The Auditor of the Future
Compliance, risk and control functions continue to be the focus as a result of continued regulatory demands imposed on the financial services community. As regulators become more punitive, financial services organizations of all sizes are striving to overhaul their compliance, risk and audit departments. Building robust internal programs by hiring subject matter experts, re-organizing reporting structures and examining third-party vendors have become priorities.
Regulators have made it clear that any company that has not been examined under the Dodd-Frank Act will be examined soon, and without notice. Therefore, organizations, particularly smaller investment advisory and mutual fund companies, need to ensure that compliance and risk management programs are in line with expectations. Encouraging a comprehensive, firm-wide compliance program will organize operations and put the organization at ease. These programs should also include a process for re-examining procedures to account for changes in regulation over time.
In 2015, there were record-setting fines and criminal prosecutions against financial organizations for violations of Bank Secrecy Act/Anti-Money Laundering (BSA/AML) sanctions and laws. This is expected to continue, and global banks are seeing the need to hire experts in these key compliance areas. Given the high level of regulatory examination, BSA/AML compliance will continue to be a focus of boards of directors and senior management. Organizations must be aware of their vulnerabilities and take action to mitigate risks in this area. [1]
In addition to building out dedicated compliance and risk operations, some large banks are re-structuring their existing compliance programs. This re-structure involves moving the compliance function out of legal and into risk. This creates a new reporting hierarchy which would have business unit Chief Compliance Officers ultimately reporting into the firm’s Chief Risk Officer. This kind of reporting structure creates the view both internally and externally that compliance is a control mechanism rather than simply an advisory function. [2]
Firms that use consultants or electronic programs for their control function often have significant inconsistencies between their policies and procedures and their actual business practices. Organizations relying on templates to conduct risk and compliance assessments often have deficient compliance programs which would not be considered to be aligned with OCIE’s expectations. While firms may pay more upfront by investing in knowledgeable compliance professionals, in the long run, this investment could save the company money in fines and possible legal actions. [3]
Managing third-party vendors is increasingly important to organizations since the SEC has made it clear that companies must have a thorough compliance program with a Chief Compliance Officer who has total understanding of the entire firm’s compliance functions, even if the firm uses third-party vendors. The CCO and the firm will be held responsible for how the third party is managing compliance. Some small and mid-sized investment adviser companies may not want to hire a CCO because the role may not be seen as generating revenue for the firm. Larger firms often outsource certain compliance functions to ensure an independent third-party perspective.
However, SEC rules require financial organizations to have policies and procedures that are designed to prevent violations of federal securities regulations. The SEC’s Office of Compliance Inspections and Examinations (OCIE) sent a risk alert to investment advisors, hedge funds and private equity funds that outsource their CCOs. This notice encouraged firms to appoint an enterprise CCO that will administer, review and enforce SEC regulations.
Financial organizations are facing intense regulatory scrutiny and are highly focused on re-vamping and re-organizing their compliance and risk functions. For smaller organizations this could mean building a new compliance program with a dedicated firm CCO to manage internal and external risk more directly. Larger banks are faced with aligning with a new school of thought which will require an organizational restructure to bring compliance out of an advisory role and into a functioning control mechanism for the organization. No matter what approach financial institutions choose to take, one thing is clear: regulatory scrutiny is not only here to stay, but will continue to dictate organizational hiring programs for the foreseeable future.
[1] Davy, Elizabeth, Sullivan and Cromwell LLP. 2015 Review of BSA/AML and Sanctions Developments. 2016.
[2] Kaminski, Piotr and Kate Robu. McKinsey and Company. A Best-Practice Model for Bank Compliance. 2016.
[3] Giachetti, Thomas. Think Advisor. Advisors, Own Your Compliance. 2015.