In my last article, I wrote about recalls in the automotive sector, and how sometimes not being aware of the compliance and regulatory rules in countries we operate/sell in can trigger massive recalls. In this article, I would like to go deeper into the compliance aspect, which has the ability to cripple companies all by itself.
In 2002, Sarbanes Oxley (SOX) was introduced, and in 2010, Dodd Frank was signed into law. These were acts introduced in the United States as a reaction to Enron and the abuses on Wall Street. The end goal was to protect consumers from predatory lending practices, and holding officers accountable for any fraud. In 2011, as a result of the financial crisis, the Consumer Financial Protection Bureau (CFPB) was formed. Unfortunately that was just the start of increased regulation and scrutiny. A combination of Brexit, a Trump presidency, and overhaul of EU privacy rules has put regulatory change and uncertainty back into the spotlight. With the change of guard in the UK, numerous new regulations are expected to be introduced.
The Chief Compliance Officers job has become increasingly difficult over the years. In recent years, U.S. government agencies have targeted automotive and their supply chain companies under a number of different regulatory regimes, particularly Foreign Corrupt Practices Act (FCPA) investigations. There is a huge cost to be compliant, which most companies don’t have an option of avoiding. The U.S. government has undertaken a strategy of aggressively enforcing U.S. laws including the FCPA, economic sanctions largely administered by the Office of Foreign Assets Control (OFAC), and export controls on U.S. origin goods. These laws mandate that all multinational companies are required to place on aggressively identifying and managing regulatory risk, particularly for their international operations. Multinational business must evaluate and understand the sales, operations, and joint ventures reaching into countries known for high levels of corruption, industrial espionage, and illegal export diversion.
In addition to manufacturing specific regulations, the compliance officer must also pay attention to data privacy laws. Here are a few big ones in 2018.
Chief Compliance Officers need to set up tasks to understand how data is processed in your organization, how it moves across, and where it is stored. Is it encrypted at rest? Is it encrypted in transit? Who has access to it? What is the archiving and disposal policy?
The changes keep coming
Compliance Officers, when surveyed, said “Keeping policies and procedures up-to-date was ranked as the #1 biggest challenge when it comes to regulatory compliance or risk management”. 44% of organizations see reputational risk as the biggest driver for compliance, followed by being a good corporate citizen (32%), and avoiding fines and penalties (20%).
But all this is a cost. Compliance departments in small sized-mid companies have staff and headcount that could go as high as 5% total. Compliance officers simply cite reputational risks, and CEOs and CFOs have no choice but to allow for the expenditure to remain compliant. At some companies, the cost is just choking out any margin that may remain. Pressure on the compliance function has been steadily increasing. Every year customer audits become longer, and regulators continue to publish even more regulations. Now personal liability of compliance officers is on the table. New roles and processes are required. The question is, are our excel spreadsheet warriors ready to handle the onslaught of new regulations?
Having key policy documents are always the first step. But being able to audit those polices and ensure enforcement is a real challenge for the compliance team.
Where is the ROI?
Return on Compliance (ROC) is becoming more important. How do you quantify this? According to Thomson Reuters, “69% of companies expected an increase in their total compliance budget over the following 12 months. Metrics will be critical. Therefore, the right dashboards that shows compliance progress will ensure we are not re-doing items. The larger the company and the wider its stance, the more important it becomes to measure and set a benchmark, to then measure against your own industry or other companies within your own organization
The 3rd wheel
Being a vendor today in most of the industry, including the legal fraternity, brings a lot of 3rd party players into the mix. Data is being exchanged via integration between vendors and suppliers in all industries. One area that I am quite familiar with is the mortgage default industry, where law firms received information about mortgages from its clients. The clients would always view the law firms and any of their suppliers with trepidation. It was not uncommon for the firm to receive 30-50 audits annually from its clients. 3rd party risk management is a large piece of what a compliance officer must do as a lot of audits focus on just that.
There is only one constant in the world of compliance: Everything changes all the time. “The main challenges facing compliance professionals in today’s world are based on the pace of change and level of uncertainty we are experiencing,” says Tracey Groves, head of ethics and compliance in PwC’s UK forensics practice.
Regulation is only likely to continue to increase and get more complex and burdensome.
You tweeted what?
An area that is gaining more attention these days is Omni-channel communications, which include social media and text messaging. Twitter, for example, has been the tool of choice for President Trump in announcing his policies. In such a charged environment, an ill-advised tweet by the rest of us can result in state and federal regulators knocking on the door. It is with ease that confidential data can be tweeted out for the world to see within a split second. There will be regulations around this at some point no doubt!
Companies will need to invest in talent who understands how to read and interpret regulations. Currently, the demand is greater than the supply, and the gap is widening. This is more pronounced for global companies who want to standardize tools and processes. Security is wrapped into the equation, and as traditionally non-connected companies become more digital, the risk of security breaches increases. Unfortunately, more often than not, the perpetrators of white collar crimes are employees. The compliance team must ensure any and all safeguards put into place are not at risk of circumvention. The right compliance tools must have adequate role-based security to ensure confidentiality. In addition to complying with regulations and protecting data assets, the compliance team must be able to foresee potential threats from new business activity, influence management, and advise the board of potential risks, both external and internal, of a new product.
The compliance team definitely has a lot on their plate, and in order for them to operate effectively and provide a good return of compliance, they must be empowered with the right tools and software to manage the ever-changing world of compliance.