It's safe to say that compliance is becoming less and less about rules and more and more about standards.
Regulators across the globe increasingly expect firms to demonstrate they're making compliance an integral part of their decision-making processes.
More to the point, compliance programs now have to — as the US Department of Justice puts it — "...give both content and effect to ethical norms..." Which means firms must demonstrate they're not just following the letter of the law, but fostering a culture of compliance at every level.
Needless to say, giving practical effect to ethical norms and ensuring everyone in the firm believes in and sticks to them creates its own unique set of challenges.
In our latest webinar, Policy management, governance, and leveraging your culture of compliance, Volkov Law Group, CEO Michael Volkoff, Nvayo Limited's Global Chief Compliance and Risk officer and UK MLRO Willem Wellinghoff, and Clausematch's EVP of Sales Jeff Weiss discuss:
According to Wellinghoff, firms with a strong culture of compliance have two hallmarks.
Firstly, people at every level understand what their roles are, who is accountable, and for what. This means policy documents are readily accessible so they can be consulted when needed. And, crucially, staff's engagement is continuously measured.
"Regulators," explains Wellinghoff, "expect companies to keep track of metrics like how many times people look at your policies and which parts they're reading. What are they interested in? And where are they asking questions?... Words are cheap... You need to show there's genuine interaction and engagement... "
Secondly, staff training isn't a once-and-done deal.
The regulatory landscape, firms' risk profiles, and, in turn, the contents of policy documents change over time. At the risk of stating the obvious, staff can't stay compliant if they're not informed and clued up about these changes.
But regular evaluations have another key role. "Regular risk assessments," notes Wellinghoff, "pick up your weaknesses, so you can mature."
In other words, by objectively looking at what you're doing right and where you could improve on an ongoing basis, you can enhance and reinforce the importance of compliance across your firm.
If well-written, easily accessible policies and continuous improvement strengthen your culture of compliance, building that culture in the first place requires vision and an overall strategy.
In this regard, the U.S. Department of Justice lays down two requirements for an effective compliance program.
Firstly, you need a code of conduct that proves you're compliant with the law.
Secondly, you need policies and procedures that incorporate compliance into the firm's day-to-day operations.
But how do the two fit together?
According to Weiss, the code of conduct "sets out the organizations' overarching expectations."
But to ensure a compliance program is well-designed, he argues, "we need to take a step back, even from the code of conduct itself, and put in place a policy about policies."
A policy about policies is crucial, he explains, because "You really need to standardize how you're going to go through the process of creating and managing policies and the lifecycle of those policies within your organization."
In other words, having a policy that governs both how policies are managed and how they're written simplifies the compliance process and ensures consistency in tone, language, and approach across the firm.
Unfortunately, codes of conduct and policies are surprisingly easy to get wrong.
"I've seen some great codes of conduct," says Wellinghoff, "But I've also seen huge documents no-one would ever read because they've become so unwieldy they've lost the essence of what they're designed to do."
Volkoff wholeheartedly agrees. "I think the code of conduct is an important enough policy statement that it should be on both the firm's intranet and their customer-facing website. It should be written for a basic audience, be available in foreign languages, and contain no legalese."
"We also need to establish some kind of framework for updating it, making sure there's a regular cadence," he continues.
Put another way, because codes of conduct promote firms' ethics, they should be clear, concise, accessible, and be regularly reviewed.
But what about policies and procedures?
The US Department of Justice sets out five key elements for well-written policies:
It's not surprising that these echo what Volkoff and Wellinghoff observe about what makes good codes of conduct.
"Policies are core documents which you use to evaluate your employees' performance on," notes Wellinghoff. “so they should be clear and concise.”
"The acid test should be that, if you give it to an 11 year old and they understand it, you've got a good document. Not always easy when you're talking about regulation, but possible."
Similarly, making both your policies and your policy management process as accessible as possible helps ensure there's no confusion, which makes it easier for staff and for the firm to stay compliant.
"You need to have a clearly defined process for designing and developing and approving policies, depending on what the policy is and how integral it is to the organization," says Weiss.
"And then, how to document it and have a single source for your employees to go to to find those policies. This is critical to the comprehensiveness of the program and also to the development of the policies themselves."
But perhaps the most overlooked aspect of an effective compliance program is the need for operational integration, not just within the firm itself, but also with the business partners to whom critical functions are outsourced.
The regulatory consequences of poorly-managed outsourcing arrangements are well-documented. With this in mind, Volkoff argues that involving business partners is beneficial because it makes them "feel they have a stake in the process, I think that's going to help. We can't have 3,000 compliance officers watching everybody every day."
A recurring theme in modern compliance is the size and ever more complex, challenging, and business-critical nature of the workload.
Experts have been arguing that technology has become a must in compliance for years. But regulators' growing emphasis on ethical behavior has made the case for it more urgent than ever.
"RegTech solutions like Clausematch," says Willem Wellinghoff, "allow organizations to literally upload new legislation, tag it, and immediately see its impact on their current policies and procedures.
"That's extraordinarily powerful.... You can get an understanding of how your policies are worded on a consistent basis. And, using tagging, you can build a governance map —creating a web of policies and statements and how they fit all together."
That power, notes Weiss, becomes even more critical for firms with an international presence.
"It's not just language... it's really localization and making business decisions on how you're going to implement things like data privacy," he elaborates.
"Firms often have a master policy and variations based on the territory they operate in. You can't manage and enforce the policy effectively if you don't understand the maze of linkages between the master policy and all the localized versions."
Ultimately, says Willemhoff, "it's almost impossible to stay on top of regulatory change on an international, or even on a national level if you're managing many different portals and reviews aren't happening consistently. You need a really good control system..."
Moving from prescriptive rules to a culture that prioritizes 'doing the right thing' is beneficial for everyone — regulated firms, customers, and society at large.
But it's also easier said than done.
To have a strong culture of compliance, leaders need to set the tone from the top and norms of expected conduct should be crystal clear to everyone.
But, most important of all, everything has to be documented and regularly reviewed. Which means technology is essential.
"Regulators won't take your word for it that you've done something," concludes Volkoff. "If it's not documented, it didn't happen."
Having the right technology in place ensures you have a system of record to prove this accurately, cost-effectively, and with less effort.
Want more insights about the key role of culture in staying compliant and how technology can help?