Compliance: what is it - a new step in business management or bureaucratic procedures. Compliance – what is it? Compliance in a bank: functions, definition and tasks What does the term compliance mean?

The first question that suggests itself, given that compliance control is a relatively new phenomenon for Russia: what does your department do?

One of the main tasks of the compliance control department is protection of the bank’s reputation, as well as protection of licenses, which, in fact, ensures continuous financial success. This is a general definition. In detail, the compliance control department is divided into several groups. The largest of them is the anti-money laundering group, the financial monitoring department. Other, no less important groups within the division are involved in preventing conflicts of interest, ensuring the “Chinese Wall” information control regime, monitoring and analyzing customer complaints, and complying with the bank’s gift policy. There is personal account dealing - a group that monitors the purchase of securities into the personal accounts of employees. We are also tasked with monitoring the external interests of employees, usually business interests. Accordingly, we train employees in all these intricacies.

It seems that in Russia the first area of activity - combating money laundering - is precisely the most well-known.

This is true. In our country, the very term “compliance controller” was introduced at one time by the instructions of the Central Bank and then it meant mainly groups of people or specific individuals responsible in banks for combating money laundering. And even now, if you ask many bankers what the responsibilities of compliance control are, you will most likely hear the answer: to ensure that the bank is not used to launder funds.

Many, but not all?

Not everyone, of course. Moreover, in my opinion, in the last two or three years there has been a trend towards expanding the functions of compliance control units in Russian banks. Banks included in the top 10 - top 15, apparently, have realized that reputational risks can seriously complicate the life of a financial and credit structure, and at the same time they can be associated not only with suspicions or accusations of money laundering. Therefore, banks began to create their own compliance control units, which are not limited only to anti-money laundering. This is very important - maybe some bank board members still have crimson jackets hanging in their wardrobes, but in general the trend of the last few years is that all banks want to be transparent, respected, and have a good reputation. Therefore, on the one hand, what I said above is happening - the range of responsibilities of the compliance control unit is expanding, and on the other hand, the compliance control department is increasingly being united under a single “umbrella” with the risk control department. This makes sense because compliance control is a department that, in a certain sense, also controls risks.

Dossier "BO"

Dmitry Chistov graduated from the Moscow Aviation Institute with a degree in information transmission systems and studied for an MBA at the University of Minnesota. At the beginning of 2006, he was appointed head of compliance control for the Deutsche Bank group in Russia and the CIS, and is now responsible for the entire range of compliance control - from anti-money laundering to managing conflicts of interest and preventing insider trading. Before joining Deutsche Bank, Dmitry Chistov worked in a similar position at CJSC Citibank for eight years. Since 2001, he has been actively involved in the development of by-laws on anti-money laundering by the Bank of Russia, speaks at conferences and seminars, advises Russian banks on compliance issues, and is deputy chairman of the anti-money laundering committee of the Association of Russian Banks.

You said that the trend towards expanding compliance control functions began two or three years ago. In Russia, as we know, when thunder doesn’t strike, a man doesn’t cross himself. Is it necessary to understand that banks began to develop a new view of this division after some scandals, internal or external?

Well, I would answer your question this way: and after scandals too. But the reason of the first order, in my opinion, is that the time of “raspberry jackets” is truly a thing of the past, and in the banking sector too. Integration in the international arena is increasing, banks are striving to attract large foreign clients. Now imagine how these potential clients must react to situations when they ask the question: do you have a compliance officer at your bank, and instead of answering, they see the chairman of the board exchanging confused glances with his colleagues. Or they are told that yes, there is, he is engaged in combating money laundering and nothing else. Clients say: “That’s it?!” - and that’s when our bankers begin to understand that the functions of compliance control should include something else. Moreover, this “something” is no less important than the fight against money laundering.

And, having realized this, Russian banks begin to “copy” the examples of foreign banks?

Not at all necessary. I may say something seditious, but I know foreign banks where things with compliance control are not much better than in other Russian banks, where all the efforts of the department are focused exclusively on complying with Russian legislation on combating money laundering, and other areas remain “uncovered”. As a matter of fact, the best evidence that this is the case is the periodic scandals surrounding very large and very well-known financial groups. At the same time, some advanced domestic banks often demonstrate very good developments in the organization of compliance control units. It is clear that not everything is working out for them yet, but the management of Russian banks has an interest and understanding that this is necessary - which means there will be good results.

Different groups - different goals

Speaking about the various groups included in the compliance control division, you mentioned personal account dealing - a group that monitors employee purchases of securities on personal accounts.

What, exactly, needs to be controlled here? Can't bank employees buy for themselves those securities that seem profitable to them?

They can, of course, but in this case it is necessary to respect not only their own interests, but also the interests of the bank - in any case, to avoid situations in which the bank may incur image costs. There is a so-called “closed list”, which includes companies using the services of Deutsche Bank at the time an employee purchases their securities. Let's say a bank finances a company from this list to purchase another asset, and at this time our employee begins to actively buy securities of this company. The market will react to this like this: “Of course, you had non-public information, so your employee was able to take the lead.” It is clear that such an assumption is usually not true. However, if such a precedent is established, it can be very difficult to convince the market of the bank’s innocence.

And what about the “Chinese wall” regime? Why is it needed?

The “Chinese Wall” is necessary in order to separate two information “zones” in the bank’s activities. Conventionally, they can be called the “private side” and the “public side”. The first of them employs bank employees who have information about clients that is not available to the market at the time of service. The second includes divisions involved in analysis and purchase of securities, that is, those divisions whose activities are based only on the use of public information. Since we want to serve all clients without exception and do not want to exclude those who provide us with non-public information, the “Chinese wall” regime is being introduced. As a result, people on the “public side” can calmly, for example, continue to enter into transactions for the purchase and sale of shares of a given company at the request of clients. And no one can accuse them of having access to non-public information and using it for personal gain.

You named another very interesting area in compliance control - the group responsible for implementing the “gift policy”. What does this mean?

Compliance with the bank’s internal rules on what can be a gift and what cannot.

That is, in fact, an attempt to establish a boundary at the point where the gift ends and the bribe begins?

You can say that. The Russian banking sector has its own specifics in this regard, and this specificity is largely due to the national character of Russia itself. It is not for nothing that we have a double-headed eagle as our coat of arms, one head of which looks at Europe, the other at Asia. The Asian part may have completely different gift traditions than the European part. Therefore, what in Europe may be considered a bribe, in our country can be considered as a good gift, a sign of respect, but in no way an attempt to influence decision-making. And to avoid unfounded reproaches against the bank, such things should be clearly regulated.

Conflict of interest and how to deal with it

Well, what about conflicts of interest, which the compliance control unit should also prevent - under what conditions do they arise? And by what criteria are transactions checked for possible conflicts of interest - are they selected by size or by some other indicator?

I would like to immediately note that a deal in this case is not quite the appropriate term. We are not talking about transactions, but about projects. Transactions with securities on the stock exchange, as a rule, do not pass the test for the presence of conflicts, regardless of the amount for which they were concluded, because in this case it is clear that they were carried out as a result of the analysis of public information, on general terms. The situation is different with projects: they mean, in particular, conducting an initial public or secondary offering of shares, or financing a serious expensive project, or participating in the preparation of a merger and acquisition transaction.

How can a conflict of interest arise in such a case? For example, our corporate finance department finances company A to purchase company B. It may well happen that another department of our bank at this time is consulting company “B”, looking for potential buyers for it. Now imagine what will happen if, in the end, company “B” is sold to company “A”, and information leaks to the market that both of them were clients of various departments of our bank?

It is clear that there will be a scandal...

A scandal, and what a scandal! The question will arise: maybe the bank deliberately did everything so that company “B” would prefer company “A” as the buyer, while another sales option would have been more profitable for it, in which company “C” would have been the buyer? Maybe those who were involved in financing the transaction at the bank simply “leaked” the necessary information to their colleagues engaged in consulting, and as a result, the interests of the company that turned to you for consulting services were violated?

That is, there will be suspicions that there was no separation of information flows in this case?

Yes, and therefore, so that such a possibility does not arise even theoretically, bank divisions enter into a database - deal logging - all information about the projects that they are implementing or are going to implement. One of the tasks of our division is precisely to remind employees of all divisions of the need to enter and update information about projects at a very early stage. Sometimes this is forgotten, and this forgetfulness can result in serious problems for the bank's image.

But is this really necessary if we are talking about a project, negotiations about which have not even begun? He may not even get close to the negotiation stage.

Maybe it won't come close. Nevertheless, information about it - that which the bank has even at the planning stage - must be entered into the database. It is better that the threat of a conflict of interest be diagnosed immediately and measures taken to eliminate it immediately.

What specific measures can be taken?

Refusal of this or that project?

Not necessarily, this is a last resort. Most often, we are talking about a strict separation of teams that are engaged in “overlapping” projects, so that any possibility of exchanging information between them is excluded.

Suppose that the client learned about the existence of a conflict of interest, but agreed to continue to be served by the bank? Will measures to separate information flows still be taken?

Of course they will. Although today the client does not object, tomorrow he may begin to be indignant and claim that his interests have been violated. Therefore, I repeat, if the conflict of interests cannot be eliminated, we prefer to abandon the project rather than brush it aside on the principle “God won’t give it away, the pig won’t eat it.” The bank's reputation is more valuable than any short-term profits that we can receive as a result of servicing this or that client, however, in the presence of a conflict of interest.

You enter all information about existing and potential projects into the database. And who ultimately makes, so to speak, an opinion on the case - your department or some other division of the bank?

No, all information flows into the bank’s control room - a special global division where analysts, operators, and so on sit. They process the information received and, as a result, provide their conclusions about whether a conflict of interest arises in this case and, if so, by what measures it can be eliminated.

Compliance officer - disciplined, patient, not known to have any damaging connections

It turns out that a compliance officer is a kind of defender of the honor and reputation of the bank. What kind of specialists are invited to this work?

And are there special educational institutions for their training?

As far as I know, as well as from interviews with job candidates, today there are no such people either in Russia or in countries with developed economies. And who is selected... most often the same bankers who were previously involved in combating money laundering or were auditors, controllers of professional participants, or worked in completely different banking departments that have nothing to do with compliance control.

But such employees, apparently, have to be retrained and, as they say, “reached out”?

Yes, and this is the most painful question. We at Deutsche Bank, for example, often turn into a “HR forge” due to the quality of employee training known to the market: we take a person, train him, and then he is lured to another bank, and we have to look for a replacement for him. And, as I already said, you won’t find a ready-made replacement in our department. So the process begins again.

But do you have any requirements for applicants, other than having professional knowledge and skills?

Certainly. It is obvious that in order to work successfully in our department, a person must have a high degree of discipline, perseverance and, of course, analytical abilities and a keen sense of decency.

Everything is clear with the second and third points, but why is discipline so necessary?

It is not just necessary - it is one of the most important criteria when hiring. If a person is inclined to say “oh well, it will work out somehow,” by definition he has no place in our management. This indicates his lack of professionalism and lack of understanding that his lack of discipline could result in serious losses for the bank.

It is important to note another thing - an employee of the compliance control department must, among other things, be very loyal to his bank. After all, having access to the database, he thus gains access to non-public information about various companies that were clients of the bank or may become such. It is clear that this information should not “leak” onto the market under any circumstances, because in this case the image losses for the bank can again be quite significant.

Is such a trait as stress resistance important?

Very important. We work in a huge bank, there are many different divisions. Not all employees are aware of how important compliance control is to ensure the successful operation of the bank. At the very top, at the level of, for example, the executive directorate, this is well understood, but at the lower level one can hear addressed to us: “Why are you interfering, have you earned at least a penny for the bank?” This can be heard especially often from young employees who have earned their first million for the bank and are dizzy with success. I take such attacks calmly, but less experienced employees, of course, get offended when, for example, in response to their fair requests to add information about a particular project to the database, they are told such things. So stress resistance in this case is only a plus, and an even greater plus is the understanding that we may not earn millions for the bank, but we preserve what is more expensive than any millions: its reputation and its licenses, which, in fact, make it possible to work and earn money for the entire bank for a long time.

For reference: Compliance control is monitoring the compliance of banking activities in financial markets with current legislation in this area.

What is compliance control? This is a new financial risk management practice for Russia. Our students were lucky enough to learn first-hand why top management and staff are checked for loyalty, how compliance is related to ethical standards and how it affects the reputation of the corporation. The invited speakers in the “Open Lectures” program were representatives of OJSC Uralsib.

Compliance (English: agreement, compliance) is internal control over the compliance of the company’s activities with the law. Its main goal is to eliminate the risk of loss of profit. These include fines, damages, or failure to fulfill contracts. At the same time, compliance risks can lead to a deterioration in reputation, limited business opportunities, or a reduction in the customer base.

Irina Katysheva, Head of the Compliance Service of URALSIB OJSC, noted why it is important to purposefully create a culture of compliance with laws in the company.

“Everyone wants their employees to be loyal and decent,” says Irina Katysheva. “Every tenth person can become a fraudster if he has the opportunity and appropriate motivation. Therefore, compliance must create such an ethical culture in the company so that there are no temptations and people honestly fulfill their responsibilities. And for this it is important to organize business processes that comply with legal requirements. Compliance risks should be minimal.”

Irina Katysheva listed the areas in which compliance works:

  • code of ethics (standards of official conduct);
  • hotline for collecting information about violations;
  • “Chinese walls” in organizing business processes;
  • professional activity in financial markets;
  • countering the misuse of insider information and manipulation in the securities market;
  • combating money laundering and terrorist financing. The banking principle of KYC is “Know your customer”;
  • anti-corruption and abuse control;
  • information security.

    Questions from students

    — What control methods does compliance use?

    — First of all, this is prevention. Control during hiring, corporate training of personnel, approval of documents, payments, transactions, etc. We carry out ongoing control, including analysis of transactions, operations, telephone conversations and client activities. Our area of responsibility includes comprehensive checks in the organization of business processes and claims work. Investigations into customer statements and messages from employees via the hotline are also the competence of compliance.

    — What are the pros and cons of your work?

    — We identify shortcomings in people, as well as in the management system as a whole, we see unpleasant things. We have to collect a lot of information about employees and candidates for a particular position. The positive thing about our work is that when you are right, they believe you and the risk is averted. For example, when they did not receive a fine or license revocation. Then this is recognition and respect.

    - Who do you report to?

    — We work not for top management, but for the business owner. We are a service directly reporting to the shareholder, who must receive objective information “on the table” from us. Independence from top management is important.

    — To minimize risks, we began to use psychometrics. What methods do you use?

    - I can’t say that all this works. We also use a polygraph. Everything can be fooled: both a test and a lie detector. Therefore, as a manager, I communicate a lot, talk with employees, and use the socionic method. For example, you need to understand that there are “conflict” people. You must define them. There are people who are not suitable for each other at work. You also need to be able to identify this.

    — What qualities and knowledge do you need to have to work in compliance?

    — If you want to be a professional in this field, you need to be a specialist in different fields. Communication skills, the ability to obtain information, analyze, and clearly see the result of your work are very important. Naturally, it is necessary to know the legislation well. The task of compliance is not just to understand it, but to apply the rules so that they work. But you must also know the entire business in which you work. Know what business process you regulate. You need to have a systemic view.

    Anti-corruption in business

    Another guest speaker at the Open Lectures explained why compliance is related to corruption and how private companies fight it.

    “Kickback is the most common violation in Russian companies. According to 2014 data, 74% of all types of fraud are kickbacks,” says Roman Esin, director for anti-corruption issues of the Compliance Service of Uralsib OJSC. “Commercial bribery is widespread and is still an integral part of the business environment. Therefore, it is important to change the mentality and culture of people, including using appropriate legislation.”

    The most significant consequences of corruption are reputational damage and financial loss. How do private companies build control over corruption risks? The COSO (Committee of Sponsoring Organizations of the Treadway Commission, USA) model is used.

    “The compliance hotline is important,” noted Roman Esin. “People who are loyal to the company should have a channel for informing the internal control service. They can call anonymously and report violations.”

    Prevention is an equally important area in working with personnel. Rules of business ethics, training programs, hiring procedures, and information about what a “conflict of interest” is are being developed. Gifts are also subject to compliance control:

    “The practice of giving gifts is widespread in Russia,” says Roman Esin. “If two main signs are not observed – “free of charge” and “ordinary”, then at some point it can become a bribe. We send employee handouts outlining what is acceptable and what is not. For example, the cost of a gift should not exceed 3,000 rubles. An expensive gift must be included in the registry. It indicates from which counterparty, what gift and for what amount. Participation in this procedure indicates the loyalty of the employee. The memo specifies business hospitality events in which you can or cannot take part. Business breakfast, lunch and dinner are acceptable. It is unacceptable to participate in entertainment activities that could be considered indecent or negatively affect the bank’s reputation (for example, nightclubs, gaming halls).”

    From the history

    In 2009, Federal Law No. 273-FZ “On Combating Corruption” was adopted. Significant regulatory and systemic support was received in the public sector:

  • International anti-corruption conventions have been ratified;
  • anti-corruption legislation has been developed;
  • institutions have been created to coordinate anti-corruption tools.

    In 2013, the vector of development turned to private companies. Article 13.3 (Law No. 273-FZ) came into force, according to which private companies can take additional measures in the fight against corruption:

  • identify officials responsible for the prevention of corruption offenses;
  • develop and implement standards and procedures aimed at ensuring the integrity of the organization;
  • adopt a code of ethics and professional conduct for employees of the organization;
  • prevent and resolve conflicts of interest;
  • prevent the preparation of unofficial reports and the use of false documents.

    The “Open Lectures” project is implemented by the Institute of Higher Professional Education of the Moscow State University of Medicine of the Moscow Government. A space is created for university students to discuss current topics, exchange opinions and get acquainted with new management practices. Mikhail Barshchevsky, Sergei Andriyaka, Igor Mann and other famous figures from Moscow spoke as part of the project.


    The term “compliance control” came into Russian practice and the practice of other CIS countries with the arrival of large foreign companies on the market, where this function is an integral part of their activities. Its main goal is to minimize legal and reputational risks arising from violations of professional and ethical standards.

    Broadly speaking, the term refers to the risk of legal or regulatory sanctions, significant financial loss, or loss of reputation by a bank as a result of its failure to comply with laws, regulations, rules, self-regulatory organization standards, or codes of conduct relating to banking.

    As a rule, the main document is the Code of Corporate Conduct (English: Code of Conduct), which regulates the standards of conduct of employees of the organization when interacting with clients, other employees, contractors, suppliers, supervisory authorities and other third parties that an employee encounters in the performance of his professional duties, and which covers such areas as business principles, business integrity, company assets, etc.

    In addition to the Code of Corporate Conduct, the organization may develop the following documents:

    • Code of Ethics
    • Gift Acceptance and Giving Policy
    • Whistleblowing policy
    • Bribery and Corruption Policy
    • Policy on combating the legalization (“laundering”) of proceeds from crime and the financing of terrorism
    • Data privacy policy
    • Conflict of Interest Policy (Chinese Wall Policy)

    Wikimedia Foundation. 2010.

    Compliance is the foundation on which an organization’s control system is built. This is the most important part of management. But it is very difficult to adjust compliance control to the internal rules of the organization.

    The essence

    At any enterprise, there are a lot of types of control of human, technical, and administrative resources built into business processes in order to comply with standards and requirements. When creating an enterprise, statutory documents are formed and principles of company management are formulated. But as business processes become more complex, it becomes increasingly difficult to comply with the rules.

    The growth of technological processes, personnel expansion, and product diversification require a complex management system. You can achieve good financial indicators, but after an organization is inspected by a regulatory authority and a fine is issued, you can end up with a whole series of troubles. Reputational risks lead to a loss of market share, a decrease in sales volumes, etc. At the same time, legal risks may arise. The borrower may demand early repayment of the debt if the company's financial performance worsens.

    Rules exist to be followed. An organization also needs a person responsible for ensuring that, from the moment a new rule or requirement appears until it is transformed, technology is introduced that allows the business to develop while complying with established standards. In Western practice, these functions are performed by a compliance manager.

    Requirements Cycle

    Each new order or resolution goes through a number of stages:

    • appearance (discussion of the project);
    • approval (signing of the document);
    • entry into force of the requirement;
    • transformation (change of parameters);
    • cancellation of an order due to the appearance of a new one or because it is unnecessary.

    It is the responsibility of the manager responsible for compliance to form new processes by analogy with the old ones. What does it mean? The manager must have a wide range of knowledge and skills, participate in the creation of a documentary base, and supervise personnel training issues. He can also justify the budget if there is a need for additional funding for the implementation of a new order.

    Compliance management is not only about establishing internal connections, but also external ones. The manager must maintain relationships with other departments and control structures (auditors, security service, etc.). With well-established work of the manager and all of the listed services, it is possible to obtain a synergistic effect for the benefit of the common cause of the financial organization.

    How to fit a compliance system into an organization

    By creating a product, an enterprise expects to receive profit and other benefits in the form of a competitive advantage. But at the same time, you cannot direct all business processes to generate income. Otherwise, the control system will be lame. Compliance is called upon to correct the situation. What does it mean? Simultaneously with the release of the product, it is necessary to prepare the software necessary for sales analysis in accordance with internal requirements.

    When developing a compliance control center, you need to remember the golden rule: the cost of control should be less than the losses from its absence. That is, when introducing a new product, it is necessary:

    • Determine in advance all the factors that interfere with its implementation under the agreed conditions.
    • Calculate the losses that may arise if the product is sold in the absence of a control system. Compliance risk is the consequences of the application of sanctions from regulatory authorities (fines, penalties, etc.), financial loss, and loss of reputation of the organization.
    • Determine their minimum and maximum boundaries.
    • If the maximum value of losses is considered satisfactory for the enterprise, then it makes no sense to implement a full-fledged control system.

    Compliance in a bank

    The term compliance translated from English means compliance with requirements (standards). There is no clear interpretation in Russian legislation. The term “compliance” has been used in the professional sphere for a long time. What does it mean? The term is used to express the function of ensuring compliance with regulations, constituent documents, preventing the involvement of the bank and its employees in illegal activities (money laundering, terrorist financing), and timely provision of information to the Bank of Russia.

    Compliance is a set of specific functions, the implementation of which allows you to manage all types of risks. They can be divided into two groups: mandatory and optional. The first are legal requirements. For non-compliance, the bank may lose its reputation and incur penalties. The second includes management orders, as well as functions whose implementation is related to the expectations of partners. For example, operational employees, risk managers, and IT department employees are involved in studying the client’s activities and identifying the client. But the performance of these functions is dictated by common sense, and not by the requirements of regulations.

    Laws

    The implementation of the compliance system is regulated by two documents: Regulation No. 242 “On the organization of risk management in credit institutions” and Regulation No. 06-29 “On the internal control of a professional participant in the securities market.”

    Responsibility of the parties

    Based on the essence of the term itself, compliance in any credit institution should be handled by the security service. But international standards allow a multi-level model, that is, the distribution of compliance functions between various divisions of the bank. On the other hand, according to the recommendations of the Basel Committee on Banking Supervision, responsibility for the implementation of the system as a whole should be borne by one specific person - a high-status employee who is part of the management body of a credit institution.

    Areas of activity - compliance center

    Sberbank, like any other credit institution, is developing a comprehensive control system with a specific purpose:

    • combating fraud, corruption, money laundering;
    • compliance with the requirements of regulatory documents and international standards;
    • compliance with corporate conduct standards;
    • control of a professional participant in the securities market;
    • countering manipulation on the securities market;
    • handling customer complaints;
    • compliance with information security.

    Compliance of Sberbank

    All employees are involved in the implementation of the compliance function in the largest credit institution in the country within the scope of their official duties. Implementation of functions in all areas requires automated processes. In Western countries, 10% of all bank employees are involved in compliance implementation. Sberbank actively interacts with CIO offices and successfully implements automated systems.

    For example, IT platforms based on Oracle make it possible to systematize financial monitoring processes and optimize the organizational structure.

    In 2014, the Foreign Account Tax Compliance Act (FATCA) came into force, according to which all banks in the world are required to disclose information about the accounts of American taxpayers and related legal entities to the US Tax Service. Sberbank spent several million dollars on the implementation of this product. In the future, it is planned to adapt the system to the Russian market.

    Compliance in enterprises

    It is often impossible to implement a business project without permits or agreement on the terms of business activity with government agencies. To organize internal control, it is necessary to implement compliance. What does it mean? Today, compliance is perceived as a system of monitoring the reliability of contractors and employees. But such an approach does not allow assessing the risks of applying measures by government organizations for violations of requirements. Therefore, it is necessary to establish a control system to ensure compliance with standards and a pre-audit audit.

    Information about scheduled inspections of government agencies is posted on the website of the Prosecutor General's Office. The grounds for unscheduled inspections are: appeals to government authorities with information about violations of rules, unfulfilled orders, violations of consumer rights. It is advisable to organize compliance with counterparties and employees who may file a complaint through conflict resolution. It is also necessary to comply with the requirements of government agencies on time.

    If any provisions of the regulations remain unclear, then in order to prevent the risk of liability, you should seek written clarification from the regulatory authorities. Such measures usually exclude culpability and liability.


    When developing a compliance control system, companies must remember the following circumstance: business entities are allowed everything that is not prohibited by law.
    That is, if the demands of officials go beyond the capabilities provided to them, the company may issue a refusal to comply with illegal instructions. The organization can also appeal to a higher authority and in court any demands, actions and decisions of government bodies if they affect its rights.

    12.11.2015

    A system of measures called Compliance is a tool that prevents violations (by both management and line personnel of the company) of the current legislation, internal regulations and basic provisions of business ethics.

    The law requires the creation of a full-fledged specialized division (department) for compliance only in companies in the banking sector. However, certain elements of this function will be useful to organizations from other industries, in particular:

    • business entities conducting business under strict administrative regulation (energy, pharmaceuticals, telecommunications, etc.);
    • subsidiaries and representative offices of global corporate groups, if there is a risk of cross-border requirements of US and UK anti-corruption legislation extending to their operations;

    Case study: In the USA, a subsidiary of Daimler AG in Russia was found guilty of violating the law

    In 2010, Daimler AG was tried in the US District Court for the District of Columbia for violating the Foreign Corrupt Practices Act (FCPA). At the same time, a Russian company, a subsidiary of Daimler AG in Russia, was also found guilty.

    • companies whose officials and (or) products are subject to sanctions, as well as companies whose counterparties are on the “black list”.

    What is compliance

    The activities of any company must meet the requirements:

    • current legislation;
    • internal standards;
    • provisions of business ethics.

    Violations of any of these requirements may result in significant financial and reputational losses: fines, suspension of activities, and litigation.

    One way to reduce the risk of such negative consequences is to implement a compliance function aimed at proactively preventing violations of legislation and internal regulations, including comprehensive risk management at all levels of management. The term “compliance” itself comes from the English word “compliance” - agreement, conformity (to comply).

    Compliance is a system of measures, procedures and mechanisms that ensure that employees conduct business in strict accordance with current legislation, the requirements of regulators and self-regulatory organizations, internal regulations and ethical standards. This is achieved through the identification, assessment and management of compliance risks and regulatory risks in business processes at each level of the company’s organizational structure. Compliance risk is understood as the risk of losses due to non-compliance with the legislation of the Russian Federation, SRO standards, and internal local regulations. Regulatory risk means the risk of losses as a result of the application of sanctions and (or) other regulatory measures by supervisory authorities.

    Two options for building a compliance function in an organization

    Organizations to which regulatory requirements for mandatory compliance do not apply can voluntarily build this function in the form of a centralized or decentralized structure.

    Centralized scheme. A new division is being formed in the organizational structure of the company (by analogy with the banking sector, for which such a scheme is mandatory). It is responsible for the functions of analyzing compliance risks and regulatory risks, preparing proposals for optimizing business processes and controls, as well as conducting ongoing monitoring of compliance with established control procedures.

    The advantage of a centralized scheme is the concentration of functional responsibility on a specific structural unit. This ensures the most complete coverage of areas of the company’s activities that require a compliance system, as well as high quality performance of assigned tasks due to the narrow specialization of the department.

    The main disadvantage is that the compliance department duplicates the functionality of existing departments in the areas of risk management, legal support, economic security and internal audit, and adds expenses to the company’s budget for wages and social contributions. A centralized compliance organization scheme is optimal for large companies whose activities are monitored by international rating agencies (Standard & Poor’s, Moody’s, Fitch). The assignment of the final rating will be influenced, among other things, by the presence of a compliance risk management function within the existing corporate risk management system of the observed company.

    Decentralized scheme. This configuration ensures the distribution of responsibility for the implementation of elements of the compliance function between existing structural units.

    In this case, each manager analyzes compliance and regulatory risks and manages them within the framework of business processes of the supervised area of activity. The advantage of the scheme is the saving of resources. At the same time, powers in the field of compliance will become an additional burden on the existing functionality of structural divisions.

    How to implement a compliance function

    In a situation of economic crisis, when companies are cutting costs, the owners and management of the company may not support the idea of creating a new department to perform exclusively the compliance function. At the same time, the need for systemic analysis and management of compliance and regulatory risks is not removed from the agenda. One solution to the problem may be the introduction of certain elements of the compliance function into the current activities of the company. This will require the following steps.

    1. Identify compliance and regulatory risks. To identify risks, it is recommended to form, by an order or regulation of the organization, a working group with the participation of lawyers and representatives of specialized departments. In the project passport, determine the mode of meetings and requirements for the result of the work.

    The working group needs to identify business processes that may pose risks of compliance violations. When identifying risks, existing conflicts of legal regulation, heterogeneity of judicial practice, and the possibility of dual interpretation of regulations by regulatory authorities are taken into account. For example, if among the top managers of a company there is a US citizen, then this automatically leads to the application of the requirements of the FCPA (the Foreign Corrupt Practices Act of 1977) to the company.

    The result of the working group’s activities should be a map of compliance risks and regulatory risks affecting the company’s business. In this case, the risks in the map are ranked based on the likelihood of their occurrence and the amount of possible damage. The map will allow you to analyze specific situations in which non-compliance with legislation, regulatory requirements and business ethics principles is possible, as well as develop measures to prevent them.

    In addition, during the meetings of the working group, basic regulatory documents in the field of compliance can be developed, including:

    • code of ethics (business conduct);
    • conflict of interest policy;
    • hotline operating procedure;
    • procedures for internal investigation into violations of established norms and procedures

    2. Distribute areas of responsibility. Once problem areas in which violations may occur have been identified, another local regulatory act for the company determines the officials responsible for implementing risk management measures. Typical compliance solutions are presented in the table:

    | Risk | Risk reduction measure | Structural unit responsible for compliance control |
    |---|---|---|
    | Corruption on the part of company officials responsible for interaction with external parties | Approval of a local regulatory act defining: criteria for an acceptable gift; standards for gifts and entertainment expenses by employee level; list of prohibited expenses (gifts); procedure for preparing supporting documents | Human Resources Department |
    | Threat to the company's business reputation. Interaction with unscrupulous counterparties, as well as with counterparties under sanctions and (or) involved in suspicious transactions | Inclusion of compliance clauses in all contracts with counterparties, providing: the right to unilaterally terminate the contract on the part of the company without paying penalties in the event of violations by the counterparty of the established principles of fair business conduct; safety of all transaction documentation and ensuring access for the company to this documentation, including after a certain period after completion of the contract | Legal Support Department |
    | | Mandatory procedure for verifying the integrity of the counterparty (the Know your customer principle), including, but not limited to, checking for presence of the counterparty on international sanctions lists | Economic Security Service |

    3. Link bonuses to compliance. Payment of the variable part of employee remuneration (including annual bonuses) must be linked to the achievement of the indicator “Absence of violations of legislation, regulatory requirements and business ethics provisions identified as a result of an audit of external regulatory bodies and (or) control activities within the company.” If there are violations, the target premium amount is reduced by a set percentage.

    4. Ensure interaction with regulators. The authority to interact with regulatory authorities should be assigned to a single employee who coordinates this work on behalf of the entire company. The powers of such an employee will include, in particular, participation in working groups and round tables held by the government agency, at which future regulatory mechanisms planned for implementation and affecting the business of the organization are discussed.

    What role does the legal department play in implementing the compliance function?

    The above describes the measures that need to be taken throughout the company. In addition, it is necessary to make changes to the work of the legal department. Namely, transform it in the following three directions.

    1. Consideration of compliance and regulatory risks at early stages. The participation of lawyers in the collegial management bodies of the company, in specialized committees (strategic, investment, budget, tax, risk management) will allow us to analyze emerging risks at the earliest stage of making management decisions regarding:

    • development of new products;
    • entering new markets;
    • M&A transactions;
    • business restructuring;
    • tax planning.

    An appropriate mechanism for the participation of lawyers should be fixed at the level of local regulations of the organization, which will allow transforming the legal function from the previous fire brigade mode into the role of a legal risk manager. But this will require support from the CEO.

    2. Monitoring of legislation. In the context of an avalanche of changes in the legislative framework, the head of the legal service needs to allocate a separate employee who will monitor changes in legislation, judicial and law enforcement practice. If the department has the budget for it, this function can be outsourced to an external contractor.

    An example of the growing number of legislative changes

    In addition, it is necessary to monitor bills planned for adoption and, if possible, take part in public hearings.

    3. Regularly informing line managers about legal and regulatory requirements. Legal service employees analyze monitoring results and distribute them centrally across structural units on a regular basis. In case of significant changes, the head of the legal department may initiate internal meetings with representatives of other structural units.

    New functions will require an increase in the staffing level of the legal department and (or) an increase in additional workload on existing employees. These factors are the basis for the head of the legal department to raise the issue of increasing funding for the division to the general director.

    Material from the legal reference system “System Lawyer”