Over the past ten years, legal and regulatory bodies — particularly in the United Kingdom and the United States — have enhanced their expectations of compliance risk management.
This has particularly impacted our larger and more regulated clients, but expectations of a strong compliance ethic are filtering throughout sectors in the shipping and commodity markets, as financiers, governments and business partners place increased emphasis on this area. At Infospectrum, our core counterparty risk management service has increasingly been complemented by assisting our clients in managing compliance risk. The approach of many of our clients is highly varied, depending on local laws, budgets and a willingness to enforce such structures in highly competitive markets. In today’s highly regulatory climate, it may seem that managing compliance risk and implementing solutions requires a blank cheque. But is this really the case? We think not. This article considers whether any general principles can be applied to the process as a catch-all, or alternatively used to ascertain where to draw the line.
Laws and Regulations
The legislative landscape is continually changing, with compliance officers dealing with new requirements on a daily basis. While sanctions and Anti-Money Laundering legislation tend to be the most high-profile compliance issues, UK companies also have to abide by the UK Bribery Act 2010 and the UK Modern Slavery Act, which specifically address potential concerns brought upon a company by its business partners. Regulators such as the UK's Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) maintain an interest in financial crime (covering KYC and UBO requirements) and financial solvency/commercial risk (via legislation such as MiFID II). The US Foreign Corrupt Practices Act covers foreign nationals and entities considered to have aided and/or abetted an act of bribery, regardless of whether the foreign national or company engages in any action in the US.
While these laws are often not explicit in their wording, and authorities may not proactively check compliance on a regular basis, they are clearly able to enforce legislation if it is proven that your company did not have procedures in place to ensure compliance, with potentially very substantial fines applied. As always then, there is a balance between cost and benefit - does your business expose you to real risks of compliance issues? How often? Would greater compliance investment improve or undermine your competitive position?
A well-supported compliance officer or team will identify all of the compliance regulations that apply to their specific company, industry and operations, but understanding regulatory requirements is only half the battle. It is just as important to appreciate compliance risks specific to each company and to implement systems to mitigate these risks. We believe that the following general principles can serve as catch-all reference points for this process:
1. Understand your parameters
This is often the biggest grey area of compliance - what laws apply to you? What is legally required, and what is best practice? Some of our clients have found even this first step extremely difficult to quantify, a position which isn't helped when the regulatory bodies are also dealing with new, and often untested, legislation. Auditors can often help in this process, but again, your auditor needs to understand the practicalities of enforcing compliance in a sector where much of the information needed may not be available in the public domain.
2. Risk assessment and strategy
Where do you start? Undergoing a risk assessment will help your company to identify the legal, financial, operational, strategic and reputational risks that affect it. A risk assessment can also double up as a vehicle to help allocate resources to mitigate the risks found. Any formal compliance strategy which emerges as a result needs to take into account the potential impacts on your business of enforcing a strategy - can you afford to turn potential business away as a result? Can you afford not to?
3. Assess the onboarding process
Many of our clients rely on third parties to introduce business, and have an expectation (often based on experience) of the quality of the information provided. Under the UK's Marine Insurance Act, for example, brokers are expected to provide information in good faith, but our experience has shown that they, in turn, are reliant on ship owners/operators which may not be keen to release the full detail of their ownership or operations. Use of a compliance questionnaire can gather information that focusses on key concerns. Capturing this information also assists in implementing a governance structure for the day-to-day management of compliance.
4. Educate both internal and external stakeholders
Compliance is often seen as yet another "business prevention device" by stakeholders, but for regulated companies, non-compliance can be business critical. It is important to discuss compliance expectations with both employees and business partners if a compliance risk management culture is to be established. Frequent training is also a vehicle that helps to deliver these expectations, establishes clear ownership of risks and encourages transparency. Sharing outputs from compliance risk assessments and the evaluation of counterparties also allows employees to better understand existing and emerging risks and helps to prioritise remediation activities. Likewise, including compliance language and audit rights in agreements with counterparties formalises the importance of adhering to applicable legal regulations and internal compliance policies and processes.
5. Ongoing monitoring and auditing
Compliance shouldn't just be a matter of ticking the fewest boxes possible. Monitoring and auditing counterparties will help your company stay ahead of risks, particularly in complex international corporate trading environments such as shipping and commodity trading, where business can be transferred from a sanctioned entity to an apparently "clean" entity very rapidly. Designing an approach that provides current information to your organisation and captures intelligence on a current or potential business partner is key — as is the ability to undertake regular audits that flag up operational changes with these business partners.
Real world implementation
The range of initiatives carried out by our clients in relation to compliance varies hugely. Regulated entities cannot afford not to have policies in place; other clients use compliance to burnish their credentials with stakeholders, financiers and counterparties; and others spend little time addressing this area at all. Managing and implementing compliance risk is front-loaded cost-wise, but it certainly doesn’t require a blank cheque. Responsive procedures, a dedicated compliance officer or team, a commitment to training and access to the right intelligence will foster a risk management culture that ultimately pays for itself.
While each client will have their own compliance framework to operate within, the industry has found our due diligence provides the rapid intelligence they need to assess compliance risk. This has been particularly critical in the existing sanctions environment, but is equally true, for example, in complying with credit insurance or banking requirements. With our deep and global pool of intelligence, and trusted industry record, clients know they can use our intelligence to prove they have sought out impartial, independent advice on these subjects.
For further detail on Infospectrum's Counterparty Management System, which ties the counterparty onboarding and assessment process directly into our intelligence, click here.