The event in Amsterdam in October 2022 brought global heads of compliance together for a wide-ranging and engaging panel discussion. Richard Middleton, the MD of AFME, chaired the panel covering subjects including upskilling the compliance function; embracing innovation and technology; new working models and structures; and what keeps compliance heads awake at night.
He started by asking his panel to give a description of their compliance program. Jacqueline Joyston-Bechal, MD at JP Morgan (JPM), kicked off and said the views were her own and not those of JPM. Her firm had one department that combined compliance conduct and operational risk, all wrapped into one management structure that reports into one person. This is all within the broader risk world. The theme continues with one risk management framework, one system, one risk taxonomy, one controls library and one reporting structure. All that covers all of the businesses globally across all JPM entities, providing a framework and structure for all assessment, identification and mitigation of risk. It is well assimilated between operational risk and compliance.
Compliance has traditionally been more of an advisory function and mainly resourced by lawyers. But it has become much more of a risk management function. The combination of conduct risk, operational risk and compliance risk is a recognition of that. It is an acknowledgement that everything compliance does, whether providing expertise or navigating regulatory change, is viewed through the lens of risk identification and how to assess it. It is a risk-based approach.
Not everything can be covered – there is a need to prioritize. But having that risk management lens is a protection so all that is coming can be analyzed to provide an early warning. There is a lot to manage but a framework that can process operational risk and compliance helps.
The framework, systems and process are all global. But the way it is interpreted (whether by legal entity, metrics, governance, legal entity reporting to boards and regulators) is all done very much by that legal entity which is fully accountable. The center only provides the framework through which the legal entity teams operate. It is a tricky balance of the need for standardization and equality in a large organization, but there is still legal entity autonomy which requires execution.
Seung Earm, Head of Regulatory & Territory Office, BNP Paribas, offered her view next. The roles of compliance have evolved in the last two decades and she has experienced these across many institutions. Compliance started to work more with risk management and that has grown to work with legal and operational risk. Risk management is the watchword where there are no right or wrong answers on set-up or how to manage the compliance risk.
Trends tend to evolve rather like the three lines of defense, especially if looking back across a 20+ year career in compliance. This is now very different. The first line is handling so many new risks, such as complaint handling and financial security. Second line people have started to move to the first as they need much more expertise for first-line risk management so that second-line monitoring and testing becomes more efficient.
There are so many changing regulations coming from so many different directions and the volume is overwhelming. The risks that result require prompt attention with less resource as these departments are under cost pressure, so prioritization is crucial. It is essential to identify the key risks that are attached to the sort of business sought. Outsourced compliance functions offer a different set of challenges from an oversight and supervisory perspective.
The compliance framework has evolved significantly in terms of where legal risk and conduct might occur, and how the three lines operate, and the nature of the tasks in each line. Regulators will expect the same level of responsibility for business and compliance whether it is outsourced or not.
Guillaume Loeuille, CCO, Global Financial Services, Natixis said his firm has a more traditional compliance framework and responsibility for the second line in terms of conduct and even technology risk management, so it is a very wide remit. Compliance is not yet fully integrated with Legal or Risk but obviously works closely with colleagues there. His firm operates one compliance risk framework across a group of entities. It is a process to develop what was a retail banking framework and adopt the right approach here to inform the board about compliance risk in a credible and meaningful way.
They also invested significantly in an offshoring project in Portugal. This started three years ago to outsource compliance processes from surveillance to compliance reporting and now financial crime. This is bringing new capabilities to the compliance function but requires more control centrally to manage and oversee this activity. It is an exciting challenge as so much is moving and the goal is to ensure all the pieces fit together. His team is generating a lot more data and needs better skills to analyze it to identify blind spots and be more proactive.
Seung Earm said there is plenty to do on key trends and risks. Market abuse regulation was implemented in 2016 and has seen lots of challenges from regulators quite consistently. So the questions posed are:
- is your market abuse surveillance working?
- are you looking at the controls?
- when you look at the market abuse framework, which for some originated as long as six years ago, do you check and challenge it to ensure it helps to preserve market integrity?
Many have been involved with pre-hedging and what is insider information, an issue that is coming back as a very sensitive issue. Seung Earm also highlighted the importance of quality data. Some might feel compliance is involved with data but compliance does not have ultimate responsibility for it. There is a need to work with a diverse group of functions within the firm to produce better data – this might be in transaction reporting where there are multiple stakeholders involved and it does originate from compliance.
The quality and accuracy of transaction reports was mentioned in the latest FCA MarketWatch newsletter. No one should ignore the data held within the firm from communication channels in terms of what is approved and what is not. This is so topical and brought into more focus by hybrid work and new tech. What works for the firm and the level of risk and what is required to give management the comfort they need? Seung Earm’s personal view is that some unthinkable developments may emerge based on previous regulatory change. A good example is how investment banks and analysts were previously engaging in the dotcom boom until the global settlement established by Eliot Spitzer. Compliance needs to be ready to accept significant change.
Jacqueline Joyston-Bechal turned her attention to trends and risks. She said there is no need to repeat market abuse which is so topical in the UK but globally the key question is what is the second line actually doing. If an issue occurs related to market abuse or surveillance, it is a first line responsibility? What was the second line doing, where was compliance, should the compliance framework have spotted this and was testing being done to monitor this? Was it reported to senior management? Who was responsible and accountable?
Looking at the second-line buffer between the first-line activity and the regulator is very much the focus especially in the US over the last three years, and now in the UK and EU too, she said. There is real clarity now about what should sit in the first and second line. The first line is responsible for their businesses. Period. Whether for complying with regulations, putting controls in place, monitoring issues, the first line is absolutely responsible.
Compliance has historically always filled gaps. But it does need to retreat and do what it is supposed to do. That is the challenge – provide expertise but the challenge function is key and more and more important. The three lines of defense have been in play for years now but compliance is still gap filling. It must provide value while the first line matures. Control functions are maturing significantly. It is the duty of compliance to take a step back and reply to regulators to explain the challenge and what was done to mitigate the risks.
Guillaume Loeuille said it had been noted that those in the business do sometimes struggle with what they are accountable for and what is good practice. This often gets revealed when reporting is discussed. It is the next step in terms of the right process around this activity and the best controls where they need the guidance.
So the role of compliance is to be a risk monitor and to help the business to understand the compliance framework, as well as regulatory expectation. This is a challenge because so much is changing in every field such as market abuse or transaction reporting. With reporting, how do we use the data available to the firm in a meaningful way? How do you get value from the two different processes and outputs from transaction reporting and surveillance? How are these reconciled? It is fulfilling.
The moderator asked the panel how they could best challenge the business in new areas such as crypto or ESG where the concepts are so nascent and unestablished.
Guillaume Loeuille thought that the compliance team needed to be fully aware of its role. In the past the advisory nature of compliance as a trusted partner perhaps meant that the business was not aware of its responsibility in ownership. Compliance needed to be part of the discussions, and the business is more aware of the change as they are more exposed to the regulators directly now. They are asked about their view on certain topics and risks. This reveals if the business understands the regulatory framework. Compliance also exerts more pressure to get the business to equip itself – working with the first line over the last three years to develop risk ownership.
Seung Earm said compliance needs to upskill and be aware of trends and new areas. Conduct and culture are both key – it does not matter how the second line performs if there is no fundamental will in the first to do the right thing. No system or control, monitoring or testing, can make up for that.
Before the hybrid environment, business people were meeting clients off site or in a meeting room where there were no chaperones or recordings. People were coached on expected conduct. These principles need to continue: there needs to be a little trust, and the right culture with appropriate training. More controls can be put in for this new environment, including new technology, but conduct and culture is such an important element for the business to adopt. There is a balance between the control framework, work with compliance, and a strong monitoring structure.
Jacqueline Joyston-Bechal turned her attention to compliance resources management. She said the skills required for a compliance officer have changed and evolved quite dramatically over the last few years as they become less advisory and more of a risk management function. To be a good risk manager you need the expertise to properly challenge as well as measure and assess the risk, and to properly understand what the regulations actually mean and require, what regulators expect. So the need for certain skills is growing.
There are still advisory and data risk management skills, the ability to challenge. Sometimes the simplest questions are the most effective. Even where expertise is limited, you can carve out the right questions. Data analytics capability is vital as better tech is deployed. This encompasses getting new data points to manipulate that data, provide the right focus, prioritize reporting, connect systems and report data so that a compliance person can apply their judgment. This is a talent war as other industries want these quality people too.
The moderator concluded the event by asking the panel what kept them awake at night.
Seung Earm said the question was tough to answer as there are so many things! The sheer volume of regulations is overwhelming. No one can honestly claim to have full coverage and compliance. How do firms deal with all of the regulatory change and manage the risks when all are expected to do more with less? EU/UK divergence is a challenge as new regulations emanate from both and many firms with offices in the UK are required to comply with both. They can be quite different and this can be operationally burdensome to follow and implement on time. It makes it an uneven playing field for those that have to comply with both regimes.
Data and its quality is a big concern, and the increased reliance on information technology. It needs constant investment and update to ensure systems are compatible, whether front-end booking or downstream, so that reports are consistent. Ultimately a robust framework is needed so all of this is working. Controls/monitoring and risk management are all so important for multi-function responsibility.
She said the geopolitical mix creates challenges for firms right now, especially for sanctions compliance. There are so many high-risk areas such as sub accounts, custodians and omnibus accounts. Monitoring is not a new one but most are still struggling to get it right. Finally, the need to focus on consumer duty and what is a proportionate approach for wholesale firms and the risk of indirect retail interactions that must be right. This is a concern when faced with a principles-based regulatory regime.
Guillaume Loeuille told the audience he seems to sleep very well as he is so exhausted each day. He provided a similar list to Seung Earm. The resourcing challenge is one of the hardest, especially as expectations from the compliance team rise – often needing to look at doing things differently (e.g. near-shoring or a data-driven compliance approach) that requires different skillsets but must not distract from the usual compliance program needs. Budgets are not huge to allow transforming this overnight so the right choice of use case is important to demonstrate to stakeholders, investors, management and regulators that the investment improves the quality of the team and its output. Compliance process around financial crime and market abuse needs to move away from false positive reduction to quality time on effectiveness. The balance is not breaking things while upskilling and embracing new challenges. Much of it depends on finding the right people.
Jacqueline Joyston-Bechal said financial crime is usually the top risk for any financial institution. However impressive your controls, the risk is always there as it is so complex, whether sanctions, KYC, AML etc. What concerns her most are the surprises where the risk framework has not identified or has wrongly assessed a risk that has then blown up. Most senior management and boards can cope with risks if they have been reported, discussed and mitigated so they can be dealt with. There is so much to deal with but that is why it is such an exciting job and compliance people never get bored! Keep going, and get that framework right as that is the best protection.
Please note this is not an exact transcription of what was said at this event and has not been approved by the speakers – it is a report of the discussion by the reporter who attended the event.