What is the Compliance function?

The definition of Compliance function is closely related to the concept of Compliance risk. While the phrase «the right thing to do» aptly encapsulates the remit of this function, it is also true that the actual tasks attached to it are subject to a number of different interpretations. Whereas in the English-speaking world the key focus is on ethical standards, in continental Europe there is greater emphasis on procedures to verify purely regulatory aspects.

An examination of the EU regulations that delineate the compliance function reveals three key tasks: advising the board on compliance with any external and internal regulations that have a bearing on the company, assessing the impact of any changes to the legal framework in which the company operates and lastly, identifying and assessing the company’s Compliance risks.

How would you define Compliance risk?

The concept of Compliance risk has recently become an essential element of corporate governance

According to its standard definition, Compliance risk is the risk of incurring regulatory or legal penalties, material financial loss or damage to corporate reputation resulting from failure to comply with the law, rules, regulations and internal or external standards, as well as any administrative requirements applicable to a company’s operations.

Why has it been introduced now into the insurance industry?

The concept of Compliance risk has recently become an essential element of corporate governance. Companies in several industries including finance have already implemented, or are in the process of implementing, regulatory Compliance programmes to manage Compliance risk, which is the latest addition to their overall map of corporate risks.

Today it is simply impossible not to view regulation as a risk environment. As legislation and organisations become increasingly complex, companies need to monitor and manage compliance with internal and external regulations proactively so as to avoid financial penalties and, most importantly, protect their reputation.

Whereas other segments of the financial industry have long been regulated, regulation in the European insurance sector has been left to the discretion of the individual states. The absence of any analyses by EU directives has created a situation in which some countries are heavily regulated, while Spain has no legislation in this area.

Currently, the legislation implementing Solvency II specifically requires the establishment of a Compliance function within insurance companies. The new legislation will lead to the creation of what it refers to as key or core functions of insurance company governance, namely risk management, actuarial, internal audit, and compliance.

What aims does it seek to achieve?

The quick answer to that should be: to minimise Compliance risk. Mathematically -and rather simplistically- the point is to minimise the function that models Compliance risk. The problem, as with all attempts to apply mathematical analysis to social science, lies in finding models that aptly represent the variables under examination. So, in order to minimise Compliance risk, the Compliance function should be given the task of making compliance an objective across the whole organisation, and promoting awareness about the need to comply with internal and external regulations.

What should be the Compliance function’s core principles?

In my opinion, the Compliance function’s activities should be guided by the following principles:

1. Operational independence from the company’s businesses. The Compliance function must be established within the organisation in a way that ensures it is free of any influence that may compromise its independence. It must operate under the ultimate responsibility of, and report to, the Board of Directors or its representative committee.
2. Status and authority. People performing the Compliance function must be able to communicate with anyone within the organisation and have access to any information they deem relevant for the performance of their duties.
3. Top management involvement. Advances in compliance culture can only be achieved through active, committed involvement of the organisation’s top management.
4. Structure and means. It is the responsibility of the individual undertakings to decide how the Compliance function is organised in practice. Thus, it may be performed in-house or outsourced to affiliate or non-affiliate providers. The function should be organised on the basis of the nature, scale and complexity of the undertaking’s operations, and in smaller or less complex companies one single person or organisational unit may be responsible for more than one key function, with the exception of the internal audit function. In contrast to this organisational freedom, Solvency II requires all persons who perform the Compliance function to be fit and proper, i.e. to meet certain qualifications and experience requirements and to be of good repute and integrity. Additionally, all appointments of Compliance function holders must be reported to the supervisor for verification of the fit and proper requirements.
5. Communication and training. Communication and internal training will enable organisations to become aware of the potential risks they face and to attain the internal concordance necessary to make compliance an objective across the whole organisation.

What specific tasks is the Compliance function responsible for?

The legislation implementing Solvency II specifically requires the establishment of a Compliance function within insurance companies

Further to what I mentioned earlier in connection with the Compliance function’s responsibilities under the regulation, it may be worth focusing at this point on the strongly preventative nature of the function’s remit. Whereas other departments within the organisation act reactively when faced with a breach of regulations, the Compliance function will carry out ex-ante actions aimed at preventing risk from actually materialising. These involve both proactive analysis and assessment of the effects that any changes to the legislation might have on the company’s operations, as well as handling the management of Compliance risk.

What might be the Compliance function’s objective scope?

As I mentioned before, from a regulatory standpoint the Compliance function’s remit extends to both external regulations and to the company’s internal policies. Having said this, there is not even remotely an international consensus on the limits of that regulatory scope.

The Compliance function should be given the task of making compliance an objective across the whole organisation, and promoting awareness about the need to comply with internal and external regulations

Certain areas are deemed included by most, such as insurance, anti-corruption policies, money laundering and terrorist funding, freedom of information, FATCA (Foreign Account Tax Compliance Act) regulations and corporate criminal liability. Other areas tend to be left out of the Compliance function’s scope, such as human resources, tax and accounting and claim management.

So far, both the European and the Spanish supervisor have remained silent on the responsibilities included in the Compliance function’s objective scope (in contrast to the Belgian prudential and market behaviours supervisor), so until their voice is heard it will be down to the individual companies to structure and select the Compliance function’s responsibilities in the way that best suits their organisational arrangements.

How does the Compliance function fit into an insurance company’s organisational structure? Who does it report to?

As I mentioned earlier, there are so far no regulatory provisions on the Compliance function’s objective scope. But the regulations do lay down guidelines on how the function should be integrated within organisations. The European insurance supervisor has expressed the view that it should be down to insurance companies to decide how the function is to be organised. The supervisor does not make any provision on departmental structure or on how compliance-related responsibilities are to be assigned. Organisations are free to use their own existing structure to ensure compliance. Therefore, it is not necessary to create a specific division or department. The function’s tasks can be performed by different parts of the organisation. Nonetheless, it seems appropriate to have a unit in charge of coordinating all compliance-related activities.

I should also like to point out, however, two key aspects that strongly affect the compliance function’s integration within the organisation: firstly, the need to assure its independence, and secondly, direct reporting to the board of directors or its representative committee.

How is Compliance risk managed?

Managing Compliance risk involves going through all the stages of any risk management process, i.e. identifying the risks, determining inherent risk through impact assessment and probability of occurrence, evaluating the organisation’s vulnerability in its business processes, implementing mitigation techniques in business processes through internal policies and controls, evaluating residual risk and, lastly, monitoring and reporting to the board.

Whereas other departments within the organisation act reactively when faced with a breach of regulations, the Compliance function will carry out ex-ante actions aimed at preventing risk from actually materialising

What activities need to be carried out to implement the Compliance function?

The first step necessarily consists in evaluating the measures and procedures already in place. There is no such thing as a start from scratch. You have to take advantage of what is already in use. Rather than bringing in new procedures, it is often a case of coordinating activities that are already performed by different departments within the organisation.

Additionally, I spoke earlier about the involvement of top management as one of the core principles of the Compliance function. That involvement, plus the aid of a written policy approved by the Board of Directors setting out the Compliance function’s responsibilities, competences and reporting duties, are in my opinion a good starting point.

What are the benefits of implementing a Compliance function?

Obviously, the foremost benefit of having a Compliance function is the ability to prevent regulatory non-compliance issues and their effects, both financial and non-financial. But we should not overlook its preventative capabilities, which may help to prevent the damage caused to company reputation by non-regulatory breaches. These do not strictly contravene legal regulations but internal rules or codes of good practice that the company has agreed to abide by.

Additionally, implementing the Compliance function should help to internalise other benefits. On the one hand, it could be deployed as an exonerating argument to fend off any claims of criminal liability brought against the insurance company. On the other hand, it would provide an individual defence mechanism against potential liability claims aimed at Board Members. And perhaps most importantly, it constitutes public proof of the organisation’s commitment to integrity, thus helping to build trust in the company and enhancing its reputation.

go top