Regulatory compliance management is defined by professional services firm Deloitte as the management discipline of designing and implementing effective systems to ensure that an organization actually complies with the laws, regulations and codes of practice relevant to its operations.
Everything in life is science. There is an approach to solving a mathematical problem. Politics is a science. It is widely understood within the medical world that there are various avenues to diagnose a patient, however, one thing is certain – there are documented approaches. Likewise, with supervised financial institutions (SFIs) and designated non-financial businesses and professions (DNFBPs), there must be a science or an approach to developing a robust regulatory compliance regime; it is not optional. SFIs and DNFBPs must work diligently to design and maintain regulatory compliant companies.
Internationally, the Association of Certified Financial Crime Specialists (CFCS) notes: “More than $8 billion in anti-money laundering (AML) fines were handed out in 2019, with the USA and UK leading the charge. The year 2014 still holds the record for the highest total value of fines at $10.89 billion, but this includes an anomalously large penalty of $8.9 billion. If this were to be removed, 2019 would take the lead.”
In the Caribbean, there may be little statistical indication that fines have been levied, however, there is clear evidence that the threat of penalties is increasing as legislative changes now reflect higher fines for regulatory non-compliance. Just last month, the Cayman Islands enacted the Monetary Authority (Administrative Fines) (Amendment) Regulations, 2020. Multi-jurisdictional law firm the Maples Group wrote on its website: “The fines regulations extend the application of the fines administered by CIMA (Cayman Islands Monetary Authority) from the anti-money laundering regime to all regulatory laws and regulations, and any rules issued by CIMA pursuant to those laws and regulations.”
The Maples Group further explained, “There is a sliding scale of fines from CI$5,0001 for minor breaches to CI$100,000 for individuals and CI$1 million for entities for very serious breaches. Fines for ongoing minor breaches can be applied at intervals on a continuing basis, up to a CI$20,000 cap.”
In The Bahamas, we have also experienced an overhaul of our penalties framework. Additionally, not only SFIs and DNFBPs are being subjected to fines. Within the last three quarters, headlines have shouted “URCA fines BPL”, “URCA fines BTC for breaches in retail pricing” and “Polluters could be hit with $30m in fines”. These headlines illustrate that although this article primarily focuses on SFIs and DNFBPs, the approach to designing a regulatory compliant environment is applicable to any regulated industry.
Against the current regulatory backdrop, here is a practical approach to avoiding fines and sanctions.
Step 1: Identification
This step is key. The institution must decide who the owners are of this step. All changes in acts, regulations, directives and standards must be acknowledged and their applicability to the institutions’ industry determined. Also, the institution must decide whether this function is outsourced, co-sourced and completed in-house. Based on the size, experience and structure of an organization’s risk, legal and compliance will play a significant role in this decision.
Step 2: Actions, owners and timelines
This step should not be taken lightly as it is not uncommon to misidentify changes in acts, regulations, directives and standards based on how technical the change is or if the change is a part of a full repeal and replace approach. As the cost of compliance continues to climb, skilled owners within the compliance department and other operational functions should be identified. This will assist with efficiency and cost. Once identified, these individuals must be given realistic timelines and clear deliverables. The process should be monitored by the institution’s risk and compliance function. This monitoring sits with the compliance functions because this function is ultimately responsible for the effectiveness of the entire change management process.
Moreover, during this step, subject matter and operations experts need to determine if there are any gaps, if additional resources are needed and if any adjustments to the original timelines are required.
Step 3: Review changes together
Once a change is identified and confirmed to be applicable, and gaps and resources assessed, the regulatory compliance function should facilitate meetings with stakeholders. These meetings are to ensure stakeholders are aware of the positions and the actions, resources and time needed to implement changes, if needed. Equally, where there is no change needed, there should be reasoning given at this time. This review would allow other stakeholders to weigh in other subject matter decision-making processes.
Owners should be armed with the identified change, whether the change requires an action, how it can be actioned, who would need to complete the action and the time frame needed to complete the action. Failure to have this information available at the time of this meeting will negatively impact efficiency.
Step 4: Documentation and tracking
Automation of this function is available, however, depending on available customization options and cost, some compliance functions will have to manually monitor this process. The size and complexity, again, impact how vigorous and segmented the employed design will be. Although this is noted as step four, organizations must document and track through every stage. An internal communication plan should be used to ensure stakeholders are made aware in a timely and systematic order.
Regulatory compliance will differ depending on the size and complexity of an institution. Boutique firms can be more flexible when dealing with changing regulations. A strong regulatory compliance framework can be the distinguishing factor on whether your institution survives. Therefore, institutions should spend time and energy in adequately designing this area of their companies.
• Derek Smith Jr., a Top 40 Under 40 leader, is the compliance officer at a leading law firm in The Bahamas and former AVP, compliance & money laundering reporting officer (MLRO) at an international private bank. His professional career started at a Big Four accounting firm and has spanned over 15 years including business risk management, compliance, internal audit, external audit and other accounting services. He is also a CAMS member of the Association of Certified Anti-Money Laundering Specialists (ACAMS) and executive member of the Bahamas Association of Compliance Officers.