Compliance risk is the risk of legal or other regulatory action taken against an organization or an individual, typically arising from a violation of applicable laws and regulations mandated by governments, supervisory agencies or legislators, and sometimes of rules the organization sets for itself (e.g., its code of conduct, corporate policies and procedures, or other standards of practice).
When a compliance risk materializes, the result is often an adverse financial impact: hefty regulatory fines, unexpected investigation costs, excess spending on remediation and, in extreme cases, economic sanctions or temporary bans that result in material losses and/or forfeiture of assets. Compliance risks also expose organizations and individuals to reputational harm, especially when the violation in question affects social, economic or environmental rights and welfare. Examples of compliance risks that are more likely to carry material reputational risk include sexual harassment, corruption and bribery to retain business or otherwise gain an improper business advantage, data breaches, contamination of land, air or water, and many more.
The majority of rules and regulations applied by compliance departments have legal force, and the same is true whenever an organization introduces a new policy or procedure to ensure compliance with such rules and regulations. In addition, some regulatory provisions require legal analysis and interpretation in order to understand how best to apply them across the organization.
As a result, both companies and businesspeople have developed a natural tendency to mitigate compliance risks primarily from a legal perspective. In practice, however, legal practitioners face several challenges when they treat compliance risks as if they were purely legal risks. First, the regulatory environment in which business entities operate has become increasingly complex, with a growing number of layers of standards and practices that deal not only with legal issues but also with ethical conduct (for example, the FCPA and UKBA anti-bribery provisions), controls over financial integrity and transparency (e.g., the Sarbanes–Oxley Act, or "SOX"), social and environmental sustainability, cyber threats and insider threats to privacy, and many other challenges.
While some of these issues may require a basic legal analysis, they also require an understanding of how to develop proactive strategies that promote a company's culture and resilience while balancing actual legal risk against business performance and cost. In addition, compliance programs mandated by regulators have become increasingly focused on a "risk-based approach" rather than a "de-risking" approach, with more emphasis on informing decisions through risk assessments, implementing practical procedures and internal controls, and building a culture of compliance via consistent training, monitoring/auditing and disciplinary action.
The financial services sector in Israel operates in a regulatory environment consisting of hundreds of provisions, guidelines and standards that govern banking services, financing and trading activities. In particular, the sector has seen a steady rise in both legislation and enforcement in areas concerning customer engagement (e.g., conduct and fairness), anti-money laundering and countering the financing of terrorism ("AML/CFT"), international tax compliance (e.g., FATCA and CRS), and model risk management and validation practices. Such regulations are usually designed to reflect international best practices published by leading bodies such as the FATF (Financial Action Task Force), the Wolfsberg Group and the FMSB, as well as by prominent regulators abroad such as the FCA, APRA, DOJ, FINRA, OCC, SEC, BIS, EBA, EIOPA, ESMA, BaFin, DNB and others. Consequently, Israel's supervisory agencies require financial institutions to maintain best-in-class compliance programs, establish robust compliance departments and appoint a designated Compliance Officer.
In turn, this has also set the tone for new FinTech players such as credit service providers, online remitters and other innovators.
In sum, effective management of compliance risks requires making decisions that are constantly informed by known levels of risk, as well as the estimated effectiveness of internal controls and various other processes that can reduce such risks to acceptable levels. This process involves:
- Identifying compliance risk areas, analyzing and assessing the inherent risk of potential non-compliance, and evaluating the effectiveness of current controls;
- Formulating effective procedures that govern higher-risk transactions and activities;
- Ensuring compliance procedures and processes are aligned with operational procedures, especially those governing human resources, procurement, accounting, finance and IT;
- Ensuring compliance resources are commensurate with the levels of risk identified;
- Continuously raising awareness through training, both targeted and standard;
- Conducting regular testing of higher-risk areas using tailored compliance analytics and anomaly detection techniques;
- Formulating appropriate processes for initiating, when needed, internal investigations, disciplinary hearings and other enforcement actions; and
- Periodically auditing the above practices and documents to ensure they remain effective and consistent with the organization's evolving risks.
The firm's services in this area include:
- Conducting robust compliance gap assessments and workplans;
- Designing internal controls frameworks;
- Conducting compliance risk assessments using a hybrid "top-down" and "bottom-up" approach, supported by quick and easy-to-use tools to capture and consolidate information collected from disparate business areas and systems;
- Providing subject-matter expert (SME) support in IT implementation projects involving compliance management systems (e.g., GRC or monitoring systems);
- "Compliance as a Service": assisting financial institutions, FinTech companies and companies in higher-risk industries by taking on a desired portion of the compliance processes that require oversight, or acting as compliance officer on behalf of the company, whether as a full Chief Compliance Officer or as a part-time service that supports the organization's existing compliance unit;
- Outsourced compliance services covering core compliance activities: performing KYC and EDD processes, transaction monitoring review and periodic compliance testing, and providing optimization services for existing risk and compliance platforms (e.g., false positive optimization);
- Regulatory advisory services to leading organizations in the Israeli financial services sector, including regulatory reviews, typologies, enforcement trend analysis and more;
- Assistance with the implementation of international standards such as the FX Global Code, Dodd-Frank, the Volcker Rule, the CSDR (Central Securities Depositories Regulation), the SMCR accountability regime, CECL, privacy regulations such as the GDPR and CCPA, as well as trading and capital market regulations such as MiFID II, EMIR and PRIIPs, and the LIBOR transition;
- Designing and implementing compliance programs as mandated by the Israel Securities Authority;
- Designing and implementing compliance programs in accordance with international best practices, specializing in areas such as anti-bribery and anti-corruption, anti-money laundering and international sanctions;
- Designing risk-based policies and procedures that outline compliance responsibilities, as well as auditing practices and documentation requirements;
- Designing and/or delivering training programs for compliance officers, compliance trustees and business units; and
- Supporting compliance IT vendor evaluation, selection and implementation procedures.