Greater control of company data allows compliance officers to dedicate more time to proactive work and ensures that the company is well equipped to handle future changes in legislation.
For the past few years, compliance officers across Europe have spent a large amount of their time preparing for and implementing new routines to handle a barrage of new and revised EU directives and regulations.
In Norway, we saw three major directives come into force in 2018 alone:
- The revised Markets in Financial Instruments Directive (MiFID2)
- The General Data Protection Regulation (GDPR)
- The Anti-Money Laundering Act (including regulations on terrorist financing)
MiFID2 came into force in January 2018, followed by GDPR in April and the Anti-Money Laundering Act in October.
Additionally, the revised Payment Services Directive (PSD2) came into force in Norway on 1 April 2019, having already been in effect in the EU since January 2018.
For compliance officers with an already over-encumbered workload, the question now is: What’s next?
Creating a healthy compliance culture
Keeping pace with the continuous evolution of European legislation, and staying up to date on it, adds to the long list of tasks and responsibilities assumed by the compliance officer, consuming time that could have otherwise been dedicated to perhaps his or her most important responsibility: building and safeguarding a healthy compliance culture within the company.
If the CO is to succeed in building a healthy compliance culture, salespeople, consultants, and customer service representatives must have an adequate understanding of what is required in order to comply with all laws and regulations, both old and new.
These employees are, in many ways, a company’s first line of defense when it comes to compliance, as they are the ones working and communicating directly with clients.
The second line of defense is the corporate management, from department heads and all the way up the corporate ladder. Creating a healthy compliance culture is difficult at best, and impossible at worst, without support, interest, and commitment from the management.
This effectively means that the compliance team must approach both the top and bottom of the chain of command simultaneously in order to achieve their goal and fulfill their responsibility.
Dedicating the required time and resources to this two-pronged approach – educating, training and following up colleagues and management, ensuring that they all recognize the importance of a compliance culture – is an imposing challenge in itself, and one that is made all the more challenging due to the seemingly endless line of new directives and regulations coming into force every three or four months.
Naturally, compliance officers must educate themselves before they can pass that knowledge on to their colleagues. And more often than not, time spent reading up on complicated regulations equals time deducted from safeguarding the company’s compliance culture.
As a result, compliance officers often feel as if they spend the majority of their time putting out fires, rather than actually educating, training and following up co-workers.
Avoid spending excessive time and resources
While there is little to be done about new directives coming into force, COs can take action to limit the time and resources spent on implementing new company rules and guidelines that correspond with future changes in legislation.
To avoid spending an excessive and often unnecessary amount of time adjusting to new international or national directives and regulations, compliance teams should work proactively to ensure that the company is well equipped to handle upcoming changes.
Their goal should be to verify that the company fulfills three important criteria:
- Compliance with existing guidelines, directives, and regulations
- Complete control of company data
- A good system for quality assurance of the entire audit trail
Fulfilling these three criteria gives companies a good foundation in terms of compliance and ensures that the CO will not have to start over at the very beginning with every new directive coming into force. Instead, he or she can dedicate more time to proactive compliance work and co-operating with the company’s first line of defense to prevent potentially costly mistakes and violations from being made.
Centralized solution for greater data control
One of the biggest time consumers for compliance officers is fragmented data. After spending time and effort preparing for and adopting new regulations and implementing new routines within the company, many COs still have to search through multiple systems in order to audit, control, and follow up on compliance efforts.
Client communication over the phone may be recorded and logged in one system and sensitive client data in another, while emails and texts might be saved on their own server – or even locally on individual employees’ devices.
Collecting and storing all these data sources in one central compliance system is imperative in order to comply with regulations such as MiFID2 and GDPR.
Additionally, it gives the compliance team far greater control of the data and easier access to the complete audit trail – which enables them to work more efficiently.
Features of a good compliance system
In addition to providing complete audit trail tracking, a good compliance system should include functionalities that enable COs to document their proactive compliance efforts, log all quality assurance actions that have been taken, and provide simple generation and retrieval of reports upon request from the company’s board of directors or external regulatory agencies.
Other important features in a central compliance system include:
- Access control for enforcing strict regulations on who can access the data
- Automated risk detection and random picker for recorded client communication
- Functionalities for tagging audited data, whitelisting irrelevant communication and flagging potential compliance risks
- Feedback options for employees using the system
Finally, the system should allow COs to easily share client-specific recordings and data, should the client make a request.