7. The Compliance Function as Embedder of the Law-on-the-books and as Enforcement-Frontliner

Ibid. At 4.

The Institute of Internal Auditors provides for a clear picture of the “Three Lines of Defense mode”: operational management; Compliance and Risk Management Functions; Internal Audit. The Institute of Internal Auditors, “Iia Position Paper: The Three Lines of Defense in Effective Risk Management and Control,” ed. The Institute of Internal Auditors (2013).

Defined by professor Miller as “close cousins”. Miller. At 1.

Dellarosa and Razzante. At 245. The Internal Audit “is responsible for checking on the entire organization, including senior managers, in order to ensure that policies and procedures are being observed and shortcomings in the organization’s internal controls are identified and promptly fixed”. Miller. At 4.

Basel Committee on Banking Supervision, “Compliance and the Compliance Function in Banks,” (2005).

“The Basel Committee’s framework is meta-regulatory in nature as it provides a high-level framework for the objectives and responsibility of the compliance function, and a skeletal profile of the procedural nature of tasks that the compliance function should undertake.” Chiu. At 44.

It is not an easy task to categorize “soft-law” measures because several “instruments may be included within this generic term for a number of reasons: (1) they have been articulated in non-binding form according to traditional modes of law-making; (2) they contain vague and imprecise terms; (3) they emanate from bodies lacking international law-making authority; (4) they are directed at non-state actors whose practice cannot constitute customary international law; (5) they lack any corresponding theory of responsibility; (6) they are based solely upon voluntary adherence, or rely upon non-judicial means of enforcement.” Christine Chinkin, “Normative Development in the International Legal System,” in Commitment and Compliance: The Role of Non-Binding Norms in the International Legal System, ed. Dinah Shelton (New York: Oxford University Press, 2000). At 30.

As Professor Chiu states: “The Basel Committee’s recommendations in 2005 provided considerable detail as to how the compliance would carry out its responsibilities.” Chiu. At 43.

Basel Committee on Banking Supervision. At 7.

Miller. At 2.

On internal controls other than Compliance (Risk Management, Internal Audit), see: Chiu.

Basel Committee on Banking Supervision.

Ibid.

IOSCO. At 7.

Ibid. At 10.

Ibid. At 12.

Ibid. At 14.

Ibid. At 15.

Ibid. At 17.

Ibid. At 19.

Ibid. At 21.

Even if with reference to the US context, Professor Miller points out that: “distribution of responsibility is often unclear and varies from organization to organization.” Miller. At 5.

Kimberly Krawiec, “Cosmetic Compliance and the Failure of Negotiated Governance,” Washington University Law Quarterly 81, no. 2 (2003). At 542. On codes of ethics and mere window-dressing: Christopher Hodges, Law and Corporate Behaviour: Integrating Theories of Regulation, Enforcement, Compliance and Ethics (Oxford: Hart Publishing, 2015). At 689.

On the same wavelength, Professors Parker and Nielsen state that the “implementation of formal systems alone is not enough if those systems do not promote and connect to a “culture” of compliance within each organization”. Christine Parker and Vibeke Lehmann Nielsen, “Corporate Compliance Systems: Could They Make Any Difference?,” Administration & Society 41, no. 1 (2009). At 27. Similarly, Professor Lenglet states that “Not only because there is usually a point where the compliance officer looks at his own interests as an individual, and cannot go too far in an apparent fulfilment of compliance while bending the spirit of the rules (this would be the point where merely conformist compliance clashes with personal ethics), but also because compliance officers are regulatory pathfinders.” Marc Lenglet, “Ambivalence and Ambiguity: The Interpretive Role of Compliance Officers,” in Finance: The Discreet Regulator, ed. Isabelle Huault and Chrystelle Richard (London: Palgrave Macmillan, 2012). At 72.

Ibid. At 43.

Ibid. At 43.

Ibid. At 43.

Ibid. At 43.

European Securities and Markets Authority—ESMA, “Final Report—Guidelines on Certain Aspects of the Mifid Compliance Function Requirements—Esma/2012/388,” (2012).

Ibid. At 23.

Professor Miller speaks of a “form of internalized law enforcement”. Miller. At 1.

ESMA. At 23.

Ibid. At 7. Professor Chiu rightly points out that “A risk-based approach may then excuse a firm for ignoring risks of an improbable nature which could become a ‘black swan’.” Chiu. At 58.

ESMA. At 6.

Hodges. At 706. Professor Hodges also states that: “Given the existence of multiple sub-units within businesses, each with individual functions, groups of individuals, and sub-cultures, an idea that the behaviour of every internal group can be absolutely controlled so as to conform to every required norm, whether the source of control emanates from an internal or even less—external position, appears highly unlikely.” At 507–508.

In more details, according to ESMA, a Compliance Function’s main responsibilities are to determine which risks must be monitored and/or for which an advice activity is necessary; the adoption of a monitoring program—coherent with the priorities identified by the risk-based approach—covering all areas of the firm’s investment activities and services; issuance of reports to senior management describing the implementation and effectiveness of the executed controls, a summary of the identified risks alongside the remedies undertaken; and the advisory obligations, such as providing support for staff training. ESMA.

Professor Hodges speaks about core values “which are shared by all members of the workforce […and] form an ideology that is enduring and able to be applied consistently in different trading and geographical circumstances, whilst operational goals are constantly examined and develop”. Hodges. At 508.

In more detail, according to ESMA, a Compliance Function’s main organizational requirements are: being endowed with the appropriate allocation of resources (depending on the size and complexity of the business); the permanence of the Function (tasks and responsibilities must be performed on a permanent basis); independence (a firm must ensure compliance staff are in a position to act independently when performing their tasks); possibility of outsourcing (but a firm’s senior management must ensure that all the requirements are fulfilled and is held responsible for this). ESMA.

In the words of Professors Parker and Nielsen: “[C]ompliance culture can also refer to values, beliefs, and attitudes within an organization that support compliance with the law. This is much more subjective and difficult to measure. We hypothesized that these values would also affect the way compliance is managed in practice and actual compliance behavior.” Parker and Nielsen. At 27–28.

Professor Hodges rightly points out: “Compliance with the norms of a social system is produced by ethical values and systems. It is not produced directly by rules (laws) and their enforcement. Systems can be risk-based, but behaviour is value-based.” This is why the ethical role played why the Compliance Function is important. Hodges. At 699.

In the words of Professor Miller: “Whistleblowers are key to compliance because they come forward with private information about violations.” Miller. At 15.

ESMA. At 34.

Ibid. At 34.

On the pros of the separation between Compliance and Legal: Miller. At 9.

European Securities and Markets Authority—ESMA, “Guidelines Compliance Table—Esma/2013/923,” (2014).

Professor Hodges states—and the practical experience of the author strongly confirms so—that: “Most businesses expected regulators to provide some help and guidance rather than simply enforcing rules and regulations only.” Hodges. At 516.

“If ‘informal’ means of enforcement suggests going beyond reliance on formal infringement combined with sanctioning, our research shows that all authorities—even the self-consciously more legalistic ones—engage in informal enforcement practices.” Yane Svetiev and Annetje Ottow, “Financial Supervision in the Interstices between Private and Public Law,” European Review of Contract Law 10, no. 4 (2014). At 542.

On the basis of the discussions held and the opinions exchanged by the author with his peers.

In their seminal article Professors Svetiev and Ottow use the expression of “cooperative implementation” which very well fits the reality of the financial industry. Svetiev and Ottow. At 503.

Compliance staff should understand that “The job of policymakers is to devise a system which minimizes total costs of norm enforcement and norm violations. This task cannot be performed scientifically. Lawmakers are not structural engineers. When it comes to designing a compliance system much is done by intuition and guesswork”. Miller. At 2.

As implicitly admitted by ESMA itself at the end of 2016: “The number of legislative mandates in the coming years might be lower than the ones that ESMA had to face in the past with the major reforms to the key financial regulations (MIFID, MAR, etc.). However, ESMA expects to continue to develop the single rulebook activity.” European Securities and Markets Authority—ESMA, “2017 Work Programme—Esma/2016/1419,” (2016). At 17.

On overcoming the box-ticking approach, Professor Hodges states that: “In many businesses, compliance management has been elevated from ‘box ticking’ so as to provide a paper trail as a defence mechanism against external interference to a very senior function, capable of shutting down non-compliant operations on their own authority.” Hodges. At 512.

According to MiFID II Article 4.1(36): “‘[M]anagement body’ means the body or bodies of an investment firm […] which are appointed in accordance with national law, which are empowered to set the entity’s strategy, objectives and overall direction, and which oversee and monitor management decision-making and include persons who effectively direct the business of the entity.” According to MiFID II Article 4.1(37): “‘[S]enior management’ means natural persons who exercise executive functions within an investment firm […] and who are responsible, and accountable to the management body, for the day-to-day management of the entity, including for the implementation of the policies concerning the distribution of services and products to clients by the firm and its personnel.”

Professor Chiu reports that “Some commentators are of the view that the independence of the compliance function may be compromised by accountability to senior management, and advocate that the Chief Compliance Officer should report directly to the Board”. See: Chiu. At 52–53. Professors Hoffman, Neill, and Stovall clearly opt for compliance officers to “(1) be hired by, (2) be fired by, and (3) report directly to the corporate board of directors rather than company management.” W. Michael Hoffman, John D. Neill, and O. Scott Stovall, “An Investigation of Ethics Officer Independence,” Journal of Business Ethics 78, no. 1–2 (2008). At 87. MiFID II seems to be following this path, already paved by the SEC for mutual funds: “In the case of an investment company, the chief compliance officer will report directly to the fund board.” Securities and Exchange Commission—SEC, “Release Nos. Ia-2204—Final Rule: Compliance Programs of Investment Companies and Investment Advisers,” (2004).

“[A] few respondents […] proposed that only a supervisory board (not senior management) should be able to appoint and replace the compliance officer. ESMA cannot accommodate this suggestion because of the different corporate legal structures in Member States” ESMA. At 13.

In this direction, also the Group of Thirty in their 2012 “Toward Effective Governance of Financial Institutions” Report: “It is for the board of directors to articulate and senior executives to promote a culture that embeds these values from the top to the bottom of the entity. Culture is values brought to life.” G30, “Toward Effective Governance of Financial Institutions,” (2012). At 25.

Article 22.2 of Commission Delegated Regulation 2017/565: “[T]he compliance function shall conduct an assessment on the basis of which it shall establish a risk-based monitoring programme that takes into consideration all areas of the investment firm’s investment services, activities and any relevant ancillary services, including relevant information gathered in relation to the monitoring of complaints handling. The monitoring programme shall establish priorities determined by the compliance risk assessment ensuring that compliance risk is comprehensively monitored.”

In this regard, MiFID-provided intra-firm complaints-handling procedures seem to share a similar connotation with self-enforcement in transnational private regulation where this is used to provide “input for the private regime about the way in which the standards function in practice. Accordingly, enforcement activities are employed as an instrument to test and verify the viability of standards and update the standards when necessary”. Paul Verbruggen, Enforcing Transnational Private Regulation: A Comparative Analysis of Advertising and Food Safety (Cheltenham: Edward Elgar, 2014). At 299. However, in the transnational private regulation realm, complaints-handling is very often run by extra-firm certification bodies and trade associations. See: ibid. At 8, 39, 188, 192.

English and Hammond rightly point out that: “Compliance should be able to oversee cultural change and assist with its implementation. Leadership for cultural change must, however, remain firmly with the firm’s board and senior management, without which cultural change is unlikely to happen.” Stacey English and Susannah Hammond, “Cost of Compliance,” (Thomson Reuters, 2016). At 12.

On the transnationalization of European Regulatory Private Law, see: Antonio Marcacci, “European Regulatory Private Law Going Global? The Case of Product Governance,” European Business Organization Law Review 18, no. 2 (2017).

The “litigation risk” can be defined as “the risk of a contracting party that it will be required to enforce its rights by litigation, or defend proceedings brought by a counterparty”. Richard Fentiman, International Commercial Litigation (Oxford: Oxford University Press, 2010). At 51. Viewed from the prospective of an investment firm, the litigation risk is the likelihood to be brought before a court by one or more of its counterparties/clients. As very well defined by the “Risk Management Disclosures 2015” by Deloitte Investment Services Limited: “Litigation risk is the risk of financial loss, interruption of the Company’s operations or any other undesirable situation that arises from the possibility of non-execution or violation of legal contracts and consequentially of lawsuits. The risk is restricted through the contracts used by the Company to execute its operations.” Deloitte Investment Services Limited—Wealth Advisory Services.

Paul Verbruggen has carried out an excellent analysis on the phenomenon of compliance with private (i.e., predominantly established by private, non-state actors) transnational regulations on fields other than investment services (advertising and food safety), the institutional design of privately run tools to enforce such regulations, and the relationship these tools have with public enforcement mechanisms. Paul Verbruggen highlights how the interplay between public and private enforcement mechanisms pushes firms toward compliance of such standards, for instance, through formal delegation of public regulatory powers or by means of contractual clauses that oblige firms to comply with industry practices codes and SROs’ decisions. See: Verbruggen. At 149–150). The kind of compliance this book deals with is, instead, an internal Function that investment firms are legally required (by MiFID) to establish in order to observe public-law rules on investment services (provided by MiFID itself). This does not mean that if an industry-created rule is officially endorsed by the ESMA or incorporated in ESMA’s regulatory standards, then the internal Compliance Functions of European MiFID firms are free to ignore it due to the fact that it was not originally enacted by a public body, but quite the contrary (see also Verbruggen on increasingly difficult to distinguish between public and private regulation, at 296). However, given the extremely high level of public regulation of the investment services market in the post-crisis Europe, the overlap between public and private regulation is substantially reduced in favor of the former, so that the Compliance Function’s focus for investment services is—de facto—almost entirely on public regulation. The landscape in the United States is, instead, different given the role played by SROs in developing the suitability rule and arbitration schemes for broker-dealers (on the differences between the EU and the United States in this regard, see Chaps. 5 and 6). Having said that, further research on the intersections between the post-crisis EU Law of Financial Services and Markets and the transnational public and private regulation covering the same field is worth executing, with particular attention being paid to the normative production of the International Organization of Securities Commission—IOSCO.

In the words of Mills and Haines: “As the financial industry grows in complexity, there is a corresponding broadening in the scope of the Compliance function, which also makes it a more interesting area in which to work.” Annie Mills and Peter Haines, Essential Strategies for Financial Services Compliance, 2nd Edition (Chichester: Wiley, 2015). At 43. Also Miller: “The importance of compliance and the extent of liability for its failure have greatly increased over the past decades.” Miller. At 2. On the development of compliance professional in general: “The increased importance of compliance programs has led to the development of compliance professionals. This development is supported by several nonprofit organizations and networks devoted to compliance professionals. […] Some universities are also starting to offer certificate programs in compliance.” Cristie Ford and David Hess, “Can Corporate Monitorships Improve Corporate Compliance?,” Journal of Corporation Law 34, no. 3 (2009). At 692.

Chiu. At 47. Mentioning: Andrew Newton, The Handbook of Compliance: Making Ethics Work in Financial Services (Mind into Matter, 2002). At European level, it is worth mentioning the TECC—The European Compliance Conference as the “Europe’s leading, international conference for Compliance Professionals” TECC, “The European Compliance Conference—Tecc,” http://​www.​shcog.​co.​uk/​tecc-intro/​. The author joined the 2016 edition of the TECC as speaker and Conference Planning Committee Member.

In the words of Professor Chiu: “Empirical research carried out in European banks shows that compliance personnel generally have a diverse range of business knowledge and skills.” Chiu. At 50. However, English and Hammond state that: “There is a lack of good compliance skills in the marketplace, which has driven up the costs of senior compliance professionals in particular and may in turn make it harder for firms (and indeed regulators) to keep hiring ever more compliance staff.” Stacey English and Susannah Hammond, “Cost of Compliance 2016,” (Thomson Reuters, 2016). At 6.

Even if lawsuits are often handled by external law firms, the Legal department usually exercises a supervisory task.

It could be added that a more demanding and complex regulatory framework requires a robust and full-fledged Compliance Function, whose costs can be more easily borne by bigger firms. A very interesting article published on the SEC website and dealing with regulatory compliance costs and related economies of scale benefitting larger firms is the following: C. Steven Bradford, “Does Size Matter? An Economic Analysis of Small Business Exemptions from Regulation,” The Journal of Small & Emerging Business Law 8, no. 1 (2004).

“Most, not all, continental private legal orders enshrine the idea of social justice, understood as distributive justice, which has to be preserved in private law matters, both in contract and in tort law” Hans-Wolfgang Micklitz, “The Visible Hand of European Regulatory Private Law—the Transformation of European Private Law from Autonomy to Functionalism in Competition and Regulation,” Yearbook of European Law 28, no. 1 (2009). At 9. In addition: “Social Justice and Access Justice in Private Law,” in EUI Working Paper Law 2011/2, ed. European University Institute (Florence 2011).

“Social Justice and Access Justice in Private Law.”

Hans-Wolfgang Micklitz and Andrea Wechsler, eds., The Transformation of Enforcement: European Economic Law in Global Perspective (Oxford: Hart Publishing Limited, 2015). Marta Cantero-Gamito, “Dispute Resolution in Telecommunications: A Commitment to out-of-Court,” European Review of Private Law 25, no. 2 (2012). At 420.

In the words of Professor Micklitz: “In the old world of contract and tort, two parties litigated against each other and it was for the courts to decide this interpersonal conflict, that is, if the parties decided to involve courts rather than find a solution outside the court system by way of arbitration. The Europeanization of private law has considerably altered the landscape of law enforcement.” Micklitz, “The Transformation of Enforcement in European Private Law: Preliminary Considerations.” At 497.

However, it is still the firm—either individually or though industry organizations—to formally interact with other enforcement actors.

Term also used by Lenglet.

Professor Hodges on multiple modes of corporate organizations, also mentioning Teubner. Hodges. At 503–506.

As rightly pointed out by Professor Miller. Miller.

“The risk-based approach is one that emphasises cost-effectiveness, so that resources can be deployed in areas susceptible to the highest risk and therefore used efficiently.” Chiu. At 58.

“A decentralised structure also provides an opportunity for compliance officers to spread the compliance culture to front line units, embedding the compliance objective within business culture more effectively.” Ibid. At 56.

Ibid. At 63.

Professor Hodges pushes the edge even further: “Both structures and language have historically divided regulation and enforcement (by officials) from compliance (by firms internally). They are the same thing, and should be joined up both functionally, operationally and linguistically. […] It is time that the internal and external functions were regarded as holistic and joined up. They need to operate in partnership. […] Regulatory systems should not be thought of as opposing public officials and firms. Both of those groups—but also many other stakeholders—are all integral parts of learning and hence compliance and successful systems.” Hodges. At 700–701.

For example, the important Association for Financial Markets in Europe (AFME). (https://​www.​afme.​eu/​).

On financial education initiatives: European Commission, “Review of the Initiatives of the European Commission in the Area of Financial Education,” (2011). Examples of these initiatives organized by public authorities can be found in the program launched in 2007 by the Italian Ministry of Education, University and Research (MIUR) and the Bank of Italy called “Financial Education for Schoolchildren”. Organisation for Economic Co-operation and Development—OECD, “Italy: Financial Education for Schoolchildren,” http://​www.​financial-education.​org/​Italy_​Financial_​Education_​for_​Schoolchildren.​html.

Chiu.

Micklitz, “The Transformation of Enforcement in European Private Law: Preliminary Considerations.”

On the difference between public and private enforcement remedies: Olha O. Cherednychenko, “Public Supervision over Private Relationships: Towards European Supervision Private Law?,” ibid. 22, no. 1 (2014).

On the role of the Compliance Function, Professor Lenglet rightly raises the point of its ambivalent role. On the one hand, the law mandates the Function’s establishment to ensure compliance with the Law; but, on the other hand, it is located within a firm and, thus, it cannot underestimate the firm’s interests. In the words of Professor Lenglet: “Compliance officers therefore occupy an ambivalent position in the organization: they are hired by the company, and therefore attached to it ‘from the inside’, but also perform control and reporting duties required by external regulators.” Lenglet. At 63.

Krawiec. At 542.