Regularly reviewing your compliance framework not only helps you to ensure you are meeting your regulatory requirements but also provides you with peace of mind that you have the right compliance policies, processes, systems and controls in place. Through regularly undertaking compliance healthchecks or ‘deep dives’ for our clients, we’ve identified a number of common areas where improvements are necessary:
- Weak governance: A significant component of robust governance is evidenced oversight. In other words, frequent review by the management body on all areas of the business, proper minute taking, delegation of actions and follow up on those actions in subsequent meetings. Too often, firms lack detailed minutes evidencing what was discussed and/or evidence of tracking issues to closure.
- Risk management weaknesses: This is an area that often receives insufficient attention at many small to medium-sized firms. It is common to hear small firm CEOs and compliance officers state that they actively manage risk; however, they have no documentation that evidences what they do, how frequently and how issues are dealt with. The old mantra holds true: if it is not documented, it did not happen. Failures expose the firm and the responsible senior manager to charges of negligence and failing to act with due care.
- Compliance monitoring and reporting: Many firms either do not have a fit-for-purpose compliance monitoring programme or are not able to demonstrate through documented files what was reviewed, when, the findings and remedial actions taken. Compliance discussions in formal meetings should also be much more than a cursory ‘all is well’ statement. Suitable management information on compliance issues, such as complaints, employee training or best execution monitoring, should be reported to and considered by management.
- Weak conflicts management processes: Every business is exposed to actual or potential conflicts. These conflicts may arise from outside business interests, remuneration structures, information flows, or personal relationships. Often, firms are unable to demonstrate that staff understand what conflicts are and how to report them. Therefore, the firm is unable to identify and effectively manage the conflict. An empty Conflicts Register often points to weaknesses in conflicts management.
- Breach and other notification failures: Certain breaches, for instance breaches of the Senior Manager & Certification Regime (SMCR) conduct rules, need to be reported to the Financial Conduct Authority (FCA). Aside from breaches, significant developments in a business, for example new product or service lines, new critical third-party service provider appointments, or capital adequacy issues, need to be notified under Principle 11. Some firms are unable to demonstrate an awareness of what issues need reporting, or to document the rationale for non-disclosure.
- Undated, undocumented or out of date policies and procedures: The regulations are constantly changing and staying abreast of the developments can be a challenge. It is therefore unsurprising to see, as an example, best execution policies that still refer to ‘reasonable’ steps whereas the current standard is ‘sufficient’ steps, i.e. requiring a greater level of endeavour to meet best execution obligations. Just as important, and yet often neglected, is the documentation of processes. Key processes should be documented to ensure consistency and support business continuity. Failure to properly document key policies or processes, or to review and update them as necessary, heightens operational and regulatory risk.
- Transaction reporting errors and omissions: Some firms erroneously think that simply engaging a third-party specialist to help with filing T+1 transaction reports is a sufficient action. Recent comments from the FCA have, however, shown that many firms’ transaction reports were either incomplete, inaccurate or over-reported. Firms need to undertake their own initial and ongoing due diligence to verify the accuracy and completeness of the transaction reports submitted to the FCA.
- Financial crime risk assessment: The regulations require that firms carry out a robust risk assessment of their business and client-base on an annual basis to ensure sources of financial crime risk are identified and suitable prevention and detection controls implemented. We often come across a risk assessment based solely on the jurisdiction of the client. This is not best practice: a customer risk assessment should consider not just where they live but also what sector they work in, their occupation, transaction patterns, etc. Equally, many firms don't have a documented business-wide risk assessment, a requirement for in-scope firms under the Money Laundering Regulations.
- Weak suitability and appropriateness assessments: Suitability and appropriateness assessments are required for clients receiving advisory/discretionary management and execution-only services, respectively. Some firms have assessment criteria that fail to robustly consider clients’ knowledge and experience, risk appetite, investment objectives and capacity for loss. Such weaknesses expose the firm to complaints and fines.
- Weak fitness and propriety assessments: SMCR requires firms to assess senior managers and certifications annually. The deadline for assessing senior managers as fit and proper was December 2019 and certification staff must be assessed by March 2021. Despite the deadlines, there is an ongoing obligation on firms to ensure their staff are of the right quality. This means robust recruitment processes, performance management and training frameworks. Often, there is neither a documented training and competence scheme that spells out what knowledge different staff need to have, nor robust recruitment and appraisal processes that ensure staff are suitable for their roles. These weaknesses in the control environment could have a detrimental impact on culture and overall conduct, an area of substantial FCA focus.
- Housekeeping: It can be embarrassing when firms have not carried out the basics. For example, incorrect address details on the FCA Register; failing to update the senior manager records on the FCA Register following staff resignations; failing to ensure the permissions profile of the firm represents its current business; lapsed ICO or LEI registrations; etc. These hygiene indicators are the low-hanging fruit for regulators with concerns over the adequacy of systems and controls.
It is advisable for firms to undertake regular reviews of their compliance. A good starting point is a Compliance Healthcheck, which involves a high-level review of your firm’s compliance processes, manuals and documentation to ensure they are sufficient against regulatory obligations. Alternatively, some firms may prefer a 'deep dive', a more detailed evaluation of the effectiveness of the compliance framework in place with support to address any issues that are identified.
Compliancy Services offer both Compliance Healthchecks and 'deep dive' services to help firms assess their compliance. If you'd like to discuss how we can support your firm, please contact us.