
Fear: a key factor in compliance

Brian Rogers, Riliance, Director, London, 22 September 2017


Compliance officers and other people whose job it is to ensure that their regulated businesses are compliant are bombarded with operational compliance issues every day. In addition to this, they have to keep abreast of regulatory and compliance-related changes that will affect both them and their organisations.

The sheer volume of rules and regulations that compliance officers face poses a very real problem for them: which ones should they concentrate on first? It seems clear that one driving force behind the prioritisation of tasks is fear. This takes two main forms:

  • personal fear – of the failure to comply for the compliance officer; and
  • corporate fear – of the penalties and other effects on the business that non-compliance can have.

Personal fear – the responsibilities of being a compliance officer

HM Government has recently made major changes to managerial responsibility with the implementation of the Senior Managers and Certification Regime (SM&CR) that the Financial Conduct Authority introduced in its original form in 2015. The aim of these changes is to hold people in positions of responsibility to account when things go wrong, especially when they fail to have effective compliance systems in place.

The financial crash of 2008 saw many senior executives escape sanctions for wrongdoing, as the regime that was in place at that time tended to focus on the accountability of firms rather than individuals. The new regime clearly places responsibility on those senior executives who make strategic decisions on behalf of their organisations.

In a fascinating case study recently, the FCA turned down an application from a compliance officer who oversaw certain areas at the firm for which he was working. He had a significant background (more than 20 years in length) in compliance but the FCA thought that this was not good enough to fit him for the jobs for which he was applying.

It would be interesting to see what would happen if the Solicitors' Regulation Authority (SRA) decided to take the same approach when vetting compliance officers. I suspect that many of these people would not be regarded as appropriate or qualified for their jobs!

What specific personal fears do compliance officers face? In a heavily regulated sector such as financial services, there are various concerns that could keep a compliance officer awake at night, irrespective of the rank he might have reached in his career.

Does my company really value my contribution?

For internal compliance functions, life can sometimes feel like an uphill struggle. As a compliance officer, you might find that the company effectively regards you as a burden because you are not bringing in any money. On top of this, it can be difficult to quantify the money that you’re saving the company by ensuring that it remains compliant. Needless to say, this lack of acceptance can cause friction and worry.

Have I missed something important?

With more than 20,000 pieces of regulation and guidance from the FCA (some of which seems contradictory at times), not to mention other regulatory bodies, it is only natural for compliance officers to question whether or not they have cross-referenced everything and whether or not their interpretation of the rules is correct.

This may be especially worrying for small compliance teams, as there is little or no opportunity for them to discuss the issues they face. It is also a cause for concern for those new to compliance. The regulated sector is an intimidating area in which to work.

Is the firm likely to be fined?

The unease that firms feel about regulation is likely to increase because of the change in accountability engendered by the Senior Managers and Certification Regime. With government legislation and regulatory guidance changing so frequently, it can be easy to make errors. Ultimately, these could be punishable by fines, prison sentences and the removal of permission(s) – all of which make compliance officers sleep less easily than they otherwise might.

Will the firm take my recommendations on board?

As a compliance officer, you might find yourself constantly having to repeat the same messages. You might keep documents of all of your reports and findings and keep records of all your recommendations and justifications, but will these be enough to persuade your company to act upon them? If not, will they prove to the regulator that you have tried your utmost to communicate your recommendations? It can be very difficult to know how forceful you should be towards people in your own company without this damaging your working relationships. There is a fine line between involvement in a company and running an independent function – this is a luxury afforded to consultants but, for internal compliance teams, it can be much more difficult to maintain the balance.

Corporate fear – the need to assess the implications of major changes

With so many new regulations popping up so frequently, it’s unsurprising that companies also feel that they have a lot to fear. Just the task of coping with the huge number of necessary changes can appear formidable. For instance, during 2017 and 2018 alone, several major pieces of legislation are being introduced. These will have a significant effect on both the regulated and general business sectors over the coming months and years.

The first key pieces of legislation to be introduced recently (in June 2017) were the Money Laundering Regulations 2017 and the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (which between them enshrine the EU's fourth Money Laundering Directive or MLD IV in British law). They are being followed by the Criminal Finances Act. The next major piece of legislation will arrive in May 2018, when the General Data Protection Regulation (GDPR) comes into force. It is worth looking at each of these, and the ‘fear factor’ surrounding them, in a little detail.

The Money Laundering Regulations

This new legislation replaces the previous regulations and makes them more onerous. It makes some important new demands on every reporting firm. These include the need for it to assess the risks of being exposed to money laundering; the appointment of a new anti-money-laundering officer if the Money Laundering Reporting Officer (MLRO) is not a board-level officer; and the need to create an independent audit function that oversees its money laundering systems and procedures.

The Solicitors' Regulation Authority has already started a thematic review of the new anti-money-laundering regimes at law firms. This began before these entities had actually been issued with the promised guidance in the form of a practice note from its professional body, the Law Society. This practice note will be used by all 11 regulated sectors covered by the Money Laundering Regulations, so it is a key source of guidance for many regulated businesses.

The penalties for failing to comply with the regulations include fines and, in the case of an authorised person or a payment service provider, the ability of the Financial Conduct Authority (FCA) to cancel, suspend or restrict their authorisation or registration.

The Criminal Finances Act

Following on from the Money Laundering Regulations and the Transfer of Funds Regulations is the implementation of the Criminal Finances Act at the end of this month. This new act focuses on:

  • the criminal evasion of British tax;
  • the criminal facilitation of this offence by an associated person; and
  • a failure to prevent the associated person from committing that facilitation.

It is clear from the Act that businesses with clients who are dealing with large financial transactions will fall under the Government's spotlight. Aspects of transactions that might previously have been regarded as routine will now come under much more scrutiny. Most significantly, if a company fails to prevent tax evasion, it can be liable under the new Act.

The new Act covers both companies that are based in the UK and those that are based abroad but have operations in the UK. If your company fails to meet the requirements of the Act, this becomes a "strict liability" offence, i.e. one that takes no notice of whether the firm intended to commit the crime. This can be punishable by an unlimited fine; confiscation orders and/or serious crime prevention orders; loss of one's licence or other restrictions for those in the regulated sector; and exclusion from bidding for contracts. It is not something to be taken lightly.

The General Data Protection Regulation

The GDPR will come into force in May 2018. The aim of this new legislation is to provide more stringent controls over the collection, storage and processing of personal data. A key aspect is the introduction of some highly punitive measures for non-compliance. For instance, the GDPR will levy higher fines than ever before for any breaches. These will range from up to €10 million (circa £9 million) or 2% of the firm’s global turnover for minor breaches, right up to a maximum of €20 million (circa £18 million) or 4% of the company’s global income for major breaches - whichever is the higher!

Lack of compliance with the GDPR will therefore pose a highly significant risk for all businesses in the future. For example, under the current data protection laws the maximum fine for the recent Equifax ‘data breach’ would be £500,000, but under the new GDPR rules, the company could have had to pay a fine of €20 million – which is equivalent to some 16% of its turnover! Similarly, Talk Talk was fined £400,000 for a major data breach in 2016. If this had occurred under the GDPR, the fine could have been £59 million!

Fines are not the only thing for firms to fear or to take into account – there is also the reputational damage that can happen as a consequence of a data breach. For instance, following its transgression, Talk Talk experienced significant damage to its reputation, its market position and its share price.

Although the GDPR will not come fully into force until next year, businesses ought to be preparing for it now. Those that are not already doing so will expose themselves to regulatory action – where the main defence is that appropriate measures had already been put in place. They will also be unprepared to deal with customers who request access to their personal data. These requests are highly likely to start arriving once customers realise what power they have over those who hold and manage their personal data!

Under the terms of the GDPR, businesses will only have 30 days to deal with these "customer access requests" and will not be able to charge people for providing the information. Customers will have the right to ask for their data to be transferred to a potential competitor in an appropriate format. They will also have the right to have their data deleted by the business holding the data, and by any other entity that has been passed their data by the business.

There has recently been evidence that the Information Commissioner’s Office has been trying to dispel a number of myths that have arisen around the introduction of the GDPR. A great amount of fear has been generated around these. However, in view of the huge fines outlined above, it is hardly surprising that the "fear factor" has increased anyway in this area of compliance. After all, the new regulation affects all businesses, not just those that are regulated.

Some recent blogs have accused companies that offer businesses help and assistance in relation to the GDPR of being "ambulance chasers" or of scaremongering. However, there is a big difference between scaremongering and trying to encourage businesses to wake up in time and to see the juggernaut of regulation that is heading towards them and that will arrive in May 2018!

The fear factor

Fear of new regulations, then, can be seen in both personal and corporate forms. However, it doesn’t always have to be a totally negative factor – for example, if used carefully, corporate fear can be a useful tool that can be turned to the advantage of compliance officers. It can be used to persuade their organisations to act more quickly than they might otherwise do when new regulations appear.

Ultimately, the message to both compliance officers and the companies they serve is the same – allow the fear of the consequences to drive you on to greater compliance. As the old saying goes, it is better to be safe than sorry.

* Brian Rogers can be reached on 01829 731 204 or at brian@riliance.co.uk
