At the recently marked IFCA Global Compliance Conference, an important global occasion that serves to highlight both the key strides made by Chief Compliance Officers of Banks across the globe, as well as the work that still needs to be done in order to forge an equal future. Pattison Boleigha, President, Compliance Institute, Nigeria (CIN), the Nigerian contingent speaks with O’Lekan Babatunde Nigeria’s Compliance industry, its impact on businesses, how Compliance programmes help manage risk, the role Compliance officers play as members of Directors of their companies and the reason why Africa is backward. Excepts…
Compliance Officers have sometimes been called Revenue Prevention Officers. With this seeming outlook, where does that leave Nigerian Compliance Officers who operate in an environment seemingly unfriendly?
The compliance officer’s job is grossly misunderstood especially in this part of the world. They have always been likened to duplicating the Audit function. The revenue loss prevention role is an audit function and not a compliance function. Using revenue loss as an example, the role of the compliance officer in Revenue loss is to ensure that adequate controls are put in place to ensure that the revenue is never lost in the place. Such controls like Maker/Checker, Data authentication automation, Segregation of duties, and ensuring that beyond putting these controls in the policies and procedures, they are also embedded in the system to proactively prevent losses. That way, compliance helps to prevent the cost of non-compliance and rework. It costs more to correct what has gone wrong instead of getting them done correctly first time if only a good compliance program was put in place.
With your experience in the Nigerian landscape, can Compliance guarantee return on investment?
Yes, this principle of ROI is universal, irrespective of the country. And even if the investment in compliance in the interim shows a negative ROI, it does not mean that compliance has not contributed to organisational sustainability. This is because the negative ROI report given to management will spur up a behavior of management to take the right decisions to reverse the negative trends in the long run. The management will either reduce certain businesses or stop a line of business producing these losses based on the negative ROI report. When that happens the gains that come from these actions will in future reverse the ROI because the gains will be added as benefits to help in the computation of a positive ROI. The most important thing for the Compliance officer is to calculate the ROI always and report and leave management to do their own job.
Which countries can one benchmark these standards on Compliance regime as ROI is concerned?
There is no one size fits all ROI standard globally. It depends on what is important for a particular organization to track. Therefore, ROI is computed on a risk-based approach where the organization focuses more on the key Compliance risk areas.
What performance metrics are required to measure the Compliance regime?
According to Matt Kelly in his Article on 5 Compliance Metrics Every Business Should Measure in January 2021, there are five matrices that will give you a good sense of compliance program effectiveness. They are:
Mean Time to Issue Discovery. This metric gives you a sense of how quickly your program discovers a compliance issue.
Mean Time to Issue Resolution.: This metric is a companion to the one above; it helps you understand how quickly you resolve an issue once the problem is discovered.
Compliance Expense Per Issue.; You can calculate this metric by dividing your total compliance budget into the number of issues your program manages, perhaps calculating it every quarter or every year.
Severity Gap Between Predicted and Actual Risks.: “Negative risk events,” as we politely call them, are inevitable. These are residual risks which typically takes most of management and board time to deal. In some cases, the management just give up and accept them or outsource the through insurance.
Risk Mitigation Timeframe: This is the time that elapses between your discovery of a risk and when you implement any changes necessary to mitigate that risk
However, again, these are generic matrixes. Organisations differ in several ways and have varying risk structures so we cannot recommend any particular one for any organisation. However, in typical Nigeria bank in addition to the above, I suggest the following should be tracked for the effectiveness of a compliance program for a typical bank in Nigeria, but not exhaustive.
Number of (Suspicious transactions)STR /SAR filed, Number of STRs not filed after investigations, FTR and CTR returns not filed or filed late, KYC deficiency ratio, Number of overaged items in Global Control Log (Excluding Legacy KYC),Number of Repeat Audit & RBS exceptions, Number of overdrawn staff accounts, Transactions above approved thresholds on staff Accounts without appropriate approvals, Count of dud cheques issued by staff, Number of regulatory enquiries received but not yet treated, Number of regulatory breaches / near misses, Number of late Regulatory returns, Number of Regulatory penalties/fines, KYC: Count of PEP not flagged, Number of Successful Positive hit from Sanctions list, Overaged items: Number of overaged items in GL, Number of GLs with differences/Irregular balances for 3 consecutive months, Number of Unproofed /Unsubmitted proofs, Number of over aged items without evidence of escalation for 3 consecutive months, Number of regulatory investigations against the Bank / Insider related, Number of transactions or Deals or account Not opened due to EDD failure, Percentage of staff not trained for the year/month/ quarter, Number of enquiries from IMTO, VISA, Mastercard, Number of penalties from IMTO, VISA, Mastercard, Number of crystalised fines from IMTO, VISA, Master card, Number of rules book violations for the month, Correspondent Banks’ Enquiries above SLA, Policies and frameworks due for renewal, ABC risk assessment residual risk score above moderate risk, Compliance risk assessment residual risk score above moderate risk, AML/CFT risk assessment residual risk score above moderate risk.
Where investments decisions misfire, what compliance regime(s) can be adopted?
When investment decisions misfire, it is time to carry out corrective measures. These will include investigation of the business areas producing losses to get the root causes of the figures in that business. Then the compliance disciplinary measures will be invoked to punish wrongdoing fairly. Then lastly, utilize the outcome of the root cause analysis to fix the control failures observed to prevent recurrence. In all of these, the compliance program will emphasize the need for fairness and avoidance of retaliation.
On the back of COVID-19 pandemic, how can Compliance programmes help to manage risk?
Nobody ever predicted the COVID-19 pandemic. It was never in any organisation’s compliance plan anywhere in the world. Therefore, every organisation had to evaluate the COVID risks as it affected them and took certain measures to mitigate the risks. However, since 2020 to date, organisations have developed new policies and procedures arising from more demands in new improved compliance programs that have considered the Covid-related risks. For example, the process of customer on-boarding as seen a lot more use of digital processes in collecting customer data to comply with the compliance requirements to observe social distancing. The need to work from home also led into increased cyber-related crimes thereby making it inevitable for organisations to introduce more stringent cyber-compliance requirements to manage data leakages as a result of working from home. Also, the need to develop a separate COVID -19 Health compliance program to ensure that organisations and their staff comply with the government Covid rules became very expedient.
How can you help Organisations understand Compliance risk?
Organisations are expected to carry out annual risk assessment of their compliance risk. They should have a deliberate program to identify compliance risk peculiar to their organizations and deploy effective controls to mitigate them. A typical Compliance management program will cover, Identification, evaluation, analysis, monitoring and reporting.
What role can Compliance officers play as members of Directors of their companies?
Everyone in the organization has a role to play in institutionalizing a compliance culture within the organization. The Boards is responsible for crafting, approving the Mission Statement and other Policy statements. It performs oversight functions on Management in order to ensure that the organization is run professionally and in accordance with international best practice. The board receives, reviews and actions the report of the Chief Compliance Officer. It ensures that the approved recommendations are implemented by Management within agreed timelines and progress is monitored
Management is responsible for implementing the strategy approved by the Board. Its responsible for setting up structures and systems within the organization that ensure compliance and must communicate the importance of the compliance function to every staff of the organization; accord the compliance function due recognition; treat the reports from the CCO seriously and live by example by not undermining compliance.
Compliance officers Roles include to identify the compliance risks that an organisation faces and advise on them; to design and implement controls to protect an organisation from those risks; to monitor and report on the effectiveness of those controls in the management of an organisations exposure to risks; to resolve compliance difficulties as they occur.
Compliance officers advise the business on rules and controls, identify and manage regulatory risk. The overriding objective of a compliance officer should be to ensure that an organization has systems of internal control that adequately measure and manage the risks that it faces. The general responsibility of the Compliance Officer is to provide an in-house compliance service that effectively supports business areas in their duty to comply with relevant laws and regulations and internal procedures.
What would you say have been the key changes in the compliance officers’ role in the last 12-18 months?
The major changes in the compliance role have occurred in the area of Environment Social and Governance (ESG) Compliance. The issues around climate change, increased levels of crime in the society and the need to make organizations more socially accountable are responsible for the heightened compliance role in these areas. Also, recently we have seen compliance officers unlearning old ways and equipping themselves to be able to tackle the increase in the use of FinTech’s in financial inter-mediation. Most prominent in this area is the use of Cryptocurrency.
Have you encountered any challenges in getting buy-in of the value of compliance from top to bottom?
Off course the push back from compliance is a normal phenomenon in area of compliance. Typically, nobody wants to be controlled. The basic objective of any business organization is to make profit. There is a constant drive to make profit irrespective of the rules. The behavior that disregards the needs to play by the rules in making the profit is the reason that gave the compliance role the prominence it has today. So, the Role of compliance is to serve as a balancing factor to put programs in place to moderate the urge to break the rules while pursing the business profit objective. However, when the need to have a sustainable profit becomes management’s goal, then compliance would have played its role in the organization. So, the compliance officer should not relent to constantly give enlightenment to senior management and board on the ROI of compliance.
In your opinion, are companies now taking compliance more seriously and seeing the value it adds to their business?
I don’t think so. Companies in Nigeria and Africa generally are yet to get to a heightened level of compliance. Perhaps, this is so because we have not truly seen the serious impact of non- compliance on business failures in Nigeria and Africa. However, I can say that lack of compliance is a major reason why we have been backwards in Africa. Level of corruption and other criminal activities like kidnapping, banditry, Terrorism and Proliferation of weapons of mass destruction that drive Money laundering and Terrorism financing is sufficient reason for us to change our ways in Africa
Anti-Money Laundering seems to be increasingly on the radar for non-financial sector companies. How are companies in Nigeria dealing with regulations that were often written with the financial sector in mind?
I do not agree that current regulations on AML/CFT/CFP are still tilted in Favour of financial sector alone. That was in the past. Today, Nigeria as the more robust regulation on Designated non-financial businesses and professions (DNFBPs). Since the creation of the Special control unit on Money laundering. (SCUML), the regulatory environments of these area have greatly improved. The only problem is that of implementation and enforcement. In fact, in 2022 the President of Nigeria signed into law a new Money Laundering Prevention and Prohibition Act 2022 where one of the major changes made was the removal of the SCMUL office from the ministry of Trade and Investment to the EFCC. This has improved the funding of their activities. Nevertheless, there is still more to be done in the non-financial sector given the vast number of participants involved. The resources to training these vast number for example is lacking. However, despite the successes in Nigeria, the rest of Africa is still lacking in this area and need to do a lot more.
Have companies’ attitudes towards compliance and integrity changed over the years? Could you share some of your observations in this regard?
Companies attitude globally have changed, but we cannot say much for Africa. The various global reports on crime are increasing and this is an indication that the stakeholders are still not doing enough.
What is the (CIN) Compliance Institute of Nigeria’s’ outlook for the future, and plans for next year specifically?
Our immediate future outlook is the Charter of the NASS we are pursuing, getting other industries in the country to be covered in our programs and to take compliance to the grass roots in our educational system from primary to tertiary levels.
You were one of the esteemed speakers at the annual IFCA International Compliance Conference. This year, they had an interesting focus on Compliance in an era of global complexity… What is your view on the fast-changing compliance landscape in today’s world?
Nigeria and Africa unfortunately are coming late to the party on compliance relevance. However, it is not too late. So what this conference will do for us is that we will become more aware of the changes in the society and how this has affected the way compliance is practiced in the world. The issues around risk management, Artificial; Intelligence and machine learning, ESG, Crpto and Social issues have made compliance very complex. Therefore, compliance officers should also skill up and scale up their level of knowledge to cope .
What is the desired outcome of the 2022 IFCA International Compliance Conference for you?
Coming out from this conference, we have created a lot of consciousness in the minds of compliance professionals globally on the complex nature dimension that compliance is taking now, and the need for the compliance officers to up their game or play catch-up, so as not to be left behind.
Any recommendations to how private sectors and civilians can be actively engaged in fighting against corruption?
First, we need to put in better controls in the system to prevent corruption in the system instead of the reactive practice we have today. We also need to take the teaching of Anti- Corruption back down to the primary schools and make the course compulsory. The ICPC, NFIU, DCUML and EFCC should be funded better to improve the enforcement and deterrent. Also, we need to encourage more private sector consultative forums to enable us share ideas and information on corruption. We should publish known cases to the public to serve as deterrent to others.
Leave a reply