8 Steps To Develop a Strong Compliance Strategy (And Why You Should)

Implementing a strong compliance strategy helps you navigate the complex regulatory landscape. It helps you understand the current and upcoming challenges and prepare for them in due time. 

With authorities around the world consistently revising and reinforcing laws to eliminate a range of illegal behaviours from the corporate world, including fraud, market manipulation and money laundering, staying on top of compliance has never been more important. 

Stuart Altman of law firm Hogan Lovells said during a roundtable discussion on compliance that: 

“The global reach of regulation has created new challenges. It is no longer enough to focus on a company’s headquarters and a few hotspots. Enforcement requires vigilance across the organisation. It also means that companies now face potentially conflicting regulatory schemes as they move from country to country and must be prepared to adjust their compliance programme to react to these differences.”

What is a regulatory compliance strategy?

Your regulatory compliance strategy is your blueprint for how you will operate within the jurisdictions in which your company resides. No longer is it enough to fire-fight after the event of a compliance lapse, trying to ascertain what went wrong. Compliance departments should instead be looking to mitigate potential risks, whilst working with the business to help maintain sustainable growth that does not put the organisation at odds with regulators and legislators. 

The elements that form your strategy for compliance will depend on the size of your organisation and the sector in which you operate as well as the countries in which you do business. For example, 

• All companies that do business in the European Union and the United Kingdom must adhere to theGeneral Data Protection Regulation (GDPR). The UK transposed the EU’s regulation into national law after Brexit, referring to it as UK GDPR. 
• Organisations with 50 or more employees are subject to the new EU Whistleblowing Directive which requires organisations to implement internal whistleblowing systems, protect whistleblowers from retaliation and keep accurate records of each report.
• Financial services and credit companies, estate agents, gambling organisations and other businesses that operate in the EU and deal in large financial transactions form the obliged entities that must comply with the union’s various anti-money laundering directives (AMLD).
   

Why have a compliance strategy?

The most basic reason for having a compliance strategy is that the various laws you have to abide by are in place for good reasons. Less fraud and money laundering, a more encouraging approach to whistleblowers, and more scrutiny in the financial markets all make the environment better for everyone involved. Legislation is there to solve problems and it is the right thing to do for companies to play their part, too. 

In addition, the punishments for failing to uphold these standards are also a major factor in promoting the use of a compliance strategy. For example, the penalties for breaching Article 14 of MAR can reach up to €5,000,000 for natural persons and €15,000,000 or 15% of the annual turnover for legal persons. 

To make this argument more tangible, here are two cases that illustrate the consequences of non-compliance:

• In 2019, Finland’s Financial Supervisory Authority (FIN-FSA) fined chrome mining company Afarak Group €1.45 million for violating the Market Abuse Regulation (MAR) in relation to failing to disclose inside information and surrounding the drawing up of an insider list. 
• Risk consultancy Kroll found that authorities around the globe had imposed financial penalties worth almost US$1 billion in relation to money laundering offences in the first six months of 2021. 
  
  

A solid compliance strategy not only reduces the cost of penalties and the need for internal audit investigations but also catalyses compliance growth, diminishing the likelihood and severity of compliance breaches.

8 steps to develop a strong compliance strategy

1. Define your goals

What is it that you want to achieve with your compliance management strategy? It could be that you want to cut the number of penalties the company pays out, to save time and expense on retrospective investigations following failings, or to work more closely with the business to enable compliance to improve rather than stall growth. It could be that you want to increase understanding within the business or to impart knowledge on a new piece of incoming legislation that will affect your organisation or anything else that is related to compliance. 

You should work out through a risk assessment which are the priority goals for the coming month, quarter, half-year and year, and set targets to achieve them by the next given deadline. These goals may be dictated by the time of year. For example, it would make sense to refresh staff on the rules around corporate gifts in the months before Christmas. 

2. Align with your corporate culture

Aligning compliance with corporate culture opens the door for easier acceptance of your new policies across the organisation. If you can make the case for compliance being advantageous at each level of the company’s structure, your employees will be able to understand its importance more clearly. 

You should be able to identify the risks that compliance can mitigate in each strategic area of the organisation to back up your policy. From the CEO and other company leaders to the temporary staff, everyone needs to know why they must commit to total transparency if your risk management efforts are to be effective. 

3. Establish a functional scope

The scope of the compliance and ethics officer is shifting from a more retrospective role to a forward-facing, preventative function in the organisation. Being able to foresee regulatory issues before they occur means increasing resources, so the scope of the strategy needs to reflect the implications of that. This might mean that you have to start at a certain level and increase the scope over time. 

Not all organisations will be able to deploy robot process automation and other artificial intelligence immediately in their compliance budgets. This needs to be considered when developing the strategy to help you reach your goals. 

4. Understand the regulatory environment

The regulatory environment is ever-changing and developing, so it is essential that your team is on top of these trends at all times. This does not just include the legislation within your current location, but also that of the regions in which you do business. The best strategy here is to monitor draft bills through to their implementation. 

From there, you must be able to break down the procedures and requirements so that you can provide your employees with the grounding they need to adhere to an effective compliance programme. 

5. Develop formal policies, procedures, and standards

Once you understand the current and prospective landscape, you can develop the formal policies, procedures and standards needed to comply with the law. Many of these procedures might closely follow the technical standards laid out in the legislation, but you might also want to consider adding your own internal checks to identify potential human or software errors before there are any consequences.

You could liaise with regulators to establish best practices in relation to regulations. Having input from these bodies helps to confirm that you have understood the legislation accurately and that your compliance strategy is going in the right direction. 

6. Train your employees

Thorough training on the procedures required and the reasons behind them is essential to make sure that the business not only remains compliant but also fosters ongoing compliance growth. Employees should know how to spot a compliance issue, how to report it and how to escalate it. Management should understand how to handle reports and what to do next, as well as how their dealings with business partners are affected.

In addition, employees at all levels should understand the correct procedures to avoid compliance issues. For example, how to manage personal data, how to deal with whistleblowers, how to onboard new customers using the correct know your customer (KYC) and customer due diligence (CDD) protocols. 

7. Ensure accurate record-keeping

Many areas of legislation require meticulous record-keeping, which is an important area of compliance. For example, in accordance with MAR, all suspicious reports, records of inside information, disclosure delays, and so on, must be retained for five years. This is why it is important to lay out clearly the compliance rules that employees must follow when dealing with related work. In addition, you can face substantial financial penalties for incorrect record-keeping. In the case of MAR, this could be adding all insiders to a permanent insider list, for example. 

In some areas of legislation, a set of regulations may affect the records you keep or do not keep. For example, the EU Whistleblowing Directive requires organisations to establish a whistleblowing process and receive reports from employees but, under GDPR, they are not allowed to retain personal information that is not relevant to a report. In addition, GDPR mandates that organisations must only hold on to a record of a report for as long as it is necessary for the investigation. 

8. Monitor compliance

In order to understand if your processes and compliance systems are working, you should monitor your performance. Check that you are meeting your goals using the insights and analytics available to you and that there is a return on investment for the strategy. For example, you can use a digital tool such as IntegrityLog to stay on top of your whistleblowing cases and make sure that you respond within the time frame defined by the EU Whistleblowing Directive. 

Checks on progress towards your goals on a quarterly or annual basis help support compliance efforts and show senior leadership the benefits of an effective programme. This enables decision-makers to justify the investment in corporate compliance. 

Compliance officers should survey their employees to gain an idea of their understanding of the various regulatory requirements and their level of satisfaction with the policies and procedures in place. Are there bottlenecks in reporting or, perhaps, other issues with the process? Consistently monitoring performance and asking the right compliance questions allows companies to tweak procedures and achieve continuous improvement. 

Managing non-compliance

Managing non-compliance begins with working out the circumstances behind the act. If it is related to confusing or poorly rendered compliance policies, this requires the team to look again at the rules they installed and attempt to understand how to add clarity and efficiency to the process. Similarly, if the breach is down to an employee simply not understanding the policy, this needs to be addressed in the compliance function training programme. 

However, if the non-compliance is not related to these factors, the Chief Compliance Officer should ensure that they communicate the consequences of non-compliance to the individual or team members that were involved as well as the business as a whole. They could also consider using enforcement activities or motivating factors to encourage compliance with rewards for passing certain milestones or completing various tasks. 

Using compliance software

There are a host of compliance software solutions available to help you automate and simplify your processes while remaining compliant with legislation and saving a considerable amount of time. This will improve compliance in your company in general. Here are some examples: 

References and further reading

• How InsiderLog works (video)
• IntegrityLog features
• How to improve your employee trading pre-clearance process
• How to encourage whistleblowing
• Article 18 of MAR and insider lists