Compliance and Ethics: Demonstrating Program Effectiveness

Tuesday, November 01, 2011, By Scot McLeod


With expanded regulations going into effect as a result of the Dodd-Frank Wall Street Reform and Consumer Protection Act, financial services organizations must not only show that they have compliance and ethics programs in place, but also be capable of demonstrating that their programs are actually working.

Regulatory scrutiny of corporate compliance programs is shifting from a focus on policies, procedures and retrospective audits to proactive measures of effectiveness and desired results. Regulators are increasingly working to prevent organizations from "going through the motions" of compliance, and instead requiring them proactively to show the substance behind their programs. Many financial companies now seek to adopt measurements that will help them demonstrate the effectiveness of their compliance and ethics programs.

Current examples of increasing regulatory scrutiny include the whistleblower provisions finalized by the Securities and Exchange Commission in May 2011 and the Commodity Futures Trading Commission in August.

Whistleblower allegations, motivated by "bounty hunter" payments from enforcement agencies, are likely to grow significantly as a result of these new programs. For example, if a whistleblower claims that a financial services organization has violated privacy laws, the whistleblower can receive a percentage of the fine levied, if the investigators determine that the claim is valid and are successful with a lawsuit.  A concern in the industry is that due to these financial rewards, rather than calling an internal company hotline to report a suspected issue, whistleblowers will call a regulator instead. The regulator may in turn demand evidence of an effective compliance program from the organization.

There are several guidelines and tools available for financial services organizations to use as they strive to demonstrate the effectiveness of their compliance programs. The most commonly cited resource is the list of seven elements of effective compliance and ethics programs that were revised in 2010 by the United States Sentencing Commission when it modified the Federal Sentencing Guidelines. These provisions set forth the attributes of effective compliance and ethics programs. There are also tools and checklists available for self-assessment that often build on these seven elements, adding specific assessment questions for each of the elements.

Procedural Steps

For any compliance self-assessment, facilitated by the use of one of these tools or some other means, the depth and timeliness of the evidence are critical to success. For instance, consider a common process such as managing a firm's code of conduct. In this example, we shall look at various techniques, progressing from very basic and potentially high-risk, up through highly effective approaches offering increased protections and the potential for reduced sanctions and fines resulting from audits and reviews.

At the most basic level, a financial services organization should publish a code of conduct and revise it periodically. However, if this is the extent of the organization's management of the code of conduct, an audit or review is likely to identify significant deficiencies, leaving the organization exposed to the possibility of severe penalties in terms of fines and sanctions.

The next step should be to distribute the code of conduct directly to all employees and collect attestations indicating that the code has been read and understood.  Any compliance gaps identified should be remediated, possibly through enhanced training and additional outreach. Going to this level is certainly an improvement but may still leave an auditor wanting to know how the organization knows that employees really read and understood the code of conduct.

Further, the employee attestations could also include subject matter questions with scored results, allowing compliance officers to make an objective assessment of each employee's understanding of the code of conduct. As sub-par scores are logged, remediation tasks can be initiated, completed and logged. This approach provides a more compelling body of evidence showing that the organization is proactively focused on assessing the effectiveness of the code of conduct and using quantified measures to address potential shortcomings.

Documentation

Being able to log, investigate and track any incidents related to the code of conduct, and monitor for recurring issues or trends that might require corrective actions, can also contribute to the body of evidence of a commitment to compliance. Additionally, having the ability to make this evidentiary information available to auditors in a well-organized, easily accessible manner is important. Maintaining time-based snapshots of this information can allow organizations to demonstrate the effectiveness of their compliance programs for any point in time.

Producing the evidence of compliance is typically the greatest challenge for a financial services organization. This requires a determination of what the evidence needs to be, how the organization will monitor it and how often to update it, so that the organization has the ability at any point in time to say, "Here is the evidence we have in place now, and here's the evidence that was in place during the time period in question."

Some may wonder why organizations would need to maintain this historical information. It is critical because allegations of compliance breakdowns are seldom processed with expediency. For instance, when a whistleblower submits an allegation to the government, due to bureaucracy or work backlogs, it can take regulators months or even years to come back with a lawsuit or claim of a compliance or ethics breach. It is critical that the organization have the ability to look back to the timeframe in question and say, "Here are the regulations that were in effect at that time, and here is the evidence of what we were doing to comply with those regulations." This information must be provided accurately, consistently and confidently to the regulators in order for it to be effective - even if the whistleblower's allegation is upheld.
