Mapping Your Regulatory Territory

For many Compliance Officers and Managers, having a vision of providing the very best compliance service that is possible for their firm each and every day, is commendable and noble, provided they understand how and where their firm stands.

How to map your regulatory territory?

The first step is identifying the high-level activities and then to tease out from that data the more detailed aspects and responsibilities of exactly where compliance is or could be impacted. This will then help with future audits or regulatory visits, as well as provide compliance and the rest of the business exactly where everything fits in.

This activity, although vast and sometimes complicated, is a fundamental necessity to ensure that the foundations of any compliance department and all the ideas, policies, controls, processes and procedures that you implement are not ‘built on sand”.

To start this it would be advisable to take a new notebook and cover the following rough sections;

each entity within your group including appointed reps, introducer appointed representatives or other subsidiary or joint-venture partners that your firm may have entered into business with.
each business unit and support departments within each entity.
external service providers including anything that maybe outsourced from IT to Para-planning, Legal to Banking.
the regulatory jurisdiction in which you are operating, for most this will be the UK and at most Europe however many firms these days offer offshore investment services
- Within your jurisdiction you need to identify all of the regulators and any standards or best practice setting, parties that may contain a quasi-regulator status as well as the obvious legislation, regulation and code etc.
product services and specific business activities across the range from front, middle and back office, as well as any general insurance, mortgages, financial and investment planning
common documentation used within the businesses across all entities for regulatory matters such as disclosure, financial promotions et cetera and any other relevant areas that may apply in the periphery

Now your list may look something like this for a medium to large organisation, perhaps a group.

Executive Committee

Retail/Group Functions
Digital Banking & Self Service
Mortgages & Savings
Banking, Insurance & Investments
Customer Strategy & Marketing
Lending Control
Operational Risk & Controls
Branch Network (Split regionally or by jurisdiction; i.e. IOM, CI etc)
Centralised Distribution Services
Subsidiary or AR Financial Planning Solution Firms
Group Intermediary Sales
Financial Performance Analysis

Finance & Specialised Support (internal or external/outsourced)
Reporting & Tax (Financial & Regulatory, Trading etc)
Group/Legal & Compliance (GC)
Internal Audit
Business Protection
Business Continuity Stakeholders (telephony, WAR site, utilities etc)

Risk
Secured Credit Risk
Commercial Credit Risk
Unsecured Credit Risk
Data, Systems & Organisation (internal, external exposures, shared or JV)
Compliance Oversight, complaints
IT Framework, Storage & Data Protection

Operations
Operational & IT Strategy
Business Transformation
Customer Service & Operations
Business Continuity

Extended Operations/Development
Enterprise Development
Group Services
Digital Development

People Management – Corporate, Customers and Staff
Operational Governance & Risk Management
Business Partnering & Operations
Corporate HR
Customer Experience/Journey
Corporate Communication & Corporate Social Responsibility
Commercial
Strategy & Planning (Disaster Recovery/Business Continuity)

Beneath these headline activities you will obviously have the “Heads of Department” or regulatory responsibility type of functions, most of whom, under the impending Senior Managers & Certification Regime (SMCR) will more likely be “Certified Persons” and reporting to a Senior Management Function (SMF) of the above. It is worth noting that people in these positions with SMCR will fall under the definition in the Code of Conduct Rules, COCON 1.1.2d a certification employee employed by a relevant authorised person, even if the certification employee has not been notified that COCON applies to them or notified of the rules that apply to them”. A point most worthy of remembering.

You will gather from this exercise that the requirements to be a good Compliance Officer or Manager takes you beyond the normal scope of compliance into legal, marketing as well as governance, company secretarial and office management. As it’s in your interest to leverage these additional areas from a relationship point of view, it is often best not to approach these with all guns blazing.

In gathering this information and immersing yourself in the knowledge of these other departments you will find that others will be asking you why you need to know how the IT system works, a subordinated loan is treated for the owners or even just how the HR recruitment process works, and you need to be confident in your response that by having even a broad understanding of the firm’s involvement will help put your own activities into context and therefore assist you in identifying compliance risks or potential breach areas.