading on insider information.

In a monetised world, the worst possible crisis is devaluation of a common currency – think of Weimar Germany in the 1930s or Russia in the 1990s. Regardless of whether or when a given currency might suffer such a drastic loss in value (such as, most recently, the Venezuelan bolivar or the Turkish lira), such events and their aftermaths were measured within the same intellectual construct within which these dramas occurred – i.e. a sudden drop in the value of a given currency as measured against the relative values of competing currencies.

This self-referencing metric changed suddenly with the introduction of blockchain technology and cryptocurrencies. In a classic example of paradigm change, currency issued by a sovereign (or even a collective sovereign, such as the European Union) went from being the only conceivable option to one of many options. Over time, and during the course of numerous refinements and regulatory controls, cryptocurrencies will eventually decouple fiat currencies from their current place at the top of an extremely hierarchical pyramid of perceived intrinsic value. Indeed, sovereign currencies may eventually come to be perceived as quaint and antiquated holdovers from past centuries, very much like buying gold or silver bars and storing them in a bank vault for safekeeping.

Information: the new currency?

This brings us ineluctably back to information as a metric of human commerce. Now that data have precisely defined units of measure, it is entirely foreseeable that data flows as such could meld with – i.e. become fungible with – currency flows. This would be a far more precise and tangible iteration of the old truism that information is power. Indeed, in these lights, the core relationship between information and currencies could easily reverse polarities. If information is the coin of the realm, and information has a precise, quantifiable value that can be stored for future gain or traded as needed, then what is the purpose or utility of currency?

To cover distances that couldn’t be walked, humans rode on or behind horses – until we didn’t need them anymore. During the course of the Industrial Revolution, nature’s power was harnessed first by steam engines, and then, successively, by engines that burned coal and oil.

Now we have solar cells and, perhaps in the near future, hydrogen power. If currencies collectively become little more than a dim reflection of the true source of energy in the broadest context of human interaction – i.e. information – then will we really need to hang on to the slips of colourful paper and tiny pieces of alloyed metal that currently line our pockets and purses?

Regulatory implications

In painting this picture of our future, I am more than likely misreading or misinterpreting factors that are driving today’s dynamics. But even if only the broadest tendencies that I have identified as being paramount are accurate – i.e. the ascendancy of information and data flows as both the means and ends of human interaction – then what are the ramifications for the regulatory community?

Clearly, we are already seeing a focus of attention away from regulating funds flows and towards regulating information flows. The concepts, metrics, rights and duties contained in the General Data Protection Regulation are seminal and will likely become a template for future, similar initiatives in many other jurisdictions. Future, as yet unforeseen, technological developments will require an adequately informed regulatory response in order to balance the interests and concerns of all stakeholders.

Mark Zuckerberg’s recent appearances before American Congressional and EU Parliamentary committees in quick succession were equally enlightening. In both instances, it appeared as though the august legislators were only beginning to get their heads around the concept of regulating platforms such as Facebook (i.e. open fora for private and public exchanges of information that would require careful and adequate – but not overly invasive – monitoring and control). A social media network is not the same thing as a securities exchange, and new approaches, methods and tools will need to be devised and deployed – together with the inevitable lag time for trial and error.

These trends and processes are still in their formative stages, but it is necessary to cast our gaze ahead of our current position in this arc of intellectual discovery and technological development in order to ensure maximally beneficial outcomes for society as a whole. Our goal must be to ride this wave of technological transformation and not to sink in its wake.

Vladimir Berezansky was one of the first foreign professionals to bring Western (US, UK, EU) regulatory compliance leadership to the Russian/CIS/CEE financial services market


RISK MANAGEMENT

Bribery and corruption, data breaches, fraud, IP infringement, employee malfeasance, regulatory breaches… Chief Compliance Officers (CCOs) and General Counsel (GCs) are often asked what keeps them awake at night, but in today’s ever-changing business environment, perhaps the question they should be asking themselves is ‘what isn’t keeping me awake at night?’

The role of the CCO has always been critical in managing enterprise risks. But CCOs today are dealing with ever broader, more complex risks as business becomes more globalised, digitalised and, of course, regulated. No matter the size of a corporate compliance department, it’s easy to get caught up in day-to-day firefighting. As such, it’s essential that the relevant functions within your organisation proactively prevent and detect risks as they emerge in order to formulate an appropriate response.

How confident are you of your organisation’s ability to anticipate and assess its evolving risk profile as it expands into new service lines, jurisdictions, or customer and third party relationships? Consider the following scenario: You finalise an acquisition of an owner-managed business in Eastern Europe. Fast forward three years and its finance systems are still completely independent of your organisation, with its financial reports coming through on Excel spreadsheets. Would this situation even be on your radar? More so, would you or anyone at headquarters realise if several of its suppliers were connected to local management and that it had recently entered into major government contracts thanks to the help of a local business introducer?

It’s easy to dismiss such scenarios and assume that such red flags would be picked up. But the fact is, we are called in to investigate these kinds of situations every day by organisations of all sizes and maturity.

So, what are smart organisations doing to protect themselves?

Anticipating

Enterprise Wide Risk Assessment (EWRA) is becoming something of an overused phrase of late, and all too often its practical application takes a ‘one and done’ turn. Documents are not maintained or updated, and consequently only provide a moment-in-time snapshot of a business’ risks. Frequently, the GC’s role in the process is also limited. However, when done properly, the EWRA is an invaluable tool to the business.

Because businesses evolve every day, there should be a process for regular review and updates with input from the CCO and GC. Equipped with timely, on-the-ground knowledge of how the business truly operates across functions, service lines, and jurisdictions, the business will be better able to identify potential risks that may not be obvious to local staff.

Get ahead

Zoë Newman outlines the challenges of – and approaches to – anticipating, detecting, and responding to global risks


Get more on the CPD Portal

• Compliance Risk Management and Monitoring Framework: https://www.int-comp.org/cpd/crmmonitoring

• The Future Financial Crime Professional: More Than a Risk Manager? https://www.int-comp.org/cpd/futurefcp

• The Role of Transaction Monitoring in Enterprise-wide AML Risk Management: https://www.int-comp.org/cpd/transacmonitoringrole

Not a member? For access to the ICA CPD Portal, among other benefits, become a member today: www.int-comp.org/membership/why-become-a-member


Once risks are anticipated, appropriate preventative measures can be put in place that are tailored to each risk. A one-size-fits-all approach to controls is destined for failure. What is necessary and appropriate at a shiny corporate headquarters location might be completely ineffective for a small subsidiary in a high-risk jurisdiction. When controls are implemented according to a well-thought-out and regularly updated EWRA, you can at least be reassured that the framework addresses specific risk, be it from a regulatory, intellectual property, or some other perspective.

Detecting

There’s no doubt that the empowerment of the compliance function has helped mitigate risk to an organisation, but as compliance becomes smarter, so do wrongdoers. Increasingly, fraudsters are aware of what comprises a ‘red flag’, be it a transaction, third party, or commercial relationship. More than ever, it is critical that an organisation uses the wealth of information available internally to detect and respond to potential risks.

What data is relevant will depend on your organisation. However, the continuous and evolving detection of fraud risks is an integral part of any robust fraud risk management strategy.

Best practices include: analysing data, conducting site visits and third party audits, and reviewing books and records for red flags of fraudulent activity.

Regulators continue to stress that the level of monitoring and detection activity needs to be proportionate and customised to the specific business and the specific risk areas identified. With some careful and diligent consideration, an effective monitoring programme can be implemented in a targeted way without incurring massive cost and can play an important role in highlighting potential risks.

Another valuable source of help to the CCO and GC is the internal audit function, particularly in performing a detection role. These colleagues often have the most practical understanding of the nuances of different areas of a business and what constitutes a red flag. As such, formal measures should be taken to ensure the insights and findings gained from implementing their audit plan are communicated to the compliance and legal functions and incorporated into the EWRA itself.

Responding

No matter how proactive a company is in its risk management, it is impossible to anticipate and detect all potential risks. There will inevitably remain issues of varying magnitude that land on the desk of the GC that were either overlooked or could not have been anticipated. Whilst a plethora of advice is available on how to manage such investigations, the fact of the matter is that each one is different. Companies can certainly apply some best practices, but as with the risk management process, each investigation has to be tailored to the issue in hand.

Ultimately, in the relief of reaching the conclusion of an internal investigation, many neglect asking themselves a key question: “How did this happen and what lessons can we learn to prevent it happening again?” The answer should be used to update the relevant control framework way before the investigation is concluded and, likewise, be fed into the EWRA, which should be a well-thumbed document on your desk as opposed to sitting dusty on a shelf.

Zoë Newman is a Managing Director in Kroll’s Investigations and Disputes practice and co-heads the Financial Investigations team across the EMEA region. She has extensive experience in leading complex, cross-border forensic investigations into matters of fraud, corruption, and potential regulatory breaches, including those relating to the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. She also advises clients on how to best implement controls to mitigate these risks

As compliance becomes smarter, so do wrongdoers. Increasingly, fraudsters are aware of what comprises a ‘red flag’, be it a transaction, third party, or commercial relationship

No matter the size of a corporate compliance department, it’s easy to get caught up in day-to-day firefighting. As such, it’s essential that the relevant functions within your organisation proactively prevent and detect risks as they emerge in order to formulate an appropriate response


Through a Wider Lens

Emily Arries considers the practice and implications of de-risking

DE-RISKING

Recent years have witnessed a change in risk appetite for certain market segments, driven by rising compliance costs, regulatory pressure and, alongside this, a drift towards risk-averse decision making. De-risking practices have been part of this movement. The Financial Action Task Force (FATF) defines de-risking as “situations where financial institutions terminate or restrict business relationships with categories of customer”[1], and in practice it often leads to whole products or client groups being exited by banks. At first sight such practices appear to reduce financial crime risk. The implications of de-risking, however, should be seen through a wider lens.

If certain segments or demographics are exited from the financial system through de-risking, this may ultimately undermine the very objective of financial regulation. It will also have a negative economic impact, pushing activity into the unregulated sector, where screening of payments is not possible.

So which segments of the world’s economy have been most affected by today’s de-risking phenomenon, and why are financial institutions becoming progressively more reluctant to mitigate risks rather than simply avoid them? The impact can be seen predominantly in four main areas, outlined below.

Emerging nations

Correspondent banking plays a vital role in global economic growth, especially for developing nations. It is also key to global trade, allowing funds to reach individuals and corporations in all corners of the world through smaller local banking networks. The inherent financial crime risk is greater in correspondent banking than in other products because responsibility and risk are partially transferred to respondent banks. Vulnerability may also stem from the jurisdictions in which correspondent networks operate, since they often extend banking services to countries with less stringent AML/CTF controls or to markets prone to corruption and bribery.

These risks for correspondent banking providers, together with additional pressures such as the cost of regulatory compliance, have resulted in global banks de-risking: financial institutions are withdrawing correspondent relationships in order to protect themselves. This growing trend is a concern for emerging nations and has been highlighted by the World Bank’s ‘Financial Inclusion Not Exclusion’ campaign, which promotes extending bank access to the estimated two billion adults globally who do not use formal financial services.[2]

Humanitarian aid

Global conflicts and natural disasters have displaced millions of vulnerable people across the world who rely on humanitarian aid for survival, largely delivered through Non-Profit Organisations (NPOs) and Disaster Relief Operations (DROs). Often the jurisdictions in which aid is most needed are also at heightened risk of financial crime (such as terrorist financing within conflict zones). Banks’ de-risking practices have restricted the flow of funds into these areas, creating obstacles to the financing of lifesaving aid.

Large international humanitarian organisations typically benefit from exceptions allowing them to transact with conflict zones, with extensive compliance checks in place. Often overlooked, however, is the impact of financial restrictions on smaller NPOs and businesses, which require funds to enable economic rehabilitation through trade and to help families grow their household income.

In 2018, the Overseas Development Institute (ODI) reported that restrictions within the formal banking system have led to the growth of unregulated money transfer routes, including through brokers who are thriving on the war in countries such as Yemen.[3] Such voids in access to the financial system will always be filled, often by criminals who go on to fuel further crime and corruption. For the 25.9m refugees and asylum seekers globally[4], it is vital that these essential lifelines of finance are not severed by de-risking whole segments of the charitable and aid sectors.

Migrant reach

Global remittances are on a rising trend, particularly in low and middle-income countries, and grew by 7% to $613bn in 2017.[5] This can partly be attributed to the number of international migrants worldwide, a figure that continues to rise rapidly. According to the United Nations there were an estimated 258 million migrants globally in 2017[3], whose income remitted back home is critical to the livelihoods of their families. Developing nations rely on these remittance inflows: for some countries they account for as much as 35% (Kyrgyzstan) or 33% (Tonga) of GDP.[6]

Money service businesses (MSBs) play an essential role in delivering these remittances. To distribute funds to beneficiaries, MSBs rely on extensive correspondent banking networks to exchange currencies and to reach smaller local banks. Given the way MSBs operate, a single transaction chain often involves several parties. This obscures the underlying identities and makes the true source of funds hard to establish, leaving the sector more susceptible to money laundering and terrorist financing.

These financial crime risks partly account for the declining appetite of conventional banks to maintain existing MSB relationships or to initiate new ones. De-risking this sector ultimately risks pushing MSB activity further into the unregulated economy, through cash transactions or alternative remittance systems such as Hawala. Demand for MSBs is expected to keep rising as populations become increasingly mobile, so a cultural shift is needed in financial institutions from de-risking to risk mitigation, and a drive towards transparency of payments.

Technological change

New products, new money laundering methods, new financial crime risks to mitigate. This year’s compliance hot topics have centred on technological progress in areas such as FinTech, digital currencies, challenger banks and electronic remittances. Recently, a shift appears to be under way in traditional banks towards welcoming partnerships with tech firms. However, banks still de-risk certain FinTech segments considered high-risk, such as cryptocurrencies and electronic remittance platforms. These advances in financial technology often present higher money laundering risks, as they provide a degree of anonymity, and some firms exploit gaps in regulation to operate ‘under the radar’ of compliance monitoring.

Such de-risking practices can stifle innovation and progress within the FinTech space, creating friction for new competitors trying to enter an industry sector that now contributes £6.6bn annually to the UK economy and employs over 60,000 people.[7] Regulators and governing bodies are struggling to keep pace with technological development. Some progress has been made, such as the creation of a new task force[7] on crypto assets, bringing together the Treasury, the Bank of England and the Financial Conduct Authority (FCA). However, regulators and standard-setting bodies need to stay abreast of new financial products and solutions in a sector in which technology is becoming king.

Solutions

The perils of de-risking, and its effects on both the integrity of financial markets and the financial inclusion of vulnerable people worldwide, are often overlooked. Regulations that aim to protect and supervise the industry can inadvertently make financial institutions more risk averse, so that they step away from certain segments or client types.

There are ways to slow and mitigate de-risking and to drive down the cost of compliance for certain market segments. Technology should be a prime solution for financial institutions to lower costs, by improving transaction monitoring and enabling more effective due diligence on client segments considered ‘high-risk’. To maintain correspondent relationships in high-risk jurisdictions with less stringent AML/CTF controls, banks should build strong relationships with respondents and satisfy themselves that client banks have sufficient financial crime knowledge; this gives more comfort in keeping those relationships open. Financial institutions should also show compassion towards jurisdictions in conflict areas and, within regulatory guidelines, consider payment exceptions for certain humanitarian aid organisations to help those in desperate need of financial reach.

The information and views set out in this article are solely those of the author.

Emily Arries (CAMS, AICA), FCC, is Associate Director at an FCA-regulated bank and an Associate of the International Compliance Association.

1. FATF, Guidance on Correspondent Banking Services (2016): http://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-Correspondent-Banking-Services.pdf
2. World Bank, ‘Financial Inclusion Not Exclusion: Managing De-risking’ (7 October 2016): http://www.worldbank.org/en/events/2016/10/07/financial-inclusion-not-exclusion-managing-derisking
3. Overseas Development Institute (ODI), resource document 12047: https://www.odi.org/sites/odi.org.uk/files/resource-documents/12047.pdf
4. UN DESA, International Migration Report 2017: Highlights: http://www.un.org/en/development/desa/population/migration/publications/migrationreport/docs/MigrationReport2017_Highlights.pdf
5. World Bank press release, 23 April 2018, ‘Record High Remittances to Low- and Middle-Income Countries in 2017’: http://www.worldbank.org/en/news/press-release/2018/04/23/record-high-remittances-to-low-and-middle-income-countries-in-2017
6. N. McCarthy, ‘The Countries Most Reliant on Remittances’, Forbes, 26 April 2018: https://www.forbes.com/sites/niallmccarthy/2018/04/26/the-countries-most-reliant-on-remittances-infographic/#3978017277b7
7. Business Insider UK, report on the UK Treasury cryptocurrency task force (March 2018): http://uk.businessinsider.com/uk-chancellor-treasury-cryptocurrency-task-force-2018-3


Get more on the CPD Portal

• Correspondent Banking – Making Relationships Work: https://www.int-comp.org/cpd/correspondentbanking

• De-risking – A Look at the Global Concerns and Impact: https://www.int-comp.org/cpd/deriskingconcerns

• Financial Inclusion – A Basic Means of Survival for Fragile States: https://www.int-comp.org/cpd/financialinclusion

Not a member? For access to the ICA CPD Portal, among other benefits, become a member today: www.int-comp.org/membership/why-become-a-member

COMPLIANCE RECRUITMENT

In with the new

David Jackman offers advice for those planning to recruit compliance staff, amidst the emergence of a ‘new compliance’

Probably the subject of most interest to readers is how to recruit good compliance staff and, naturally, from time to time, how to secure the ideal compliance role! Obviously, there are two sides to this quest: the employing firm and the candidate. This article considers recruitment from the employer's perspective and outlines some of the steps that employers should go through to find a suitable candidate, in what can be a lengthy and costly process. Along the way we might also consider why the hiring process can be relatively complicated, and perhaps increasingly fraught, for compliance roles. It is also important to recognise that the criteria for a successful compliance hire, at all levels, may (indeed probably should) change and evolve as compliance itself changes and what I describe as a ‘new compliance’ emerges.

Establishing the business case

Firstly, the firm needs to establish the business case for making a new compliance hire in the first place. This can be the most difficult hurdle to overcome for anyone advocating new or additional compliance resource.

You would imagine by now that all firms are familiar and comfortable with the idea of having at least one or a number of specialist risk and compliance staff. However, in my experience, firms still try to find ways of avoiding hiring a compliance professional, and many would prefer to add compliance as an adjunct to another role. Compliance is often seen as a cost rather than a value add, and this is a problem partly of the profession’s own making. In an effort to emphasise a set of specialist skills, compliance departments can become detached, insular, poor communicators and infamously ‘tick-box’ orientated. This is ‘old compliance’, the so-called ‘business prevention’ department.

To overcome this hurdle, the first step is to present compliance in a way that is integrated in the business at a strategic level, suggesting new opportunities, helping to design products, focusing on upside as much as risk, open, part of quality enhancement, mentoring, educating and inclusive. I’m not sure that the first, second and third line of defence model helps us much here, as compliance as a whole is all of these three, getting its hands dirty at the business/technical ‘sharp end’, as well as providing vision and leadership. It is important to emphasise that, in most jurisdictions, the Board is responsible for ensuring the level of compliance resource is sufficient and effective. This responsibility will be even clearer under the UK's Senior Management & Certification Regime (SM&CR) as it sets out lines of accountability. The message even now to the Board needs to be: ‘new compliance’ makes money as well as safeguarding reputation and brand position.

Selecting the right level

The second step is choosing the right level. We can envision three general levels:

• Director/Head of Compliance

• Compliance Manager

• Compliance Analyst/Administrator

The size and resources of the firm, the complexity and riskiness of its business, its regulatory history and position, and its ambition will all have an impact on the number of staff that are really necessary and the respective levels required to ensure that compliance can connect with the rest of the business. In general terms, the compliance manager is the hub, because in a small business they may be asked to operate at all three levels. They may need to:

• Liaise with the Board and senior management team

• Report to the regulator and perform a controlled function (or senior manager function), horizon scan, and interpret relevant regulation and legislation

• Establish, monitor and improve levels of compliance across the organisation

• Ensure the necessary records are kept correctly.

The key to success is to shoot high. For too long compliance has been content with, or has simply accepted, a more subservient or operational level. What we need as a profession and as an industry is compliance engagement at the more senior level. If this means bidding up for resource, then do it, so long as the potential candidates are aware that they cannot afford to be ‘precious’ and will have to get involved in everyday business discussions as much as in filling in forms.

This is particularly important when establishing or expanding a compliance department. Having compliance as a member of the senior management team, or even on the Board, is essential if new compliance is to work properly.

Gaps can be filled in around such an appointment. I have found that Board representation can be boosted by a Non-Executive Director with specialist compliance experience, while at the other ‘end’ of the scale some compliance jobs or tasks can be merged into the line and, if necessary, compliance consultants can provide technical input on a part-time basis.

The ISO audit standard for compliance, ISO 16, provides a useful framework for justifying a compliance structure that is integrated with other governance functions. The more input you can obtain from surrounding functions, the more buy-in the eventual new recruit will have and the more effective they will then be able to be.

Writing the job description

As the amount of resource agreed for compliance expands, roles can separate out and a certain division of labour becomes possible. This becomes clear when writing the job description, where the exact matrix of responsibilities needs to be set out (i.e. horizontal and vertical, dotted and solid reporting lines). This is the place to document the skills needed in an imaginative and expansive way, possibly using the compliance National Occupational Standards (NOS), as ICA does when assessing its examinations. This should be communicated to the candidate.

Compliance and/or risk

Very often compliance and risk roles are combined in practice. This is perfectly normal, but the balance between the two needs to be carefully thought through and reflected in the ordering of the title: 'compliance' first or 'risk' first?

This can become a philosophical discussion, but ‘risk’ is a very broad theme across the business and seems to carry the greater technical and professional respectability. The danger of allowing risk to predominate is that it can undermine the very core of compliance: its technical knowledge, strategic understanding, integrity and independence. Without an independent position and perspective, compliance really has no professional identity.

Recruitment method

There are two main models of recruitment according to an experienced recruiter and former regulatory colleague, Jerry Goldsmith: the contingent database recruitment agency, or the retained search and selection recruitment consultant.

The former manages a live database of candidates, is faster and is ideal for more junior roles but, as Jerry Goldsmith points out: “If there are no quality candidates registered on the database, a search and selection recruitment consultant can dedicate their time to help find a suitable candidate, approaching them confidentially, recommending a shortlist and managing the process from start to offer stage”.

This method is better suited to more senior posts and should offer a greater alignment with the firm’s requirements and ethics. As search and selection compliance specialists, Colyer Dodd believe they can spot “the critical nuances which will create a cultural fit … that even the firm might not be aware of.”

Stephen Colyer has learnt over 20 years that the key is “the business needs to have clear goals” and these are often hard to pin down. The existing compliance professionals or non-executives must be steadfast in keeping these goals front of mind throughout the whole process.

In the next edition we will consider recruitment from the other perspective – through the eyes of candidates.

David Jackman is Strategic Adviser to ICA, Chair of three regulated financial services firms, and was previously head of FSA Training and Competence and Business Ethics. He is the author of The Compliance Revolution (2015) and Corporate Maturity and the Authentic Company (2018)

THE COMPLIANCE PROFESSION

People, outcomes, principles

Paul Asare-Archer highlights the importance of people, outcomes and principles in compliance

Compliance as a profession continues to evolve, aided and abetted by the superb International Compliance Association, which continues to set the standard in compliance as the leading global provider of professional, certificated qualifications.

Whilst the experience of compliance and compliance officers varies considerably depending on the regulator, industry and business culture within which one operates, the most successful compliance programmes have now established consistent themes. Compliance programmes that are fully embedded within an organisation and recognised as an integral part of the business have focused on the following three areas:

• People – What is the impact of the compliance programme on your employees? Is the end goal (for example) to ensure that eLearning statistics are high enough to satisfy internal metrics? Or is the training designed to genuinely ensure better adherence to, and awareness of, compliance?

• Outcomes – Are good customer outcomes an integral part of the compliance programme? Is the customer journey designed solely to encourage sales, or to ensure that the customer receives the product that they need and want?

• Principles – Business principles must underpin all compliance programmes. A compliance culture is nothing without a genuine cultural and business-wide commitment to do the right thing and to act consistently in an ethical way. Have clear principles been established?

In this way compliance has moved from being a separate science to an integral part of the organisational strategy of a business.

Organisation structure

This increased prioritisation of compliance as an integral part of operational strategy has also prompted many businesses to review where compliance sits within the organisation. This process has been complicated further of late as compliance and ethics have become increasingly synonymous.

In the past, businesses have wrestled with the issue of whether compliance should be part of Legal, the CEO’s office, Audit, Ethics or a stand-alone Compliance team. Either way, what is consistent is that compliance is now placed within a senior part of an organisation, making compliance as attractive as it has ever been to new entrants seeking a dynamic and exciting career path.

Are CBTs dead?

Rather than the discussion of compliance being solely focused on Computer Based Training (CBTs) and policies, it is now just as likely to be part of a conversation about business ethics, sustainability and culture. This is demonstrated by the many talks and presentations I have been asked to contribute to and/or lead this year, which have included:

• A panel discussion in Paris at the OECD about gender in compliance

• A panel discussion at Fieldfisher in London about ethnic equality in compliance

• A presentation to the pharmaceutical community about culture

• A panel discussion hosted by Convercent about ethics.

The breadth of these conversations demonstrates clearly how all-encompassing compliance has become and continues to be. Whilst the detail in these sessions has differed, the core has been consistent. Audiences are interested to understand compliance from the perspective of people, outcomes and principles.

As a Director of Compliance at a leading company, the continued line of questions that I receive invariably relates to the art of cultural transformation and the desire for the compliance leader to be an enabler in that transformation. In discussions with senior thought leaders across respected organisations, such as Transparency International and the Institute of Business Ethics, I have not once been asked about last year’s CBT rates or the latest policy I have drafted. Rather, the discussion has always centred on the ingredients needed for an effective compliance programme and the importance of softer skills, such as strong leadership and an effective communication strategy, which will help to inspire and lead a business.


Evolution not revolution

This change in focus in compliance over the past 20 years or so has been an evolution rather than a revolution, but it has been fascinating to watch it unfold nonetheless. This evolution has shown that compliance is now an embedded part of the framework of an organisational strategy.

My own career trajectory has reflected this emergence. Over the past 18 years I have worked in three industries across six companies. I have sat in a number of different reporting lines as businesses have considered and reflected on the optimum position for compliance.

The Financial Conduct Authority has long since encouraged the prominence of the compliance professional, through the Approved Persons and more recently the Senior Managers Regime. However, increasingly, even those companies where a Compliance Officer is not mandated have identified the benefit of compliance and given it greater prominence.

The vast majority of FTSE 100 companies share a common thread: they have a prominent ‘speak up’ programme and a visible commitment to compliance, with a compliance professional being a key part of their senior leadership. Whilst some of these requirements are admittedly mandated and prescribed, not all are.

It appears that companies are seeing the benefit of winning sustainable business, having a diverse workforce and an ethical core. Whilst scandals such as Enron have long since faded in the memory, recent fallouts such as Rolls Royce, Libor and Volkswagen remain fresh in the mind and highlight the importance, for the long-term growth of businesses, of keeping compliance and ethics at their heart.

This is where compliance and the focus on people, outcomes and principles is vital. CBTs are important, as are policies. However, culture and people are the real key ingredients. In 18 years’ experience I’ve never known something to go materially wrong within a business because of failure of an individual to complete a CBT or to read a policy.

The challenge for businesses is perennially how the business acts when compliance is not in the room. Do people have the autonomy, knowledge and empowerment to make the right decisions when left to their own devices? Do they refer to policy or, better still, are they able to draw the right conclusions based on the ethics and principles of an organisation?

The team I currently have the honour to lead is by far the best I have worked with. I have leaders, advocates, technocrats and a passionate group who have a genuine commitment to helping and supporting the business. They also have the confidence to challenge where necessary.

This comes with time, and no compliance team or culture is immune from making mistakes. The challenge is, however, whether the mistakes can be minimised by creating an ethical environment.

Building culture

There is quite a big difference between a compliant organisation and one with a compliance culture. The easiest way to have a compliant organisation is to not sell any products at all! This may achieve the first aim of being compliant, but it is clearly unrealistic. A compliance culture, however, is an appreciation that a company is there to offer products and services to its customers, combined with a realisation that this must be done in a certain way. Companies that recognise this, and are able to build such a culture, have strong, effective and entrepreneurial compliance leadership which sees compliance as a value add rather than a hindrance.

In building this culture it is important to understand your business’ perception of compliance. Is it seen as a safety vehicle in front of 18 turbo-charged Formula One cars, holding them all up? Or is it regarded as the seatbelt, allowing innovation and speed but with proportionate controls?

For me, compliance is the seatbelt and, increasingly, compliance professionals are innovators who are part of the overall race strategy.

The future

So, what next? Over time I predict that a Compliance Director will be represented on the Board of almost every single FTSE 100 company. I also predict that the term ‘compliance’ will evolve. In the same way that ‘speak up’ has usurped ‘whistleblowing’, I sense that the term ‘compliance’ will increasingly be replaced by the term ‘business ethics’, with a broad mandate covering sustainability, ethics and training, in addition to the traditional compliance commitments prescribed by regulation.

This evolution continues at a frantic pace, as compliance becomes an increasingly attractive profession with an ever-improving calibre of new entrants. Whilst businesses develop at different paces – and understandably so – the profession continues to grow to such an extent that it is unrecognisable from the profession it was 20 years ago. Here’s to the next 20.

Paul is Director of Compliance at Telefónica UK Limited (O2). All views expressed are his own and not those of his employer


Page 30: ISSUE 37 inCOMPLIANCE · To learn more, please contact Doug Juene-mann at (617) ... on Article writing tips and Blogging Best Practice to enhance your skills in this area and learn

inCOMPLIANCE®

30inCOMPLIANCE®

31inCOMPLIANCE®

31

It’s time to continue with your learning journey. Have you considered the next steps for you or your team? Upskilling is vital to the advancement of your career; learning and growing enables you to see the bigger picture, enabling big ideas that can lead to big changes at your firm. Be one step ahead and take the next step in your career.

• Benefit from career progression in a competitive market by gaining another internationally recognised qualification

• Develop your specialist knowledge and leadership skills

• Discover the latest industry insight and learn more about international best practice

Big thinking. Big ideas. Big changes.

Enrolment is now open for the Autumn intake of qualifications. Face to face workshops are available in London, the Channel Islands, Dublin, Madrid, Cyprus, Dubai, Bahrain, Oman, Moscow, Singapore, Hong Kong, Australia, New Zealand, Mauritius and Cambodia. Or study online www.int-comp.org/qualifications-homepage

Find out more about how ICA qualifications can add value to your career at one of our free global briefing sessions.

Why attend?

• Find out which subject matter and level is right for you

• Learn more about the course format and your study options

• Ask questions to our subject matter experts

• On hand career advice

• Discover the many benefits of ICA membership

• Learn why regulators and employers the world over consider ICA qualifications as the pinnacle of high standards and best practice

Your future, today. Knowledge. Recognition. Community. Study for an ICA qualification: www.int-comp.org/qualifications/attend-a-free-briefing-session/



DATA PROTECTION

Data breaches in the ‘Golden Age’

In an environment of increasing cybercriminal activity, the new civil claims that data subjects can bring for data breaches under GDPR create significant exposure for financial services companies. Ann Henry considers how to hedge this risk

“Powered by shifting demographics and new technology, the post-global financial crisis stall has been replaced by a new golden age in global financial interconnectedness”.1

Few of us believed in the midst of the banking crisis in 2008 that the World Economic Forum (WEF) would be publishing a White Paper ten years later predicting a 'golden age' in financial services. The good times are back. Yes, there are many significant challenges, such as long-term low interest rates, the risks inherent in decentralised financial systems, and the upheaval of the political system as power shifts to non-state actors. However, the convergence of payments disintermediation, data aggregation and digitisation – all of which will be optimised through the use of artificial intelligence (AI) – brings a certainty to the trajectory of significant revenue growth opportunities for technologically-savvy banking and insurance providers.

Cybercrime

It is a truism that where there is money there is crime. For the first time, “cyber attacks” in addition to “data fraud or theft” have been identified as among the top five risks to world economic growth in terms of “likelihood” in the WEF Global Risks Report 2018.2 Any senior executive engaged in horizon scanning will be concerned about the number of reliable third parties raising the red flag around the threat of cyberattacks to critical infrastructure and strategic industrial sectors, aimed at causing a material disruption to economic activity.3

For a risk professional, this translates into the need to ensure that the c-suite carves out time in the diary to practise the incident response plan. For a commercial litigator, it translates into ensuring that you have an operational disaster recovery plan and an IT backup plan to help restore access to your critical data and, importantly, access to personal data in a timely manner. That is a key requirement under the General Data Protection Regulation (GDPR): Article 32(1)(c) requires “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”. Yet the insurers tell us that, in their experience, back-ups (or rather the lack of them) are too often the issue that paralyses the business. A backup that has never been restore-tested, or that sits online where the same ransomware can encrypt it, will not restore anything when it is needed.

It is important that someone in the c-suite takes responsibility for ensuring that, on a day-to-day basis, access to critical data/personal data can be restored.

According to a recent report by PwC in Ireland, “cybercrime has taken over from asset misappropriation as the most prevalent economic crime. In fact, the incidence of cyber crime (61%) in Ireland is double that experienced by global companies (31%).”4 Whilst financial institutions are turning to robotic process automation to seek to detect emerging cyber crime threats, cyber criminals are likewise turning to early stage AI technology tools to perpetrate their crimes. As noted, "[t]he cost of the computing power needed for many AI applications has previously been a barrier to all but the most sophisticated, well funded criminal players, but that is coming down rapidly … We are beginning to see both offence and defence using automation, machine learning and artificial intelligence to counter each other's moves."5

Data breaches

Data breaches are one of the most common forms of cybercrime. There can be some confusion about what does and does not constitute a data breach. Breaches can be categorised according to the following three well-known information security principles.6 It should also be noted that, depending on the circumstances, a breach can concern any combination of these (ransomware that exfiltrates data before encrypting it is a confidentiality breach as well as an availability breach):

• Confidentiality breach – Where there is an unauthorised or accidental disclosure of, or access to, personal data. An example of this would be where information on the pay and benefits of staff is accidentally disclosed externally.

• Availability breach – Where there is an accidental or unauthorised loss of access to, or destruction of, personal data. Ransomware is an example of such a breach. Another example would be the destruction of the incorrect data set as part of a deletion/destruction process on foot of a data retention policy.

• Integrity breach – Where there is an unauthorised or accidental alteration of personal data. An example of this would be where an automated process applies changes to the records of the wrong set of data subjects.

Typical examples of data breaches cited by the Irish Data Protection Commissioner in her recent annual report include:7

• inappropriate handling or disclosure of personal data (e.g. improper disposal, third party access to personal data – either manually or online – and unauthorised access by an employee);

• loss of personal data held on smart devices, laptops, computers, USB keys and paper files; and

• network security compromise/website security breaches (e.g. ransomware, hacking, website scraping).

Fines

Data breaches do, and will, happen, as more and more of our daily activities become digitised. This reality is reflected in the GDPR, which provides for two tranches of regulatory fines. A failure of the security and breach notification obligations (Articles 32 to 34) attracts the lower tranche, of up to €10m or 2% of worldwide annual turnover, whichever is higher (Article 83(4)); where a breach also evidences an infringement of the basic processing principles in Article 5, the higher tranche of up to €20m or 4% is available (Article 83(5)). Whilst much has been written about the significant levels of regulatory fines that GDPR introduced for infringements, less has been mentioned of the new private rights of action that GDPR created.

Compensation claims in the courts

Under Article 82 of GDPR “any person” who suffers material or non-material damage (i.e. distress) as a result of an infringement (such as a data breach) has the right to compensation. It is important to note that non-material damage, and so distress, is compensable in its own right (i.e. pecuniary loss does not need to be shown by a claimant). Keeping data safe and secure is one of the core principles of GDPR (Article 5(1)(f) – Principles). All companies are required to have adequate security in place to make sure that happens (Article 32 – Security of processing) and to have considered data security when they initially collected the personal data, and during its processing (Article 25 – Data protection by design and by default).

Importantly, the right to compensation does not appear to be limited to the data subject and so could potentially include a spouse or children. Likewise, it appears to cover a legal or natural person and so could potentially include a compensation claim by a business partner or company. It remains to be seen how widely “any person” will be interpreted by the Courts, but commercial litigators are already considering its potential from a litigation strategy perspective for clients. It is foreseeable that the damage that might flow from a data breach could affect more than the data subject concerned. The GDPR specifically makes reference (Recital 85) to a number of examples of damage that might flow from a data breach, such as discrimination, identity theft or fraud, damage to reputation, or loss of control over personal data. Financial services and insurance companies hold a lot of personal data, so data security is an ongoing priority for them.

Box 1: Practical advice around data breaches

“The DPC … saw an increase in the use of social engineering and phishing attacks to gain access to enterprise infrastructure. While many organisations initially put in place effective ICT security measures, we identified that organisations were not taking proactive steps to review these measures or to train staff to ensure they were aware of evolving threats. In these instances, we recommended that organisations implement periodic reviews of their ICT security measures and effect a comprehensive training plan for employees supported by refresher training and awareness programmes to mitigate the risks posed by an evolving threat landscape.

“During 2017, we investigated a number of data breaches involving ransomware attacks. In many instances, we identified a lack of awareness on the part of data controllers that ransomware attacks constitute a breach of the Data Protection legislation. In such attacks, personal data was subject to unauthorised processing and as a result, individuals could potentially be denied the exercise of their rights under the legislation.

“We established that where organisations had been attacked by ransomware, the following poor governance and practices were identified:

1. a lack of staff training and awareness regarding threats posed by ransomware;

2. poorly configured email and web filtering environments or security appliances;

3. not ensuring that all computing devices, including servers, were regularly updated with manufacturers’ software and security patches;

4. poor password policies and a lack of multifactor authentication for remote access;

5. poor access controls, specifically the use of shared accounts (roles), and elevated or super user accounts (administrator accounts) on devices without a business need; and

6. failure to update antivirus and anti-malware software with the latest definitions.”

Source: Irish Data Protection Commissioner, Annual Report 2017

Going forward, data breaches are likely to result in proceedings in the civil courts by individuals affected. The proceedings may well involve discovery and so a company's 'fitness for purpose' when it comes to GDPR compliance may well come into the public domain, thus potentially triggering a regulatory investigation if it falls short of the legal standard. In Ireland these proceedings will be brought in the Circuit Court or the High Court.

The question many practitioners are asking is: “what level of compensation awards will be made by the courts?” It was initially thought that a schedule of damages would be recommended at European level, but it now looks like this will be left to the Member State courts. That in itself is expected to lead to ‘forum shopping’ by litigants to jurisdictions that tend to give more generous damages awards. Even if the award was €750 per person for a data breach, that would be a significant unanticipated cost for a company if 100,000 people were involved. What if it happened twice? As the responsible senior executive you would certainly want a paper trail to evidence that you had taken all reasonable measures to prevent the breach: under Article 82(3) a controller or processor escapes liability only if it proves that it is not in any way responsible for the event giving rise to the damage, and that burden of proof falls on the company, not the claimant.

Hedging the risk

So what steps can and should you take to hedge the risk from data breaches? It has to be a given that companies have already checked with their insurers that they are adequately covered for the new compensation claims that may flow from data breaches under GDPR. In addition to ensuring that you have adequate insurance cover, the Irish Data Protection Commissioner (DPC) provided some useful and practical advice around data breaches in her most recent annual report. She made clear that many organisations were ignoring staff training and the importance it plays in preventing data breaches, given that social engineering plays such a significant role in cybercrime. All c-suite executives should satisfy themselves that their company does not fall foul of the poor governance and practices identified in points 1 to 6 by the DPC (see Box 1).

The first line of defence

In the new GDPR environment data breaches will open organisations up to greater public scrutiny around their fitness to handle personal data and greater exposure to financial losses from data breaches on foot of compensation claims. A company's staff are either the first line of defence or the weakest link, and training in the proper handling of personal data is key to making sure they are the former.

Companies will hedge their exposure to the risks if they make sure that they address the areas of governance and practice highlighted by the DPC on an ongoing basis. The proper management of personal data has a capital cost attached to it but personal data is also the new ‘oil’ of our age, so having the skills internally to manage it will be the differentiator of businesses going forward.

Ann Henry is a Partner in Data and Intellectual Property litigation with Pinsent Masons at their new Dublin office. She is a Fellow of the ICA and Chairperson of the Data Protection and Intellectual Property Law Committee of the Law Society of Ireland. Email: [email protected]


1. World Economic Forum, Global Future Council on Financial and Monetary Systems, 'The Global Financial and Monetary System in 2030', May 2018. Available at: http://www3.weforum.org/docs/WEF_Global_Future_Council_Financial_Monetary_Systems_report_2018.pdf

2. World Economic Forum, 'The Global Risks Report 2018, 13th Edition'. Available at: https://www.weforum.org/reports/the-global-risks-report-2018

3. Ibid. at 2; and Experian, 'Data Breach Industry Forecast 2018'. Available at: http://www.experian.com/blogs/insights/2018/01/data-breach-industry-forecast-2018/

4. PwC, 'Shining a light on fraud: Irish Economic Crime Survey 2018'. Available at: https://www.pwc.ie/reports/irish-economic-crime-survey-2018.html

5. Steve Culp (Senior Managing Director, Accenture Finance and Risk Services), 'AI Cyber Wars: Coming Soon To A Bank Near You', Forbes, 21 July 2017. Available at: https://www.forbes.com/sites/steveculp/2017/07/21/ai-cyber-wars-coming-soon-to-a-bank-near-you/#548bb37a2959

6. Article 29 Working Party, 'Guidelines on Personal data breach notification under Regulation 2016/679', 6 February 2018. Available at: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612052. Note that the Article 29 Working Party was an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. On 25 May 2018 it was replaced by the European Data Protection Board (EDPB).

7. Irish Data Protection Commissioner, Annual Report 2017, page 24. Available at: https://www.dataprotection.ie/docimages/documents/DPC%20Annual%20Report%202017.pdf


REGULATION AND INNOVATION

Think inside the box

Simon Gray explores the what, where, when, how, why and who of regulatory sandboxes

Regulators are sometimes unkindly criticised for having predicted all six of the last three recessions.

Although it sometimes pays to be cautious, it is important that excessive caution does not stifle innovation and progress. Increasingly, leading regulators are seeking to engineer a smart financial centre where innovation is ever-present and technology is used extensively to enhance value, increase efficiency, manage risks better, and create new opportunities – invariably with the consumer in mind.

This article demonstrates how a number of leading regulators, supported by academics and consultants, are helping financial services to innovate by preparing today for tomorrow’s regulatory environment.

Where did this come from and why did it start?

Context is always important. Traditionally, licensees have experimented with new financial services or products in a production environment, for example by limiting an innovative product to a specific category of customer or setting a threshold on transaction values. However, against the background of a swiftly evolving financial technology (FinTech) environment, emerging financial services that utilise FinTech are becoming increasingly sophisticated, creating potential uncertainties over whether an innovation satisfies regulatory requirements. Indeed, what about the ‘silicon valley’ type of start-up operations, which just want to test their visions without the shackles of being stifled by existing regulatory requirements? This is where the idea of a sandbox kicks in.

Thankfully, in the past two years regulators have taken a far more proactive approach in fusing financial technology with regulatory technology (RegTech). Rather than playing ‘catch-up’, the historic norm before the global financial crisis, regulators are increasingly showing initiative and leadership, in part led by the regulatory standard-setters, such as IOSCO1, IAIS2, the Basel Committee on Banking Supervision (BCBS)3 and the FSB.4 Thus far, market leaders seem to be the UK’s Financial Conduct Authority (FCA), the Monetary Authority of Singapore (MAS), the Australian Securities and Investments Commission (ASIC), the Dubai Financial Services Authority (DFSA) and the Abu Dhabi Global Market (ADGM), with other regulators largely silent on any specifics, preferring to adopt a flexible ‘wait and see’ approach.

Notably, the new Astana International Financial Centre (AIFC) has launched its FinTech Stars Accelerator programme, intended as “a meeting point for innovative solutions, worldwide collaboration and new ideas to drive the economic growth and development of the country.” The British Virgin Islands is also showing great initiative, with BVI Finance hosting its conference, entitled ‘Think Differently! The Great Digital Disruption and the New Internet Economy’, which provided attendees with a better understanding of FinTech and the role it will play in improving the BVI economy. A similar event took place in Singapore earlier in 2018.

What is a sandbox?

Remember playing in a sandbox as a kid – using your imagination to create shapes and implement vision but in a safe and controlled environment? Well, metaphorically, a regulatory sandbox is no different, only this sandbox is where FinTech innovation meets RegTech.

The sandbox aims to promote more effective competition in the interests of consumers by allowing both existing and prospective licensees to test innovative products, services and business models in a live market environment, while ensuring that appropriate safeguards are in place. To this end, a sandbox can help to encourage more FinTech experimentation within a well-defined space and duration, where the regulator will provide the requisite regulatory support, with the fourfold aim of increasing efficiency, managing risks better, creating new opportunities and improving people’s lives. The sandbox is an experiment for both regulator and regulated alike. It is the first time that many regulators have allowed licensees to test in this way, and interest is growing rapidly.

It is expected that such initiatives will be of particular interest to licensees that are looking to apply technology in an innovative way to provide financial services that are likely to need to be regulated in due course. The target audience includes, but is not limited to, licensees, FinTech firms, and professional services firms partnering with or providing support to such businesses. Regulators are now teaming up with prominent universities to fashion the best-fit solutions for the future. A good example is the FCA’s partnership with University College London (UCL), with their Computer Science team led by Professor Phillip Treleaven and the regulatory expert, Sally Sfeir-Tait, a specialist in RegTech consulting, thereby demonstrating the harmonious marriage of tech and reg.

How does it work?

Any interested firm can apply to enter a regulatory sandbox to experiment with innovative financial services in the production environment but within a well-defined space and time horizon. The sandbox will include appropriate safeguards to contain the consequences of failure and maintain the overall safety and soundness of the financial system.

Depending on the financial service to be experimented with, the applicant involved, and the application made, the regulator will determine the specific legal and regulatory requirements that it is prepared to relax. Likely non-relaxation of rules will include the usual suspects, for example: confidentiality of customer information; fit and proper criteria, particularly on honesty and integrity; handling of customers’ moneys and assets by intermediaries; and, of course, the prevention of money laundering and countering the financing of terrorism. No great surprises there!

On the other hand, good examples of what may be relaxed include: asset maintenance requirements; board composition; cash balances; credit rating; financial soundness; fund solvency and capital adequacy; license fees; management experience; guidelines, such as technology risk management and outsourcing; minimum liquid assets; minimum paid-up capital; relative size; reputation; and track record.

Benefits and limitations

The benefits of the sandbox include: reducing the time and cost of getting innovative ideas to market; helping facilitate access to finance for innovators; enabling products to be tested and introduced to the market; and, of course, allowing regulators to work with innovators to build appropriate consumer protection safeguards into new products and services.

Inevitably limitations exist. For example, the sandbox may not be suitable under the following circumstances:

• where the proposed financial service is similar to those that are already being offered (unless the applicant can show that either a different technology is being applied, or the same technology is being applied in a different way)

• where the applicant has not demonstrated that it has conducted its due diligence, including testing the proposed financial service in a laboratory environment and knowing the legal and regulatory requirements for deploying the proposed financial service.

How is a sandbox application evaluated?

In terms of evaluation feasibility, the regulator will wish to establish whether the proposed financial service addresses a problem, or brings benefits to consumers or the industry, as well as establishing if the applicant has the intention and ability to deploy the proposed financial service in the jurisdiction on a broader scale after exiting the sandbox.

The regulator will also want to test scenarios. Expected outcomes of the sandbox experimentation should be clearly defined, the sandbox entity should report to the regulator on the test progress based on an agreed schedule, and appropriate boundary conditions should be imposed and clearly defined. This will allow for the sandbox to be meaningfully executed while sufficiently protecting the interests of consumers and maintaining the safety and soundness of the industry.

All significant risks arising from the proposed financial service should be assessed and mitigated and an acceptable exit and transition strategy should be clearly defined in the event that the proposed financial service has to be discontinued, or can proceed to be deployed on a broader scale after exiting the sandbox.

Finally, it is important that the proposed financial service includes new or emerging technology, or uses existing technology in an innovative way. This also assumes that the regulator has its own ‘savvy’ teams of tech specialists to help in these evaluations (one reason some regulators, such as the UK FCA, with its Project Innovate initiative, are establishing core partnerships with prominent universities such as UCL).

How to extend a sandbox

At the end of the agreed sandbox period, the legal and regulatory requirements relaxed by the regulator will expire and the sandbox licensee must exit the sandbox. In the event that the sandbox applicant requires an extension to the sandbox period, the applicant should apply to the regulator before the expiration of the sandbox period and provide reasons to support the application. For example, additional time may be needed to make changes to the financial service under experimentation after taking into account customer feedback or to rectify flaws; or the sandbox applicant may need more time to fully comply with the relevant legal and regulatory requirements. The regulator will review the application and approval will be granted on a case-by-case basis.

How do you exit the sandbox?

Upon exiting, the sandbox firm can proceed to deploy the financial service under experimentation on a broader scale, provided that both the regulator and the sandbox firm are satisfied that the sandbox has achieved its intended test outcomes and the sandbox firm complies with the relevant regulatory requirements.

The sandbox can end under the following circumstances:

• Where the regulator is not satisfied that the sandbox has achieved its intended purpose, based on the latest test scenarios, expected outcomes and schedule mutually agreed with the sandbox entity.

• Where the sandbox firm is unable to fully comply with the relevant legal and regulatory requirements at the end of the sandbox period. If such a situation is anticipated, the sandbox firm is encouraged to engage the regulator earlier.

• Where a flaw has been discovered in the financial service under experimentation where the risks posed to customers or the financial system outweigh the benefits of the financial service under experimentation, and the sandbox firm acknowledges that the flaw cannot be resolved within the duration of the sandbox.

• Where the regulator terminates the sandbox due to reasons such as the sandbox entity breaching any condition imposed for the duration of the sandbox, or the sandbox entity has informed the regulator of its decision to exit the sandbox at its own discretion.

The sandbox licensee should ensure that any existing obligation to its customers of the financial service under experimentation must be fully fulfilled or addressed before exiting the sandbox.

Who’s who and what’s next?

The situation remains fluid with increasing signs of international coordination, which is most welcome. For example, the FCA has taken a lead in many FinTech initiatives, most recently in its collaboration with 11 financial regulators and related organisations to create the Global Financial Innovation Network5 (GFIN), building on its earlier proposal to create a ‘global sandbox’.

The GFIN is designed with three main functions in mind, namely: acting as a regulatory network for collaboration and shared experience of innovation in respective markets, including emerging technologies and business models; providing a forum for joint policy work and discussions; and providing firms with an environment in which to trial and test cross-border solutions.

The group is also seeking views on the final GFIN mission statement, its proposed functions, and where activity should be prioritised. It is also keen to hear from other interested regulators or related organisations who wish to become involved. Furthermore, the network is seeking a more efficient way for innovative firms to interact with regulators, helping them navigate between jurisdictions as they look to test and demonstrate new ideas. It will also create a new framework for co-operation between financial services regulators on innovation-related topics, sharing different experiences and approaches and minimising duplication. The GFIN is designed to be an inclusive community of financial services regulators and related organisations. Regulatory membership is likely to expand.

This is a brave new world and certainly one in which some regulators are taking the lead! However, as Winston Churchill said: “Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning.” A fine start has been made, with much still to be done, but in terms of marks some regulators and universities deserve an A* for thinking inside the box!

Simon Gray is a Fellow of the ICA and Founder and Managing Partner of AGORA Consulting, an international regulatory and compliance advisory firm. He currently acts as Special Advisor to the Financial Services Commission of the BVI and is a Board member of the Dubai based Regional Advisory Board of the Chartered Institute for Securities & Investment

1. https://www.iosco.org/library/pubdocs/pdf/IOSCOPD554.pdf

2. https://www.iaisweb.org/page/news/other-papers-and-reports//file/65625/report-on-fintech-developments-in-the-insurance-industry

3. https://www.bis.org/bcbs/publ/d431.pdf

4. http://www.fsb.org/wp-content/uploads/Cambridge-Centre-for-Alternative-Finance-Regulatory-and-Supervisory-Issues-from-FinTech.pdf

5. https://www.fca.org.uk/publications/consultation-papers/global-financial-innovation-network


FREE RISK INSIGHTS MAGAZINE
60+ pages of thought leadership articles, interviews and reports.

ACCESS ISSUE EIGHT, PLUS ALL PREVIOUS AND FUTURE ISSUES HERE: www.cefpro.com/magazine

ISSUE EIGHT INCLUDES AUTHORS FROM:
Prudential | UBS | MUFG Americas | Freddie Mac | HSBC | Nordea | Barclays | Bank of Ireland | National Fraud Intelligence Bureau | Genworth Financial | Citi | RBS | Credit Agricole | Gatecoin and more.

KEY TOPICS THAT ARE ADDRESSED IN ISSUE EIGHT:
Banking Risk & Regulation | Vendor & Third Party Risk | Operational Risk | IFRS 17 | Liquidity Risk | and more

RISK INSIGHTS MAGAZINE, JULY - SEPTEMBER 2018, ISSUE EIGHT
Real world perspective on financial risk and regulation. Written by the industry, for the industry.

Sections in this issue: Banking Risk & Regulation | Vendor & Third Party Risk | Operational Risk | IFRS 17 | Liquidity
Featured article: Women in Finance Technology

NON-FINANCIAL REPORTING

Towards transparency

Svetlana Snezhko considers trends around the disclosure of compliance information within companies’ public reports

Governments, businesses and public interest bodies are increasingly accepting the importance of non-financial reporting, and global conversations are ongoing regarding the type of information that such reporting should include. Although in recent years different countries and institutions – such as stock exchanges – have developed standards for certain companies and industries with regards to their corporate social responsibility (CSR) activities, non-financial reporting varies considerably at the global level. Even mandatory requirements issued by governments and stock exchanges are general and ambiguous, giving companies discretion as to the kind of information that they report, and the extent of such disclosure. Nevertheless, the relevance of non-financial reporting is on the rise.

Recent surveys by Ernst & Young and KPMG suggest that stakeholders’ inquiries regarding sustainability reporting are on the increase, particularly around issues such as the management and mitigation of business risks, reputation and compliance. Stakeholders are increasingly selecting compliance as a material issue within materiality assessments, and compliance is becoming a more influential factor within sustainability strategies. Many companies now distinguish components of compliance risk – such as reputational risk and conduct risk – among their broader sustainability-related risks, and are regarding compliance and ethical issues as core constituents of their CSR.

A growing trend

In 2016 we conducted research to identify trends and to measure progress made around the disclosure of compliance information within companies’ public reports. We reviewed several internationally-accepted guidelines for non-financial reporting, such as the OECD Guidelines, UNGC principles, ISO 26000, AA1000, ISAE3000, Integrated Reporting (IR), and GRI G4 (now the ‘GRI standards’), which has been regarded as a universal standard regarding non-financial report information. We found that there are no detailed recommendations for disclosing information on compliance, although some of these standards relate to certain compliance issues such as anti-corruption and ethics.

GRI remains the leading standard on the disclosure of compliance issues. Following an update in 2018, the GRI standards now place greater attention on compliance. New topics have been introduced: ‘socioeconomic compliance’, which addresses an organisation’s overall compliance record, and ‘environmental compliance’. The topic of ‘anti-corruption’ has also been expanded to include more indicators, including: the reporting of recommendations on risk assessment procedure; managing conflicts of interest; procedures and controls in respect of charitable donations and sponsorships; delivery of communications and training on anti-corruption to third parties; and information on company participation in collective actions against corruption.

The issue of ethics and anti-corruption is already rooted in sustainability reports. Since 2008 Transparency International has been evaluating reporting on anti-corruption programmes, together with further transparency practices by the largest publicly-listed and traded companies. The disclosure of anti-corruption practices has become more obligatory than optional. EU Directive 2014/95/EU, which specifies that public-interest entities are expected to report on anti-corruption and bribery matters, is further evidence of this trend.

Findings

So, how do companies represent compliance information within their public reports? Below are the results of a review of the approximately 1,000 non-financial reports of the G2501 (the 250 leading companies on the Global Fortune 500 list, based on their 2015 ranking; see also Box 1). Reports for two different years were analysed: reports published in 2016 for 2015 (or the most recent reports) and reports for 2011.

In most cases, companies reported on their code of conduct, anti-corruption practices, training and hotlines. Data privacy ranked second amongst disclosed compliance programmes.2

Less than half of companies published details on their compliance function (composition, position within the organisation’s structure, competences etc) and a smaller number disclosed information regarding the body / committee that defines strategy and coordinates activities to manage compliance risk. We also noticed a tendency for companies to distinguish a separate paragraph for compliance issues, often named ‘Ethics’ or ‘Business Integrity’.


Information on ‘tone from the top’ practices was less frequently disclosed. BMW provided a good example of such an initiative, in which managers sign a declaration implementing this principle.

Companies also disclosed information on other compliance programmes such as AML, antitrust, and insider trading, with a smaller number reporting on environmental compliance. Human rights was not regularly included in a report section devoted to compliance. Only rarely did companies publish information about other elements of their compliance system (risk-assessments, audits, due diligence, etc).

Best practice

The companies that provided the most informative reports included details demonstrating the dynamics of compliance within their organisations; progress made; and successes or failures in compliance outcomes over the period.

They did not only evidence the presence of a compliance function but provided broader details to assess its operation and effectiveness, including: results, number of trained employees, and their contribution to external projects with other organisations. Examples of the latter included:

• Siemens’ integrity initiative against corruption
• the Daimler Compliance Academy annual compliance seminar
• the Hitachi Group Compliance Conference
• Deutsche Telecom’s international collaboration on compliance
• participation in collective action initiatives on business ethics and anti-corruption by BHP Billiton
• IBM’s collaborations with universities to deliver ethics and integrity seminars.

Best practices include: plans and strategies on compliance; disclosure of information on legal proceedings, fines or investigations; details of achievements and awards; and the sharing of different activities to promote compliance (e.g. surveys of employee awareness, promotion of compliance days, distribution of compliance materials). Companies in Box 2 provided examples of such approaches.

Walmart is worth a separate mention. Since 2014 the company has been issuing a ‘Global Compliance Programme Report’ in line with enhancing its anti-corruption programme following the revelation of corrupt practices involving the granting of licenses and permits for opening new stores in Mexico. In its report, Walmart declares what it has done to improve its compliance programme since the violations were exposed and an investigation was launched in cooperation with the US Department of Justice (DOJ) and the Securities and Exchange Commission (SEC).

The 2014 report is the most detailed, containing information on the development of Walmart’s compliance programme, in particular:

• how the compliance function has been reorganised
• a description of its structure
• who the company has hired
• increases in compliance staff
• a review of compliance training
• an update of policies and procedures
• the enhancement of compliance-related systems
• an overview of all (14) compliance areas within a compliance programme, and brief information on the main changes and improvements in each area.

Box 1: General findings and results: some statistics

Most disclosed information:
• Code of Conduct and values: 65%*
• Anti-bribery & corruption: 52%
• Communications & training: 54%
• Hotline: 55%

* % calculated from the sample (250 companies)

Other results on disclosure:
• Data privacy: 36%
• Compliance function: 33%
• Compliance or Ethics Committee: 15%
• Separate paragraph on compliance and Ethics: over 40%

Other disclosed issues:
• Tone from the top
• Other compliance programmes: Antitrust, AML, Insider compliance
• Human rights
• Other elements of compliance system: risk-assessment, due diligence, compliance audits, compliance system effectiveness assessment

Box 2: Companies that explicitly provide information on compliance

Walmart, Volkswagen, Siemens, Bayer, Samsung Electronics, Citigroup, BMW, Societe General, HP, JP Morgan Chase, Bank of America, Hitachi, Deutsche Telecom, Deutsche Post, Sony, Vodafone, BHP Billiton, Toshiba, Deutsche Bank, Intesa Sanpaolo, Renault, Lockheed Martin Corporation, Sanofi.


The report focuses on anti-corruption practices as the priority activity in light of the investigation, and highlights the appointment of a separate Global Anti-corruption Compliance Officer for the group of companies. Reports for 2015 and 2016 include information on further measures taken to improve compliance.

Shortcomings

Analysis of public reports also revealed certain shortcomings regarding the disclosure of information on compliance (see Box 3). Chiefly, there is a disparity in the information provided within reports: information is often not consistently or transparently reported, making it difficult to understand the compliance system in the company as a whole.

Moreover, information on the subject of ethics and compliance is often simply duplicated from the company’s Code of Ethics, is not always updated, and is frequently repeated from previous years’ reports. As a result, the content of the compliance sections of such reports is not always informative, and is often presented in the form of general abstractions and statements of compliance with the requirements of the law. There is much less information about specific achievements, innovations, changes, successes or plans, which would describe the company’s progress in the field of compliance. These observations raise the issue of the quality of information disclosed, which is a general concern in non-financial reports.

Looking ahead

The reports of approximately 50 companies (20% of the sample) demonstrated obvious expansion or greater inclusion of information devoted to compliance in reports. Among them are the leading companies in disclosing information on compliance, demonstrating a considerable increase in the amount of information provided: Samsung Electronics (an increase from 4 to 20+ pages on compliance issues); Sony (from 1 to 8 pages); Toshiba (from 4 to 14 pages).

The majority of companies (60%) demonstrated stable disclosure of an unchanged quantity of information on compliance. This provides evidence in support of the view that it has become conventional practice to disclose compliance information.

Some 20% of companies (mostly Chinese) demonstrated no progress on disclosure and provided no information on compliance in their reports.

A review of current trends and the findings of the study can serve as an incentive for companies to disclose information on compliance in a more detailed, structured and explicit way, to follow best practices, and to improve the content of the information they demonstrate in their public reports.

Svetlana Snezhko PhD is a Compliance Manager at one of the largest Russian telecom operators and is an ICA graduate.

Box 3: The good and the bad

Best practice:
• Highlights in reported period
• Detailed statistics on training and messages or incidents reported to a hotline
• Participation in external activities and initiatives
• Plans and strategy on compliance
• Litigations and investigations
• Activities in compliance: Corporate Ethics week, Compliance/Integrity week, Ethical surveys, Compliance Handbook or Manual
• Awards

Negative aspects/shortcomings:
• Information on compliance is dispersed throughout the reports, not structured
• Information repeats from year to year
• Information duplicates Ethics code or Code of Conduct
• The content is not informative, often just statements about compliance with the law and legal requirements or mentioning of particular compliance aspects without details.

1. KPMG’s approach to studying corporate sustainability reporting was followed.

2. The reports analysed were issued before the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) was adopted on 27 April 2016 (Article 71 obliges the Board to report on data protection and compliance with guidelines and best practices in respect to data privacy).

References

• KPMG (2013), The KPMG Survey on Corporate Social Responsibility: https://assets.kpmg.com/content/dam/kpmg/pdf/2015/08/kpmg-survey-of-corporate-responsibility-reporting-2013.pdf
• KPMG (2015), Current of change: The KPMG Survey on Corporate Social Responsibility: https://home.kpmg.com/content/dam/kpmg/pdf/2015/12/KPMG-survey-of-CR-reporting-2015.pdf
• Ernst&Young & GreenBiz (2013), Six growing trends in corporate sustainability: http://www.ey.com/Publication/vwLUAssets/Six_growing_trends_in_corporate_sustainability_2013/$FILE/Six_growing_trends_in_corporate_sustainability_2013.pdf
• Ernst&Young & Boston College Center for Corporate Citizenship (2016), Value of Sustainability Reporting: https://www.ey.com/Publication/vwLUAssets/EY_-_Value_of_sustainability_reporting/%24FILE/EY-Value-of-Sustainability-Reporting.pdf
• English, S. & Hammond, S. (2015), The Cost of Compliance. Thomson Reuters: https://thegrcbluebook.com/wp-content/uploads/2015/05/Cost-of-Compliance-2015-Thomson-Reuters.pdf
• Trafigura 2015 Responsibility Report
• Cisco 2015 Corporate Social Responsibility Report
• Toshiba 2015 Corporate Social Responsibility Report
• Metro Group Corporate Responsibility Report 2015/16


FRAUD Series

• Fraud, Asset Tracing and Recovery – Asia (5th Edition): 3 – 4 June 2019, Hong Kong. C5-Online.com/FraudAsia
• Fraud, Asset Tracing and Recovery – Miami (7th Edition): 29 – 30 October 2018, Miami. C5-Online.com/FraudMiami
• International Disputes and Asset Recovery involving Russian and CIS Parties: 29 – 30 January 2019, London. C5-Online.com/IDAR
• Fraud, Asset Tracing and Recovery – Geneva (13th Edition): 14 – 15 March 2019, Geneva. C5-Online.com/FraudGeneva

ICA members receive an exclusive 15% discount upon registration with code D15-999-ICA19

The International Compliance Association is a proud partner of C5 Group’s Fraud Series Portfolio

Find out more about the series at C5-Online.com/Fraud


THE BIG COMPLIANCE CONVERSATION

The Big Compliance Conversation: Is Manchester the new London?

27th September 2018, Manchester, 18:00 - 21:00
Hosted by: wework
#BigCompConvo


Are you part of the compliance community in Manchester? The ICA is working in collaboration with Broadgate Search and hosting a networking event in Manchester that will bring together compliance thought leaders and practitioners for a series of light-hearted conversations.

Those attending will hear from three speakers on their experiences of living and working in compliance in Manchester, and will explore the key industry trends and themes impacting business dynamics.

This is a fantastic opportunity to meet other like-minded professionals from the North-West region in this highly interactive session.

We would like to welcome everyone along to this event, whether you’re new to the Association or a long-term member.

Is Manchester the new London?

Speakers:

Will Newby – The Evolution of Compliance Culture in Manchester

Julian Davenport – The Dawn of Career Diversification and Risk Takers

Sarah Nield – But There’s Something About Yorkshire…

Refreshments will be provided and there will be an opportunity to network with your fellow members after the presentations.

Visit www.meetup.com/meetup-group-mjSPBkre/events/252699365/ for further information and to reserve your place.


Head Office: Wrens Court | 52-54 Victoria Road | Sutton Coldfield | Birmingham | B72 1SX | UNITED KINGDOM
Tel: +44 (0) 121 362 7747
Email: [email protected]
www.int-comp.org

International Compliance Association CPD - 2 points

Advice to Readers

inCOMPLIANCE® is published by the International Compliance Association. Reproduction, copying, extraction, or redistribution by any means of the whole or part of this publication must not be undertaken without the written permission of the publishers.

inCOMPLIANCE® is distributed as a free member benefit to all members of the International Compliance Association.

Articles are published in good faith without responsibility on the part of the publishers or authors for loss occasioned to any person acting or refraining from action as a result of any views expressed therein. Opinions expressed in this publication should not be regarded as the official view of the ICA or as the personal views of the Editorial Board members of inCOMPLIANCE®.

All rights reserved in respect of all articles, drawings, photographs etc published in inCOMPLIANCE® anywhere in the world. Reproduction or imitations of these are expressly forbidden without permission of the publishers.

Printed in England

ICAB10801