September 22, 2017

Keys to Managing a Global Compliance Program, From Staffing to Culture

Countless obstacles can present themselves when managing a global compliance program, including when interfacing with multiple regulators across jurisdictions, observing diverse registration and filing requirements and allocating resources across regions, among other complex matters. A firm does not need to have a large global reach before its compliance team faces many of the same labyrinthine legal and regulatory issues that their larger peers face. Simply having investors or participating in the capital markets of jurisdictions outside of the U.S. can leave a manager exposed to the legal, regulatory and compliance challenges more commonly considered within the purview of a large multinational firm.

For large and smaller hedge fund managers alike, effectively managing these challenges can mean the difference between a thriving compliance culture—and attending efficiencies and fundraising advantages—and one in which even the smallest issues ignite regulatory and/or legal conflagrations. ACA Compliance Group recently hosted the webinar, “Managing a Global Compliance Program,” during which partner Alan Halfenger and consultant Matthew Girandola, and Allianz Global Investors’ managing director and global regulatory counsel David Owen offered managers of all sizes guidance on establishing an effective multi-jurisdictional compliance program. This article summarizes their insights.

Managing Legal and Regulatory Considerations Across Multiple Jurisdictions

Any manager that either has investors or manages a portfolio in a jurisdiction other than its principal place of business or domicile is subject to multiple regulatory regimes, and the scope of the firm’s activities and its size will dictate its approach to managing the compliance department. In addition to a firm’s domestic regulatory obligations, Halfenger said his clients frequently express concerns about extraterritorial issues, particularly in the UK, EU and U.S., where these concerns are most notable. The need to develop and maintain a cross-border compliance program adds to the existing complexity of global and local programs.

Owen advised that one key way a compliance officer or team can effectively address legal and regulatory obligations—along with staying on top of any relevant changes in the law—in multiple jurisdictions is through relationships with local experts. “In any situation, having relationships with local counsel and consultants is critical. The extent of those relationships is going to be different depending on your size and depending on the scope of your presence in those jurisdictions.”

Owen explained that for a smaller firm with more limited compliance and regulatory resources, the need to rely on local relationships tends to be more significant. He added that in addition to local consultants and lawyers, once a firm’s operations reach a certain size, local compliance officers help a firm keep its pulse on the business activities of a foreign office—a key component of ensuring a compliant operation—and can help maintain relationships with local consultants and lawyers.

Halfenger agreed and explained that when he was a global compliance officer, he assigned compliance personnel to each jurisdiction where the firm had operations, and those employees served as the “quarterbacks” for their respective regions, responsible for staying up-to-date on changes to the relevant regulatory regime and how its rules applied to the firm.

He added that regardless of the resources available to compliance officers, regularly visiting each of the jurisdictions the firm operates in can decrease the likelihood they will miss out on valuable intelligence. “Spend time with local lawyers and consultants and peer firms in addition to meeting with the local staff. What you find is that peer groups are key, because you find out who is the best law firm to talk to or the best consultant to work with. Spend time with traders and salespeople since they tend to know a lot of what is going on.”

Ultimately, a crisis will erupt, and a firm that has offices outside of headquarters or the home office should have a system or process in place to deal with that eventuality. Halfenger recalled a firm that had a “regulatory SWAT team” the firm called upon whenever such a situation arose. He noted that many firms are too small to have a full team, but a compliance chief with satellite offices would be wise to ask herself, “If I had a problem somewhere in the world, who is going to take care of it? Is it me? Someone there? A law firm? A compliance firm?” He noted that since a quick response will be necessary, mapping out a response ahead of time is a valuable exercise.

Risk Matrix

One way firms’ compliance personnel stay on top of the shifting sands of various regulatory regimes is by creating a regulatory risk matrix. The risk matrix should determine which of the firm’s activities are subject to regulatory oversight—sorted from greatest risk to least—and cross-reference the various worldwide rules the firm is subject to. The matrix enables compliance officers to prioritize which jurisdictions, laws and regulations are most relevant to the firm, and therefore most worth their time and energy.

Halfenger observed that he is seeing “more and more clients putting together a regulatory risk matrix,” and Owen said that his firm is “absolutely” utilizing the tool to assess global risks. He added that the risk matrix should be updated regularly.

Creation of a regulatory risk matrix is just a starting point, though, continued Owen. Ultimately, he said, risk matrices enable firms to fully evaluate what functions they currently perform and then go back to the beginning—a term he called zero-basing—to “figure out what you’re doing, then what you need to be doing, who should be doing it—is it compliance or does it belong somewhere else—and what is the most effective way to structure the control of those risks identified. In order to avoid the insanity and headaches, you have to do that overview and question everything that you’re doing and why you’re doing it and if it belongs in compliance.”

Compliance Policies: Uniformity Versus Regional Customization

One long-standing question that firms must answer when operating in jurisdictions with varied regulatory environments is whether they should establish a single set of global standards, and apply those standards uniformly across each locale, or allow each locale to operate within the confines of their respective regulatory regime. While each firm and their compliance officer(s) must weigh the pros and cons of each option in light of their specific circumstances, Halfenger said he’s observed the majority of managers leaning toward uniformity of overarching policies and procedures that are derived from the regulations imposed in the most rigorous jurisdictions a firm is subject to. He said he’s observed this trend with regard to anti-money laundering regulations, in particular, in which it is “next to impossible to have different standards given the volumes” involved.

Owen agreed and added, “Most firms are moving to adapt to the most restrictive, best practices.” In addition to AML compliance, he pointed to personal trading policies and noted that his own firm once had three sets of rules based on jurisdiction—Asia-Pacific, the U.S. or Europe. “That’s a real headache if you’re a global head of compliance. If you want to run efficiently and take advantage of certain efficiencies such as using the same team or one tech system, it can be challenging when you have three different policies. It starts to become very, very challenging to achieve any real enhancements in terms of efficiency and effectiveness if you don’t harmonize the programs.”

Owen warned that compliance personnel do have to review the rules and regulations in each location to evaluate whether it’s feasible to consolidate all policies and procedures around a single point, but it is vital in order to “preserve your sanity as a global CCO.”

Not every firm can, or will choose to, adopt global standards, since doing so could place their operations at a disadvantage in certain regions. Owen provided an example around gift and entertainment policies. “You might find the rules in the U.S. and the states have become quite restrictive in dealing with plans, and that conflicts with what goes on in certain jurisdictions, such as Asia. Having a single set of rules or single policy for all jurisdictions just won’t work.”

Organizational and Staffing Considerations

As most firms can attest to, and numerous surveys confirm, the fact that personnel costs are a compliance program’s biggest capital outlay, when discussing resource allocation across a multi-jurisdictional compliance team it makes sense to focus on staffing and organizational considerations. Key considerations include geography—where employees actually sit—and staffing—who is responsible for what, and to whom they report.

Halfenger said he’s seen three geographic models. “Everyone is at the mothership, personnel are dispersed to locales where there are sizeable trading and sales operations, or firms install regional compliance coordinators who cover a specific country or region from the home office, but frequently spend time in their assigned regions’ offices.”

Determining how to split up the team entails an assessment of whether the firm would most benefit from a centralized or decentralized compliance team structure. In a centralized structure, the home office personnel maintain responsibility for overseeing that office, as well as any remote offices, with the obvious advantage that policies and procedures are applied consistently throughout the various regions and there is less, if any, ambiguity about supervisory authority and control. Girandola pointed out that there are also drawbacks, including that, “The home office might not have full insight into what is taking place at the satellite offices,” which is a significant concern.

A decentralized approach has its own set of pros and cons. In addition to having someone in the office, and insight into day-to-day business dealings, the firm benefits from more nimble decision making, especially when a centralized office is located in another time zone. On the other hand, a decentralized approach could lead to inconsistent application of a firm’s global policies and themes.

In situations where a decentralized approach is deemed most appropriate, yet the office is perhaps too small to warrant a dedicated or nearly dedicated individual, Halfenger said he has started to see compliance duties being assumed by an onsite audit, risk or finance employee.

Once decisions concerning personnel and their locations have been made, managers must determine how the firm will oversee its compliance obligations and maximize the ability of the CCO to effectively delegate tasks. Girandola explained that he primarily sees the “Three Lines of Defense” model, which evolved in the late 90’s. Although primarily geared towards larger institutions, smaller managers can tailor the approach to their specific needs and circumstances.

The first line of defense starts with the process-owners across the firm’s business units. In a hedge fund, this would include everyone across the firm who has a hand in monitoring compliance issues, including managers, supervisors and traders. The second line of defense includes the employees who oversee risk—namely, the compliance department. Girandola explained, “They aren’t process-owners, but they have influence over the general risk framework which includes financial controls, compliance and risk management.” The third line of defense includes independent assurance groups, such as internal audit or an outsourced consulting firm, whose function is to evaluate the efficacy of the first two lines of defense.

Halfenger said that although certain staffing and organizational considerations apply more broadly and consistently to larger firms’ regulatory and legal obligations, smaller firms can use the same principles throughout their operations as well. “If you’re the CFO and CCO of a hedge fund, you have more limited staffing resources, but the principles are the same. You want to have your finance and operations processing. You want to have a compliance assistant doing some testing. And you want to do some independent testing to kick the tires. This can be right-sized for any organization. It basically comes down to separation of the duties. Someone should be doing the work, someone else testing it and then someone else kicking the tires to make sure it’s all working properly.”

He added that even if a smaller firm doesn’t have an internal audit function, compliance can come in and perform much of the testing in an effort to determine if any particular satellite office has gone, what he termed “native,” affecting their ability to “raise their hand and point to [a] problem.”

Maintaining a Culture of Compliance Across Multinational Hedge Funds

Maintaining culture at a firm is a challenge in and of itself, requiring the systematic application of a set of guiding principles and rules that are adhered to from the top of an organization down. The challenge of maintaining a top-down culture of compliance is amplified when segments of employees work in international locations that are a step, a time zone or a culture removed from the central office. Halfenger explained, “You’ve got a small office that is supposed to be semi-independent and they live with that local office and they probably report to the local office’s senior business person. You have to understand the conflict of interest where they report directly to the central compliance office, but they have local constituents they have to deal with every day. Your visits and the testing program, who the reporting line is, all of these things should be geared towards removing those conflicts of interest.”

Several key steps help ensure that a consistent compliance culture pervades an organization, even when it’s geographically dispersed. First, the CCO can visit the firm’s remote offices at least annually, with the goal of showing both onsite employees and regulators that the firm is “keeping a compliance pulse on the organization beyond the home office.”

The visit can be accompanied by a review of the policies and procedures most relevant to the satellite office’s responsibilities to ensure compliance with local regulations, such as custody and cash controls, advertising reviews, the types of fees and expenses incurred by the remote office, allocation decisions or investment recommendations, reporting, records retention, service provider due diligence, business continuity planning and IT infrastructure. Girandola advised compliance officers to memorialize in a memo to file any issues or deficiencies identified, along with any remediation recommendations.

Ultimately, extending the culture of a firm to other offices depends on the caliber of employees hired by the firm and encompasses skillsets beyond the technical capabilities of compliance personnel in international satellite offices, such as their language and cultural assimilation skills. Challenges will also vary by geographies. Owens explained that, “In NYC, London and HK, the greatest challenge is holding on to people. It’s a competitive environment that leads to turnover,” Owens explained. “In other places, meanwhile, the challenge is finding people who can do the job. Turnover is low, but few people can do what you need them to do.”