
Protecting the brand
The evolving role of the compliance function and the challenges for the next decade

PricewaterhouseCoopers on Governance, Risk and Compliance
The PricewaterhouseCoopers Governance, Risk and Compliance (GRC) approach and operating model are founded on three core principles:

1. Integrity-Driven Performance [1] requires that organisations integrate their approach to GRC. Such an approach is
critical as effective integration fosters a culture of business integrity and accountability.

2. An integrated model should link to shareholder value and effectively coordinate an organisation's people, process
and technology capabilities so that Integrity-Driven Performance is embedded in the fabric of the organisation,
acting to support the achievement of strategic objectives.

3. Integrity-Driven Performance requires a new vision of business conduct and compliance - one that understands
stakeholders' needs and supports compliance with both the letter and spirit of relevant obligations. This includes
compliance with internal policies and procedures as well as managing the expectations of stakeholders such as
regulators, customers, business partners, employees, investors and society as a whole.

To attain a level of Integrity-Driven Performance, we believe that organisations need to get four fundamental enablers right:
- Address and effectively manage the change to a culture of business integrity and ethical values
- Embed an integrated GRC approach into core business processes
- Deploy the capability to measure performance and calculate value through the right metrics and dashboards
- Leverage technology to enable effectiveness and efficiency.

[1] See Integrity-Driven Performance™ - A New Strategy for Success Through Integrated Governance, Risk and Compliance Management: A White Paper, January 2004, available on the PricewaterhouseCoopers website at www.pwc.com
Foreword

The financial services sector is grappling with the biggest shake-up in regulation for a generation, including the growing shift
from rules-based to principles-based supervision. Compliance teams have an increasingly important role to play in
protecting and enhancing corporate value and reputation in the face of stakeholder demands for greater integrity,
accountability and financial stability. Indeed, recent experience indicates that even if certain dealings comply with the letter
of the law, they may still fall foul of what may ultimately prove to be the more damning court of market and public opinion.
An organisation's ultimate goals should be:
- A strong, flexible and cost-effective platform of compliance capable of meeting changing business, regulatory and
stakeholder expectations
- Achieving compliance as an integral feature of a well-managed business, capable of creating value through enhanced
reputation, investor confidence and lower cost of capital.

Culture of compliance
Many respondents recognise that Compliance cannot be expected to police today's increasingly diffuse corporations and
that the business needs to take ownership of the necessary controls. However, with 30% rating incomplete
acceptance/understanding by the board/senior management of their compliance responsibilities as a significant hurdle to
achieving compliance, there is clearly much needing to be done. Ultimately, the key to a well-managed - and therefore
compliant - organisation is a culture of doing the right thing. This culture needs to be ingrained into both the mindset and
behaviour of staff, reinforced by a close alignment of values, processes and rewards. It is perhaps telling that a number of
recent scandals have taken place in organisations where the basis for incentives has not included compliance.

Role of Compliance
A well-managed organisation makes a holistic assessment of the risks it faces now and in the future, taking into account the
needs of a broad range of external and internal stakeholders. It then designs appropriate risk management and control
mechanisms to handle these - one of which is the compliance function. Our study found that while many organisations are
moving in this holistic direction, few have clearly figured out the best role for the compliance function in helping to achieve
the endgame of a compliant organisation. Compliance functions currently gravitate between the police officer and
counsellor roles, with ongoing concerns over their independence, and their interaction with other management and control
functions and indeed the business. Many organisations are failing to adequately address the wider needs of internal
stakeholders: to actively foster appropriate compliant behaviour, and to ensure that practices, processes and
technology help rather than hinder such behaviour.

Cost of compliance
64% of respondents viewed the complexity of the regulatory environment as the biggest hurdle to achieving compliance, but
many compliance officers also suggested deep-rooted management concern over the cost of compliance. However,
compliance with regulations is essential for doing and staying in business in the financial sector, in the same way as
complying with management's strategic and risk management guidelines enables an organisation to succeed. Management
should be more concerned about achieving an appropriate payback from their investment in compliance. The price of
safeguarding the organisation from regulatory fines and reputational damage must be factored into any evaluation of revenue
returns, in the same way as operational expenses or the costs of risks such as default of a borrower. It is telling that around
80% of respondents believe that their compliance function adds value to their businesses, yet most are finding it difficult to
pinpoint the precise benefits.

The ultimate goal, according to some study respondents, is an organisation so inherently compliant that the need for a
compliance function is eliminated. Given a complex and rapidly changing regulatory environment, aligned with increasingly
dynamic business strategies, this utopia will not be realisable in the foreseeable future, if ever. Nevertheless, organisations
can and should take measurable, incremental steps in this direction over the longer term.

This study was intended to update and extend the scope of a previous study, undertaken in 2002, into financial institutions'
compliance functions, with a view to spurring ongoing debate across the financial services industry internationally. It was also
designed to complement other studies and surveys we have undertaken in recent years looking at governance, risk and
compliance, not least the 8th Annual CEO Global Survey: Bold Ambitions, Careful Choices, the results of which were launched
at the Davos World Economic Forum in January 2005.

We sincerely thank all the participants who have enabled us - we hope - to offer useful insights into the progress and
remaining challenges for boards, management and compliance officers alike. We are particularly grateful for comments
received from national and international regulators and industry associations. We also thank the many
PricewaterhouseCoopers regulatory and compliance specialists internationally who have supported this initiative, conducting
and documenting the interviews, and providing feedback from their own experience to support the analysis. Finally, our
thanks go to Wendy Reed who, under our stewardship, drove the study process overall and was responsible for the
preparation of this report.

We hope you find the results both illuminating, and actionable.

Jeremy Scott
Chairman, Global Financial Services Leadership Team

Charles Ilako
Global Lead Partner, Financial Services Regulatory Practice

May 2005
Introduction

Purpose of the study


This study aimed to continue PricewaterhouseCoopers' contribution to the evolving international debate on the role of
compliance functions within the financial services sector, building on other, wider PricewaterhouseCoopers initiatives in the
governance, risk and compliance area [2], and on a European study into financial institution compliance practices in 2002 [3].

In some countries, compliance requirements have existed for many years and compliance practices are well-established.
Now, to mirror increasingly accepted best practice or as a reaction to crises, financial services regulators around the
world [4] are introducing, or enhancing, requirements for compliance functions. They advocate compliance with wide-ranging
prudential and conduct of business regulations, thus shifting gear from the often piecemeal requirements of the past.
Boards of directors and senior management, generally, are confronted with ever more stringent requirements for corporate
governance, risk management and compliance infrastructures.

The purpose of the study was primarily to i) understand progress in strengthening compliance functions in financial
institutions and ii) elucidate both current and future challenges. Our intention was to surface discernible trends to provide
further food for thought, given that the thinking on this issue is at different evolutionary stages around the globe and across
sectors. This report endeavours to give a flavour of the often wide-ranging responses to key issues, in addition to extracting
some key messages.

Countries represented
Asia & Australia: Australia, Hong Kong, Japan
Europe & Middle East: Austria, Bahrain, Belgium, France, Germany, Italy, Luxembourg, Netherlands, Spain, Sweden, Switzerland, United Kingdom
North America: Canada, United States

Study approach
We believe that this is the first time such an in-depth international study has been undertaken into compliance functions in
the financial sector. The GRC model (see inside cover) guided the detailed questionnaire, subsequently tailored to specific
institutions and national environments. The results of the study are based on participation from over 73 internationally active
and major domestic financial services institutions in 17 countries worldwide: 66% of participants are internationally active,
34% are major domestic institutions. Study participants represented all sectors of the financial services industry: 63%
banking, 19% investment services and 18% insurance (although many of the international participants are active in all three
sectors).

Interviewees included group risk compliance officers, heads of risk management, members of senior management with
compliance-related responsibilities (including CEOs), regional compliance heads, and heads of business line compliance.
PricewaterhouseCoopers regulatory and compliance specialists conducted face-to-face interviews with participants in the
latter half of 2004. The study was further enhanced through interviews with some key industry associations and regulators.
The results from these interviews were then supplemented by significant desk research and input from the
PricewaterhouseCoopers global network of regulatory and compliance specialists.

It is important to stress that the questions, and the discussions, were largely qualitative in nature. In this report, in order to
provide indications of the range of responses, we have reviewed the responses carefully and provided indicative statistics.
However, it must be noted that not all participants were able to respond to every question, so the statistics provided are
based on actual responses, and have only been prepared when a reasonable percentage of overall participants answered
the relevant question.

[2] See Annex III to this report for recent PricewaterhouseCoopers initiatives in this area.
[3] Regulatory Compliance: Adding value - a review of future trends, 2002.
[4] Annex I to this report provides an overview of recent developments in study participants' countries.
Structure of the Report

Executive Summary (page 8)

Detailed Feedback on Study Results
- Setting the scene - defining compliance risk (page 15)
- Challenges to achieving compliance (page 19)
- The compliance function - counsellor or police officer? (page 24)
- One configuration does not fit all (page 40)
- Compliance contributing value to business performance (page 51)

Annexes
- Overview of regional and national requirements for compliance functions (page 65)
- Current regulatory challenges (page 80)
- Selection of recent related surveys and white papers (page 82)
Executive summary
At a time when society expects integrity as well as competence from its financial services providers, effective compliance is
becoming as much a competitive as a regulatory imperative. With many financial services regulators focusing on the role and
responsibilities of the compliance function [5], this study set out to explore the rapidly evolving nature and responsibilities of
the compliance function at a critical juncture both for the function and the organisations it serves. It revealed considerable
improvements over the past three years, across all sectors:
- Organisations' vision of the role and structure of the compliance function has developed significantly on a cross-sector
basis
- The concept of embedding a compliance culture is clearly widespread in all the participant countries, establishing a
coherent backdrop for compliance function activities
- There has been a quantum leap in certain countries where regulatory requirements for compliance functions are
relatively new: they should not take decades to catch up
- As a result of regulatory action, improved governance structures, designed to ensure the independence of the
compliance function, are more prevalent.

Significant challenges remain, however, if organisations hope to reap the full benefits of improved compliance. Many
organisations still believe that a large part of the challenge stems from the weight of new regulations and uncertainty over
their practical application, and that conformance might undermine performance if regulatory requirements constrain the
flexibility and innovation of business models, and impose apparently unnecessary costs. Ultimately, however, compliance -
like performance - is a prerequisite for doing and staying in business. The compliance function provides one, albeit essential,
tool to enable management to fulfil stakeholders' expectations of integrity and to protect the brand. Compliance costs would
certainly appear modest when compared to the billions that can be wiped off share values if lapses in probity, governance or
codes of conduct come to light.
Essentially, meeting these challenges requires a more holistic and proactive approach to compliance which moves
beyond statutory expectations to embrace broader ethical and strategic considerations. It means understanding the
essential link between integrity, ensuring the right behaviours throughout the business and meeting strategic objectives. This
approach should focus squarely on encouraging appropriate behaviours and the achievement of compliant business
practices and processes (i.e., compliant outcomes) - rather than placing the onus solely on the compliance function. Certain
common elements underpin such an approach:
- Closer integration of governance, risk management and compliance structures, forming a practical continuum
underpinning the overall integrity of the organisation and aligned to innovation and the achievement of strategic objectives
- A culture which breeds the right behaviours and instils integrity into the DNA of the organisation, fostering awareness and
ownership of compliance at all levels of the organisation, supported by appropriate rewards, processes and procedures

[5] The compliance function is referred to in full in the report or as "Compliance", in order to differentiate it from the generic term "compliance".
PricewaterhouseCoopers - Protecting the brand, May 2005 9

- An extension of the role of Compliance to engage directly, and at an early stage, with those involved in tactical and
strategic decision-making in areas ranging from acquisition to product development
- A clear definition of the relationship between the business as the first line of defence; the compliance function as the
second; and independent assurance and non-executive directors as the third
- Coherent approaches to ensuring that business processes and procedures, generally, facilitate rather than frustrate
integrity, and that robust technology infrastructures foster integrity-driven decision-making.

The shift towards a principles-based, or risk-based, regulatory or supervisory approach in many countries would call for
more emphasis on the compliance function's advisory role: but it is a question of balance. Primarily, the organisation needs
to anticipate and quickly respond to the most serious threats to the brand, rather than seeking to comply with everything all
of the time. Management's success in configuring the business to achieve its performance objectives while remaining well-
managed (and consequently compliant) will predetermine the evolving role and ongoing efficacy of the compliance function.
The study surfaced a number of important related issues that require deeper management consideration.

No common language
The Basel Committee's definition of the compliance function provides a broad-based conceptual approach, establishing the
parameters of management's responsibilities but not necessarily, in a practical sense, the actual scope of compliance
function activities. From an organisational perspective, different interpretations of compliance risk are apparent within
different business lines, and across national borders. This is further complicated by different regulatory approaches,
internationally, and across sectors, to both compliance risk and compliance functions.
Regulatory principles sketch regulators' expectations for the management of compliance risk, and of compliance
functions, leaving management to fill in the gaps. Management is concerned that, without more detailed guidance, regulators
mean to give themselves room for manoeuvre, enabling them to criticise management's efforts in retrospect. This is an
unsettling prospect given the current perceived regulatory propensity to move the goal posts retroactively.
Essentially, however, management needs a clearer understanding of its own compliance risks, as well as regulatory and
reputation risks, in order to provide the basis for appropriate delineations and allocation of responsibilities to the compliance
function. Regulators can help by clarifying their expectations further. We believe, therefore, that this is the first issue to be
addressed. From our analysis, we suggest that:

- Industry and regulators need to reach a consensus as to the meaning - and their understanding - of
compliance risk across business lines, both generally and in the context of the role of the compliance function
- Internationally, and across sectors, regulators need to continue to align their approaches to risk management,
including compliance risk.

Management talks the talk but is it just lip-service?


The study showed that boards' and senior management's primary fear relates to reputation or brand damage, as well as
personal liability - understandable given recent high-profile incidents. In many countries covered by the study, organisations
made minimal efforts in the compliance arena - particularly in terms of compliance functions - prior to explicit regulatory
requirements. Ongoing pressure from regulators, or from other stakeholders, such as institutional investors and possibly
rating agencies, should continue to underline the intrinsic value of compliance and of the compliance function.
Remaining compliant is essential from a business perspective, but the general lack of progress in demonstrating
the value of the compliance function suggests that should such pressure decline, the needs and the role of the compliance
function could be subjugated to other regulatory and business priorities. In effect, management needs to place less
emphasis on the short-term costs of compliance and more on its fundamental ability to enhance the return on investment for
the organisation overall.
Although a great deal of progress has been made in terms of articulating a sound compliance vision and establishing
and/or reinforcing compliance functions in recent years, the study provided limited evidence of coherent, sustainable
strategies aimed at achieving compliant business practices and processes in the longer term. When addressing regulatory
requirements, compliance functions are often designed essentially to paper over the perceived gaps in an organisation's
existing control framework. This may not be the optimal approach, particularly as organisations have not yet recognised, let
alone realised, the overall benefits of being compliant.
Attempting to tackle all the issues with one major project, however, is unlikely to be effective. Instead, continuous initiatives
in a number of inter-related areas (with iterative reassessments as the situation evolves), together with a clearer vision of the long-
term endgame, are essential. Based on an analysis of the study results, common initial challenges for management include:
i) Assessing risk holistically, probing further the correlation between different types of business and market risk in terms of
compliance, regulatory and reputation risk
ii) Given a definition of compliance risk for all business activities, clearly determining the compliance functions associated
roles and responsibilities, in the context of other control and support functions, such as internal audit, legal, risk
management, human resources, etc.
iii) Establishing the right balance between Compliance's counsellor and police officer roles (see below), and providing
organisational flexibility for these roles to evolve
iv) Providing adequate resources to Compliance, targeting efficiency through appropriate human and financial resources
supported by a robust technological infrastructure
v) Adopting a bottom-up, as well as a top-down approach to achieving compliance, whereby business processes and
practices are thoroughly reassessed to ensure current and future compliance, taking particular account of the
technological needs.

vi) Above all, concentrating on ingraining a deep sense of integrity into the DNA of the organisation, fostering both appropriate
behaviours and attitudes, and using the compliance function as a tool to promote and promulgate the required value system.
We therefore suggest that:

- Management should assess the current role and future evolution of the compliance function, as part of longer-term
strategies aimed at configuring business practices and processes - and indeed its overall infrastructure - with a view
to instilling a deep sense of integrity and facilitating the right behaviours in its people. It should appreciate that people
will not be able to behave consistently with integrity if the business processes themselves create barriers.
- Management should strive for a coherent response to managing risk, developing holistic strategic risk
assessments which explicitly encompass compliance risk within the overall risk profile of the organisation.
Particular attention should be paid to the interaction between Compliance and other risk management functions,
while recognising the difference in emphasis when managing compliance risk.
- Boards and senior management should ask themselves probing questions about the current and future
configuration of the compliance function, the comprehensive control framework of the organisation and the optimal
level of resources - human, financial and technological. Senior management should continue to ensure that
organisational design does not impede the independence and effectiveness of the compliance function. Inter alia:
  - Senior management needs to reconcile the different approaches necessitated by divergent societal and
business cultures within its operations overall, with its associated strategies in terms of configuration, modus
operandi and resources of the compliance function.
  - Management should pay careful attention to the interaction with other control and support functions, and
ensure that the respective roles and responsibilities are clearly defined, and documented.
  - Recognising the dual role of the compliance function (counsellor and police officer), management should
make sure that the organisation's configuration is thoroughly assessed, both top-down and bottom-up, to
permit appropriate access and interaction with front-line businesses.
- As with any other intrinsic part of the business, boards and senior management should focus more on measuring
the real cost of compliance and non-compliance, as a means to ensuring appropriate cost management
strategies, improving their understanding of Compliance's value, and finally permitting an effective balance
between compliance costs and value generated.
- Equivalent, if not higher, priority should be placed on the development and use of technology able to help
management to really understand, on a timely and consistent basis, what is going on in the business. From the
perspective of the compliance function, a robust technological infrastructure entails both sophisticated tools for
monitoring compliance in business activities, together with appropriate tools for streamlining compliance function
activities, and facilitating knowledge sharing.
- Boards and senior management should focus more on frequency, timeliness and consistency of reporting, as a
means to deriving additional comfort that current business transactions and practices are much less likely to
generate future compliance problems.
- Rating agencies should take more account of the role and potential contribution of the compliance function to
the overall strength and quality of the organisation.

Compliance officer: police officer or counsellor?


The traditional role of the compliance function - in Anglo-Saxon countries - is shifting from police officer to counsellor.
There is increasing acceptance that Compliance, as a trusted advisor to the business, both creates value and protects the
brand. In some European countries where compliance functions are more recent, the initial emphasis has been on advising
business, while Compliances police officer role - its crucial compliance monitoring and oversight role - is often
underdeveloped. Compliance is most useful when both proactive and reactive - helping to ensure that new business is
compliant as well as monitoring existing business. However, the right balance needs to be struck between the two roles
within the organisational, business and cultural context. As business progressively manifests the right behaviour - embodying
both integrity and innovation - the need for the compliance function to police its activities diminishes, and the value-adding
counsellor role comes more to the fore. During this evolution, care needs to be taken to ensure that potential conflicts of
interest between the two roles are managed effectively.
Segregating compliance responsibilities between Compliance and the business is often difficult to accomplish in day-
to-day operations. Today, Compliance is often involved in executing compliance controls over daily business transactions
(operational compliance), as well as providing ongoing compliance oversight. This causes another potential conflict of
interest that can be mitigated through the tone at the top (instilling a compliance culture throughout the organisation);
consistent, ongoing performance measures to ensure that business is fully cognisant of its compliance responsibilities; and
separate reporting lines.
Evidently, to be able to advise management and the business proficiently, compliance officers need a deep
understanding of the business, a detailed knowledge of relevant regulations, and insights into regulators' expectations, as
well as pragmatism. Many respondents stressed compliance officers' communication and influencing skills as key
to engendering trust. How well their advice is trusted, however, should not rely solely on their influencing skills: management
should always be prepared to listen and act. Based on our analysis, we suggest that:


- Compliance officers, with management support, need to focus more on developing their business vision - the
ability to advise management on compliant, but profitable, business solutions.
- Compliance must be prepared to advise management at an early stage on all new business ventures and
transactions, including new products, entry into new markets and mergers or acquisitions, as well as outsourcing
or offshoring initiatives. (Commensurate with the organisation's maturity in terms of its underlying integrity, the
compliance function will need the authority to escalate or inhibit any activities which may raise longer-term
compliance issues until such time as it can function, primarily, in an advisory capacity.)
- Compliance, supported by management, needs to strive to enhance the dialogue with regulators - and other
industry participants - to improve the depth of general understanding of the challenges faced by compliance
functions, across organisations and across borders.
- There should be continuous focus on the blend of skills and competences within the compliance function overall,
ensuring suitable broad-based training for compliance officers and staff.
- Compliance officers should help themselves, and their firms, by further developing their profession through
industry fora, groups and associations.
- Compliance should develop more in-depth awareness of the technologies used by the organisation, including
legacy systems, and be consulted with regard to new systems developments. At the same time, the IT
department should develop greater awareness of the needs of the compliance function.

Regulatory heavy-handedness?
Respondents saw the principal challenges to achieving compliance as the rising bar of regulatory expectations, uncertainty
due to regulators moving the goalposts retroactively, and the increased - and increasing - heavy handedness of both
regulators and law enforcement. International financial institutions and conglomerates said they face multiple complexities in
meeting diverse regulations across borders. Increased convergence in regulatory approaches and attitudes internationally
was both appreciated and welcomed, yet respondents stressed that existing inconsistencies - both locally and
internationally - exacerbate current difficulties. Clearly, more guidance and clarification of regulators expectations would be
beneficial. Nevertheless, organisations also need to adopt a longer-term view, recognising that regulatory convergence in
time should result in considerable cost savings, particularly if they can develop and put into place today holistic, forward-
looking strategies for ensuring compliant outcomes, using the compliance function as the key tool to achieve this.

- Regulators need to provide more guidance and clarification regarding their expectations of both management
and compliance functions, and be more transparent about them.
- Regulators should aim to be consistent, over time, and with other regulators, both nationally and internationally.
Detailed feedback on study results

Setting the scene - defining compliance risk

To set the scene, participants were generally asked for three definitions key to compliance functions, namely the definition of
i) compliance risk, ii) regulatory risk and iii) reputation risk. Not all respondents had defined all three terms, and amongst
those that had there were some subtle differences.

Compliance risk
A definition of compliance risk, as determined by the Economist Intelligence Unit and PricewaterhouseCoopers6, is:
"The risk of impairment to the organisation's business model, reputation and financial condition (resulting) from failure to meet laws, regulations, internal standards and policies, and expectations of key stakeholders such as customers, employees and society as a whole."
The breadth of this definition was reflected in the definition of a bank's compliance function set out by the Basel Committee in its paper Compliance Functions in Banks, of October 2003 7.

While many respondents found this definition was in line with their own view of compliance risk, a number of international institutions considered it too broad. For them, compliance risk resulted from the possibility of non-compliance with laws and regulations affecting the offering of (relevant) products and services. Some saw this definition as closer to reputation risk, while others thought this definition more akin to operational risk. A number of firms, especially those in Sweden and Japan, believed it was better to look at compliance risk as the risk of business not being conducted according to legal and regulatory requirements.

Respondents also considered compliance risk as implying the potential ramifications of non-compliance with laws and regulations in terms of adverse regulatory attention for the firm, loss of confidence in the compliance function, and the negative impact on Compliance and management time.

Major regulatory challenges identified:
- AML related legislation
- Basel II
- Best execution
- Compliance arrangements
- Conflicts of interest including market abuse/insider trading
- Focus on treating (retail) customers fairly
- IFRS
- Market disclosure and transparency requirements
- Privacy legislation
- Sarbanes-Oxley
- Solvency regimes for insurers
Regulatory risk
For some respondents, regulatory risk was a narrower concept than compliance risk, defined as the risk of not complying with specific laws and regulations. Others, however, had a much more comprehensive definition of regulatory risk, for example:
"Regulatory risk can be defined as the risk of regulatory sanctions, financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with all applicable laws and regulations, change in business models in order not only to avoid its failure to comply with all applicable laws and regulations but also to correspond with the change in the expectations of regulators."

In effect, many respondents saw two clear dimensions to regulatory risk: i) breaching regulations and ii) not meeting regulator expectations. Regulatory risk might be interpreted as the risk of not keeping pace with the rising regulatory bar. This bar was no longer national: Sarbanes-Oxley had demonstrated the potential impact of extra-territoriality. Regulatory risk also lay in the need to adjust business models to comply with new detailed rules, particularly in terms of costs and possible inappropriateness for the business. There was also risk in not communicating appropriately with the regulator(s). Clearly, the most explicit concern in this respect was that regulators moved the goal-posts, retroactively. Respondents said that these concerns considerably increase uncertainty, and risk stymieing business.

6 PricewaterhouseCoopers and Economist Intelligence Unit survey, July 2003: Compliance: A gap at the heart of risk management
7 A bank's compliance function can be defined as: "An independent function that identifies, assesses, advises on, monitors and reports on the bank's compliance risk, that is, the risk of legal or regulatory sanctions, financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with all applicable laws, regulations, codes of conduct and standards of good practice." Note: the October 2003 paper was a consultation paper. The Basel Committee has very recently (April 2005) issued a formal guidance note entitled Compliance and the Compliance Function in Banks.

Reputation risk
Many respondents said that management's biggest fear was damage to reputation and brand. Often, however, reputation risk or brand risk were not defined, sometimes intentionally in order not to dilute judgement.

"[It] takes years to build it but can be lost in an instant"

Some respondents provided more granularity to a potential definition. Damage occurred when business behaviour, in any sense, was viewed as inappropriate by stakeholders, whether regulators, customers, other market operators, or - in certain businesses - the public at large. A German institution described it as "[..] broader than regulatory risk and is the risk of any activity that may impact the reputation of the business. It is not necessarily legal in nature."

Respondents highlighted the inability to quantify this risk, or even to mitigate it thoroughly in all circumstances, particularly where it arose through no wrongdoing on the part of the organisation. Reputations could be tarnished by association. There was also the materiality factor: a media feeding frenzy could cause serious damage, however minor the incident.

Reflections
Clearly, there was no overall consensus on a definition for these risks. The differences in the meaning and appreciation of the risks are understandable given the evolving nature of risk management, the different stages of evolution of compliance functions across organisations, the positioning of the compliance function within financial services organisations (legal, risk, operations) and the cultural receptivity towards regulation. However, the differences in the definitions point to the need for a common language and approach to compliance and regulatory risks, across sectors and between industry and the regulators. This would facilitate improved granularity in identifying and assessing compliance risks.

Considering the study's responses, the definition of reputation risk is more generic: an over-arching risk, to which all areas of the business are susceptible, both from the organisation's own activities, or changing perspectives of external stakeholders which it fails to anticipate adequately. As a primary concern of management, reputation risk could, perhaps, provide a framework within which risks to the organisation can be correlated, and their interdependencies better appreciated. However, boards and senior management need to be realistic in terms of what the compliance function can achieve: it cannot mitigate reputation risk generally. Reputation risk can only be managed by the careful orchestration of the various control mechanisms within the organisation.

The lack of a common language, inside organisations, at industry level and between regulators and industry, inhibits clarity and transparency around the role and responsibilities of the compliance function. Importantly, the work of the international standard setters - the Basel Committee, IAIS and IOSCO - in terms of core principles has set the tone for increased ideological convergence, more broadly. The Basel Committee's definition of the compliance function demonstrates that regulators expect a broad-based conceptual approach, reflecting management's responsibility to identify, assess and manage all compliance risks in their business effectively. This definition does not necessarily correlate to the actual scope of the compliance function. The compliance function cannot be held responsible for all the compliance risks that could damage reputation potentially, only those related to specific types of business transaction, as predetermined by its mandate from management. One insightful comment threw light on this conundrum: "the compliance role can be chopped up in many ways: the essential thing is to ensure that everything is covered by someone and that it is clear who is doing what." Clear definitions provide the basis for appropriate delineations and allocation of responsibilities.

[Figure: Reputation Risk, surrounded by expectations of stakeholders, encompassing Compliance & Legal Risk, Regulatory Risk, Operational Risk, Business Risk and Other.]

There were also different interpretations of the scope of compliance risk in terms of similar operations or business transactions within different business lines, and when operating across borders. Group policies can provide minimum standards but extra efforts are required to ensure that a common understanding of compliance risk, as well as the scope of the compliance function's remit, permeates throughout the organisation.

This challenge is further complicated by different regulatory approaches, internationally, and across sectors. Regulatory principles sketch regulators' expectations for the management of compliance risk, and compliance functions. Management is expected to fill in the gaps. However, management is concerned that, without more detailed guidance, regulators mean to give themselves room for manoeuvre, enabling them to criticise management's efforts in due course: an unsettling prospect given the current perceived regulatory propensity to move the goal posts retroactively (see next section). This uncertainty is beneficial for neither party.

From our analysis, we suggest that:

- Industry and regulators need to reach a consensus as to the meaning - and their understanding - of compliance risk across business lines, both generally and in the context of the role of the compliance function
- Internationally, and across sectors, regulators need to continue to align their approaches to risk management, including compliance risk.

Introduction of national requirements regarding compliance functions8

Evidently, national requirements regarding compliance functions related to securities business have existed in Anglo-Saxon countries for some time. A conceptual trajectory can also be drawn in other countries from requirements relating to anti-money laundering compliance arrangements.

In the table, CF = Compliance Functions, AML = AML Compliance, "first" = first introduced, "upd." = updated; "-" means no entry and N/A means not applicable; bracketed numbers refer to the notes below the table.

Country | Banking CF first | Banking CF upd. | Banking AML first | Banking AML upd. | Investment Services CF first | Investment Services CF upd. | Investment Services AML first | Investment Services AML upd. | Insurance CF first | Insurance CF upd. | Insurance AML first | Insurance AML upd.
Australia | 1998 | 2004(1) | 1988(2) | 2005 | 1998 | 2004(1) | 1988(2) | 2005 | 2002 | - | 2005 | -
Austria | 1993 | 2002 | 1993(3) | 2003 | 1993(4) | 2002(4) | 1996 | 2003 | 1993 | 2002 | 1978 | 2003
Bahrain | 1999 | - | 1989 | 2001 | 1999 | - | - | - | 2005 | - | 2001 | -
Belgium | 2001 | - | 1993 | 2004 | 2002 | - | 1993 | 2004 | 2005 | - | 1993 | 2004
Canada | 1999/2000 | 2002/2003 | 1993 | 2001 | 1999(5) | 2003(5) | 1993 | 2001 | 1999/2000 | 2002/2003 | 1993 | 2001
(The source shows two further entries on the Canada row, "2000/2001" and "2000(6)", whose columns cannot be determined from the extracted layout.)
France | 1996(7) | 2005 | 1991 | 2002 | 2001 | 2005 | 1991 | 2002 | - | - | 1991 | -
Germany | 1993 | 2004(8) | 1993 | 2002 | 1993 | 2004(8) | 1993 | 2002 | 2002 | - | 1993 | 2002
Hong Kong | 1991 | 2003 | 1997 | 2004 | 1997 | 2003 | 1997 | 2003 | 2002 | - | 1997 | 2000
Italy | N/A(9) | N/A(9) | 1991 | 1997/2004 | 2005(10) | - | 1991 | 1997/2004 | N/A(9) | N/A(9) | 1991 | 1997/2004
Japan | 1999 | 2004 | 1990 | 2003 | 1992 | 2003 | 1990 | 2003 | 2000 | 2004 | 1990 | 2003
Luxembourg | 1998(11) | 2004 | 1989 | 2004 | 1998(11) | 2004 | 1989 | 2004 | - | - | 1991 | 2004
Netherlands | 1999 | 2004 | 1993 | 2004 | 1999 | 2004 | 1993 | 2004 | 2004 | - | 1993 | 2004
Spain | 1995(12) | 2002(12) | 1993 | 2003/2005 | 1988(13) | 2002/2003(13) | 1993 | 2003/2005 | N/A | N/A | 1993 | 2003/2005
Sweden | 1999 | - | 1993 | 1999 | 2002 | 2004 | 1993 | 1999 | 2000 | - | 1993 | 1999
Switzerland | 2002 | 2005(14) | 1991(15) | 1998/2003(15) | 2001 | - | 1991(15) | 1998/2003(15) | - | - | 1998 | -
United Kingdom | 1988 | 2001 | 1993 | 2004 | 1988 | 2001 | 1993 | 2004 | 1988 | 2001 | 1993 | 2004
United States | N/A | N/A | 1987 | 2002 | 1988(16) | 2004(17) | 2002(18) | 2005(19) | Matter of State law | Matter of State law | 2005(19) | -

(1) Australian Standard on Compliance Program AS3806 updated draft released: the requirements under the Managed Investment Act were not amended at this time. Additional requirements under the Financial Services Reform Act became mandatory.
(2) Financial Transactions Report Act 1988 related to cash dealers (did not stipulate appointment of compliance officer).
(3) Adoption of EU-equivalent rules, in line with Directive 91/308/EEC, the first anti-money laundering directive.
(4) For pension funds.
(5) Requirements of the Ontario Securities Commission.
(6) 2000: Mutual Fund Dealers Association requirements; 2001 Investment Dealers Association requirements; 2002 Universal Market Integrity Rules.
(7) For banks subject to CMF regulation.
(8) Further updates in 1995, 1998 and 2002. BaFin introduced detailed requirements for the compliance function in 1999.
(9) Not applicable: the current regulations do not explicitly define the compliance function but only an internal audit function.
(10) Anticipated introduction for broker-dealers.
(11) Compliance was the responsibility of the internal auditor.
(12) Compliance function for banks not explicitly defined but rules on adequate administrative and accounting organisation and internal controls. Further changes introduced regarding internal audit compliance.
(13) Compliance function has traditionally derived from the regulatory regime on rules on conduct, conflict of interest, internal control and adequate level of administrative resources.
(14) First introduced as part of internal control system by Swiss Bankers Association guidelines in 2002: specific provisions for compliance functions in banks/securities firms to be published shortly by the Swiss Federal Banking Commission.
(15) Prior to introduction of specific AML rules in 1991, provisions on customer identification were in place since 1977. Introduction of Politically Exposed Person-term and related regulations in 1998 (subsequently adopted by FATF): SFBC issued 2003 Anti-Money Ordinance anticipating most of the 40 FATF recommendations.
(16) Requirements for broker-dealers introduced.
(17) Updated requirements for broker-dealers, and new requirements for investment advisors and mutual funds.
(18) For broker-dealers and mutual funds.
(19) Final rules expected for investment advisors and insurance companies in 2005.

8 For more detailed information see Annex I. Source: PricewaterhouseCoopers
Challenges to achieving compliance

Introduction

Traditionally, regulatory compliance was a secondary concern for most senior management and board members. The business impact of non-compliance was often considered to be relatively low. Organisations are now facing unprecedented pressure, from regulators and other external stakeholders, senior management and board members to proactively manage their compliance, regulatory and reputation risks. Risk appetite for such risk is where it ought to be: low - with some respondents stressing zero tolerance. At the same time, organisations are faced with an ever-changing, complex and uncertain regulatory environment.

What are the major challenges?

Not surprisingly, the study found that the large majority of participants9 saw the sheer and increasing complexity - both in volume and frequency of changes - in the regulatory environment as the principal challenge to achieving compliance. This complexity was difficult for all types of organisations - retail and wholesale, insurance, banking and asset management. There was also concern about the more aggressive posture of regulators, and the trend to move the goal-posts not only with new regulations but also with existing rules. Organisations also worried about the changing (external) stakeholder expectations in a broader sense (including shareholders, customers, etc.), particularly the difficulties in anticipating the changes, for example, where this meant second-guessing existing market practices.

Compliance officers stressed two interconnected challenges to achieving compliance on a sustainable basis:
- Embedding a compliance culture within the organisation, particularly across borders and across sectors
- Remaining compliant on a cross-border, cross-sector basis in the context of a dynamic business environment and rapidly changing regulations.

Dynamic business strategies severely exacerbated the challenges. Regulatory complexity increased exponentially when organisations operated on a cross-border basis, with the need to balance global and national requirements. Respondents also identified numerous related challenges as a result of cross-border business (see box overleaf).

Lack of technological infrastructure was ranked the highest internal issue, followed closely by incomplete recognition - by both the board and senior management - of their compliance responsibilities. Respondents stressed the knock-on effect of cost cutting and cost control policies.

[Chart: What are the biggest challenges to achieving compliance?8 Bar chart, y-axis "% of total responses" (0 to 70). Bar values as extracted, in source order: 64, 36, 33, 31, 27, 24, 23, 23, 20, 16, 11, 17. Categories as extracted, in source order:
- Sheer complexity of regulatory environment
- Poor communication with regulators and other external stakeholders
- Changing expectations of stakeholders
- Non-involvement of the compliance function in strategic decision-making (i.e. in terms of the financial institution's organisational structure(s), new markets/products)
- The organisation of the compliance function (roles and responsibilities)
- The compliance function lacks independence
- Inadequate technological infrastructure for monitoring compliance
- Poor integration with other functions, including risk management, sales and customer service
- Lack of direct communication between compliance and senior management and/or the board
- Focus on cost-cutting/cost control
- Insufficient pool of talent in this area of business
- Incomplete acceptance/understanding by the board/senior management of their compliance responsibilities.]

9 The chart shows the percentage of total respondents who identified each category as a challenge.

There were other related impediments:
- Lack of empowerment of the compliance function
- Lack of efficient organisational structures and unclear roles and responsibilities
- Different expectations between internal stakeholders (including management) and the compliance function
- Lack of pragmatism on the part of compliance staff in dealing with business
- Differences in awareness of compliance issues between securities, banking, insurance, asset management businesses.

Several compliance officers echoed regulators' concerns in that they felt senior management had no well-developed, longer-term strategy towards compliance. One commented that, without a strategic view of how to do compliance, his organisation's ability to remain compliant was not sustainable in a complex environment. In some more advanced jurisdictions, commentators suggested that high turnover rates in compliance staff resulted from frustration over the lack of coherent strategies. In less advanced jurisdictions, some respondents believed that management still viewed compliance as a necessary evil, and the compliance function as a means to pacify regulators, rather than as an effective management support tool.

Compliance challenges for cross-border business
- Different interpretations of corporate ethics (and compliance goals) against national cultural backgrounds which management fails to reconcile
- Differing stages in the evolution of the compliance function and its role in different countries/lines of business:
  - Variations in technical compliance capabilities
  - Convincing management of the inverse logic of a potential increase in compliance breaches or weaknesses identified when compliance function was established, or its scope extended
  - Ineffective communications
  - Lack of a common language for compliance risk
- A disconnection between group compliance policies and national procedures
- Possible competitive distortions at the national level resulting from (group) compliance approach
- Non-efficient development of compliant cross-jurisdictional products and services
- Overlapping regulatory requirements across financial sectors
- Different, and changing, powers of the regulators, and the politicisation of the regulator
- National/regional political agendas creating barriers to business
- Differences in shareholder expectations in terms of corporate governance and compliance (combined with differing power/leverage of shareholders)
- Increased expectations and financial awareness of customers, including consumers
- Increased impact of the media.

How do you align the scope of compliance with corporate values and goals?

A number of questions sought to clarify the scope of the compliance function, to assess whether it was in line with the goals and values of the organisation, and the challenges in meeting those goals: in essence, reflecting the Basel Committee's comment that compliance risk management is most effective when a bank's culture emphasises high standards of ethical behaviour at all levels of the bank.10

The study found that most organisations' corporate values and ethics (or codes of conduct which addressed these issues) had been clearly defined by the board, or senior management with board oversight. Interestingly, only a few respondents made a direct link between corporate values and corporate social responsibility goals. Compliance officers were often directly involved in the preparation of corporate values statements and codes of ethics. Subsequent ownership generally rested with the board and senior management, or was delegated to the compliance function or, in some cases, human resources. This latter delegation, however, raised some concerns among regulators about the risk of discontinuity when rolled out throughout an organisation.

The frequency with which corporate values statements and codes of ethics were reviewed varied from explicit time intervals (e.g., annually, every 2/3 years) to as and when the need arises. Active communication strategies, initiated by senior management, were evident in some responses but many took a passive approach, relying on the intranet and the compliance network. There were only a few examples of staff attestation or testing requirements, although this was clearly a means of providing comfort on comprehensive awareness. Explicit training and ethical surveys were also limited, though employees of one European conglomerate underwent dilemma studies to select action alternatives, compliant with both corporate policies and ethical values.

10 Basel Committee: The compliance function in banks, October 2003, p.2

What is the organisation's vision for compliance?

To assess evolution in organisational vision, and to see whether appropriate connections were being made between the compliance function and corporate values and ethics on the one hand and the organisation's strategy on the other, participants were asked to describe the current vision and whether it had changed over the last three years.

Organisations' current vision ranged from "compliance should not cost too much and be disruptive" to "Compliance should provide a high quality advisory service to staff and management". A number of organisations said compliance was instilled in the corporate culture but more effort was needed to fully implement it in the organisation. Where there was a perceived need (e.g., within internationally active organisations) and/or national regulatory requirement for a compliance function, there was a clearer alignment between compliance vision and ethical values.

In all cases, compliance vision had changed over the past three years: often through reinforced regulatory obligations, but sometimes in anticipation of regulators' expectations or in order to stay in step with best business practice internationally. Clearly, management had a more profound appreciation of the importance of compliance in protecting the brand and reputation but many compliance officers expressed concern that their perceived responsibilities may extend beyond their formal authority in this respect.

In international organisations, the vision had matured rather than changed over the past three years, offering a more professional and formalised approach to compliance. Respondents noted increased sensitivity and awareness both at an industry level and within their own organisations of the need for proactive, solid compliance programmes, supported by senior management. Central compliance structures (at group and divisional level) had been enhanced, with deeper awareness of which compliance activities should be performed at a central level, and which should be devolved to business lines and entities.

Identified advantages of increased formalisation of the compliance function:
- Compliance commanding more respect, with increased influence over business decisions
- Compliance seen not just as a monitoring tool but as an active, ongoing support to management
- The scope of Compliance's responsibility extended (beyond AML, securities)
- Improved awareness throughout the organisation of compliance requirements
- Adoption of a more integrated compliance approach throughout the business
- Adoption of risk-based approaches based on pre-determined risk tolerance levels for regulatory/compliance risk, depending on the business mix
- Compliance seen as a contributor to strategic objectives, such as improved corporate governance standards
- Retrospective, and forward-looking, information for the board and senior management
- More proactive interaction between Compliance and business
- Growing appreciation of Compliance's potential value to external stakeholders (other than regulators).

What is the intended scope of compliance?

The majority of respondents said that their organisations aimed to comply with:
- Prudential and conduct of business rules
- Industry best practice codes and codes of good conduct
- Internal policies and codes of good conduct.

However, as previously indicated, they confirmed that all related responsibilities did not fall entirely within the remit of the compliance function. Compliance with prudential rules, for example, was nearly always the responsibility of Accounting or Finance. Some respondents indicated that Compliance's main objective was to ensure adherence purely with laws and regulations relating to business transactions, while others included industry codes of good conduct within the overall scope. However, so-called industry best practice codes were not always seen as best practice, nor appropriate for the organisation.

14% of organisations wanted to go beyond compliance with laws and regulations, to focus on satisfying the expectations of other stakeholders, such as clients and communities, and adopting ethical social values. These participants

said that this was an issue on which the industry as a whole needs to focus. Increasingly, organisations took a pragmatic approach when determining with what they needed to comply. While adhering to minimum requirements in all areas, a significant number of respondents indicated that they would like to be best in class in selected areas. One UK respondent noted that the nature of the organisation's business model meant that the wider risk management programme, including compliance risk management, was ultimately a capital issue. Consequently, her organisation believed it had to do enough to meet the first two examples (prudential/conduct of business rules, and industry best practice codes, etc.), and use the latter (internal policies and codes) as a commercial tool to help maximise profitability.

It was noted that losing the confidence of regulators would limit business opportunities. However, regulatory scepticism appeared to extend beyond pure regulatory requirements, to best practice. One regulator commented that while institutions claim a desire to comply with best practice, having done a cost/benefit analysis, they do not often proceed.

[Chart: What do you comply with? Bar chart, x-axis "% of respondents" (0 to 100). Categories as extracted, in source order: Ethical social standards/CSR; Internal policies and procedures; Industry best practice; Market/conduct of business rules; Prudential rules. Bar values as extracted, in source order: 14, 66, 56, 100, 100.]

Reflections

Looking at the responses overall, both serious external and internal challenges to achieving compliance were highlighted. From an external perspective, the style and forcefulness of regulators and law enforcement are evidently a cause for considerable concern, with particular consternation over regulators' changing expectations - and perceived heavy-handedness. Strengthened anti-money laundering and combating terrorist financing requirements significantly exacerbate concerns regarding law enforcement. Although the impact of the investigations by the New York State Attorney General, Eliot Spitzer, has been felt most strongly in North America, the reverberations are global. Institutions are concerned that this level of uncertainty could generate risk aversion enough to stymie business.

On the positive side, corporate values, codes of ethics and conduct have been more widely established and organisations are better formulating their views on what they need to comply with, in the context of a broader spectrum of stakeholders. However, the fear generated by recent high-profile incidents, and regulatory reactions, appears to be the principal driving force behind the reshaping of the corporate vision of compliance. This situation may well change over time if there are fewer incidents. In many countries covered by the study, organisations made minimal efforts in the compliance arena until forced by regulatory requirements. It is possible that future pressure may come from other stakeholders, such as institutional investors and possibly rating agencies. The lack of progress made in demonstrating the value of the compliance function means that when the pressure is off, compliance will be subjugated to other regulatory and business priorities.

From an internal perspective, many respondents accentuated the internal challenges, which suggests that senior management, and business management, are still failing to appreciate fully the potential business benefits of compliant behaviour. Management needs to adopt an ongoing and consistent top-down, and bottom-up, approach to changing mind-sets throughout their organisations to ingrain a deep sense of integrity. This represents a hurdle not only for organisations facing new requirements for compliance functions. In effect, cultivating broad-based, practical comprehension of the inherent advantages of engendering appropriate behaviours and business practices and processes designed for compliance

may be more difficult in jurisdictions where compliance functions have existed for some time: subtle realignments are often
more difficult to achieve than substantial ones. If organisations are not convinced of the longer-term benefits, the risk is that -
if and when regulatory pressure and the associated fear of regulatory action subsides - management will not have set in
motion the change processes necessary to modify corporate mind-sets on a sustainable basis11. Based on our analysis, we suggest that:
Attempting to tackle all the associated issues in one major project, however, is unlikely to be effective. Instead, Management should assess the current role and
continuous initiatives in a number of inter-related areas (with iterative reassessments as the situation evolves), together with a future evolution of the compliance function, as
part of longer-term strategies aimed at configuring
clearer vision of the long-term endgame, are essential. Based on an analysis of the study results, common initial challenges
business practices and processes - and indeed its
for management include:
overall infrastructure - with a view to instilling a
deep sense of integrity and facilitating the right
Assessing risk holistically, probing further the correlation between different types of business and market risk in terms of behaviours in its people. It should appreciate that
compliance, regulatory and reputation risk people will not be able to behave consistently
Given a definition of compliance risk for all business activities, clearing determining the compliance functions with integrity if the business processes
themselves create barriers.
associated roles and responsibilities, in the context of other control and support functions, such as internal audit, legal,
risk management, human resources, etc.
Establishing the right balance between counsellor and police officer roles of the compliance function, and providing
flexibility for these roles to evolve
Providing adequate resources to Compliance, targeting efficiency through appropriate human and financial resources
supported by a robust technological infrastructure
Adopting a bottom-up, as well as top-down approach to achieving compliance, whereby business processes and
practices are thoroughly reassessed to ensure current and future compliance, taking particular account of the
technological needs.
Above all, concentrating on ingraining a deep sense of integrity into the DNA of the organisation fostering both
appropriate behaviours and attitudes, and using the compliance function as a tool to promote and promulgate the
required value system.

The rest of this report considers issues such as the roles and responsibilities of the compliance function, its configuration,
and, particularly, the means by which to promote appropriate behaviours and consequently extract the inherent value of the
compliance function for the business overall. Efforts and progress in these areas, however, are likely to be ineffectual in the
longer-term if not predicated on uncontested management appreciation of - and striving for - the realisation of the intrinsic
value potential of compliant behaviours, supported by appropriate business practices and processes.

11 Initiatives that can help organisations nurture a compliance mind-set are considered in more detail on the PricewaterhouseCoopers Global Best Practices website at www.globalbestpractices.com.
The compliance function - police officer or counsellor?

Compliance function goals


What are the objectives of the compliance function?

Most respondents considered all the goals relevant, to a greater or lesser extent (see chart below). However, "to ensure the firm is in compliance with regulations" was ranked the highest, followed closely by "to ensure that reputation risk is being managed effectively" and "to ensure that regulatory risk is being managed effectively". The two lowest rated were "to build greater confidence in the organisation on the part of clients" and "to act as the champion of the customer within the firm". Having said that, one Australian respondent saw Compliance in a way as a marketing tool, differentiating the firm from boutique competitors. Also, the link between properly managing reputation risk and client confidence was stressed.

One North American respondent indicated that some objectives - such as "to help the firm anticipate and plan for changes in regulations" - ended up on the backburner, due to lack of resources. Conversely, a UK respondent underlined the importance of this particular objective as it enabled Compliance to better advise management and help prepare business for changes associated with regulatory developments.

Increased emphasis on providing support and advice to management was a common theme. A French bank stressed that the over-riding aim must be to keep management out of trouble, implying three key objectives for the compliance function:
i) Provide advice and support to management in managing regulatory risk in terms of business transactions
ii) Train and educate staff, raising awareness in the business of compliance requirements
iii) Improve relationships with regulators through ongoing dialogue and through participating in the regulatory debate.

This echoes to a certain extent a North American respondent who suggested that the overarching goal of the compliance function should be to provide the expertise to help the firm manage regulatory and reputation risk and that this could be accomplished on the front-end by being seen as a trusted advisor (involved in change management, training, consultation, etc.) and, on the back-end, by verifying compliance (i.e., testing, monitoring risk, and so forth). Notably, French institutions tended to de-emphasise compliance verification activities.

[Chart: What should be the primary goals of a compliance function within a financial institution? (% of total responses). Options: To help the firm anticipate and plan for changes in regulations; To ensure that reputation risk is being managed effectively; To ensure that the firm is in compliance with regulations; To act as the champion of the customer within the firm; To influence the regulatory process in the interests of the firm; To ensure that regulatory risk in the institution is being managed effectively; To ensure compliance with regulations and both internal and external codes of conduct in the development of new products and markets; To train and educate staff in regulatory requirements and the requirements of internal policies and procedures; To build greater confidence in the organisation on the part of clients; To act as a central repository of all information on rules, codes and business practices and ensure dissemination to all appropriate people in the organisation; To advise the business units on how to ensure that new services and new products are compliant.]

What are the roles and responsibilities of the compliance function?


A number of the questions in the questionnaire were designed to probe the current roles and responsibilities of the compliance function. The study found that these were changing in line with the objectives discussed earlier. Although to some, Compliance was still primarily a control function, the emphasis was noticeably shifting towards a balance between a counsellor (trusted advisor) and police officer, in line with the objectives discussed above. 30% of respondents indicated that the roles and responsibilities of the compliance function were formalised at group and business line level, through a compliance charter, formal terms of reference, or similar. 33% indicated that these were implicit in compliance policies.

"It is not yet clear whether I'm a vicar or a policeman."

[Chart: Compliance charter/terms of reference (% of respondents): Explicitly in charter (or similar) 30; Implicitly in policies/instructions 33; No charter or similar; Update underway/required; Developing; No response.]

Respondents largely agreed with the list of compliance activities set out in the table (below). Their activities could be split between the two roles, but respondents stressed that there was substantial interplay between them (it must be stressed again that the percentages included in the table are purely indicative). Certain trends however were evident. In the Anglo-Saxon countries (United States, Canada, Australia and the UK), there appeared to be more emphasis on a "friendly police officer" approach. Compliance monitoring activity represents a higher percentage than the international average, with advice representing an equal percentage. However, this could also reflect a more manual approach to compliance monitoring activities, and a lack of technological support. Organisations in Japan and Hong Kong placed significantly more emphasis on training and education of business units, and embedding the compliance culture. Continental European respondents generally seemed to place more emphasis on i) establishing compliance policies and procedures, ii) monitoring and interpreting regulatory developments, and iii) providing advice to business.

Percentage of compliance function activity

                                                                          Total  Anglo-Saxon  Asia  Continental Europe
Police officer
  Monitoring compliance with procedures                                      16      26         11         10
  Reporting to management                                                     8      10         10          5
Counsellor
  Promoting the adoption of a compliance culture within the organisation      5       3         10          6
  Interface with regulators                                                   6       7          1          5
  Monitoring and interpreting regulatory developments                        12       7         12         13
  Taking preventative or corrective measures*                                 5       5          7          3
  Establishing compliance policies and procedures                            16      11         12         22
  Providing advice (including a helpline)                                    19      19         23         22
  New product/market approval processes                                       5       4          2          6
  Training and education of business units                                    6       5         11          6
  Further developing the compliance function's role                           2       3          1          2
  Total                                                                     100     100        100        100

* Corrective measures generally fall more under the police officer role.

Police officer
Monitoring compliance with policies and procedures

Three lines of control approach:
- Business unit - execution of controls
- Group compliance - oversight of monitoring and testing
- Group audit - independent assurance

Over 95% of respondents indicated that Compliance was responsible for monitoring adherence to policies and procedures, often working closely with internal audit. However, in a few cases - generally where compliance functions were less developed - this was the sole responsibility of internal audit. In some European countries, however, where explicit requirements for compliance functions were relatively recent, less emphasis was placed on Compliance's role with regards to compliance monitoring (the primary emphasis being advice to business).
Monitoring day-to-day business transactions (suspicious transactions, employee dealing, etc.) was often an intrinsic
part of local compliance staff responsibility. These compliance staff might be simultaneously responsible for oversight of
monitoring and testing at the business unit level, potentially creating tensions and confusion about the differentiation
between the roles. Regular reporting was both to local management, and through the compliance network.
Where appropriate technological infrastructures were in place, Group Compliance backed up this real-time
monitoring (e.g. with global trading position monitoring). Group compliance also undertook special monitoring visits,
sometimes in conjunction with internal audit and legal. One European respondent carried out three to four wider theme
reviews per annum into specific risk areas. A North American respondent indicated that internal audit undertook some 20 to
30 special reviews into compliance on an annual basis. More broadly, Compliance collaborated closely with internal audit to
monitor compliance, often providing advice to internal audit as to what should be covered in its annual audit plan. However,
although the roles of compliance and internal audit were sometimes clarified through compliance charters or service level
agreements (SLAs), some respondents mentioned also the blurring of lines between the two functions, and the fact that
senior management and business did not always understand the differences between their roles. Others stressed frequent
communication as a means to avoid overlap between Compliance and internal audit.
Compliances ability to comprehensively prepare its monitoring plan was dependent on its awareness of both past
events, and future regulatory and business developments. Where Compliance was not involved directly in new business
initiatives, respondents indicated that both business and internal audit kept Compliance informed of potential compliance
risks emerging from new business in the majority of cases (see p. 33).

Taking corrective measures

Business line management was deemed responsible, in the main, for the rectification of compliance breaches and weaknesses, although this was seen as Compliance's responsibility in a number of cases. In leading organisations, Compliance:
- decided whether a breach should be reported to the regulator,
- informed senior management if the breach had to be reported to the regulator and/or was considered material from an internal perspective,
- advised business on rectification,
- monitored progress on rectification (in conjunction with internal audit) and
- reported to senior management/the board on rectification progress.

If not reported to the regulator, breaches were nonetheless escalated to senior management or the board depending on the materiality of the breach or deficiency (according to pre-established parameters). One respondent had an incident grading system, which predetermined who was responsible for rectification (see also p. 42). Over 90% of respondents said they ensured root cause analysis was undertaken to identify cases of potential systemic weakness, ensuring appropriate actions are taken, including penalising personnel where appropriate. Notably, however, no established breach rectification process was in place in some organisations where i) the compliance function was new, and ii) there had been no significant incidents in that country.

Reporting to the board/senior management

84% of respondents reported directly to the board or appropriate board committee; the remaining 16% reported to senior management. In over 95% of organisations, either a member of senior management was directly responsible for compliance, or the compliance officer reported directly to a member of senior management. 40% of respondents indicated that formal reporting to the board took place quarterly: an additional 17% said that reporting was actually more frequent (either five times per year, or monthly). 3% did not prepare formal reports for the board.

[Chart: How often does the compliance function report to the board of directors? Categories: annually; semi-annually; quarterly (40%); 5 times annually; bi-monthly; monthly; regularly; on request; do not report (3%).]

Counsellor

International institutions saw Compliance as better placed to add value to the organisation, on both a strategic and day-to-day transactional basis, if perceived as a trusted advisor to management at all levels in the business. This trend was evident in the majority of the regions covered in the study, although in some organisations there appeared to be a disconnection between the goal of fostering a compliance culture and the empowerment of the compliance function. In Continental Europe (e.g. Belgium, the Netherlands, Sweden), the concept appeared generally well understood - although the necessary structures and resources were not yet in place to realise it fully. In the UK and Canada, there was a consistent move in this direction, although some respondents suggested this was creating some political tensions within the organisation.

Assuming a role as an advisor to business created different roles and responsibilities at group, regional and local levels, and between business lines and legal entities. One Australian institution allocated responsibilities between the group and business units as shown in the box.

Group Compliance responsibilities
- Set vision, profile, appetite and culture
- Set framework, policy, strategy
- Communicate that the management of compliance and operational risk is an institutional priority
- Provide and reward a "no surprises" openness attitude
- Act as a counsellor to business on policy implementation
- Oversight of the control environment
- Manage stakeholder interaction to achieve awareness and collaboration
- Obtain and act on relevant management information.

Business unit compliance responsibilities
- Create a risk awareness profile and culture
- Implement and manage risk strategy consistently throughout the organisation
- Communicate that the management of compliance and operational risk is an institutional priority
- Translate strategy into policies, processes and procedures
- Promote and reward a "no surprises" openness attitude
- Implement and maintain an effective control environment
- Generate and utilise effective management information systems.

Promoting the adoption of a compliance culture within the organisation

As an over-arching activity - impinging to a greater or lesser extent on all the other activities - the relatively low percentage rate in the table above (p. 25) is understandable. Few projects or ongoing activities were tagged "promoting the adoption of a compliance culture", although a wide range of activities could be designed with this goal in mind, either explicitly or implicitly. The primary role that Compliance played in promoting a compliance culture was one of communication, designed to facilitate consistent interpretation of the tone at the top at the business level. Respondents described the role as vital, critical, central, but also subtle and intrinsic. However, for some organisations no formal role was conceived. Other respondents said that they were aware that the role needed to be broader than it is. To be effective, though, Compliance needed the respect of business units and this depended not only on Compliance's demonstrating sound business understanding but also its recognised senior status - acknowledged explicitly by senior management - within the organisation.

Respondents mostly indicated that Compliance was an active advisor to both the board and management in effecting changes necessitated by specific new regulations. Compliance informed the board of the business impact of regulatory developments, put forward proposals for changes required, and subsequently supported management in implementation. A North American respondent indicated that Compliance's role then went further in evaluating the effectiveness of the changes through obtaining employee feedback, and sustaining the changes through developing enhanced scenario or other training tools to help the business cope with the changes on a daily basis. Only in a few cases, however, were there clear indications of Compliance's active role - and authority - in terms of coherent change management programmes, targeting ongoing improvements to the compliance culture.

Monitoring external stakeholder expectations

Changing stakeholder expectations, in the broader sense, was considered a significant challenge to achieving compliance
(see p. 19). Although a relatively systematic and broad-based approach to monitoring external stakeholder expectations from
a compliance perspective existed in North America, Australia, Japan and the UK (involving Compliance, business and
supporting departments, such as legal, customer service, marketing, etc.), in some European countries, it was primarily
Compliances responsibility to monitor such expectations.

Approach to systematic monitoring of external stakeholders
- Ongoing communication and dialogue with regulators
- Monitoring the media, particularly press coverage of other institutions' experiences with regulatory breaches, and consumer protests
- Monitoring changing customer expectations through:
  - Reviewing customer complaints on a regular basis, as well as regular customer satisfaction surveys or reputation surveys. One respondent indicated that an independent third party carried out a customer satisfaction survey on behalf of the organisation on a quarterly basis.
  - Regular interaction with senior and business/line management to gauge client expectations, as well as with business development and sales teams.
- Monitoring industry-wide developments through participation in industry associations and peer groupings, including, where relevant, Compliance Officer Associations
- Monitoring shareholder expectations: through dialogue, surveys, board participation.

Important external stakeholders

Not surprisingly, regulators were deemed the most important external stakeholder from a compliance perspective. External auditors were also rated relatively highly, together with law enforcement. Customers, analysts (including rating agencies) and the general public were ranked as moderately important. A respondent in the Nordic region did note the increasing emphasis institutional investors placed on well-functioning compliance functions. One German respondent considered that, if rating agencies were to focus on compliance function effectiveness (as they are starting to look at corporate governance regimes), this could have a positive impact on the perceived value of the function within the organisation. However, a French compliance officer, having been surveyed on a number of occasions by rating agencies, believed their questions were not probing enough.

[Chart: Important external stakeholders (% of total responses). Categories: Regulators; Law Enforcement; Investors/shareholders; Analysts (inc. rating agencies); External auditors; Customers; General Public; Peers; Partners; Media.]

Interface with regulators

The majority of compliance officers indicated that their relationship with (local) regulators was mainly open, although Japanese respondents suggested more need for formality. 47% of respondents indicated that - generally - Compliance was the central point of contact with the regulators, although 12% indicated another department, either finance/accounting (the department responsible for prudential reporting) or the legal department, was the central contact. However, a number of respondents stressed that this depended on the individual regulator. 17% indicated that the central point of contact was the member of senior management with compliance responsibility, although 13% indicated that various members of senior management had contact with the regulators. In effect, communication through nominated central contacts, or Compliance, was often complemented by regular informal contacts with senior management and/or the board.

[Chart: Contacts with regulators (% of respondents): Compliance 47; Senior manager with compliance responsibility 17; Other department 12; Various senior managers 13; Board members; No restriction.]

Respondents stressed not only the different regulators' attitudes (some more dictatorial than others), but also the differing levels of capability/approaches of regulators' staff (e.g., policy versus supervision). Four aspects of regulatory relationships needed to be effectively co-ordinated (see box opposite): a miscommunication in one area could affect the relationship overall, creating an impression of inconsistency. A number of Anglo-Saxon respondents dealt with this by:

1. Maintaining a log or central database of all incoming and outgoing communication with the regulator(s).
2. Developing regulator engagement plans.

Respondents appreciated the increased dialogue and growing convergence of regulatory approaches, and attitudes,
internationally, although overall regulatory complexity was not reduced. One respondent mentioned that it was often
useful to talk to the local regulator about difficulties faced in other countries because this could improve the understanding of
both the local (home country) regulator of difficulties faced within the group and that of the foreign regulator because of
enhanced communication between regulators at the international level.

"The function's biggest challenge today is the rising regulatory bar driven by new and unclear interpretations of requirements. The question becomes how do you protect shareholder interests in a world of uncertain regulator interpretations."

Four aspects of regulatory relationships

Ongoing dialogue & lobbying
Regular contact with the regulators did not often translate into direct attempts to influence the regulatory agenda. Any such attempts were frequently made through industry associations. According to this sample, Compliance and Legal joined forces to monitor and interpret regulatory developments in many cases (36%): twice as often as Legal solely being responsible (18%). This was most prevalent in civil law jurisdictions. Nevertheless, this approach was also adopted in the UK and the US (particularly in cases where legal and compliance are combined organisationally). The second most popular approach was for Compliance to monitor developments alone (30%). All but three respondents indicated that monitoring was carried out on a proactive basis, although many adopted a combined proactive/reactive approach. The implication was, however, that such pro-activity referred only to rules in the pipeline, rather than influencing the regulatory agenda or proactively pre-empting new regulations.

Regulatory reporting (prudential and market activity reporting)
Compliance had a role to play in regulatory reporting specific to its remit. Generally, this did not include prudential reporting, although a few respondents indicated that Compliance acted in an advisory capacity, in terms of both the prudential reports and processes.

On-site reviews
A number of respondents indicated that different approaches were required when dealing with inspection teams, as opposed to the policy divisions, of regulatory authorities. A number stressed that Compliance should have a key role in terms of preparing for on-site supervisory visits: some UK respondents, for example, underlined the importance of Compliance's direct involvement in FSA visits relating to its ARROW programme.

Crisis management and remediation
This was covered, to a certain extent, in the section on corrective measures above. Generally, respondents said that Compliance was not directly involved in crisis management or in the remediation processes themselves: senior or business management was responsible (depending on the severity of the situation). However, Compliance would often monitor, and report on, remediation progress internally. In some organisations, management sought Compliance's advice in managing a crisis, particularly in terms of communicating with regulators (often in collaboration with the legal department) and, occasionally, other external stakeholders.

Taking preventative measures

Respondents felt that Compliance should be in a position to place more emphasis on prevention rather than correction,
although not all felt that they were. Asked whether their focus is primarily on i) risk identification and rectification, or ii) risk
mitigation and management, many said both, and those who indicated the former said they were trying to migrate
towards the latter. They indicated that this could depend, however, on the nature of the compliance risks: fire-fighting
may be more prevalent in areas such as anti-money laundering.

Establishing compliance policies and procedures

69% of respondents indicated that Compliance was responsible for, or collaborated with management and/or the board in, establishing compliance policies and associated procedures. 12% indicated that compliance policies were the responsibility of the board, and 17% said that they were management's responsibility, although often with assistance from the compliance function. Only 2% indicated that either the audit or legal departments were responsible for compliance policies.

88% of respondents indicated centralised, or group, compliance control through the imposition of group-wide (often board approved) compliance policies, with certain levels of autonomy delegated to divisional compliance functions to adjust these policies to specific business, regional or local requirements. Of these, 50% indicated that these group/centralised policies were extensive, while 38% indicated that they were relatively limited.

[Chart: Group/centralised policies (% of respondents): Extensive 50; Limited 38; None 12.]

Some respondents indicated that such policies were considered minimum standards: more demanding local requirements would have to be complied with. Some said that group standards must be adhered to even if they were stricter than local requirements. Others, however, believed that, given an acceptable level of conformity with group standards, these standards should not put the organisation at a competitive disadvantage locally. As previously mentioned, a number of international organisations had begun to rethink the scope of the group-wide compliance policy approach, recognising the extensive tailoring often required at the business line, regional and local level. Also, 9% of respondents indicated that responsibilities for compliance policies were totally decentralised, with group compliance acting only in an advisory capacity.

[Chart: Application of group/centralised policies (% of respondents). Categories: Mandatory (but with regional/local tailoring); Voluntary; Local.]

Providing advice (including helpline)

Responses indicated three main dimensions to the advisory role: i) advising senior management on an ongoing basis, ii) advising business management in day-to-day business transactions and iii) providing a general helpline to business. Even in advanced countries, however, this advisory support was often seen as primarily reactive, responding to requests from business. How proactive Compliance was - or could be - depended on i) the status given to Compliance by senior management, ii) the degree of trust between Compliance and business, iii) Compliance's proximity to the business and, importantly, iv) the Compliance resources available.

37% of respondents had a formal helpline, but most stressed that all staff had access to relevant compliance officers and staff, inside and outside office hours. One respondent mentioned that their intranet also contained discussion fora, allowing staff to discuss ethical issues: others mentioned the value of ethics hotlines.12 Few respondents indicated that specific technology (apart from telephones, email, intranet) supported the helpline or that advice given was made available more broadly. However, some indicated that the quality of advice was used as a performance measure.

12 See also whistle-blowing systems, p. 42



New product/market approval process

"The business units often seem to be more creative than the compliance function in finding solutions for achieving compliance."

Perceptions as to whether advice was proactive did not rely on the existence of a helpline, although the availability of Compliance was obviously an important factor. Positive perceptions of Compliance derived from its ability to facilitate business: respondents talked of the need for Compliance to be both pragmatic and creative in finding solutions for transacting business in a compliant fashion.

51% of respondents were involved in new business approval processes, although the level of involvement varied. International institutions increasingly involved Compliance - on a systematic basis - in assessing new products and services and plans for entry into new markets and for due diligence on mergers and acquisitions. 25% of respondents said that Compliance sign-off was required on all new proposals - including outsourcing and offshoring, when appropriate - and that Compliance was involved in key risk and control committees. Others mentioned that Compliance had both the right to veto new proposals, and the subsequent right of appeal.

Group Compliance at one international bank was the driver of a screening committee. Business management would escalate clearance requests for new products, etc. rapidly up the organisation for review by the committee, filtering out inappropriate requests on the way. An Australian asset management firm said that business was encouraged to engage control groups, including Compliance and Legal, early in the process and that management was aware that the executive committee would not approve any venture without Compliance sign-off. In Japan, respondents were involved in new products but not in M&A due diligence from the outset. Only 30% of respondents were systematically involved in new IT systems.

24% of respondents indicated that there was little or no systematic involvement of Compliance in new business, although respondents indicated that Compliance was informed after the event. Some respondents said that business had responsibility to inform Compliance when there were compliance implications in new business, but this did not necessarily parallel clear indications of a high level of business understanding/awareness of potential compliance implications.

[Chart: Compliance responsibilities regarding new business (percentage of total responses): Compliance involvement in approval process 51; Compliance sign-off 25; No (formal) involvement 24; Compliance right of veto 3.]

[Chart: Types of new business in which Compliance is involved (percentage of total responses). Categories: Products; New market due diligence; Mergers & acquisitions; IT systems (30).]
34 PricewaterhouseCoopers - Protecting the brand, May 2005

Training and education of the business units

71% of respondents indicated that their organisation had an induction or orientation programme for all new joiners and this
programme either incorporated a session on compliance, or that codes of conduct were issued to all new joiners (in some
cases, with a requirement for formal signed acceptance of the code by the employee). One respondent indicated that this
starter pack included explicit instructions on incident reporting procedures. However, 18% of respondents indicated that
there was no induction programme (unless to cover areas mandated by regulation) or Compliance took no role. In these
cases, codes of conduct were often posted on the organisation's intranet. Induction programmes, where run, were frequently
organised by human resources with Compliance supplying necessary content. New management, or senior employees with
specific responsibilities (e.g. Approved Persons in the UK) underwent a one-to-one session with local compliance officers,
who would determine ongoing training requirements.

Asked what role Compliance played in training and education of front-line businesses, responses ranged from
Compliance having a major role to little involvement at all. In some cases, Compliance had primary responsibility, assessing
the training required, developing the necessary materials and delivering the training sessions, using a combination of direct
and e-learning methods. Alternatively, Compliance worked closely with HR to design and deliver such training.

Further developing the role of the compliance function

What role did Compliance play in promoting the development of the compliance function? Dutch respondents mostly
stressed their efforts to raise Compliance's profile externally through publications, networking, and so forth. Other
respondents mentioned internal communication initiatives, such as newsletters.

Clearly, this role was not an explicit remit in many cases, although implicitly Compliance drove the process. Some
respondents stressed senior management's responsibility in the development of the compliance function but Group (or head
office) Compliance often had a major role in enhancing the Compliance network within the organisation, through both
feedback from the network and close collaboration with management. On-site visits by Group Compliance were also used to
support the development of the function overall. Key here was the way in which Compliance was structured within the
organisation and its reporting lines (discussed in the next section).

Overall, as suggested earlier, respondents felt that a considerable amount of work was still required to develop the role,
and that longer-term strategies were under-developed.

Specific challenges identified for the compliance function

General:
Allocating compliance resources effectively in order to manage risks appropriately
Appropriate sharing of compliance monitoring responsibilities between Compliance and business (the issue of operational compliance as regards day-to-day transactions and Compliance's oversight role)
Being able to advise management appropriately in light of complexity of business, speed of regulatory change and lack of clarity regarding regulatory expectations
Increased appetite amongst regulators for enforcement.

Resources:
Lack of appropriate technological infrastructure: working with legacy systems to generate management information for compliance
Inability to justify the cost of compliance
Variable technical capabilities of compliance staff.

Culture:
Acceptance of compliance by front office units
Corporate wide education as to the role of compliance and the obligations of the staff thereof
Ensuring that business units are compliant
Ensuring compliance becomes more involved in strategic decision-making
Embedding compliance within the business
Balancing stakeholder, management and regulators' requirements.

What competences does the compliance function now need?


"A personal profile characterised by qualities of discretion, neutrality, independence of judgement and professional knowledge and experience of the activities of the company."

The enhanced role of Compliance as an advisor to management raised issues around the competences of compliance officers
and staff at both group level, and within business lines/operating units. Respondents indicated that a key competence is a deep
knowledge and understanding of the business, combined with strong influencing skills. In the US and UK, the tendency in the
past for Compliance functions to be managed and staffed primarily by lawyers or accountants was changing. Compliance
functions were being reconceived to encompass a relatively broad blend of skills and experience. In Continental Europe, Japan
and Hong Kong, the trend was to configure compliance functions on this basis from the outset. A French respondent indicated
that the compliance function's current complement included lawyers, accountants, and internal controllers, together with former
regulators, analysts, front-office staff and policemen. An Italian respondent said that the compliance officer should have a
systemic view of the business, good analytical and process innovation skills, as well as good communication skills.

Not surprisingly, given this perceived range of required competences, respondents indicated that there were no pre-
requisites for qualifications for compliance officers and staff, except in securities firms where there was a preference for a legal
background. A number of respondents, principally in Continental Europe and Hong Kong, did indicate that a university degree
was required. An Italian respondent suggested that the range of responsibilities of the compliance function actually necessitated
a business degree.

Reflections
Clearly, organisations are at different stages of evolution in defining the roles and responsibilities of the compliance function.
Compliance functions themselves - within individual organisations - are also at different stages of evolution. In some regions,
Asia for example, many aspects of management, including compliance activities, are not yet clearly defined. For compliance
to be recognised as a business facilitator as well as a protective capability - comparable to credit risk management (for
example) - management attitudes need to evolve further. Having defined compliance risk - and the overall scope of
Compliance's remit - a key management goal must be to strike the right balance between Compliance's police officer and
counsellor roles, against the backdrop of the relative strength of the compliance culture within the organisation, i.e., how
deeply a sense of integrity is ingrained. Here again, it is a question of determining the essential roles and responsibilities, and
ensuring that each aspect can be addressed appropriately by Compliance or, where necessary, another control function
supporting Compliance. However, the compliance function shares responsibility for creating and maintaining this balance.

Compliance skills and competences


From the study, it is clear that compliance officers believe that their ability to create this equilibrium depends on the level of
trust generated in the business. They strongly emphasised personal qualities: the ability to engender respect in the business,
discretion, personal integrity, fairness and independence of judgement, as well as the clout of the compliance officer (which
today often derives from his/her seniority), as well as perceived standing with the regulators. However, in order to ensure the
effectiveness of the compliance network overall, compliance officers' ability to influence business decisions should not rely
on the level of seniority, but rather on their knowledge of the business and of the regulations applying to it, combined with
insight into regulators' intentions.
Given these qualities, the principal prerequisite for engendering trust is pragmatism - the ability to find appropriate, timely
solutions to compliant but profitable business. To be pragmatic, compliance officers and staff need to focus on business actuality
- the competitive challenges business faces today - in the context of past/current compliant performance and future regulatory
requirements. Compliance, in some ways, needs broader vision than business itself, and the ability to communicate this vision
coherently. This, however, may be a tall order when i) Compliance does not report to the right people at the right levels, ii)
appropriate remuneration policies are not in place (and the appraisal process is driven by business and business constraints), iii)
relatively junior staff are involved in influencing business decisions and iv) there are difficulties in ensuring equivalent competences
in compliance staff throughout the compliance network.
The blend of skills and competences required by today's compliance function - to achieve the police officer/counsellor
balance - presupposes a mixture of personality types, and the need for good communication within the compliance function, as
well as team-building and leadership skills in the compliance officer. This reinforces the importance of clearly defined roles and
responsibilities within the compliance function, particularly in terms of interaction with various internal stakeholders, such as
internal audit, risk management, human resources, and so forth. It also suggests that considerable attention needs to be paid to
ongoing training of compliance officers and staff, progressively building the necessary competences, as the roles and
responsibilities of the compliance function evolve. Training needs to encompass not only regulatory developments, but also
important business and market developments, together with competence-enhancing education (e.g. interpersonal skills,
communication skills, team building, etc.).
Some aspects of the overall programme need to be organisation-specific, taking account of the nature and scope of the
business(es) and the configuration of its compliance function. However, given the relatively unique skill-set required for
compliance officers and staff, internal training could be greatly supplemented by increased external peer-group interaction.
The lack of access - except in Anglo-Saxon countries - to external education programmes for compliance officers and
staff may impede ongoing professionalisation of the compliance function. There are moves to establish compliance officer
associations, or institutes, in certain countries in Continental Europe. Luxembourg has had a Compliance Officer Association
since 2000. The Swiss Association of Compliance Officers was established in 1998. Additionally, the nascent European
Compliance Association runs annual conferences for compliance professionals which have been well-attended. In other
countries, industry associations (e.g. the Belgian Bankers Association) are beginning to focus on providing compliance-related
training. This is an issue which needs further attention broadly in non-Anglo-Saxon countries.
The benefits of compliance associations could extend beyond training and education, however. National, regional and,
indeed, international compliance institutes or associations could eventually provide a much-needed interlocutor for regulators.

Perfecting the balance


Prevention is better than a cure

The role of trusted advisor shifts the balance more towards preventative measures than has necessarily been the case in
the past in Anglo-Saxon countries. Effective prevention requires a multi-pronged, holistic approach (which naturally may
instigate corrective measures):

Anticipating regulatory intentions, and making an early assessment of potential impact on business from a compliance
perspective, coupled with effective lobbying, can help ward off or rationalise requirements where the cost may far
outweigh the potential benefits. Such assessments also feed into longer-term strategic business considerations.
Correctly interpreting new regulations, and the specific implications for business practices and processes, can ensure
that suitable plans are made to adapt business practices and processes to the new requirements in a timely and cost-
effective manner.
Thoroughly assessing compliance risks, in terms of their probability and materiality in line with the risk tolerance of the
organisation, enables effective prioritisation of scarce resources.
Ascertaining whether existing business processes are configured to be compliant, and that technology facilitates this, can
i) clarify inherent difficulties and risks of non-compliance, and ii) simplify the adaptation of business processes to reflect
new regulatory requirements.
Ensuring that sufficient knowledge of how to remain compliant guides day-to-day business through appropriate hand-
holding, training and awareness raising initiatives, and appropriate communication strategies, which simultaneously
enhance business knowledge of compliance-related issues and the profile of the compliance function.
Ensuring that compliance ramifications are fully considered in all new business ventures and transactions, from both a
strategic and a tactical perspective, in order to effectively streamline innovation and associated costs.
Analysing trends to ensure that potential systemic compliance weaknesses are identified early is essential in the context
of a dynamic business environment.

Interface with regulators

As we have seen, study respondents identified the principal challenges to achieving compliance as the rising bar of
regulatory expectations, uncertainty due to regulators moving the goalposts retroactively, and the increased, and increasing
forcefulness of both regulators and law enforcement. Particularly, they stressed that detailed rules can create cost
impediments to business. Nevertheless, ultimately, compliance, like risk management, is one of the costs of conducting and
staying in business. In order to be in a position to advise business proficiently, Compliance needs to play an active and
intrinsic role supporting management in interfacing with regulators in terms of all four aspects of the regulatory relationship
mentioned above. In effect, Compliance can represent an effective communication conduit between management and the
regulators.

The police officer informs the counsellor

The pendulum should not be allowed to swing unreservedly in the counsellor direction. Compliance has a critical role to
play in compliance oversight and monitoring in order not only to provide the necessary comfort to (senior) management but
also to frame the advice it provides going forward. A clear delineation needs to be set between "doing compliance" and
monitoring compliance. Sufficient knowledge needs to be ingrained in the business in order to execute the necessary
compliance controls: this responsibility should not be confused with the role of oversight and monitoring which should
remain with the compliance function (whether or not supported by other control functions, such as internal audit). Admittedly,
this distinction can be difficult to achieve at the local level. However, management needs to clearly differentiate between the
two roles, and their intrinsic, separate importance when configuring the compliance function, setting compliance objectives,
allocating resources to the compliance function and determining the nature of its interaction with other support and control
functions both in the short- and longer-terms.
Evidently, to be able to advise management and the business proficiently, compliance officers need a deep
understanding of the business, a detailed knowledge of relevant regulations, and insights into regulators' expectations, as
well as pragmatism. Many respondents stressed, however, compliance officers' communication and influencing skills as key
to engendering trust. How well their advice is trusted, however, should not rely solely on their influencing skills: management
should always be prepared to listen and act.

Based on our analysis, we suggest that:


Boards and senior management should focus more on frequency, timeliness and consistency of reporting, as a
means to deriving additional comfort that current business transactions and practices are much less likely to
generate future compliance problems
Compliance officers, with management support, need to focus more on developing their business vision - the
ability to advise management on compliant, but profitable, business solutions
Compliance must be prepared to advise management at an early stage on all new business ventures and
transactions, including new products, entry into new markets and mergers or acquisitions, as well as
outsourcing or offshoring initiatives. (Commensurate with the organisation's maturity in terms of its underlying
integrity, the compliance function will need the authority to escalate or inhibit any activities which may raise
longer-term compliance issues until such times as it can function, primarily, in an advisory capacity.)
Compliance, supported by management, needs to strive to enhance the dialogue with regulators - and other
industry participants - to improve the depth of general understanding of the challenges faced by compliance
functions, across organisations and across borders.
There should be continuous focus on the blend of skills and competences within the compliance function
overall, ensuring suitable broad-based training for compliance officers and staff.
Compliance officers should help themselves, and their firms, by further developing their profession through
industry fora, groups and associations.
In addition, we suggest that rating agencies should take more account of the role and potential contribution of the
compliance function to the overall strength and quality of the organisation.

One configuration does not fit all


Introduction
Regulators want Compliance to be independent from business to ensure its effectiveness as a corporate governance tool.
Certain jurisdictions have issued specific regulatory guidelines on the configuration of the compliance function aimed
particularly at protecting independence. However, these frameworks rarely transcribe, easily, into practical organisational
solutions.

Respondents suggested various combinations of factors to ensure independence:

1. Specific legal requirements for the independence of the compliance function

2. Governance structures:
Frequent reporting directly to senior management or the board
Direct access to the board
Direct functional reporting within the compliance function up to senior management/the board, not to business line
management

3. Dedicated human resources:


Compliance officer(s) cannot be dismissed by management, without approval by the board
Personal integrity, personality and seniority of compliance officer
Control (hiring and firing) of compliance staff remains the remit of the compliance function
Compliance charter (or similar) ensures clear allocation of responsibilities to the compliance function

4. Relationship with business:


Freedom of access to all areas of the business
Appropriate authority for the compliance function (e.g. right to veto new business)
Budgeting - Compliance not reliant on business lines for resources
Distance from business decisions - Compliance only acts in an advisory capacity.

Governance structures

"The inherent conflict is recognised, but this is dealt with appropriately through safety valves."

The majority of respondents indicated that the group compliance officer reported either to an executive member of senior
management (e.g., chief executive officer, chief risk officer, chief operating officer, general counsel) or directly to the board of
directors. Some respondents indicated full board responsibility for oversight was delegated to a suitable board committee
(e.g. audit and compliance committee, risk and control committee, etc.). Respondents - generally - indicated that this
approach was adopted also at the divisional level and at legal entity level (where it may be mandated by local regulatory
requirements), in addition to reporting hierarchically within the compliance network. Board oversight charters, or similar, were
in place in 51% of respondents. Most respondents also said that their reporting lines were formally documented,
reflected in organigrams, and often posted on the organisation's intranet. Similarly, compliance representatives in branches
reported to Group/HQ Compliance and local management/boards. Not all respondents had direct access to the board.

Many respondents stressed the dual reporting lines of the compliance function as a means to ensure independence.
Organisations with group compliance functions showed a 50/50 split between embedded compliance staff reporting
hierarchically to Group Compliance (centralised) or directly to senior business line management13 with dotted line reporting
to Group Compliance (decentralised). All considered business line management ultimately responsible for compliant business
practices and processes but some respondents believed that this responsibility needed to be reinforced by embedded
compliance staff reporting directly to business line (senior) management. Others, however, believed that Compliance's
independence could only be assured if there were direct functional reporting within Group Compliance as this approach
provided comfort to senior management at group level and also a suitable framework for appraising compliance officers and
staff on the basis of their allocated responsibilities, both as individuals and as part of the group compliance network.

The potential conflict of interest arising from Compliance's need to stay close to business on a day-to-day basis was
controlled by the tone at the top, as well as a combination of other safety valves including:

Group audit: obviously an important safety valve, all respondents confirmed that internal audit scope included the
compliance function, and also that it reviewed business for compliance with the organisation's policies and procedures,
including compliance with laws and regulations.

[Figure: Decentralised (dotted reporting to Compliance) - organisation chart: Board with Audit Committee, Risk Committee and Compliance Committee; CEO; Group Risk Management, Group Compliance and Internal Audit; divisions DIV A, DIV B and DIV C each with a Compliance unit (AML, Data privacy, Conflict of interest, Market abuse, etc.); legal entities LE1, LE2 and LE3 each with Compliance. Source: PricewaterhouseCoopers]

13 It was always clear whether compliance function reporting was operational or functional within separate lines of business.

Risk control: Some respondents indicated that, separate to internal audit, risk control functions also had responsibilities
relating to compliance risk.

Group compliance policies and procedures: Group policies were often used to establish minimum standards for compliance
throughout the organisation (see p. 32).

Operational compliance committees: A limited number of respondents said that there were operational compliance
committees, comprising various stakeholders (including legal, internal audit, human resources, etc.) often at functional
director level. However, one European respondent noted experience has shown that the benefits of Compliance
Committees are limited in terms of large organisations (when multiple stakes are at play) and are more effective in smaller
organisations/parts of the organisation when all key stakeholders can be represented on the Committee.

Internal alert programmes: Sarbanes-Oxley requires the establishment of an (external) whistle-blowing system. This has had
an extra-territorial impact, even for non-SEC registrants. Regulators are exerting more pressure on firms to introduce whistle-
blowing, internal alert programmes or ethical hotlines. External alert programmes, however, are rare, except amongst SEC
registrants. Most Anglo-Saxon respondents indicated that while internal alert programmes had existed for some time, these
were not always anonymous (i.e. confidential) systems. However, some doubt was expressed over the need for anonymous
systems if an effective compliance culture exists, and also over their efficacy. Many felt that alerting Compliance should
suffice. In a number of countries, there was a common obligation on employees to report breaches of codes of ethics and/or
conduct. Nevertheless, clearly national cultural constraints impacted the introduction, or ongoing effectiveness, of
anonymous whistle-blowing systems.

Effective escalation procedures: 52% of respondents indicated that escalation procedures were the responsibility of
management (either senior management or business line management). Where the nature/materiality of a breach
warranted it, business line management reported to senior management/the board, and Group Compliance. 59% of
respondents indicated that the compliance function had clearly defined responsibilities in relation to escalation. A number
of respondents in Anglo-Saxon countries indicated that they had a specific database which tracked issues, and their
rectification, throughout the organisation which supplemented formal escalation and breach/weakness reporting
procedures.

Frequent board reports: As indicated earlier, there was a wide difference in the frequency of reporting to the board:
however, many respondents supplemented this formal reporting by frequent formal and informal reporting to senior
management.

[Figure: Decentralised (direct, hierarchical reporting to Compliance) - organisation chart: Board with Audit Committee, Risk Committee and Compliance Committee; CEO; Group Compliance and Internal Audit; divisions DIV A, DIV B and DIV C each with a Compliance unit (AML, Data privacy, Conflict of interest, Market abuse, etc.); legal entities LE1, LE2 and LE3 each with Compliance. Source: PricewaterhouseCoopers]

[Chart: Whistle-blowing systems (Yes/No, percentage of total responses) - segments of 52 and 48]

Structuring the compliance function


"A key issue in structuring the compliance function is the delineation between the different control functions. The compliance role can be chopped up in many ways: the essential thing is to ensure that everything is covered by someone and that it is clear who is doing what."

Obviously, organisations had paid considerable attention in recent years to the structure necessary for the compliance
function. Amongst the international players - across sectors - a common conceptual approach for structuring the function
was developing, heavily influenced by regulatory guidance. The trend was to establish a group compliance function
supported by, and supporting, compliance functions within business units and at local entity level. As indicated earlier, an
understanding of the different roles and responsibilities of the group compliance function, versus business line or entity
compliance officers and staff, was also crystallising.

From the discussions, determinants of the compliance function structure included:

Structure of the wider organisation
Scope and scale of compliance function activity
Regulatory requirements in terms of compliance structures both at the group, business line, subsidiary and legal entity
levels
Improving risk management structures, often in the context of new regulatory requirements (such as the Basel II
requirements).

However, it was not clear that organisations were always getting it right. There were indications of classic problems of
organisational design or redesign, balancing apparently competing regulatory requirements within existing organisational
structures, while trying to maximise opportunities and managing costs.

The study showed a trend for two main approaches to the organisation of the group compliance function: by function
or by issue. The functional split reflected the range of compliance function activities, recognising the different
skills/competences required to undertake the related tasks. In certain cases, the split by issue was clearly the result of an
organisational trajectory: for example, where regulatory requirements for AML compliance officers pre-existed more general
compliance requirements (and continued to exist). However, respondents contended that a split by issue made sense
because different issues required different compliance strategies throughout the organisation.

Group Compliance Functions

Organised by Function:
Compliance monitoring
Compliance policy and procedures
Training
IT

Organised by Issue:
Market regulations
Personal behaviour (employee dealing, fraud, insider trading, etc.)
Anti-money laundering
In many cases, this concept appeared to underpin the overall approach to compliance functions within the organisation
(also mirroring management structures). Many respondents had a relatively small group compliance unit, with supporting
compliance structures within business lines. The organisation, and focus, of the compliance structures within each business
line would vary to respond to the specific risks in the business. In mono-sector institutions, or within individual business
lines, the compliance function was most frequently organised on a regional, then local basis. One institution indicated that
local compliance co-ordinators had been appointed in legal entities through which different business lines operated.

Full-time equivalents in group compliance functions ranged from two to 40, but the majority of respondents had between
10 and 15. This was the case for banks, insurers, and financial conglomerates. Some respondents indicated that the
compliance function at divisional HQs was larger than the group compliance function. Comparing the total number of
compliance staff with total employees, international organisations ranged between 0.24% to 0.65%, and regional
organisations between 0.16% and 0.24%. Indications were, however, that the percentage was considerably higher in
securities firms and investment managers. It must be stressed that these percentages are purely indicative: not all
respondents were able, or prepared, to provide staff numbers. Total numbers were not always available where a
decentralised organisational approach to the compliance function was adopted. Additional work in this area could help
provide useful benchmarks for industry generally and across sectors.

Specialisms within compliance functions

Regulatory requirements for compliance officers for specific issues such as anti-money laundering, anti-fraud, privacy, insider
trading and in France ethics (déontologie), often pre-existed the wider requirement for a compliance function in a number of
countries. In Belgium, there has been a requirement for a compliance officer for special mechanisms, basically focusing on
anti-fraud and tax evasion, for close to 20 years. Clearly, the study showed that the trend was to rationalise the scope of the
compliance function by aligning these dedicated specialists closely with, or integrating them into, the generic compliance
function while retaining their specialisms (except privacy and data protection specialists who were generally separate). Within
international institutions, integral AML global networks organised regionally and locally worked within or alongside the
compliance function. Management, in certain organisations, had established dedicated teams to focus on other specific
areas of compliance risk. One international German institution, for example, had established a global division specifically
dedicated to monitoring and managing conflicts of interest, reflecting a German regulatory requirement.

How does Compliance interact with other support and control functions?

Where Compliance sat, organisationally, within the overall corporate control and support infrastructure influenced the approach
to compliance function organisation, and its interaction with other support functions. The study showed that a number of
organisations in the more advanced countries had recently reappraised this situation. In 49% of cases, compliance functions
were stand-alone functions, often reflecting explicit regulatory requirements. A close alignment with legal (e.g. with both
Compliance and the legal department reporting to the general counsel) was the next most popular approach. 16% of
respondents, primarily located in Australia and the UK, indicated that Compliance was embedded into risk management (e.g.
with direct reporting lines at the group level to the chief risk officer). In 8%, Compliance was one of several control and support
functions (including internal audit, legal, risk management) reporting to one individual. Only 2% were aligned with internal audit.

Chart - Configuration (% of respondents): Compliance separate 49; Compliance aligned with legal 25; Compliance embedded
in risk management 16; Other 8; Compliance aligned with internal audit 2.

Interestingly, some institutions directly associated quality, security or corporate social responsibility with compliance,
with staff within the compliance function focusing on these issues.

"The risks related to non-compliance are a specific part of the whole range of risks the company has to deal with."

The study indicated that the interactions with other support and control functions were not necessarily fully recognised, nor
fully exploited, by all organisations in the study (see Reflections section below). Clearly, there were different views on the nature of
the interaction14, particularly in relation to the risk management or risk control functions. The interaction ranged from an integral
part of risk management to no involvement at all. One North American respondent stressed that organisational integration with
risk management should be avoided, as this could jeopardise the independence of the compliance function. Strategic integration,
however, in terms of how risks were assessed was critical.

Many respondents recognised the potential overlap with operational risk management in identifying and assessing and
- to a certain extent - monitoring compliance risk, but many stressed the essential differences in focus. One UK respondent
noted that operational risk management's focus was far more transactional.

In terms of communication, formal, regular lines of communication between risk management and Compliance were established in
some organisations. One Belgian respondent indicated that risk management systematically provided Compliance with
information on compliance risks, deficiencies and controls. In others, communication lines were informal or concentrated
around specific issues, such as new products.

Some respondents emphasised that operational risk and Compliance had a similar status, but this was not always
the case. In some cases, operational risk management reported to Compliance on all compliance-related issues it identified.
In others, however, Compliance was apparently subservient to operational risk. Some respondents felt that the tangible
benefits of effective operational risk management - where good practice may translate to regulatory capital savings in the
context of Basel II - put Compliance at a disadvantage, as the benefits were intangible. As previously seen, others
mentioned that the intention was to leverage the databases developed for Basel II operational risk purposes to support
compliance monitoring throughout the organisation. Several respondents indicated that the interaction between risk
management and Compliance was not as good as it should be.

14 The previous section looked at the relationship with internal audit and the legal department, see pp. 26 and 31.

How does Compliance interact with front-end businesses?

Asked how compliance interacts with front-end businesses, responses ranged from "compliance interaction with front-end
business units is based on trust and established relationships" to "the business units expect not to be disturbed in their
activities by Compliance". In the majority of cases, respondents indicated that the interaction with front-end business units
was based on a combination of formal requirements (mission statement, charter, etc.) and informal relationships, through
day-to-day advice on business transactions and involvement in relevant committees. Getting the right balance between
monitoring compliance by business units and providing advice was often difficult to accomplish. One respondent noted very
strained relationships with business where compliance was perceived as a business inhibitor. One international respondent
indicated that the formal requirements included a mandatory allocation of compliance responsibilities to line managers.
A similar approach was evident elsewhere where businesses were required to do periodic self-assessments against
compliance objectives (and report to Compliance).

Many respondents said that business expected Compliance to provide (i) guidance, support and advice, and (ii) training
and education. Others believed business units only expected clear working instructions: however, surprisingly, no significant
emphasis was placed on Compliance's monitoring and oversight role. Business units sometimes confused the role of
Compliance with that of the legal department or just did not have a clear conception of the role of Compliance. To address
this, some respondents indicated Compliance, on an annual basis, provided business unit heads a summary of the main
responsibilities of Compliance towards the business, covering what it will do and why (on a risk-based basis).

Only 12% of respondents indicated that service level agreements (SLAs) had been established with business
lines/entities, and even fewer with audit, legal, risk management, etc. 58% of respondents indicated that there were no SLAs
in place. Two respondents indicated that SLAs determined the basis for re-invoicing the costs of compliance to the business
units. A number of respondents said their intention was to establish such agreements primarily with other functional
collaborators (internal audit, risk management, etc.). A lack of formality sometimes resulted from the organisational structure:
one respondent commented that due to the structure, where all support and control functions reported to one person, such
agreements were unnecessary.

Service Level Agreements (Compliance: % of overall responses)
- With business 12%
- With audit 6%
- With legal 1%
- With risk management 3%
- With others (e.g., HR) 4%
- Respective responsibilities established in mandates/plans 27%
- No SLAs 58%

Reflections

As the compliance function strengthens within a financial services organisation, its role will have to be clearly defined in order
for it to i) provide senior management the assurance that specific compliance, reputation and business risks are being
managed and ii) inform senior management of the compliance risks inherent in the business. The range of activities to be
undertaken by the compliance function, as determined by management, will impact on its structure, costs and ability to
attract new talent into the function. While the study participants acknowledged that the evolution would take time, the range
of activities of the compliance function differed significantly across national, regional and industry boundaries.

A clear strategy will need to be developed in terms of the current configuration of the compliance function, and its
future evolution, to ensure effective use of the compliance function's resources and influence. Simply overlaying Compliance
onto an existing organisational context, or onto other risk management initiatives - pasting over identified gaps in effect - is
not often the right approach to ensure optimal efficiency and effectiveness of the compliance framework and the compliance
function. Indeed, political constraints could jeopardise the longer-term value of the compliance function. Essentially,
management must ask itself some probing questions, including challenging the role and existence of everything that makes
up the compliance framework.

Centralised versus decentralised compliance structures

Centralised and decentralised compliance models15 for the compliance function both have advantages. A centralised
model permits standardisation of compliance and reporting activities across the organisation, allowing for efficiencies in
training, cross-functionality, communication and resources. A decentralised model allows for a measure of customisation
so each business unit can meet the demands of its markets, locations and industries. Managers can closely monitor their
compliance activities and give employees a deeper sense of involvement in the process.

Centralised Compliance Model
Board of directors:
- Develops charter
- Makes compliance a major board oversight responsibility
Compliance office:
- Functions at the senior management level
- Led by chief compliance officer or other senior manager
- Monitors performance
- Oversees training and communication
- Maintains confidential liaison with the board
- Ensures allocation of proper resources
Business units:
- Assurances that controls and compliance activities are effective
- Ensures that employees adhere to policies and regulations
- Assurance that key suppliers are informed
- Ensure that employees know their roles and are prepared to execute them.

Decentralised Compliance Model
Board of directors:
- Develops charter
- Makes compliance a major board oversight responsibility
Compliance management:
- Functions at senior management level
- Co-ordinates compliance activities and reporting from business units
- Develops tools and templates for customisation at the business unit level
Business units:
- Appoint a chief compliance manager
- Gather and report compliance information to senior management
- Customise compliance work flow to meet industry and unit requirements

Source: PricewaterhouseCoopers Global Best Practices

15 For further information, see Global Best Practices website at www.globalbestpractices.com

The choice between a centralised and a decentralised structure should take into account the overall role to be played by
the compliance function at the local level. For complex organisations, a combination of the two approaches is often the most
practical, as it provides the flexibility to handle different business and national cultures. In many organisations, local
Compliance is operational, executing the necessary controls and procedures at the business level to monitor/ensure
compliance. Consequently, the ability of Compliance, at the local level, to oversee local compliance is potentially
compromised. Similarly, there is often a need to balance local compliance roles with local requirements, necessitating part-
time allocation of compliance responsibilities (and consequently the possibility of a blurred understanding of the role of
Compliance).

Safeguarding the compliance function's independence then relies on i) local management's attitudes, which can vary
from one location to another and ii) the effectiveness of Group Compliance's oversight capabilities. Whether companies
choose a centralised or decentralised model - or a combination - compliance operations affect the relationships and
workflow across the organisation, shaping the way senior managers, business units, internal audit, risk management,
employees, and compliance personnel work together. Clearly defining and managing these relationships within the
compliance framework is critical to achieving compliance objectives. The structure of the compliance function needs to
evolve as the compliance culture permeates the organisation:
- Centralised compliance functions do not necessarily succeed in balancing the control role with appropriate strategic
change management authority.
- Decentralised, and business-focused, compliance functions may have greater ability to influence tactical change but their
independence may be compromised because i) Compliance does not report to the right people at the right levels,
ii) appropriate remuneration policies are not in place (the appraisal process is driven by business, and business
constraints), iii) relatively junior staff are involved in influencing business decisions and iv) there are difficulties in ensuring
equivalent competences in decentralised compliance staff.
- The nature and scope of business activities often requires a combination of the two structures, adding to the complexity
in terms of evolution of the function overall.

Interaction with other functions


There are other considerations in determining the optimal approach. Appropriate interaction with other support and control
functions is key to ensuring the effectiveness and efficiency of the compliance function and the compliance framework
overall. The table below pulls together various ideas from the responses which elucidate the possible nature of the
relationship, and points of interaction.

Actor / Nature of interaction with compliance / Areas of potential interaction with the compliance function

Risk management - Collaborative, supportive
- Identifies and assesses risks, including compliance risk
- Contributes to compliance risk monitoring & monitoring plans
- Enhances awareness of compliance risk within the organisation
- Collaborates with Compliance in advising management (e.g., new products, new markets, etc.)

Internal audit - Collaborative, supportive
- Drives the adoption of automated controls for compliance risk work flow
- Provides input for overall compliance risk assessment
- Monitors business practice/processes for compliance, amongst other risks
- Assesses the effectiveness of internal controls around compliance risks
- Reviews specific areas of compliance risk, at the request of Compliance, as part of annual audit review
- Undertakes thematic reviews of compliance-related issues
- Participates in investigations into compliance weaknesses and breaches

Legal department - Collaborative, supportive
- Keeps abreast of developments in legislation and case law and helps interpret the consequences for the organisation
- Collaborates with Compliance in advising management (new products, new markets, etc.)
- Represents the organisation in legal matters and in terms of compliance incidents
- Collaborates with Compliance in cultivating relationships with regulators
- Supports Compliance with training of, and communication with, staff
- Participates in investigations into compliance weaknesses and breaches
- Provides advice on disciplinary matters

Corporate social responsibility (CSR) - Collaborative
- Links compliance processes to overall CSR responsibilities

Quality assurance - Collaborative
- Ensures coherence between quality assurance and compliance
- Reinforces the link between compliance and quality

Human resources - Supportive
- Helps implement regulations, codes of conduct, in staff handbooks and induction courses
- Assists with the development of policy concerning measures to be taken in the case of compliance incidents
- Helps administer/develop compliance training and communication
- Supports Compliance in terms of staff recruitment for sensitive positions
- Supports Compliance in the development of performance appraisal and remuneration systems aimed at stimulating compliant behaviour
- Leads dialogue with trade unions/labour relations (where relevant)

Corporate communications - Collaborative, reports
- Supports Compliance in issuing internal communications supporting compliant behaviour
- Ensures compliant external communications and public disclosures

Marketing - Reports, supportive
- Ensures compliant marketing information
- Supports Compliance in monitoring the external environment

Customer service - Reports
- Provides input to Compliance via reports on customer complaints

Based on our analysis, we suggest that:

- Boards and senior management should ask themselves probing questions about the current and future configuration
of the compliance function, the comprehensive control framework of the organisation and the optimal level of
resources - human, financial and technological. Senior management should continue to ensure that organisational
design does not impede the independence and effectiveness of the compliance function. Inter alia:
  - Senior management needs to reconcile the different approaches necessitated by divergent societal and business
cultures within its operations overall, with its associated strategies in terms of configuration, modus operandi and
resources of the compliance function.
  - Management should pay careful attention to the interaction with other control and support functions, and ensure
that the respective roles and responsibilities are clearly defined, and documented.
  - Recognising the dual role of the compliance function (counsellor and police officer), it should make sure that
the organisation's configuration is thoroughly assessed, both top-down and bottom-up, to permit appropriate
access to, and interaction with, front-line businesses.
- Regulators need to provide more guidance and clarification regarding their expectations of both management and
compliance functions, and be more transparent about them.
- Regulators should aim to be consistent, over time, and with other regulators, both nationally and internationally.
Compliance contributing value to business performance

Introduction

As we have seen, boards' and senior management's vision for compliance functions, including the role, responsibilities and
organisation of the compliance function, has evolved towards greater formalisation in recent years. However, coherent,
longer-term strategies, aimed at inculcating a sense of integrity into the business (demonstrable through associated
behaviours) and at ensuring that Compliance contributes value to business performance on an ongoing basis, were not yet
in place. One respondent said there was still some way to go to reconcile theory and practice. Based on our analysis, there
were three common, initial challenges:
- Assessing, monitoring and managing compliance risk within the context of overall risk profile of the organisation
- Quantifying the value of compliance, and balancing this against the costs
- Ensuring an appropriate technological support structure both in respect of the compliance function, and business
processes generally.

"A key difficulty in terms of compliance is the difference between theory and practice. In effect, there are perhaps three
levels: (i) the ideal compliant or compliance scenario (ii) the management decision (which in theory, is reached by weighing
all the pros and the cons, including compliance considerations) and (iii) the practical, compliant implementation of these
decisions."

Assessing, monitoring and managing compliance risk within the context of overall risk profile of the organisation

In terms of the main compliance risks faced by the organisation, responses split between specific regulatory requirements
(e.g. anti-money laundering, insider trading, and customer duty of care) and specific business areas (for example, investment
banking, private banking or wealth management). In terms of ranking of compliance risks, breaching legal/regulatory
requirements and reputation/brand risk (see p. 16) were followed by anti-money laundering and insider trading
requirements. Interestingly, there was not necessarily a direct correlation between respondents' conception of the main
compliance risks, the main challenges for the compliance function, and the perceived challenges to achieving compliance in
all cases.

Many respondents indicated that there was no common terminology (yet) within their organisations in respect of
compliance risk. Respondents, in all regions, indicated that work was currently underway to clarify key compliance risk
indicators, or key performance indicators, in different business lines. Compliance risk matrices were being developed to map
local regulatory and sectoral differences. One North American respondent indicated that a group risk assessment matrix was
used by compliance officers as the basis for conducting risk assessments in the lines of business. Many of the banks
participating in the study indicated that the risk assessment was either being driven by Basel II rules on operational risk, or
that Compliance planned to leverage data collected to better assess compliance risk. One insurer commented that business
units were scored on a scale of 1 to 10 according to several compliance indicators and risks, their readiness to take action,
receptivity to the risks, actual action taken, and reporting and goals reached.

Specific compliance risks identified16
- Anti-fraud legislation
- Anti-money laundering (and rising regulatory bar)
- Anti-trust legislation
- Complaints handling
- Conflicts of interest
- Consumer protection legislation
- Fat tail events
- Insider trading and market manipulation
- Internal organisation issues
- Know Your Customer rules
- Liability risk: risk of penalties
- Product development and administration
- Rogue employees
- Secrecy & privacy rules
- Technology risks
- Terrorism
- Third parties (joint ventures, outsourcing, agency agreements)

16 See also Annex II.

Additionally, the strength of the compliance network's relationship with business - and effective communication - were seen
as important mechanisms for identifying and assessing compliance risks. Formal risk assessment was also undertaken as a
result of periodic reporting.

Almost a quarter of respondents indicated that their organisation took a holistic approach to risk generally, identifying
and assessing compliance risk in the context of other risks (such as credit risk, market risk, operational risk). 40% of
respondents took a broad-based, strategic approach to assessing compliance risks, but here too a number of the
international players were reconsidering their approaches and work was in progress to enhance the granularity of their
approach, to increase their appreciation of both compliance risks and their interdependence with other risks. However, 21%
indicated there was no systematic assessment of compliance risks within the organisation.

Chart - Compliance risk assessment (percent of total). Categories: Holistic risk assessment; Work in progress; Broad based;
Partial; Starting point; No compliance risk assessment.

Many respondents indicated that compliance risk identification and assessment occurred as a result of various
activities within the organisation, not exclusively those of Compliance. Internal audit's role, as part of their annual audit
programmes inter alia, in the identification and assessment of potential compliance risks in the business was widely
recognised. As we have seen however, there was sometimes a lack of clarity between the role of Compliance and that of risk
management - particularly operational risk management - in terms of risk identification, assessment, monitoring and
management. Even in those organisations where compliance risk was perceived as an integral part of the firm's overall risk
management programme, clear links - or, more importantly, clear delineations - between the two in terms of relative
responsibilities were not always apparent.

Over 40% of respondents said their organisation had adopted a risk-based approach to monitoring compliance risk:
8% said that they had developed compliance dashboards. 18%, however, still operate in a fire-fighting mode, dealing with
issues as they arise as opposed to systematic monitoring.

Few took a risk-based approach to compliance risk identification and assessment, although some have begun to
assess the materiality and probability of compliance risks occurring.

Chart - Risk-based approach to compliance monitoring (% of respondents): Risk-based 41; Non risk-based 18;
No compliance monitoring plan 38; No response 3.

Quantifying the value of compliance, and balancing this against the costs

Cost of compliance

Only 49% of respondents indicated that there was an explicit budget for Compliance, and less than half of those had
complete discretion over how the budget was spent. One North American respondent indicated that a detailed, itemised
budget had to be prepared on an annual basis, to which Compliance then had to adhere. Others, however, emphasised the
need for the flexibility to be able to react to issues. Not surprisingly, respondents with recently established compliance
functions (within last year/18 months) indicated that budgeting was still work-in-progress.

Group Compliance was often budgeted centrally - and sometimes hidden in general corporate staff function overheads -
with businesses responsible for budgeting local compliance staff. The full cost of compliance, including costs at the
business level, was often not monitored closely (and, consequently, respondents could only provide indicative numbers, if
any, for overall costs).

One international bank said that it did not monitor the cost of compliance because it is seen as a very small proportion
of total costs. Other observations included:
- Compliance was simply a cost of doing business
- It was difficult to split the costs between Compliance activities and "what businesses need to have in place as a matter
of course" costs
- With limited resources, Compliance did not have time to analyse all the costs.

In some cases, Compliance still had significant influence in determining resources at the local level, but it often needed to
negotiate with business. As seen earlier, some international organisations indicated that there was a system whereby
compliance costs, notably the costs of Group Compliance, were charged back to business.

Holistic view of compliance costs
Costs of compliance
- Staff (FTE and part-time): salaries, benefits, training
- Wider education/communications programme
- Space, associated technology costs
Costs of non-compliance
- Financial penalties
- Remediation costs
- Suspension of business/business disruption
- Impact on cost of capital
- Impact on market share
Governance costs
Source: PricewaterhouseCoopers Integrity-Driven Performance TM White Paper, 2004.
In terms of the elements covered by the budget, most respondents indicated that the budget generally included staff
costs (i.e., salaries, benefits, training, and overheads), although in some cases specific authorisation had to be obtained in
respect of headcount from HR or senior management. Others indicated that the costs of compliance-related training
(particularly in terms of wider training programmes for business) often fell within the remit of HR or the training department.
No respondent indicated that a holistic approach was undertaken covering all potential costs of compliance (as shown in the
box above), although some of the more advanced participants indicated that these were under (some) consideration. Often,
certain costs of non-compliance (such as penalties, fines, legal fees) were tracked separately at a corporate level, or were
the responsibility of business. Few respondents took account of the impact of reputational damage on market share, even
those who indicated that reputation risk was the greatest concern to the organisation. Neither the costs of business
suspension/disruption, nor governance costs, were generally considered in the context of compliance.
Having said that, the majority of respondents indicated that there had been an increase in compliance costs over the
past three years - sometimes doubling or even trebling - as a result of staff increases (or increased seniority/quality of staff)
in order to respond to regulatory developments. Some indicated that business changes, such as mergers and acquisitions
and additional investment in technological infrastructure had also increased costs. Many anticipated that compliance costs
would continue to increase in coming years.

Measuring value added

Asked whether Compliance was seen as adding value to the organisation, 78% of respondents believed it was, although
22% of these qualified the answer due to the difficulties of measurement. One European conglomerate believed "an effective
compliance function enables the company to reach its goals; it not only prevents damages but increases the strength of the
company as well". For the remainder, Compliance was a legal necessity, a control function, or too immature for its value to
be recognised by the business.

Of those who said that Compliance did add value, none had yet developed a systematic measurement approach, but a
number of international organisations were working on this. Respondents indicated, however, that measuring the value was
difficult because it depended on inverse logic: i.e., non-compliant events not happening. As one European respondent
noted, an insurance policy's real value is only really appreciated when something goes wrong. One Australian respondent
noted that business perceived more value-added before the introduction of the Financial Services Reform Act, but not after
its introduction, given the need to comply with extremely onerous regulatory requirements (suggesting that Compliance was
held responsible for this). Additionally, when compliance arrangements were initially formalised or the scope extended, there
was often an increase in identified compliance weaknesses and breaches which management often found difficult to
reconcile with the increased costs of compliance. One North American respondent indicated that while its securities business
appreciated the value added by compliance, its banking business saw Compliance as just a tax.

However, as indicated earlier, Compliance was also seen to be at a disadvantage in comparison with other business risk
management functions, which were perceived as business enablers while Compliance was a cost of doing business. The
financial impact of credit, market and operational risk management was measurable in terms of potential reductions in
regulatory capital requirements. Some believed that the value of Compliance would only be recognised if a viable balance
were found with the costs.

Examples of how Compliance adds value

Logical Measures
- Quality and speed of regulatory interpretations, and related compliance policies and procedures
- Improved regulatory relationship, including good feedback from supervisory reviews
- Improved relationship with shareholders
- Improved relationship with customers (customer surveys)
- Positive feeling which comes from doing the right thing
- Good internal/external audit reviews of compliance function
- Compliant business decisions
- Speed of new compliant products to market
- Positive internal feedback from business (through surveys, 360 reviews)
- Compliance training assessments
- Effectiveness reviews of compliance function
- Compliant marketing documentation
- IT systems that are designed from the outset to be compliant
- Increased professionalism of Compliance
- Level of ethics/compliance culture throughout the organisation (internal surveys)
- Clarity and comprehensiveness of compliance reporting
- Timely rectification of breaches/deficiencies
- Results of compliance monitoring

Inverse Logic Measures
- Absence of fines/penalties
- Less fines/penalties than peers
- Insurance policy
- Absence or reduction of compliance breaches/deficiencies
- No reworking required to achieve quality
- Reduced complaints (less resources required for complaints handling)
- No licence withdrawals or restrictions
- Management and business silence
- Gate-keeping: stopping bad business decisions

Many respondents said that Compliance needed to market itself better internally: one compliance officer said "It is my
task to make compliance and its advantages more transparent and operationally workable."

Chart - Key performance indicators (% of respondents). Categories: KPI for compliance function; KPIs used for predictive
analysis; Starting to use/develop KPIs.

71% of respondents indicated that job descriptions and/or specific individual objectives had been established for
compliance officers and staff. Several respondents indicated that they were looking to introduce balanced scorecards for the
compliance function (although one European respondent indicated that a scorecard had been tried but had not worked well).

Developing key performance indicators (KPIs) - both for the compliance function and to measure compliant behaviour
in the business units - was considered difficult by most respondents, again due to the need to measure negatives (e.g., no
penalties, fines, breaches, etc.). Not surprisingly, 62% of respondents indicated that they did not use KPIs or, at least, not
yet. Where they were used, respondents felt they were in their infancy and consequently too generic. The majority of
international institutions were working on more granular KPIs. For example, they were looking to introduce metrics for
business compliance results such as number of regulatory investigations, number of audit findings, etc. Some respondents
stressed the importance of root cause analysis of breaches and weaknesses: assessments had to be made to determine No KPls

whether compliance breaches could/should have been detected earlier. Few, however, indicated that they used KPIs to
predict trends. Examples of generic KPIs
Training provided versus plan
Testing performed versus plan
Various tools were used to monitor compliance performance overall (including both the work of the compliance function and
Complaint volumes
compliant business practices), for example: Exception tracking
Number of advertisements reviewed
360 reviews Number of breaches (reported or not)
Internal surveys to monitor perceptions of the compliance function and the relationship with business, amongst other Audit reviews
things Results of regulatory examinations
Firmwide polls
Compliance dashboards, indicating for example issues reported to the regulators, fines paid, adverse findings, breaches,
Success at recruiting/training talent in the
weaknesses, inappropriate personal dealing
compliance function
Heat maps highlighting compliance risks Assessment of comprehensiveness of compliance
Controlled self-assessments of business (e.g., covering regularity of training, pre-clearance of trading, etc.) against monitoring
objectives Benchmarking quality of the organisation
Statistical analyses of complaints and breaches. Performance reporting on changes to compliance
policies and procedures
Quality of compliance culture
Some respondents indicated that they would like to benchmark themselves against their peers, but that this was not easy.
People retention
One international respondent noted that the US regulators were trying to establish benchmarks for their reviews - such as Negative press coverage
comparing the number of suspicious transaction reports submitted by banks. These benchmarks were unreliable, however, Number of regulatory inquiries, or enquiries
given differences in business activities, risk profiles and risk tolerance levels, etc. Overall relationship with regulators
Speed in addressing/rectifying breaches/weaknesses
56 PricewaterhouseCoopers - Protecting the brand, May 2005

Ensuring an appropriate technological support structure both in respect of the compliance function, and business
processes generally

Our analysis showed that Compliance was definitely lagging behind business in terms of the exploitation, and
understanding, of technology. While a large majority of respondents mentioned Compliance's use of intranets, email,
telephones, and so forth, only 14% of respondents focused on the wider use of technology - and the most cited example of
technology used was AML-related software. Notably, only 3% placed a heavy reliance on technology for compliance
monitoring purposes, using technology-based tools to analyse the outputs of compliance monitoring. One heavy technology
user, however, stressed that the efficient use of technology suitably streamlined (human) resource requirements, and
enhanced Compliance's global performance.
Only 17% of respondents used technology for knowledge management purposes within their compliance function.
Equally, when asked to what extent IT personnel were involved in the compliance programme, 43% of respondents indicated
that there was some involvement but only 28% felt that IT staff were knowledgeable about the needs of the compliance
function. In terms of new systems developments, 30% indicated that Compliance was involved, but in most firms, business
was the key decision maker in terms of prioritising systems projects. While most respondents gave Compliance equal
priority in terms of systems development (with appropriate justification), 20% of respondents said that compliance projects
were given low priority.
It was evident that, in the main, the use of technology was predominantly borne out of regulatory necessity rather than
business vision. For example, revised AML requirements and, in Europe at least, market abuse requirements, have acted as
the catalyst to the growing use of technology and the increased need for the compliance function to understand the
technology in use within their particular organisation.

Reflections

Significant challenges remain if organisations hope to reap the full benefits of improved compliance. Many organisations still
believe that a large part of the challenge stems from the weight of new regulations and uncertainty over their practical
application, and that conformance might undermine performance if regulatory requirements constrain the flexibility and
innovation of business models, and impose apparently unnecessary costs. Ultimately, however, compliance - like
performance - is a prerequisite for doing and staying in business. The compliance function provides one, albeit essential, tool
to enable management to fulfil stakeholders' expectations of integrity and to protect the brand. Compliance costs would
certainly appear modest when compared to the billions that can be wiped off share values if lapses in probity, governance or
codes of conduct come to light.

Essentially, meeting these challenges requires a more holistic and proactive approach to compliance which moves beyond
statutory expectations to embrace broader ethical and strategic considerations. It means understanding the essential link
between integrity, ensuring the right behaviours throughout the business and meeting strategic objectives. This approach
should focus squarely on encouraging appropriate behaviours and the achievement of compliant business practices and
processes (i.e., compliant outcomes) - rather than placing the onus solely on the compliance function.

Certain common elements underpin such an approach:

- Closer integration of governance, risk management and compliance structures, forming a practical continuum
  underpinning the overall integrity of the organisation and aligned to innovation and the achievement of strategic
  objectives
- A culture which breeds the right behaviours and instils integrity into the DNA of the organisation, fostering awareness and
  ownership of compliance at all levels of the organisation, supported by appropriate rewards, processes and procedures
- An extension of the role of Compliance to engage directly, and at an early stage, with those involved in tactical and
  strategic decision-making in areas ranging from acquisition to product development
- A clear definition of the relationship between the business as the first line of defence; the compliance function as the
  second; and independent assurance and non-executive directors as the third
- Coherent approaches to ensuring that business processes and procedures, generally, facilitate rather than frustrate
  integrity, and that robust technology infrastructures foster integrity-driven decision-making.

The shift towards a principles- or risk-based regulatory or supervisory approach in many countries would call for more
emphasis on the compliance function's advisory role: but it is a question of balance. Primarily, the organisation needs to
anticipate and quickly respond to the most serious threats to the brand, rather than seeking to comply with everything all of
the time. Management's success in configuring the business to achieve its performance objectives while remaining well-
managed (and consequently compliant) will predetermine the evolving role and ongoing efficacy of the compliance function.

Sustainable strategies for compliance functions

Having said that, we believe that a coherent, ongoing strategy for the compliance function has two dimensions, operating
against the backdrop of comprehensive awareness of stakeholder expectations and a maturing culture of integrity (see chart
below). From a practical perspective - in the context of the wider governance, risk and compliance approach - management
needs to ensure that the role of the compliance function evolves with the progressive achievement of compliant business
practices and processes, eventually becoming a proactive management discipline to protect the longer term health of the
organisation.

1. Ensure the longer-term viability of the compliance function:
- Provide adequate resources:
  - Focus on the costs of compliance, and who pays
  - Arm the compliance function with technological support appropriate for the business
- Establish clear delineation/allocation of roles and responsibilities between various control and risk management
  functions, optimising their complementary nature
- Manage the evolution of these roles and responsibilities over time
- Increasingly recognise compliance as a proactive management discipline and encourage the profession of the
  compliance officer
- Focus on the efficiency of the compliance function in its interaction with business
- Devise appropriate means for quantifying the value added by Compliance.

2. Integrate compliance into business processes:
- Clearly assign compliance responsibilities to board and senior management, and business line management
- Focus on engendering appropriate behaviours throughout the organisation
- Understand compliance risk through defining its nature in the context of comprehensive, granular risk assessments, and
  determine approaches to managing and mitigating this risk appropriate to the businesses and to the organisation overall
- Develop flexible but coherent compliance policies and procedures appropriate for the business
- Define strategies for balancing compliance risks against the costs
- Develop processes for establishing, reviewing and revising internal controls
- Ensure technology supports compliant outcomes
- Ensure ability to remain compliant in a dynamic business environment.

[Chart: Integrity-Driven Performance model. Outer ring labels recoverable from the extraction: Stakeholder expectations;
Ethical culture; Technology & process; Emerging standards; New requirements. Inner layers: Governance; Enterprise Risk
Management; Compliance; Extended Enterprise & Value Chain. Source: PricewaterhouseCoopers Integrity-Driven
Performance TM White Paper, 2004.]

Without a vision of, and belief in, the endgame of compliant business as a valid business goal rather than a reaction to
regulatory pressure, future difficulties for Compliance are anticipated, and not just in those countries where a compliance
function is relatively new. A major stakeholder in overall convergence, Compliance is not consistently allocated a clear role in
the change management process, nor given adequate resources to enable it to participate extensively. If regulatory pressure
should subside, and with it the fear factor, resources may be redirected to other perceived regulatory or business priorities.

Generally, respondents encountered few current problems in obtaining (human and financial) resources for the
compliance function (though clearly there is insufficient emphasis on optimising the use of technology). However, this trend
may not last if regulatory pressure declines and profits are squeezed. Organisations would benefit from less regulatory
enforcement, but to achieve it they need to strive for consistently compliant business practices and processes.

Comprehensive risk identification, assessment and management

A 2004 survey17 undertaken by PricewaterhouseCoopers and the Economist Intelligence Unit identified four reasons why risk
management remains primarily focused on meeting regulatory requirements and only secondarily on protecting and
enhancing the value of the franchise:
- A culture of risk awareness has yet to emerge
- Quantifiable risks are still the focus of too much attention
- Compliance is not being turned into competitive advantage
- The importance of governance is underestimated.

Clearly, this study shows that there is a growing appreciation of compliance risk as an integral part of the overall risk profile
of the organisation. However, the substantial interplay between the various risks faced by an organisation needs to be better
understood before it can be managed professionally. Management, evidently, needs to focus more on the granularity of
compliance risks, progressively undertaking detailed assessments throughout all levels of the business, enabling fuller risk
appreciation both top-down and bottom-up. As the 2004 survey indicated, considerably more attention is paid currently to
quantifiable risks, such as credit risk, market risk and operational risk, particularly in the context of the Basel II Accord. Much
of this effort, however, can feed into the assessment of compliance risks. The Risk Management Association's working group
focusing on key risk indicators has identified over 1,000 indicators which will offer its members a potential menu of options.

A balanced set of performance measures would focus on:

- Organisation, people and culture (e.g., ethics hotline statistics, employee survey results)
- Compliance process effectiveness (e.g., number of incidents/events, key process metrics around key issues)
- Key stakeholders (e.g., number and severity of regulatory issues, external press and market perceptions)
- Costs (e.g., direct programme costs, indirect programme costs, fines, penalties and settlements).

17 PricewaterhouseCoopers/EIU Briefing Programme: Uncertainty tamed? The evolution of risk management in the financial
services industry, July 2004

Quantifying the value of compliance


The study demonstrated that some progress is being made in quantifying the value of the compliance function, but reluctance
to measure the full cost of compliance - and non-compliance - remains. Measuring the cost is, however, essential to
discovering the inherent value. When compliance functions cannot measure their effectiveness and performance, they face
barriers to effectively carrying out their role within the organisation. Compliance touches almost every business process within
financial institutions in some way, and understanding this impact will help compliance functions better demonstrate their value.
This will provide their organisations with a sounder basis on which to build business cases for improving compliance
performance more widely.
It needs to be emphasised though that quantification may also be necessary to provide justification for maintaining - let
alone increasing - Compliance's human, financial and technological resources, if management attitudes do not evolve further.
The inability of Compliance to focus on cost and performance measurement is directly tied to the limited focus on the use of
technology, and to the perceptions of Compliance within organisations currently.

Technology
The apparently low level of knowledge of IT within compliance functions supports the view that, in many organisations, the IT
department is not considered to be a key stakeholder in the compliance function. Similarly, the responses also suggested
that knowledge within IT departments of the compliance functions requirements may also be limited. However, we believe
that technology is a key enabler to supporting compliance within the organisation, and presents a significant opportunity for
many organisations. There is also an opportunity to leverage technologies being put in place to support Basel II to better
manage compliance risk. Successfully establishing a sustainable and cost-effective process for on-going compliance
requires leveraging technology to achieve efficiency and effectiveness in a company's control environment, as well as in its
compliance process. This means the use of technology to:

- Control and manage processes that cut across systems and organisational boundaries. Compliance touches nearly
  every operating and administrative unit in an organisation so the task of controlling and managing the compliance
  process itself is huge. However, there is the equally massive task of controlling and managing the underlying business
  processes. Each of these requires appropriate application of technology in order to establish sustainable compliance. In
  the first instance, technology is used to facilitate retrieval and updating of documentation, analysis and status reporting.
  In the latter instance, manual controls are automated.
- Improve the quality of information and speed of delivery. Inaccurate, incomplete or late information impedes action.
  Reliable information increases confidence to take action. Appropriate use of technology can improve quality and speed by
  transferring data from one system to another, replacing manual processes for execution, analysis and reporting, challenging
  the quality of data, modelling alternatives and delivering reports and dashboard information to decision makers.
- Identify and manage events in a consistent and auditable manner. When incidents of non-compliance go unnoticed,
  risk increases. Technology is used to identify events and report exceptions. This involves optimising control capabilities in
  existing business and support systems, use of integration technologies to bring together information from disparate
  source systems and administering and monitoring of risk and control self-assessments and other surveys.
- Build accountability into the management and reporting of events. When negative events are noted (e.g., in a log file)
  but no action is taken, risk increases and poor information often contaminates subsequent processes. Business process
  management and business rules engine technologies help ensure action by creating a closed loop environment that
  incorporates accountability for each incident and requires action.
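The last two items above (identifying events from logs in an auditable way, and closing the loop so that a noted event cannot sit unactioned) can be shown in a few dozen lines. The following is an added illustration written for this page; it is not code from the report or from any PricewaterhouseCoopers tool. The log format, the event names, the three-failures-in-two-hours rule, the desk-to-owner mapping and the five-day deadline are all constructed assumptions.

```python
"""Closed-loop handling of compliance events (added illustration, not from the report).

A rule turns raw log lines into incidents that carry an accountable owner, the
evidence that triggered them, a due date and an action log. A separate check
surfaces any incident still open past its due date, which is the "noted in a
log file but no action taken" failure mode the text describes.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple, Union

# Constructed sample log: "<ISO timestamp> <event_type> key=value ...".
SAMPLE_LOG = """\
2005-05-02T09:14:03 TRADE_PRECLEARANCE_MISSING user=t101 desk=equities
2005-05-02T09:15:10 TRADE_PRECLEARANCE_MISSING user=t101 desk=equities
2005-05-02T09:40:22 COMPLAINT_RECEIVED user=c7 product=fund-a
2005-05-02T10:02:51 TRADE_PRECLEARANCE_MISSING user=t101 desk=equities
2005-05-02T10:30:00 TRADE_PRECLEARANCE_MISSING user=t202 desk=fx
2005-05-02T11:00:00 LOGIN user=t202
"""

# Constructed rule: this many pre-clearance failures by one user inside the
# window become one incident, owned by that user's desk head.
RULE_EVENT = "TRADE_PRECLEARANCE_MISSING"
RULE_THRESHOLD = 3
RULE_WINDOW = timedelta(hours=2)
DESK_OWNER = {"equities": "head.equities", "fx": "head.fx"}  # constructed


@dataclass
class Incident:
    key: str
    owner: str            # the accountable person, assigned at creation
    opened: datetime
    due: datetime
    status: str = "OPEN"
    evidence: List[str] = field(default_factory=list)   # the raw log lines
    action_log: List[str] = field(default_factory=list)


def _to_dt(when: Union[str, datetime]) -> datetime:
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


def parse_line(line: str) -> Tuple[datetime, str, Dict[str, str]]:
    """Split one constructed log line into (timestamp, event type, fields)."""
    ts, event, *kvs = line.split()
    return datetime.fromisoformat(ts), event, dict(kv.split("=", 1) for kv in kvs)


def identify_incidents(log_text: str, sla_days: int = 5) -> Dict[str, Incident]:
    """Apply the sliding-window rule and return incidents keyed per user."""
    window: Dict[str, List[Tuple[datetime, str]]] = {}   # user -> recent hits
    incidents: Dict[str, Incident] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, f = parse_line(line)
        if event != RULE_EVENT:
            continue
        hits = window.setdefault(f["user"], [])
        hits.append((ts, line))
        hits[:] = [h for h in hits if ts - h[0] <= RULE_WINDOW]  # drop stale hits
        key = f"preclearance:{f['user']}"
        if key in incidents:
            incidents[key].evidence.append(line)   # keep the audit trail growing
        elif len(hits) >= RULE_THRESHOLD:
            incidents[key] = Incident(
                key=key,
                owner=DESK_OWNER.get(f.get("desk", ""), "head.compliance"),
                opened=ts,
                due=ts + timedelta(days=sla_days),
                evidence=[h[1] for h in hits],
            )
    return incidents


def record_action(incident: Incident, actor: str, note: str, when: Union[str, datetime]) -> None:
    """Close the loop: an action is logged against the incident and it is closed."""
    incident.action_log.append(f"{_to_dt(when).isoformat()} {actor}: {note}")
    incident.status = "CLOSED"


def overdue(incidents: Dict[str, Incident], now: Union[str, datetime]) -> List[str]:
    """Keys of incidents still OPEN past their due date, for escalation."""
    now_dt = _to_dt(now)
    return sorted(k for k, i in incidents.items() if i.status == "OPEN" and now_dt > i.due)


if __name__ == "__main__":
    found = identify_incidents(SAMPLE_LOG)
    for inc in found.values():
        print(inc.key, inc.owner, inc.status, len(inc.evidence), "evidence lines")
    print("overdue on 2005-05-10:", overdue(found, "2005-05-10T00:00:00"))
```

The point of the design is that an event never exists only as a log line: the moment the rule fires, the incident already has an owner and a due date, the evidence is attached so the finding is auditable, and `overdue` gives management a list it has to act on rather than a log it may never read.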

An important lesson of the recent past is the recognition that compliance is ultimately executed at multiple corporate levels -
enterprise, business unit and business process. While many compliance functions have focused on the first two, companies
are discovering that the opportunity to create real value through technology lies at the business-process level. To capture
this value, companies must develop compliance technology architectures to pull together data from disparate systems,
using it to enforce compliance, improve data quality, or identify incidents. In taking this approach, companies bring
compliance to life for a fraction of the cost it took them to implement other business applications.

There is no single technology solution which enables the actions described above. Instead they are supported by
several building blocks, or types of functionality - some of which are available in most companies' current technology
environment. Others are available in the out-of-the-box solutions which are flooding the marketplace. A compliance
technology architecture incorporates components from each of the following:

- Core business processing: Core front, middle and back office systems, financial systems, human resources and other
  systems are used to run the business at most major companies. Many key compliance controls are executed in these
  systems, and much of the data to support compliance reporting, including key risk indicators, resides in these systems.
- Data integration: Ability to get information from core business systems to systems used for event identification and
  reporting. Technologies range from enterprise application integration to databases and XBRL/Web services.
- Process monitoring and event identification: Ability to apply key controls that cut across core business systems as
  well as identify and manage compliance events as business activities are occurring. Technologies that support this
  functionality include business process management platforms (which can be used to automate manual processes,
  enabling better process monitoring), business rules engines (which can help to set and manage thresholds and
  tolerances) and various process monitoring platforms such as AML technologies, business activity monitoring and
  security event management technologies.
- Core risk and compliance management: Functionality specific to the management of the compliance function itself,
  including the management of policies and procedures, the support of risk assessment processes, the facilitation of the
  analytical aspects of compliance/risk management, the project management of key compliance initiatives, the tracking of
  key compliance obligations and the organisation's performance against these, etc.
- Risk and compliance reporting tools: Address risk analytics, key performance indicators and management reporting.
  Technologies which support this functionality include business intelligence and corporate reporting platforms.

Based on our analysis, we suggest that:

- Management should strive for a coherent response overall to managing risk, developing holistic strategic risk
  assessments which explicitly encompass compliance risk within the overall risk profile of the organisation. Particular
  attention should be paid to the interaction between Compliance and other risk management functions, while
  recognising the difference in emphasis when managing compliance risk.
- As with any other intrinsic part of the business, boards and senior management should focus more on measuring
  the real cost of compliance and non-compliance, as a means to ensuring appropriate cost management strategies,
  ameliorating their understanding of Compliance's value, and finally permitting an effective balance between
  compliance costs and value generated.
- Equivalent, if not higher, priority should be placed on the development and use of technology able to help
  management to really understand, on a timely and consistent basis, what is going on in the business. From the
  perspective of the compliance function, a robust technological infrastructure entails both sophisticated tools for
  monitoring compliance in business activities, together with appropriate tools for streamlining compliance function
  activities, and facilitating knowledge sharing.
- Compliance should develop more in-depth awareness of the technologies used by the organisation, including legacy
  systems, and be consulted with regards to new systems developments. At the same time, the IT department should
  develop greater awareness of the needs of the compliance function.

ANNEX

Annex I

Overview of regional and national requirements for compliance functions


Asia and Australia

Australia

Legal base:
- Corporations Act 2001.
- Managed Investments Act 1998.
- Financial Services Reform Act 2001.
- ASIC Policy Statement 164: August 2003.
- AS 3806-1998: Compliance programs (Standard).
- SAA HB 133-1999: A guide to AS 3806-1998 Compliance programs (Handbook).
- Draft Prudential Standard: Compliance Committees for eligible foreign life insurance companies.

The first attempt in Australia to state objectively what was required for an effective compliance system was made in 1998 by
Standards Australia, when it released AS 3806-1998: Compliance Programs, after a long period of industry consultation. In
the same year, the funds management industry also came under increased compliance obligations with the enactment of the
Managed Investments Act 1998, which made it compulsory for all managed investment funds to have a compliance plan
registered with the Australian Securities and Investment Commission (ASIC) prior to becoming operational or accepting any
funds. Since that time, Australian regulators have increasingly acknowledged the important role of compliance systems in
supporting the development and maintenance of appropriate standards of corporate governance, codes of conduct and
ethics. This acknowledgement has been reflected in the reports of a number of Federal Government reviews of the financial
service sector, including CLERP 6, whose recommendations formed the basis of the recent Financial Services Reform Act
2001 which requires licensees to implement compliance programmes substantially based upon AS 3806. Maintenance of an
effective programme is required in order to meet the Australian Financial Services Licence requirements under that Act. The
latest example of the regulator focus on compliance is the release in December 2004 of the Australian Prudential Regulation
Authority's (APRA) draft standard that requires all eligible foreign life insurance companies to establish and operate a
compliance committee.
December 2004 also saw Standards Australia issue a new draft compliance standard aimed at responding to criticism
that the 1998 version of AS3806 did not provide sufficient guidance on how to implement an effective compliance
programme. The new draft provides additional guidance on the specific types of documents/activities that should be
undertaken when developing a compliance framework. In particular, it suggests that organisations should establish
compliance management processes, with a documented compliance management plan. A compliance policy should be
developed in consultation with interested parties within the firm, and endorsed by the board and executive. Business line
managers and staff should be made responsible for managing compliance, together with the board and top management.
Firms should also nominate a chief compliance officer (competent senior executive) who would take primary responsibility
for compliance issues within the organisation.
The new draft standard sets out rules supporting the development of compliance programmes within firms, for instance
by linking performance pay to achievement of compliance obligations. Senior management are charged with the
responsibility to promote awareness and train staff on the importance of compliance, in particular those employees whose
work activities have a potential to cause a deviation from compliance obligations. The draft standard also recommends that
firms document and report on compliance performance regularly to internal and external stakeholders. Regular reviews of
the compliance programme are also recommended to ensure that it supports the compliance objectives of the firm and is
adapted to the changing internal and external operating environment.

Anti-money laundering
Anti-money laundering requirements have existed in Australia for over 15 years, having been introduced by the Financial
Transaction Reports Act (FTRA) 1988. The Act did not specify the appointment of a compliance officer for AML purposes.
The FTRA covered cash dealers. New legislation, expected by the end of March 2005, is to be risk-based and have a
broader coverage of parties involved. It will cover parties involved in financial transactions (the legislation includes a broader
definition of a financial transaction) covering a much broader range of financial institutions, both bank and non-bank. It also
covers lawyers, accountants, bullion dealers and real estate agents.

Hong Kong

Legal base:
- Securities: Management, supervision and internal control guidelines for persons licensed by or registered with the
  securities and futures commission. April 2003. Securities and Futures Ordinance.
- Banking: Statutory guideline: IC-1 General Risk Management Controls (from the Supervisory Policy Manual).
- Insurance: Statutory guideline: GN10 Guidance Note on The Corporate Governance Of Authorised Insurers. Insurance
  Companies Ordinance.

In Hong Kong, financial institution supervision is shared amongst several regulators. The Hong Kong Monetary Authority (HKMA)
is responsible for banking supervision; the Securities and Futures Commission (SFC) is responsible for the market supervision
and regulation of the securities and futures markets; while the Office of the Commissioner of Insurance (OCI) supervises the
insurance industry. The Mandatory Provident Fund Authority oversees the regulation of the mandatory retirement funds.

The Commissioner of Banking (the former regulatory body for the banking industry) issued a best practice guideline on
Duties and Responsibilities of Directors of Authorised Institutions which stated that directors are held responsible for the
institution's compliance with the requirements under the Banking Ordinance. On 1 April 1993, the HKMA was established by
merging the Office of the Exchange Fund with the Office of the Commissioner of Banking. Under the statutory guidelines IC-1
General Risk Management Controls (from the Supervisory Policy Manual) specific provisions address the compliance
function. The HKMA website also makes reference to current work on developing more detailed compliance rules.

The SFC regulates the securities and futures market in Hong Kong. In the same way as banks, investment firms in
Hong Kong are required to have a compliance function, which implements compliance policies established by management.
The Management, Supervision and Internal Control Guideline broadly describes the compliance duties that may be
undertaken by the compliance function.
The OCI issued a guidance note which addresses corporate governance of authorised insurers. The guidance note
specified that the board must ensure corporate compliance with all the relevant ordinances, regulations, guidance notes,
industry standards and guidelines. An authorised insurer is encouraged to appoint a compliance officer to oversee
compliance by it and its staff with the relevant laws, regulations, guidance notes and industry standards and codes of
practice. The guidance note indicates that the compliance officer must also report to the board at regular intervals.

Anti-money laundering
The HKMA issued guidance on AML in 1997, which was subsequently amended to reflect the Organised and Serious Crimes
(Amendment) Ordinance 2000 and again in 2004. Current guidelines stipulate that an authorised institution must appoint a
compliance officer as a central reference point for reporting suspicious transactions. This compliance officer should play an
active role in the identification and reporting of suspicious transactions.
PricewaterhouseCoopers - Protecting the brand, May 2005 67

Japan
Legal base:
Banking Law
Insurance Law
Securities and Exchange Law
JFSA: Inspection Manual for banks, insurance companies and securities companies

The Financial Services Agency in Japan (JFSA), established in 2000, regulates the financial services sector. From 1998 to 2000, the Financial Supervisory Agency played the same role. Previously, the Ministry of Finance had long regulated the Japanese financial services sector.
In 1992, the Securities and Exchange Surveillance Commission was set up by an amendment to the Securities and Exchange Law. This Commission was empowered to survey whether rules are observed in the securities market. Under the Securities and Exchange Surveillance Commission, a self-regulatory body - the Japan Securities Dealers Association (JSDA) - established rules for its members in 1992 concerning the appointment of internal control managers. The JSDA requires all investment firms to appoint a general manager for internal control as well as internal control managers for each subsidiary. There are no specific rules for appointing compliance officers; however, the chief compliance officer is obliged to participate in a training programme organised by the JSDA every year. Firms are encouraged to appoint compliance managers who have passed the internal control manager certification examination held by the JSDA. The chief compliance officer should be a member of the board. The president of the organisation will determine how often the chief compliance officer will report.
Late in the 1990s, the JFSA decided to prepare its Inspection Manual, a guidebook both for its inspectors and for financial institutions. This guidebook covers compliance and risk management. The Inspection Manual for deposit-taking institutions was first published in 1999, followed by that for insurance companies in 2000, and the one for securities firms in 2001. In these Inspection Manuals, the JFSA provides that the compliance function should be marked as a first priority in managing financial institutions. For example, the board should discuss all compliance matters, as well as sales promotion; a compliance manual should be prepared and disseminated to all the employees; and the compliance programme should be approved by the board and executed regularly throughout the organisation.

Anti-money laundering
Anti-money laundering efforts were launched in July 1990 when financial institutions were required to identify their
customers. The Government also established the suspicious transactions reporting system requiring financial institutions to
file reports on transactions suspected to involve laundering of the proceeds from drug offences, under the Anti-Drug
Special Law which came into force in July 1992. Under the Anti-Organised Crime Law, effective February 2000, the
Government enhanced the suspicious transaction reporting system. The new law expanded the scope of offences to cover
all serious crimes. The law also empowered the Commissioner of the Financial Services Agency to collect and analyse
suspicious transaction reports and disseminate the information to law enforcement agencies. The Law on Customer
Identification and Retention of Records on Transactions by Financial Institutions came into effect on 6 January 2003. This
Law obliges financial institutions to perform customer identification procedures and keep records of their transactions.

Europe
European Union
Legal base:
Directive 2004/39/EC: Markets in Financial Instruments Directive (MiFID).
Directive 91/308/EEC: 1st Anti-Money Laundering Directive.
Directive 2001/97/EC: 2nd Anti-Money Laundering Directive.

Traditionally, EU legislation focused primarily on requirements for adequate administrative and internal control systems in financial institutions. With the recent adoption of the Markets in Financial Instruments Directive (MiFID), there is now an explicit requirement for investment firms and banks to establish a permanent and effective compliance function. MiFID is one of the first, and definitely the most extensive, pieces of legislation to be subject to the Lamfalussy procedure, whereby Level 1 legislation is adopted through the traditional co-decision procedure (involving the European Council and the European Parliament) and Level 2 legislation is developed by the European Commission, upon advice from a Lamfalussy committee - in this case, the Committee of European Securities Regulators (CESR) - and in collaboration with the European Securities Committee (comprising representatives of national governments).
Work is currently ongoing on the MiFID Level 2 measures. The European Commission recently announced a postponement17 in the date of implementation by one year to April 2007, to allow additional time to elaborate the Level 2 details and for regulators to implement the necessary national measures once these details are agreed. CESR's advice includes principles relating to the compliance function, compliance policies and procedures, and compliance oversight. MiFID, however, also establishes high-level organisational and conduct of business standards, covering issues such as managing conflicts of interest, best execution, pre- and post-trade transparency, customer classification and suitability requirements for customers.

There are no similar requirements, as yet, at the EU level for insurance companies.

Anti-money laundering
Two community directives have been adopted in the field of anti-money laundering, the first in 1991 and the second in 2001.
The first directive made the reporting of money laundering an obligation and required financial institutions to identify and
know their clients, to keep appropriate records, and establish anti-money laundering training programmes. The second
directive extended the scope of the directive beyond the financial sector (i.e. asset managers, insurance undertakings,
investment firms and credit institutions) to embrace professions such as accountants, external auditors and lawyers.
In June 2004 the Commission proposed a third AML directive, which is currently being considered by the European
Parliament and the Council of Ministers. The European Commission issued the draft directive in order to align EU standards
fully with the Financial Action Task Force on Money Laundering (FATF) 40 recommendations. Inter alia, it subjects insurance
intermediaries to equivalent requirements to those imposed on other financial services intermediaries.

17 Approval of the Council of Ministers and European Parliament currently pending.



Austria
Legal base:
Standard Compliance Code of the Austrian Credit Institutions Sector.
Standard Compliance Code of the Austrian Insurance Sector.
Standard Compliance Code of the Austrian Pension Fund Associations.

The requirements for an independent compliance function were introduced in 1993 on a voluntary basis, based on self-regulation by the sub-organisations for credit institutions, insurance companies and pension fund associations within the Austrian Chamber of Commerce. There are currently no legal requirements for the appointment of a compliance officer or the establishment of a compliance function. The main principles are:
Definition of restricted areas which will normally deal with sensitive information
Listing and monitoring of restricted securities (i.e. securities which must not be traded by the company or its employees)
Listing and monitoring of monitored securities (trades in these securities will be investigated by the compliance function).
Currently, the activities of the compliance function are limited mainly to the prevention of insider trading or other prohibited
transactions as defined in the Austrian Securities Exchange Act and the Austrian Securities Supervision Act.
Austrian anti-money laundering regulations adopted EU-standards in 1993. The most recent amendment was in 2003
when the 2nd EU AML directive was transposed. These regulations specify the appointment of an independent AML
compliance officer, who shall not have wider compliance responsibilities. In a circular in March 2004, the Austrian Financial
Market Authority (FMA) stated that, in principle, the compliance function, the AML compliance function and internal audit
must not be fulfilled by one organisational unit/person. Nevertheless they admitted that - depending on the size of the entity,
the number of employees, the business conducted, and the number and complexity of transactions relevant for Compliance
and/or AML - these functions could be conducted by one person, provided that an independent review is undertaken.
The FMA is currently in discussions with industry as to its understanding of the compliance function requirements in
the context of MiFID. These new rules are expected to lead to significant change in the meaning of compliance in Austria
and, therefore, will impact the approach to compliance functions.

Belgium
Legal base:
Law of 22 March 1993 and associated royal decrees.
Circular D1 2001/13 to credit institutions, 18 December 2001.
Circular D1/EB/2002/6 on the internal control and the function of the internal audit and the compliance function in investment firms, 14 November 2002.
Circular PPB/D.255 to insurance companies, 10 March 2005.
Law of 11 January 1993 and associated royal decrees and BFIC circulars.

The Banking, Finance and Insurance Commission (BFIC), created through the integration of the Insurance Supervisory Authority (ISA) into the Banking and Finance Commission (BFC), has been the single supervisory authority for the Belgian financial sector since 1 January 2004.
In Circular D1 2001/13, the BFIC set out its position on the organisation of a comprehensive compliance function in credit institutions, enumerating 10 principles. The circular requires credit institutions to set up an independent compliance function with the aim of ensuring that the firm complies with the rules relating to banking integrity. It identifies the areas to which the integrity policy should give priority. The executive committee is responsible for drawing up an integrity policy and the board of directors is responsible for its adequacy. At least once a year, the executive committee reports to the board of directors on compliance, through the audit committee if one exists. The circular stipulates that professional competence, integrity and discretion are essential qualities of the compliance staff for the proper functioning of the compliance function.
In November 2002, the Belgian regulator issued a similar circular stipulating that the compliance function in investment firms should be independent; in March 2005, similar requirements were imposed on insurance companies. These circulars are supplemented by a June 2004 circular which confirmed that the compliance requirements apply to credit institutions and investment firms in respect of all outsourced activities.
Prior to 2001, requirements for a limited compliance function were established for all financial institutions (banks,
investment firms and insurance companies) by the anti-money laundering law of 11 January 1993, which inter alia, required the
appointment of a compliance officer. Similar requirements relating to special mechanisms (anti-fraud and tax evasion) were
also in effect at that time. The law of 11 January 1993 transposed the first EU AML Directive (91/308/EEC). The second EU
Directive (2001/97/EC) was transposed by the Law of 12 January 2004. Article 21bis of this law provided that the BFIC should
define the specific implementation rules applicable to institutions it supervises and these rules were promulgated by the BFIC
circular of 27 July 2004 which was subsequently approved by the Royal Decree of 8 October 2004.

France
Legal base:
Compliance arrangements:
AMF General Regulation.
Commission Bancaire draft proposals on compliance arrangements, within the existing Regulation 97-02 on internal controls - implementation anticipated 30 June 2005.
AML:
Regulation 91-07 of the CRBF (banking and investment firms).
Regulation 02-01 of the CRBF (banking and investment firms).
Instruction 00-09 of the Commission Bancaire.

The Autorité des Marchés Financiers (AMF, formerly CMF), the French regulator of investment firms, was the first regulator in France to establish requirements regarding compliance arrangements. The General Regulation requires that a déontologue is appointed in each entity who is responsible for the definition and implementation of conduct of business rules throughout the institution. Recently, the Commission Bancaire, the French banking regulator, issued a series of proposals on compliance arrangements. Those proposals apply to both banks and investment firms, as the Commission Bancaire supervises both groups of institutions. These form part of the current regulation on internal controls (Regulation 97-02).
The proposals introduce a definition of non-compliance risk, based on the Basel Committee's definition as set out in the October 2003 consultation paper. AML is included within the scope of non-compliance risk, although not explicitly. The main proposals are the following:
Appointment of a dedicated and independent compliance officer
Implementation of a compliance monitoring programme
Implementation of specific procedures with respect to new product approval
Implementation of specific procedures in terms of breach identification, escalation process and record-keeping
Implementation of a non-compulsory whistle-blowing process (i.e. each employee must be given an opportunity to blow the whistle if he/she deems this necessary, but must be under no compulsion to do so).
In addition to the above, the new proposals (due to come into force on 30 June 2005) include specific requirements on outsourcing and introduce a requirement to split the internal control and internal audit functions (internal controllers now being referred to as permanent controllers). The compliance function is a permanent control function, compared with internal audit, which is now referred to as a periodic control function.
A series of specific AML-related regulations - beyond definitions of money laundering practices and related sanctions that are of a legal nature - are in place (see the legal base above), but no recent change has been introduced.
No compliance regulation exists for insurance companies at this stage. However, specific AML requirements are in place.

Germany
Legal base:
Securities Trading Act (WpHG - 1994) as amended October 2004.
Banking Act (KWG) as amended April 2004.
Investment Act (InvG) as amended October 2004.
Insurance Supervision Act (VAG) as amended July 2004.
Money Laundering Act (GwG) as amended August 2002.

Germany's financial services regulators merged into a single entity during 2002, forming the Federal Financial Supervisory Authority (BaFin). BaFin is responsible for the supervision of financial institutions, including insurance undertakings and pension funds, and the regulation of securities trading and the investment business (investment companies). The supervision of financial services institutions is dual faceted, split between solvency and market supervision.

Financial services institutions

Market supervision
Looking at the financial services industry in Germany the term compliance is closely linked to all issues regarding the
securities sector and investor protection. The basis for supervision, and the groundwork for investor protection, is provided by
the rules of business conduct for investment services enterprises set out in the Securities Trading Act (WpHG).
A further fundamental component of market supervision is supervision in accordance with the Safe Custody Act
(DepotG). For financial services institutions, whose regular business is the provision of investment services (investment firms),
the compliance function has been a part of the regulatory regime since 1994 when certain rules for staff transactions came
into force. The role was further developed in the Securities Trading Act (WpHG) and corresponding supervisory guidelines
covering organisational requirements and rules of conduct. Since 2002, BaFin also monitors securities analysis provided by
investment firms. In October 2004 Germany transposed the European Directive on insider dealing and market manipulation
(Market Abuse Directive) establishing organisational duties and rules of conduct for all kinds of financial analysts creating and
distributing investment recommendations.
Compliance function structures, and compliance processes, are governed by the BaFin guideline on organisational duties pursuant to Sec 33 WpHG. These include, for example, obligations for companies to maintain the necessary level of resources for the compliance function, and obligations for addressing conflicts of interest. The compliance function should fit the nature and structure of the investment firm's business(es). Detailed minimum requirements are stipulated. The compliance function should be a standalone department. Irrespective of the functions of the compliance office, the overall responsibility for compliance remains with the management.
BaFin monitors compliance with the rules of business conduct and the Safe Custody Act. External auditors undertake annual audits of financial institutions, checking compliance. BaFin evaluates the resulting audit reports.
Beyond the securities sector, there are only a few specific requirements relating to compliance, but more extensive requirements relating to internal control.

Solvency supervision
The groundwork for internal control and compliance (in a broader sense) is provided by sec. 25a of the Banking Act (KWG), supplemented by several BaFin guidelines. The three major ones, i) Minimum requirements for the Trading Activities of Credit Institutions (MaH, 1995), ii) Minimum requirements for the credit business of credit institutions (MaK, 2002) and iii) Minimum requirements for the internal audit function of credit institutions (MaIR, 2000), will be merged in 2005 into the Minimum requirements for Risk Management (MaRisk). The new MaRisk will implement the second pillar of Basel II (Supervisory Review Process and Internal Capital Adequacy Assessment Process, Sound Practices for the Management and Supervision of Operational Risk).

Insurance
The basis for supervision of the insurance industry is the Insurance Supervision Act (VAG). BaFin circular 29/02 deals with the
requirements regarding investment of insurance undertakings. This circular requires, amongst other things, a compliance
report regarding investments of an insurance undertaking confirming compliance with the legal, regulatory and internal
regulations and guidelines.

Investment Companies
According to German law, investment companies are specialised credit institutions. The Investment Act provides a catalogue
of permissible assets that may be freely combined within the investment limits. The Derivatives Ordinance (2004) governs the
specific risk management and risk measurement policies, required under the Investment Act, when using derivatives in funds.
Reporting obligations on breaches of investment limits, statements of assets and material transactions are designed to intensify and improve the market supervision of funds.

Anti-money laundering
The Money Laundering Act (GwG) and the Guidelines of the BaFin concerning measures to be taken by credit institutions to
combat and prevent money laundering are the main regulations designed to combat money laundering. The Money
Laundering Act, which entered into force at the end of 1993 and was updated in 2002, specifies statutory duties for credit
institutions and other businesses (financial services institutions, as well as some kinds of insurance business). The guidelines
of the BaFin clarify the main statutory duties. These regulations represent minimum requirements. Credit institutions are called
upon to make additional organisational and administrative arrangements.

Italy
Legal base:
Legislative decree n. 58/98.
Bank of Italy, Circular 229/99.
Bank of Italy, Circular 216/96.
Bank of Italy, regulation of 1/7/98.

The Bank of Italy and CONSOB regulate the banking and securities sectors in Italy. The insurance sector is supervised by ISVAP. The three supervisory bodies, especially the Bank of Italy, have clearly defined the internal control framework for Italian companies, but requirements regarding the compliance function are not stipulated in current regulations. Both the Bank of Italy and CONSOB regard compliance monitoring as an activity within the internal audit function and related processes.
The Bank of Italy is about to issue a new Circular which will regulate the operations of investment and asset management companies in accordance with the UCITS III directive. The draft circular states that the internal audit function has to perform the activities connected with the compliance function.

Luxembourg
Legal base:
Law of 5 April 1993 on the financial sector.
CSSF Circular 04/155 on the compliance function.

The Commission de Surveillance du Secteur Financier (CSSF) supervises the financial services sector in Luxembourg, including credit institutions, investment firms, investment funds and pension funds. On 27 September 2004, following consultation with industry, the CSSF issued a circular (CSSF 04/155) providing detailed guidelines for the setting up of a compliance function in banks and investment firms. This function will be mandatory in all Luxembourg banks and investment firms as from 1 January 2006.
The introduction of a compliance function does not lead to an additional level of supervision. Rather it aims at ensuring
proper co-ordination, organisation and structuring of controls, already carried out in accordance with the provisions of the
circular on internal control, but which are often split amongst different departments and handled at different organisational
levels.
According to the circular, the board of directors must adopt a positive attitude towards compliance, ensure the
effectiveness of the compliance function, and approve the compliance policy and the compliance charter defined by the
management. The compliance policy must include the fundamentals of the compliance risk, clarify the broad principles for
managing the compliance risk, define the compliance function, its objectives and independence, prescribe the charter process
and define the training programme. The compliance charter, communicated to the entire staff, governs the objectives and
responsibilities of the compliance function. The compliance charter must include the compliance function's objectives,
responsibilities, independence and permanence, relationships with other units, access to all necessary information, reporting
lines and access to the management bodies. Management is in charge of developing and implementing the compliance
policy, as well as of setting up a compliance function which is in accordance with stated principles. Management must
appoint one of its members, whose name must be communicated to the CSSF, as the person directly in charge of the
compliance function.
The circular also stipulates that the compliance function shall be independent from all commercial, administrative or
control functions and shall exist on a permanent basis. It has the power to start investigations and controls on its own
initiative, and has the right to access any kind of information. The institution has to designate an employee in charge of the
compliance function, the compliance officer, whose name has to be communicated to the CSSF. The compliance officer
must, in principle, be dedicated on a full-time basis to the compliance function. Small-scale institutions engaged in low-risk
activities are allowed to fulfil their compliance function on a part-time basis, with prior authorisation from the CSSF.
Certain tasks assigned to the compliance function may be delegated to other services provided that such tasks are
compatible with other tasks for which the personnel of these services are responsible. In such cases, the compliance function
assumes a coordination role between the services carrying out these tasks. In any event, the responsibility for the tasks
remains with the compliance function.
The Commissariat aux Assurances (CAA) supervises the insurance industry in Luxembourg. The CAA has not issued any
specific regulations on the compliance function for the insurance sector, as yet.

Netherlands
Legal base:
Securities Markets Supervision Act 1995 (Wet toezicht effectenverkeer 1995).
Decree on Supervision of the Securities Markets 1995 (Besluit toezicht effectenverkeer 1995).
Further regulations on market conduct supervision of the securities trade 2002 (Nadere regeling gedragstoezicht effectenverkeer 2002).
Further regulations on prudential supervision of the securities trade 2002 (Nadere regeling prudentieel toezicht effectenverkeer 2002).
Act on the Supervision of Credit Institutions 1992 (Wet toezicht kredietwezen 1992, Wtk 1992).
Regulations on Organisation and Control (Regeling Organisatie en Beheersing).
Act on the supervision of insurance companies 1993 (Wet toezicht verzekeringsbedrijf 1993).
Pension Fund and Savings Fund Act (Pensioen- en Spaarfondsenwet).
Act on the disclosure of unusual transactions (Wet melding ongebruikelijke transacties).

Financial markets are regulated by the Autoriteit Financiële Markten, the Financial Markets Authority (AFM), in so far as it relates to market conduct supervision. Prudential requirements for banks, securities institutions, pension funds, investment institutions and insurance companies are supervised by the Dutch Central Bank, De Nederlandsche Bank (DNB).
Investment institutions, securities institutions and credit institutions in the Netherlands are obliged by regulation to retain one or several compliance officer(s). The Regulations on Organisation and Control (Regeling Organisatie en Beheersing, or ROB) stipulate that the compliance function should be independent, with direct reporting lines to the management board, and in case the integrity of the management board is in doubt the compliance officer should have access to a delegate of the supervisory board.
Although not mandatory, the compliance officer is expected both to monitor and control the institution's activities, as well as to consult on the implementation and interpretation of rules and regulations and advise management on compliance issues.
There are only very limited rules for appointing a compliance officer, and even though there are certification programmes for compliance officers offered by commercial training entities, they are not compulsory.
Under the Dutch act that covers AML (Wet melding ongebruikelijke transacties), there is no obligation to appoint a compliance officer. However, this is common practice, as it is perceived that the tasks under the AML act are best performed by one person, in general or preferably the compliance officer.

Spain
Legal base:
Law 24/1988, 28 July, Stock Market.
Law 26/1988, 19 July, Discipline and Intervention of Credit Entities.
Law 26/2003, 17 July, in order to increase the transparency of public limited liability companies.
Order ECO/3722/2003, 26 December, on the annual report on corporate governance and other information instruments of public limited liability companies and other entities.
Law 44/2002, 22 November, Financial System reform measures.
Anti-money laundering law 19/1993 and implementing regulations.

In Spain, the supervision of the financial sector is carried out by the Bank of Spain (banking activities), the Spanish National Securities Exchange Commission (stock market) and the General Directorate of Insurance and Pension Funds (insurance activities).
Under Spanish law applicable to financial entities, compliance requirements have traditionally applied within the regulatory regime in terms of the rules on conduct of business, conflict of interest, internal control and an adequate level of administrative resources. According to this approach to the compliance function, Spanish general regulation on financial institutions provides general conduct of business standards, general principles on conflict of interest, and specific regulatory obligations regarding customers and operations. Since 2003, certain legislation focused on internal control resources, corporate governance, transparency and investor protection has been adopted accordingly.
Spanish anti-money laundering rules have recently been modified to implement additional quality control measures, such as enhancing corporate governance within financial institutions' AML framework, particularly strict know-your-customer rules, and the adoption of qualified control and supervisory measures applicable to high-risk areas within financial institutions according to the nature of their activities and type of clients, amongst other things. Amongst the changes introduced by the new AML regulatory framework, financial institutions are now subject to a compliance review of their internal procedures by an external expert.

Sweden
Legal base:
FFFS 2002:5-7 Regulations governing rules of conduct on the securities market.
FFFS 1999:12 Regulations governing rules of conduct on the banking market.
FFFS 2000:13 Regulations governing rules of conduct on the insurance market.
AML law 1993:768.
FFFS 1999:8 Regulation for AML.

Finansinspektionen (FI), an integrated regulator supervising all sectors in the Swedish financial services industry, was established in 1991.
There is a regulatory code (FFFS 2002:5-7) requiring all investment firms and banking institutions licensed to conduct securities operations to have a compliance function. An investment firm must have one or more compliance officers who are responsible for ensuring that employees within the firm, and its board of directors, are acquainted with the rules governing the conduct of its operations. It is the responsibility of the board of directors to ensure that the compliance officer reports directly to them or to the company's management. Banks and insurance companies (regulatory codes FFFS 1999:12 and FFFS 2000:13) are required to have an internal control function that is responsible for compliance with internal as well as external rules and regulations.

United Kingdom
Legal base:
FSMA 2000.
FSA Handbook section Senior Management Arrangements, Systems and Controls chapter 3, December 2001.

The Financial Services Authority (FSA), the UK regulator, an integrated regulator set up by the Financial Services and Markets Act 2000 (FSMA 2000), was established in 1997 and assumed full responsibility for the financial services sector in 2001, succeeding the Securities & Investments Board which was established in 1985.
Since the late 1980s, the vast majority of financial services firms in the UK have been required to have a compliance
officer. An investment firm must allocate a director or senior manager as having responsibility for the oversight of the firm's
compliance, who should report directly to the firm's executive board. The compliance function is a controlled function in the
United Kingdom, which means that a candidate proposed as head of compliance cannot be appointed until approval has
been given by the FSA. The FSA must be satisfied that the person is fit and proper in accordance with the fit and proper
test for approved persons. Outsourcing compliance to external consultants is allowed, but responsibility rests with one or
more directors or senior managers of the firm as head of compliance.
The compliance officer consults all business lines, and does not solely have a control function. Compliance generally
means respecting the Principles for Businesses and Senior Management, and rules for Conduct of Business (COB), the
Collective Investment Schemes (CIS) and Money Laundering (ML). Heads of compliance will normally have responsibility for
overseeing a firms relationship with the FSA.
Compliance is defined by the FSA Handbook section Senior Management Arrangements, Systems and Controls
Chapter 3 and the Money Laundering sourcebook.
76 PricewaterhouseCoopers - Protecting the brand, May 2005

Non-EU Europe and Middle East

Bahrain
Legal base:
BMA Rule Book.
Amiri Decree Law No. 23 of 1973 (the BMA Law).
BC/13/99 - Circular: Compliance, Risk Management and Internal Controls.

The Bahrain Monetary Agency (BMA), in its capacity as the regulatory and supervisory authority for all financial institutions in Bahrain, issues regulations with which licensees are legally obliged to comply under the BMA Law.
The BMA recognised that, due to the complex structure and underlying risks of banks and other financial institutions, spreading responsibility for compliance across various entities and functions without a single internal central coordinating point may lead to certain areas of compliance not being covered effectively and efficiently. Consequently, on 15 June 1999, the BMA issued a circular, Compliance, Risk Management and Internal Controls, requiring a senior member of management to monitor compliance risk.
Such a member should be vetted by the BMA before appointment. Furthermore, the BMA requires financial institutions to outline how the compliance function fits into the institution's reporting structure, and the circular further states that the compliance officer should have access to the board of directors.
The compliance officer may also perform other functions, such as anti-money laundering, legal and internal audit.

Switzerland
Legal base:
Swiss Banking Law.
SFBC Circular 04/01 of April 21, 2004 on the Supervision of large banks.
SFBC circular on supervision within banks (expected by mid 2005).

The Swiss Federal Banking Commission (SFBC) is the licensing and supervising body in Switzerland for banks and securities firms. The Swiss Banking Law is the main legal basis regulating compliance. More guidance is included in SFBC circulars. Compliance, as part of internal controls, was first mentioned in the circular on internal controls issued by the Swiss Bankers Association in 2002. In an SFBC circular, expected by mid 2005, banks and securities dealers will be required to establish a compliance function. However, the implementation of compliance functions is already common practice in Switzerland. Due to its large community of international banks, national standards are strongly influenced by international best practice and the work of international standard setters.
The SFBC views compliance as a staff function: it should be independent and should not have operational responsibilities. It should have direct reporting lines to the board of directors.
The Anti-Money-Laundering Ordinance was due to be fully implemented by 30 June 2004. The implementation was audited and a separate report had to be filed with the SFBC by 15 March 2005.

North America

Canada
Legal base:
Bank Act.
Insurance Companies Act.
Trust and Loan Companies Act.
Cooperative Credit Associations Act.
Financial Consumer Agency of Canada Act.
Office of the Superintendent of Financial Institutions Act.
Bill C-15.
Legislative Compliance Management (LCM) Sound Business & Financial Practices.
2003 FCAC Mystery Shopping Results.
Provincial Securities Acts.

Deposit-Taking Institutions, Insurance Companies, and Pension Plans
(Banks, Insurance Companies, Trust and Loan Companies, Cooperatives, and Pension Plans)
At the federal level, the Office of the Superintendent of Financial Institutions Canada (OSFI) regulates federally regulated financial institutions, including banks and insurance companies. Under the Office of the Superintendent of Financial Institutions Act, OSFI was given the powers to supervise and regulate all federally regulated financial institutions. Under Bill C-15, OSFI's mandate was clarified to include promoting sound business practices to reduce the risk that financial institutions will fail.
OSFI supervision is in accordance with its Supervisory Framework (1999) and the related Supervisory Framework Rating Assessment Criteria (2002) supplement. In 2000, OSFI introduced the Interim Guideline Legislative Compliance Management (LCM), which was replaced in 2003 with Guideline E-13, Legislative Compliance Management for Sound Business & Financial Practices (2003), which conveys OSFI's expectations of federally regulated institutions. E-13 stipulates, inter alia, a compliance function including an enterprise-wide framework of compliance controls, a head of compliance accountable for LCM oversight, adequate resources to manage compliance and an integrated communications and reporting network.
In addition, all banks and federally incorporated or registered insurance companies, trust and loan companies, and cooperative credit associations are regulated by the Financial Consumer Agency of Canada (FCAC). The FCAC is responsible for enforcing many of the federal laws that protect consumers in their dealings with financial institutions. The mandate of the FCAC focuses on consumer protection and consumer education. In 2003, the FCAC released the 2003 FCAC Mystery Shopping Results, whereby the FCAC sent mystery shoppers into 1,653 bank branches across Canada to identify best practices in banks with respect to the type and availability of information they are providing to their customers.
At the provincial level there are regulations governing pensions, insurance, trust companies, credit unions, caisses populaires, cooperatives and mortgage brokers. These regulations are administered by each province's respective Ministry of Finance.

Investment Dealers, Mutual Fund Dealers, and Investment Counsel and Portfolio Managers
In Canada, the regulation of the securities industry is the responsibility of provincial securities commissions that oversee a
provincial securities act. Each provincial securities act is a set of laws and regulations which defines the activities that can be
undertaken by participants. The provincial securities commissions delegate certain aspects of securities regulation to the
following self regulatory organisations (SRO): i) the Investment Dealers Association of Canada (IDA); ii) Mutual Fund Dealers
Association of Canada (MFDA); and iii) Market Regulation Services Inc (RS). The IDA and MFDA have been delegated
responsibility by the provincial governments to ensure that their respective SRO members meet certain agreed upon

standards written into the provincial securities laws. RS is the independent regulation services provider for Canadian equity
markets and is recognised by the provincial securities commissions in Alberta, British Columbia, Manitoba, Ontario and
Quebec.
Overview of SRO regulatory responsibilities:
IDA - regulates the activities of investment dealers for both capital adequacy and conduct of business, e.g., registration,
sales compliance and financial compliance.
MFDA - regulates all sales of mutual funds by its members and capital adequacy.
RS - ensures market integrity by regulating trading on marketplaces to ensure transactions are executed properly, fairly
and in compliance with trading rules.
Investment Counsel and Portfolio Managers are regulated by the provincial securities commissions.
In 2000, the MFDA introduced rule 2.5.2 requiring Members to designate a trading officer as a compliance officer. The
MFDA was recognised as a self-regulatory organisation (SRO) by a number of Canadian Securities Commissions in 2001. In
2001, IDA introduced By-Law 38 requiring members to designate an officer to act as the Ultimate Designated Person and to
appoint an Alternative Designated Person to act as Chief Compliance Officer (CCO). In 2002, the Universal Market Integrity
Rules (UMIR) were adopted to replace the rules and policies of the Toronto Stock Exchange and the Canadian Venture
Exchange. UMIR Rule 7.1 Trading Supervision Obligation sets out requirements for the appointment of supervisory staff and
written trading policies and procedures.

Anti-money laundering
In 1993, the Canadian Federal government introduced the Proceeds of Crime (Money Laundering) Suspicious Transaction
Reporting Regulations applicable to all financial institutions. This was replaced in 2001, by the Proceeds of Crime (Money
Laundering) and Terrorist Financing Suspicious Transaction Reporting Regulations. In 1999, the Ontario Securities
Commission (OSC) introduced Rule 31-505 Conditions of Registration requiring a registered dealer or adviser to designate a
registered partner or officer as the compliance officer. OSC amended Rule 31-505 in 2003 to include a requirement for a
registered adviser to designate a senior officer as the Ultimately Responsible Person for the compliance function and for the
day-to-day supervision to be undertaken by a chief compliance officer.

United States
Legal basis:
Investment Management: SEC Rule: Compliance Programs of Investment Companies and Investment Advisers; Rule 38a-1 under the Investment Company Act, and related Rule 206(4)-7 under the Investment Advisers Act.
Broker-Dealers: NASD Rules 3010, 3012 and 3013 and NYSE Rule 342.

Investment Management Companies
The Securities and Exchange Commission (SEC) has adopted rules under the Investment Company Act of 1940 and the Investment Advisers Act of 1940 which require each investment company and investment adviser registered with the SEC to: (i) adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws; (ii) review those policies and procedures annually for their adequacy and the effectiveness of their implementation; and (iii) designate a chief compliance officer to be responsible for administering the policies and procedures. In the case of an investment company, the chief compliance officer reports directly to the fund board. The rules are designed to protect investors by ensuring that all funds and advisers have internal programmes to enhance compliance with the federal securities laws.

Broker-Dealers
The National Association of Securities Dealers (NASD) and the New York Stock Exchange (NYSE) have rules regarding the
supervisory system, supervisory control and certification procedures of their member firms which have been approved by the
SEC. Rule 3010 requires the establishment of a supervisory system which includes policies and procedures reasonably
designed to achieve compliance with rules and regulations. Rule 3012 specifically requires that firms identify principals who
will be responsible for establishing, maintaining and enforcing a system of supervisory control policies and procedures which
test and verify a firms supervisory procedures. Rule 3013 requires CEO certification that there exists a process to ensure the
controls required by Rules 3010 and 3012 are in place. NYSE Rule 342 requires NYSE member firms to create verification
procedures for supervisory procedures over specific areas and a method to test those procedures.

Banks
While banks, like other US financial institutions, must establish an anti-money laundering compliance programme, US
banking law and regulation does not mandate general banking law compliance programme requirements for US banks.
The US bank regulators, through regulation, supervision and on-site examinations, seek to ensure that US banks operate in
a safe and sound manner. In this connection, US bank regulators expect banks to have a compliance risk management
system that is designed to be effective within the context of the size, scope, complexity, and nature of a banking
organisations business activities and legal structure. Compliance with these expectations is assessed and enforced largely
through the bank examination and supervision process.

Insurance Companies
Under the McCarran-Ferguson Act, the regulation of the business of insurance in the US occurs at the State level. Insurance
companies are regulated by State Insurance Commissioners, which coordinate their activities through the National
Association of Insurance Commissioners. Any compliance programme requirements or expectations for insurance
companies would thus be assessed and enforced by State Insurance Commissioners. It is beyond the scope of this survey
to identify possible requirements at the State level.
Annex II
Current regulatory challenges

Asia & Australia

Australia
- International Financial Reporting Standards (IFRS)
- Sarbanes Oxley
- Basel II
- APRA licensing and Super Choice (Superannuation industry only)
- Anti-Money Laundering (AML)
- For Australian Financial Services Licensees: conflict of interest management (PS 181) and disclosure (dollar and general disclosure)
- For APRA regulated firms: fit and proper persons obligations
- Draft standards on Unit Pricing.

Hong Kong/China
- IFRS/International Accounting Standards (IAS)
- Basel II
- Sarbanes Oxley for US listed companies
- AML
- Independent Financial Advisory (IFA) supervision in Hong Kong.

Japan
- Basel II
- Protection for Privacy Act (starting April 2005)
- SOA 302-like regulation (possibly 404-like in the future)
- Business Continuity Programme
- Strengthening internal audit function (based upon Inspection Manual)
- Stricter assessment of asset (loan) quality (based upon Inspection Manual)
- IFRS.

North America

Canada
New legislation:
- AML
- Privacy
Existing areas of current regulatory risk / concern:
- Insider trading and Chinese walls
- Mutual fund trading abuse.

United States
- Bank Secrecy Act/Anti-Money Laundering/OFAC (Office of Foreign Assets Control)
- Fair and Accurate Credit Transactions Act (FACT Act) (Identity Theft/Fair Credit Reporting)
- Privacy/Information Security (privacy is also affected by the FACT Act)
- Compliance Programme Requirements (Investment Management Companies)
- Mutual Fund Trading Practices
- Best execution (Broker-Dealers)
- Insurance industry broker issues.
Europe

Austria
- IFRS and prudential filters
- Basel II/Capital Requirements Directive (CRD) discussion is underway; regulators have already defined their expectations:
  - Minimum standards for measuring credit risk and conduct of financing business rules
  - Minimum standards for internal audit
- Increased expectations of regulators on implementation of best practice solutions
- Transposition of EU Directives (e.g., Market Abuse Directive, Transparency Directive)
- Company Law will be changed in 2005 to increase confidence in the Austrian capital market, with a new definition of the role of the supervisory board.

Belgium
- Circular on good practices for outsourcing (external but also intra-group) with deadline for compliance by end of 2005 (all outsourcing should be governed by SLAs, meeting principles outlined in the regulation)
- New regulation (Royal Decree) on AML/KYC/Transaction Monitoring
- Recommendations on Business Continuity Plan. Though not formally a regulation, this is a strong warning from the BFIC that compliance will be expected by 2007. This derives from the work performed at the level of the Financial Stability Working Committee being established at the Belgian National Bank (BNB)
- IFRS is very high on the agenda as it will imply change in the monthly regulatory reporting to the BFIC, which is processed via the BNB. IFRS is compulsory for all quoted banks or banks having to issue consolidated financial statements as from 2005. NSA (New Schema A) reporting under IFRS will start as from January 2006
- Basel II.

France
- AML: although no change has occurred in the existing AML regulation in France, this is still a topic which sits high on financial institutions' agenda. Regulators' tolerance is nil, as evidenced by recent sanctions
- Basel II: as the date of application is looming, institutions are focusing on the implementation of Basel II arrangements. Some diagnostics are still underway but implementation is the key element and new issues are starting to emerge, such as the interaction with regulatory reporting
- Compliance arrangements: this is the new key issue, in view of the recent consultation held by the Commission Bancaire on this topic. This is about to lead to a specific compliance regulation, whose date of entry into force is expected to be end of June 2005
- IFRS: 2005 being the first year of application at consolidated level, not surprisingly, institutions are currently focusing on this intently.

Germany
Banking sector:
- Basel II (including supervisory review process and minimum requirements for risk management (MaRisk))
- IFRS (mostly public sector; the major private credit institutions already comply)
Banking sector/Investment firms (market supervision - compliance issues):
- Transposition of the EU Market Abuse Directive into German law (German Act on the Improvement of Investor Protection): main issues - accepted market practices versus market manipulation, insider lists, reporting of suspicious transactions
Insurance:
- Solvency I and (upcoming) Solvency II
- Insurance Supervision Act: amendments of the investment ordinance and changes in risk management approach
- IFRS (ED 7).

Italy
- IFRS/IAS: mandatory for listed companies and all financial institutions under supervision of the Bank of Italy (2005: consolidated financial statements mandatory, individual financial statements voluntary; both mandatory in 2006)
- Basel II
- Sarbanes-Oxley for US listed companies
- New Bank of Italy Legislative decree (related to UCITS III) on investment companies' operations: to be issued in the next few months
- Legislative decree 231/2001 on companies' responsibilities and internal control framework to prevent frauds and administrative crimes.

Luxembourg
- IFRS
- AML (new law of 12 November 2004)
- Compliance Function (new CSSF circular of September 2004)
- UCITS III
- Basel II/CRD
- Solvency II.

Netherlands
- Basel II
- IFRS
- Solvency II
- AML
- Insurance Mediation Directive
- Integrity conduct
- Outsourcing
- Anti-competition requirements.

Spain
- AML Regulations (changes in 2003 & 2005) and Specific Recommendations on Compliance Functions by the Spanish Regulator
- UCITS III
- Basel II
- Solvency II
- IAS.

Sweden
- Basel II/CRD
- IFRS, in particular IAS 39/32
- Financial Conglomerates Directive
- Solvency II.

Switzerland
- Draft law on integrated financial supervision (proposal to integrate the Swiss Federal Banking Commission, the Swiss Private Insurance Commission, and the Swiss Money Laundering Control Authority)
Banking and Investment firms:
- Basel II
- Banking Commission Circular on the supervision of large banks, issued in April 2004
- Regulation on financial conglomerates
Insurance:
- Solvency I and II and regulation on supervision of financial conglomerates
- New Act on insurance supervision
- Private insurance contract law: total revision of the relevant body of law in preparation
Company law:
- Corporate Governance - bill on compensation transparency
- UCITS III
- Anti-Money Laundering, insider dealing
- Proposed law to comply with FATF related requirements
- Revision of scope and appraisal of insider dealing.

United Kingdom
- Capital requirements for Banks and Investment firms (Basel II/CRD)
- Changes in international accounting standards
- The regulation of Mortgage and General Insurance Business
- FSA's expectations with regard to treating customers fairly
- Also future impact of the Directive for Markets in Financial Instruments (MiFID).

Bahrain
- Basel II
- Prudential regulation requirements - the regulator has adopted the Basel papers
- AML.
Annex III
Selection of recent related surveys and white papers

Recent Surveys:
- 8th Annual Global CEO Survey, 2005: Bold Ambitions, Careful Choices
- PricewaterhouseCoopers Management Barometer, July and November 2004
- Private Banking/Wealth Management, Global Survey 2004: Leveraging Compliance and Risk Management for Strategic Advantage
- Banana Skins 2005 (Annual Survey by CSFI, sponsored by PricewaterhouseCoopers)

White Papers:
The PricewaterhouseCoopers/Economist Intelligence Unit Briefing Series:
- Governance: From compliance to strategic advantage
- Compliance: The gap at the heart of risk management
- Uncertainty tamed? The evolution of risk management in the financial services industry

The Future of Compliance Series:
- Best Practice and Delivering Value, 2002
- Using Technology to Deliver Value, 2003
- An Efficient and Effective Commercial Operation, 2004

Integrity-Driven Performance(TM) - A New Strategy for Success Through Integrated Governance, Risk and Compliance Management: A White Paper, January 2004

Regulatory Compliance: Adding value - a review of future trends, 2002

Available on the PricewaterhouseCoopers website at www.pwc.com/financialservices


PricewaterhouseCoopers (www.pwc.com) provides industry-focused assurance, tax and advisory services for public and private clients. More than 120,000 people in 139 countries connect their thinking,
experience and solutions to build public trust and enhance value for clients and their stakeholders.

This study is not intended to provide specific advice on any matter, nor is it intended to be comprehensive. If specific advice is required, or if you wish to receive further information on any matters referred to in
this briefing, please speak to your usual contact at PricewaterhouseCoopers or those listed in this publication.

For additional copies please contact Jurgen De Greef at PricewaterhouseCoopers on 32 2 710 9716 or e-mail at jurgen.de.greef@pwc.be.

2005 PricewaterhouseCoopers. All rights reserved. PricewaterhouseCoopers refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and
independent legal entity. *connectedthinking is a trademark of PricewaterhouseCoopers LLP.
PricewaterhouseCoopers Regulatory and GRC Contacts

Global
Regulatory:
Charles Ilako, Partner, Global Leader, Financial Services Regulatory Practice, charles.ilako@uk.pwc.com
Wendy Reed, Senior Manager, wendy.reed@pwc.be
GRC:
Sandra Birkensleigh, Partner, Global GRC Co-Leader, sandra.birkensleigh@au.pwc.com
Dan DiFilippo, Partner, Global Head of Performance Improvement, dan.difilippo@us.pwc.com
AML:
John Campbell, Partner, U.S., john.w.campbell@us.pwc.com
Andrew Clark, Partner, EMEA, andrew.p.clark@uk.pwc.com
Dominic Nixon, Partner, AsiaPac, dominic.nixon@sg.pwc.com

Europe, Middle East & Africa
Austria:
Andrea Cerne-Stark, Partner, andrea.cerne-stark@at.pwc.com
Gerhard Margetich, Manager, gerhard.margetich@at.pwc.com
Belgium:
Josy Steenwinckel, Partner, josy.steenwinckel@pwc.be
Denis Caprasse, Director, denis.caprasse@pwc.be
France:
Guy Flury, Partner, Financial Services Regulatory Practice Leader, guy.flury@fr.pwc.com
Marine Laufer-Tourte, Senior Manager, marine.laufer-tourte@fr.pwc.com
Germany:
Günter Borgel, Partner, guenter.borgel@de.pwc.com
Martina Rangol, Senior Manager, martina.rangol@de.pwc.com
Ireland:
Alan Merriman, Partner, alan.merriman@ie.pwc.com
Marion Kelly, Senior Manager, marion.kelly@ie.pwc.com
Italy:
Giacomo Neri, Partner, giacomo.neri@it.pwc.com
Fabiano Quadrelli, Director, fabiano.quadrelli@it.pwc.com
Luxembourg:
Olivier de Vinck, Partner, olivier.de.vinck@lu.pwc.com
Emmanuelle Henniaux, Director, emmanuelle.henniaux@lu.pwc.com
Netherlands:
Ger Roeleven, Senior Manager, ger.roeleven@nl.pwc.com
Martin Eleveld, Senior Manager, martin.eleveld@nl.pwc.com
Spain:
José Luis López Rodriguez, Partner, jose.luis.lopez.rodriguez@es.pwc.com
Enric Domènech, Director, enric.domenech@es.pwc.com
Sweden:
André Wallenberg, Director, andre.wallenberg@se.pwc.com
Switzerland:
Pascal Portmann, Partner, pascal.portmann@ch.pwc.com
Christiana Suhr Brunner, Director, christiana.suhr.brunner@ch.pwc.com
United Kingdom:
John Tattersall, Partner, john.h.tattersall@uk.pwc.com
Stuart Crotaz, Senior Manager, stuart.crotaz@uk.pwc.com
Middle East:
Elham Hassan, Partner, elham.hassan@bh.pwc.com
Madhukar Shenoy, Director, madhukar.shenoy@bh.pwc.com
South Africa:
Tom Winterboer, Partner, tom.winterboer@za.pwc.com
Central & Eastern Europe:
David Wake, david.wake@hu.pwc.com

North America
Canada:
Brenda Eprile, Partner, brenda.j.eprile@ca.pwc.com
Dorothy Sanford, Partner, dorothy.a.sanford@ca.pwc.com
United States:
Regulatory:
Bill Lewis, Partner (Banking), bill.lewis@us.pwc.com
Gary Welsh, Managing Director, gary.welsh@us.pwc.com
Tony Evangelista, Partner (Investment Management), tony.evangelista@us.pwc.com
Roger Coffin, Partner (Capital Markets), roger.coffin@us.pwc.com
Ellen Walsh, Partner (Insurance), ellen.walsh@us.pwc.com
GRC:
Miles Everson, Partner, miles.everson@us.pwc.com

Asia & Australia
Australia:
Peter Trout, Partner, peter.trout@au.pwc.com
Kate Clarke-Palmer, Director, Performance Improvement, kate.clarke-palmer@au.pwc.com
Hong Kong/China:
Rick Heathcote, Partner, rick.heathcote@hk.pwc.com
Evi Sukardi, Manager, evi.sukardi@hk.pwc.com
Japan:
Hajime Yasui, Director, hajime.yasui@jp.pwc.com
Akira Yamate, Partner, akira.yamate@jp.pwc.com
www.pwc.com