ISSUE 46

YOUR MAGAZINE FROM THE INTERNATIONAL COMPLIANCE ASSOCIATION

inCOMPLIANCE ®

Strength and support

Open to abuse

The ability to change

p.11 p.24

£4.95 where sold separately

p.36

What price is right?

inCOMPLIANCE®3

We are excited to introduce our brand new Specialist Certificate in Money Laundering Risk in New Technology.

• Designed for AML and compliance professionals who need to be able to have informed discussions with IT teams

• Understand essential financial crime concepts linked to technology

• Get to grips with how technology is impacting firms like yours

• Understand the influence technology has on your business model

Find out more https://compassoc.org/MLR-New-Tech

New for 2020ICA Specialist Certificate in Money Laundering Risk in New Technology

ICAA13201

inCOMPLIANCE®3

Editorial Board

Kathryn Cearns, Independent Consultant, kathryn.cearns@brixtonroaduk.com

Jee Meng Chen, Commerzbank, jeemeng.chen@commerzbank.com

Jacob Ghanty, Kemp Little LLP, jacob.ghanty@kemplittle.com

Tim Porter, Director, TPA (Consulting) Ltd, Tim.Porter@TPACLTD.com

Tom Salmond, Ernst & Young LLP, tsalmond@uk.ey.com

David Symes, Compliance Recruitment, david@compliancerecruitment.com

Rachel Waldren, Murray Waldren Consulting, contact@murraywaldren.com

inCOMPLIANCE®Issue 46

Publisher:

International Compliance Association

Editor: James Thomasjthomas284@btinternet.com

Design: Design & Document Servicesdesign.enquiries@wilmingtonplc.com

Production: Claudia Dymondcontributions@int-comp.org

Advertising Queries: Sarah Walsh+44 (0) 121 362 7659 (3133)sarah.walsh@int-comp.org

Executive President, International Compliance Association: Bill Howarthbhowarth@int-comp.org

ICA Events Enquiries: Jo Lewisevents@int-comp.org

ICA Membership Enquiries: Tom Perrymembership@int-comp.org

ICA Qualification Enquiries: Debbie Pricestudentservices@int-comp.org

Article Enquiries contributions@int-comp.org

International Compliance Association CPD - 2 hours

Advice to Readers

inCOMPLIANCE® is published six times a year by the International Compliance Association. Reproduction, copying, extraction, or redistribution by any means of the whole or part of this publication must not be undertaken without the written permission of the publishers.

inCOMPLIANCE® is distributed as a free member benefit to all members of the International Compliance Association.

Articles are published in good faith without responsibility on the part of the publishers or authors for loss occasioned to any person acting or refraining from action as a result of any views expressed therein. Opinions expressed in this publication should not be regarded as the official view of the ICA or as the personal views of the Editorial Board members of inCOMPLIANCE®.

All rights reserved in respect of all articles, drawings, photographs etc published in inCOMPLIANCE® anywhere in the world. Reproduction or imitations of these are expressly forbidden without permission of the publishers.

Printed in England

Recent months have been characterised by major, disruptive challenges, often at a global scale. For example, the impact of the ongoing spread of coronavirus (COVID-19) is currently being felt all over the planet (see p.8), cutting across all sectors of society and the economy. Meanwhile, environmental impacts associated with climate change have also been experienced worldwide. The UK is reeling from the effects of three major storms within the space of a month, while the bushfires that ravaged Australia have only recently receded.

Extreme environmental events, in particular, look set to become more prevalent: climate change and related environmental issues occupied the top five spots within the World Economic Forum’s (WEF) Global Risks Perception Survey, “the first time in the survey’s history that one category has occupied all five of the top spots” (WEF Global

Risk Report 2020, p.4). WEF’s annual Global Risk Report further highlights how the instability resulting from ongoing global political fragmentation and polarisation may serve to increase the difficulty of overcoming such challenges, by providing obstacles to co-operation and progress.

Amidst this cocktail of interacting risks, resilience is essential, not only for organisations but, moreover, for individuals (see p.11). For compliance practitioners, community may play a significant role in cultivating and maintaining such resilience, both for individual compliance officers and compliance teams.

A cocktail of riskJames Thomas

Editor

inCOMPLIANCE®5

3 Editor’s commentRecent months have been characterised by major,

disruptive challenges, often at a global scale, writes James Thomas

6 ICA news A roundup of the latest news and events from ICA

8 News insightJune JA Lau explains how compliance is working in the

fight against the coronavirus

11Compliance talks Helen Langton considers how both individuals and teams

can develop and maintain resilience in a challenging world

14Beyond compliance David Jackman considers

the possible directions for regulation and compliance in a post-Brexit world

17What price is right? Nathan Willmott considers

the emerging regulatory approach to fair pricing

21 Thinking differently Stella Mourouzidou Damtsa

and Marianna Costea share their experience of the ICA’s Professional Postgraduate Diploma, and of the changing role of compliance, with James Thomas

24 Open to abuseAnuradha Shaw discusses the risks that

charitable foundations pose for money laundering, terrorism financing and other crimes

29 A disguised threatNoel Bartolo considers

evolving sanctions evasion typologies using a hypothetical case study of North Korean coal

inCOMPLIANCE®

4inCOMPLIANCE®

5

ContentsREGULAR FEATURES

PAGE 17

IN THIS ISSUE

PAGE 32

inCOMPLIANCE®5

32 Embracing the potentialLee O’Connell discusses

the challenges and opportunities of implementing new technology from the perspective of inhouse legal and compliance teams

36 The ability to changeGeetha

Kanagasingam Tizi explores key challenges facing compliance professionals, and suggests some solutions

40Destination: dataMichael Duran

tells Jaclyn Jaeger the lessons 3M has learned in its journey towards predictive analytics

inCOMPLIANCE®5

Have you thought about writing an article for inCOMPLIANCE®?Writing an article is a great opportunity to raise your profile within ICA and present a topic of relevance to your fellow members. Writing an article on anti-money laundering, compliance, financial crime or associated disciplines will also earn you valuable CPD!

Visit tinyurl.com/writeanarticle and download our document on Article writing tips and Blogging Best Practice to enhance your skills in this area and learn about structure, themes and writing style.

Please note: you don’t have to be an ICA Member to register your interest in submitting.

If you are interested in writing an article for inCOMPLIANCE, email us at: membership@int-comp.org and remember to include your full name and your topic of interest.

PAGE 36

PAGE 40

inCOMPLIANCE®7

????????????????????????????

inCOMPLIANCE®

6

Having come back from a welcomed winter break on the ski slopes of Italy with damaged ribs and a bruised ego, I have had time to ruminate, more than usual, about the role of ICA and our strategic direction.

As ICA continues to expand, both in terms of members and the number of training options we provide, the following development areas are at the forefront of future plans:

• We have applied to be a main provider of apprenticeships in and around the compliance discipline in the UK. ICA qualifications are already part of a number of apprenticeships and ICA is a registered End Point Assessor (EPA). More and more firms are utilising apprenticeships to train and upskill their compliance staff

• We are expanding our audit and corporate certification functions, mapping firms against ISO 19600 (compliance management systems) and ISO 37001 (anti bribery management systems), by formalising our UKAS application for certification

• We are introducing a new Honorary Fellow designation for exceptional individuals (new criteria are being designed)

• The new joint MSc programme with the University of Manchester has been approved and will be available for registration in Spring 2021

• We are constructing a new International Competency Framework for the compliance industry. Major international organisations have been asked to contribute and this will build upon the work completed by ICA, in association with the Skills Council / Skills for Justice, in 2015

• We are in the process of creating a new digital hub as the centrepiece of our learning and competency framework to modernise and enhance our services to members and students

Bill Howarth ICA President

Strategic priorities

inCOMPLIANCE®7

ICA NEWS

ICA 12th Annual Conference looks to the futureICA’s Annual Conference will return to London for its 12th edition on 12-13 May, under the theme ‘Compliance is Changing’. The conference will provide a look into the next decade of compliance and beyond, with a range of future-gazing topics from business ethics, to technology and compliance, to the skills required for the future.

While technology presents a variety of opportunities to mitigate financial crime risks, it also brings a complex set of challenges related to cyber-security, ethics and data protection. The conference arrives at just the right time to explore these challenges and to provide a platform for the compliance community to come together and exchange best practice and possible solutions.

The conference will attract world-class speakers from the UK and the rest of the globe to share their insight on key issues currently facing financial crime and compliance professionals, including the two keynote speakers: David Blunt, Head of Conduct Specialists, Financial Conduct Authority, and Graham Barrow, Director, The Dark Money Files Ltd. We are pleased to welcome other distinguished speakers from O2, Royal Mail Group, Refinitiv, OneTrust, LexisNexis, NAVEX Global, Diligencia and other world-leading firms to discuss and debate the latest topics on the compliance stage.

Pre-conference workshops in anti money laundering and governance, risk and compliance will take place on 11 May, providing an ideal opportunity for delegates to take a deeper dive into the latest local and global issues.

ICA announces partnership to develop best practice in the Czech Republic We are pleased to announce that we have signed a new strategic partnership with the Compliance Academy, a private educational institution for compliance, risk and governance professionals, to develop compliance best practice in the Czech Republic.

As part of the agreement, we will offer our full suite of accredited qualifications covering financial crime prevention, governance, risk and compliance, and anti money laundering to Compliance Academy members.

In line with our efforts to help advance professional education in compliance and empower global professionals to manage risk more effectively, we will also offer two ICA diploma scholarships each year to Compliance Academy members.

The agreement will help meet the organisations’ shared values to help companies conduct business in the right way and grow through the adoption of internationally-recognised best practice by going beyond simply meeting regulatory requirements. Furthermore, it will provide an invaluable opportunity for financial services firms and other regulated sectors in the Czech Republic to upskill their employees and safeguard their business from criminal, financial and reputational risk.The partnership comes at a time of increased scrutiny of ongoing efforts in the country to prevent financial crime following FATF’s 2019 Mutual Evaluation Report.

Helen Langton, CEO, ICA, commented: “At ICA, we put the value of education and continuous professional development as enablers of sustainable business growth at the heart of everything we do, and I am especially delighted to be collaborating with the Compliance Academy to help develop the competencies and capabilities of financial crime and compliance professionals and their firms in the region.”

Michal Moroz, Co-founder of Compliance Academy, added: “Compliance Academy was launched with a clear mission in mind – to bring together professionals from various areas of expertise in order to cultivate the local business environment, promote ethical and just standards for the fight against corruption, and attract new talent to this rapidly-growing industry. We are excited to be working with ICA, a professional association that aligns with this ethos.“

inCOMPLIANCE®9

????????????????????????????NEWS INSIGHT

We live in an increasingly vulnerable world. As I write this article (26 February),

China’s National Health Commission has reported an additional 508 new cases of confirmed infections of the coronavirus (COVID-19) and 29 deaths in mainland China. To date, the Chinese government has received 78,497 reports of confirmed cases and 2,744 deaths have been confirmed nationwide. With more than 1,100 people infected, South Korea now has the second-worst coronavirus outbreak in the world, surpassed only by China. In Japan, apart from the 704 reported from an outbreak on the Diamond Princess cruise liner that was

quarantined off Tokyo, the number of cases has now risen to more than 200. By the time you read this, these figures will, no doubt, have changed as the situation is evolving rapidly.

COVID-19 has threatened our environment, our way of living and our loved ones. As compliance practitioners, how can we help the situation?

Mindset changeCompliance practitioners should ‘JUMP’ ahead to assist their organisations in fighting against the coronavirus. Applying our ‘JUMP’ mantra (which stands for: ‘Just ask, Understand and be understood, change your Mindset to be

Proactive and persevere’) our integrated team is collaborating closely with global, regional and local management teams to manage the crisis. This includes monitoring and reviewing daily public health and travel advisories, the impact on our business continuity and disaster recovery plans, technological incidents, activities that need to be moved or changed, and the overall impact on compliance risks. Where we are unsure, we ask questions in order to understand the situation. We explain the potential compliance impacts associated with any change and initiate regulatory engagement plans with the business. It is important for us to explain the

Coronavirus: a practitioner’s fight

June JA Lau explains how compliance is working in the fight against the coronavirus

inCOMPLIANCE®9

inCOMPLIANCE®

8

inCOMPLIANCE®9

rationale so that it is understood by management. Compliance professionals cannot be reactive. We must play a proactive role and persevere with our close involvement and partnerships with other internal and external stakeholders to manage the crisis.

Compliance enablerIn the current situation, we need to re-prioritise our compliance deliverables. We must ask ourselves whether internal certifications, compliance training, policy updates and consultation deadlines can be extended to help our colleagues who are facing incremental workload increases due to workload swap arrangements from China, and colleagues who are working from home and facing potential latency network issues or application access issues.

Regulatory bridgeAs compliance enablers, compliance practitioners should bridge the gap between institutional and regulatory requirements to achieve win-win outcomes. This entails analysing any potential compliance and regulatory impacts resulting from changes in business activities, employees or workflows which could trigger required licensing and risk assessment such as outsourcing; the establishment of interim privacy and banking secrecy controls; and regulatory reporting.

For example, the activation of a business continuity plan to move licensed representatives from one location to another could trigger onshore licensing. However, given the interim arrangement it may not be realistic to apply for a license for the representative. The implementation of the business continuity plan is immediate, but the time from

application to license approval may take a few months. When the license is approved, the business continuity plan may no longer be required. Compliance practitioners can help by liaising with the regulators for a more practical solution, which may include the restriction of certain onshore activities such as meeting clients with a local licensed chaperone, or the maintenance of Chinese walls among others as mitigating controls in lieu of a license.

Based on my experience with regional regulators, they are collaborative and open to discussions with the industry. They understand organisations’ immediate concerns of ensuring that they can operate normally without material impact on the market, their clients, or employees. However, such understanding from regulators may not be forthcoming if compliance practitioners do not offer alternative solutions to ensure that risk management and market conduct controls continue to operate effectively when the business continuity plan is triggered.

Compliance practitioners should also ensure that incidents that result in material client, business, market or employee impact are reported to the regulators in a timely manner. Regulators expect institutions to keep them updated on such incidents and also appreciate proactive outreach to inform them of how the institution is dealing with the situation. This includes the business continuity plan that has been activated (for example, working from home, operating split-site operations, imposing travel restrictions, or conducting health monitoring checks). Most importantly, they want to know how the institution is preparing for a potential significant and prolonged period of disruption.

Stay connectedStaying connected with our industry partners is essential to create early awareness of potential industry disruptions, as well as to understand and exchange best practice and issues that other industry partners are facing. If there is an industry problem that requires a discussion with the regulators (including, for example, appealing for leniency in meeting regulatory reporting deadlines) it is easier to achieve a win-win outcome if the regulators are approached by a group of partners rather than a sole contributor.

COVID-19 is not the end. As we face similar biological or other resiliency threats in the future, the roles that we play as a regulatory bridge, compliance enabler and industry partner – all while applying the JUMP mindset – are vital and must be sustainable. More importantly, we should take care of our health and our loved ones by maintaining an active lifestyle and good personal hygiene to continue our fight against the coronavirus.

June JA Lau is a Senior Vice President and the Head of APAC Compliance for State Street. In this

role, June is responsible for building a strong culture of compliance risk management and strengthening State Street’s position with regulators. She is a member of State Street’s APAC Executive Committee. June rejoined State Street in 2018. Prior to that, she was with BNP Paribas Securities Services (BP2S) as the Head of Compliance Singapore and Financial Security APAC. Before BP2S, June spent 10 years at State Street in the Compliance department, supporting Global Markets, Global Services, Alternative Investment Solutions and Global Exchange. She has previously held the role of Assistant Director at the Monetary Authority of Singapore and also worked as a Senior Auditor at Deloitte.

June graduated from the Nanyang Technological University with a Bachelor of Accountancy. She is also an ICA Fellow and a certified non-practising accountant.

NEWS INSIGHT

inCOMPLIANCE®9

Understanding from regulators may not be forthcoming if compliance practitioners do not offer alternative solutions to ensure that risk management and market conduct controls continue to operate effectively when the business continuity plan is triggered

inCOMPLIANCE®

10inCOMPLIANCE®

11

????????????????????????????

ICA 12th Annual Conference:Compliance is Changing11 - 13 May 2020, London

The only constant is change and the future is now.

How do you as a regulatory or financial crime compliance professional keep up?

Join us at our 12th Annual Conference in London to explore this question and work collaboratively to find solutions.

Register your place today to receive our member discount london.int-comp.org

ICAA13199

http://london.int-comp.org

inCOMPLIANCE®11

COMPLIANCE TALKS

Strength and support

Helen Langton considers how both individuals and teams can develop and maintain resilience in a challenging world

In some of the pieces I have written for inCOMPLIANCE we have looked at what it means to be a successful compliance practitioner in today’s ‘VUCA’ (volatile,

uncertain, complex and ambiguous) world. Through the focus groups we ran last year, we learnt a great deal regarding the challenges you face and how you feel about the changing role of compliance. Success, it appears, is not only about keeping up with the ever-expanding regulatory agenda, having a handle on the rapidity of technological change, and learning how to speak ‘compliance’ to non-compliance colleagues. It is also about how you, as individuals, cope. We learnt that many of you sometimes have a sense of isolation, of being alone in trying to bridge the gap between what needs to be done in terms of compliance with regulation and meeting the needs of your business. It is a fairly unique role in this respect and the need for sharing likeminded experiences with a community that ‘gets it’ is increasing. And I think the need for that collegiate community is growing as a direct reflection of our modern world.

A focus on the individualI’ve been reflecting about what it means to be a compliance officer in a VUCA world. What should a compliance officer do and how should they prepare? There is a myriad of resources that consider various business-related strategies. The word ‘compass’ comes up a lot in terms of helping to describe how firms should ‘navigate’ the unknown. However, for the purposes of this article I wanted to concentrate on individual resilience as opposed to operational resilience. What does ‘resilience’ mean from the individual’s perspective? What work habits can one cultivate in order to build and maintain resilience? What part does community play within that and how can one monitor and support the resilience of one’s colleagues and team?

For me, resilience and mental wellbeing are strongly connected. The awareness of mental health has increased dramatically and is now recognised as something very real, not something to be disregarded and minimised in terms of its importance and impact in the workforce. I myself have mental

health issues and have done ever since I can remember. In my case it manifests in the form of depression and it appears that I am not the first in my family to have experienced this. My grandfather was committed to an asylum just after the end of the second world war with depression, but of course at that time it didn’t have a name. For him, the tipping point was the revelation of how the Jews had been treated. The inhumanity that was reported at that time eroded his resilience completely. Thankfully my aunt, a senior nurse at the time, was able to get him discharged from that institution; I dread to think what would have happened to him otherwise.

Chronic depression has a significant impact on an individual’s ability to execute the roles of office. I was at one time taking medication for the condition but found that, for me, that was not a sustainable and long-term option. I’ve had several hours of counselling, which helped enormously in terms of understanding the mental health issue, its cause and effect as well as how to manage it including, perhaps most importantly, how to spot the signs of when the ‘black dog’ is approaching. But most of all, I had my community made up of my family, my friends, my colleagues and my old boss, Bill Howarth, all of whom did everything they could to support me through some pretty turbulent and dark times. Even now, when my mental health deteriorates – and there are many triggers – I have this incredible network around me that props me up! Mental health used to be something that was brushed under the carpet, but I feel, as a long-time sufferer, that it’s important to share one’s own experience in order to bring it into the light, hence my revelation in this article. I hope you can forgive me if you think it indulgent.

Getting back upIndividual resilience involves behaviours, thoughts, and actions that promote personal wellbeing and mental health. People can develop the ability to withstand, adapt to, and recover from stress and adversity – and maintain or return to a state of mental health wellbeing – by using effective coping strategies. At ICA’s forthcoming London conference we will be exploring the topic of ‘healthy minds, healthy workforce’

inCOMPLIANCE®

12inCOMPLIANCE®

13

inCOMPLIANCE®12

COMPLIANCE TALKS

inCOMPLIANCE®13

COMPLIANCE TALKS

and what that means in practice. As a player in the global compliance community, we at ICA want to do our bit to help individuals working in and connected to compliance. How does an individual stay resilient and mentally healthy? The importance of this cannot be underestimated, especially if you are in a leadership role, as your behaviours inevitably have an impact on those around you.

In preparing for this article, I read many pieces around the subject of building individual resilience. In one piece, life was likened to a river, a river that has slow, deep running places as well as fast-moving rapids. As you set out on your journey down this river what do you have in your raft? An extra life jacket? An experienced guide? Trusted companions? I quite liked the piece because it creates a mental image that we can all relate to. White water rafting down the Ardeche in France in my mid-twenties was one of the most exhilarating experiences of my life. I was accompanying a few teachers on a school trip. We had a map (good), an experienced guide (better), provisions (feeling prepared now!), and 10 kids all between 11 and 12 years of age! We toppled over and all of us except for the guide ended up in the glacial river. Strangely it was one of the kids who reminded me to float on my back, legs stretched out in front and to drift to a calmer stretch of water where we all returned to the raft. I guess the moral of the story is that you can be very well-prepared but, still, life happens to you. What matters is how you get back up again. And that is resilience and, in this case, both individual and team.

Get connectedThere are many aspects of your life that you can control and, through life experience, you can grow. Becoming more resilient is like building a muscle. It takes time and can often be painful. The American Psychological Association recommends “focusing on four core components – connection, wellness, healthy thinking and meaning”1 as a means of increasing your resilience.

As far as connections are concerned, aside from those that you build within your personal and working environment, you also have those through your professional association with ICA. The connection with individuals who understand and can empathise with your situation can be incredibly cathartic and this is where connecting to ICA can add value. We are not suggesting we become counsellors for you, rather that we continue to provide and develop platforms, both virtual and physical, where problems and issues can be shared. Often in times of stress a typical response can be to isolate oneself and it seems that many of you are already there in this respect! Individual resilience necessitates reaching out and accepting support.

Physical wellness is important. I have in previous articles referred to the ‘corporate athlete’. In order for an athlete to compete at the highest level there needs to be a balance between intense periods of training and competition, and rest. Without the rest you cannot achieve optimal performance. The connection between feeling physically healthy and mental wellbeing is an established and proven fact. Doing it, however, I appreciate is not always easy! Sleep is key – often elusive in times of stress and depression – and the lack of sleep causes distortion of responses. So sleep is vital.

A sense of purposeIndividual resilience can often be boosted if you find a way to help others too. You can garner a sense of purpose and positive self-worth through connections with people. That may manifest itself through helping a colleague or member of your team or indeed another from the compliance community.

In terms of individual resilience in the workplace, it is so easy to feel overwhelmed with the enormity of the workload and the challenges it brings. Resilience building can be achieved if you are able to step back from the noise and set yourself realistic, achievable daily goals, however small. The achievement of said goals fosters a sense of accomplishment, which helps with mental wellbeing and thus your ability to face it all again tomorrow! And let’s not forget something else we have mentioned in previous articles, the moment to pause and reflect on what has been achieved and accomplished before delving head-first into the next thing. This is so often overlooked and is increasingly important in our fast-paced world. And the workforce needs it. Generations coming into the workforce today demand recognition, sometimes if only for turning up!

Managing changeChange is a part of life and learning how to manage change is crucial. We have talked about change management theories in previous articles too. Certain goals or projects may no longer be attainable as a result of all sorts of different situations. Accepting circumstances that cannot be changed can help you focus on circumstances that you can alter.

We set out in this article to identify what individual resilience means and we have provided a definition. We have provided some ideas around habit forming connected primarily to the workplace, which hopefully will be useful too. We live in a VUCA world and we will need a compass to navigate it. But we also need to make sure we have it within ourselves to take on the journey for our own sakes as well as those around us.

Helen Langton, Chief Executive Officer, ICA

Becoming more resilient is like building a muscle. It takes time and can often be painful

1. https://www.apa.org/topics/resilience

inCOMPLIANCE®

14inCOMPLIANCE®

15

BEYOND COMPLIANCE

Which way next?David Jackman considers the possible directions

for regulation and compliance in a post-Brexit world

I remember clearly the moment when the United Kingdom left the European Union at 11pm on 31st of

January 2020 – and probably always will. Following the rather sad ‘bongs’ in Downing Street on TV, I set off out into the garden and on to the hills, as I often do at the end of the day. As we live at the end of a valley surrounded by high Lakeland fells there is barely a single light in sight. I recall that it was decidedly pitch black that night with little moonlight and, although I know the way well, I managed to fall over a low wall painfully. It was quite blustery and I can recall the wind rushing through the trees and the sound of the waterfall beyond.

It felt a little more desolate than usual and, thinking about the day’s events, I had that sense of being a little bit more alone than usual, rather more vulnerable … we had cut ourselves adrift and here we were, for the first time in a long time, sailing alone. What would happen next? The feeling of discomfort actually did not last long, for fairly swiftly I’d begun thinking about what the future might hold and how the UK could best make use of a new position. Then the questions arose: ‘How would others react?’, ‘What opportunities might lie ahead?’, and ‘How does tonight affect compliance and regulation?’

A grown-up viewIt might be suggested that thinking ahead is something that we all should have been doing for some time. However, in my experience for most of the last three and a half years many people have tried to avoid thinking past ‘Brexit-day’, to the extent that any reasonable conversation has been shut down, almost as though people became unwilling to hear another point of view. This has made planning ahead quite difficult.

In some senses this narrow view has been going on for a very long time. I’m old enough to remember when the UK joined the trade bloc of the European Economic Community (EEC) and then the confirmation referendum in ’75. The discussions split our family at the time – my father being in favour, my mother seeing only the pitfalls. Not much changes.

But we have to move past that

mental block now and take a grown-up view about what comes next. I don’t mean just during the political UK-EU negotiations over the next 10 months or so, although these will set out what is possible. There will also need to be parallel, strategic discussions within the industry about what the long-term regulatory landscape in the UK could or should look like and, by implication, how these conscious and deliberate choices will affect our businesses. This is important for UK firms and for those that seek to do business in the UK.

Clearly, in compliance, we are not able to influence very much the strategic choices to be made regarding the degree of overall alignment with the EU’s (and US) standards, which may be shaped by trade-offs in other areas on completely different issues (e.g. fishing or Gibraltar). But whatever the outcome of these high-level

We should be asking from first principles what methods will produce the best results for UK businesses and consumers. Methodologies and philosophies of compliance and regulation will become key here

inCOMPLIANCE®15

BEYOND COMPLIANCE

agreements there will still be scope for more practical decisions to be made regarding areas of the financial services rulebook and how we choose to apply and operate these rules in the UK.

This is a conversation in which both compliance as a profession, and individual compliance departments, must be engaged and must make a professional contribution. We need to ‘do policy’. I’m not suggesting for one moment that everything is ‘up for grabs’. The Financial Conduct Authority (FCA) will have to set out an overall framework first. But there is a debate that every compliance officer can have some part of.

A clean sheet?I also remember well the end of the 1990s and early 2000s when we were establishing the Financial Services Authority (FSA) and writing a new Financial Services and Markets Act (FSMA) rulebook to replace the myriad

rulebooks of the previous self-regulatory organisations (10 constituent bodies). In Training and Competence (TC), for which I became responsible (then a new and important area), I had around 500 pages of pre-existing rules and guidance inherited from pre-existing bodies such as the Personal Investment Authority (PIA) and Investment Management Regulatory Organisation (IMRO). I had a choice then whether to preserve the old with a ‘mix and match’ approach, or to start again afresh. I chose to start again. Although I could not ignore the past, I had what was as close as you can get to a ‘clean sheet of paper’. It was a battle, but we took the opportunity to do things differently.

It will not be the same now. There will be many more constraints and political considerations this time around scope and substance so we may not be discarding slices of the existing handbook (although I am sure nearly everyone can think of their favourite EU Directive to delete). But we really ought to have a choice about style and the way in which we write and implement rules and guidance. We should be asking from first principles what methods will produce the best results for UK businesses and consumers. Methodologies and philosophies of compliance and regulation will become key here.

We already have some indication of FCA’s thinking. There’s not much to go by beyond two seminal speeches made last year by the CEO of FCA and, of course, the new Bank of England Governor, Andrew Bailey, in April 20191 and October 2019.2 These both set out something we can see as a proto-agenda that very definitely indicates that post-Brexit UK regulation will focus on ‘outcomes’. Now, I know from conducting ICA professional postgraduate diploma classes that the topic of ‘outcome’ is not always well understood or applied as yet. It will need to become central for all of us.

In the firms that I am closely involved in, in which we deal almost entirely with vulnerable customers, outcome is king. We’ve moved away from seeing processes as being any kind of endpoint in compliance towards trying to establish the most effective measures of consumer long-term impact and using

these to drive everyday business and monitoring (and internal audit). It is outcome that the Board is interested in, quite correctly, and it is outcome that forms the basis of reporting and evaluation.

Maturity and sophisticationIf outcome is to become the basis of a post-Brexit UK approach then this may allow a freeing from a great deal of bureaucratic and prescriptive regulation. A focus on outcome offers the UK the opportunity to develop a distinctive and progressive style that ought to be attractive to a great number of businesses. It is not synonymous with ‘light touch’ regulation. This is not ‘Singapore-on-Thames’. It is about a more sophisticated and mature form of regulation and compliance that focuses on what really matters.

Importantly for ICA such a transition will have implications for education and competence. A new outcomes regime will need compliance professionals to embrace new techniques and approaches and to demonstrate a high degree of integrity, professionalism and skill in applying what is a more difficult set of methodologies. Compliance would need to interact more closely with the Board and other senior colleagues to establish what aspects of consumer (and market) outcomes should be a priority and how they should be measured. Measurement is a difficult area, as we have covered in these pages before.

I invite readers of inCOMPLIANCE to forward their ideas about the detail of what they would like to see or expect to see in a long-term post-Brexit regime and how they could practically change the approach in their firm. All views are welcomed!

David Jackman is Strategic adviser to ICA, Chair of Profile Pensions Ltd and Co-chair of Pay Plan

Ltd, and Formerly Head of T&C and Ethics at FSA (now FCA)

If outcome is to become the basis of a post-Brexit UK approach then this may allow a freeing from a great deal of bureaucratic and prescriptive regulation. A focus on outcome offers an opportunity to develop a distinctive and progressive style that ought to be attractive to a great number of businesses. It is not synonymous with ‘light touch’ regulation

1. https://compassoc.org/fca-brexit-financial-markets

2. https://compassoc.org/fca-brexit-financial-services

inCOMPLIANCE®

16inCOMPLIANCE®

17

ICAA13203

TRAINING FORYOUR FIRMOur Knowledge, Your WayWith our in-house training options we can create a tailored training programme for your firm and your people. We adopt a partnership approach throughout the training process, consulting with you all the way to ensure you get exactly what you want.

• Increase the knowledge, skills, performance and confidence of your staff• Enhance your firm’s risk management systems• Gain competitive advantage and retain the best talent

Our in-house training is available worldwide. We have worked with hundreds of firms, big and small, including BP, HSBC, PwC, Vodafone and PayPal and we can do the same for you.

Find out more https://compassoc.org/corporate-training

inCOMPLIANCE®17

FAIR PRICING

What price is right?Nathan Willmott considers the emerging

regulatory approach to fair pricing

The remit and approach of the UK’s financial regulators has evolved and expanded in the two decades since the Financial Services & Markets Act 2000 received

royal assent. In its twin guises as the Financial Services Authority (FSA) and subsequently the Financial Conduct Authority (FCA), the UK conduct risk regulator has been subject to a series of major expansions in scope, taking on the regulation of mortgages, general insurance sales, consumer credit and payment services. It has also taken on wider responsibilities, such as becoming a concurrent competition regulator from 2015. The FCA is now responsible for regulating 58,000 financial services firms.

Alongside this expansion in scope, the UK regulators have significantly evolved their approach to regulating firms, in particular the sale of products and services to consumers. The FSA was principally focused on what happened at the point of sale – namely whether the consumer was given appropriate information about a product to enable him or her to make an informed decision about whether or not to buy it. If appropriate information had been provided, and the consumer chose to make a bad purchase, then it was not for the regulator to intervene. Under the leadership of Sir Howard Davies, the FSA repeatedly stated that it had not been set up to be a price regulator and so it steered well clear of interfering with the way in which firms set their prices.

Changing expectationsExpectations have certainly changed since the move to dual regulation by the Prudential Regulation Authority (PRA) and FCA in 2013, when the expression ‘conduct risk’ was added to our lexicon. The FCA’s revised approach – based largely on the lessons from PPI misselling – was to place much greater focus on product providers rather than customer-facing distributors, requiring them to have in place effective oversight and governance to ensure that their products served a useful purpose for the specific target market that they were aimed at. If they did not, or were being sold to those outside the target market, then product providers were expected to intervene to stop further sales. This has undoubtedly resulted in better outcomes for consumers.

More recently, however, the FCA’s view of its own remit has expanded yet further and it has become heavily focused on the fairness of pricing practices for consumer products. Over the last 18 months it has published a series of papers on fair pricing in financial services, and it now sees fairness in pricing of financial products as a key element in its role.

This is a complete reversal of the historic approach in relation to price regulation. This article considers the causes behind this change of approach, what specific concerns the FCA has about the way that firms are pricing their products, whether the FCA currently has the necessary powers to operate as a price regulator, and what steps firms should be taking to manage these new regulatory risks.

What has caused this change of approach?There are several reasons why the FCA has moved into this new sphere of price regulation. One positive aspect is that firms’ selling standards in retail markets have improved significantly over the last two decades, and therefore the regulator is looking to new areas where it may be able to deliver ‘better’ outcomes for consumers. The FCA is likely to view fair pricing as a natural next step in its oversight of whether product providers are designing products that provide a valuable service to the target market.

Equally, fair pricing is a core issue for competition authorities, and the FCA’s new responsibilities from 2015 as a concurrent competition regulator for financial services has led it to examine much more closely pricing practices across the sector. This new competition responsibility and mindset has caused the FCA to think afresh about its overarching duties as a regulator. As it stated in its July 2019 feedback paper FS19/041, fair pricing is “directly relevant to our strategic objective to make the markets we regulate work for consumers, cutting across our consumer protection, competition, and market integrity operational objectives.”

In addition, retail markets have changed very significantly over the last 20 years. Now that consumers routinely purchase financial products over the internet or through mobile apps, firms have the ability to call on huge datasets as well as artificial intelligence (AI) to utilise a much wider range of factors

inCOMPLIANCE®19

FAIR PRICING

inCOMPLIANCE®19

inCOMPLIANCE®

18

inCOMPLIANCE®19

FAIR PRICING

in the ultimate pricing of a financial product. The FCA recognises that this means that issues of fairness in pricing are likely to become increasingly prevalent and complex in the future.

Finally, the FCA has pointed to the fact that, over recent years, there is much greater public interest in fair pricing and that the Government and other regulators such as the Competition and Markets Authority (CMA) are taking actions to ensure that pricing practices are fair – one example being the Citizens Advice response to the super-complaint to the CMA on loyalty pricing.

What concerns does the FCA have?In a series of publications, the FCA has outlined its areas of concern in relation to fair pricing. These include:• Loyalty pricing – The practice of charging new customers

less for financial products than established customers are charged. Firms wish to attract new customers through offering attractive rates and then take advantage of their propensity to stick with the same product provider when products are auto-renewed rather than switching to a different firm offering better prices. As the FCA’s October 2019 interim report on general insurance pricing practices (MS 18/1.2)² observed with concern, “firms use complex pricing practices that allow them to raise prices for consumers that renew with them year on year [referred to as ‘price walking’]”.

• Use of AI and Big Data – The regulator is concerned that firms are using AI and Big Data in ways that could be viewed as unfair to consumers. Pricing of products may be based not just on traditional factors (such as the risk of making a claim in the context of an insurance product) but also take into account factors such as the extent to which the consumer is likely to be price-sensitive. Such factors may be based on the use of Big Data, potentially coupled with assessments based on the speed with which a consumer answers questions when providing information as part of the online purchase process. The use of such factors would result in some consumers being charged more than others with the same risk profile, simply because of the firm’s assessment of how willing the consumer would be to pay a higher price. These are not isolated cases: the FCA’s October 2019 report noted that “most firms, when setting a price, include their expectations of whether a customer will switch or pay an increased price”.

• Price discrimination based on protected characteristics – Where firms are improperly pricing their products based on characteristics that are protected by law, such as race, religion, gender, disability, or sexual orientation, the FCA will be keen to ensure that the approach followed by the firm is consistent with firms’ legal obligations.

While there are pre-existing legal boundaries on price discrimination based on protected characteristics, the question of how far the FCA should properly be restricting the freedom of firms to price products based on Big Data and AI, and more broadly on an assessment of the consumer’s price sensitivity, is a difficult one.

Does the FCA have the powers to operate as a price regulator?This new focus on fair pricing raises the question of whether the FCA has the powers it needs to pursue this agenda, not least given that its predecessor organisation regularly asserted that price regulation fell squarely outside its remit.

The FCA has been given discrete statutory powers to impose price caps in relation to certain products where Parliament has identified specific risk of harm. These impose restrictions on high-cost short-term credit from 2014, on workplace personal pension schemes from 2015, and on early exit pension charges from 2016. However, there is no general power to impose price caps on other types of financial products.

The FCA does have a statutory objective to promote effective competition in the interests of consumers and has been given competition powers under the Enterprise Act 2002 as a concurrent competition authority. As a result, it can investigate whether any market for financial services is working well and can make a market investigation reference to the CMA to investigate a particular market or sector in more depth. It can also make new rules under FSMA in order to promote effective competition.

To date it has relied principally on its pre-existing rulebook to pursue its agenda on fair pricing. Firms’ duty under Principle 6 of the FCA’s Principles for Businesses – to pay due regard to the interests of customers and treat them fairly – has been cited as a basis for requiring firms to have in place fair pricing practices. Similarly, since October 2018 the FCA has also pointed to insurance firms’ duties under the Insurance Distribution Directive to act honestly, fairly and professionally in the best interests of consumers, as a basis for imposing a duty of fair pricing.

However, the FCA does not feel comfortable relying on these rules in order to require firms to have in place

While high level principles on fair pricing may suit the FCA, they will not deliver the necessary level of clarity to firms on exactly what they are (and are not) permitted to incorporate into their pricing methodologies. As a result, firms facing the risk of punitive supervisory measures or even enforcement action may well prefer these more specific requirements which would provide greater certainty and more of a level playing field among competitors

inCOMPLIANCE®19

inCOMPLIANCE®

20inCOMPLIANCE®

21

FAIR PRICING

effective processes for ensuring that the way in which consumers are charged is ‘fair’ in the eyes of the regulator. If the FCA needed to pursue a disciplinary case against a firm for ‘failing’ to have in place a fair approach to pricing (for example, by including in the price formation process an assessment of the consumer’s tolerance for paying a higher price) then it would face the prospect of having the case struck out by the FCA’s own Regulatory Decisions Committee or the Upper Tribunal.

As a result, the FCA is looking at new rules on which to ensure that firms are subject to binding duties to apply fair pricing processes. It is currently undertaking a review of its Principles for Businesses, and a discussion paper is expected by the end of the first quarter of 2020. This is very likely to include new comprehensive principles explicitly requiring firms to adopt fair pricing practices. As the issue of what is ‘fair’ is rather subjective and is likely to evolve over time, the FCA favours a higher-level obligation which it is free to interpret as such views develop.

What does ‘fair’ pricing look like?The FCA’s July 2019 paper revealed its thinking in this area: “Assessing whether a particular pricing practice is unfair can be complex and the issues can vary from market to market. So, there is no simple formula that determines whether a practice is unfair and we will use our judgment to balance the considerations in specific context. This implies that prescriptive rules are unlikely to be sufficient to incorporate our thinking into a regulatory approach.”3

The FCA’s thinking as to what ‘fair’ pricing looks like is still at a developing stage, and so imposing vaguer, higher level, duties would meet its need to have flexibility in the future. As a result, the FCA has taken the view that “at this stage … a principles-based approach may be more effective in driving appropriate outcomes, so we will incorporate our work on fair pricing into the review of our principles, which will be the first strand of our Handbook Review.”

In parallel, Lloyd’s of London has described fair value in consumer products as a ‘priority focus’, and its 2020 Market Oversight Plan identified that it will be introducing changes to its oversight framework that are designed “to provide the market with more certainty regarding Lloyd’s approach, our stated appetite and expectations surrounding [the pricing of] consumer products”. New high-level obligations are being considered, including to require firms to ensure that products are reasonably priced reflecting the level of cover provided.

Also in the field of general insurance, the FCA’s October 2019 interim report, following its market study on general insurance pricing practices (MS 18/1.2)4, suggested that more specific measures might be needed to deal with certain areas of concern. These included:• Limiting pricing practices that allow firms to charge higher

prices to consumers who do not switch. This may include restricting or banning margin optimisation based on consumers’ likelihood of renewing.

• Requiring firms to engage with customers to give them information about alternative deals and identify those who may need help in moving to better priced products with equivalent cover.

• Automatic switching of consumers paying high prices to

lower priced products that provide equivalent cover.Consultation on the proposals set out in the FCA’s interim

report has now closed and final measures are due to be published by the end of March 2020.

While high level principles on fair pricing may suit the FCA, they will not deliver the necessary level of clarity to firms on exactly what they are (and are not) permitted to incorporate into their pricing methodologies. As a result, firms facing the risk of punitive supervisory measures or even enforcement action may well prefer these more specific requirements which would provide greater certainty and more of a level playing field among competitors .

How should firms manage the relevant risks?First, product providers should already have in place effective governance arrangements to assess the value of their products to the target market. In part, this would have involved an assessment of historic performance of the product and whether the purposes for which consumers have bought the product have been properly served. It should have also included analysis of the profitability of the product and the proportionality of the level of commission paid to intermediaries.

Second, it is important that those forming part of the product governance and oversight forum within product providers understand how prices are reached on each of the firm’s products. Being able to demonstrate to the FCA that the governance forum has a full understanding of the inputs to the pricing process and the impact that different factors have on the final price – including on renewals or repurchases for existing customers – will be important in demonstrating that the governance forum is properly informed to assess the position.

Third, pending more specific rules from the FCA, firms will need to reach their own view on which elements of the pricing process they are comfortable with. This will need to consider the reputational / brand risk as well as the regulatory risk of adopting practices that are deemed by some to be ‘unfair’. These issues of principle will need to be escalated to the Board for a decision on appropriate pricing methodologies, taking into account the FCA’s emerging views on pricing practices.

Finally, firms will need to monitor closely the draft new Principles for Businesses and final rules on general insurance pricing practices that the FCA will soon be publishing and provide feedback to the regulator on unintended consequences that such new rules might lead to. Given that this is such an uncertain area for the FCA, it is likely to pay careful attention to the responses it receives from the industry and mould its new rules accordingly.

Nathan Willmott is a Partner and Head of Financial Regulation at the global law firm Bryan Cave Leighton Paisner

1. https://compassoc.org/fca-fair-pricing 2. https://compassoc.org/fca-insurance-pricing3. Ibid. note 14. Ibid. note 2

inCOMPLIANCE®21

CYPRUS

Thinking differentlyStella Mourouzidou Damtsa and Marianna Costea share their experience of the ICA’s Professional Postgraduate Diploma, and of the changing role of compliance, with James Thomas

Cyprus has witnessed considerable change in regulation and compliance in recent years,

perhaps exemplified by the strategic alliance agreed between ICA and the Institute of Certified Public Accountants of Cyprus (ICPAC) last October, requiring all compliance and anti money laundering professionals working at ICPAC-regulated firms to hold a certification provided by ICPAC and ICA. Such developments demonstrate a clear elevation in the status of regulatory compliance within the country in the aftermath of the Cypriot financial crisis of 2012-13 and are part of ongoing initiatives to rebuild trust in the financial system in Cyprus, in part through the implementation of higher standards of professional competence.

I spoke with two recent recipients of ICA’s Professional Postgraduate Diploma (PPgDip) in Governance, Risk and Compliance1, both based in Cyprus, to find out how regulation and compliance have changed since the crisis, to identify their personal and professional reasons for attaining the qualification, and to discover what they gained from the experience.

Journey to changeStella Mourouzidou Damtsa, FICA, is Regional Manager, Nicosia, at Bank of Cyprus, the country’s largest bank. Notably, not only does she operate at a

senior strategic level within the bank but, moreover, her role is predominantly a frontline one. As she explains: “I’m front office, responsible for individuals who are client-facing. In the past, my team has occasionally had different opinions from Compliance, so I decided to take things into my own hands and learn more about the subject of compliance. Enrolling on the PPgDip was therefore my own personal decision.”

That decision is indicative of a broader change in mindset within the organisation, post-crisis. “I think that compliance is for everybody, especially for the frontline,” she continues. “Regulation is part of our lives. Banking is heavily regulated, so we need to be aware of and to keep up with regulatory developments, and to be able to make decisions without necessarily having to consult Compliance. Although we do always talk to Compliance, it is important that we have our own knowledge of regulation as well. As a result of taking the course I feel more equipped to do my job and, in terms of compliance, to manage the first line of defence.”

Regular readers will be familiar with the bank’s journey towards culture change, as described by ICA International Advisory Board member Marios Skandalis.2 Indeed, Stella highlights how far Bank of Cyprus has come in the relatively short timeframe

since the crisis. “Our relationship with Compliance was very different in 2013,” she continues. “Back then Compliance was a very small department in the bank, but since 2013 it has been one of the departments that has grown, in order to monitor increasing regulatory developments, while other departments have shrunk.”

Changing perceptionsKey to this growth has been a change in perception regarding the value of compliance to the business. “Marios has been a leader in this matter,” Stella explains. “In the past we used to think about Compliance as a ‘business prevention unit’. But now regulatory compliance has been embedded into our daily lives, because good compliance enables us to serve the customer more effectively. Not only do we know our customers better, but our customers also have more information about the bank, which builds trust. And trust in banking is essential. Therefore, we don’t consider regulatory compliance as a burden, but quite the opposite: it has helped us to grow the business.” Indeed, independent surveys, as well as those undertaken by bank’s corporate affairs department, demonstrate that customer trust has increased steadily since 2013.

In addition to improving trust, integrating compliance into the daily functioning of the front office has

inCOMPLIANCE®23

had the added benefit of improving job satisfaction and understanding amongst frontline staff. “The diploma itself encouraged me to think critically,” Stella recalls. “Because of my position, I need to make decisions and approve customers. The diploma taught us to think differently and to ask the right questions. Asking such questions and discussing them with my colleagues has made the whole team feel more empowered.”

The diploma not only enabled candidates to acquire new knowledge, but, moreover, to develop their decision making, problem solving, evaluation and analysis skills, for example through the provision of case studies and through the requirement for candidates to keep a ‘reflective journal’ identifying the main points of each module of the course and how these related to their job description. Bringing these skills back to the workplace has “made the job much more interesting” Stella adds, because “you have a better idea of why you are doing things and of why procedures are how they are”. As a result, her team has moved from a ‘tick-box’ approach towards a situation in which “compliance is embedded in our daily lives”.

An academic stampMarianna Costea, FICA, Compliance Senior Manager at Alter Domus, tells a similar story, albeit from a Compliance rather than a front office perspective. For example, she too found that the requirement of keeping a reflective journal throughout the course helped her to sharpen her skills and map her day-to-day activities and technical knowledge to the knowledge acquired through the course. “Getting in the process of writing up and researching deeper on our daily tasks gives us the opportunity to re-think, re-discover and in many cases re-vamp long-established processes with updated, modernised and more efficient ones,” she explains. “In essence, this is the way forward for growth and change both for corporations, as well as for individuals.”

Once again, the fallout from the crisis, and the increasing regulatory burden thereafter, provided a backdrop to, and motivation behind, her decision to pursue the PPgDip qualification. In the last five years, in particular, she has witnessed “tremendous change” in the legal and policy landscape, with Cyprus making considerable efforts to reinforce the fight against the use of the financial sector for money laundering

and terrorist financing. This, in turn, has translated into a greater emphasis upon certification amongst compliance professionals. “Ten years ago, I was working for a bank in Cyprus when things began to change, just prior to the financial crisis,” she recalls. “Things had started evolving as far as regulation was concerned, and I got a chance to get more involved in compliance. I was trained on the job in compliance and, with a view to growing as a professional, last year I thought the time was right for me to get some compliance qualifications on my CV: an ‘academic stamp’ to validate my knowledge.”

The value of such academic accreditation is clear, given the increasing profile of compliance and the greater scrutiny that accompanies this. “In recent years, we have had an evolution of compliance standards globally,” Marianna explains. “Regulation and technology have been transformed to such extent that one could say that compliance as a profession has been re-invented. These changes have made the effective management of risk a competitive advantage in all industries. Nowadays, the duties of compliance leaders go beyond ensuring their firms comply with regulations. They are also responsible for protecting the reputation of the organisation and for monitoring bottom lines. With that in mind, it is no surprise that, for a number of Boards and senior management teams, compliance leaders are becoming important associates.”

“Academic accreditation has always been important in the field of financial services,” she continues. “In addition, regulators today, at a global level, expect the compliance officer to have stature, access, influence and impact. Therefore, as a compliance officer within an industry in which accreditation is of key importance, pursuing a compliance accreditation was, for me, an easy decision and a positive change.”

The attainment of qualifications, in her view, also supports the case for compliance professionals to assume stronger leadership positions and influence within their organisations. “As compliance practitioners, we need to make sure that we are ready

inCOMPLIANCE®

22

CYPRUS

Mourouzidou Damtsa: Compliance is for everybody

inCOMPLIANCE®23

to undertake more responsibility,” she suggests, “Today’s requirement of Compliance to be omnipresent at various stages of a firm’s activities, by identifying, assessing, advising, monitoring and reporting, makes it clear that the bar is set higher than ever and that the role of the Compliance function is being transformed into a more complex system. Compliance officers need to be more involved in decision and policy making, not only for the corporations that we work for, but also at a national level. This is particularly important for Cyprus, which has, in recent years, undergone various audits on AML and compliance by European and other international bodies. It is therefore important for young professionals to validate their knowledge through attaining qualifications as this provides a means of demonstrating both nationally and internationally that there are people working in the right direction to make the changes needed for the future.”

Stella agrees that the role of compliance is changing. “I think that Compliance should become a strategic adviser to the business and that, at the same time, frontline staff should take greater responsibility for day-to-day compliance issues,” she says. “At the moment, Compliance is acting in an advisory manner while the business side is making the decisions. Looking forward, the business should be more involved in compliance, and Compliance should take a more strategic role in the business.”

A bird’s eye viewIf Compliance is to assume this greater strategic responsibility, then the development of a compliance community may be of fundamental importance, providing practitioners with a support network and a platform for sharing ideas and experiences. Both PPgDip candidates valued the opportunities that the course offered for real-world networking and for providing

reassurance that others in their position had similar experiences and concerns, and, potentially, alternative solutions to these shared problems.

“I’m happy I enrolled in the course as I now have a wider network,” says Stella. “The really positive experience was that other people had the same challenges as myself and my colleagues. It was also a pleasant surprise to find that participants on the course were not all from banking, but were also from other sectors, which gave me a broad, bird’s eye view of what was happening in the wider world. You got the message that compliance is in everyone’s life… it’s a culture, a way of thinking.”

Marianna agrees. “The course was an amazing experience. I got the chance to network and meet with other, successful compliance officers from various industries and countries and to exchange ideas,” she recalls. “If I could summarise my ICA diploma experience, having Cyprus in mind, I would say that while Cyprus has been a strong example in the recent past of how corporate governance shortcomings can be an important factor of a financial crisis situation, stricter frameworks and higher standards of corporate governance have already been adopted. There has also been an effort to promote correct behaviour in the interest of all stakeholders. The role of ethics in business and the importance of gaining the Boards’ support for the organisations’ culture, ethos and strategy for countering financial crime have come to the fore. Coming together with my fellow colleagues on the ICA diploma provided a way for me to understand that corporate ethics and compliance is universal. Cultural change is a complex issue and requires the coordinated action by all stakeholders, and it is actually happening in Cyprus as we speak.”

CYPRUS

1. https://compassoc.org/ppg dip-grc

2. See, for example, “Adding Value” inCOMPLIANCE, issue 39, p.22; “How to be right!” inCOMPLIANCE, issue 44, p.28; https://compassoc.org/inCOMPLIANCE

Costea: Compliance as a profession has been re-invented

inCOMPLIANCE®25

Open to abuseAnuradha Shaw considers the risks that charitable

foundations pose for money laundering, terrorism financing and other crimes

CHARITABLE FOUNDATIONS

inCOMPLIANCE®24

inCOMPLIANCE®25

Charitable foundations often serve as the charitable arm of a corporate entity or family enterprise and are designed to contribute to the health and

vitality of the communities in which such entities operate. Large corporate charitable foundations – such as the Bill and Melinda Gates Foundation, the Clinton Foundation, The Arts Council of England, Cancer Research UK, or The Wellcome Trust UK – have stood the test of time with their extraordinary commitment to providing financial support for liberal and democratic organisations globally.

Charitable foundations use philanthropy, crowdfunding, volunteerism, and advocacy to strengthen community values; to support civil rights and economic justice; to encourage economic mobility and the inclusion of disenfranchised individuals; to address health and social inequities; to champion the cause of those marginalised from basic human rights due to political, social, gender, racial or other factors; or to alleviate hunger and poverty across the globe.

PhilanthrocapitalismIn recent years there has been a trend towards wealthy CEOs pledging to give away large parts of their fortunes through corporate charitable foundations, resulting in a newly-emerging culture of ‘philanthrocapitalism’, which blends the entrepreneurial ‘CEO approach’ of the super-rich 1% with the simple act of ‘giving’. This essentially transfers the responsibility of delivering public welfare goods and services to an ‘executive class’ trained in the CEO culture of building business models based on markets, efficiency, measurable costs and benefits, and overtly or covertly quantified returns.

The immediate problem with this is that the billions of dollars floated as philanthropic pledges by large corporate foundations (apart from conferring enormous tax advantages to the giver) may not specify exactly what such donations will be used for. Nor are they legally binding. They are, by and large, a moral commitment to use private wealth for ostensibly public good. There is a long list of pledgors, including Mark Zuckerberg and Priscilla Chan, Richard and Joan Branson, David Rockefeller and about 174 others1, who account for hundreds of billions of dollars in pledges. Such pledges have successfully served the interests of shareholders while achieving positive social and economic impacts … what is otherwise known as the ‘triple bottom line’. This triple bottom line approach to corporate foundations has given rise to another new concept in facilitating the flow of charitable giving through a new investment vehicle, very popular in the United States, known as Donor Advised Funds (DAFs).

What are Donor Advised Funds?DAFs have mushroomed in recent years through ‘sponsoring organisations’ such as Vanguard Charitable and Fidelity Charitable (the latter appearing at the top of the Chronicle’s ranking of the Philanthropy 4002), which operate on a non-profit basis and accept donations from private donors and corporations. Once a fund is established, the donors decide which charity initiatives

CHARITABLE FOUNDATIONS

inCOMPLIANCE®27

CHARITABLE FOUNDATIONS

inCOMPLIANCE®

26

they would like to donate to from their accounts over an unspecified period of time.

DAFs generally fall into three main categories: ‘commercial’, ‘community foundations’ and ‘single issue funds’. Large commercial funds, such as Fidelity Charitable, Goldman Sachs Charitable Gift Fund, Schwab Charitable, and Vanguard Charitable, are initiated by financial services firms as separate non-profit establishments with the charitable assets in management operated by the related investment company. These funds offer ease of use and low management fees. They are also subject to less rigorous compliance requirements than normal investment fund vehicles.

The organising principles behind DAFs are as follows;1. DAFs are structures organised as investment vehicles

and accept donations in the form of cash (cash donations offer a potential immediate tax deduction of up to 60%), stocks, mutual funds, or privately-traded assets (all also qualifying for tax deduction).

2. Donations can grow tax-free through investment activity of the sponsor while the donor decides over time the causes that they would eventually like to support.

3. The structure also offers long-term capital gains tax deductions for donors giving long-term appreciated securities.

4. DAFs are not required by law to disclose how much of their stockpile of cash and other assets have been disbursed from individual accounts.

Due to the nature of the above structuring principle, a so-called “warehouse of wealth” has been accrued, totalling some USD110bn in DAF assets.3 However, as a recent lawsuit4 revealed:1. Donors cannot access the funds but with limited

pressure to spend the money within their lifetimes for charitable ‘giving’ they can let it stay in the fund and allow it to grow as ‘inheritance’ for their descendants, who can disburse it later.

2. Meanwhile the sponsors tend to make money in the form of fees on the warehouse of wealth that they manage and invest.

3. The DAF sponsors offer a highly turbocharged incentive: ‘Invest the money now, get windfall tax breaks now, donate the money later, or not at all in your lifetime’!!!!

4. Many DAFs have remained dormant for years, stockpiling cash, depriving their governments of a huge source of tax revenues, and providing little money to charity as there is no legal burden of proof of disbursement.

5. This ultimately defeats the very purpose of charity and philanthropy as, theoretically, no money may be disbursed unless the donor authorises it. Thus, this system is very popular as it allows for long-term investment and fabulous returns through attractive tax breaks for the donors over time.

6. For this reason, DAFs have grown and outpaced many traditional charitable organisations built on direct giving, including United Way, The Salvation Army and The Red Cross.

7. In the US, legislation and policy initiatives on minimum payout requirements have languished for years in Congress and therefore most DAFs remain largely unregulated.

Risk and compliance considerationsThe OECD’s Report on Abuse of Charities for Money Laundering and Tax Evasion5 states unequivocally that “the abuse of charities occurs when the sanctioned government status of a charitable organisation is abused either by the charitable organisation, by taxpayers and donors, or third parties, such as fraudsters who pose as charitable organisations or tax return preparers who falsify tax returns to defraud the government.”

The following are real world examples of how such abuse occurs, with each case positioned against a specific abuse typology provided and detailed in the OECD report:• Scenario: Individual(s) set(s) up a charity; issue(s)

receipts; but do(es) no charity work; use(s) funds for personal benefit. Countries in which similar scenarios have been identified: Canada, Czech Republic, Spain, USReal world example (from the US): The recent case of Jeffrey Epstein, who committed suicide while in US custody under unrelated charges. As reported by The Wall Street Journal6, Epstein’s Gratitude America Foundation, managed by Deutsche Bank, reported several listed recipients of donations amounting to several million dollars since its inception in 2012, with more than USD1.8m in charity disbursement in the period 2016-2017 alone. However, several supposed recipients of this largesse reported that they never received the funds! The falsified charitable donations, it is believed, yielded massive tax benefits to donors to the Gratitude America Foundation and the funds were mainly used for political contributions and peddling political influence in an election year fraught with multiple (and as yet unresolved) questions of suspicious activities.

The billions of dollars floated as philanthropic pledges by large corporate foundations (apart from conferring enormous tax advantages to the giver) may not specify exactly what such donations will be used for. Nor are they legally binding. They are, by and large, a moral commitment to use private wealth for ostensibly public good

inCOMPLIANCE®27

• Scenario: Many entities are registered as exempted from the VAT before the Federal Administration of Public Revenues when actually they perform taxed activities. Non-commercial entities and ‘Non-profit organisation of social utility’ (‘Organizzazione non lucrativa di utilità sociale’ [ONLUS]). are set up in order to benefit from tax benefits in spite of performing a real business activity.Countries in which similar scenarios have been identified: Argentina, Italy Real world example (from Italy): As per recent reports7, the Vatican is in the process of unravelling how USD200m received by the Holy See as donations from Catholics around the world and parked in a Swiss Bank was used to finance a luxury condominium development in the upscale district of Chelsea in London. Meanwhile, the scandal associated with this type of misappropriation of funds through an investment fund called Athena Capital, to ostensibly engage in a high-income business activity and garner large profits, has resulted in police raids on the Holy See and suspension of top officials and a monsignor.

• Scenario: In the US, it is evident from the designation, prosecution and investigation of charitable organisations either based in the US or conducting operations within the US that terrorist abuse of US charities exists. False charities are a traditional method of individual contributions for terrorist groups.Countries in which similar scenarios have been identified: Canada, Italy, USReal world example of financing of terrorism globally: According to author Robert O. Collins, in his book Alms for Jihad, some of the wealthiest charities in the world raise funds with the express purpose of financing terrorist activity, often based upon specific political and ideological stances. Donations from believers in specific ideological concepts have always been a major source of donor contributions masked as charities (using the very powerful mantra of ‘winning the hearts and minds’ of believers) and they continue to flourish despite careful monitoring by banks and financial institutions through which these funds flow to the receiving entities, which in turn are bent upon enforcement of ideology through terror and mayhem.

RecommendationsDue diligence is accorded to any activity that is perceived to be operating below the radar of identifying beneficial ownership and source of funds. Within our financial system, individual charitable foundations set up by wealthy customers are accorded a high level of due diligence and scrutiny, given that they are subject to massive tax breaks and, as demonstrated through the above few selected examples, they may be a preferred vehicle for depositing dark money for political influence peddling, money laundering, terrorist financing and other financial crimes.

The OECD’s Tax Policy recommendations8 conclude with the following steps to be taken by tax authorities to combat abuse of the tax enforcement system:a. Maintain a central registry of all suspicious activities

to identify and analyse trends (within the charitable foundation structures)

b. Maintain reliable information on the real level of threat, vulnerability and compliance

c. Implement cross-functional teamsd. Implement an automated cross-check system e. Identify and develop relevant data sourcesf. Exchange information and good practices on an

ongoing basis g. Input an abuse of charities indicator on suspicious files; and h. Establish a mechanism to facilitate the exchange of

information between tax authorities, law enforcement agencies, the financial system etc.

Banks and other financial institutions would be well-advised to incorporate the above recommendations within their compliance framework to combat the risks they face as frontline managers of the corpus of wealth that funds DAFs and other charitable foundations.

For the past five years Anuradha Shaw has been working out of Toronto, Canada, as an Accredited External Trainer and Training Programmes Content Developer with the ICA. She has forty years of international

banking and business management experience across several continents and the arctic region

Many DAFs have remained dormant for years, stockpiling cash, depriving their governments of ahuge source of tax revenues, and providing little money to charity as there is no legal burden of proof of disbursement

CHARITABLE FOUNDATIONS

1. https://compassoc.org/guardian-charitable-billionaires 2. https://compassoc.org/fidelity-charitable 3. https://compassoc.org/vox-silicon-valley-donor 4. Ibid. note 35. https://compassoc.org/oecd-tax-information 6. https://compassoc.org/epstein-tax-benefits 7. https://compassoc.org/vaticans-luxury-development 8. Ibid. note 5

inCOMPLIANCE®29

ICA Award CeremonyJoin us at one of our upcoming global award ceremonies to receive your ICA award. All graduates who have successfully completed an ICA Advanced Certificate, Diploma, Professional Postgraduate Diploma and Fellowship Status are invited to attend.

These ceremonies are truly a wonderful evening to celebrate your achievement in front of family and friends and a chance to meet up with fellow students once again.

23 April 2020Whitworth HallManchester18:00 – 20:00

13 May 2020Middle TempleLondon18:00 – 20:00

Book your place now www.int-comp.org/awardceremony

ICAA13227

inCOMPLIANCE®29

Sanctions are aimed at preventing trade (or a specific type of trade) with a defined country to ensure

that such country obeys international law. Such action places a ‘disobeying country’ in trade isolation, thus restricting its ability to exchange excess product or resources. The effects of trade sanctions on a country’s economy can be devastating over the long term. For example, there is little value in being oil-rich if such oil cannot be exported and exchanged for other goods.

Trade is based on the simple principle of supply and demand. Therefore, as long as a country has something to offer, and there is demand for such resource, there will always be an interested party to balance off these two factors. Unfortunately, despite the presence of international sanctions prohibiting trade, for the right price, there will always be those prepared to go to great lengths to evade those sanctions, disguising such activity under the umbrella of ‘legitimate business’.

The 2010 scandal revolving around Barclays “knowingly and wilfully” violating international sanctions by handling hundreds of millions of dollars in clandestine transactions with banks in Cuba, Iran, Libya, Sudan and Burma sent a strong message that sanctions are to be rigorously observed. Nevertheless, was this enough to persuade entities and individuals to steer clear of sanctions evasion?

Example: North Korean coalIt is very difficult to live in economic isolation. When one considers Iran or North Korea, it is hard to comprehend

how these countries have managed to survive in so-called isolation for such a long time. In practice, of course, the major hardship is suffered by the nation at large, whilst those in power are typically able to maintain a life of luxury. Indeed, it is remarkable how individuals such as North Korean leader, Kim Jong-Un, manage to acquire luxury goods that in principle should never have been traded with the country in the first place. I am not referring to luxury watches, which can be easily smuggled across borders. I refer instead to a 200-foot yacht and, as reported in The Telegraph, up to 100 cars (with his favourite brand being Mercedes-Benz).

Sanctions evasion involving North Korea extends beyond satisfying the supreme leader’s taste in cars and boats. On 9 May 2019, the US seized a North Korean cargo ship, Wise Honest, that was used to violate international sanctions, in a first-of-its-kind enforcement action. According to the complaint, the 581-foot (177 metre) vessel was used to transport coal to ports in China, Russia and other countries, generating much-needed revenue for a country that is under UN sanctions due to its nuclear weapons programme. The ship also delivered heavy machinery back to North Korea. By what mechanisms could such sanctions evasion take place?

Disguising provenanceTo render a product marketable, one must first ensure that it has an attractive wrapping. For a product originating from a sanctioned country it is therefore important to disguise

the product’s origin. Coal, as a bulky commodity product, does not go easily unnoticed. The following sequence of events outlines how, hypothetically, sanctions might have been avoided by disguising the provenance of the North Korean coal, thus rendering it marketable and increasing the margin of profit.

Russia is a neighbouring country of North Korea and both countries happen to have a coal export business. Thus, an initial step for those seeking to smuggle coal out of North Korea would be to find an associate company dealing with coal in Russia that would be willing to rubber stamp the origin of the coal, certifying its origin from a Russian coal mine. Although this might sound a far-fetched approach, similar activities were reported in a New York Times article, dated 10 August 2018.1

Naturally a suspicious geologist could detect the true origin of the coal from its chemical composition. Therefore, mixing the provenance of the North Korean coal with the Russian Coal is a recommended further step, although this would depend on the ultimate acquirer of the commodity. The higher the diligence level, the higher the cost of the ultimate product, since the profit margin needs to remain high enough to justify the additional risk incurred in breaking the law.

Transporting the coalHow then, hypothetically, could the coal have been transported from North Korea to Russia? Looking at the infrastructure available between Rajin (North Korea) and Khasan (Russia), it is possible that the coal

SANCTIONS EVASION

A disguised threatNoel Bartolo considers evolving sanctions evasion typologies

using a hypothetical case study of North Korean coal

inCOMPLIANCE®31

SANCTIONS EVASION

could have been moved by rail, using a longstanding railway link that was renovated as recently as 2013. Upon reaching Khasan, the land connections are considerable, with a direct rail link to Vladivostok as well as road links to Posyet and the Port of Zarubino. All three ports have the capability for loading coal, although my preferred option would be to continue to move the coal directly via the railway link towards Vladivostok (see Figure 1).

North Korea, being unable to freely trade the coal excess commodity, could therefore benefit from this rail link to move the coal into Russian ownership. Indeed, it is widely understood that, in spite of the UN sanctions, North Korea and Russia do conduct mutual trade. The Moscow Times reported that, between January and November 2019, Russian imports from North Korea totalled USD 2.3m, whilst exports towards North Korea amounted to USD 42m. This raises the question: how would North Korea be able to set-off the import of USD 42m, considering the limited partners available to trade with due to the UN sanctions?2

From coal to cokeMost countries interested in importing coal for use in the metallurgical industry are not actually interested in the raw material but in its refined product, coke, which is produced by carbonizing coking coals in a coke oven. As an essential ingredient in the production of steel, global demand for coke is high and although the process of producing coke leaves an

environmental impact, the only existing alternative is to use recycled steel for which demand currently far outweighs supply.

The process of turning coal into coke changes its chemical composition and, in the process, alters its original properties, rendering it harder to establish the geographical origin of the coal, particularly if it now carries a Russian certificate of origin. At this point the ‘Russian’ coke can be exported in line with the existing main flow of demand, handled by Russia, towards the rest of the world. Naturally, countries such as Japan, China or South Korea may be unknowingly facilitating this illicit traffic, and endorsing the UN sanctions breach, by importing metallurgical coke. Media reports confirm that the Russian coal market is blooming3, whilst at the same time North Korea has been unable to export its coal to China since February 2017.

Based on the above hypothesis, the economic sanctions currently imposed on North Korea may be counterproductive. The individuals that are really suffering are the people of North Korea, while the country may in reality be handling out its coal resources to unscrupulous businessmen, at a heavily

discounted price, in view of its inability to trade directly in this very sought-after commodity.

Indeed, during 2017, North Korea was reportedly caught sending coal to Russia, which was then delivered to South Korea and Japan, in an apparent breach of sanctions. The Washington Post reported that: “at least four ships delivered North Korean coal to a port in Kholmsk, Russia, during August and September 2017. They were quickly followed by more ships that picked up parts of the load and sold it as Russian coal.”

The Washington Post also reported that: “North Korea reportedly transported its coal to Kholmsk on seven different occasions, using three North Korean ships and one Chinese-owned ship. The latter used the flag of Togo and turned off its transponder while picking up its cargo in North Korea. Several ships also turned off their responders when picking up the coal in Russia – a port none of the ships had visited in the previous two years – and five ships took North Korea's coal cargo to

inCOMPLIANCE®31

inCOMPLIANCE®

30

inCOMPLIANCE®31

SANCTIONS EVASION

Incheon, South Korea, and another to Rumoi, Japan.”4

Considering that transport at sea is doubtless under closer scrutiny following these reported events, I am sure that the perpetrators of such activities are considering alternative mass transport by land, especially since trains do not have transponders that need to remain switched on all the time.

Ensuring effectivenessSanctions evasion is a criminal act and the funds generated through this illicit activity represent the proceeds of crime. The failure to detect such illegal activities jeopardises the efficacy of the sanctioning regime and potentially places global stability at risk. The sanctions monitoring process

is an ongoing obligation on all subject persons and the decisions/escalation events triggered by MLROs, sanctions monitoring officials and all employees may be critical to ensure the future effectiveness of the sanctions regime. As approaches to facilitating sanctions evasion grow increasingly diverse and sophisticated, the challenge of detecting such actions will increase.

Noel Bartolo occupied the role of Head – AML investigations & Deputy MLRO

for HSBC Bank Malta plc and has over 20 years’ experience in the banking industry. Following the implementation of the Fourth Anti Money Laundering Directive, he joined

the gaming industry in order to widen his exposure to money laundering typologies. Noel is currently the MLRO for Gaming Innovation Group

inCOMPLIANCE®31

1. https://compassoc.org/ nytimes-illegal-coal

2. https://compassoc.org/ russia-northkorea-trade-up

3. https://compassoc.org/ russia-coal-industry

4. https://compassoc.org/northkorea-laundered-coal

Figure 1: North Korea local geography

inCOMPLIANCE®

32inCOMPLIANCE®

33

TECHNOLOGY

The business landscape for all sectors is changing rapidly. Digitalisation and the use of Big Data, enhanced technology, profiling tools and Artificial

Intelligence (AI) are all poised to transform the way that in-house corporate teams function, enabling businesses to achieve process improvements, to reduce costs, and to obtain a valuable understanding of their customers’ needs.

Financial services and the legal and compliance functions of large corporates are forecast to be the leaders of this digital and data-driven revolution. However, the degree and pace of technological change can be overwhelming, and in-house legal and compliance teams, known for being prone to caution, are yet to lead this charge. This needs to change if businesses are to secure the potential competitive advantages offered by new technology.

Why adopt? Financial services and other large corporates are increasingly appreciating that regulation, data and technology can lead to profit and growth. In-house legal and compliance teams are continually being asked to do more with less and to deliver increased output. There is a need to develop people and to continue to deliver quality, cost-effective work, whilst managing volume and complexity. Additionally, the in-house team needs to be at the forefront of strategic work, to manage potential business risk and to ensure the business stays aligned with continuing regulatory change.

In response to such developments, a range of regulatory technology (RegTech) solutions has emerged aimed at resolving both complex and simple regulatory or compliance issues. Businesses – and particularly legal and compliance teams – must identify those solutions that provide real added

inCOMPLIANCE®33

TECHNOLOGY

Embracing the potentialLee O’Connell considers the challenges and opportunities of implementing new

technology from the perspective of inhouse legal and compliance teams

value, demonstrate efficiencies and support long-term cost savings. This can be achieved by maintaining a curious outlook about the various technologies on the market, looking at ways of improving people skills and exploring the opportunities presented.

Compliance is now gaining a reputation as somewhere that the business can go to for valuable customer or client data, which can help to create a competitive advantage internally and for the business as a whole. Understanding the value of customer data and its ability to support commercial growth through meeting customers’ individual needs is therefore key to the adoption of technologies based on AI and Big Data.

The use of diagnostic data or predictive analytics for the identification, investigation and projection of barriers to workflow efficiency and risk factors, either real-time

or forecasted, provides invaluable insight for all the business teams, and a further incentive for the adoption of such technologies. Legal is being seen as an area that can provide real cost savings through transforming the way it undertakes contract drafting and review; the rise of smart contracts using blockchain technology for the automatic verification or even enforcement of a contract; advancements in E-Discovery for assisted litigation review; and the use of outsourced legal managed services for all the high volume, low value transactional work (e.g. T&Cs, NDAs to name a few).

Regulation and compliance is now so much more than a pure box-ticking exercise and, with customer attitudes becoming more sophisticated and tech-savvy, businesses are having to step up to meet the customer and client demands through the use of data and new technology.

inCOMPLIANCE®

34inCOMPLIANCE®

35

TECHNOLOGY

Taking advantageThe use of new technologies, smart data analytics, and innovative partnerships with third party suppliers will release time for senior in-house lawyers and compliance professionals to focus more on strategic risk priorities.

The consensus within many corporate sectors is that technological transformation and advances in data management will play a pivotal role within in-house legal and compliance functions. In-house teams are therefore looking closely at the latest developments in AI and smart contract innovation to plug the gap between declining resources and reducing legal costs, with many considering the increased use of effective automation, outsourcing to alternative legal services providers (ALSP) or hybrid legal managed services, utilising both in-house and external counsel.

Furthermore, we are seeing increased recruitment of tech-centric employees across the board, including within the legal sector and particularly within in-house teams and large corporates; the rise of ‘legal and compliance technologists’. Through such activities, firms are aiming to develop internally (or through work with a law firm partner) their own technology to lean and streamline current processes.

Corporates are also looking for the ability to self-serve. This is being achieved through intuitive or online portals or chat-bots that use algorithms to provide instant legal information without direct interaction with a lawyer, to allow routine contracts to be obtained with minimal resource effort, and to facilitate decisions that are driven with objective data at the click of a button.

It is well known that efficiencies can be created through the automation of simple but resource-hungry tasks, and AI and automation of rote work practices are seen as a significant solution in this regard. The use of contract AI is becoming a huge external market, due to the tangible and easily identifiable time and resource savings that can be demonstrated by the in-house teams, both in cost and time available for more strategic initiatives.

Varied approachesIn 2019 we commissioned research to identify some of the pressures that in-house legal teams are facing from this rapidly-changing landscape. The report – ‘The New Landscape: An In-house Perspective’1 – revealed the ways in which teams’ use of technology and their approach to processes, people and suppliers has been impacted as the digital revolution takes hold.

The report also uncovered the main priorities of in-house teams and examined how they will be supported by the external legal sector in the future, identifying key areas that many teams will be focusing on in the coming 12 months. For example, 48% of respondents were looking to provide

proactive and holistic risk management. Respondents were also looking at new ways to manage legal risk and to protect the organisation through engagement with the business through enhanced processes, technology and data. Some 39% of those surveyed planned to make more effective use of data, through more organised and efficient data management within the team to improve efficiency, better manage risk and demonstrate value. This is coupled with 33% wanting to digitise the function and increase the level of technology utilised within the function to improve team performance.

It is worth noting that almost half (49%) said that technology is required to act as a solution for routine and lower-value tasks and work, with 69% feeling that, without relevant consultative expertise, any technology strategy is likely to fail.

These results demonstrate the varied approaches that in-house legal teams are taking, not just wanting a commoditised technological solution, but envisaging a more holistic approach by combining data, technology and AI. The wide-reaching conclusion of the study is that the ability of teams to move to a more strategic business role depends upon the appropriateness of the alternative solutions adopted and the quality of the technology or expertise delivering transformational change.

Transformation takes timeDigitalisation of these functions and of legal and compliance tasks will not only improve operational efficiency, increasing revenues, but will also provide an opportunity for the collection and analysis of key data and management information. Moreover, providing greater visibility to key customer data for senior managers will ensure, in future, the relevance of the services being provided.

With constant regulatory change and customers becoming increasingly connected to technology and data, all that is required now is for the in-house teams of large corporates to move forward and fully embrace the potential of data analytics, new technology and the cost-effective use of ALSPs.

Transformation of this magnitude takes time. It requires a strong commitment from any corporate and cannot be simply about buying new software and presenting to employees. It may in the very short-term further intensify an already expanding regulatory workload of the in-house team. However, businesses that ignore these advances run the risk of falling behind the competition.

It is envisaged that this expertise will drive forward tech initiatives to their full strategic growth potential, balancing the cost to income ratio. Therefore, in-house teams must remain flexible in their approach to processes, people, third parties and technology in order to position themselves at a C-suite level, with a Chief Legal/Compliance Officer, and assume their new strategic role.

Lee O’Connell MSc CIA is Director, Konexo

1. https://compassoc.org/konexco-new-landscape

Businesses – and particularly legal and compliance teams – must identify those solutions that provide real added value, demonstrate efficiencies and support long-term cost savings

inCOMPLIANCE®35

????????????????????????????

ICAA13230

BECOME A FINANCIAL CRIME COMPLIANCE LEADERThe ICA Professional Postgraduate Diploma in Financial Crime Compliance is an executive programme for senior industry practitioners. The course will enable you to operate at the highest level within your organisation and provide you with unique skills to drive your leadership ambitions.

• Enhance your international profile• Develop new ideas to accelerate your effectiveness as a senior manager• Learn from and share experiences with a global network of

likeminded individuals• Become eligible for ICA Fellowship (the highest grade of membership)

Find out more https://compassoc.org/postgrad-fcc

inCOMPLIANCE®

36inCOMPLIANCE®

37

The ability to change

Geetha Kanagasingam Tizi explores key challenges facing compliance professionals, and

suggests some solutions

inCOMPLIANCE®37

COMPLIANCE AND RISK MANAGEMENT

F inancial crime, and specifically anti-money laundering and terrorist financing, remains a

major problem for many businesses today. According to research conducted by North Carolina State University’s ERM Initiative and Protiviti (see Box 11), many of the top risks facing businesses relate, either directly or indirectly, to financial crime. It has become a part of doing business that business leaders cannot ignore or ‘turn a deaf ear to’.

Furthermore, regulators are keeping a watchful eye as advancing technologies provide more platforms for sophisticated financial criminals. As a recent example, on 28 January 2020, the Monetary Authority of Singapore (MAS) enforced the new Payment Services Act, which enhances the regulatory framework for payment services in Singapore to strengthen consumer protection and promote confidence in the use of e-payments.

It is worth remembering the purpose of such regulatory scrutiny, from the perspective of both the business and broader society. For a relatively new FinTech, for example, complying with such regulatory requirements will inevitably be costly but it will protect their business, customers and reputation. More broadly, financial crime – including drug trafficking, human trafficking, modern slavery, child labour, forced prostitution, illegal arms/terrorism, environmental crime and wildlife trafficking – has a damaging impact on society. The reality is that behind all the tools, regulations, requirements and reporting there are real human beings.

Evolving role of compliance Businesses today are operating in an increasingly risky and dynamic environment, characterised by changing business models, digital transformation, a shifting regulatory landscape and expanding costs. These are key driving forces behind the evolving role of the compliance professional. Other influencing factors include the rising focus on corporate assurance by assurance providers and the growing expectations of key internal and external stakeholders (Boards and senior management, employees, investors, customers, regulators, government and the general public). As a result, the pressure on compliance professionals to demonstrate value has grown exponentially.

Compliance professionals face considerable challenges in implementing and maintaining an effective and robust compliance programme. In the absence of regulatory censure or detected breaches of compliance, it may be tempting for the business to conclude that ‘no news is good news’. However, the reality is that, by the time a shortcoming in a compliance programme does come to light it may be too late, resulting in material financial losses (e.g. huge fines/penalties) and/or reputational damage. A compliance programme that had seemed to be working fine may actually have been ineffective. In short, it is

necessary to avoid complacency. This article explores key challenges

that most compliance professionals will be familiar with and proposes some practical solutions to these.

Key challenges 1. Weak tone at the top disintegrating

the foundation of a robust compliance culture. Despite the risks outlined above, and the growing importance of regulation and compliance in navigating the current business environment, research suggests that some Boards have been actually reducing the amount of time they spend on governance and compliance matters. For example, research by McKinsey into over 1,000 leading companies revealed that Boards devote a relatively small amount of time to governance and compliance. Significantly, the amount of time spent reduced considerably by 17% in 2017 from 2015, as shown in Figure 1. Indeed, research suggests that so-called ‘Gold Medal’ Boards (i.e. “those that rate themselves as operating in a highly effective manner and that oversee a high-performing company”) may spend even less time – about 6% – on compliance-related activities.2

2. Adopting a ‘business unit’ approach that is siloed from the rest of the organisation. Many of the requirements and procedures of the compliance programme

Box 1: Executive Perspectives on Top Risks 2020

Rank Top Risks For 20201 Impact of regulatory change and scrutiny on operational resilience,

products and services

2 Economic conditions impacting growth

3 Succession challenges: ability to attract and retain top talent

4 Ability to compete with ‘born digital’ and other competitors

5 Resistance to change operations

6 Cyber threats

7 Privacy/Identity management and information security

8 Organisation’s culture may not sufficiently encourage timely identification and escalation of risk issues

9 Sustaining customer loyalty and retention

10 Adoption of digital technologies may require new skills or significant efforts to upskill/reskill existing employees

Source: North Carolina State University ERM Initiative & Protiviti

Regulators are keeping a watchful eye as advancing technologies provide more platforms for sophisticated financial criminals

inCOMPLIANCE®39

inCOMPLIANCE®38

AFFOSCOMPLIANCE AND RISK MANAGEMENT

may be implemented with minimal or no consultation. This can create considerable tension amongst the affected key stakeholders who must adhere to these requirements and procedures. This results in stakeholders regarding compliance as an inhibitor or hindrance to their normal operations.

3. ‘Management and/or relationships override’ may compromise the compliance programme. What took months or even years to develop can be undermined in seconds.

4. Inability to keep pace with rapid changes in the regulatory landscape and business climate. Heightened regulatory scrutiny has affected the way we do business and launch products and services. In this digital era, have compliance professionals sufficiently embraced digital thinking and increased their capabilities to meet changing expectations?

5. Lack of risk assessment activities in developing compliance solutions. Too much focus may be placed on complying with regulatory requirements rather than addressing the critical risks the business may be exposed to. In this way, potential risk exposures may be underestimated.

6. Being ‘textbook focused’ and failing to ‘think out of the box’. Too much attention may be placed on fulfilling the mechanics rather than taking into account viable solutions, considering risk appetite and appropriate allocation of resources.

7. Lack of awareness of roles and responsibilities between first and second lines of defence (LoD). A lack of clarity around respective roles and responsibilities can cause compliance activities to ‘fall between the cracks’ as one LoD might assume that the other has completed a particular activity, resulting in non-compliance.

8. Lack of engagement and collaboration. This may be exacerbated by the siloed approached identified in 2 above.

9. Poor quality reporting. The high volumes of data and transactions that businesses must now deal with can make or break the quality of reporting. Poor management of data and a failure to properly identify users and their respective needs will result in unsatisfactory and substandard reporting.

Key solutions and recommendations The driving forces outlined above, coupled with the complexities of operations, have raised stakeholders’ expectations. Compliance professionals are expected to be proactive, to be equipped with diverse talents, to conduct risk assessments/analyses, to continuously engage, monitor and

Figure 1: McKinsey Global Board Survey

"Please indicate the % of time your board spends on the following topics during its meetings"

2015, % (n = 1,119) 2017, % (n = 1,126)

Strategy

Performance management

Organization structure, culture, and talent management*

Investments and M&A

Core governance and compliance

Risk management

Shareholder and stakeholder managament

Note: Figures may not sum to 100%, because of rounding*In the past, this category was called "organizational health and talent management."

Source: McKinsey Global Board Survey, April 2015 and 2017

27

22

9

10

12

10

9

27

20

13

12

10

9

9

Compliance professionals are expected to be proactive, to be equipped with diverse talents, to conduct risk assessments/analyses, to continuously engage, monitor and provide assurance that key regulatory risks are being adequately managed within the business

inCOMPLIANCE®39

COMPLIANCE AND RISK MANAGEMENT

provide assurance that key regulatory risks are being adequately managed within the business. A change in behaviour and mindset is required to enable compliance professionals to meet these demands. Key solutions include:

1. Boards and senior management should set a firm tone underscoring the organisation’s commitment to full compliance with internal policies, legal and regulatory requirements, which promotes a culture of ethical conduct. A ‘reward system’ may be introduced rewarding efforts to promote continuous improvement. This can help to set the right tone and cultivate a culture that discourages employees from engaging in misconduct.

2. The compliance function should adopt an integrated approach. Views of key stakeholders must be sought and appropriately considered in establishing the compliance programme. This builds a sense of inclusiveness and ownership amongst those affected by compliance activities, thus promoting compliance.

3. Compliance professionals must keep abreast of current and future changes affecting the operations and strategies of the organisation. This should not be limited to the regulatory environment as compliance professionals must also be able to recognise the implications, interdependencies and interconnectivity of operations (including broader supply chain issues) within the business

4. Consideration must be given to the risk universe and appetite of the business in developing the compliance programme. Risk appetite is the type and amount of risk, determined at the Board

level, that the organisation is willing to accept in pursuit of value. It is strategically aligned with clear risk-taking boundaries. The compliance programme must be tailored to specific business needs and business

realities. It should be designed to address the organisation’s risk profile and to detect and prevent wrongdoing. Compliance policies should be reviewed regularly to assess their effectiveness and ensure they focus on the business’ current compliance risks with the necessary improvements made.

5. It is vital to develop a common understanding of purpose and roles, ensuring consistency. There must be clarity in roles and responsibilities with clear explanation of the purpose of compliance activities, enabling better understanding by all stakeholders.

6. Adopt a coordinated and collaborative methodology. Compliance professionals should not only consider single events but must also take into account risk scenarios and the interaction of multiple risks (i.e. the concepts of ‘risk grouping’ and adopting a ‘portfolio approach’ to risk). Communication should be enhanced by establishing clear communication lines and engagement models to facilitate regular, continuous and effective engagement. This should include interactive training and clearly written materials.

7. Leveraging data and technology to facilitate analyses, communication, monitoring and effective reporting. Investing in digital technologies (e.g. AI, robotics and data analytics) can improve the effectiveness

and efficiency of the compliance programme. Major efforts may be required to upskill and reskill compliance professionals to address the demands of the digital era.

8. Sharing resources and effective partnership. The Compliance function should embrace a more holistic approach, partnering with the Risk and Internal Audit functions (2nd and 3rd LoDs respectively) where necessary and sharing resources. The resulting synergies should improve efficiency whilst avoiding any duplication of resources/efforts.

I conclude by emphasising that change begins with oneself. To be a successful compliance professional, change is critical to growth and development. As Albert Einstein said: “The measure of intelligence is the ability to change.”

Geetha Kanagasingam Tizi is an experienced managing consultant with FGR Solutions. She has over 25

years experience in risk, audit and compliance having held leadership positions in Barclays Bank, Cadbury, Singapore Airlines and PwC. She holds a professional certification in Financial Crime (Anti Money Laundering and Counter Financing of Terrorism) with the ICA and is a council member of the Risk and Insurance Management Association of Singapore (RIMAS)

1. https://compassoc.org/proviti-top-risks

2. Going for Gold: Global Board Culture and Director Behaviours Survey, Harvard Law School Forum on Corporate Governance, Rusty O’Kelley, Anthony Goodman, and PJ Neal, Russell Reynolds Associates, 7 April 2019, https://compassoc.org/going-for-gold

Heightened regulatory scrutiny has affected the way we do business and launch products and services. In this digital era, have compliance professionals sufficiently embraced digital thinking and increased their capabilities to meet changing expectations?

inCOMPLIANCE®41

inCOMPLIANCE®40

CASE STUDY: PREDICTIVE ANALYTICS

Destination: dataMichael Duran tells Jaclyn Jaeger the lessons 3M

has learned in its journey towards predictive analytics

inCOMPLIANCE®41

CASE STUDY: PREDICTIVE ANALYTICS

A truly modernised compliance department not only manages vast amounts of data, but also leverages that data in a proactive way, watching the road

ahead, driving insight, and teaming with the business and the Board to more efficiently and effectively reduce risks. Global conglomerate 3M is one company currently on that journey.

Implementing a modernised Compliance department at a company the size of 3M is no easy task. After all, we’re talking about a company that made $32.8bn of revenue in 2018, which operates in 70 countries, and has roughly 90,000 employees globally. Founded in 1902, however, you might say the global powerhouse knows a little bit about changing with the times.

In this article 3M Chief Ethics and Compliance Officer, Michael Duran, shares lessons learned on the company’s journey towards predictive analytics, an evolution from a labour-intensive collection and metrics-reporting system to the adoption of automated dashboards and scorecards.

An activity-reporting phaseFunctionally, 3M is organised into four diverse business groups: safety and industrial; transportation and electronics; healthcare; and consumer. Each group creates a very different, unique risk profile and different types of compliance risk. As Duran explains: “We have to be dynamic in how we address these types of risk.”

When Duran joined 3M eight years ago, the company was in what he refers to as an “activity-based reporting” phase, meeting on a quarterly basis with key stakeholders, including the Audit Committee of the Board and the Business Conduct Committee, made up of senior executives and business leaders. At these meetings, stakeholders would be provided with basic metrics concerning current compliance initiatives and programme highlights, for example, the number of employees who completed online training courses or the number of people who completed the annual conduct certification course.

These key stakeholders were also briefed on third-party risk and provided with information about the third-party risk management programme. “We have a pretty robust third-party due diligence programme, and we’ve internally built the workflow to support that,” he says. “We’ve centralised the use of it into our workflow system, where we get a great deal of data out of it.”

The data generated from this internal workflow system is provided to the business stakeholders. It includes, for example, the number of third parties who have gone through the due diligence programme; how many are at each risk level; and what the status is of any mitigation plan. 3M risk-ranks all its third parties, with some requiring enhanced due diligence, Duran adds.

Also, at this basic activity-based reporting stage, stakeholders were provided data from 3M’s global case management system generated from its hotline reports. The type of data reported includes the number of hotline calls, the type of reports being made, the substantiation rate of these reports, and the number of employees who have decided to remain anonymous.

All the examples of activity-based reporting mentioned above marked “the start of our use of data,” Duran says. It opened the dialogue to what eventually evolved into the next stage of maturity, the “business insight and influence” phase.

Business insight and influenceAs 3M evolved, different stakeholders and partnerships were folded in to help develop, enhance, and deploy the compliance programme, Duran recalls.

Within 3M, its four core business groups have several business divisions underneath them, each of those divisions being associated with different products or operations. Thus, compliance ambassadors play an important role in helping to design and deploy the compliance programme globally. Duran describes these individuals as “stewards of our programme” who are separate and distinct from 3M’s regional compliance officers. These compliance contacts have “insight and influence” in their country’s operations and are typically nominated by a business division head or leader within each country’s operations, he says.

3M holds monthly calls reporting to these contacts similar metrics as it does with the Board, albeit slightly modified to be more relevant to them. Duran cites the following questions as examples: “‘Here is an initiative we are doing. What will be the receptiveness within your region? What will be the challenges? What are your observations locally? How can we make enhancements to the overall programme?’”

That would lead to some seeking additional information to delve deeper into the data. “Honestly, we welcome that, because that, to me, shows engagement,” he explains.

As one way to progress and start to influence change behaviour, scorecards were then created which certain parties were measured against, using a colour-coding system of green, yellow, and red. 3M’s country operations and divisional operations were then given this scorecard.

“This was a large undertaking,” Duran explains. “We were getting data from multiple, different sources.” These sources included 3M’s online training platform, its case management system, its third-party due diligence platform, its HR system, and its annual certification system.

By hiring a data scientist, 3M was effectively able to automate its data-gathering exercise from one that used to involve a labour-intensive, manual process of gathering the data, putting it all into an Excel spreadsheet, creating a PowerPoint slide, and then sending it out to the business leaders for them to validate

inCOMPLIANCE®43

CASE STUDY: PREDICTIVE ANALYTICS

inCOMPLIANCE®

42

As just one example, 3M requires annual third-party certification. If certification was done on time it was scored ‘green’, if done late it was scored ‘yellow’, and if it still hadn’t been completed in an allotted amount of time it was scored ‘red’.

Additionally, company leaders could see how they measured up against their peers. Each country’s operations were also measured, meaning that all the countries in the APAC region, for example, would be measured against each other.

“When you’re measuring business leaders in each country, when you’re colour-coding them, they consider it a reflection upon them, so it’s a great influencing tool,” Duran suggests. If someone was in the red, for example, the business leader would say, “Give me the list of people who have not done this. I’m going to make sure they get it done,” he adds. “We found this to be a very effective tool to help drive our programme and drive engagement, as well.”

Process optimisation phaseThe next phase in 3M’s data analytics maturity journey was the hiring of a data scientist. “Because we were sitting on so much data, we thought it would be helpful to hire someone with data expertise,” Duran says. “This was a big evolution in our programme.”

This involved a steep learning curve for the data scientist. “We wanted this individual to learn and understand 3M,” Duran explains. This individual needed to be educated on where data was sourced and how the data correlated to 3M’s business operations. Moreover, the compliance reasoning behind the placing of metrics around the data was important.

By hiring this data scientist, 3M was effectively able to automate its data-gathering exercise from one that used to involve a labour-intensive, manual process of gathering the data, putting it all into an Excel spreadsheet, creating a PowerPoint slide, and then sending it out to the business leaders for them to validate. “An exercise that took a month was cut by half,” Duran recalls. “So, the value benefit we got was simplification of our processes.”

For some companies, making the business case for hiring a data scientist can pose a challenge, but for 3M the hire came at an opportune time: a position within its Compliance function had become available and Compliance decided to do some reshuffling of its team to fill that position with someone with a data science background.

Predictive and strategic analyticsThe final phase of 3M’s journey is the predictive and strategic analysis stage. Within this stage, suggests Duran,

“understanding the data first and foremost is important.”Because concerns about conflicts of interest are a

frequently raised issue, analysing 3M’s conflicts of interest data is “one of the first big projects we gave our data scientist,” he says. The first stage of this process has involved the collation of all the data from 3M’s conflicts of interest disclosure platform, HR data, its case management system, as well as external benchmarking data and then analysing how the data correlates with substantiated conflicts of interest investigations. Duran explains that 3M is using the findings to help prioritise how to address – and, furthermore, get ahead of – conflict of interest matters, as well as where compliance needs to spend more time on education and training.

In terms of compliance using the data in a more predictive and strategic way, 3M also undertakes compliance evaluations, which Duran describes as “audit-like exercises, where we visit our various operations.” A select number of these visits, which span one to two weeks, are made each year to certain regions. The data helps prioritise where to perform these evaluations.

“We partner with internal audit to do books and records testing,” Duran explains. “What we’re looking for is how effectively our compliance programme has been deployed.” More time can now be spent analysing the data and more clearly seeing where there may be broader trends or trouble spots in certain countries or regions that need more attention, he suggests.

In this way, the business is also able to provide more thoughtful analysis to the Board to show them what is driving certain trends. “That’s where we’re going with the data,” Duran says. “We’re explaining to them what we are doing with the data and how it is driving the direction of our programme, and they’re giving us feedback as well. They’re expecting us to continue to evolve and improve. Like all of us, we are on a continuous evolution and journey with the data. We look forward to the next direction we go.”

Jaclyn Jaeger is an Editor with Compliance Week and has written on a wide variety of topics, including ethics and compliance, risk management, legal, enforcement, technology, and more.

Michael Duran is Vice President and Chief Ethics & Compliance Officer for 3M, where he leads 3M’s global ethics & compliance programme driving innovations and enhancements to our programme to mitigate, identify and address risk and build upon 3M’s strong ethical culture of Be 3M

This article has been republished with permission from Compliance Week, a US-based information service on corporate governance, risk, and compliance. Compliance Week is a sister company to the International Compliance Association. Both organisations are under the umbrella of Wilmington plc. To read more visit www.complianceweek.com

More time can now be spent analysing the data and more clearly seeing where there may be broader trends or trouble spots in certain countries or regions that need more attention

inCOMPLIANCE®43

This is notjust a pieceof paperIt’s the power to makebetter decisions.It’s the way to driveeffective change.It’s you makingan impact.

Find out more at:www.int-comp.org/paper

Qualifications awardedin association with:

ICAA13202

Head OfficeWrens Court | 52-54 Victoria Road |

Sutton Coldfield | Birmingham | B72 1SX | UNITED KINGDOMTel: +44 (0) 121 362 7747

Email: ica@int-comp.org www.int-comp.org

International Compliance Association CPD - 2 hours

Advice to Readers

inCOMPLIANCE® is published by the International Compliance Association. Reproduction, copying, extraction, or redistribution by any means of the

whole or part of this publication must not be undertaken without the written permission of the publishers.

inCOMPLIANCE® is distributed as a free member benefit to all members of the International Compliance Association.

Articles are published in good faith without responsibility on the part of the publishers or authors for loss occasioned to any person acting or refraining

from action as a result of any views expressed therein. Opinions expressed in this publication should not be regarded as the official view of the ICA or as the

personal views of the Editorial Board members of inCOMPLIANCE®.

All rights reserved in respect of all articles, drawings, photographs etc published in inCOMPLIANCE® anywhere in the world. Reproduction or imitations of these

are expressly forbidden without permission of the publishers.

Printed in England

ICAB13174