The compliance profession has seen a significant transformation in responsibility, accountability and technology since the financial crisis erupted in 2008.
Along with that transformation have come greater pay and status, as well as the challenge compliance officers face of adapting their firms to these changes and keeping leadership involved. Compliance professionals must also appreciate a growing sense from regulators that they could face liability for their actions or inaction.
The transformation has been so swift and broad that it may be time to take stock, to review prominent changes to the profession and what is expected of the modern compliance officer, plus how to succeed in the role.
Compliance experts in a variety of roles have contributed to this reflective exercise, as discussed below.
Fintech, Big Data and cybersecurity
Financial technology, or fintech, is growing in importance to financial services businesses as new processes, tools and business models offer customers more options and greater flexibility and ease in transacting. Combined with the “Big Data” now available for monitoring and analytical exercises, these tools also provide a means for compliance professionals to carry out their responsibilities, as long as compliance officers are trained in using them and appreciate their limitations.
“The fintech industry has created new products and ways of doing business that the compliance function in traditional financial services firms has not seen before,” said Rafael Gomes, an executive in Accenture Finance & Risk Services. “For example, fintech has facilitated new ways to bank digitally — not only checking balances online, but applying for loans and other credit products via mobile phones, making payments via smartwatches, etc.”
“Compliance needs to ensure that the right controls are in place across these new digital media,” Gomes said.
Technology is helping compliance professionals in their job roles and spurring them to enhance their skills, said Maria Tomlinson, general counsel and chief compliance officer of Optimal Payments Services, Inc., in New York. “Even if they cannot write code, they can implement and use savvy new tools and have a better sense about what their exposure is to risks such as money laundering, sanctions violations, and the like,” she said.
The growing role and interconnectedness of new technology have also created new systemic and operational risks, spurring an emphasis on cybersecurity that has been echoed by the Securities and Exchange Commission (SEC) and other regulators. Shortly after the SEC released a survey last year finding that most of the registered broker-dealers and registered investment advisers surveyed had reported being the subject of a cyber-related incident, it issued new guidance on creating effective cybersecurity policies.
The recruiter’s corner
I asked a veteran recruiter about what he’s been hearing from compliance officers looking for new opportunities and employers seeking to fill those roles.
“Compliance professionals are seeing more opportunities develop for their expertise outside of the banking industry, in some less traditional sectors,” said Maurice Gilbert, founder and managing partner of Conselium, a compliance and risk search firm and founder of Corporate Compliance Insights, an online supplier of news and analysis articles for compliance and risk professionals.
“We’re seeing money transfer companies, prepaid debit card firms, mobile money businesses, all getting into the act of hiring compliance professionals,” he said. “Obviously, this widens candidates’ opportunities.”
“Another positive development is that CCOs are getting the access to boards to do the reporting the regulators have sought in their rules and the language of their enforcement actions. They are also getting access to the CEO — informing the executive suite on an administrative basis — like the general counsel and chief financial officer have enjoyed,” Gilbert said.
The appearance that demand is exceeding supply is a reality, Gilbert says. That helps candidates command greater salaries, but some businesses have not yet come to terms with what they have to pay to get the skills they need.
Furthermore, Gilbert said, the increased regulatory focus on individual liability — which has occasionally targeted compliance executives — is giving some of his senior candidates pause. “For the first time in 15 years, in the last few six months, I’ve had two qualified candidates turn down CCO positions because they do the ‘risk versus reward’ equation in their minds, and the risk of being held personally liable does not seem worth it.”
The fear, Gilbert said, is that a new firm might not “have their CCO’s back” when violations occur and would allow the CCO to be a scapegoat for corporate lapses.
From the CCO’s perspective
“You know what? The potential for personal liability enables candidates to more seriously choose the organization they are willing to work for,” said Tomlinson, of Optimal Payments Services. Tomlinson is a compliance executive with over 15 years of experience, and she sees the personal liability issue in a positive light.
The compliance officer must choose the right firm — one that will offer support, take compliance seriously, and give the department adequate resources to perform the job, she said.
“This focus is helping firms get the best compliance officers, because only those who know they will do a good job, and who are picky about the firms they join, will apply.”
A PricewaterhouseCoopers survey in 2014 found that 93 percent of financial services firms reported they have a CCO and, among those firms, 73 percent reported that this person performs this role as his or her sole responsibility.
Tomlinson has seen attitudes shift over her career toward taking compliance more seriously, and she credits U.S. regulators’ more aggressive fines.
“These fines are finally having an impact on firms’ bottom lines and reputations, as fines go up and news spreads rapidly about them. That has propelled firms to appreciate that good compliance goes hand in hand with good business,” she said.
Indeed, Tomlinson said she has served as a member of a firm’s board of directors, rather than just having periodic access to it.
Technology is also having a positive impact and streamlining effect on the compliance profession, she said. The compliance and technology teams are communicating more to design tools that help their firms specifically address the risks they face.
She sees it as the emblem of good compliance practice when a firm advertises its avoidance of enforcement action as a business advantage, and when it uses its good compliance record as a marketing claim to distinguish itself from competitors.
The onslaught of regulations has made it more important for lawyers to occupy the CCO chair, she said, rather than someone with just an operations background.
“In the past, a CCO was often the former chief operations officer, and this was not a sufficient background once the onslaught of regulations began,” she said. “It’s important to have training in interpreting and applying the law.”
Her own double role in applying and interpreting the law — as general counsel and CCO — can work well, depending on the firm and how it is carried out, she said. “You cannot give yourself counsel as the GC/CCO, and you cannot solely handle the company’s litigation efforts.”
But the combined role can help synchronize efforts. “I can do the contract writing that both the GC and CCO should be involved in and make sure all of our contracts and arrangements have the compliance details they require, not just the standard legal ones,” she said.
Best practices for today’s CCO
Familiarity with the business. In addition to knowing their regulatory-reporting obligations, compliance officers should understand what their managers do, what products and services their company offers and the systems that sustain these products and services. If a compliance officer lacks this background, it can be acquired through research, on-the-job training, observing business associates, and asking for outside educational opportunities.
Another method for ensuring compliance officers understand their business is for them to get involved, where possible, in the development and creation of new business services and business units. This can also help ensure compliance is embedded in new activities from the outset.
Reporting lines. Institutions with elevated regulatory compliance risk profiles may want to have the CCO report directly to the chief executive, and CCOs should advocate this model. The relationship with the CEO can help lift the prominence of the CCO function, promote the compliance program’s importance throughout the organization and hasten reporting and response time for any incidents.
Apprise the board and senior management of how risks are managed. Compliance officers should seek to set out how the business has managed risk through regular reports to the board or senior management.
This is likely to include how the compliance program has handled any extraordinary employee incidents, what the team has changed within the compliance program since the last meeting, how it is handling any regulatory investigations or meeting the terms of any deferred or non-prosecution agreement, how it has mitigated any bribery or other corruption issues or insider trading concerns, and the state of its cybersecurity preparedness, at a minimum.
Avoid companies lacking a compliance culture. There is little reason to commit time and talent to a business environment where reputational threats lurk around the corner because a strong culture of ethics and compliance is lacking.
Regulators have been referencing “culture” in enforcement decisions because they have come to the realization that businesses that view their ethics and compliance programs as a set of check-the-box activities are more likely to ignore the ever-evolving risks facing them. An organization could have an impressive-looking ethics and compliance program, but without a commitment by all levels of employees to reference it and abide by it, and by top executives to promote it and encourage adherence, the program is insufficient.
There is no need to linger in this type of atmosphere if there is little to no support from the top in altering it.
Get the help you need. Many aspects of the compliance officer’s role require the support and active engagement of other teams and individuals. Besides getting the demonstrable support of senior management, compliance officers must make sure their efforts align with other groups, such as human resources (disciplining, plus hiring and firing employees), IT (data privacy policies and cybersecurity protections), audit (testing and monitoring controls) and marketing (reviewing advertising and social media communications).
Rules do not exist in a vacuum at any business. Having other departments reinforce your messaging and reminding their teams of how to alert you to potential problems will go a long way in making your program more effective.
Keep learning. The many certifications, continuing education programs, conferences and seminars available to compliance and risk professionals offer opportunities to learn from peers and network. Particularly in ever-changing areas like the use of financial technology, these learning opportunities can help compliance professionals implement state-of-the-art techniques at work and hopefully provide leverage with employers in terms of compensation.
This article originally appeared on www.complinet.com and is reprinted with permission