Effective compliance function by improving compliance norms, compliance monitoring, culture and compliance technology
Nowadays, if an organisation strives to be successful in the long-term, it is not enough for it to have effective marketing, communication, operational, finance and information management. It also must have effective risk management systems. When we speak about compliance risk we should think about effective compliance function, compliance norms, compliance monitoring and compliance technology
Almost any organisation is exposed to compliance risk. In broad terms, the compliance risk is defined as
the risk of regulatory or legal sanctions leading to significant financial losses, reputational losses or any other problems the organisation may experience due to its failure to comply with laws, regulatory requirements, or any other rule the organisation is subject to
Indeed, the extent of the compliance risk depends on the size of an organisation, its activity, its jurisdiction, regulatory status and regulators. In any case, an adequate response to the compliance risk is crucial for anybody exposed to the risk.
This article focuses on compliance risks that regulated financial institutions undergo. The main idea of the article is to assess critically how financial institutions can undertake compliance function more effectively and what are critical elements of effective compliance. However, the article also may be useful for any organisation willing to improve its compliance function.
Compliance function in a nutshell
Effectiveness is about producing a result that was intended. To understand how we can undertake the compliance function effectively, we need to understand what is compliance function and what it is usually aimed to achieve.
The compliance function is to make sure that the organisation is complying with all applicable laws, regulations and rules together with the organisation’s compliance norms. The definition of compliance norms is also essential. Compliance norms are
a set of interrelated norms obliging addressees to behave in a certain way such as internal standards, principles, rules, policies, codes of conduct, manuals, personalised and general instructions, recommendations and guidelines.
Compliance function responsibilities
In 2005, the Basel Committee on Banking Supervision identified five responsibilities of compliance function such as advising on laws and rules applicable; educating staff; constant identification, measurement and assessment of compliance risks; сompliance monitoring, testing and reporting to senior management adherence to the rules; statutory responsibilities (e.g., fulfilling the role of MLRO) and liaison with regulators, third-party consultants and other relevant external experts.
Today, after the financial crisis and regulatory reforms, attitude to compliance has changed. In 2013 both FCA and PRA adopted a judgement-focused approach to supervision, which, in fact, means that it is not enough to follow regulations blindly. Now, regulated companies must think in terms of ‘should we’ rather than ‘could we.’ Judgement-based supervision, strengthening of senior management’s accountability and more superior role of Chief Compliance Officer (CCO) in contemporary regulated institutions contributed to the reinforcement of responsibilities of the effective compliance function.
Today, the compliance function also influences the organisation’s strategy and business model. Not only is it responsible for creating compliance norms, but also it is responsible for the creation of effective mechanisms, systems and culture stimulating willingness of employees to comply and think in a way that would foster compliance.
How to improve the effectiveness of the compliance function
There are many ways to look at how the effectiveness of the compliance function can be improved. Firstly, each responsibility of the compliance function discussed above can be carried out more effectively. For example, by improving compliance training, an organisation can expect fewer breaches of compliance norms due to a better understanding of them by its employees. Secondly, there are their own best practices for each area of compliance.
This article focuses on three paramount responsibilities that significantly affect the overall effectiveness of the compliance function. These are drafting and management compliance norms, creation of compliance monitoring systems, shaping the culture of compliance.
The article explains why these responsibilities are essential and how they can be undertaken to contribute to the overall effectiveness of the compliance function in general, without going into details relevant for each compliance area. Additionally, the article explains why the compliance function cannot be undertaken as effective as possible without the utilisation of new technology solutions. Finally, the limitations of compliance technology and its potential adverse effect on decision-making are discussed briefly.
Effective compliance starts with the creation of effective compliance norms. Compliance norms must clearly define the responsibilities and competencies of the senior management and staff to be useful. An organisation should have a compliance structure and non-overlapping division of duties between different compliance structural units.
Additionally, addressees of compliance norms should understand the consequences of their action (both internal and external). An employee is more likely to stop or avoid breaching the norms if there are clear explanations on what constitutes a breach and if employees are aware of the internal or external penalties and sanctions they will incur if the breach occurs or continues. Finally, norms must be up to date and readily available for familiarisation to relevant employees.
The norms should be drafted following the most recent laws and regulations in each jurisdiction; industry best standards and practices (eg., COSO guidance), recommendations from intergovernmental organisations (e.g., FATF recommendations) and relevant legal and compliance literature (e.g., books cited in this article). To guarantee the effective impact of compliance norms, it is not enough for them to be well-formulated. Each firm should have a mechanism ensuring that existing compliance norms are periodically reviewed and tested for their effectiveness.
Periodical tests and reviews should include the assessment of how the addressees of the norms comply with the norms; whether there should be a re-assessment of risks, whether the norms are up to date with the applicable laws, case law, supervisory regulations, legal literature and market practises. In complex organisations, such tests, reviews and audits should be conducted by both second and third (Internal Audit Department) lines of defence.
Figure 1 shows that the management of compliance norms should result in a constant improvement cycle.
Fortunately, there is a lot of compliance management system software available that can help to spot regulatory and industry practice changes. Such software is usually integrated into the organisation’s compliance IT platforms. Such IT platform can be purchased (e.g., IBM OpenPages with Watson Regulatory Compliance Management (RCM)) or developed internally. Its goals are the maintenance and communication of compliance norms. Such platforms include a framework to manage operational risks, define policies and supporting controls to meet risks, conduct control self-assessments to validate control implementation and efficiency, and track control gaps and incidents in the environment.  More information about the use of capabilities of technology is provided in Section Technology and software.
Compliance monitoring mechanism
When does a CO understand that a breach has occurred? Without an internal monitoring program, there is a higher chance that she/he spots a violation at the same time as other employees (when it is already too late). Hence, a functional monitoring mechanism is must-have to undertake compliance function effectively. Furthermore, the presence of a monitoring mechanism itself is capable of increasing the effectiveness of the compliance function. At least in some areas of compliance, deterrence positively impacts compliance intentions of employees.
Ongoing compliance can be monitored manually or automatically through software (e.g., ERP software or trading surveillance software for MIFID II compliance) Compliance management should review the performance of employees and contractors compliance review to ensure that its compliance function is effective. At the same time, the audit department should regularly check the performance of compliance management. There are many monitoring solutions for different areas of compliance. However, the article focuses on the solution (Peer-Reporting System) that is relevant to all areas of compliance.
Many organisations overlook peer-to-peer monitoring by focusing too much on vertical monitoring and automatic monitoring by software. Any organisation willing to be compliant must have an effective Peer-Reporting System (PRS or Whistleblowing System). While many organisations do have a PRS, employees may still have low willingness to report despite the monetary incentive and regulatory protection (e.g., by Public Interest Disclosure Act or by the national implementation of the EU Whistleblower Directive 2019/1937). Moreover, in some organisations, there may be a high risk of collusion between employees.
According to various studies, employees are reluctant to report when they have a reason to think that the organisation will not stop wrongdoing and remedy the situation. Even the risk of retaliation while being a significant deterrence against whistleblowing is not a decisive factor for a person to report. Moreover, willingness to report correlates with the clearness of compliance norms and effective compliance training as almost nobody wants to report a breach when she/he is not sure whether there was a breach.
Hence, for whistleblowing to be an effective element of compliance, employees must be sure that their voice will be heard and that they will be safe from direct and indirect forms of retaliation and harm. An organisation should recognise and address risks whistleblowers are exposed to and make sure that each report is responded and each significant breach is addressed. An organisation should have a transparent peer-to-peer reporting system that employees are not afraid to use. Asymmetric (public key) cryptology can become a basis for IT reporting to ensure anonymity and option to reveal personality to collect a reward.
Additionally, a company should have a proper ethical environment. Employees’ decisions whether to report are more dependant on their ethical values and general ethics of their companies rather than on monetary rewards paid for reporting. Ideally, in addition to the code of ethics, an organisation should have inspirational senior management known for their high moral and ethical standards.
Finally, research shows that fair and high wages and bonuses reduce the risk of collusion and increase honest behaviour. When employees believe that they are treated fairly, they are more likely to treat their company fairly too and report wrongdoing committed by their colleagues.
Additionally, a share-compensation scheme may help. Equity-based rewards while increasing attractiveness of breach for some employees, make other employees associate themselves more with a company they work in and treat it fairly.
Compliance сulture and adaptability
As we have already discussed, cultivating ethical values and strict attitude to wrongdoings increase the probability that an employee will report about wrongdoings. Ethics, fairness, consistent enforcement of compliance norms and a zero-tolerance policy for non-compliant, immoral or unethical conduct are part of a broader concept called ‘compliance culture.’
Even in an organisation that has the most comprehensive policies and
the best monitoring systems, employees may find ways around to breach compliance norm or to use a loophole. Aligning interests of addressees of compliance norms with aims of the compliance function is crucial. In big organisations, honesty, integrity and ethics should be a responsibility of the designated Reputational Risk and Ethics Committee. The committee should be responsible for drafting the Code of Ethics and its promotion. ,
Promotion of ethical values is not an easy task. It is also not an easy task to hire only ethical employees. Moreover, using the human resources department as an “ethical gatekeeper” may potentially lead to discrimination and biases in hiring practices.
It is not sufficient for a company to promote compliance culture if the compliance department does not have the skills of leadership and the capacity to motivate others, including the governing body. Therefore, CCO and relevant COs must have not only practical and theoretical knowledge but also they must have interpersonal skills and the capability to understand the business and company operations as well as what inspires employees and senior management to be compliant.
The promotion of ethical values should be a task not only of compliance department but of all senior managers. Senior management plays the most crucial role in cultivating the culture of compliance within an organisation. Senior executives should lead all members of a company by their example.Additionally, both the compliance department and senior management are responsible for the consistent enforcement of compliance norms and punishment of wrongdoers. Only by punishing wrongdoers and rewarding compliant employees, the effective culture of compliance can be achieved.
Unfortunately, the old Latin proverb ‘piscis primum a capite foetat’ which means ‘the fish rots from the head’ is relevant in the context of effective compliance too. Even initially ethical employees can be later corrupted under the influence of unethical company leaders.
Compliance culture can also be improved by aligning interests of employees and their company. Equity-based compensations make employees feel like owners of an organisation and care more about its interests. Compliance training explaining the potential effect of non-compliance on stock price and employees positions is capable of inspiring employees not only to report wrongdoing but also to be more careful. Correct utilisation of equity-based rewards may be a useful tool to improve the compliance culture.
Finally, adaptability to changes and flexibility should form an important part of an effective compliance culture. Compliance function effectiveness is under threat if a company fails in time to adapt to changes in regulatory requirements and practises. Moreover, the capability of employees to adapt to a newly implement compliance technology increases the effectiveness of compliance.
The effective compliance function is taking into consideration the bigger picture of how the company accepts changes. If a change to compliance norms is not readily accepted, a breach is more likely to occur. General mentality and the company’s viewpoint towards changes should be taken into consideration.Communication, training campaigns and improvement of the company’s general adaptability and attitude to changes may help to avoid non-compliance with newly adopted norms.
The cost of a change that is not managed correctly can be quite high both in terms of expenses, lost time and effect on trust in the organisation’s compliance culture. Each change, whether it is an introduction of a new norm, software or structural alteration, should begin with prior planning. It is a responsibility of the compliance function to make sure that changes slowly become a part of the culture and that reasons and justifications for such changes are communicated to employees.Moreover, when such planning is present, it automatically reduces the number of unnecessary changes as during the planning process it may become evident that some changes are redundant.
Compliance technology and software
The article discusses compliance technology and software a lot as it is a crucial component of compliance practice. While, in theory, compliance is possible without fancy software, in practice, the more complex is an organisation, the more technology solutions it needs for its compliance function to be undertaken more effectively. Nowadays, even financial organisations authorised for only one financial service (e.g., Money Service Businesses) utilise some sort of low-tech compliance solution. The FCA underlines that usage of the software to ensure compliance is a good practice.
Technology can improve the effectiveness and efficiency of compliance function a lot. Unsurprisingly, currently, the market for compliance is continuously growing. Companies providing compliance software can be called Regulatory Technology or RegTech companies. According to Deloitte, there are at least 362 RegTech companies in 2020 helping companies to make its compliance function more effective.
Almost every if not all areas of compliance have various software solutions. For anti-money laundering (AML) compliance alone various companies provide different technological solutions that can automatically verify the identity of a client, check whether she/he is under sanctions or present in watchlists, check whether there is negative media publicity, verify the place of residence (e.g., via Facebook and by connecting through API to utility companies), monitor clients transactions including blockchain transactions and many other things. It takes ages for a human to perform analysis, while the software programs are capable of doing the same within seconds.
There are solutions to ease the administrative tasks of compliance workers. As it was discussed in Section Compliance norms, there are different compliance management systems that can digitalise administrative aspects of compliance and risk management. There is also software that makes it easier and more efficient for the effective compliance function to perform its responsibility of communicating with a regulator by automating data distribution and reporting.
Many organisations heavily rely on software to undertake the compliance function. The question is, how effectively they do it? Some organisations still rely too much on ‘old-school’ technology, such as offline Microsoft Office suite. While there are no requirements to use the most modern technology, companies that fail to use new developments either are not willing to grow the number of clients they have or sacrifice the effectiveness of their compliance.
Contemporary compliance software programs are designed to help organisations to be compliant while working with a lot of data and clients. Moreover, some new technology solutions are created specifically to mitigate high risks that cannot be mitigated manually or by using outdated technology.
Technology may provide accessibility, user-friendliness, much greater control at less cost, the ability to monitor, analyse, extrapolate information that can help to shape compliance norms and compliance strategy. It can ease dissemination of information, create content, improve risk assessment and approval workflows. Companies use compliance management software to track assignment of responsibility to specific personnel and manage accountability.
Data is the new oil. Like oil, it should be collected correctly and accurately processed to be useful. One of the most valuable use cases for compliance technology is transforming raw data into meaningful information. Still, any information should be interpreted correctly to lead to effective results in compliance. It is almost impossible to avoid false-positives.
False-positive results are not the only pitfalls and limitations of technology. Firstly, the technology is not omnipotent. It is not possible to solve certain problems with technology solutions, and many issues cannot be solved without adequate data input. For example, practise shows that currently, transaction monitoring software cannot always automatically correctly identify suspicious activity or that automatic onboarding software is not of much help when you deal with complex corporate clients.
Secondly, it is not always reliable. Software solutions can be unreliable not only due to poor programming but also due to poor tuning. It should never be forgotten that compliance norms are core for effective compliance. With poor-drafted policies, software solutions cannot be used effectively. Moreover, software solution usage and functionality must correctly reflect relevant policies.
For example, each company sets up its own red flags in transaction monitoring software based on its AML policies. Ignorance of inconsistencies between software functionality and policies may lead to breaches and fines. For instance, the FSA fined the Royal Bank of Scotland (RBS) as it failed to ensure its ‘fuzzy matching’ software remained effective, and, in many cases, did not screen the names of directors and UBOs of customer companies.
Thirdly, it is expensive, time-efficient and hard to implement new software. For example, it may take a financial institution around 18 months to implement an enterprise relationship management system. The process of implementation also involves a shift in the attitude of how decisions are made on a day-to-day basis.As discussed, new software may require careful planning and change in the organisation’s work culture. Furthermore, many small companies cannot afford software and are forced to perform most of the tasks manually. Fortunately, compliance software becomes more affordable over time and even small companies can make its compliance function more effective.
Finally, reliance on technology can be an obstacle to effective compliance function as humans are prone to automation bias. Therefore, the usage of technology should be meticulously assessed. Compliance technology solutions have bugs, and automatic reliance may lead to overlooked breaches. Compliance norms should form the utilisation of technology and not vice versa.
If the compliance function can successfully achieve its aim, an organisation is safe from penalties, liabilities and other damage such as reputation damage. Therefore, it is vital to undertake the compliance function effectively.
The first step to achieve compliance is to know rules that can be potentially violated. A contemporary financial institution may be subject to thousands if not hundred thousands of different rules by different regulators in different jurisdictions. Furthermore, these rules change from time to time. How is it possible to navigate through all applicable laws, regulatory standards? It is challenging without the help of compliance technology and dedication of the staff.
Knowledge of the most recent and relevant industry standards and legal literature helps to understand applicable rules. It is essential to understand the rules, as, without their understanding, it is impossible to draft clear and precise compliance norms that are the cornerstones of the effective compliance function.
Additionally, compliance norms must be up to date, communicated and explained to addressees to be able to prevent breaches of rules. When there is a variety of different regulations applicable to an organisation, there may be even more compliance norms applicable to its employees, contractors, and partners. Sometimes following with the requirements of compliance can be compared to managing the legal system of a small country. Therefore, the organisation and structurisation of the norms are required. With this task compliance management software can assist as well.
Unfortunately, it is not enough to create clear and conformant rules for people to obey them. Otherwise, we would not have police and other enforcement agencies. An organisation may use surveillance and other various manual and automatic methods to monitor compliance and penalise spotted non-compliance. Like legal and justice systems, compliance function also relies on reports and evidence derived from people. PRS is an essential tool in the arsenal of a company to spot and prevent wrongdoings.
It also takes some effort to have a functioning PRS. Employees are willing to report when they feel that their report can bring a result. To achieve the feeling, an organisation must have explicit norms and adequate training so an employee can be reasonably sure that there is a violation.
Additionally, a compliance department and senior managers must act on the reports and punish wrongdoers. More feelings should be cultivated for a functioning RPS. Firstly, the feeling of safety and the absence of fear of retaliation help to achieve a higher percentage of employees willing to report. Secondly, employees should feel unity with their company.
When an organisation has compliance norms and more or less effective compliance monitoring mechanisms, it can start to improve compliance norms. Compliance is an ongoing process, and there is an effect only when compliance norms are periodically reviewed, tested, and identified deficiencies are fixed.
Unsurprisingly, reviewed, improved and tested compliance norms together with compliance monitoring systems are not capable of completely stopping violations of compliance norms and subsequent breaches of laws and regulations. There are always workarounds. No IT system can be 100% resistance to hacking (at least theoretically), and there are always ways to breach compliance norms without being noticed. Nevertheless, there is a way how to achieve an effective compliance function. The culture of compliance should be achieved in each organisation.
All senior managers and compliance departments are responsible for achieving the culture of compliance. Such values as fairness, honesty and integrity should be cultivated within the company. One of the keys to successful shaping of ethical culture is to lead people by your own positive example. Without a strong leader, it is hard to achieve the culture of compliance. Therefore, COs must train the skill to lead and inspire people.
Additionally, senior managers and COs should be able to prepare an organisation to changes in compliance norms and software. Flexibility and adaptability are characteristics of an effective compliance culture and compliance function.
Finally, size does matter for effective compliance. At a small company, effective compliance norms, compliance monitoring systems, and compliance culture may suffice to achieve effective compliance. A big company with an abundance of clients and data to manage, cannot achieve effectiveness in compliance without software. Modern technology solutions and adequate plans for their implementation are required if a company wants to scale its business without sacrificing compliance.
However, software alone is not a panacea that is capable of solving all company’s gaps in compliance. Research of automation bias shows that many people forget that technology is just a tool that is designed and tuned by people. Therefore, various compliance technology solution is a prerequisite for the effective compliance function only when its implementation is carefully planned, when it is checked for its effectiveness and consistency with compliance norms, and when people do not automatically rely on its conclusions.
 Braun, and Tomasz, Compliance Norms in Financial Institutions (Springer Books 2019) 247-253
 Basel Committee on Banking Supervision, ‘Compliance and the compliance function in banks’ ( BIS Publications, 29 April 2005) <https://www.bis.org/publ/bcbs113.htm> accessed 14 May 2020
 For for more information see RM Lastra, ‘Defining forward looking, judgement-based supervision’  14(3-4) Journal of Banking Regulation 221-227
 Centre for Regulatory Strategy, EMEA, ‘The changing role of compliance’ (Deloitte Articles, 2015) <https://www2.deloitte.com/content/dam/Deloitte/gr/Documents/financial-services/gr_fs_the_changing_role_of_compliance_en_noexp.pdf> accessed 14 May 2020
 Braun, supra note 1 at 219
 Ibid., 220
 Ibid., 305
 Michael Rasmussen, ‘Seven Habits Of Highly Effective Compliance Programs’ (Forrester Best Practices, July 12, 2005) 6 <http://www.atlantaresources.com/articles/sevenhabits.pdf> accessed 14 May 2020
 T Herath and HR Rao, ‘Protection motivation and deterrence: a framework for security policy compliance in organisations’  18(2) European Journal of Information Systems 106-125, 118
 For more information see J Mundy and CA Owen, ‘The Use of an ERP System to Facilitate Regulatory Compliance’  30(3) Information Systems Management <DOI: 10.1080/10580530.2013.794601> accessed 14 May 2020
 For more information see Chartis Research and EY, ‘The Future of Trader Surveillance’ (Chartis Research Papers, 2017) <https://assets.ey.com/content/dam/ey-sites/ey-com/en_gl/topics/emeia-financial-services/ey-trader-surveillance-report.pdf> accessed 14 May 2020
 Eva Tsahuridu, ‘Whistleblowing Management is Risk Management’ in David Lewis & Wim Vandekerckhove (eds) Whistleblowing and Democratic Values (International Whistleblowing Research Network 2011) 61-62
 Eva Tsahuridu, ‘Whistleblowing: The Neglected Facilitator of Compliance’ in Maria Krambia-Kapardis (eds) Financial Compliance: Issues, Concerns and Future Directions (Palgrave Macmillan 2019) 181
 Bruns, S. M., Jackson, C., & Zhang, Y., ‘Designing an effective peer-reporting system’  13(2) Management Accounting Quarterly 8,10 < https://www.imanet.org/-/media/c4692fc2b08e4ee4926f73070b5838f9.ashx page > accessed 14 May 2020
 Ibid., 11-12
 Villegas, Lloyd, Vengrouskie, ‘Human Resources as Ethical Gatekeepers: Hiring Ethics and Employee Selection’  16(2) Journal of Leadership, Accountability and Ethics 80-88, 84<https://www.researchgate.net/publication/334067754_Human_Resources_as_Ethical_Gatekeepers_Hiring_Ethics_and_Employee_Selection> accessed 14 May 2020
 Tsahuridu, supra note 13 at 189
 Mills et al., Essential strategies for financial services compliance (2nd edn, John Wiley & Sons 2015) 132-133
 Kobayashi E and Kerbo H.R, ‘Human Resource. Punishment for noncompliance and reward for compliance: a comparison of Japanese and American workers’  47(2) NUCB Journal of Economics and Information Science 125 <https://digitalcommons.calpoly.edu/cgi/viewcontent.cgi?article=1065&context=ssci_fac> accessed 14 May 2020
 Villegas, supra note 16, at 86
 Page S.B and Page S., Achieving 100% Compliance of Policies and Procedures (Process Improvement Publishing 2000) 264
 Marchetti A.M., Beyond Sarbanes-Oxley compliance: Effective enterprise risk management ( John Wiley & Sons 2005) 72
 See for example FCA 2018/54: Financial Crime Guide (Insider Dealing and Redesignation) Instrument 2018, Chapter: FCTR 6.3.6 Consolidated examples of good and poor practice
 Deloitte, ‘RegTech Universe 2020’ (Deloitte Articles, 3 January 2020) <https://www2.deloitte.com/lu/en/pages/technology/articles/regtech-companies-compliance.html> accessed 14 May 2020
 Hayward A. and Osborn T., The Business Guide to Effective Compliance and Ethics: Why Compliance isn’t Working – and How to Fix it (Kogan Page 2019) 345
 Steinberg, Richard M., Governance, risk management and compliance (Hoboken (NJ): Wiley & Co 2011) 114
 FCA, ‘FSA fines Royal Bank of Scotland Group £56m for UK sanctions controls failings’ (FCA Press Releases, 8th of August) <https://www.fca.org.uk/news/press-releases/fsa-fines-royal-bank-scotland-group-%C2%A356m-uk-sanctions-controls-failings> accessed 14 May 2020
 Steinberg, supra note 26 at 115
 For more information about automation bias and hot to avoid it see Skitka et al., ‘Does automation bias decision-making?’  51(5) ” International Journal of Human-Computer Studies 991-1006