ICA Incompliance Magazine article - MAS IAC, A Shift in Mindset
inCOMPLIANCE®
ACCOUNTABILITY AND CONDUCT REGIMES
A shift in mindset
Thomas Wan outlines the MAS Guidelines on
Individual Accountability and Conduct and
explains what the introduction of such
regimes means for compliance
in practice
Many regulators have introduced (or proposed)
accountability and conduct regimes (ACRs; see Box
1). This follows a paradigm shift towards a corporate
social responsibility (CSR) and sustainability-focused
financial regulatory landscape,[1] in which the behaviour and
conduct of financial institutions (FIs) and individuals, and
their interaction with customers and other stakeholders, have
assumed greater importance. This shift has come about in
the wake of recurring “incidents of misconduct and egregious
risk-taking in the financial industry, which have continued to
undermine public trust and confidence in FIs, with poor culture
and behaviour being identified as the key root causes.”[2]
Although the terms used by regulators may differ,
essentially, ACRs cover directors, senior management and key
executives (DSMFs) who are tasked with the responsibility and
/ or accountability for the management or control of the firm
and business, risk-taking, and control functions. Regulators
also differ slightly in their registration, approval and licensing
requirements, but most require an assessment – and ongoing
review – of whether the DSMF incumbent is ‘fit and proper’.
The Monetary Authority of Singapore’s (MAS) proposed new
Guidelines on Individual Accountability and Conduct (IAC or
'the Guidelines')[3] outline an approach towards responsibility
mapping that is consistent with comparable jurisdictions. This
approach, it is anticipated, will require the Board of Directors
(BOD) and senior management (SM) of FIs to be more mindful
and deliberate in discharging their duties. This article (the first
in a two-part series) highlights the key implications of the MAS
IAC and the practical challenges to its implementation.
The MAS Guidelines
The proposed Guidelines aim to supplement existing
regulations and guidelines on corporate governance, risk
culture, and conduct, particularly in the following areas:
a. Promoting individual accountability of SM of FIs
b. Strengthening management oversight of FI employees
engaged in material risk functions (MRFs), and
c. Embedding within all FI employees related standards of
proper conduct.
MAS has announced that it will adopt an outcomes-based
approach, so that each FI has the flexibility to adopt different
means of achieving the specified outcomes, while abiding by
the benchmarks set out within the Guidelines, namely:[4]
• Outcome 1: SM who have responsibility for the management
and conduct of functions that are core to the FI’s operations
must be clearly identified. Core management functions
(CMFs) are listed in Annex B of the consultation paper.
• Outcome 2: SM must be fit and proper for their roles,
and held responsible for the actions of their staff and the
conduct of the business under their purview.
• Outcome 3: The FI’s governance framework must be
supportive of and conducive to SM’s performance of their
roles and responsibilities. The FI’s overall management
structure and reporting relationships must be clear and
transparent.
• Outcome 4: Employees in MRFs must be fit and proper
for their roles, and subject to effective risk governance
as well as the appropriate standards of conduct and
incentive structure.
• Outcome 5: The FI must have a framework that promotes
and sustains the desired conduct among all employees.
This article considers the first two outcomes and examines
their potential implications, as well as some of the key
implementation challenges and practical implications for FIs
and industry practitioners.
Outcome 1
FI’s management structure – The identification and definitions
of key DSMFs should be undertaken on a firm-wide / group
basis. This might sound easy in theory, but in reality some
FIs have grown so big and complex – operating in several
jurisdictions – that this can be an onerous and complex
task, and one that must be considered in the context of
the management structure model that the FI has adopted
(i.e. centralised or decentralised). Empirical studies[5] have
yielded mixed findings with regard to the advantages and
disadvantages of each model, as summarised in Box 2.
Some practical pointers to consider for the adoption of
either model, and in the identification and definitions of key
DSMFs, are:
• Whether centralisation is required by the regulators or laws
• Whether 20% or more efficiency gains may be achieved by
centralising the function
• Whether centralising the function would materially
reduce risks.
Responsibility vs accountability – Responsibility should not
be confused with accountability. The distinctions between the
two are summarised in Box 3.
Box 1: ACRs introduced by leading regulators
• UK FCA’s Senior Managers and Certification
Regime (SMCR) – implemented effective Mar 2016
• Hong Kong SFC’s Managers in Charge Regime
(MIC) – implemented effective 17 Oct 2017
• Australia APRA’s Banking Executive Accountability
Regime (BEAR) – on 7 February 2018, the Australian
Senate passed the Treasury Laws Amendment
(Banking Executive Accountability and Related
Measures) Bill 2018. Full implementation by 1
July 2018 for large Authorised Deposit-taking
Institutions (ADIs). Smaller and medium sized ADIs
will have another year to comply, commencing on
1 July 2019.
• Malaysia BNM’s Discussion Paper on Responsibility
Mapping (RM) – consultation ended 20 April 2018
• Singapore MAS Guidelines on Individual
Accountability and Conduct (IAC) – consultation
ended 25 May 2018
• US Dodd Frank Act and DOJ’s memo – Sep 2015 on
Individual Accountability for Corporate Wrongdoing
Three lines of defence (3LOD) and ownership of risks –
Risk ownership is not the sole responsibility of the second
line of defence (risk management and compliance).
Instead, FIs should map risks across the lines. This mapping
should be informed by the company’s risk tolerance and
risk monitoring strategy, which the BOD and SM should
communicate to the business. Each risk should have a clear
link to the responsible owner in the relevant line of defence.
Documenting where the responsibility for risk, controls and
assurance lies, in the form of charters, should ensure that
individuals understand their responsibilities within the wider
context of the firm’s risk strategy.[6]
Each line should also have adequate skills (i.e. competencies)
to discharge its risk ownership and responsibilities. Finally,
there should be integrated communication between the three
lines, and reporting to the BOD and SM should be performed
collectively in a single report showing the overall status for
individual risks in the firm.
Some further practical pointers to consider, to aid the
optimisation of the 3LOD on risk ownership, are:
• Do the BOD and SM have a clear view of how each
significant risk is being managed on an ongoing basis (e.g.
a risk map of the firm)?
• Does the BOD feel that the right risk and compliance
activities are being performed for the organisation’s key risks?
• Does SM understand the BOD’s risk appetite, and is that
evidenced in the reporting on risks?
• Is the BOD comfortable that there are no gaps and does it
have visibility on action being taken on any material risks or
gaps in risk management?
• Does the BOD feel that risk management is embedded in
the organisation and is part of the day-to-day culture?
Outcome 2
Job description and statement of responsibilities – DSMFs
require a detailed job description (JD) and map of the
responsibilities and/or accountabilities. Some regulators, such
as the UK Financial Conduct Authority (FCA), prescribe this
detailed document.[7] Some practical pointers for consideration
are as follows:
• The allocation of functions and tasks, and responsibilities
and accountability should be understood within the
wider remit of the firm/group. The firm’s corporate
governance framework and context should also be
considered (MAS Outcome 4 – to be covered further in
the next article).
• A clear mandate and formal appointment of the DSMF role
must be acquired from the BOD.
• A clear JD and a clear mission statement must be developed.
• DSMFs must know and understand the risks and how to
manage them within their functional area and capacity.
• Terms of reference, JDs and progression pathways for such
key roles and functions must have clear documentation.
• Lines of supervision (and supervisory liabilities) within the
firm and for the role must be documented, as should clear
lines of escalation and reporting of all material issues to
the BOD.
• The JDs of the incumbent DSMFs must support the decision
by the BOD and/or SM to delegate to that individual.
• DSMFs must possess the necessary personal ‘bandwidth’
and confidence to fulfil the prescribed responsibilities.
• DSMFs must be able to exercise ‘full control’ over the areas
of responsibility.
• DSMFs must know their legal obligations and personal
liabilities (both civil and criminal).
• The ‘two or multiple hats’ problem must be addressed,
in which DSMFs and compliance officers perform other
functions in addition to their key functional role.
• Advice must be sought from Human Resources (HR) or
independent legal counsel if there is a disagreement with
SM regarding the job role, description, and responsibilities
and/or accountabilities.
• Consider obtaining adequate indemnification and insurance
protection where appropriate.

Box 2: Centralised vs Decentralised bank models

| Management structure | Centralised bank | Decentralised bank |
|---|---|---|
| Definition | Power and authority for planning and decisions rest with top management organised around a hierarchical structure | Power and authority (with accountability) should be close to the employee and customer |
| Decision making | Rests with senior management | Rests with local markets |
| Key risk | Inflexibility | Inconsistency |
| Key advantages | Control; consistent customer experience | Resilience; market specific pricing / response / product design |
| Cost savings results | Mixed | |
| Speed of decision making results | Mixed | Mixed |

Responsibilities vs competencies mapping – The
greatest fear amongst BOD, SM, banking and financial, and
compliance practitioners under ACRs is of being singled out
by the regulator(s) as being ‘incompetent’ and not ‘fit for
the role / job purpose’.[8]
Being ‘competent’ involves more than having academic
qualifications and experience, or passing regulatory
licensing exams. Competence is about the ability to
demonstrate characteristics that enable the proper
performance of a job. ‘Competence’ involves a combination
of practical and theoretical knowledge, cognitive skills,
behaviour and values that are used to improve performance.
Some practical pointers for consideration to help DSMFs to
meet the competency requirements are suggested below:
• CV/Role profiles – Do these accurately reflect the
expertise and competencies the DSMFs have (or ought
to have) in order to be able to perform their specific
function competently?
• Mapping against a competency standard – A
competency standard is a set of defined performance
behavioural outcomes that provides a structured guide
enabling the identification, evaluation and development
of behaviours in individual employees. HR and DSMFs
can perform a gap analysis to better determine if the
individual possesses the necessary skills, knowledge and
attributes to be able to perform their function.
• Examples of good competency standards include
the Singapore Institute of Banking and Finance (IBF)
standards[9] and the UK-ICA National Occupational
Standards (UK NOS) for Compliance,[10] AML/CFT and
Financial Crime Prevention.[11]
Competency-based training and continuous
professional development (CPD) – The ACRs require
ongoing periodic reassessment of DSMFs’ competencies.
The range of skills needed by DSMFs, the Compliance
Function, and the associated functions is both
broadening and deepening. It is crucial
that FIs invest sufficiently in talent development within
DSMF functions. At the Board level, this priority is
often overlooked. Individuals must be competent, fluent
in business operations, plugged-in to organisational
developments, and have the authority and network to
engage effectively throughout the FI.
One can identify where individuals may be lacking
skills, knowledge and attributes through working with HR
or their superiors, through peer appraisals or through
self-reflection. Individuals can also attend industry forums,
seminars and regulatory briefings to maintain technical
skills in line with the demands arising from an evolving
business and regulatory environment. They can also attend
accredited training and assessment programmes that are
benchmarked to competency standards.[12]

Box 3: Responsible vs accountable individuals

| Responsibility | Accountability |
|---|---|
| Individuals are responsible for completing the step in the process | Individuals are accountable for ensuring the step is completed appropriately |
| Few / many people may be responsible for the action | One / few person(s) may be accountable for the action |
| Individuals are responsible to the person accountable | Individuals are responsible for ensuring that the work, task or activity is performed to expectations / satisfactorily |
| Individuals are assigned to do the work | Individuals make the final decision (sign off) about the work, including ‘yes’ and ‘no’ authority and veto power |
| Individuals work on the activity | Individuals have ultimate ownership of the activity |
| Individuals are entrusted with the task | Individuals are liable for any faults |
| Individuals develop and make happen | Individuals set rules and policy |
| Individuals facilitate, co-ordinate and clarify | Individuals direct, validate and approve |
| Individuals deliver to those accountable | The individual who is accountable signs off or approves the work provided by those responsible |

A paradigm shift
The move towards a regulatory environment focused on
risk culture and conduct calls for a radical paradigm shift
in the mindsets of FIs, DSMFs and compliance. Moreover,
such a paradigm change remains a major challenge for
both FIs and regulators, for the following reasons.
The shift to individual responsibility – The responsibility
for proper, correct and ethical conduct shifts to the
individuals involved in the day-to-day running, risk-taking
and control functions of FIs. DSMFs are therefore expected
to have full control of their areas of responsibility and to
demonstrate that their individual actions and decisions can
be evidenced and are defensible.
CSR and sustainability-based regulation – A rules
and principles-driven system does not adequately
mitigate risk. Regulatory regimes are focusing more on
complex concepts, such as risk culture and conduct risk.
The functional competencies expected from ACRs are
‘outcomes-based’, but culture remains a critical key issue.
This raises several questions:
• Are behaviour and conduct predictable?
• Can culture be managed via controls? Why? What about
the burden of ‘over-control’?
• What defines / measures a ‘desirable outcome’ for risk
culture and conduct?
• If something is not proscribed, does that mean it is
‘acceptable’?
• Compliance-related risk management requires not just
core technical skills but behavioural competencies, to
reduce the organisational risks and costs associated
with compliance and regulatory risks. How can we better
incentivise behavioural change?
Competency-based training and CPD – A shift is
underway from traditional knowledge areas towards new
areas of knowledge, to meet the evolving business needs
and challenges. An example of this is the application of
forensics in investigations, cutting across financial crime,
fraud and IT (e.g. digital forensics). The need for investment
in training has increased accordingly. ‘Advanced’
competency-based training programmes for DSMFs would
promote a globally-consistent approach to compliance, and
might reduce attrition rates. However, the question remains
whether FIs are prepared to invest in developing
such programmes.
In the next article, I will consider MAS Outcomes 3 to 5.
Wan Chee Kien, Thomas is the
Course Director and Tutor at ICTA in
Singapore, and teaches various ICA
courses in GRC, AML/CFT and FCP
in Asia-Pac. He holds postgraduate
qualifications in Finance, GRC and FCC,
and is a FICA, IBFA and CFTP (Snr).
1. Read more on CSR and sustainability financial regulations here: https://www.researchgate.net/publication/303697394_Corporate_Social_Responsibility_in_the_Banking_Sector
2. MAS Consultation Paper on Proposed Guidelines on Individual Accountability and Conduct: http://www.mas.gov.sg/News-and-Publications/Consultation-Paper/2018/Consultation-Paper-on-Proposed-Guidelines-on-Individual-Accountability-and-Conduct.aspx; see also BOE and US Fed on Risk Culture and Conduct: Has banking culture really changed; https://youtu.be/ZpKXF-Ktipg
3. MAS IAC: http://www.mas.gov.sg/News-and-Publications/Media-Releases/2018/MAS-to-strengthen-individual-accountability-of-senior-managers-in-financial-institutions.aspx
4. Ibid., footnote 2
5. CSB Correspondent (2016); Centralized or Decentralized Bank Management? https://csbcorrespondent.com/blog/centralized-or-decentralized-bank-management
6. See further, for example, here: https://www.ey.com/Publication/vwLUAssets/EY-Maximizing-value-from-your-lines-of-defense/$FILE/EY-Maximizing-value-from-your-lines-of-defense.pdf; see also The Handbook of Board Governance: A Comprehensive Guide for Public, Private and Not for Profit Board Members, edited by Richard Leblanc, John Fraser
7. UK FCA Statement of Responsibilities document: https://www.handbook.fca.org.uk/form/sup/SUP_10C_ann_05_SOR_20180629.pdf
8. See, for example: UK FCA finds compliance officer with 20-yr record unfit for role: https://www.fca.org.uk/publication/final-notices/goldenway-global-investments-uk-limited.pdf
9. See IBF Standards: https://www.ibf.org.sg/community/Pages/Adopting-IBF-Standards.aspx - https://www.int-comp.org/membership/national-occupational-standards/
10. See, for example, UK-ICA NOS: https://www.int-comp.org/media/2007/nos-comp-june-11.pdf; p.9
11. In 2006, ICA partnered with the Financial Skills Partnership to develop the first ever NOS for those working in compliance, anti-money laundering and financial crime prevention in the UK; https://www.int-comp.org/membership/national-occupational-standards/
12. The ICA Professional Qualification programmes are benchmarked against the UK National Occupational Standards (NOS) and other local industry and professional competency standards for those working in compliance, anti-money laundering and financial crime prevention in the UK and other leading jurisdictions and accredited by the national agencies and bodies; https://www.int-comp.org/qualifications-homepage