From New York to Hong Kong and everywhere in between, the recent levying of fines worth many million or even billions of dollars against some of the world's largest financial institutions has put compliance squarely in the spotlight.
But compliance creates something of a conundrum these days. When done properly, there is no problem, but as the regulatory burden grows, so does the risk of running afoul of new rules. Compliance departments in large multinationals have limited annual budgets and must cope with a constantly evolving regulatory environment in each country where they have operations.
Compliance issues may have initially gained prominence in the financial sector, but non-financial organizations from Wal- Mart to FIFA – the scandal-laden international football organisation – are finding themselves under increasing regulatory scrutiny and subject to major fines, or worse.
"The trend doesn't just apply to banks and financial institutions any more, it also applies to corporates, it also applies to the gaming industry," says Antonia Thompson-Carey, Market Development Manager for Risk at Thomson Reuters. "A lot of people are thinking, 'I'm not a bank, it's not going to affect me', but it's just a matter of time – nobody's going to be exempt."
DO THE DUE
One of the biggest issues in the compliance space is the intensifying focus on know-your customer (KYC) requirements. This trend puts pressure on customers and suppliers to open up to due diligence that now probes deeper than ever before.
"There are so many examples of suppliers and other vendors getting companies into trouble – through data breaches, for example – that it is understandable that regulators are putting emphasis on this," says Zachariah Ezekiel, AVP and Head of Compliance at Manulife in Singapore.
"Similarly, the bar is going up on client due diligence," Ezekiel adds. "FATCA is an obvious example of this trend, as is the increased emphasis on tax crimes by antimoney laundering authorities. I believe that governments and regulators are responding to a public perception that some people aren't paying their share of the tax burden."
Although few question the rationale behind the growing emphasis on due diligence of customers and suppliers, it is creating vastly larger workloads for large companies operating in numerous markets and dealing with a vast number of suppliers and customers.
To add another layer of complexity to the mix, due diligence work can no longer be a one-time effort. And for in-house practitioners, the bar can be quite high.
"Third-party due diligence is the biggest problem I face," says Scott Baucum, Global Director of Monsanto's Business Conduct Office.
"We have to know who we're doing business with. We have to know who owns or controls them, whether they're on a list of enforceable sanction on prohibitied parties. We have to know a lot of information about someone before we can even negotiate with them," Baucum explains. "Additionally, we're facing the onset of procurement-managed contracting – that results in higher provider and supplier turnover, which increases our third-party due diligence and documentation."
Needless to say, this is creating a rapidly growing demand for professionals who can competently navigate the constantly shifting compliance space.
"I think a major consideration for compliance leaders will be attracting and retaining talent," says Ezekiel of Manulife. "The demand for skilled compliance professionals continues to exceed supply, particularly as banks continue to staff up in response to recent regulatory enforcement actions."
"The winners of the battle for talent will be those that can think creatively about sourcing talent from within the business and other control functions, rather than only sourcing recruits from diminishing pools of experienced compliance officers," he adds. "Non-legal or compliance hires can bring great insight, practical experience, and rapport with business leaders."
THE TECH IMPERATIVE
In addition to having the right staff in place, companies also need the right tools to facilitate their challenging job requirements. Tools such as the World-Check due-diligence database service offered by Thomson Reuters are helpful in the seemingly endless pursuit of full regulatory compliance.
However, given the mind-bending complexity of coordinating, confirming and updating across multiple departments in multiple countries with differing regulatory environments, it should not be surprising that there is no one-size-fits-all solution.
"Technology is transforming almost every aspect of business, and compliance is no different," Ezekiel says. "Areas such as anti-money laundering, sanctions and trade surveillance, and fraud management are already very systems-dependent, and getting more so."
The growing reliance on technology for compliance work is not just creating the need for IT literacy, but also for a shift in how employees are trained and even how they approach their roles.
"We're going to need to pay attention to training in terms of the next generational workforce change because employee thought processes are very different regarding all these things," says Baucum.
This shift in individual training will also be concomitant with evolving relations across different departments that perhaps had previously operated with more independence.
"In the past I was more on the enforcement side of compliance," Baucum says. "But in the future, I'm going to have to have much tighter partnerships with my controllership, much tighter partnerships with my substantive regulatory compliance groups, and we're going to really need our systems to be integrated so we can ensure compliance over all these areas."
With growing integration and reliance on technology, however, comes additional risk.
"It's interesting to see the growing nexus between privacy and information security," says Ezekiel. "Asia is seeing new privacy laws and heightened public awareness of identity theft and data security. This means that compliance professionals are increasingly being pulled into less familiar, technical discussions. As a profession we are going to need to adapt in order to adequately support the business."
"From a compliance standpoint, keeping data safe and making sure that people cannot penetrate our organisation and steal assets and cash as well as intellectual property – that is something that we're really going to have to watch, as statistically, it is on the rise," says Baucum.
Simply having the means to collect large amounts of data is not enough, Baucum notes. Real value is created when that data is properly analysed and presented in a way that reduces redundancy while tightening the net.
"If mergers and partnerships take place in the States, we need providers to stay focused on bringing the procurement operations together with third-party due diligence, and the reporting and metrics tracking pieces have to move toward the analytics element, not just telling me how many claims I had in a country last month," he says. "The ability to manage risk from distilled data is huge. Data alone is not going to be enough."
CULTURE IS CRUCIAL
Although the administrative and technical demands of staying on top of one's compliance game can be daunting, organizations should take solace in noting that one of the biggest factors in ensuring compliance comes down to the most basic element of a group working together – culture.
"There are huge requirements to knowing your customer, and the evidence points to the fact that different organisations have different cultures," says Thompson-Carey.
"Compliance becomes difficult if you don't have a culture of doing the right thing, if you don't have systems in place, if upper management isn't engaged and switched on, if you don't have a code of conduct."
In his report "Ten Regulatory Risk Insights for Asia Pacific in 2015," Niall Coburn of Thomson Reuters Accelus puts it simply: "The culture within a firm is a barometer that dictates the need and intensity of the amount of regulation and supervision required."
"Firms must concentrate on improving culture and aligning the firm's interest with those of the customer in the way business is being done," Coburn notes. "If there are customer complaints or issues, firms must have an effective way of handling them, acting in the customer's interests to fix issues in an effective way that brings matters to resolution."
"Compliance exists because somewhere along the line somebody treated others poorly or abused the system," says Baucum, noting that an emphasis on treating people fairly goes a long way in reducing the chances of compliance issues cropping up.
"Establishing a culture of honesty and integrity – and respect – is a big part of avoiding compliance issues," he adds. The huge influence of social media can also provide a helpful feedback loop for organisations, he adds. By pressuring organisations to focus on sustainability and corporate social responsibility, social media can alert companies to issues early on.
Where is this all headed? Nobody can answer this question with any certainty, but one of the big issues that should become clearer in the short term is the degree to which personal liability will become attached to compliance failures.
"I remember personal liability being a topic of discussion in North America a decade ago," says Ezekiel. "If it isn't taken to extremes, it is probably a useful reminder to individual leaders within organizations that they are accountable for their decisions and responsible for implementing appropriate controls."
If rulings trend toward increased personal liability for the C-suite and other top-level management in the compliance space, however, there will be major ramifications within companies, says Baucum.
"If executives are prosecuted, I think we're going to see this have an impact on the budgeting process, and I think we're going to see more attention on compliance excellence in companies," he says. "Executives pay attention when executives go to prison."