Regulatory risk is no different from any other type of risk in that it is impossible to mitigate adequately from a position of ignorance, and it is the extent of this ignorance which defines the level of risk we take. It is not sufficient to know that you risk regulatory censure for non-compliance. You have to know the rules, requirements, restrictions and, in particular, the regulator’s expectations in order to ensure you comply. Yet twenty years into the UK regulatory system, the FSA still spends most of its enforcement effort not on crooks and conmen hell-bent on deliberately breaching the rules, but on firms and individuals who are in breach because they have insufficient knowledge of the requirements to manage their risks adequately.
Managing regulatory risk is extraordinarily simple, yet so many firms and individuals do it badly. They confuse compliance with honesty. One can probably mitigate 70% or 80% of one’s regulatory risk by having high standards of honesty and integrity and a sense of fair play (many of the regulatory requirements simply codify these qualities), but good compliance still requires you to know, do and refrain from doing certain things. So why are so many firms and individuals unaware of what these things are?
In simple terms, people only take time to learn things if they perceive a significant risk in not doing so. In the alternative asset management sector, why would firms and individuals rank regulatory risk as significant when for years the FSA has been telling them they are ‘low risk’ (the standard FSA categorisation of a hedge fund) and has reinforced that view by taking a hands-off approach to enforcing the rules and regulations? In 2001, not only did the FSA stop its programme of standard inspections of hedge fund managers, it even stopped asking these firms for the standard annual self-certification of compliance. In short, there was almost no regulatory risk in non-compliance, or at least many firms saw it this way.
Over the past two years the FSA has been changing all that, as it finally wakes up to hedge funds. Alternatives firms are now firmly on its radar. Hedge fund managers need to be acutely alert to that fact.
After years of enjoying a relatively easy compliance life, management and staff now need to adapt to the changing regulatory environment and take more time to understand their regulatory obligations. The regulatory approach has changed steadily over the years and, combined with MiFID, now goes far beyond the traditional rules, which were almost all linked to the management of one conflict or another.
The rules are now also about organisational behaviour, business and operational strategy, risk management, allocation of responsibilities, training, supervision and management reporting. Compliance is about achieving the right outcome rather than following a defined process.
As the FSA Handbook gets smaller, firms are being challenged by the FSA to grasp the regulatory Principles and develop their own rules, to identify what compliance policies, procedures and controls they should have in place in order to best mitigate the risks they face. And they are being asked to implement them not so much in accordance with a set of prescriptive rules but in the spirit of the Principles and in a way which suits them, given the size, nature and complexity of their business.
Compliance is becoming a management theory and business philosophy; something which is much harder to codify in a traditional compliance manual. The FSA has traditionally set prescriptive rules to address the key and most obvious conflicts facing firms, but its new rules, in recognition of an almost infinite range of potential conflicts, require firms to think harder and more laterally about their own conflicts and to design their own internal rules and procedures to manage them.
In order to do so effectively, staff need both knowledge of the Principles relevant to their area of the business and an understanding of the business, investment and operational issues which might bring them into conflict with the Principles. To do this, many staff will also require a broader understanding of the business than that required merely to perform their specific functions.
Compliance staff require an in-depth knowledge not just of the business but of business management and corporate governance. Compliance is no longer a box-checking exercise. Without senior business management experience it is difficult to see how they can properly advise management on how to develop a control infrastructure across the business capable of mitigating the risks faced by the business. In fact, without an intimate knowledge and experience of the asset management industry and an understanding of its interactions and relationships with other parts of the financial services industry, it is difficult to see how they can even assist in the identification of the risks to be mitigated.
It is interesting to note how many of the large London-based hedge funds have traded up and hired high level ‘grey haired’ Compliance Officers in the past 12 months, people with the aforementioned qualities who are capable of adding real value.
Investing in good compliance resource, whether internal or via external consultants, is of course vitally important, but management also needs to invest more of its own time in compliance and require its staff to invest more of theirs. Management needs to understand the FSA’s new approach to compliance and its emphasis on the Senior Management Arrangements, Systems and Controls (SYSC) rules. It needs to invest time reading these rules in order to understand them, and take time discussing its response at Board level. SYSC cannot be delegated to a Compliance Officer; SYSC is about how a firm is organised and managed, and that is a function of the Board as a whole.
Other employees will also need greater awareness of the FSA Principles and SYSC as they apply to them, and better training to match. This is not a significant commitment and is perhaps measured in hours a year rather than days or weeks, but it must be quality awareness and training. Thirty-minute induction sessions and thirty-minute anti-money laundering CBT are no longer the answer, as many firms seem to have realised given the explosion in demand in 2007 for ‘alternative’ compliance training. And there needs to be an agreed programme of continuous training and awareness as the regulatory regime and the regulator’s expectations change and develop.
Compliance Officers need to get their heads out of endless, and frequently pointless, paperwork and focus more on learning the business and on advising, training and supporting staff. Management needs to look carefully at the way in which compliance is structured within the firm and have a means of measuring its effectiveness. More compliance staff is not the answer. Too many cooks don’t always make a better compliance broth.
Craig Nichols is a consultant with IMS Consulting Ltd, a specialist firm of asset management compliance consultants