Compliance Risk and the Chief Compliance Officer (CCO)
Compliance risk is the risk of legal or regulatory sanctions, financial loss, or loss to reputation an entity may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards, and codes of conduct applicable to its activities. It includes the potential for an adverse impact to clients, stakeholders or to the integrity of the markets.
Compliance laws, rules and standards generally cover matters such as observing proper standards of market conduct, managing conflicts of interest, treating customers fairly, and ensuring the suitability of customer advice. They typically include specific areas such as the prevention of money laundering and terrorist financing, and may extend to tax laws that are relevant to the structuring of products or customer advice.
Compliance laws, rules and standards have various sources, including primary legislation, rules and standards issued by legislators and supervisors, market conventions, codes of practice promoted by industry associations, and internal codes of conduct. These are likely to go beyond what is legally binding and embrace broader standards of integrity and ethical conduct.
Compliance should be part of the culture of the organisation; it is not just the responsibility of specialist compliance staff.
Compliance risk management, example 1 - HSBC Holdings plc, Annual Report 2021
Regulatory compliance risk is the risk associated with breaching our duty to clients and other counterparties, inappropriate market conduct and breaching related financial services regulatory standards.
Regulatory compliance risk arises from the failure to observe relevant laws, codes, rules and regulations and can manifest itself in poor market or customer outcomes and lead to fines, penalties and reputational damage to our business.
Regulatory compliance risk is:
• measured by reference to risk appetite, identified metrics, incident assessments, regulatory feedback and the judgement and assessment of our regulatory compliance teams;
• monitored against the first line of defence risk and control assessments, the results of the monitoring and control assurance activities of the second line of defence functions, and the results of internal and external audits and regulatory inspections; and
• managed by establishing and communicating appropriate policies and procedures, training employees in them and monitoring activity to help ensure their observance. Proactive risk control and/or remediation work is undertaken where required.
Regulatory compliance risk
Identification and assessment
Compliance, as a sub-function within Group Risk and Compliance, continues to prioritise the identification and assessment of compliance risks that may arise from climate risk. Although not an exhaustive list, key regulatory compliance risks under consideration include those related to product management, misselling, marketing, conflicts of interest and regulatory change.
An area of particular focus is the risk of greenwashing. We regard greenwashing as the act of knowingly or unknowingly misleading stakeholders regarding our climate ambition, the climate impact/ benefits of a product or service or regarding the climate commitments of our customers. For the Compliance function, product-based greenwashing is a key area of focus. When considering product-based greenwashing, we seek to:
• effectively and consistently consider climate risk factors in the development and ongoing governance of new, changed or withdrawn products and services through the enhancement of existing risk management frameworks utilised within the Group’s operating entities and lines of business, enabling climate risks to be identified and assessed in a timely manner;
• ensure that climate-related products and services offered to customers are appropriately designed and that related sales practices and marketing materials are clear, fair and not misleading; and
• develop climate-related products and services consistent with the evolving expectations of the Group’s regulators and other relevant authorities.
We continue to develop our compliance policies and underlying measurement capability to enhance the management of climate risks in line with our climate ambition and risk appetite. As such, we have integrated and are continuing to enhance climate risk considerations within our product and customer life-cycle policies. Our policies set the minimum standards that are required to manage the risk of breaches of our regulatory duty to customers, including those related to climate risk, ensuring fair customer outcomes are achieved.
The Compliance sub-function placed significant focus in 2021 on supporting and improving the capability of Compliance colleagues through climate-specific training, communications and guidance materials to ensure the robust identification, assessment and management of climate risks.
Aggregation and reporting
The Compliance sub-function continues to operate an ESG and Climate Risk Working Group. This group tracks and monitors the integration and embedding of Climate risk within the management of regulatory compliance risks and controls more generally, and monitors ongoing regulatory and legislative changes across the sustainability and climate risk agenda.
We have also developed and implemented climate risk metrics and indicators aligned to wider regulatory compliance risks.
The Compliance sub-function is also represented at the Group’s Climate Risk Oversight Forum to ensure this risk type is considered.
Top and emerging risks
Our top and emerging risks identify forward-looking risks so that they can be considered in determining whether any incremental action is needed to either prevent them from materialising or to limit their effect.
Top risks are those that have the potential to have a material adverse impact on the financial results, reputation or business model of the Group. We actively manage and take actions to mitigate our top risks, Emerging risks are those that while they could have a material impact on our risk profile were they to occur, are not considered immediate and are under regular review.
Our suite of top and emerging risks is subject to regular review by senior governance forums. In December 2021, we amended our top and emerging risks. ‘Environmental, social and governance’ replaced ‘Climate-related risks’ to cover the wider scope of climate, nature and human rights risks. ‘Digitalisation and technological advances’ was added as a new risk to capture the emerging strategic and operational risks associated with the advancement of technology.
Regulatory compliance risk environment including conduct
We keep abreast of the emerging regulatory compliance and conduct agenda, which currently includes, but is not limited to: ESG matters; operational resilience; how digital and technology changes, including payments, are impacting financial institutions; how we are ensuring good customer outcomes, including addressing customer vulnerabilities; regulatory reporting; and employee compliance. We monitor regulatory developments closely and engage with regulators, as appropriate, to help ensure new regulatory requirements are implemented effectively and in a timely way.
The competitive landscape in which the Group operates may be impacted by future regulatory changes and government intervention. In the UK, potential regulatory developments include any legislative changes resulting from a statutory review of ringfencing, which has been undertaken by an independent panel appointed by HM Treasury. The panel has recommended several adjustments to the regime and HM Treasury is reviewing these recommendations. Legislative amendments may be proposed in due course.
• We monitor for regulatory developments to understand the evolving regulatory landscape and respond with changes in a timely way.
• We engage, wherever possible, with governments and regulators to make a positive contribution to regulations and ensure that new requirements are considered properly and can be implemented effectively. We hold regular meetings with relevant authorities to discuss strategic contingency plans, including those arising from geopolitical issues.
• We launched our simplified conduct approach to align to our new purpose and values, in particular the value ‘we take responsibility’.
Compliance risk management, example 2 - Royal Bank of Canada, Annual Report 2021
Regulatory compliance risk
Regulatory compliance risk is the risk of potential non-conformance with laws, rules, regulations and prescribed practices in any jurisdiction in which we operate. Issues regarding compliance with laws and regulations can arise in a number of areas in large complex financial institutions, such as ourselves, and are often the result of inadequate or failed internal processes, controls, people or systems. We currently are, and may be at any given time, subject to a number of legal and regulatory proceedings and subject to numerous governmental and regulatory examinations, investigations and other inquiries.
Laws and regulations are in place to protect the financial and other interests of our clients, investors and the public. As a large-scale global financial institution, we are subject to numerous laws and extensive and evolving regulation by governmental agencies, supervisory authorities and self-regulatory organizations in Canada, the U.S., the U.K., Europe and other jurisdictions in which we operate. Such regulation continues to become increasingly extensive and complex.
In addition, regulatory scrutiny and expectations in Canada, the U.S., the U.K., Europe and other jurisdictions for large financial institutions with respect to, among other things, governance, risk management practices and controls, and conduct, as well as the enforcement of regulatory compliance matters, has intensified. Failure to comply with these regulatory requirements and expectations or to resolve any identified deficiencies could result in increased regulatory oversight and restrictions. Resolution of such matters can also result in the payment of substantial penalties, agreements with respect to future operation of their business, actions with respect to relevant personnel, admission of wrongdoing, and guilty pleas with respect to criminal charges.
Operating in this increasingly complex regulatory environment and intense regulatory enforcement environment, we are and have been subject to a variety of legal proceedings, including civil claims and lawsuits, criminal charges, regulatory scrutiny, examinations and proceedings, investigations, audits and requests for information by various governmental regulatory agencies and law enforcement authorities in various jurisdictions, and we anticipate that our ongoing business activities will give rise to such matters in the future. The global scope of our operations also means that a single issue may give rise to overlapping regulatory investigations, regulatory proceedings and or civil litigation claims in different jurisdictions.
RBC can be subject to such proceedings due to alleged violations of law or, if determined by regulators, allegedly inadequate policies, procedures, controls or remediation of deficiencies. Changes to laws, including tax laws, regulations or regulatory policies, as well as the changes in how they are interpreted, implemented or enforced, could adversely affect us, for example, by lowering barriers to entry in the businesses in which we operate, increasing our costs of compliance, or limiting our activities and ability to execute our strategic plans.
In addition, the severity of the remedies sought in legal and regulatory proceedings to which RBC is subject have increased. Further, there is no assurance that we always will be, or be deemed to be, in compliance with laws, regulations or regulatory policies or expectations. Accordingly, it is possible that we could receive a judicial or regulatory enforcement judgment or decision that results in significant fines, damages, penalties, and other costs or injunctions, criminal convictions, or loss of licenses or registrations that would damage our reputation, and negatively impact our earnings and ability to conduct some of our businesses. We are also subject to litigation arising in the ordinary course of our business and the adverse resolution of any litigation could have a significant adverse effect on our results or could give rise to significant reputational damage, which in turn could impact our future business prospects.
Our Regulatory Compliance Management Framework outlines how we manage and mitigate the regulatory compliance risks associated with failing to comply with, or adapt to, current and changing laws and regulations in the jurisdictions in which we operate.
Regulatory compliance risk includes the regulatory risks associated with financial crimes (which include, but are not limited to, money laundering, bribery, and sanctions), privacy, market conduct, consumer protection, business conduct, as well as prudential and other generally applicable non-financial requirements. Specific compliance policies, procedures and supporting frameworks have been developed to manage regulatory compliance risk.
Compliance risk management, example 3 - Airbus Annual Report 2021
Specific directives have been adopted to address the Company’s key compliance risk areas. These include among others:
–Requirements for Gifts & Hospitality;
–Requirements for Sponsorships, Donations and Corporate Memberships;
–Requirements for the Prevention of Corruption in the Engagement of Sales Intermediaries;
–Requirements for the Prevention of Corruption in the Engagement of Lobbyists & Special Advisors;
–Requirements for Supplier Compliance Review;
–Requirements for Compliance Block List;
–Requirements for Preventing and Declaring Conflicts of Interest;
–Requirements for the Prevention of Corruption related to Mergers & Acquisitions, Joint Ventures, Partnerships and similar Transactions;
–Method for the Prevention of Corruption in the Context of International Cooperation & Offset Activities;
–Requirements for Anti-Money Laundering / Know your Customer;
–Guidelines for Competitive Intelligence Gathering Activities;
–Requirements for Export Control Sanctions, Embargoes and Screening;
–Requirements for Export Control Framework;
–Requirements for Export Control Escalation and Voluntary Disclosure;
–Requirements for Export Control Brokering;
–Requirements for Export Control Classification;
–Requirements for Export Control Licences and Agreements;
–Requirements for ITAR Part 130 Reporting;
–Personal Data Protection Directive, Method and Binding Corporate Rules.
The Ethics & Compliance organisation is charged with oversight and monitoring of these directives to ensure that they are being implemented effectively. Periodic controls on key processes are performed and reports provided to the Company’s Executive Committee and the ECSC, including recommendations to strengthen the Ethics & Compliance programme where necessary.
In addition, the Corporate Audit & Forensic Department conducts periodic, independent audits of the Company’s compliance processes to assess the effectiveness of internal controls and procedures and allow the Company to develop action plans for strengthening such controls.
Compliance risk management, example 4 - Citigroup Inc., Annual Report 2021
Compliance risk is the risk to current or projected financial condition and resilience arising from violations of laws, rules, or regulations, or from non-conformance with prescribed practices, internal policies and procedures or ethical standards. Compliance risk exposes Citi to fines, civil money penalties, payment of damages and the voiding of contracts.
Compliance risk can result in diminished reputation, harm to Citi’s customers, limited business opportunities and lessened expansion potential. It encompasses the risk of noncompliance with all laws and regulations, as well as prudent ethical standards and some contractual obligations. It could also include exposure to litigation (known as legal risk) from all aspects of traditional and non-traditional banking.
Citi seeks to operate with integrity, maintain strong ethical standards and adhere to applicable policies and regulatory and legal requirements. Citi must maintain and execute a proactive Compliance Risk Management (CRM) Policy that is designed to manage compliance risk effectively across Citi, with a view to fundamentally strengthen the compliance risk management culture across the lines of defense taking into account Citi’s risk governance framework and regulatory requirements. Independent Compliance Risk Management’s (ICRM) primary objectives are to:
• Drive and embed a culture of compliance and control throughout Citi;
• Maintain and oversee an integrated CRM Policy and Compliance Risk Framework that facilitates enterprise-wide compliance with local, national or cross-border laws, rules or regulations, Citi’s internal policies, standards and procedures and relevant standards of conduct;
• Assess compliance risks and issues across product lines, functions and geographies, supported by globally consistent systems and compliance risk management processes; and
• Provide compliance risk data aggregation and reporting capabilities. To anticipate, control and mitigate compliance risk, Citi has established the CRM Policy to achieve standardization and centralization of methodologies and processes, and to enable more consistent and comprehensive execution of compliance risk management.
Citi has a commitment, as well as an obligation, to identify, assess and mitigate compliance risks associated with its businesses and functions. ICRM is responsible for oversight of Citi’s CRM Policy, while all businesses and global control functions are responsible for managing their compliance risks and operating within the Compliance Risk Appetite.
Ongoing Interpretation and Implementation of Regulatory and Legislative Requirements and Changes and Heightened Regulatory Scrutiny and Expectations in the U.S. and Globally Have Increased Citi’s Compliance, Regulatory and Other Risks and Costs.
Citi is continually required to interpret and implement extensive and frequently changing regulatory and legislative requirements in the U.S. and other jurisdictions in which it does business, resulting in substantial compliance, regulatory and other risks and costs.
In addition, there are heightened regulatory scrutiny and expectations in the U.S. and globally for large financial institutions, as well as their employees and agents, with respect to governance, infrastructure, data and risk management practices and controls. These requirements and expectations also include, among other things, those related to customer and client protection, market practices, anti-money laundering and sanctions. A failure to comply with these requirements and expectations or resolve any identified deficiencies could result in increased regulatory oversight and restrictions, enforcement proceedings, penalties and fines (for additional information, see the legal and regulatory proceedings risk factor below).
Over the past several years, Citi has been required to implement a significant number of regulatory and legislative changes across all of its businesses and functions, and these changes continue. The changes themselves may be complex and subject to interpretation, and will require continued investments in Citi’s global operations and technology solutions.
In some cases, Citi’s implementation of a regulatory or legislative requirement is occurring simultaneously with changing or conflicting regulatory guidance, legal challenges or legislative action to modify or repeal existing rules or enact new rules. Moreover, in some cases, there have been entirely new regulatory or legislative requirements or regimes, resulting in large volumes of regulation and potential uncertainty regarding regulatory expectations for compliance.
Examples of regulatory or legislative changes that have resulted in increased compliance risks and costs include:
(i) various laws relating to the limitation of cross-border data movement and/or collection and use of customer information, including data localization and protection and privacy laws, which also can conflict with or increase compliance complexity with respect to other laws, including anti-money laundering laws;
(ii) the FRB’s “total loss absorbing capacity” (TLAC) requirements; and
(iii) the U.S. banking agencies’ regulatory capital rules and requirements, which have continued to evolve (for additional information, see the capital return risk factor and “Capital Resources” above).
In addition, the U.S. banking agencies have prioritized issues of social, economic and racial justice, and are in the process of considering ways in which these issues can be mitigated, including through rulemaking, supervision and other means.
Increased and ongoing compliance and regulatory requirements, uncertainties, scrutiny and expectations have resulted in higher compliance costs for Citi, in part due to an increase in risk, regulatory and compliance staff over the last several years. Extensive and changing compliance requirements can also result in increased reputational and legal risks for Citi, as failure to comply with regulations and requirements, or failure to comply with regulatory expectations, can result in enforcement and/or regulatory proceedings, penalties and fines.
Independent Compliance Risk Management
The ICRM organization actively oversees compliance risk across Citi, sets compliance risk and control standards for the first line of defense to manage compliance risk and promotes business conduct and activity that is consistent with Citi’s Mission and Value Proposition and the compliance risk appetite. Citi’s objective is to embed an enterprise-wide compliance risk management framework and culture that identifies, measures, monitors, controls and escalates compliance risk across Citi.
ICRM is aligned by product line, function and geography to provide compliance risk management advice and credible challenge on day-to-day matters and strategic decision-making for key initiatives. ICRM also has program-level Enterprise Compliance units responsible for setting standards and establishing priorities for program-related compliance efforts. These Compliance Risk Management heads report directly to the CCO.
Compliance risk management, example 5 - Daimler Group, Annual Report 2020
We examine and evaluate our Group companies and corporate departments systematically each year in order to minimize compliance risks. In this process we use, for example, centrally available information about the Group companies and corporate departments, such as revenue, business models and relations with business partners. If necessary, other locally sourced information is supplemented. The results of these analyses are the foundation of our compliance risk control.
Our compliance program comprises principles and measures that are designed to minimize compliance risks and prevent violations of laws and regulations. The individual measures are based on the knowledge gained through our systematic compliance risk analysis. We focus, among other things, on the following aspects: the continuous raising of awareness of compliance issues, the systematic tracking of information received regarding misconduct and the formulation of clear standards for the behavior of our business partners. We address all of these points in greater detail in a later section.
The whistleblower system BPO
The Business Practices Office (BPO ) whistleblower system enables all employees, business partners and external whistleblowers to report misconduct anywhere in the world. The BPO is available around the clock to receive information, which can be sent by e-mail or normal mail or by filling out a special online form. External toll-free hotlines are also available in Brazil, Japan, South Africa and the United States. Reports can also be submitted anonymously if local laws permit this. In Germany, whistleblower reports can also be submitted to an external neutral intermediary in addition to the BPO.
The information provided to the whistleblower system BPO enables us to learn about potential risks to the company and its employees and thus to prevent damage to the company and its reputation. A globally valid corporate policy defines BPO procedures and the corresponding responsibilities.
This policy aims to ensure a fair and transparent process that takes into account the principle of proportionality for the affected parties, while also giving protection to whistleblowers. It also defines a standard for evaluating incidents of misconduct and making decisions about their consequences.
If the initial assessment of an incident categorizes it as a low-risk rule violation, the BPO hands the case over to the responsible unit — for example, the HR department, Corporate Security or Group Data Protection. The respective unit investigates the incident and deals with the case on its own authority. Examples of low-risk rule violations include theft, breach of trust, and undue enrichment valued at less than €100,000 — if the violation does not fall into the category of corruption.
If the BPO ’s risk-based initial assessment categorizes an incident as a high-risk rule violation, the BPO hands the case over to an investigation unit. The BPO provides support for the subsequent investigation until the case is closed. Examples of high-risk rule violations include offenses related to corruption, breaches of antitrust law and violations of anti-money laundering regulations, as well as infringements of binding technical provisions or environmental protection regulations.
In an effort to constantly increase trust in our whistleblower system and make it even better known to our employees, we use a variety of communication measures. For example, we provide informational materials such as country-specific information cards, pocket guides and an instructional video. We also regularly inform employees about the type and number of reported violations and make case studies available on a quarterly basis.
Compliance on the part of our business partners
We expect not only our employees to comply with laws and regulations. We also require our sales partners and suppliers to adhere to clear compliance requirements, because we regard integrity and conformity with regulations as a precondition for trusting cooperation. In the selection of our direct sales partners and in our existing sales partnerships, we therefore ensure that our partners comply with laws and regulations and observe ethical principles.
In financial year 2020, we refined and made full use of our globally standardized process for the effective and efficient assessment of all new sales partners and the step-by-step re-evaluation of our existing sales partners (Sales Business Partner Due Diligence Process). Our continuous monitoring in this area is designed to ensure that we can identify possible integrity violations by our sales partners. We also reserve the right to terminate cooperation with, or terminate the selection process for, any sales partner who fails to comply with our standards. In addition, we work with our procurement units to continuously improve our processes for selecting and cooperating with suppliers.
Our global Daimler Sustainability Standards apply in this area. On the basis of these standards and our Integrity Code, we make available to each of our suppliers and sales partners a specific Compliance Awareness Module developed with their activities in mind. This module is intended to sensitize them to current integrity and compliance requirements such as those related to anti-corruption measures and technical Compliance. Through these measures we also offer our business partners assistance for dealing with possible compliance risks.
In the Reading Room (RR) of the association you can find our weekly newsletter - "Top risk and compliance management news stories and world events, that (for better or for worse) shaped the week's agenda, and what is next". Our Reading Room