The emergence of artificial intelligence (not to mention other developments such as the potential rise of digital assets, blockchain, and decentralized finance) presents a number of compliance challenges for compliance officers. These developments have a common denominator—use cases that increasingly do not require a human actor.
There is certainly a lot to digest for risk and compliance professionals facing these emerging technologies. While these new developments may feel difficult for compliance professionals to manage, we must not forget that the fundamentals of blocking and tackling still carry the day for how compliance should execute on its mission. At the end of the day, human actors will still be the ones ultimately identifying risks, designing ways to implement workable policies and procedures, working with subject matter experts, and providing guidance and oversight to execute on the firm’s obligations to the marketplace.
Compliance and regulatory developments are never static. Rules change. Regulators issue alerts. Bureaucrats and elected officials signal changes. New products and use cases emerge. Industry scandals and missteps surface. New developments arise overseas. New technological developments prompt changes in approaches. The list goes on.
How to keep up with compliance demands
To help address the constant evolution of compliance and regulations, where there is always something new, I’d like to suggest a framework that has served me well over the years in my various regulatory and chief compliance officer roles. This framework involves steps in a never-ending circle. The good news is that many of these steps will feel familiar.
The first step begins with creating standards that will govern how the firm conducts its business within the context of its regulatory requirements. Those standards should include protocols that reflect the firm’s culture and desire to reflect its standards in the marketplace. Standard setting involves identifying legal requirements and best practices. It requires an assessment about how the firm will implement appropriate standards. It involves choices as to how the standards could be most productively integrated into the firm’s business model, and how it could most effectively maximize its ability to mitigate risk.
Once the firm determines the standards that will govern its business, the next step is guiding the firm’s implementation of policies and procedures that will enable the firm to execute on its standards. Once implemented, the firm should religiously document how policies and procedures are being executed, particularly if there was an issue that required remediation. A former FINRA examiner would consistently remind us that “if you didn’t document it, you didn’t do it…”
One thing to remember, particularly for smaller firms, is that firms should beware of placing too much reliance on off-the-shelf policies and procedures. While such documents can be a helpful first draft, the policies and procedures that firms ultimately use must be tailored to their businesses. Firms have been tripped up over the years when an off-the-shelf policy and procedure manual contained policies that do not reflect the actual practices of the firm, creating self-inflicted regulatory exposure.
Once policies and procedures have been created and fully documented, the next step is training. The firm’s people need to be trained on how to execute the policies and procedures. Simple is better. Beware of creating “War and Peace” policy and procedure manuals that are difficult to digest and understand. The documents need to be accessible and understandable by the staff and are the foundation of what a regulatory examiner would focus on. Effective training techniques are those that engage the staff and place them in realistic scenarios that they may be likely to face. Consider including live training sessions to help provide the opportunity for the staff to ask questions and to clarify obligations. All training sessions, whether through live sessions or through online programs, need to be documented to prove that the training took place and the staff participated.
The next step in the process involves monitoring and testing. This key element of any compliance program requires ongoing review and testing in real time to help determine the effectiveness of the implementation of the firm’s policies and procedures. Guided by the firm’s risk assessments, the foundation of this stage is to focus on those areas of the firm’s businesses that may present a relatively higher level of exposure.
Monitoring and testing techniques can include exception reporting, surveillance for outlier behaviors, and random testing of potential higher risk areas.
For compliance, best laid plans still need work
Monitoring and testing may uncover exceptions and breakdowns. Over time, these are unfortunately inevitable. Early detection is a gift and can offer more options as to remediation and avoidance of serious regulatory exposure. Particularly in an environment where the pace of change is accelerating, being able to react quickly is a primary objective. Depending on the seriousness of the exception, being able to stay ahead of the situation and hopefully control the narrative is key.
Escalation protocols should be in place to make sure that any material breakdowns are quickly brought to the attention of management, legal, and risk. This is crucial both for driving a timely remediation, but also to be able to remain ahead of alerting regulators, customers, and other stakeholders. Prompt escalation and quick, decisive action can mitigate a deleterious effect that could hurt the reputation of the firm. One way to help the compliance function stay on top of rapidly emerging developments is to keep track of exceptions and breakdowns by other firms.
After a breakdown has been identified, the next step is remediation and change. The uncovering of a weakness and decisions as to remedies need to be managed carefully. Often, these breakdowns rise to the level of potential concerns of regulators. As a compliance officer, you may need to have early conversations with regulators to let them know that you have identified the weakness and have hopefully addressed it. Ideally, compliance officers will have taken steps over time to engage with their regulatory colleagues to help promote a sense of comfort and responsibility as to how your firm addresses these issues.
Exceptions and breakdowns are inevitable. This is never “one and done” in the life of a firm. Processes are never infallible in the long run. Humans are never perfect. While perfection is impossible, constant, continuous improvement should be the goal. And to the extent that the firm is known to have a reputation that takes seriously its duties to promote market integrity, this will maximize the chance that the firm can weather what could have been a difficult storm.
Restarting the compliance circle
Once the remediation and lessons learned have taken place, we return to the beginning of the circle. The lessons learned will likely result in improved standards, which can lead to improved policies and procedures, which can lead to new training topics being unveiled, which can lead to improved paradigms for monitoring and testing, which can result in the detection of new exceptions and the embracing of new lessons learned, which can generate the creation, once again, of improved standards. The “compliance circle” is perpetual.
The opinions provided are those of the author and not necessarily those of Fidelity Investments or its affiliates.
1127006.1.0