Compliance focus shifts inwards
Amid all the emphasis on know your customer (KYC) initiatives in the wake of the Panama Papers, it is important that financial institutions do not lose sight of the need to apply equal scrutiny internally.
The Papers pointed to governance and control weaknesses within institutions as well as among clients, lawyers and regulators, and raised questions about why built-in risk management controls apparently failed to flag possible lapses at local and large international entities alike. Going forward we therefore expect more regulatory activity around internal governance processes and employee and senior management accountability, in addition to tighter customer-related compliance demands.
What we broadly term "know your employee" (KYE) requirements can be more difficult than other regulatory mandates because they are ultimately rooted in corporate culture, or the philosophy and business practices that underpin an organization.
Culture is less tangible, and therefore trickier to track and implement, than things like reporting procedures. Nonetheless, it has a significant impact on how individuals within an institution behave and make decisions. In some institutions culture appears to have been focused on profit at the expense of ethics, and companies should take steps to codify and practice higher standards of culture and conduct. Regulators in jurisdictions such as Hong Kong are already shifting focus from credit and market risk and liquidity conditions to non-financial risk and governance principles.
Even the institutions with the strongest cultures will likely need to take steps to ensure employees are acting appropriately. On a broader scale, this means identifying and addressing any lapses of oversight in line management, adherence to internal controls or governance procedures. It is also important to understand regulatory mandates as they translate into obligations for employees, and how these can change as regulations continue to evolve.
Processes, not police
While KYE should not entail the institution acting as a ‘police officer’ that constantly watches over employees, it is likely to involve increased and more consistent monitoring of certain activities. Many institutions have already taken steps in this regard.
In a recent webinar on KYC and KYE in Asia Pacific staged by Wolters Kluwer and the Risk Management Institution of Australasia (RMIA), 50% of 130 respondents to a live poll said they had a manual process in place that assessed employee activities related to personal trading, personal account dealing, compliance certification and potential conflicts of interest on a regular basis. Another 34% reported having an online system that performed such assessments; only 16% said their institution seldom conducted evaluations of these activities. More companies are likely to opt for automated solutions in the future as a means to formalize the monitoring process, and reduce room for inconsistencies or errors.
Setting an example
Beyond governance procedures and auditing systems, perhaps nothing is more important in encouraging sound employee conduct than setting the tone from the top. Conscious of this, regulators globally are apportioning greater accountability to senior management, including CCOs, CROs and CFOs, to prevent and act against indiscretions.
The Senior Managers Regime and Certification Regime released by the UK Financial Services Authority, for example, hold senior executives personally responsible for strategic decision-making across the institution. They have to attest on an annual basis that (to the best of their knowledge) the institution’s practices are sound. If an incident occurs and they cannot prove they took reasonable steps to prevent it, they may be held personally liable or even banned from the industry altogether.
Asia Pacific regulators have demonstrated a willingness in the past to hold senior management accountable for instances of market manipulation, anti-money laundering violations and insider trading. Taking a cue from their counterparts in the UK, we expect regulators in the region to examine tougher penalties specifically targeting senior executives for internal operational failures. This will prompt senior management at financial institutions to seek reassurances from their business units that they are equipped with a solid governance framework and have instituted ethical codes, controls and risk management procedures that employees adhere to.
The big questions for many institutions will be who is responsible for providing all this information, and how it can be verified. Overall there is likely to be more pressure on compliance, risk and related staff to report ‘internally’ as well as to external regulators -- an additional argument for a well-established, technologically supported and flexible approach to governance, compliance and risk.