International Diploma in GRC - Unit 8

Unit 8 How to Design and Build World-class GRC Systems and Controls

Learning Objectives

The purpose of this unit is to:

• discuss how GRC controls fit within the structure of the firm
• consider how policies and procedures need to be developed in order to achieve GRC objectives
• explain the significance of issues such as:
  ◦ disclosure
  ◦ conflicts of interest
  ◦ remuneration
  ◦ advertising
  ◦ data protection
  ◦ record keeping.

1. How to implement effective GRC structures

Effective GRC structures underpin a successful company. A bold statement perhaps,
but one that is fundamentally true.

These structures ensure there are clear reporting lines through the company,
unimpeded access to the board of directors for those business functions with
critical operational and management duties, and clearly defined roles and
responsibilities. Some commentators argue that GRC processes have failed to
prevent serious compliance breaches and failures of governance, and have not
managed risk effectively. GRC processes failed to alert financial institutions to
the risks that led to the financial crisis and to prevent the seemingly innumerable
banking scandals since then. This is not simply a financial services problem, as
energy firms and pharmaceuticals manufacturers, for example, have also faced
failures and fines stemming from the inadequacies of GRC processes (see Unit 7,
section 8).

GRC needs a stronger focus on people and behaviour. The recent LIBOR and
FOREX scandals, among others, have shown the crucial importance of behaviour
and good conduct in avoiding governance, risk and compliance failures. Any
realistic GRC strategy needs to engage and involve employees in understanding
its importance and the way it works in practice.

Unit 7 described how effective corporate governance underpins the whole of the
GRC framework, through creating an effective compliance environment, and this
section will explore that in greater detail.


1.1 Reporting lines

Effective structures will have documented reporting lines through the company
hierarchy. These will be supported by agreed terms of reference so that, in the
event of a query, the relevant personnel can be accessed in order to resolve it.

Effective reporting lines are essential so that senior management is aware of
business activity, and any potential risks associated with this activity. In addition,
clear reporting lines allow for escalation of issues to the correct decision-making
body, so that the board and senior management can maintain control over
the company.

There have been many examples of companies suffering the consequences of
inadequate or poorly defined reporting lines, and researching the circumstances
behind these failures and scandals would be a useful exercise in developing more
understanding of where mistakes were made, and how an effective GRC structure
could have enabled those concerned to avoid them.

We have already discussed the problems leading to the collapse of Enron and
Barings Bank in earlier units, but there are other important examples.

Examples: Société Générale and UBS

In January 2008, Société Générale (SG) announced that it had lost nearly €5bn.
Jerome Kerviel, an equity derivatives trader, had created long positions worth
approximately €49bn. Owing to failings in SG’s systems and controls, the creation
of these positions had not been identified or communicated. SG’s own
investigation into the matter revealed that its controls were inadequate and that
there was little or no challenge to Mr Kerviel even when issues were identified,
because the issues were not reported.

In 2011, UBS experienced a similar incident when its systems and controls failed
to identify Kweku Adoboli’s US$2.3bn ‘rogue trading’ fraud. UBS was fined £29.7m
by the UK Financial Services Authority for failings that had led to the losses made
by Adoboli, and the fact that they had had no control over his activities (see Unit
2, section 7).

Example: JP Morgan Chase Bank

In January 2013, the Federal Reserve Bank of New York issued ‘cease and desist’
orders to JP Morgan Chase Bank for failings in its risk management systems and
controls, which had led to losses through trading in credit derivatives. The bank
was ordered to improve its financial and internal audit systems and improve its
risk management controls.

Deficiencies were found in JP Morgan’s internal reporting methods and the senior
management team’s escalation of issues to the board of directors, which meant
that the board could not meaningfully consider the issues as they arose.


1.2 Access to the board

Clearly, if all employees in the firm had unlimited access to the board to raise all
concerns or questions, it would be overwhelmed with queries. So, in conjunction
with the clear lines of communication already mentioned, access to the board
should be managed by departments or functions such as Compliance, Internal
Audit, the senior management committees, legal teams, HR and so on.

Using clearly defined reporting lines and meaningful management information (MI)
means that many of the queries can be answered by subject-matter experts, while
maintaining the flow of accurate and significant information to a senior level (for
more on MI see Unit 5, section 3.2; Unit 6, section 2.3.1; Unit 7, section 6.2). This
allows the board and senior management to have surveillance of the types of
queries and issues that are relevant to their control, management of risks and
overall governance of the firm.

1.3 Roles and responsibilities

1.3.1 The board and senior management

There is a common misconception in many firms that the Compliance function
is responsible for ensuring that operations are compliant. In fact, primary
responsibility for ensuring compliance rests with the board and senior
management (although typically the necessary activities are delegated to business
heads on a day-to-day basis). This issue needs to be addressed in job descriptions
and reinforcement of responsibilities.

As highlighted above, a board cannot manage compliance risks without some
assistance and it therefore looks to the Compliance function to support it by
providing oversight and reassurance, using an effective internal compliance risk
control framework. Typically, the board expects the Compliance function to design,
implement and monitor the framework, while relying on the business as a whole to
operate in accordance with it.

Although the framework can ensure that information about compliance risk
is regularly supplied to the board, it is up to the board itself to decide whether
the framework is adequate to provide the degree of comfort required and to
suggest ways of improving the information provided or to strengthen the wider
framework itself.

1.3.2 The Compliance function

The Compliance function is at the centre of the risk control framework. While the
board is ultimately responsible for any risk control failures, it is acceptable for it to
rely upon a Compliance function to design, implement and test the framework,
subject to appropriate delegation and oversight.

As we have seen earlier, a key role of the Compliance function is to assist the
board in ensuring effective oversight of the firm’s compliance arrangements. The
internal compliance system is the main mechanism through which this is achieved.
The fact that the board, not the Compliance Officer, is ultimately responsible for
compliance needs to be remembered, but a key point to recognise is that the
majority of jurisdictions expect the Compliance function to have a pivotal role in
the management of compliance risk.

Most regulated jurisdictions permit a firm to develop a compliance system that
addresses its own particular needs. With this in mind, IOSCO undertook a study
on the function of compliance, the results of which can be found in its study
document [97] published in December 2003. The Basel Committee on Banking
Supervision has provided an excellent description of the Compliance function of a
bank [98]. The description is applicable to all types of financial services business.

An independent function that identifies, assesses, advises on, monitors and reports on
the bank’s compliance risk, that is the risk of legal and regulatory sanctions, financial
loss, or loss to reputation a bank may suffer as a result of its failure to comply with all
applicable laws, regulations, codes of conduct and standards of good practice.

In addition to the wider responsibilities of the Compliance function discussed
in Unit 5, most jurisdictions will also look to that department to carry out the
following specific responsibilities in relation to risk management. In designing
a risk-based compliance system, the standard risk management methodology
(as outlined in Unit 6, section 1) is a good place to start. Although different risk
management models apply slightly different terminology, as a reminder the cycle
will typically involve the following key stages:

• identification of risk
• quantifying and evaluating risk
• implementing controls
• monitoring and assurance
• escalation/reporting, and
• resolution and regular review.

Following this model, the role of a Compliance function can, in essence, also be
split into the following six functions:

• identifying the risks that the organisation faces and advising on them (identification) (considered in detail in Unit 6, section 1.2)
• understanding fully the rules with which the organisation must comply and understanding where breaches are likely to arise in practice (evaluation) (see Unit 6, sections 1.2.3 and 1.2.4)
• designing and implementing controls to protect the organisation from the identified risks (implementation/prevention) (see Unit 6, section 1.2.5)
• monitoring and reporting on the effectiveness of those controls in the management of the organisation’s exposure to risks (monitoring/detection/escalation) (see Unit 6, sections 1.2.6, 1.2.7 and 2.3.2; Unit 5, sections 3.1.4 and 3.2)
• resolving compliance difficulties should they occur (resolution) (see Unit 6, section 3)
• advising the business on rules and controls on a continuing basis (regular advice and review) (see Unit 5, section 2).

97. www.IOSCO.org/library/pubdocs/pdf/IOSCOPD160.pdf.
98. Compliance and the Compliance Function in Banks, October 2003, Basel Committee on
Banking Supervision.


The role and responsibilities of a Compliance function must be clearly defined. As
we have seen, it should be responsible for the identification of compliance risk,
the implementation of controls and the monitoring of those controls. Beyond that,
each employee is individually responsible for complying with the controls that have
been put into place. Ensuring that compliance is achieved is an essential element of
the role of every employee of a financial services business. A Compliance function
facilitates the process of broader compliance with regulatory rules.

1.3.3 Other risk management functions

In addition to the Compliance function, larger financial services businesses are
also likely to have other departments that have functional responsibility for the
mitigation of risk. The respective responsibilities for each of these areas should
be clear.

Relevant personnel will include those who deal with:

• risk management
• legal issues
• specific risks, for example, a dedicated risk team within a Credit department
• internal audit.

The role of the Internal Audit function within the GRC framework can best be
described as ‘checking the checkers’, in the sense that it is the role of Internal
Audit (where such a function exists within a business) to verify whether other risk
control functions (including the Compliance function) are operating effectively to
mitigate risks, and to provide information about this to the board of directors. It
would be unsafe for a board to derive comfort on the effectiveness of a compliance
framework by relying solely on the Compliance function that is responsible for
making it work.

The Internal Audit function should evaluate the risks controlled by the Compliance
function and review the manner in which they are analysed, controlled and tested.
The compliance monitoring programme should be thoroughly tested. A report
should then be prepared for the board, which should consider the extent to which
the Compliance function is discharging its obligations effectively. Where there is
no Internal Audit function, the board should instruct a competent third party to
evaluate and report on the effectiveness of the Compliance function.

It should also be remembered, however, that the Internal Audit and Risk
Management functions can be useful sources of information for a Compliance
function, and vice versa. Sound communication links are vital between these
‘assurance’ functions, to maximise the benefit of intelligence gathered in the
course of undertaking business reviews and support activities. Care should also be
taken to ensure that all three of these functions do not descend on a certain part
of the business at the same time to complete monitoring activity. Some effort to
coordinate or, at least, understand the planned activities of the various assurance
teams is likely to be welcomed by the rest of the business, and demonstrates that
such personnel understand their potential impact on day-to-day business.

In designing GRC systems, therefore, it is important to recognise that compliance
responsibilities do not rest solely with the Compliance function.

1.3.4 Summary of responsibilities

As we have seen, ultimate responsibility for GRC rests with the board and senior
management. Nonetheless, the Compliance function should be responsible for
operating the internal compliance system. This will be considered further below
but should comprise the identification of compliance risks, the implementation
of controls and the monitoring of those controls. Beyond that, each employee is
individually responsible for complying with the controls that have been put into
place. The respective responsibilities of other risk management functions should be
clearly spelt out, but close liaison between these areas and compliance staff should
be encouraged to ensure effective information flows, minimisation of any gaps and
overlaps, and good levels of cooperation.

All parts of a business must accept ownership of the GRC responsibilities. The board
must discharge its oversight function, business units must accept responsibility for
compliance with internal rules and the Compliance function must educate, advise
and monitor, assess effectiveness and generate management information. The
process, if followed correctly, is both dynamic and perpetual.

2. Developing GRC policy and procedures

When designing and implementing internal GRC systems, it is important to
determine the structure required to achieve the objectives of both the firm and
the regulator in relation to compliance risk. Once agreed, the structure of the
Compliance function should be published so that accountabilities are clear, and
so that people know who to contact. Once the structure is in place, compliance
resources need to be determined and allocated to the various tasks. The
interaction with other control functions and business compliance roles should
also be considered.

2.1 The GRC manual

One of the most important aspects of implementation is communication of the
detailed compliance requirements to staff across the whole firm. This can be
done by a variety of means, including training (face-to-face or computer-based
learning), newsletters and other notifications. Since the uninterrupted accessibility
of compliance information and procedures is crucial, however, the most important
reference document is usually the GRC manual.

The GRC manual is a demonstration of commitment to compliance and therefore
GRC principles. Throughout all the firm’s policies, consideration must be given to
how each one demonstrates that the firm is treating its customers fairly. This must
be clearly interwoven into all relevant procedures and adherence to the principles
of ensuring good customer outcomes must be demonstrable through MI.

The structure of the GRC manual (or handbook) varies by firm. Some firms include
all compliance, risk and governance-related processes in the manual, while others
limit it to key compliance controls, with detailed procedures set out in operational
procedure manuals. Between them, the various manuals and procedures must
document all compliance and operational procedures designed to achieve
compliance across the firm, ensuring that this information is accessible to all
members of staff. This is less of a burden now than in the past: intranet-based
systems allow for quick and easy cross-referencing to other webpages without
having to reproduce everything in one place. Nevertheless, the communication of
compliance requirements still requires careful thought.

Ease of updating is also a key consideration (for changes in external regulation
and also agreed revisions in internal procedure, using version control). This
is fundamental if the manual is to remain an accurate and reliable reference
document for the business. Again, this is helped considerably by the use of
appropriate technology.

A compliance manual should serve as a comprehensive reference point for
management and regulators for all the procedures that an organisation has in
place. Each procedure should be cross-referenced to an applicable rule, with each
of the following requirements covered in relation to each rule:

• an assessment of the likelihood of a rule breach
• the related compliance procedures
• the identification of the person responsible for compliance with a procedure
• the monitoring procedures in place
• the frequency of application of monitoring procedures, and
• the regularity with which the applicability of a rule should be reviewed.

Drafting a GRC manual is an excellent way of focusing attention upon the role
of the Compliance function and assessing the adequacy of the compliance system
and framework in place within a financial services business. A comprehensive,
well-considered and relevant manual demonstrates that a business has really
thought about the rules and principles to which it must adhere, the risks it faces,
the procedures it has implemented to tackle them and the methods for testing the
effectiveness of those procedures. It will then help to demonstrate to a regulator
that it is serious about managing its exposure to compliance risk.

The starting point for the manual and supporting procedures will be the regulatory
principles. These will underpin the high-level standards to be adopted by the firm
and in turn these will be the basis of detailed policies and procedures. Typically,
the GRC manual and associated procedures (including the firm’s governance or
financial controls manual) will cover the information in the following sections:

• a summary of high-level systems and controls
• prudential regulatory requirements
• company, customer and market conduct, and conflicts of interest
• policies and procedures covering the business areas in which the firm is engaged.

We will now look at each of these in more detail.


2.1.1 A summary of high-level systems and controls

These are designed to meet the regulatory principles requiring that business be
conducted with integrity, due skill, care and diligence, and the requirement for
a firm to take reasonable care to organise and control its affairs responsibly and
effectively, with adequate risk management systems. Such systems include:

• senior management arrangements and accountabilities
• systems and controls arrangements, including board/committee structure, and delegated authorities
• risk assessment requirements in relation to specific risk categories, for example, operational, market, liquidity, investment and credit risks
• corporate governance arrangements
• signing authorities and financial limits
• managing conflicts of interest for directors/senior managers
• ‘fit and proper’ requirements
• training and competence requirements
• internal compliance arrangements:
  ◦ details of the compliance structure and reporting lines
  ◦ roles and responsibilities for compliance
  ◦ whom to contact; in particular, contact details for the Compliance Officer and Money Laundering Reporting Officer (MLRO)
  ◦ compliance charter and service levels
  ◦ information on the regulators, the firm’s responsibilities to them, and the regulatory environment
  ◦ the firm’s approach to compliance: for example, a risk-based approach to regulation
  ◦ monitoring procedures
  ◦ breach reporting
  ◦ risks arising from non-compliance; for example, disciplinary action
  ◦ how to escalate issues or report breaches, including ‘whistle-blowing’ arrangements.

2.1.2 Prudential regulatory requirements

These are usually contained in financial control manuals and are designed to
address the principle that firms must maintain adequate financial resources.
For example:

• capital adequacy requirements
• solvency/liquidity requirements or frameworks for calculating such requirements
• management of the company’s own assets/liabilities
• procedures for regulatory reporting and financial returns.

Prudential compliance requirements were explored in detail in Unit 5, section 6.

2.1.3 Market conduct and conflicts of interest

These procedures will generally be designed to satisfy the principle that a firm
must observe proper standards of market conduct and the duty to avoid
allowing conflicts of interest to arise (see also section 5 below). Typically these
might include:

• handling confidential and price-sensitive information
• the need for insider lists (details of employees with access to privileged and sensitive information relating directly or indirectly to the company as required under the regulator’s requirements) and Chinese walls (see section 5.1.5 below), to keep information contained within the firm or within a specific part of the firm
• dealing restrictions, including personal account dealing procedures
• disclosure obligations in relation to personal interests in contracts or relationships with suppliers
• restrictions on gifts and hospitality, to avoid conflicts of interest.

There are also detailed conduct of business rules designed to meet the principles
that firms must consider the interests of their customers and treat them fairly, pay
due regard to their information needs, ensure the suitability of advice provided to
them and the safeguarding of their assets through:

• customer classification, to ensure that customers receive the right degree of protection on the basis of their experience of financial matters
• appropriate advertising and promotion of products
• accurate customer communications
• ethical selling practices and required disclosures
• suitability of advice
• appropriate customer dealings
• accurate after-sale information
• customer due diligence
• safekeeping of customer assets
• proper handling of customer complaints
• accurate record keeping.

2.1.4 Policies and procedures

The policies and procedures to be documented in the GRC manual should address
key topics and issues. The following subjects provide indicative content, but are
not exhaustive, and compliance professionals should assess what is appropriate
for inclusion for their own firm in light of the factors previously discussed. In all
instances, the compliance function is responsible for maintaining the manual’s
accuracy, and the business units are responsible for following the policies and
procedures. We must not forget that, even so, the overall accountability for
compliance in the company remains with the board of directors.

Promotions and advertising

Any advertisement or promotional material for financial services must not be
misleading in any way. Scandals involving investors who feel that they have been
victims of misleading advertisements or promotional material can be extremely
damaging. It is good practice for the marketing function, in conjunction with
the compliance function, to formulate a final pre-publication checklist to be
completed before any advertisements or promotional materials are either placed
or issued. The checklist should be drafted with reference to any specific advertising
or promotional material regulations applicable, particularly where a compliance
officer has responsibility for complying with them. More information on the GRC
systems and controls for advertising is given in section 7 below.

Capital adequacy

Although in many financial services businesses ensuring that there is adequate
capital is the role of the financial control teams, compliance professionals
must ensure that the calculations are carried out in accordance with
regulatory requirements.

Client assets

Procedures for the handling of client assets are vital for a number of reasons. They
can both protect against employee fraud and act as a barrier in the event that a
financial services business is in need of additional finance (or becomes insolvent).

Segregation and reconciliation

Evidence of title to client assets requires that such assets can be identified
separately from the assets of the financial services business itself. This segregation
is designed to ensure that in the event of a firm’s failure, client money is protected
and does not form part of general creditor entitlements. The FCA rules (contained
within CASS, the Client Assets Sourcebook) require financial services businesses
to ensure that assets belonging to their customers are ring-fenced from their own,
and that reconciliations of client money balances are conducted regularly.

Registration and safe keeping

Rules also exist to ensure that organisations make arrangements for the safe
keeping of any documents of title, and ensure that any registered investments are
either registered in the customer’s name or in the name of an eligible nominee/
custodian. Where a financial services business uses an eligible nominee/custodian
(service provider), it must ensure that it has undertaken satisfactory due diligence
on the service provider.

In the case of registered investments, the firm must usually ensure that the
investments are properly registered. This may be in the name of:

• the client
• the firm itself (or an affiliated custodian/nominee)
• a recognised or designated investment exchange, or
• a regulated third-party custodian or nominee.

Most jurisdictions that impose client asset rules stipulate that customer
investments cannot be released without correct customer authorisation.
Compliance functions must therefore ensure that robust controls, including
documented procedures, are in place to prevent the organisation from transferring
customer investments other than upon receipt of the correct level of authority from
the customer.


Where firms have physical custody of documents of title in bearer form on behalf of
the customer, these must be kept separate from those belonging to the firm.

Complaints

The importance of effective complaint-handling procedures within a regulated
firm must not be underestimated. The way in which complaints are handled is an
indication of the firm’s commitment to its customers, and it shows how serious it
is about managing its compliance risk. Effective complaint-handling processes and
standards are quite often an integral part of the regulator’s expectations.

While effective complaint handling can be an important indicator of compliance
with regulatory requirements, complaints themselves can also be a useful tool in
the assessment of wider risk.

When establishing complaint-handling systems, compliance professionals should
ensure that the business is not simply addressing individual complaints, but is also
using the management information obtained effectively, to improve wider systems
and controls.

Confidentiality

Procedures should cover both commercial confidentiality (that is, the need to
protect business secrets and, in the case of a listed company, the need to manage
price-sensitive information in accordance with the relevant Listing Rules) and
customer confidentiality. Client confidentiality is explored further in section 10.2
of this unit.

Personal account dealing

Restrictions and controls in relation to personal account dealing (that is,
transactions conducted for the personal benefit of those members of staff who
may have access to price-sensitive information, such as the sale or purchase of
shares to be held by the member of staff or their nominee) are essential controls in
the prevention of insider dealing. These staff, and senior managers in the firm, are
usually required to have all deals for themselves or their close family signed off by
the compliance function and senior management. Approval will not be given if,
for example, the member of staff holds insider information in relation to the
proposed transaction.

A Compliance function must implement and monitor procedures to control
employee dealing. As a general rule, officers and employees, whether on their own
account or on behalf of any third party, must not conduct any of the following
forms of transaction:

• Dealing in investments of any kind in which their employer conducts regulated business, without the permission of the employer. So, an equity broker should not deal in equities on his own account without the consent of his employer. Best practice dictates that a compliance function should also maintain a record of authorised trades conducted by employees on their own account.
• Dealing in investments for their own account with any of their employer’s customers.
• Dealing in an investment with a customer whose portfolio is under the discretionary management of the employer, unless the customer is closely related to the employee and he has the consent of his employer.
• Dealing in a manner that may have an adverse effect on the interest of a customer. This may occur when an employee buys an investment but deliberately fails to attribute it to a customer’s account by holding it in suspense until he decides that it is not in his interests to attribute the deal to his own account, as a result of a price decrease.
• Knowingly dealing in an investment on behalf of oneself, or any other party, in advance of dealing in accordance with a client’s instructions, in a way that is likely to affect the price of the client’s investment. This practice is commonly known as ‘front running’.

Financial services businesses face a conflict of interest where one business unit
deals in investments while another is exposed to information that may affect the
price of those investments. One way of managing such conflicts of interest and
preventing employees from acting to the detriment of customers (for example by
‘front running’) is through the use of ‘stop’ or ‘watch’ lists.

Stop and watch lists are methods of conflict management. They are used to
prevent or monitor trading by staff in companies about which the financial services
business may have sensitive information that may affect those companies’ share
prices – for example, knowledge that a company may be the subject of a takeover
bid. This knowledge can be obtained in a variety of ways – either the business may
be directly acting for the company or it may have an indirect relationship with the
company, for example as a major shareholder through an asset-management arm
of the business.

Stop lists prohibit employees from dealing in the stock of such companies either on
their own account or on behalf of customers.

Watch lists do not prevent employees from trading, but serve to highlight particular
stocks so that unusual trades can be identified and investigated.
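As an added illustration (not code from the Diploma text), the following Python sketch shows how a compliance pre-clearance check could apply a stop list, a watch list and the own-account dealing restrictions described above; the issuer names, customer references and employee identifiers are constructed sample data.

```python
"""Pre-clearance of employee dealing requests against stop and watch lists.

Added example, not code from the Diploma text. All names below are
constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class DealingRequest:
    employee: str
    issuer: str                      # company whose stock is to be dealt in
    side: str                        # "BUY" or "SELL"
    quantity: int
    on_behalf_of: str = "OWN"        # "OWN" account, or a customer reference
    counterparty: Optional[str] = None  # other side of the deal, if known
    employer_consent: bool = False   # employer has permitted own-account dealing


@dataclass
class Decision:
    outcome: str   # "BLOCKED", "FLAGGED" or "APPROVED"
    reason: str


def _norm(name: str) -> str:
    """Normalise names so list lookups are not defeated by case or spacing."""
    return " ".join(name.upper().split())


@dataclass
class PreClearance:
    """Holds the conflict lists and the records the compliance function keeps."""
    stop_list: Set[str]              # no dealing at all, own account or customer
    watch_list: Set[str]             # dealing allowed, but flagged for review
    employer_customers: Set[str]     # staff may not deal on own account with these
    authorised_register: List[DealingRequest] = field(default_factory=list)
    investigation_queue: List[DealingRequest] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.stop_list = {_norm(n) for n in self.stop_list}
        self.watch_list = {_norm(n) for n in self.watch_list}
        self.employer_customers = {_norm(n) for n in self.employer_customers}

    def check(self, req: DealingRequest) -> Decision:
        issuer = _norm(req.issuer)
        # Stop list: the firm may hold price-sensitive information, so nobody
        # deals in the stock, whether for themselves or for a customer.
        if issuer in self.stop_list:
            return Decision("BLOCKED", f"{issuer} is on the stop list")
        if req.on_behalf_of == "OWN":
            # Own-account dealing in the firm's regulated business needs permission.
            if not req.employer_consent:
                return Decision("BLOCKED", "own-account dealing requires employer's permission")
            # Staff must not deal for their own account with the employer's customers.
            if req.counterparty and _norm(req.counterparty) in self.employer_customers:
                return Decision("BLOCKED", "own-account dealing with an employer's customer")
        # Watch list: the trade may proceed, but it is queued for investigation.
        if issuer in self.watch_list:
            self.investigation_queue.append(req)
            decision = Decision("FLAGGED", f"{issuer} is on the watch list; queued for review")
        else:
            decision = Decision("APPROVED", "no restriction on this issuer")
        # Best practice: keep a record of every authorised own-account trade.
        if req.on_behalf_of == "OWN":
            self.authorised_register.append(req)
        return decision


def demo() -> List[str]:
    """Run a few constructed requests through the check and return the outcomes."""
    pc = PreClearance(
        stop_list={"Acme Holdings"},      # firm is advising on a bid for Acme (constructed)
        watch_list={"Beta plc"},          # firm holds a large stake via its asset-management arm
        employer_customers={"CUST-042"},
    )
    requests = [
        DealingRequest("emp-1", "acme holdings", "BUY", 100, employer_consent=True),
        DealingRequest("emp-1", "Beta PLC", "BUY", 50, employer_consent=True),
        DealingRequest("emp-2", "Gamma Ltd", "SELL", 10),
        DealingRequest("emp-2", "Gamma Ltd", "SELL", 10, counterparty="cust-042",
                       employer_consent=True),
        DealingRequest("emp-3", "Beta plc", "BUY", 500, on_behalf_of="CUST-007"),
    ]
    return [f"{r.employee} {r.side} {r.issuer}: {pc.check(r).outcome}" for r in requests]


if __name__ == "__main__":
    for line in demo():
        print(line)
```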

2.2 Getting all employees to understand the importance of the GRC framework

An internal compliance framework cannot be fully effective if the business
is not fully imbued with an ethical and compliance culture. This cannot be
created overnight and relies on the right behaviours and attributes being
consistently demonstrated.

The right culture encourages employees to ‘buy in’ to making the framework
operate. Creating an environment in which employees understand and value
the importance that is attached to the conduct of ethical business practice is an
essential prerequisite of the creation of an effective compliance framework. This
is not just because of fear of the criminal or regulatory repercussions that may
occur (negative motivational reasons) but also because of an appreciation of the
commercial benefits that it can have for themselves, for their clients and for their
employer (positive motivational reasons). These benefits of good compliance were
explored in more depth in Unit 1, section 6.1.

2.3 Factors affecting the GRC framework

2.3.1 The regulatory environment

All firms have to operate within the limits set by their regulators. Over time, and
between different jurisdictions, these limits change, perhaps to reflect the way
the market is developing, or perhaps in response to an event or situation that has
placed either consumers or the prudent financial management of firms at risk.

In addition, different firms may have different risk profiles depending on their
appetite for risk. This is influenced by the regulatory environment, so where there
is increased pressure on firms to reduce the risks they take, for example in
consumer lending, these firms will respond by reviewing policies and procedures.
All this is made possible by the internal interactions between governance, risk
and compliance.

Most regulators have devised their own form of risk based assessment to
determine the level of attention to be paid to a particular firm. Firms will undergo
some form of risk assessment by the regulator at the time of authorisation and
periodically thereafter, depending on the risk the firm is perceived to present to
the regulator’s objectives. The methodologies used vary but it is usual for them to
include a means of:

„„ identifying the nature of the risks to the particular business
„„ assessing the probability or likelihood that a given risk will crystallise
„„ estimating the impact of that risk, should it crystallise, on the
regulator’s objectives
„„ determining the effectiveness of the controls put in place to manage or
mitigate that risk.

Once the assessment has been completed, the regulator can determine the
appropriate level of supervision and supervisory resources required for the
business. Risks identified during the assessment will usually be reported back
to the firm and should immediately be incorporated into the firm’s own risk and
compliance plans.

2.3.2 The operating environment

As with the regulatory environment, the environment in which the firm does
business leads to challenges. ‘Environment’ here could mean any of the following:

„„ the nature of the customer base, in terms of product and service requirements
„„ the geographical spread within which the firm operates
„„ the channels through which it delivers its products and services – such as
online, by telephone contact centres, by post, through a network of branch
offices, through intermediaries, etc.
„„ competition and the effects this may have on the commercial pressures
involved in competing for a market share when these conflict with the
GRC requirements.

Clearly, the more diverse the operating environments are, the more internal
coordination and control there has to be, and the more comprehensively managed
the high-level systems and controls need to be (see section 2.1.1 of this unit).
Larger firms operating in more markets with more products and services, and using
more distribution channels, will face greater challenges in this respect than those
firms with a narrower focus and less diversity.

2.3.3 Risk appetite, culture and ethics in the firm

We discussed risk management in depth in Unit 6. A firm’s risk appetite will dictate
to a certain extent the content of its GRC policies and procedures. The higher the
risk appetite a firm has, the greater the risk of regulatory or compliance breach, and
the greater the probability that other risks will materialise. This can increase the
complexities of GRC policies and procedures, because the greater the risk appetite,
the more potential problems there will be to document.

The same could be argued over the culture and ethics in a firm. If the firm has
a strong culture of compliance and high ethical standards are promoted and
demonstrated from the board and senior management levels down, then taking
unacceptable risks is less likely than in a firm which does not have the same strong
cultural and ethical identity. This may be reflected in GRC policy and process
documents that forbid the taking of unacceptable risk, and may even prescribe
some form of action against employees who ignore this requirement.

3. Disclosure
The dictionary definition of disclosure is ‘making new or confidential information
known’ and in financial services companies this can happen in many different
circumstances and situations. What is important to remember is that there is, on
the face of it, quite a contradiction between the duty of confidentiality that firms
owe to their clients, and the obligation of disclosure in some circumstances. There
are a number of generally accepted exceptions to the duty of client confidentiality,
and it is important that compliance professionals are aware of them:

„„ where the disclosure is required by law
„„ where there is a public duty to disclose
„„ where the company’s interests require it, with the client’s express or
implied consent.

3.1. Where the disclosure is required by law

Investigations are generally conducted using legal instruments known as
Production Orders or Investigatory Warrants. These allow regulators and law
enforcement agencies to obtain documents or evidence.

As an example, in the UK, the Proceeds of Crime Act 2002 (POCA) contains three
different types of Production Orders:

„„ Disclosure Orders
„„ Customer Information Orders
„„ Account Monitoring Orders.

Essentially, the effect of each order is to compel the recipient organisation to
disclose information or material relating to particular client relationships and
activity. See Unit 6, section 3.3.2 for an example of the wording of a typical
Production Order and how the Compliance Officer should deal with one.

3.2 Where there is a duty to the public to disclose

What may be deemed to be ‘in the public interest’ may not be the same as what
the public find interesting. Previously, it was possible to divulge information
in connection with any inequity, so that the exception was based upon the
unfairness rule. Nowadays, this situation extends to misdeeds, such as crime and
fraud. This is regardless of whether the act has been actually committed or has
only been contemplated. At present, the public interest exception depends on
many provisions that require banks to divulge confidential information to law
enforcement agencies or regulators.

The disclosure may be in relation to an official inquiry into banking regulation by
the police, or other regulatory authorities, such as banking supervisors, and may
even be in relation to other jurisdictions, as could be the case for a multinational
bank. In addition, statutory provisions protect a bank from responsibility for breach
of the duty of secrecy. Similarly, legislation provides for ‘protected disclosure’. For
example, a bank might be held liable and commit a crime when it fails to divulge
knowledge or suspicion about a customer involved in terrorist crimes. The public
interest exception may overlap with the obligation by law (section 3.1 above).

Hence, legislation may oblige bankers to disclose confidential information in
certain circumstances, and this surely does not mean that the public interest
exception is impractical. At common law, the divulging of confidential information
is often allowed if this is deemed to be in the public interest. Companies are, on
the one hand, obliged to adhere to the duty of secrecy and to keep information
confidential, but on the other hand may have to divulge information if this is in
the public interest or required by law. If the latter were not possible, integrity
within markets would be at risk because money launderers, drug traffickers,
human traffickers, and other serious offenders would be able to easily launder their
criminal proceeds secretly.

3.3 Where the interests of the company require disclosure, and where
it is made with the express or implied consent of the customer

A good example of this is where a company issues proceedings against a customer
to repay their debts. In such a case, a firm must provide evidence of the amount
of the debt in question on a summons, which is a public document. In ordinary
language, this disclosure might be in the interests of the bank and divulging this
information is sanctioned, as a matter of law, in the public interest for the purpose
of the effective administration of justice.

There are two ways to obtain the customer’s consent: expressly or impliedly.

As regards express consent, when a customer expressly consents to the disclosure
of confidential information by his financial services provider, this will
absolve the bank from responsibility for breach of duty of secrecy. Indeed, the
firm ought to gain express consent from its customer in writing as a matter of
prudence. In the case of a bank, it could, for example, include a clause in the
customer’s loan documentation, which grants express consent with regard to
passing on confidential information to credit reference agencies, should there ever
be any default.

It is worth noting that express consent can be general or qualified. If the express
consent is qualified, this means that it is given solely for a specific aim. Generally,
there is no limited period for an express consent to be valid, but it may become
invalid where circumstances change, and it is advisable to renew it periodically. For
instance, before divulging information to a customer’s auditors about any security
or attached responsibilities, and the customer’s financial situation, the bank ought
to require the customer’s written consent.

The second is implied consent, which had often been used to provide trade credit
references, although the scope of this was limited by the Business Banking Code
(the non-banking elements of the Business Banking Code are incorporated into the
Lending Code, published by the Lending Standards Board), which provides that a
reference can only be obtained via express consent of the customer. As a result, the
customer has to be given 28 days’ notice before disclosure is completed, though if
the customer has disputed some of the amounts, then the company in question is
not allowed to disclose. In general, confidentiality is waived through the customer’s
consent, but the confidential information may only be made available to certain
‘limited persons’.

4. Product development and selling practices

To be successful in developing compliant products and processes, a firm needs to
understand its customer base, and the market in which it operates.

To understand the market or markets in which it operates, the firm needs local
knowledge, jurisdictional knowledge, and knowledge of the approach taken by the
regulator of the market(s) in question. This latter knowledge falls within the scope
of the expertise, advice and guidance that the Compliance function can provide.

The Compliance function gains its knowledge from the day-to-day understanding
and research into the regulator’s activities, including consultations, final notices,
speeches, news, etc. and analysis of this information to construct an informed view
of how product sales and developments need to be done in a way that
demonstrates their compliance.

4.1 Being compliant or being competitive?

There is a strong argument that there is a choice between being competitive
and being compliant. A question that does need to be answered is whether the
desire to do the right thing for consumers at all times – a robust cultural and
ethical standpoint – can ever have a higher priority than commercial demands.
Or, on the contrary, will firms always try to operate with the belief that remaining
just within regulatory and legal boundaries maximises the possible returns
for shareholders?

Having the culture of compliance as a central principle within a firm can lead to
opportunity. What is the point in developing products, services and sales processes
that are subsequently found to be unsuitable for their markets? Regulatory action
and reviews of past business could mean that the income generated from these
activities has to be returned to the consumers in a remediation exercise. So, in
the long term, isn’t it more profitable to ensure that products and practices are
compliant at the outset? Profits made in this way can be kept by the firm, and will
generate a better all-round stakeholder benefit.

4.2 Selling to the right customer

In the UK FCA’s TCF outcomes, which form part of High Level Principle 6,
outcome 2 clearly says that ‘products and services marketed and sold in the
Retail market are designed to meet the needs of identified consumer groups,
and are targeted accordingly’.

The FCA also sets out its expectations for the role of management information
in ensuring correct outcomes:

The FCA continues to expect firms to make use of management information to monitor
the outcomes they are achieving for customers. This may comprise a range of different
types, both numeric and descriptive, but it is important that it is forward looking
(enabling management to identify risks to consumer outcomes rather than dealing only
with known issues) and that it is acted upon when necessary.99

The final notice issued by the FCA in October 2013 against Porta Verde Financial
Services Ltd100 is a good example of the sales practices Principle 6 is designed
to prevent.

The FCA imposed a financial penalty of £25,000 on Porta Verde for breaches of
Principles 3, 6 and 7 of the Principles for Businesses. Porta Verde agreed to settle at
an early stage of the investigation and also produced evidence of serious financial
hardship. Porta Verde therefore qualified for a 30% discount under the settlement
procedures. Were it not for this discount the FCA would have imposed a financial
penalty of £353,800 on the firm.

The breaches of the Principles and Rules set out below relate to a number of
failings by Porta Verde in its appointment, management and monitoring of
two appointed representatives (ARs), Company A and Company B. The FCA has
concluded that Porta Verde breached Principles 3, 6 and 7 during the period 5
October 2010 to 8 June 2012.

Porta Verde failed to pay due regard to the interests of its customers and treat them
fairly, putting it in breach of Principle 6. Specifically, it failed to take reasonable
steps to ensure that Company A and Company B did not pressurise or mislead
customers, during telephone conversations, to conclude insurance contracts for
satellite television equipment or emergency home plumbing and drainage cover.

99. http://www.fca.org.uk/firms/being-regulated/meeting-your-obligations/fair-treatment-of-customers.
100. http://www.fca.org.uk/static/documents/final-notices/porta-verde.pdf.

Company B sold home emergency plumbing and drainage insurance to
approximately 3,000 customers during the relevant period. Company B bought
information from lead generation companies about customers who had home
emergency policies with utility providers, and then called these customers to sell its
own policy. The cost of Company B’s annual policy was £119, to be paid in quarterly
instalments. During the relevant period, Company B’s sales calls generated a total
income of £475,419, of which Porta Verde received £27,266. In July 2011, a utility
provider notified the FSA (as the financial services regulator at that time) that it had
received complaints from 28 of its customers who said they had received sales calls
from a company they thought was the utility provider. The company making the
calls was Company B.

On 18 May 2011, Company A became an AR of Porta Verde. Between May 2011
and June 2012, Company A sold insurance for satellite television equipment to
21,310 customers, of whom 2,330 subsequently cancelled their policies. The cost of
the policies ranged from £65 to £90 for an annual contract and from £170 to £240
for a three-year policy. This was taken from customers as a non-refundable lump
sum payment. Company A generated a total income of £1,883,772 from its sales
calls, of which Porta Verde received £46,152 for the period May 2011 to June 2012.
Before becoming an AR, Company A had bought a renewals database and taken on
some sales staff from a separate company that had also sold regulated insurance
contracts for satellite television equipment cover. In August 2011, the FSA received
complaints from three customers who said that they had received sales calls from
Company A and that the sales agents had incorrectly informed them that their
satellite television equipment insurance had expired and that they were being
contacted to renew the insurance cover.

These reasons led the FCA to conclude that Porta Verde had breached Principle 6,
in that it failed to ensure that its ARs, Company A and Company B, paid due regard
to the interests of its customers and treated them fairly. In particular, Porta Verde’s
ARs used unacceptable sales practices to conclude contracts that resulted in some
customers being:

i. pressurised into taking out insurance cover for satellite television equipment
or emergency home plumbing and drainage they did not want or need, or
ii. misled into believing that they were renewing their insurance contracts with
their existing satellite television or utilities provider.

4.3 Product intervention rules

In the UK, the Financial Services and Markets Act 2000 gives the FCA the power
to intervene at an early stage where it believes it is necessary to do so to protect
consumers from issues that relate to specific products, services or marketing
activities. This power was introduced when the FCA became the conduct of
business regulator in 2013.

The FCA’s rationale for product intervention rules (PIRs) is as follows.

„„ In general terms, product intervention rules are rules made to tackle
issues relating to specific products (or types of product), product features
or marketing practices relating to specific products. They exist alongside
other regulatory tools, such as other general rules, guidance, Variations
of Permission which amend the firm’s authorisation, imposition of
requirements, supervisory interaction with firms and enforcement action.
„„ Product intervention rules made without consultation (under Section 138M
of FSMA) are limited to a maximum duration of 12 months and are referred
to in the act as ‘temporary product intervention rules’.
„„ Temporary product intervention rules will offer protection to consumers
in the short term while allowing either the FCA or the industry to develop
a more permanent solution to address the source of detriment. They
may also be made in response to competition or (if applicable) market
integrity issues.

Interventions may range from requiring certain product features to be included,
excluded, or changed, to requiring amendments to promotional materials, or to
imposing restrictions on sales or marketing of the product or, in more serious cases,
a ban on sales or marketing of a product to all or some types of customer.

In general terms, the FCA will consider a product intervention rule where it
identifies a risk that consumer detriment may arise from a particular product,
type of product, or practices associated with a particular product or type of
product. In deciding whether the intervention should be made as a temporary
product intervention rule, the FCA’s main consideration will generally be whether
prompt action is necessary to reduce or prevent consumer detriment arising
from that product, type of product or practices. It will also have regard to these
other considerations:

„„ use of the PIR is an appropriate and effective means of addressing actual
or potential consumer detriment associated with a particular product or
group of products
„„ it is a proportionate and practical means of addressing actual or
potential detriment
„„ it is compatible with the FCA’s duty to promote effective competition in
the interests of consumers
„„ it is capable of being supported by sufficient and appropriate evidence
„„ the use of the PIR is transparent in its aim and operation
„„ the effect is likely to be beneficial for consumers, when taken as a whole.

An example of the use of product intervention rules to protect consumers was
announced in August 2014 when, with the first use of these new consumer
protection powers, the FCA announced that it would restrict firms from
distributing contingent convertible securities (CoCos) to the mass retail market
from 1 October 2014.101

CoCos are highly complex and the FCA believes they are unlikely to be appropriate
for the mass retail market, so has stepped in to temporarily restrict their
distribution to only professional, institutional and sophisticated or high-net-worth
retail investors ahead of consulting on permanent rules later in 2014. The
announcement reflected the FCA’s objective of securing appropriate protection for
consumers and follows announcements by the European Securities and Markets
Authority and Joint Committee of European Supervisory Authorities highlighting
the risks of CoCos and firms’ responsibilities when selling them.

101. http://www.fca.org.uk/news/fca-restricts-distribution-of-cocos-to-retail-investors.

5. Conflicts of interest
A conflict of interest arises where an individual is in a position of owing a duty
to two or more persons and is unable to discharge his obligations fully to each of them.
Conflicts of interest can arise in a number of different situations and all employees
and senior management have a duty to avoid such conflicts. Procedures should
ensure that if conflicts do arise they are managed appropriately.

Conflicts of interest can arise in a number of different situations, but can generally
be placed into the following categories:

„„ self-dealing, for example where a trustee deals personally in trust property
or a company director deals personally in company property
„„ conflicts between the competing interests of two clients
„„ conflicts between a client and the firm (or an employee of the firm)
„„ conflicts between services provided by the same firm, for example corporate
banking and investment dealing or audit.

Conflicts between a firm and a client can arise in a variety of ways:

„„ where a firm or member of staff or a director has a personal interest in a
transaction or an arrangement to which a client is party
„„ where a client disputes a firm’s fees
„„ where commissions are paid to a firm in relation to a transaction undertaken
on behalf of a client
„„ where a firm is involved on its own behalf in a transaction to which a client
is also party.

Compliance professionals must be aware of and consider local regulatory
requirements on conflicts, but beyond those regulatory requirements they should
also fully understand the distinct legal duties that financial services businesses owe
as agents to client principals. This is known as the ‘fiduciary duty’.

The fiduciary duty is commonly associated with the duty owed by trustees to
beneficiaries and directors to companies; however, a fiduciary relationship actually
arises whenever one person (an ‘agent’) agrees to act on behalf of another person
(a ‘principal’). The elements of a fiduciary duty are:

„„ an agent must at all times act in the best interests of the principal and not in
the best interests of himself or third parties (duty of good faith, sometimes
also referred to as a duty to avoid conflicts or divided loyalties)
„„ an agent must disclose all material information to a principal
„„ an agent must not make a secret profit even where it is not to the detriment
of the principal (duty not to profit)
„„ an agent must not disclose any confidential information about the principal
(duty of confidentiality)
„„ an agent must obey the instructions and directions of the principal (duty
of obedience).

So, where a financial services business acts on behalf of a customer, for example
in the provision of investment management services, it acts at law as an agent on
behalf of the customer, who is its principal. It must therefore discharge the various
elements of the fiduciary duty, one aspect of which is to act in the best interests of
the customer by avoiding conflicts of interest.

Local regulatory requirements on conflicts must be adhered to but compliance
professionals are well advised to remember that any conflict that is to the
detriment of a client is likely also to result in a breach of the fiduciary duty.

5.1 How to control and manage conflicts of interest

There are a number of different conflict-management mechanisms that a financial
services business may employ. Before we examine them in detail there are some
basic and fundamental rules to highlight, which should be applied whenever a
conflict does arise.

The first basic rule is that the compliance function is to be advised of any conflict
and that conflicts must be recorded and managed appropriately. The second rule is
that conflicts of interest must be dealt with openly. The procedure should require
a declaration to be sent to the client concerned, detailing the nature of the conflict
and its proposed resolution. This should be undertaken as soon as possible. As with
complaints, the procedure must be transparent.

Staff and senior management have a duty to avoid conflicts of interest. Procedures
should ensure that if conflicts do arise they are managed appropriately. Examples
of conflict management procedures include:

„„ procedures on the acceptance of gifts and hospitality to ensure that
decisions are based on a proper commercial evaluation and not the promise
of lavish gifts or entertainment
„„ a proper procurement and tender process for the selection of major suppliers
„„ disclosure of personal interests in major contracts, such as a relationship
with supplier.

Wherever possible, businesses should seek to avoid conflicts of interest. In
reality, however, they do arise during the course of relationships and there are
conflict-management mechanisms that should be employed to overcome them.
These include no-conflict policies, refusal to act, an independence policy and
Chinese walls.

5.1.1 No-conflict policy

This is not a conflict management system but a conflict avoidance mechanism.
A financial services business may implement a rule that simply prohibits the
creation of any new relationships where there is potential for a conflict to arise.
Naturally, such a policy will not prevent conflicts from arising within a relationship
once it has been established.

5.1.2 Disclosure requirements

As we have seen already, when a conflict arises, a financial services business must
advise the customer affected. If, despite the existence of the conflict, the customer
consents to allow the organisation to continue to act, it is free to do so.

5.1.3 Refusal to act

A financial services business may implement a policy whereby it refuses to act
when a conflict arises. The difficulty with this is that in refusing to act for an existing
customer, in whose best interests the organisation owes a duty to act, it is likely to
breach its fiduciary duty to the customer. In reality, therefore, this mechanism only
works in relation to new customers.

5.1.4 An independence policy

An independence policy is simply a rule that requires employees to put the
interests of customers first in all situations and disregard any information that may
come to their attention. Policies of independence may only be used where it is not
practical for an organisation to make disclosures.

5.1.5 Chinese walls

A Chinese wall (often referred to as a firewall) is an artificial barrier which
isolates one part of a business from another, in order to protect and prevent
the flow (and therefore the potential misuse) of confidential or commercially
sensitive information.

This is a key control in managing potential conflicts of interest. The wall in effect
consists of a set of internal rules that prohibit the movement of information
between different divisions of the same financial services business.

A Chinese wall works as follows.

Imagine that the corporate finance division of X bank had been instructed to act
on behalf of a purchaser in a proposed takeover of company Y. This information,
which would be extremely valuable to the investment management division of X
bank (because of the influence that news of the proposed takeover would have
on the share price of company Y), would be prevented by a Chinese wall from
passing into the investment management division.

This is how Chinese walls work in theory, but there is significant scepticism about
whether a set of internal rules can effectively act as a barrier to the passage of
such valuable information. Recent scandals would seem to suggest that they are
often inadequate. Where a Chinese wall is used within a business, compliance
professionals must ensure that it is robust.

In smaller, multiple-function businesses, the use of Chinese walls may be
impractical and such businesses must employ other methods, such as an
independence policy.

5.1.6 Conflicts of interest in a market conduct context

Typical procedures for avoiding conflicts of interest were listed under section
2.1.3 above.

6. Remuneration policies
Setting and monitoring remuneration is an important item of governance as it
contributes to driving performance and setting the objectives and direction of the
company. This operates at the front line in the way targets are set.

Current concern about pay levels in the financial services industry, and apparently
high rates of reward even where there have not been sufficient improvements in
performance, has led to calls for regulatory intervention to cap bonus levels and to
allow for ‘clawback’ of bonuses should there be any regulatory enforcement action in the future.

6.1 Corporate governance codes and remuneration

Corporate governance codes contain remuneration provisions, as there may be
tension between remuneration policies and the company’s strategy. It is important
for these remuneration policies to be closely aligned with the strategy and the risks
related to this strategy. This applies to the remuneration of senior management
and the board, and to employees at other levels within the firm. A well thought out
policy can help a firm to reach its objectives, but equally an ill-considered policy
can also jeopardise these efforts and so, to combat the latter risk, the board must
play an oversight role.

This means the board and senior management must achieve the right balance
between the fixed and variable components of the remuneration packages, and
the short-term and long-term remuneration policies. Ultimately, remuneration
policy must serve the interests of the company and its affiliated enterprises, which
means it must be designed to create and preserve long-term value.

6.2 Examples of remuneration policy in corporate governance codes

6.2.1 The Dutch Corporate Governance Code

The principles contained in the Dutch Corporate Governance Code [102] are:

The level and structure of the remuneration which the management board members
receive from the company for their work shall be such that qualified and expert
managers can be recruited and retained. When the overall remuneration is fixed, its
impact on pay differentials within the enterprise shall be taken into account. If the
remuneration consists of a fixed component and a variable component, the variable
component shall be linked to predetermined, assessable and influenceable targets,
which are predominantly of a long-term nature. The variable component of the
remuneration must be appropriate in relation to the fixed component.

The remuneration structure, including severance pay, shall be simple and transparent.
It shall promote the interests of the company in the medium and long term, may not
encourage management board members to act in their own interests or take risks
that are not in keeping with the adopted strategy, and may not ‘reward’ failing board
members upon termination of their employment. The supervisory board is responsible
for this. The level and structure of remuneration shall be determined by reference
to, among other things, the results, the share price performance and non-financial
indicators that are relevant to the company’s long-term value creation.

102. http://commissiecorporategovernance.nl/dutch-corporate-governance-code.


The shares held by a management board member in the company on whose board he
sits are long-term investments. The amount of compensation which a management
board member may receive on termination of his employment may not exceed one
year’s salary, unless this would be manifestly unreasonable in the circumstances.

In addition, the Code contains the following best-practice provisions.

1. Before drawing up the remuneration policy and determining the remuneration
of individual management board members, the supervisory board shall analyse
the possible outcomes of the variable remuneration components and how they
may affect the remuneration of the management board members.
2. The supervisory board shall determine the level and structure of the
remuneration of the management board members by reference to the scenario
analyses carried out and with due regard for the pay differentials within
the enterprise.
3. In determining the level and structure of the remuneration of management
board members, the supervisory board shall take into account, among other
things, the results, the share price performance and non-financial indicators
relevant to the long-term objectives of the company, with due regard for the
risks to which variable remuneration may expose the enterprise.
4. If options are granted, they shall, in any event, not be exercised in the first three
years after the date of granting. The number of options to be granted shall be
dependent on the achievement of challenging targets specified beforehand.
5. Shares granted to management board members without financial
consideration shall be retained for a period of at least five years or until at least
the end of the employment, if this period is shorter. The number of shares to
be granted shall be dependent on the achievement of challenging targets
specified beforehand.
6. The option exercise price may not be fixed at a level lower than a verifiable
price or a verifiable price average in accordance with the trading in a regulated
market on one or more predetermined days during a period of not more than
five trading days prior to and including the day on which the option is granted.
7. Neither the exercise price of options granted nor the other conditions may
be modified during the term of the options, except in so far as prompted by
structural changes relating to the shares or the company in accordance with
established market practice.
8. The remuneration in the event of dismissal may not exceed one year’s salary (the
‘fixed’ remuneration component). If the maximum of one year’s salary would be
manifestly unreasonable for a management board member who is dismissed
during his first term of office, such board member shall be eligible for severance
pay not exceeding twice the annual salary.
9. The company may not grant its management board members any personal
loans, guarantees or the like unless in the normal course of business and
on terms applicable to the personnel as a whole, and after approval of the
supervisory board. No remission of loans may be granted.

6.2.2 The Corporate Governance Code in Pakistan

Muhammed Ali, the Chairman of the Securities and Exchange Commission in
Pakistan [103], explained why good corporate governance is essential.

103. http://www.ecgi.org/codes/documents/cg_code_pakistan_apr2012_en.pdf.


Good governance instils investor confidence. The investment decisions taken by
the local and international investors are impacted by the governance practices. As
markets compete to attract the capital from the world over, companies are gauged
by the investors using various factors that demonstrate a sustainable track record. In
order for our companies to compete globally, they have to follow enhanced corporate
governance standards. This is a major factor towards making capital markets
transparent, protecting the rights of minority shareholders and attracting and retaining
foreign investment.

The key to corporate governance lies in the change in mind-set. It is the joint
responsibility of all concerned and not just the regulators’ prerogative. It should be
viewed as a means towards achieving value creation and sustainability and only
then can one reap the benefits of sustained economic growth and development at
a macro level.

The Code summarises the requirements for directors’ remuneration in the
following terms.

There shall be a formal and transparent procedure for fixing the remuneration
packages of individual directors. No director shall be involved in deciding his/her
own remuneration.

a. Directors’ remuneration packages shall encourage value creation within the
company. These shall be subject to prior approval of shareholders/board as
required by company’s Articles of Association. Levels of remuneration shall
be appropriate to attract and retain the directors needed to govern the
company successfully. Subject to the provisions of the Ordinance and the
company’s Articles of Association, the shareholders/board shall determine the
remuneration for non-executive directors. However, it shall not be at a level that
could be perceived to compromise their independence.
b. The company's Annual Report shall contain details of the aggregate
remuneration separately of executive and non-executive directors, including
salary/fee, benefits and performance-linked incentives.

7. Advertising: Clear, fair and not misleading?

We have already seen in section 2.1.4 of this unit that advertising and
promotional material for financial services must not be misleading in any way.
In the UK, the FCA’s Principle for Business 7 (communications with clients) directs
that a company must ‘pay due regard to the information needs of its clients,
and communicate information to them in a way which is clear, fair and not
misleading’. Within the FCA Handbook, each of the individual Sourcebooks (which
contain the principles that govern conduct of business) contains the rules and
principles relating to those aspects of advertising and promotion of products
that fall into the scope of the sourcebook concerned: for example, the rules and
principles on promoting mortgages are in chapter 4 of the Mortgage Conduct of
Business Sourcebook (MCOB).

In addition, the Advertising Standards Authority is the UK’s independent regulator
of advertising across all media. It applies the Advertising Codes, which are
written by the Committees of Advertising Practice. Their work includes acting on
complaints and proactively checking the media to take action against misleading,
harmful or offensive advertisements.

So, advertising needs to comply with standards from more than one regulator.

This is also the situation in Australia, where the Advertising Standards Bureau (ASB)
exists so that consumers, industry and government have confidence in and respect
the advertising self-regulatory system, and are assured that the general standards
of advertising are in line with shared community values.

The values of the ASB are:

„„ transparency in decision making
„„ accountability to advertisers and to the community
„„ being responsive to complaints
„„ being independent, with a diverse board membership which can make
decisions without undue influence from vested interests and stakeholders.

The ASB has established close links with the European Advertising Standards
Alliance (EASA) and with other bodies in the UK, the Republic of Ireland, New
Zealand and Canada.

8. Outsourcing
Outsourcing occurs when a regulated entity transfers the day-to-day running of a
regulated part of its business to another party. The other party may be one of
the following:

„„ a group company or affiliate
„„ a branch
„„ a representative office
„„ an independent third party.

Outsourcing of functions is becoming common in an era of growing specialisation.
It can be beneficial both for regulated businesses and for customers if such
outsourcing is to a specialist supplier who offers the best service. Regulators
are, however, keen to ensure that outsourcing does not occur at the expense of
effective regulatory oversight. Therefore, although it is possible to delegate the
function, it is not usually possible to delegate the responsibility or accountability.
Compliance functions must be able to demonstrate that effective GRC procedures
are in place for the outsourced function, that the function is effectively monitored,
and that the delegating organisation retains control of the outsourced activity.

8.1 Responsibilities of the outsourcing firm

When a financial services business is considering outsourcing any part of its regulated
functions, regulators expect it to consider adopting a number of principles.

Compliance professionals must pay regard to the outsourcing requirements of the
regulator in the jurisdictions for which they have responsibility. Nonetheless, the
following list of principles serves as a useful starting point.


„„ Before outsourcing, establish the fitness, properness and competence of the
contractor, ensuring that no conflict of interest exists.
„„ Set out the terms of the delegation in a written contract.
„„ Insist on the right to approve any and all further subcontractors.
„„ Retain sufficient capacity (and the contractual right) to monitor and assess
whether a contracted function is being discharged correctly.
„„ Maintain contingency plans and the ability to terminate the arrangement.
„„ Depending upon the nature of the outsourced activity you may need to
consider informing your regulator.

Outsourcing can be seen across many business activities as well as industry sectors.
Increasingly, more complex arrangements are being developed, whereby related
entities perform some activities while unrelated service providers perform others.
These outsourcing services have the potential to transfer risk management and
compliance management to third parties who may not be regulated (or not as
well regulated).

Companies can mitigate these risks by taking steps:

„„ to draw up comprehensive and clear outsourcing policies
„„ to establish effective risk management programmes
„„ to require contingency planning by the subcontracting firm
„„ to negotiate appropriate outsourcing contracts
„„ to analyse the financial and infrastructure resources of the service
provider, and
„„ to ensure the preservation (at the regulated entity) of strong corporate
governance, oversight and control.

Increasing reliance on the outsourcing of activities may affect the ability of a firm
to manage risk and monitor compliance with regulatory requirements. Specifically,
there is a concern that firms will become over-reliant on the outsourced service
provider, which may affect the future viability of the firm as well as its obligations
to customers. Ultimately, the risk that outsourcing activities may impede the
firm’s management from fulfilling its regulatory responsibilities is of concern
to regulators. The Bank for International Settlements (BIS) has warned financial
institutions that take ‘offshore’ risks (by outsourcing business to offshore centres) to
closely monitor risk and compliance procedures.

In outsourcing situations, Compliance Officers need to:

„„ demonstrate that they remain in charge of their own business and in control
of their risks
„„ comply with the regulatory requirements and be able to demonstrate this
compliance when requested by regulators
„„ demonstrate to regulators (through examinations or reporting, for example)
that they are taking appropriate steps to manage risk.

Compliance Officers should also be aware that a number of regulators have
addressed the risks of outsourcing and many have issued rules and/or guidance for
their regulated community to follow. Outsourcing may lead to the risk of conflicts
of interest, as the firms contracted can undertake a range of activities, with different
and potentially conflicting incentives and objectives, and on behalf of different
client bases (or on their own account).

9. The importance of data protection

Technological advances and the ease with which data can be stored and
transported, for example using a laptop or hand-held devices, have increased
regulatory concerns over information security.

Unlike many of the requirements that are examined in this unit, a firm’s obligations
under data protection legislation generally stem from laws that apply to all data
users and not just to regulated financial services businesses. Compliance with data
protection laws is therefore not a regulatory issue in many jurisdictions, but the
protection of data is important and can have serious consequences if neglected:
there may be an indirect regulatory impact if a business is prosecuted for a data
protection breach. In jurisdictions where there are no data protection laws, reliance
is often placed on the confidentiality laws, which are often more all-embracing but
less consumer orientated, particularly in marketing-related areas.

In the UK, data protection legislation is overseen by the Information
Commissioner’s Office. The Data Protection Act 1998 (DPA) lays down certain
requirements for the collection, use and storage of such information. In order to
comply with the law, information about individuals must be collected and used
fairly, stored safely and securely and not be disclosed unlawfully to any third party.
Individuals are entitled to access to information held about them and can expect
that organisations adopt a regular process of updating and/or destroying out-of-
date information. Both computerised and paper-based records are covered by
the Act.

The UK law requires users of data to be open about their use of personal data
through registration, and to maintain good practice in relation to the personal
data that they hold. Laws do not prevent data users from using personal data
for legitimate purposes provided that they are appropriately registered and they
operate in accordance with the principles contained within the law.

In France, Law No. 78-17 of 6 January 1978 on ‘Information Technology, Data Files
and Civil Liberty’ (the Law) is the principal law regulating data protection in France. The
EU Data Protection Directive 95/46/EC was implemented via Law No. 2004-801 of 6
August 2004, which amended the earlier Law. Enforcement of the Law is principally
through the ‘Commission Nationale Informatique et Libertés’ (CNIL).

In Russia, fundamental provisions of data protection law can be found in the
Strasbourg Convention for the Protection of Individuals with regard to Automatic
Processing of Personal Data (the ‘Convention’), ratified by Russia in 2006, and the
Russian Constitution, which establishes the right to privacy of each individual (articles 23
and 24). There is also specific legislation, including the Data Protection Act No. 152-FZ
dated 27 July 2006 (the ‘DPA’) and various regulatory Acts adopted to implement
the DPA, as well as the Information, Information Technologies and Information
Protection Act No. 149-FZ dated 27 July 2006, which establishes basic rules on
information in general and its protection. In addition, the Russian Labour Code
contains provisions on the protection of employees’ personal data (Part XIV). Other
laws may also contain data protection provisions that implement the provisions of the
DPA in relation to specific areas of state services or industries.

In Canada, there are 28 federal, provincial and territorial privacy statutes that
govern the protection of personal information in the private, public and health
sectors. Although each statute varies in scope, substantive requirements, and
remedies and enforcement provisions, they all set out a comprehensive regime for
the collection, use and disclosure of personal information.

The summary below focuses on Canada’s private sector privacy statutes. The
applicable laws are:

„„ Personal Information Protection and Electronic Documents Act ('PIPEDA')
„„ Personal Information Protection Act ('PIPA Alberta')
„„ Personal Information Protection Act ('PIPA BC'),
„„ Personal Information Protection and Identity Theft Prevention Act (‘PIPITPA’)
„„ The Act Respecting the Protection of Personal Information in the Private
Sector (‘Quebec Privacy Act’), (collectively, 'Canadian Privacy Statutes').

PIPEDA applies:

„„ to any organisation that is deemed to be a ‘federal work, undertaking or
business’ (such as a bank, telecommunications company, airline, railway, or
other interprovincial undertaking)
„„ to organisations that collect, use and disclose personal information in the
course of a commercial activity which takes place within a province,
unless the province has enacted ‘substantially similar’ legislation (PIPA
BC, PIPA Alberta and the Quebec Privacy Act have been deemed
‘substantially similar’)
„„ to interprovincial and international collection, use and disclosure of
personal information.

No matter which jurisdiction is being examined, the Compliance function often has
responsibility for all registration issues on behalf of the firm, and therefore it should
ensure that the firm is appropriately registered to maintain relevant classes of data
for permitted uses.

9.1 Some case studies

The issue of information (or data) security has become increasingly prominent, with
some high-profile organisations receiving considerable fines from regulators for
failing to protect customer information appropriately. With the topic of information
security high on the public and regulatory agenda, it is common for Compliance
functions to become increasingly involved in data security issues within their
firm, as a breach in this area can be directly related to the robustness of a firm's
systems and controls. Financial institutions must address this as a serious risk to
their business. With hackers using increasingly sophisticated methods of attacking
systems, firms must keep abreast of developments to protect the interests of
their customers.


Consider the following examples.

Examples: Nationwide Building Society

In February 2007, the UK mortgage lender Nationwide Building Society was fined
£980,000 following the theft of a company laptop computer. The regulator at the
time, the FSA, considered that Nationwide had breached Principle 3 of the
Principles for Business Handbook, by failing to take care to organise and control
the risks relating to information security, in particular the risk that customer
information could be lost or stolen.

In August 2010, the UK branch of Zurich Insurance Plc (Zurich UK) was fined
£2,275,000 by the FSA for failing to have adequate systems and controls in place
to prevent the loss of 46,000 customers’ personal, confidential information. The
loss could have led to serious financial detriment for customers and even exposed
them to the risk of burglary.

In August 2013, the Information Commissioner’s Office (ICO) fined Bank of
Scotland Plc £75,000 for repeatedly faxing customer account details to the wrong
recipients. This highlights the fact that action can be taken by the ICO as well as
by the finance industry regulators.

Example: Home Depot DIY chain

Data theft is not limited to theft from financial services companies. In highly
publicised incidents in September 2014, the world's largest DIY retailer (US
chain Home Depot) admitted that 56m credit and debit card numbers had been
compromised over a five-month period in one of the worst breaches of customer
data ever recorded. Home Depot said that although the data theft began in April
that year, the malware used by the hackers had only been completely removed
from its systems in September.

The breach was revealed on 2 September 2014 by the security website Krebs on
Security, which said that all 2,200 of Home Depot's US stores could have been
affected. The chain, which did not confirm the data breach until 8 September
2014, said that security groups Symantec and FishNet Security were brought in to
investigate the possible hacking as soon it became known.

The criminals used ‘unique, custom-built malware’ that had not been seen in
similar attacks, which helped them to avoid detection for so long, Home Depot
said. It had completed a major payment security upgrade to ensure better
encryption of customers' card numbers.

US retailers have been slower to adopt the chip-and-PIN technology found in
Britain and most European countries, as many American credit cards still lacked
the appropriate chips. The US payments industry has set a deadline of October
2015 to switch to chip and PIN.

The data theft eclipses the 40m card numbers stolen from Target customers in
2013 and is second only to the 90m stolen from TJX, the owner of the TK Maxx
clothing store chain, in 2007.


10. Record keeping, confidentiality and secrecy

The maintenance of adequate records by a financial services business is essential
if it is to demonstrate adequate compliance systems and their proper functioning.
Detailed procedures covering the retention and deletion of records are usually
included in the GRC manual or operational procedures. Regulators may set periods
for which documents must be kept, but it is important to remember that the
retention periods for some documents are fixed by legislation (for example, in the
case of records about anti money laundering checks).

From a law enforcement perspective, record keeping by financial services
businesses is critical to the successful investigation of money laundering, terrorist
financing and other types of financial crime. Documentary evidence of identity
and transactions can act as primary evidence in the successful prosecution of such
crimes, by allowing law enforcement to piece together various parts of what are
often very complex arrangements.

Compliance professionals should remember the often quoted and accurate
comment associated with regulators everywhere: ‘if it isn’t documented, it
didn’t happen’.

There are essentially three types of record that need to be maintained:

„„ records of internal systems of control (written procedures), including
records resulting from the application of such procedures (minutes of
board meetings, compliance reports, etc.)
„„ recruitment and training and competence records of certain
regulated individuals
„„ client records, including records pertaining to the identity of clients
and the nature of transactions.

10.1 Retention periods

Compliance professionals must familiarise themselves with the required periods
for record retention in the jurisdictions for which they have responsibility. These
generally extend beyond the termination of a relationship. Most legislation
differentiates between retention of Know Your Customer information and
transactional documentation, the former being retained for a longer period after
the relationship has been terminated. Caution must be exercised in the destruction
of documents, to ensure that they are not destroyed before the expiry of the time
limits. Internal procedures should always require a senior person to authorise the
destruction of documents.

10.2 Client confidentiality

In most jurisdictions, the common law duty of confidentiality between banker
and customer is well established. The same principles apply to relationships with
other financial services customers and to all dealings with customers (such as, for
example, telephone conversations and face-to-face meetings) and not just stored
data. In recent years there has been a marked increase in the volume of law and
regulation with which the industry has been required to comply.


The rules governing client confidentiality differ between jurisdictions. In
jurisdictions with no bank secrecy legislation, the rules are likely to be virtually
identical to the rules in the UK, as laid down as early as 1924 in the case of Tournier
v National Provincial & Union Bank of England [104]. It was established in this case
that banks owe their customers a duty of confidentiality extending at least to
information concerning account transactions, and extending beyond the date
of the termination of the banker–customer contract. As we have already seen
in section 3 above, this duty of confidentiality is not absolute, for there may be
disclosure of information in the following situations:

„„ where the disclosure is under compulsion of law
„„ where there is a duty to the public to disclose, and
„„ where the interests of the bank require disclosure and where that disclosure
is made by the express or implied consent of the customer.

These principles have also been extended to other financial services businesses.

It can be seen that the relationship governing client confidentiality is contractual
in nature. Where confidentiality is compromised in acceptable circumstances (as
outlined above), the compromise is not deemed to constitute a breach of contract.
Where circumstances are not deemed to be acceptable, a financial services
business is likely to be regarded as having breached a core regulatory requirement,
namely that of maintaining a high regard for the interests of its customers.

There are a greater number of circumstances in which confidentiality may be
breached under compulsion of law than was the case ten years ago, but the
overriding principle of client confidentiality remains as important as it has ever
been. Compliance professionals should consider the merits of arranging staff
training sessions on the issue of confidentiality.

Client confidentiality is most frequently deliberately breached in circumstances
where a financial services business forms knowledge or suspicion of
money laundering.

10.3 Bank secrecy

In reality, all jurisdictions offer confidentiality rights. What distinguishes them
is the extent of those rights. Some jurisdictions are bound by a duty not just of
confidentiality but also of secrecy. It is often wrongly asserted that ‘offshore’ finance
centres offer greater bank secrecy than their onshore counterparts. Many do not.
For example, the rules governing customer confidentiality in Jersey, Guernsey and
the Isle of Man are virtually identical to the rules that apply in the UK. Bank secrecy
jurisdictions can generally be described as jurisdictions that enshrine in law secrecy
rights for customers and that impose an obligation upon banks, their officers
and employees to protect and withhold information about the affairs of clients.
Examples include the Banks and Trust Companies Regulation Act 2000 of the
Bahamas, the Confidential Relationships (Preservation) Law 1976 (as amended) of
the Cayman Islands, or Article 28 of the Swiss Civil Code and Article 47 of the Swiss
Federal Banking Code.

104. [1924] KB 461


Unlike the duty of confidentiality, which can be overruled in certain circumstances,
banking secrecy is sacrosanct and cannot be breached other than in far more
limited circumstances. In recent years, there has been a drive to force jurisdictions
that have such laws to waive their obligation of secrecy. Not surprisingly, they see
this obligation as central to their client relationships and have been reluctant to
do so.

Despite this, developments in the relationship between the US and Switzerland
over secrecy, and the conflict between secrecy laws and the requirements of the
Foreign Account Tax Compliance Act (FATCA), have resulted in relaxations in the
Swiss laws. One development of this was the situation surrounding the oldest bank
in the country, Wegelin & Co, which is to close permanently after pleading guilty in
a New York court to helping Americans evade their taxes.

10.3.1 Wegelin & Co Bank

Wegelin & Co, which was established in 1741, agreed to pay $57.8m (£36m; €44m)
in fines to US authorities. It said at the time that once this is completed, it ‘will cease
to operate as a bank’. The bank had admitted to allowing more than 100 American
citizens to hide $1.2bn from the Internal Revenue Service for almost 10 years. It
became the first foreign bank to plead guilty to tax evasion charges in the US.

Other Swiss banks have in recent years moved to prevent US citizens from opening
offshore accounts. Otto Bruderer, a managing partner at the bank, admitted that
Wegelin had sheltered US clients from tax between 2002 and 2010, and said it
was aware that its conduct had been ‘wrong’. Mr Bruderer's further admission
that assisting tax evasion was common practice in Switzerland has caused huge
concern among the Swiss banking community, with some Swiss financial analysts
speculating that Wegelin's $58m fine, which many had expected to be higher, was
kept low by the US authorities in return for Wegelin’s clear implicating of the rest of
the Swiss banking community in tax evasion.

11. Whistle-blowing

In most jurisdictions, regulators are keen to ensure that matters are properly
escalated and cannot be covered up by senior management. Firms are required
to notify staff about how to escalate matters of concern internally. If the matter is
not taken seriously, they should be aware of the need to ‘blow the whistle’, that is,
report it directly to the regulator or relevant authority. Whistle-blowing is the act
of alerting the authorities (including regulators) to potential wrongdoing, such as
fraud, corruption or other similar offences.

One of the key aims of whistle-blowing procedures is to promote a culture where
workers have nothing to fear by raising concerns, and this will ultimately protect
the company.

The reasons why authorised or licensed firms should have a whistle-blowing
policy include:

„„ it increases the likelihood that problems will be identified at an early stage
before any serious damage occurs
„„ it decreases the likelihood that workers will go public with disclosures
and provides the employer with safeguards against unexpected public
disclosures to the outside world
„„ it deters malpractice, as those engaging in malpractice are more likely to
be caught.

The primary responsibility for ensuring that appropriate whistle-blowing processes
are in place lies with senior management. In some cases, however, Compliance may
be seen as the independent function that will have responsibility for investigating
allegations from whistle-blowers.

Learning outcomes

By the end of this unit you should:

„„ appreciate the importance of well-designed reporting lines, with properly
designated roles and responsibilities for those involved, in operating an effective
GRC framework
„„ know what to include in a GRC manual and how the manual should be used to
ensure staff familiarity with and adherence to the firm’s policies and procedures
and prudential regulatory requirements
„„ understand the effects of the regulatory and operating environments, and the
firm’s risk appetite and culture, on its GRC framework
„„ be able to explain the legal duty of confidentiality and the circumstances in
which disclosure of otherwise confidential information is allowed
„„ appreciate the importance of selling the right products to the right customers
„„ know what is meant by ‘conflict of interest’ and be able to assess the merits of
various ways of dealing with this
„„ be able to advise on remuneration policies that avoid creating incentives to
treat customers unfairly or to take unnecessary risks, in light of the related codes
of conduct
„„ be able to advise the Marketing function on the production of promotional
material that is ‘clear, fair and not misleading’ and understand why this is vital
„„ understand what is meant by ‘outsourcing’, and the responsibilities of the firm in
relation to its agents
„„ appreciate why protecting customers’ data is vital and the penalties and
problems that can result if data is lost or stolen, but also the problems that can
arise from hiding data that would reveal a customer’s wrongdoing
„„ know what records should be kept by the firm and the problems that can arise
from record-keeping failures
„„ understand the firm’s and the Compliance function’s responsibilities for operating
a whistle-blowing policy.
