A panelists of fund compliance officers was moderator by a lawyer.
The regulatory landscape is changing rapidly, so the compliance function needs to be able to change rapidly.
Compliance should have a seat at the table and be embedded in key functions with conflicts and regulatory concerns. Bolted on compliance will be less effective. It’s better to get compliance in the decision-making process to avoid later problems.
The difficult part is balancing the strategic approach to compliance with the day-to-day requirements. It can be a struggle to stay on top of the issues.
Running the machine.
Advisory judgments to the business units
Strategic initiatives
There are particular challenges that come from being an SEC regulator coming into a business, with the change in decision-making.
CCO liability is not in the forefront of concerns. You are operating way outside the norm if you are worried about this. It’s about being reasonable and thoughtful about the issues and the business.
Strategic initiatives includes a focus on staffing the compliance department and the technology you use to handle the compliance load. And also how much you outsource compliance functions to third parties. You need to prove to management that you need more resources and how the resources need to be deployed. You need to build a use case.
Think of compliance as a business unit, not merely a cost center.
How do you stay on top of substantive issues, especially where you may not have the expertise? Aspects of cybersecurity and GDPR are beyond the skill set on many compliance officers. Peer groups are incredibly useful. (One reason to attend this conference.) Identify internal expertise. That means a strong relationship with IT to understand the IT issues around cyber, data security and privacy issues. It’s also important to understand when compliance should be at the front of issues and when compliance should be supporting another business function.
Law firm newsletters are a good source of upcoming issues. There is lots of channel of inbound information. But it’s often better to hear from peers about issues. It’s better stay focused on internal changes in the firm business.
When to outsource? Repeatable tasks are ripe for being outsourced. Substantive items are harder to outsource. If there is a business judgement to be made, it should be made by internal people, not outsourced. Look for manual processes that could be automated. The more the complexity, the better to keep it internal. Look at your staff’s expertise. You should look to outsource if you lack the expertise. Privacy and sensitivity of the underlying task is another factor. It’s hard to outsource trading review if your people are sensitive to that information being more widely reviewed.
Multi-point reporting is common. The CCO often works under the GC, but has escalation channels and multiple points of contacts with other business units and firm leadership. A compliance oversight committee is common. It obviously provides oversight to compliance and also a reverse feature of making the business units aware of compliance issues.
(This session was subject to the Chatham House Rule so I have not identified the participants and have not attributed any of the statements to anyone.)