September 23, 2020

Two announcements caught our attention over the last weeks: one from the MAS, publishing a set of guidelines on individual accountability and conduct [1], and another in which the EU calls for a single set of anti-money laundering rules [2]. That’s of course what regulators need to do: set the rules and regulations, and subsequently monitor and audit whether these regulations are indeed adhered to by the financial sector as a whole and by financial institutions individually.

What comes next is left to the institutions to which the regulations apply, notably the compliance team (the 2nd line of defense) together with senior management. They decide how and when the regulations are translated to company policies and how these are rolled out through the entire organisation.

Thereafter comes the real ‘compliance’: the entire financial institution – the 1st line of defense – needs to comply with the policy on a day-to-day basis. Procedures need to be amended, new systems are implemented, staff are trained, client files need to be updated, etc. Most of these activities need to lead to a permanent change in the behaviour of all staff. Remember that ‘compliance’ simply means that an organisation actually lives up to its own policies, agreements and commitments. And that’s not a one-time, but a permanent effort.

It still goes wrong, though, as frequent breaches and fines demonstrate. Of course there is still a 3rd line of defense (internal audit), as well as external audits and regulatory inspections, but these are all after the fact, often late, and they focus on the past, not on the future and not on building a compliant organisation.

Building a compliant organisation is often left to individual line managers, unit heads, subsidiaries and branches, without assigning a single responsibility in the first line of defense, relying on the right ‘tone-at-the-top’, individual responsibility and a guiding compliance team to achieve a compliant institution.

But that means there is not one dashboard, not one view on the state of the FEC ‘health’ of the institution, not one team aware of what’s actually happening in the entire 1st line of defense. Often the compliance manager or MLRO is tasked accordingly, but isn’t it time for the 1st line of defense to take up the responsibility?

A centralised FEC Operations unit, responsible for achieving operational compliance in the entire 1st line of defense and supporting the compliance team in the strenuous task of implementing all policies, would solve many problems. It would also give senior management one point of contact for, and a grip on, the organisation adhering to all policies.