According to Compliance Expert Elin Cherry from Elinphant, “anyone who’s actually worn the hat of the Chief Compliance Officer is very aware of the concerns of CCO liability.” When it comes to regulatory liability, the line takes a stop at the CCO. So it’s critical that the CCO is both proactive and consistent with making senior management aware of what’s going on with Compliance within the organization. According to Cherry, rigorous issue reporting combined with regular meetings sets the tone for how your management hears you and opens the door better conversations.
During the webinar CCO Insurance – The Importance of Transparent Escalation, presented by Cherry, we polled the audience of compliance professionals to ask them how often they formally meet with senior management. 63% indicated that they meet monthly with senior management. Cherry states that’s optimal timing for regular meetings. By meeting monthly, you’re not just putting structure and rigor into your compliance program, you’re also training your management to pay attention to compliance on a regular and ongoing basis.
With regulatory liability, it’s easy to say that CCO’s and registered supervisors should have been doing something. “You're going to have senior management saying, Hey, you're the registered person. You're the CCO. You didn't tell me. And, and the regulators, frankly, look at it that way, too. This was your job.” A consistent and ongoing reporting and meeting process proves to regulators that you’ve been paying attention to compliance and sharing relevant information within the organization.
Compliance reporting should be clear, unemotional, and fact driven—here’s the regulation, here are the issues, here’s the level of risk and here is what needs to happen. Monthly reporting lets your senior management see a snapshot of how much activity is happening and where that activity is coming from. Is one person trading way more than everyone else? Is there someone who’s violated policy multiple times? Senior management doesn’t want a compliance issue either. Showing activity across the organization can provide both a broad summary of compliance across the organization and let management know about issues, incidents, and areas of potential risk.
Cherry was asked about building an escalation process when there’s an incident within the organization. Can the issue wait for the monthly meeting? She shared that by doing the reports monthly you’ve already set the tone for how your management hears you and opens the door for better conversations around the event driven issues. She also emphasizes the importance of issue reporting. If it’s a middle of the month event that needs to be escalated, start by gathering the facts. The biggest thing is being effectively heard. How do you make sure you get a commitment to action when you see the beginning of an issue and you can stop it sooner versus later, without being perceived as alarmist? Through structured compliance reporting.
The underlying framework of comprehensive reporting is a rigorous compliance program. When firms have automated systems for things like outside business activities, private investments and employee trading, monthly reports with different views can easily be created. And issue and incident reporting can also be used to develop trend analysis over time. Read more reasons to automate compliance.
What if you’re so busy running your compliance program that you don’t have time to pull reports? Cherry suggests that while finding the time to get the monthly reports up and running can be a challenge, it’s worth it once it’s in place. Start by gathering what’s supported by automation. And if you have functions not supported by automation, figure out how you will get the data for those. Get the monthly meetings on the calendar, because before you know it, it’s been a quarter and then the year is half over and all of a sudden you haven’t been doing your job throughout the year. A project plan that lists the dates can help as well. It’s a lot of rigor and discipline on the front end, but it will make the rest of the compliance program run easily as well once it’s implemented.
Another question Cherry is often asked what the best approach is to structure these meetings with senior management. Efficiency and organization is key. Cherry follows the same agenda every month. “So I will tell you that I have most of my monthly reporting meetings down to less down to less than 45 minutes, because over the course of a year, the managers start getting used to the reports. They know what they're looking at, and we cover what we have to cover, but everything is there for them.” And what should a CCO do if senior management does not seem to be paying attention? Cherry suggests color coding the reports.
Read about using technology to transform compliance
FINRA recently clarified the difference between the Rule 3120 Report and the Rule 3130 report. The Rule 3130 report identifies the processes a firm has in place to establish, maintain, review, test and modify its written compliance policies and written supervisory procedures. The Rule 3120 report requires firms to review their system of supervisory controls and testing and to provide to their senior management (no less than annually) a report that verifies the system of supervisory policies and procedures are reasonably designed to achieve compliance with applicable rules and laws, provides a summary of the test results and significant gaps found, and identifies the necessary changes to supervisory procedures in order to address deficiencies found through its testing.
Cherry shared that the annual FINRA Rule 3120 Report, along with your monthly reporting and event driven issue reporting, is your CCO Insurance policy. It shows that the Compliance job was getting done throughout the year. It’s proof that you’ve reviewed your WSPs, checked them against the regulations, and have the right supervisory processes in place. Monthly reporting also lays the foundation for annual compliance reporting and testing. And if you're doing it in a project plan, it almost writes itself.
MyComplianceOffice provides automated compliance management and powerful reporting on one single platform. Our easy-to-use solution lets compliance professionals demonstrate that they are proactively managing the regulated activities of the company, employees and third-party vendors.
Want to learn more about how we can help? Let us know and we’ll set up some time to talk.
