No Business Is Without Risk and Many Regulators Adopt a Risk-Based Approach to Supervision

For Question 1:

Supervision

No business is without risk and many regulators adopt a risk-based approach to supervision, whereby authorised firms that pose the greatest risk will be monitored more closely than other firms.

The principles of supervision can be grouped under four headings:

• diagnostic – to identify and measure risk

•  monitoring – to track the development of identified risks

•  preventative – to limit or reduce identified risks

•  remedial – to respond to risks that have materialised.


This process of supervision will help the regulator assess the level of attention to be paid to a firm as part of the supervisory effort and this can be subdivided as follows:

◦ define objectives

◦ obtain information from regulated businesses

◦ assess the risk posed by regulated businesses

◦ take action in response to the risk assessment (or specific issues raised) with a view to reducing risk.

Once a regulator has the information it needs to risk-assess a business, it can then determine what information the business should provide in order that it can be adequately supervised. It is important to note that risks faced and posed by a business are not fixed, but constantly change.

Compliance professionals must be knowledgeable about the types of supervision that apply, and the issues on which a regulator is likely to focus attention. Often areas of focus are set out in business plans published by a regulator, or can be identified from regular monitoring of the press. During the periodic meetings that could form part of a firm’s supervision programme, it is also acceptable to ask the supervisor for an update from the regulator and the areas on which it is likely to focus in the coming period.

Examples of the types of information a regulator may need are:

• risk management strategies and practices

• accounting policies

• basic business, management and corporate governance information

• ownership, management and staff structures

• financial resources

• financial performance

• financial position (including capital, solvency and liquidity)

• risk exposures (credit risk, market risk, liquidity risk, operational risk and/or legal risk, etc.)

• stock exchange filings

• transaction reports, on a transaction-by-transaction basis, giving details such as price, counterparty and instrument, thereby allowing regulators to review for issues relating to market conduct

• previous regulatory enforcement

• results of previous regulatory compliance visits

• changes in structure

• changes in senior management

• any litigation in progress

• internal/external/compliance and audit reviews

• general surveys

• previous regulatory breaches

• complaints data.

Prudential regulation requires an element of continuous desk-based supervision through the imposition of reporting requirements on capital adequacy and material internal events. This monitoring has seen an increase in emphasis in many jurisdictions in the wake of the global financial crisis. In addition, internal control systems and corporate governance are supervised through a mixture of desk-based supervision, on-site inspections and ad hoc meetings.

Most regulators assess and monitor compliance with conduct of business principles during on-site inspections and at regular and ad hoc meetings.

In certain jurisdictions, where there is very little, if any, supervision of regulated businesses, compliance with both prudential and conduct of business rules is supervised through the imposition of disclosure rules. Alternatively, regulators can use the services of a firm’s auditors to ensure that the firm is complying with key areas of the rules.

 

Compliance visits

Regulators usually undertake compliance visits as part of the supervisory process. A regulator may undertake a regulatory visit for a number of reasons, including the following.

• A specific suspected problem with a particular firm can trigger a visit.

• Complaints – a consumer complaint (or more likely, a trend in complaints) can cause a regulator to change its risk assessment of a firm and/or to pay a visit.

• Routine – passage of time, for example, there may be annual or more frequent visits, depending upon activity and risk weightings.

• Dual agency/country – a host state regulator or other agency may require a regulator to undertake regular reviews as a requirement for the firm to continue to do business in its market. Consolidated visits consider all authorised activities from a ‘bottom up’ as well as a ‘top down’ perspective.

Hot topics or themes

Regulators increasingly look at themes or ‘hot topics’ across a cross-section of firms so as to establish and implement best practice. In the current global regulatory environment these themes might include:

• prudential arrangements (financial resources)

• corporate governance structures

• outsourcing arrangements

• senior management

• market abuse

• risk strategies

• AML procedures

• compliance structures/arrangements

• conduct of business standards evidence

• conflicts of interest.

Compliance professionals need to be aware of the types of visit they may experience.

Enforcement

Enforcement is a necessary outcome of the process of authorisation and supervision, in the sense that the regulator must be seen to enforce compliance. Regulators have the power to conduct an investigation into either general concerns or specific areas of concern, or to support a regulator in another jurisdiction. A regulator may also use its power to investigate a firm where an immediate risk is identified or where a regulator believes that a firm will not take the appropriate action.

Principle 11 of the Basel Committee Core Principles for Banking Supervision [59] states:

The supervisor acts at an early stage to address unsafe and unsound practices or activities that could pose risks to banks or to the banking system. The supervisor has at its disposal an adequate range of supervisory tools to bring about timely corrective actions. This includes the ability to revoke the banking licence or to recommend its revocation.

In the FATF Recommendations on counter measures against money laundering, Recommendations 26–32 outline the powers and resources required by regulators. In particular, Recommendation 29 states:

Supervisors should have adequate powers to monitor and ensure compliance. They should be authorised to compel production of any information relevant to monitoring such compliance, and to impose adequate administrative sanctions for failure to comply with such requests.

59. http://www.bis.org/publ/bcbs230.pdf

A broad range of enforcement actions exists, not all of which necessarily result in the imposition of regulatory penalties upon a business. It is, for example, not uncommon for a regulator to commence enforcement action by conducting an investigation, which may lead to the conclusion that no action needs to be taken against a business and/or its employees. Thus enforcement is as much about investigating, gathering and sharing information as it is about imposing penalties.

Where a regulatory compliance issue is discovered, enforcement can entail:

• inspection

• investigation

• monitoring

• intervention in the business of the regulated firm concerned, including injunctions where appropriate

• the imposition of corrective or remedial action, including restitution where appropriate

• on occasion, the imposition of penalties or referral of the issue to the criminal prosecutors.

Regulators must be able to take appropriate action in response to problems they discover within a regulated business. Minor problems should clearly be dealt with in a different way to more serious ones. Where changes need to be implemented within a business, the firm must follow a strict timetable agreed with the regulator. Thereafter, the regulator should have the power to monitor the progress of implementation of improvements and to take appropriate action if they are not satisfactorily completed.

Regulators therefore normally have the powers to:

◦ request information

◦ impose sanctions or to seek orders from courts or tribunals

◦ refer matters for criminal prosecution

◦ suspend operations or trading.

These powers can ultimately extend from withdrawing or suspending authorisation of the firm, or of individuals within the firm who hold ‘authorised or controlled functions’, through to punishing a firm for misconduct. Regulators can also impose financial penalties and public censure. Increasingly, regulators may also impose penalties on individual persons within the firm. A regulator’s enforcement power illustrates how regulatory standards are upheld and helps to promote consumer confidence and raise awareness of regulatory standards.

Recent enforcement trends

Since 2009 many European banks have been fined very heavily by US regulators for violating US laws and regulations on matters such as sanctions, tax evasion and the manipulation of interest rates such as LIBOR (among other breaches). These fines are often in addition to fines from their own national regulators in Europe. These fines have included:

BNP Paribas $8.9bn for sanctions violations 

Credit Suisse $2.6bn for tax evasion

Barclays $2.32bn for FOREX manipulation

HSBC $1.92bn for money laundering violations

UBS $1.2bn for LIBOR manipulation

UBS $780m for tax evasion

Rabobank $740m for LIBOR manipulation

Standard Chartered $674m for sanctions violations

RBS $669m for FOREX manipulation

ING $619m for sanctions violations

Deutsche Bank $7.2bn for RMBS trading activity.

This trend has led to suggestions – largely from the firms themselves – that the US regulators are targeting foreign banks. In fact, the level of fines levied on US banks, especially in respect of restitution and compensation over mortgage-backed securities, has also been substantial, indicating that there has been a change of approach by the regulators in that they are fining at levels that are designed to deter law breaking.

 

For Question 5

Regulatory structures: Rules 

Regulatory rules may be broadly described as the detailed requirements placed on regulated firms and individuals, together with those imposed on the regulator itself in the exercise of its powers and fulfilment of its responsibilities.

Typically, regulatory rules include:

• those concerned with corporate governance and internal control systems

• prudential rules, and

• conduct of business rules.

There are generally two approaches to regulation. These are the ‘rules-based’ and ‘principles-based’ systems.

 

Under the ‘rules-based’ approach, legislators and regulators prescribe in detail exactly what a firm must or must not do to attain the standard of conduct required. The ‘rules-based’ approach will also set out the firm’s obligations to its clients and shareholders.

 

The choice of regulatory approach 


Under the ‘principles-based’ approach, a regulator will focus less on the prescriptive detail of a rule and more on assessing how a firm has interpreted the broad principles set within the source materials (such as regulatory handbooks). For example, a principle might be worded as ‘a firm must observe proper standards of market conduct’. This gives a firm scope in how it might interpret and achieve adherence to the principle. It also provides the regulators with scope to judge whether a firm has acted in the best interest of its shareholders and customers. This is also the case where regulators wish to promote good standards of conduct, as it allows both the company and the regulator to interpret and provide evidence of what good conduct looks like.


In practice, of course, the distinction between the two approaches is not as neat or clear cut as the above explanations might suggest. Under a ‘principles-based’ approach, the principles are usually supplemented by underlying rules and codes of practice, while under a ‘rules-based’ approach organisations still have to interpret the rules to some degree.


Consequently, jurisdictions can end up with a hybrid approach as, for example, in the UK. Although the FSA had its 11 Principles for Businesses, the responsibilities for which have now been taken over by the FCA and the PRA, its approach was more prescriptive, with the result that initially it was largely rules-based. It can also be argued that the title of these ‘Principles’ is quite misleading because the Principles for Business are effectively the core ‘rules’ on which UK conduct regulation is built. 


In 2005, however, the FSA moved towards what they termed more ‘principles-based’ regulation. The FCA has committed to continuing with this approach. Internationally, the move towards more principles-based regulation has continued, with the exception of the regulations designed to rebuild confidence in the international financial system following the credit crunch. If anything, the rules have been made more prescriptive in prudential regulations.

 

The case for and against rules-based regulation 


Rules-based regulation provides clarity for firms in so much as it is prescriptive in its requirements, allowing firms to understand what they must do to be compliant. A substantial rulebook of detailed requirements typically accompanies such a regime. There is limited room for interpretation of these rules, and therefore there is a lower risk of different levels of application by different firms in the market than might be the case in a principles-based system. 


This can, however, lead to a ‘tick-box’ approach to compliance, focusing on the letter (rather than the spirit) of the rules. If rules have to be written to accommodate market developments, there is also the risk that firms’ new products and services may be found to be non-compliant at a date in the future when the rules are updated. Furthermore, the rulebook simply cannot cover every possible circumstance or eventuality. This inevitably leaves gaps in the detail that could be exploited – a significant limitation of this approach. 

 

The case for and against principles-based regulation 


This approach is less concerned with precision and targeted more at achieving the general aims that the regulator wants for consumers and markets. The aim of a ‘principles-based’ approach is to articulate what a regulator would expect a firm to do or how it would expect a firm to behave. For example, a firm must: 

 

• conduct its business with integrity

• protect its investors

• reduce systemic risk.

 


The interpretation of principles is sometimes considered by firms to be more challenging than simply adhering to rules, as it does not provide clarity on exactly what is expected by the regulator. This can lead to difficulties if, for example, the regulator has a different interpretation to the firm. 


This approach is also criticised as firms must make judgements about what will, or will not, be considered to meet the desired principle in the future. The regulator may, however, believe that the principle has not been achieved and will have the benefit of hindsight on which to base its judgement. 


Nonetheless, principles-based regulation does allow a firm more flexibility in the way it achieves a principle, enabling it to adopt an approach in keeping with the organisation’s culture, systems and controls. It also helps to encourage innovation, as firms can assess whether a new product, service or venture would be within the spirit of the existing regulation’s aims and objectives, rather than having to wait for a specific new rule to be drafted and agreed.

 

Rules-based or principles-based? 


Some firms have commented that a principles-based approach to regulation is preferred, as less time and resources are spent trying to analyse and assess compliance with complex rules. Under principles-based guidance, regulators can allocate more time to examining the substance of the market participant’s behaviour rather than probing the minutiae of a rule breach.

 

The difference between these two approaches was highlighted by the accounting scandals in the US in the early 2000s. Accounting standards in the US were set out in extensive rules, but despite this there was no high-level unifying principle. The comment was made that this made it easier for US corporations to take a legalistic approach and weave around the letter of the requirements because of the absence of this overarching principle. The approach in many other jurisdictions by contrast, is based on principles, with a ‘true and fair view’ requirement being the overriding principle to be considered.

 

Perhaps the best way of regarding rules is to view them as illustrating the principles. Rules will never be created as quickly as financial firms can innovate; they will always be one step behind. If an action can be interpreted to be possible under the rules, but appears to conflict with a principle, the principle should be applied. On a day-to-day basis, it is more often necessary to consider and apply core principles than it is to apply the detailed rules. This is a skill compliance professionals need to develop.

 

Increasing focus on outcome-based regulation

 

In recent years, the ‘principles-based’ approach has evolved to focus increasingly on outcomes. The transition to what has become known as more ‘principles-based’ regulation (MPBR) has come about to address the perceived weaknesses in the ‘principles-based’ approach, where a firm can show that it has adopted a principle but may still not have achieved the desired outcome.

 

MPBR has focused attention on the most important outcomes. It has increased the emphasis on senior management’s responsibility for achieving these outcomes while retaining the flexibility offered to them under a ‘principles-based’ approach. The key is that the outcomes are measurable, and therefore it can be demonstrated they are being achieved.

 

Some prescription may need to remain, however, such as is the case in the EU where firms have to adhere to certain EU Directives, such as MiFID, CRD and CAD, etc. Where possible, any remaining rules have been refocused – outlining the desired outcome rather than the process required to achieve it.

 

Regulatory structures: Guidance

 

Sometimes, a regulatory authority may be compelled to issue detailed guidance to regulated businesses, detailing how it expects them to discharge their legal and regulatory obligations. Anti-money laundering and counter-terrorist financing are areas where most regulators around the world have issued guidance. This may be in the form of a statement of minimum best practice. The results of non-compliance with such guidance depend upon the nature of the guidance and the regulator’s power to enforce compliance with it.

 

 

 

Regulatory structures: Codes of conduct 

 

In understanding how law and legal rules operate within financial services, it is also important to consider the role of voluntary codes. 


Voluntary codes of conduct are guidelines and commitments that firms voluntarily agree to follow. Known also as ‘codes of practice’ or ‘non-regulatory agreements’, they typically outline standards that customers can expect when they are dealing with a company that subscribes to a particular code. Companies and associations in the financial sector have for some years adopted voluntary codes of conduct in areas such as insurance, mortgages and other banking services. 


Voluntary codes have typically been used in financial services as an alternative to government legislation or regulation. They can be an inexpensive and effective method of influencing and controlling the behaviour of companies, ensuring enhanced consumer protection. 


Many trade bodies still have an important role in the industry worldwide – we looked at a small number of them in section 2.1 above. Such trade bodies define standards and codes of conduct that firms must meet in order to maintain their membership. 

 

Regulatory models 


The principles- and rules-based approaches explained above define the way in which regulation is exercised or communicated. In practice, this approach must be set within an overall regulatory supervisory framework, of which there are various different models in use around the world. Broadly speaking, the models can be categorised as follows: 

• institutional regulation

• functional regulation

• regulation by objectives

• regulation by single regulator.


These models describe the different ways in which regulatory supervisory regimes can be structured to oversee financial firms operating in a particular jurisdiction. We will examine each in turn.

Institutional regulation 


This is the traditional approach to supervision, sometimes referred to as ‘by-markets regulation’, based on the firm’s legal status (banks, insurance firms, etc.). The approach entails regulation of each single category of financial services business by distinct regulatory authorities and/or divisions. These cover the whole range of different functions or activities performed by each institution.

 

Functional regulation 

Sometimes referred to as ‘regulation by activity’, this approach focuses on the functions performed by financial services businesses (the business being transacted) rather than the legal status of the businesses themselves. This approach to regulation requires rules that must be applied consistently to any business that engages in a particular activity, irrespective of the type or category of that company. Under functional regulation, therefore, a firm might have to deal with a number of regulators covering different activities. For example, one regulator might be responsible for ensuring that conduct of business requirements are followed by firms, while another reviews prudential management.

 

Regulation by objectives

This approach seeks to achieve certain explicit objectives by giving responsibility for one or more of them to a specific regulatory body that exists solely for that purpose, with other bodies being responsible for other objectives. Such an approach means that financial services businesses are often subject to the control of more than one regulatory body.

‘Twin Peaks’ can be an example of regulation by objectives, with one regulator responsible for market stability and confidence and another for consumer protection – two of the main objectives of regulation. In practice, under regulation by objectives there could be further regulators focusing on other objectives, such as monetary policy, competition, or indeed any other objective considered necessary.

Regulation by single regulator

This integrated approach entails the creation of a single central regulatory authority responsible for the fulfilment of all regulatory objectives involving the supervision of the different institutions and functions. This is the approach favoured in Singapore where the sole regulator is the Monetary Authority of Singapore (which is also the Central Bank).

 
