Screen Shot 2016-06-02 at 16.15.55

The Lawyer’s In-house Financial Services conference advisory panel weighs in on the key to a good relationship between legal and compliance, technology that in-house counsel should be using and how regulation is driving change in the market.

Q: What is the best practice regarding the relationship between legal and compliance? How is this relationship impacted by increased scrutiny from regulators?

Zoe Bucknell, former general counsel, OneSavingsBank: Increasingly, the trend in compliance is to split it into two different activities: the traditional assurance activities – monitoring, checking, reporting and reviews – and the advisory capacity where you advise on regulatory changes and how those impact across the business as well as horizon scanning for regulatory change.

I think the assurance piece should be kept as independent as possible and legal should have minimal interaction with it. Where I see a correlation is in the advisory piece, where you could create a regulatory affairs team within the legal function. Mixing compliance professionals who understand the practical implications of regulation with lawyers’ interpretative skills gives you a very strong proposition.

Regulators have a two-pronged attack. In Europe they are playing catch-up on the financial crisis. They have a host of restraints up their sleeve that they want to impose on the financial services industry. The onslaught probably won’t slacken until the economic environment stabilises more.

Osagie_Solomon_Tsys_2016
Solomon Osagie

“The roles of compliance and legal shouldn’t become blurred – regulators need to see a clear and coherent responsibility structure”

In a way, imposing such a high level of regulatory change on an industry like financial services that is also trying to manage turbulent economic waters is counterproductive; the industry is overstretched. Regulators should take a step back and identify the key aspects that the industry needs to stabilise and strengthen to avoid another economic shock. Then you need to give them a break.

I made the changes in OneSavingsBank because that was the only way the business could organise its services in order to handle regulatory changed without being using too many resources. This should be happening elsewhere – businesses should leverage their legal teams more to guide the business through the regulatory change maelstrom. In bigger financial services businesses this has been the case for some time, but the smaller and mid-size financial firms have to catch up.

Solomon Osagie, lead counsel, Tsys: Traditionally legal and compliance functions have sat with the general counsel but a number of organisations have moved away from this model, or  have a model where there is a head of legal and a head of compliance reporting to a general counsel. I favour the latter approach. From a practical perspective, it is difficult to manage either function without huge input from the other. It is clear that each requires a specific skill set but the two need to interact regularly. Compliance must be integral to overall risk management and strategy; to effectively manage this requires some sort of co-ordinated approach.

The financial services industry, like most service operations, is becoming increasingly regulated and the common view is that this will continue. However, it is important the roles of compliance and legal don’t become blurred – regulators need to see a clear and coherent responsibility structure at a company. It will be interesting to see how companies structure their approach: does the legal strategy determine the compliance approach or should compliance dictate the approach to management of legal issues?

Leigh Murrin, chief legal operations counsel, GE Capital: Regarding best practice, the strongest legal and compliance departments have mutual respect and regular communication.

Mutual respect is needed because while there are adjacencies in legal and compliance, it’s important to understand the responsibilities of the other. I recommend in-house lawyers take the time to understand the regulatory responsibilities of compliance officers and the differences between the operational risks that legal and compliance teams are responsible for overseeing in a regulated business. Also helpful is mapping out who does what; in particular you should consider when legal should consult with compliance and vice versa, and share this as widely in your business as you feel necessary.

Regular communication is important: you have to establish relationships with each other and a regular rhythm of sharing what you are working on. In terms of regulators, I don’t think that the relationship is impacted at all: regulators have always expected these teams to work together. Our business leaders do as well.

Sanjay Bhandari, partner, EY: There is a  clear decision to be made when structuring a legal and compliance department. You can create a unified management structure with a single clear reporting line through to the board, or you can create separate reporting lines and management teams for both legal and compliance. Boards may take comfort in having two departments looking at different aspects of compliance risks, but this can be outweighed by potential gaps in responsibility that can lead to an enhanced legislative/regulatory risk.

Compliance teams are front of mind but do not necessarily have the detailed understanding of the legal and ethical frameworks that influence regulator thinking that is needed to pinpoint areas of extreme future legal risk. Ironically, because regulators prefer to liaise with non-legal staff, they push firms towards a dual reporting line, which potentially increases the chances of a legislative/regulatory breach.

Fergus Speight, general counsel, Royal London: It is essential to agree who is responsible for what, with no gaps or overlap. In order to do so effectively it is important to establish and document a comprehensive framework for dealing with changes in regulation and legislation.

In taking this view I am assuming that the business areas are already compliant with the regulatory rules and legislation that affects them. The components in the framework build the picture of who is responsible for what across the enterprise in terms of identifying and tracking changes in regulation and legislation.

The advisory part of the compliance function will undertake the majority of this work; they should be working with the compliance people in the business areas. This framework should be set out in a way that clearly shows the compliance function’s remit; its contents will detail the regulators it will watch and the regulations it will cover, which will likely include large impact pieces of legislation such as those with direct effect from Europe. The legal function’s remit will generally be much narrower and concentrate on the interpretation of the legislation to help the business better identify the impact on the arrangements the company has with customers or suppliers.

Fergus Speight
Fergus Speight

“It is important to establish and document a comprehensive framework for dealing with changes in regulation and legislation”

It is also important to agree on who will deal with any problems that arise. Often compliance  teams deal with issues while they are still being dealt with by the regulator’s supervision team, but should it escalate and go towards the enforcement team then legal should take the lead.

Lesley Wan, corporate real estate counsel, Lloyds Banking Group: It is becoming increasingly important for legal and compliance teams to be better aligned in the wake of the watchful eyes of the regulator. The teams should ensure regularly communicate about key issues and work as one team in order to be able to better identify and deal with key issues as they arise.

Q: How can in-house teams use technology to increase collaboration between compliance and legal?

Osagie: There has been a huge interest in legal technology in the areas of management of work-flows; discovery and disclosure; and corporate and company secretarial work. We have seen the emergence of legal tech firms with lawyers jettisoning legal practice for what they see as a growth area. Technology has its advantages: we are now able to communicate within the workplace via a multitude of formats (email, instant messaging, video calls, SharePoint sites, etc), and technology conferences can replace face-to-face meetings.

Encouraging collaboration is easy. The organisational challenge is now to ensure that these tools are effectively used and crucial information is not buried in with the mundane. Teams have to consider what is being shared and ensure the correct individuals are involved throughout the process. However, I have my doubts as to how much this industry can grow for the in-house community. The majority of organisations do not have the resources to invest in what is in truth huge capital, and this is what the main challenge is.

Murrin: Technology is important from the point of view of sharing know-how. When both teams are horizon scanning, any useful issues should be shared between them and technology can enable this.

It would be great if technology could take horizon scanning to the next level – it could not only tell us that a change in regulation and law has occurred, but it could be tailored intuitively to the specific geographical places where our businesses and customers operate, our product lines, corporate structures and regulatory footprint. Legal and compliance functions would really benefit from the time savings this would generate.

Speight: The framework document should set out the reports that the governance committee receives, and have simple technology solutions such as access to shared databases where there could be details of breaches, their impact and progress on remediation. The status and findings of compliance monitoring reports all go a long way to ensuring that there is one single view of the compliance environment.

Bhandari: Simple is best when it comes to in-house use of technology. Shared matter management systems, to enable cross-department collaboration on proactive compliance work, and current investigations, are a must. Shared document libraries and know-how systems enable members of each team to quickly understand issues, as do shared training programmes. But true collaboration comes from a shared sense of responsibility and a shared understanding of the crucial role each department plays in managing legal risk for the firm.

Wan: Intelligent ways to capture, record and share concerns regarding legal and compliance risk are only possible with the right level of technological support and infrastructure. Ideally, both legal risk and compliance risk (and credit risk) should be adopting similar shared technology portals to share and develop strategies on risk affecting a business.

Q: How much time do you believe the legal team should spend on horizon tracking?

Osagie: Putting a numerical figure on such a question is very difficult. Ideally you would have an individual or team dedicated to this task: if budget constraints do not allow for this it is crucial that legal teams are aware of future events and possible issues. The earlier changes and potential risks are identified the easier it is for an organisation to adapt. The US and other jurisdictions are ahead of the game here but we’re catching up.

Anticipatory engagement, getting involved in consultation processes, being part of the dialogue when new legislation and regulation is being considered is where it should start. For any organisation that has a strategic focus, prospective regulatory and compliance issues must be central. Sadly most organisations do not see this as a worthwhile investment but it will become more and more of an issue.

Bhandari: Horizon scanning and legislative and regulatory impact assessment are a core risk control function. Legal teams spend a huge amount of time already trying to stay on top of legislative and regulatory pipelines across multiple jurisdictions for a wide range of businesses, products and distribution channels that grow at a phenomenal rate.

Fragmentation of regulation, national tiering and international layering add complexity and make risk assessments time consuming and legally complex. One of legal and compliance teams’ biggest current needs is to create standard legislative and regulatory assessment models that enable them to take a consistent and proactive approach to risk analysis and compliance resource prioritisation.

Speight: The time spent should be limited; the majority should be done by the business themselves and the compliance team should be carrying out the bulk of it.

Bucknell: I split horizon tracking into different elements; mainly to align the way I split responsibility between compliance and legal. I had the compliance function looking at regulatory change from the FCA perspective. It was just the conduct regulation. I had legal responsible for non-regulatory legislative changes such as consumer contract changes and data protection.

I made the company secretary team responsible for corporate governance tracking. All three teams worked collaboratively on horizon scanning. It split the burden: there is a danger that a lot of the team ends up looking ahead, and you can spend too much time looking ahead and not enough on now. It was also collaborative: they had regular meetings that allowed them to discuss what would impact across the business. This was particularly the case with the implementation of the Senior Managers Regime in March this year.

Looking out for what is coming on the horizon is one thing and managing the regulatory change programme is another.  The legal team should spend 20 per cent of their time or less on this, not including the impact analysis.

Wan: Horizon tracking is now an established part of the role of a general counsel and his or her legal function. Legal teams add value by capturing and assessing legal risk; staying one step ahead of legal change and wider developments in the markets is fundamental, and increasingly a greater degree of time is and should be spent by legal teams on horizon tracking and sharing views on legal risk. That way the legal teams throughout the business are better informed and there will be consistency of approach.

Murrin: The answer will be different depending on the size of the legal department. If you are in a large business, lawyers will be more specialised, and it makes sense that some will spend more time than others on horizon scanning relative to their roles. For example, we have lawyers in our organisation who are required to do horizon scanning for changes in financial services regulations as part of their day job and communicate those changes to impacted colleagues. The same is true in other internal legal departments as well.

Lesley Wan
Lesley Wan

“Horizon tracking is now an established part of the role of a general counsel and his or her legal function”

If you’re in a smaller legal department, then the onus is on the individual to spend a greater amount of time on horizon scanning across a variety of topics. That is definitely harder and more time consuming. However, all lawyers have a responsibility to keep on top of changes in law and how it impacts your business and area of expertise  – that is part of the currency of who you are and where you bring value. Personally, I think spending one to two hours a week on general reading and know-how is good practice. The time spent may fluctuate depending on how law is changing at any given time and the extent to which it impacts your practice area or business lines.

Q: What are the main issues concerning the financial services industry and how do they impact future horizon tracking?

Murrin: Regulators and public opinion will hold individuals personally accountable for failures of corporate controls, processes and ethics. The idea that people can hide behind a cloak of corporate anonymity is long gone. Legal and compliance have a responsibility to be on top of impending changes and developments so that our businesses and colleagues do not inadvertently step outside the law or these external expectations. Horizon scanning cannot be de-prioritised in today’s world and legal and compliance functions have to find ways to manage it.

Bhandari: Legislative or regulatory complexity is a big issue, but added to that are the twin issues of digital disruption and data protection. Digital technology is changing the face of the industry, giving new access to services through digital distribution channels, new efficiencies in delivery, accelerated product development and augmented risk analytics.

Regulators are embracing digital, for example through the FCA sandbox, and are keen to show that regulation will not act as an insurmountable barrier to entry to the market. But there are risks associated with digitisation. In particular the driving need to protect customer data, and the burden that shifts in regulation will impose on incumbent providers of financial services. Future strategies firms take will need to be guided by predictions of how the legislative/regulatory landscape will shift to accommodate fintech, and the role of legal in assessing the future direction of legislation/regulation will be central to the success of the firm.

Bucknell: The main issues are the volume of regulatory change and the increased scrutiny of the regulator. It has changed from rules-based regulation that encouraged a tick-box approach to compliance to a principles-based regulation. Now there is outcomes based regulation, where it doesn’t matter if you followed the rules and the principles: if something at the end is detrimental to the customer then the regulators are going to come down on you.

I think that means that horizon scanning is a discipline that businesses must have. You can’t run a business without horizon scanning, but if you don’t have all the other bits – the gap analysis and the operational impact assessment and how they need to be implemented in an operational basis, if you don’t review your policies and frameworks – it is irrelevant.

It’s the double whammy: you have the volume and the complexity of the changes which go across your whole operational environment.

Then there is the increased proactivity of the regulators. The regulators almost become a political beast. They are out there to prove their worth and their teeth. It would be great to have best practice, leading market innovation, but the reality is you would probably not be operating a profitable business because you would have put everything in compliance. There has to be a balance. You have to run a business. There might be a tendency to not be the last person in the water when the sharks are coming after you. The cost of compliance is becoming a real issue.

I would strongly recommend that general counsel retain the advisory business of compliance, and not pass this onto risk or compliance functions if these are separate.

Osagie: I suspect that at this time of the year Brexit implications must be at the fore. There are others like the new Data Protection Regime, and how transfers are resolved with the US, and the application of MiFiD 2. The UK is considered to be the world’s leading fintech hub – the banks have now realised that there is competition from fintechs, and so a focus on the changing commercials models within retail banks is of acute interest. The tension between the need to promote trade and stimulate the growth of technology balanced against the need to protect consumer rights is huge and we are seeing this tension in  the lead-up to most of the new legislation.

What I suspect we can all agree on is that there is likely to be a constant stream of regulatory issues for which we all have to keep watch.

Horizon tracking should not be limited to legal issues: a wider review encompassing political issues, developments in technology and consumer behaviour must be taken into account in order to build a comprehensive view of the financial services industry. Lastly I suggest that we strive for an organisation-wide approach should this be given more prominence and support.

Speight: The sheer volume of change is one aspect. The uncertainty of what that change really looks like due to regulations being unclear contributes to that issue. There is also the issue of the timeframe in which we have to implement these changes, which, coupled to constraints in the IT systems and capacity of people to actually do the work while the business is trying to carry on as usual and provide a service to customers, causes anxiety!

Wan: Regulatory and political issues dominate the landscape for the banks. For example, fraud continues to be a key focus for financial institutions and we need to ensure we have the right tools to manage our risks, engage with the authorities and handle the regulatory issues related thereto particularly as FCA has begun to really focus on this as a key issue. Legal teams are already beginning to start to assess the impact of Brexit on their businesses and is a good example of legal teams partnering with external counsel to horizon scan.

The increased volume and complexity of regulation in the financial services industry has posed major challenges to the legal and compliance functions at many financial institutions. To help the industry navigate through the upheaval, The Lawyer is launching a brand new conference: In-house Financial Services, an event for in-house legal, compliance and risk professionals, taking place on 5 July at St Paul’s – 200 Aldersgate, London.

If you are interested in attending or would like more information on the event please: call +44 (0)207 970 4940 / email: delegates@thelawyer.com / visit: www.thelawyer.com/ihfs