“MAS expects CEOs and directors to carry out the duties and functions of their offices effectively, including ensuring that financial institutions comply with regulatory requirements and providing complete and accurate information to MAS. Where appropriate, MAS has taken, and will continue to take, regulatory action against CEOs and directors of financial institutions that fail to comply with regulatory requirements.” – The Monetary Authority of Singapore
MAS CONSULTATION PAPER ON PROPOSED GUIDELINES ON INDIVIDUAL ACCOUNTABILITY AND CONDUCT
Meanwhile, the MAS is continuing to finalise its Guidelines on Individual Accountability and Conduct (the “Proposed Guidelines”).2 The consultation paper was released in April 2018.3 The final version of the Proposed Guidelines could be published and go into effect at any time. The Proposed Guidelines are intended to promote the individual accountability of senior managers, strengthening oversight of employees in material risk functions,5 and reinforce standards of proper conduct among all employees.
CORPORATE GOVERNANCE STRUCTURES
Typical management reporting structures In general, responsibility for management of a financial institution (“FI”) is held by its board of directors (the “Board”). Day to day management of the FI is delegated to senior management, which often includes one or more directors, led by a CEO.8 An FI’s legal and compliance functions (“L&C”) can be combined or separate. In either case, the head(s) of those functions usually have dual reporting lines. One reporting line goes to a member of senior management such as the CEO or chief operating officer. The second line is a direct reporting line to the Board.
Responsibility for compliance
As a general matter, the Board of Directors of an FI is accountable for oversight of the management and activities of the FI, including compliance. In the Reprimand, the MAS stated: “As the CEO and a director of ACPAM, Mr. Tan was primarily responsible for ensuring that ACPAM complied with the regulatory requirements”.
Authority of L&C
Excluding the FI’s articles of association, shareholder rights and any external legal or regulatory requirements that may apply, an employee’s authority within a corporate setting is derived from the Board. Sometimes a Board may give the Head of L&C authority to approve/veto certain actions suchas entering into contracts or conducting new businesses. However, many Boards give senior management, including the CEO, discretion as to whether to follow the advice of L&C. In cases where the advice of L&C is not followed, the matter may or may not be reported to the Board depending on the facts and circumstances of the case.
QUESTIONS AND ANSWERS
In Singapore, are compliance officers directly accountable to a regulator for breaches by a licensed entity?
No.11 The general responsibility of the compliance officer is to provide an in-house compliance service that effectively supports business areas in their duty to comply with relevant laws and regulations and internal procedures.12 In Singapore, a compliance officer has a duty to his employer, but is not directly accountable to the MAS for breaches by committed by a licensed corporation. The rules of other jurisdictions may vary.
Can compliance officers, senior management and Boards have legitimate disagreements on matters of compliance?
Yes. A decision of senior management or the Board to not follow the advice of L&C on any given matter may be completely proper and appropriate. Many matters on which L&C advises boil down to judgment or risk tolerance. If the Board wanted L&C to decide those grey cases, the Board could have (1) promoted the Head of L&C to CEO or (2) required L&C approval to go forward. Instead, Boards of FI’s typically ask L&C to advise senior management and the Board. After considering the advice of L&C and any other relevant factors, senior management or the Board make a decision and are accountable for their actions. Meanwhile, L&C is accountable to the FI for
its advice to the Board and senior management, but not the final decision taken. For these reasons, L&C is generally viewed as an advisor to the Board and senior management rather than a decision-maker.
Should compliance officers have supervisory powers?
On 18 March 2019, the Hong Kong Securities and Futures Commission (the “SFC”) announced a reprimand and HK$15.2 million fine (the “Sanction”) against Guosen Securities (HK) Brokerage Company Limited (“Guosen”). The SFC found that Guosen failed to comply with anti-money laundering and counter-terrorist financing requirements when handling third party fund deposits. Along with its announcement of the Sanction, the SFC published a Statement of Disciplinary Action relating to its findings (the “Statement”). Among the breaches noted by the SFC was Guosen’s failure to have in place an effective compliance function from 1 November 2014 to the end of 2015 (the “Relevant Period”). In its discussion of that breach, the SFC noted: “During the Relevant Period, Guosen’s Legal and Compliance Department merely performed an advisory function and did not exercise a supervisory or review function” (the “Supervisory Remark”). The Supervisory Remark raises the question of what supervisory authority L&C should have. We believe that the Supervisory Remark was intended to remind licensed corporations that L&C should have sufficient authority to serve as an effective internal control. However, the significance of the SFC’s contrast of a supervisory function vs a mere advisory function is unclear, because at most FIs, L&C is ultimately an advisory role due to the reporting lines and ultimate authority of the Board.
Should compliance officers be licensed persons?
If compliance officers are required to specifically approve or veto certain actions of an FI, the compliance officer’s power will be nearly equal to the CEO with respect to those matters. Rather than give compliance officers veto/approval power or make them licensed persons which may produce the same practical outcome, an FI could achieve similar results by promoting its compliance officer to CEO or changing the incentives of the CEO to match the incentives of the compliance
officer.
According to the MAS’ Guidelines on Risk Management Practices – Internal Controls, “Compensation for risk management, control and valuation functions should be sufficiently independent of the performance of trading activities or sales and revenue targets. This is to avoid providing incentives for such staff to condone excess risk-taking in the institution”. Compliance officers are not necessarily more ethical than other members of senior management. Nor do they necessarily have better judgment than other members of senior management. However, compensation incentives are different for a specific reason. Altering the power dynamics among the Board, the CEO and L&C could have material adverse effects on an FI’s financial results due to L&C’s relative lack of incentives to take risks or generate revenues.
PRACTICAL RECOMMENDATION FOR BOARDS AND CEOS
We recommend that Boards and CEOs require compliance officers to certify to them on a monthly basis that the FI has complied in all material respects with applicable regulation (except as may be set forth in an attached schedule. FI’s are required to comply with applicable laws at all times. However, the purpose of having an L&C function is for such function to identify and escalate regulatory issues of which other senior management may not otherwise be aware. Upon any escalation, the Board and senior management should adequately address the issue raised. Still, requiring such certifications should help Boards and senior management (i) demonstrate their
commitment to operating with a culture of compliance and (ii) reduce their personal risk regarding compliance breaches.
CONCLUSION
It is clear that the MAS as well as regulators globally are focused on increasing accountability of the Board, the CEO, L&C and other employees of FIs14 material risk functions. We strongly recommend financial institutions consider their existing governance to ensure they will be able to implement the final version of the Proposed Guidelines whenever they come into effect.