
Compliance: key component to a clean administration
22 May 2014

Compliance best practice
• Generally Accepted Compliance Practice Framework (GACP) – Compliance Institute Southern Africa
• King Report and Code on Corporate Governance, 2009 (King III) – Institute of Directors
• Significant legislation that requires a compliance function/activities
Brief History of Compliance in SA
• 1989: South African Futures Exchange Rules require member firms to appoint a registered compliance officer to ensure compliance with SAFEX rules
• 1994: King I highlighted the importance of governance and compliance
• 1995: The Johannesburg Stock Exchange Rules required member firms to employ a registered compliance officer to ensure that the member firm complied with the JSE Rules.
• 1999: Strate Rules required the appointment of a registered compliance officer.
• 2000: Regulation 47 to the Banks Act introduced. This regulation required all South African banks and foreign banks with South African branches to appoint a compliance officer and establish a compliance function.
• 2001: The Policyholder Protection Rules issued under the Long-term Insurance Act and the Short-term Insurance Act require insurers to appoint a compliance officer to monitor compliance with the rules.
• 2001: Introduction of the Financial Intelligence Centre Act (FICA), aimed at combating money laundering. FICA requires accountable institutions to appoint a compliance officer to ensure compliance by the institution with the Act and by its employees with the Act and the institution’s internal rules.
• 2002: King II highlighted the importance of corporate governance and compliance, but did not yet formally recommend that organisations consider establishing a compliance function.
• 2002: The Financial Advisory and Intermediary Services Act (FAIS) requires all licensed financial services providers to appoint an approved compliance officer. The compliance officer can be either an employee or an outsourced independent compliance practitioner. This requirement became effective in 2004.
• 2009: King III – Code of Governance for South Africa is an updated version of King II that is aligned to the Companies Act and extends its application to all entities, both public and private. King III has significantly strengthened requirements for organisations to develop and implement an appropriate compliance policy and framework to manage compliance risks, and recommends that all organisations consider establishing a compliance function.
• 2011: Regulation 49 to the Banks Act came into existence, replacing the old Regulation 47.
GACP: Core Principles & Standards
1. Governance
2. Compliance Policy
3. Responsibility of Management
4. Establishment of a Compliance Function
5. Status
6. Independence
7. Roles and Responsibilities
8. Head of Compliance
9. Fit and Proper
10. Resources
11. Appointment and Termination
12. Compliance Culture
13. Outsourcing
14. Independent Review
15. Materiality
16. Compliance Process
GACP: Applicability
• Increasingly gaining recognition as the primary source
of compliance best practice
• Being used more frequently to guide the evaluation
and assessment of organisations’ compliance
structures, frameworks and activities by:
o Regulators,
o Internal audit functions,
o External compliance practitioners, and
o Organisations themselves
King III: Overview
• King III is owned by the Institute of Directors in Southern
Africa (IoD) and is the primary source of corporate
governance best practice
• Focuses on corporate governance as a whole (of which
compliance is a part) so does not address compliance as
extensively as GACP (which is specifically focused on
compliance)
• Is also another important source of compliance best
practice and guidance for organisations across all industries
and sectors
• Released in September 2009 and became effective in
March 2010
King III: Compliance Aspects
• Chapter 6 of King III deals with “Compliance with laws,
rules, codes and standards”
• When considering the compliance chapter it is also
important to understand how it inter-relates with other
chapters
• Each version of King has placed more emphasis on
compliance as an essential element of good corporate
governance. In King III, the compliance principles and
recommendations have been significantly enhanced and it
is recommended that organisations consider appointing a
compliance officer/establishing a compliance function
King III: Applicability
• Applies to “all entities regardless of the manner and
form of incorporation or establishment and whether in
the public, private sectors or non-profit sectors”
• The terms ‘company’, ‘boards’ and ‘directors’ should be
substituted with the relevant terms of those with
functional responsibility for governance in entities
other than companies as appropriate e.g. a Public
Entity under PFMA should substitute ‘board’ with
‘accounting authority’
Applicability of Compliance Best Practice
• The last few years have seen a significant shift in compliance from being primarily a feature of the financial services industry to many other industries and sectors
• GACP and King III are applicable across all sectors and industries
• Despite having initially been developed based on the needs and experiences of the financial services industry, compliance best practice was developed based on generic and widely accepted principles and practice, e.g.:
o Best practice around compliance structures, governance and oversight is based largely on general corporate governance principles that are also applicable to other risk management and assurance disciplines, e.g. risk management functions and internal audit functions; and
o The compliance risk management process is based on a general risk management approach of identify, assess, manage and monitor. This approach has been widely accepted and applied universally by many different types of organisations
Compliance & Ethics: Compliance Culture
Definition: Compliance Culture
“The culture of shared values, beliefs, assumptions and behaviours existing within an organisation that characterises the organisation, especially in relation to compliance obligations.”
- GACP
• Compliance culture is critical to the success of the overall compliance risk management programme
Compliance & Ethics: Compliance Culture
Compliance culture is:
• The responsibility of top management
• Facilitated and emphasised by the governance structure
• Promoted by the compliance function
Compliance & Ethics: Compliance Culture
• Compliance culture needs to be emphasised at all levels of the organisation – not only the top
• Establishing and reinforcing it should include consideration of, inter alia:
o Clear expectations of all levels of staff regarding their compliance responsibilities;
o Training and awareness of compliance matters;
o Appropriate disciplinary policies and procedures that are effectively, consistently and fairly applied; and
o Compliance as an element of the performance measures and the remuneration/incentive/reward systems of all relevant levels of staff
Identifying Applicable Regulatory Requirements
• Legislated requirements
o National laws
 Actual laws, e.g. Acts of Parliament
 Subordinate legislation, e.g. Rules, Regulations and Codes
o Provincial laws
o Municipal by-laws
• Supervisory requirements, e.g. Notices, Directives and guidelines etc.
• License conditions, if applicable
Complex and Changing Regulatory Environment
• Organisations are challenged with regulatory
requirements that are increasing in volume and
complexity
• Between 1994 and 2012, South Africa introduced
>1150 new Acts (including Amendment Acts but
excluding subordinate legislation)
• Regulatory oversight and enforcement is evolving and
improving
Complex and Changing Regulatory Environment
• Not unusual for organisations to identify anywhere
between about 50 and a few hundred applicable
regulatory requirements, depending on factors such as:
o The industry within which they operate;
o Their size;
o The nature and complexity of their business operations,
transactions and activities; and
o The geographic spread of their business
Complex and Changing Regulatory Environment
• Large volumes and complexity pose challenges for organisations:
o Consequences of non-compliance
o Cost of compliance, e.g.
 Implementing new processes and systems;
 Training staff
o Correctly interpreting and applying new requirements
o Inconsistent application across industry/ies
o Competitive challenges
Some Major Influences on Regulatory Development
• Government Policy
• International developments
• Corporate failures
• Questionable Market Conduct and Business Practices
Examples of Stakeholders whose Interests are protected by Regulation
• Consumers/Customers, e.g. Consumer Protection Act and FAIS
• The State, e.g. Income Tax Act and Value-Added Tax Act
• Investors, e.g. Securities Services Act and Companies Act
• Public interest (society as a whole or specific sections thereof), e.g. The Prevention and Combating of Corrupt Activities Act and Promotion of Equality and Prevention of Unfair Discrimination Act
• Communities, e.g. National Environmental Management Act
• Employees, e.g. Labour Relations Act and Basic Conditions of Employment Act
• Other industry organisations, e.g. Competition Act
Individual laws may be aimed at more than one group.
Objectives of Regulation
Regulation aims to ensure adherence to key principles:
• Responsibility
• Accountability
• Transparency
• Fairness
Objectives of Regulation
• Identify the objectives of specific legislation, and whose interests it seeks to protect, from the preamble or from within the legislation itself, e.g. the preamble to the Occupational Health and Safety Act states:
“To provide for the health and safety of persons at work and for the health and safety of persons in connection with the use of plant and machinery; the protection of persons other than persons at work against hazards to health and safety arising out of or in connection with the activities of persons at work; to establish an advisory council for occupational health and safety; and to provide for matters connected therewith.”
Compliance is Mandatory
• The need for organisations to comply with legislation is not new
• From a legal standpoint, organisations do not have a choice as to whether or not they should comply with the law
o As recognised legal persons, compliance with all laws that apply to them is mandatory
o Failure to comply renders the entity liable to any fines, penalties, civil liability and other consequences of non-compliance
• Using compliance functions (imposed by law or voluntarily) and frameworks to assist in addressing compliance risks is a relatively recent development
Compliance is Mandatory
• Many organisations comply (or try to) with many laws even if they don’t have a compliance function and/or framework
• Consider: before your own organisation had a compliance function:
o Did your organisation never meet any of its tax obligations in terms of the VAT Act and Income Tax Act?
o Did your organisation not have any regard for the requirements of the Labour Relations Act and Basic Conditions of Employment Act in dealing with employees and their recognised representative organisations?
o If your organisation is a company, did it not meet any of the Companies Act requirements?
Regulators: Overview
• There are many different regulators covering a large variety of industries, sectors, professions and activities
• Their specific role and objectives are derived from their legislated mandate. Individual roles may vary significantly
• Regulators may be established as departments/functions/agencies of government or as independent bodies
• For non-legislated regulatory requirements, the “regulator” could be the relevant industry body, association, organisation etc.
Regulators: Roles & Objectives
Regulator roles and objectives may include:
• Developing regulatory requirements (or assisting/advising)
• Promoting, monitoring, and enforcing compliance
• Issuing appropriate guidance notes and/or directives
• Maintaining stability, confidence and competitiveness
• Licensing/authorising
• Protecting or assisting affected stakeholders
Engagement with Regulators
• Many regulators would rather work constructively with regulated organisations to pre-empt and resolve challenges and problems in a manner that is in the best interests of all stakeholders
• Organisations should maintain a professional and courteous relationship with relevant regulators
• Develop trust through open and honest communication
• Demonstrate co-operation. Assurances given to regulators should be backed by action
Non-Compliance: Enforcement & Sanctions
Non-compliance may result in:
• Fines,
• Imprisonment,
• Administrative penalties,
• Other administrative sanctions,
• Loss of authorisation to operate, e.g. a license suspension/withdrawal, and
• Liability for losses suffered by affected parties
Non-Compliance: Enforcement & Sanctions
• A regulator’s approach to applying or seeking the imposition of a penalty or sanction may be influenced by:
o The extent of non-compliance and the specific results thereof,
o The organisation’s track record in respect of compliance, and
o Willingness and commitment to co-operate and resolve the matter in the interests of affected stakeholders and in accordance with the regulator’s mandate
Non-Compliance: Enforcement & Sanctions
• Challenges for regulators:
o Administrative sanctions and penalties may be subject
to prescribed appeal processes or challenged through
the courts
o Some sanctions/measures are subject to lengthy and
uncertain judicial processes e.g. criminal liability (fines &
imprisonment) – Need to be referred to NPA for decision
to prosecute, followed by trial and imposition of penalty
by a court
Non-Compliance: Enforcement & Sanctions
• Increasing statutory establishment of alternative
dispute resolution and complaints handling bodies:
o Ombuds, commissions, tribunals etc.
o Quicker and cheaper means for affected parties to seek
recourse and recover losses from regulated entities
Non-Compliance: Impact on Reputation
Non-compliance leads to publicity, which in turn has a negative impact on reputation
• In addition to a regulator’s response to non-compliance, organisations should also be concerned about the response of other relevant stakeholders such as investors, customers/clients, employees, community members etc.
Non-Compliance: Impact on Reputation
• Information is spread quickly in today’s digital age
• Reputational impact may in some instances have far greater consequences for the organisation than the penalties, fines or other consequences that could be imposed
• Reputation may be impacted by actual or perceived non-compliance
The Need for Compliance Functions
Why have a compliance function?
• Legislated requirement, e.g. Banks Act, FAIS, FICA, PFMA
• Other high profile legislation, e.g. CPA
• Business ethics
• King III
Structure of the Compliance Function may Differ Across Organisations
GACP:
“The structure, nature and extent of the compliance function should be appropriate to the organisation’s business, considering the nature, scale and complexity of the business with regard to:
– Product and service offerings;
– Structure and diversity of the organisation’s operations; and
– Risks associated with the different product and service offerings.”
King III:
“Each company should consider the suitable structure and size of its compliance function, considering what is appropriate for the adequate management of the compliance risk of the particular company and having regard to the legislative requirements that apply to the compliance function. The structure of the compliance function, its role and its position in terms of reporting lines, should reflect the company’s decision on how compliance is integrated with its ethics and risk management.”
Independence
“Principle and standards 6 : Independence” of the GACP
states:
“Principle: The compliance function should be sufficiently
independent of business activities to be able to discharge
its responsibilities objectively.
Explanation: The required independence includes the
ability to operate and communicate in an unhindered
manner. This level of independence must be clearly
specified and formalised in the compliance policy and/or
charter.”
Independence
• Compliance functions should be able to carry out their
responsibilities without undue influence, fear of
interference or recrimination
• Top management should ensure the independence of
the compliance function
Independence is Facilitated by:
Independence of the compliance function is facilitated by:
• Reporting lines
• Identifying & managing conflicts of interest
• Governance structures
Independence: Governance Structures
• Compliance responsibilities of governance structures
should be formally established and recorded in their
respective mandates
• Compliance function should have direct access to top
management, governance structures and executive
management
Independence: Reporting Lines
Recommended reporting lines for the compliance function:
• Functional reporting line to a governance structure, e.g. audit/risk committee
• Operational reporting line to management, e.g. CEO/CFO etc.
Irrespective of actual reporting lines, the compliance function should have direct access to and demonstrable support from the CEO and top management (board or equivalent)
Conflicts of Interest
• Real and perceived conflicts of interest should be
avoided wherever possible
• Where they cannot be avoided, they should be
identified, disclosed and managed
Conflicts of Interest
Common causes of conflict of interest for compliance functions:
Reporting lines
• E.g. when the compliance function needs to report/provide assurance on compliance matters that are the responsibility of its own reporting line
• May be addressed by dual reporting lines, but this may not always remove the conflict effectively (see activity)
Conflicting/dual roles
• Ideally, compliance staff should not have any other responsibilities
• When they do, conflicts of interest must be avoided; consider:
o Will they monitor their own work?
o Will they assess/judge decisions made by themselves?
Remuneration policies
• Remuneration/incentives of compliance staff should not be directly related to the performance of the business area for which they have compliance responsibilities
• When linked to the performance of the business as a whole, they are less likely to cause conflict
Independence & Advice
• The “advice” role of the compliance function does not
impair independence, provided that:
o Compliance staff member providing the advice is not the
decision-maker or implementer i.e. only makes
recommendation
• Compliance function needs to maintain close working
relationship with other areas of the business and not
be seen as “outsiders”
• Some organisations with larger compliance functions
separate roles within the team e.g. Regulatory
Analysis, Risk Management and Monitoring
Compliance Function: Other Considerations
Other considerations in implementing and maintaining a compliance function:
• Regulatory requirements which must be met and adhered to regarding the governance, structure, operation or organisation of the compliance function
• The function should be subject to regular independent review
• Compliance should form part of the overall risk management framework
• Resources & competencies
Resources & Competencies
• An effective compliance function requires adequate
resources to fulfil its function
o Responsibility of top management supported by
management
• The resourcing of the compliance function should
consider:
o Human resources;
o Financial resources; and
o Operational capacity
Reviewing Effectiveness of the Compliance Function
• Top management should ensure that the compliance
function is subject to regular independent review
• Review objectives:
o Function is operating effectively and as intended
o Facilitate the continual improvement
• Reviews can be carried out by internal audit, an
independent compliance officer or other suitably
qualified professionals
Reviewing Effectiveness of the Compliance Function
• Reviews should include all key compliance processes and areas of activity
o Should consider both the adequacy and the effectiveness of the function
o Deficiencies identified should be addressed in a timely manner
• Also consider informal self-assessment-based reviews
• Consider extending the scope of reviews to include all aspects of compliance management across the organisation, rather than limiting the reviews to the “compliance function”, so as to recognise the key responsibilities of others in managing compliance risks, e.g. management
Overview of Compliance Roles & Responsibilities
Top Management / Management / Employees/Staff:
• Carry out activities in accordance with regulatory requirements
• Apply compliance controls and measures
• Must adhere to compliance policy, framework, processes and procedures
• Should escalate/report identified/known compliance breaches and exposures
Compliance Function:
• Primary role is to assist top management, management and relevant staff members to discharge their responsibility to comply with applicable regulatory requirements through the provision of compliance risk management services
Compliance Documents: Overview
• Compliance policy
• Compliance framework/charter
• Other compliance enabling documents:
o Compliance process documents
o Other compliance guidance/supporting documents
o Business and operational documents (policies, procedures, rules etc.) addressing compliance with specific regulatory requirements
Compliance Policy: The Need
GACP
“A written compliance policy should exist, which sets out the
organisation’s commitment and approach to compliance, as
well as what is expected of all employees. The compliance
policy should include a compliance policy statement.”
King III
“The board should ensure that a legal compliance policy,
approved by the board, has been implemented by
management.”
Compliance Policy: Responsibilities
Develop & maintain:
• Management responsibility
• In practice done by the compliance function in consultation with management
Approval & review:
• Top management
• At least annually
• Should be the board or equivalent itself and not a governance structure, e.g. risk/audit committee
Implementation & adherence:
• Management
Relationship Between Policy & Framework
Compliance policy:
• Principles
• High level
Compliance framework:
• Principles & standards
• More detailed level
• Framework includes charter – terms often used interchangeably (some organisations even have both)
• Different approaches across organisations, e.g.
o Short policy supported by a more detailed framework (the basis followed by this material), or
o Lengthy policy and no framework, or
o Somewhere in between
Content of Compliance Policy
Definition: Compliance Policy
“A policy which establishes the principles of, and commitment to, the management of compliance risk by an organisation. It also sets out the expected performance of all staff members in relation to the maintenance of compliance procedures and overall governance of the organisation.”
- GACP
Compliance manual
• The compliance function should develop a compliance manual or other suitable reference documents/sources that are readily accessible and guide the organisation and staff on all aspects of compliance management
• The compliance manual is essentially a collection of the documents described above together with relevant compliance risk management plans
CRMP Overview
• Formats, content, structure, detail & complexity of compliance risk management plans (CRMPs) may differ across organisations
• CRMPs form the basis for risk-based compliance monitoring
• CRMPs consider compliance risks and apply the key activities at a more detailed level, i.e. the specific provisions, sections, rules, regulations etc. that are contained and set out within applicable regulatory items
CRMP Overview
Compliance risk identification
• Identify all applicable provisions that have a compliance obligation for the organisation in applicable regulatory items (legislation, Industry Codes etc.)
• Analyse and interpret provisions
• Restate in simple language for business purposes (if required)
Compliance risk assessment
• Identify existing controls in place to meet the requirement/s
• Estimate the adequacy and effectiveness of existing controls
• Apply risk assessment scales to the various requirements
• Prioritise items for further attention
Compliance risk management
• Identify control enhancements required
• Allocate responsibility and timeframes for control enhancements
CRMP
• Agree plans with management
• Track and monitor implementation of the plan. Report and escalate where required (based on materiality levels)
• Maintain based on regulatory developments and changes in the business environment
CRMP: Basic Example
Ref: Reg 4
Requirement: Every employer with five or more persons in his employ shall have a copy of the act and the relevant regulations readily available at the work place: provided that, where the total number of employees is less than five, the employer shall, on request of an employee, make a copy of the act available to that employee
Interpretation: Because we have more than 5 employees, the act and relevant regulations need to be readily available and not just made available on request.
Existing controls: 1. A copy of the act and relevant regulations is available on the company intranet site (an inspection identified that not all staff have access to the intranet and that some staff who do have access are not aware of the act being on the intranet)
Residual risk: Severity M; Probability H; Overall H
Control enhancements, with responsible person & target:
1. Posters of the printed act and regs to be obtained and placed in strategic locations throughout the premises – Health & Safety Officer (Insert date)
2. Posters will be regularly checked to ensure that they have not been removed or damaged – Health & Safety Officer – Monthly check
3. Staff to be made aware through e-mail and verbal communication by managers of both the posters (and their locations) and the intranet link to the act and regs – Health & Safety Officer – prepare communication and email (Insert date); All managers – Communicate verbally (Insert date)
Compliance Monitoring
• Critical component of the compliance process
• King III requires boards to both monitor and receive
assurance on compliance
• Compliance monitoring should be carried out in
accordance with a risk-based compliance monitoring
programme agreed with and approved by top
management and management
• Monitoring results should form part of compliance
reporting
• Organisations should develop an appropriate
monitoring approach and process
Compliance Monitoring
• Compliance monitoring can take on various forms depending on factors including:
o The monitoring objectives;
o The monitoring scope;
o The level of assurance to be obtained;
o Who is carrying it out
Compliance Training: What should it Cover?
• Compliance training for staff should cover all aspects of
compliance, including, but not limited to:
o The compliance policy, framework, and processes;
o Compliance roles and responsibilities, both in general as well as
their own specifically;
o Applicable regulatory requirements;
o Consequences of non-compliance, to both the organisation and
the staff;
o Relevant controls, business processes and operating procedures
related to compliance with regulatory requirements within their
area of responsibility;
o How to identify, report and resolve compliance breaches and
exposures; and
o Where and how to seek guidance on compliance matters
Compliance Reporting
• Essential for effective oversight, governance and
management of compliance risks
• Each organisation should develop its own reporting
framework
• A process should also be developed for overseeing and
managing all regulatory reporting requirements