Personal Liability - Thomson Reuters Cost of Compliance 2015 Report 7 June 2015 Statistics can reveal many things, but when the data all points in the same direction it may be time to take action: in this instance the focus on, and concern about, personal liability in financial services. The Thomson Reuters Cost of Compliance 2015 report showed that 59 percent of compliance officers expect their personal liability to increase in 2015, with 15 percent expecting a significant increase. In the global systemically important financial institution (G-SIFI) population those expecting a significant increase in personal liability rose to 21 percent. At the Thomson Reuters New York customer summit held in April 2015 there were two related "ask the audience" polling questions. When asked which role now carried the most personal liability, 67 percent responded by saying it was the compliance officer; the chief executive came in second place with 22 percent. The point was made even more strongly in the responses to a question about whether the personal liability of compliance officers would increase in the next year. Sixty-four percent responded "yes, significantly" and a further 30 percent of the audience responded "yes, slightly". The results of another survey gave an insight into one of the reasons behind the anticipated increase in personal liability. The Thomson Reuters Conduct Risk Report 2014/5 survey showed that 67 percent believed the regulatory focus on conduct risk would increase the personal liability of senior managers. The figure rose to 75 percent in the G-SIFI population. It not all simply perception. In the last year or so, compliance officers at firms as diverse as Swinton Insurance, MoneyGram, Bank Leumi, Bank of Tokyo-Mitsubishi, Brown Brothers Harriman, Deutsche Bank and BlackRock have all be fined, banned or dismissed (or a combination). All of this combined with the implementation of the new Senior Managers Regime in the UK in March 2016 means the need to identify, manage and mitigate any and all personal regulatory risks has become a necessity in 2015. It can be carved up a number of ways but there are three main aspects to the consideration of personal regulatory risk management. The extent to which each area or issue is considered will depend on the individual's role within the firm. The chief executive is not expected to be an expert on the granular detail of risk and compliance but he or she must be aware of the issues, able to set an appropriate risk appetite, drive a strong compliant culture, understand and challenge all risk and compliance reports and also engage appropriately with regulators. Equally, the head of compliance needs to be able not only to support the firm and other senior managers in the identification, mitigation and management of risks but also to be the acknowledged expert on all things regulatory risk. 1. External environment The external environment for financial services firms has shifted profoundly as governments, supranational policy makers and regulators have acted to try to repair and rebuild economies and balance sheets. Blame for the crisis, as well as the subsequent Libor and FX scandals, have resulted in "banker bashing" becoming a national pastime in many jurisdictions. As a result, financial services firms face a complicated raft of changes to the rulebook and supervisory expectations with the stated intention of holding more individuals personally accountable for regulatory failings, particularly those which result in customer detriment. In the increasingly harsh spotlight focused on senior individuals there needs to be a greater appreciation of the impact of the changes to both the rulebook and the more qualitative regulatory expectations. There are a number of points for firms and senior individuals to consider: The need to raise awareness about the external regulatory environment may mean changes to reporting and the inclusion of a standing update item on relevant meeting agendas. Firms need to be aware that it is not just mainstream financial services regulatory changes which may affect the business. As just one example, in February 2015 in the UK it was announced that the Information Commissioner's Office would have wider fining powers with regard to direct marketing breaches, and the UK government also confirmed that it would look at introducing measures to hold "board-level executives responsible for nuisance calls and texts". All relevant regulatory information needs to be, and to be seen to be, considered including supranational or cross-border regulatory changes, the lessons to be learned from enforcement actions against firms undertaking similar business activities and the messages conveyed in speeches and other regulatory publications. Senior individuals need to be able to discuss all major relevant regulatory changes with the supervisor, and to understand the likely impact on the firm and its customers. Anyone meeting with or speaking to the regulator should be expected to make and maintain comprehensive notes of the discussion, and to keep a record of any documents or other information exchanged. In particular, any requests or expectations stated by the regulator should be noted and as a matter of best practice confirmed in writing to ensure clarity of understanding. All information provided to the regulator must be accurate and able to be substantiated, and all actions and time scales agreed must be met and reported on both internally and externally. If a firm does not already have a lobbying programme in place it may want to consider investing in its ability to influence the external regulatory environment. While lobbying is a medium- to long-term investment the current mismatch and divergence of rules between jurisdictions (the issues in the derivatives marketplace between the European Union and the United States are a particular case in point) are proving to be expensive and distracting for firms. It is entirely possible that the over- and under-lap of the current international patchwork of rules may lead some firms to choose to breach some conflicting rules, which could in turn raise further supervisory questions for senior managers. 2. Internal environment In theory senior individuals should have much more control over the internal environment of their firm than they do over the external. The levels of line of sight and control can, however, be illusory in large, complex organisations. Senior managers need to be realistic about the implications of their accountability and their ability to discharge their role and responsibilities. There are a number of points for firms and senior individuals to consider: The current regulatory buzz words are culture and conduct risk, with a focus on the "how" business is conducted as well as the "what". Firms need to ensure that the discussions on culture, risk appetite and setting the tone from the top have happened at a suitably senior level and, critically, that consensus has been reached. It is not necessarily a given that all senior individuals will agree on what "good" looks like for the firm. Indeed, anecdotally there have been some widely differing opinions and views aired at board meetings where the subject was raised. Any discussion, challenge and constructive criticism should be documented and the final agreed position needs to be given, and be seen to be given, support from all senior managers. Given the survey results highlighting the expected link between conduct risk and personal liability, it will be a worthwhile investment for many firms to ensure comprehensive, consistent documentation on all aspects of the development, implementation, embedding and testing of conduct risk. All senior managers, and compliance officers in particular, need to have a solid understanding of the business being conducted. There needs to be a thorough, in-depth understanding of all products, activities and processes but all too often enforcement actions show that as people and businesses change, knowledge levels become severely depleted with the inevitable regulatory consequences. Particular care needs to be taken over any new areas of business or products, whether the change is by acquisition or internal development. Regulatory approvals and registrations need constant maintenance, and in a large international firm visibly adequate resourcing will be essential. It is imperative that the employee structure chart is kept up-to-date. The vast majority of regulatory bodies around the world have the concept of authorised or registered persons and it is essential that there is an accurate central record for all employees in all firms. This is particularly true for international groups where employees may hold a number of directorships and/or registrations in a number of different legal entities in a number of different jurisdictions. Firms may wish to ask certain regulators for a full list of all registered persons to check that the records at the firm and the regulator can be reconciled; it is not, for instance, unheard of for a regulator to fail to update its own records even if it has been informed of changes. It is far better for both the individual and the firm to be active in undertaking such checks, rather than discrepancies coming to light as part of, say, an intrusive supervisory visit and there being some kind of misunderstanding as to which senior manager is registered where and responsible for what. Job descriptions are often only considered in detail when someone is new in their role, and even then they tend to be high-level , general documents. Almost nowhere is the interlinking between roles, job descriptions and accountabilities routinely considered. All senior managers should review and document exactly what their role covers and how those obligations are discharged. This activity needs to be done on a firm-wide basis to ensure that the resulting aggregation of all the (much) more detailed job descriptions come together into a seamless whole. For the whole process to be effective it then needs to be kept up-to-date. Good management information is the life-blood of any firm and in the current regulatory environment management information could be seen as the need for evidence, evidence and more evidence that a firm and the senior managers running it have done all of the right things in all of the right ways. Part of high-quality management information is the need to challenge constructively the assumptions, scope and limitations on all reporting. In today's world the challenge needs to extend to all areas of the business and not just those that are overtly or directly regulated. A case in point is that of the Nationwide Life Assurance Company, which in May 2015 was fined $8 million by the U.S. Securities and Exchange Commission for breaches regarding the processing and pricing of subsequent purchase payments and redemption orders for variable insurance contracts and underlying mutual funds. The issue at the heart of the enforcement action was something as apparently mundane as the procedures governing the collection of mail. Although this is not an area directly covered by the rule books, in this instance procedures had not changed for almost six years, and this ultimately led to Nationwide Life being in breach of its regulatory obligations. 3. Personal archive Senior managers not only need to contribute to their firm being compliant but must also be able to demonstrate their own discharge of their personal regulatory obligations and accountabilities. As part of the required core competency of senior persons being able to manage their own personal regulatory risk there are a number of elements to consider: In a somewhat different angle to the use of job descriptions as part of the internal environment, it is clear that the job description of the future will be significantly more detailed than those previously used, and for the protection of both the individual and the firm it is critical that all regulatory criteria and expectations are included. As part of the daily management of the firm senior individuals will routinely need to collect and maintain the evidence to show how they discharged all of their obligations and responsibilities. Consideration should in particular be given to the need for a "decision register" to help all senior managers to evidence the decisions taken and also the basis on which they were taken. Similarly, when roles change, detailed documented handovers need to become the norm to ensure that all concerned can manage their personal regulatory risk. It could easily be seen as a cottage industry but the greater level of documentation regarding job descriptions is an essential part of enabling senior managers to demonstrate the appropriate discharge of their responsibilities. Another valuable investment would be to build knowledge and awareness of the implications of the changing regulatory environment. Engaging in a rolling regulatory training programme is one option: apart from anything else there is a significantly greater likelihood of enforcement action for any unprepared or unaware individual. Given the global political will and the changing regulatory approach, senior managers who ignore regulatory developments are likely to feel the full brunt of supervisory enforcement. Even if a senior manager is not banned as part of any enforcement action it is unlikely that an individual who has "only" been fined will work again in a senior capacity in financial services. Senior managers need to build and maintain their own personal archive of evidence to demonstrate the full and complete discharge of their regulatory obligations. For some quantitative elements that is likely to be a relatively simple process but there are often challenges when culture is added into the mix. Rather like a decision register, one quick win could be to gather together all board and other meeting minutes which evidence the challenge and engagement by the individual. Last but not least is a point on intellectual property. When a senior manager changes firms it is entirely reasonable that he or she should be able to maintain a suite of documents to support his or her compliance behaviour, but given that at least some of the documents could be business-sensitive and the intellectual property of the firm, sensible arrangements will need to be made to enable the senior manager to access the documents under certain circumstances as and when they are no longer employed by the firm. Susannah Hammond is a regulatory intelligence expert in the Enterprise Risk Management division of Thomson Reuters Regulatory Intelligence; the views expressed are her own.