Your compliance manual is the centerpiece of your compliance program and plays a critical role in helping enhance and enforce your firm’s culture of compliance. As a former regulator and current principal of a compliance consultancy, I’m often asked about the key considerations for building an effective “audit proof” compliance manual. Although there is no such thing as an “audit proof” manual, based on many years of working with both regulators and firms of all sizes on the right ingredients for an effective compliance manual, I’ve highlighted seven key elements of building the right manual for improving your next regulatory audit.
1. Seek Expert Help to Save Time
First, whether you’re starting from scratch or updating your existing manual, you shouldn’t try to reinvent the wheel unless you absolutely have to. Your time is valuable and probably best spent on top-line functions, so seeking expert help may be the right choice for saving time while getting the guidance needed to get started. Although each firm is different and one size certainly does not fit all, you can make your life a lot easier if you have a baseline from which to start and then customize. There is a wide range of vendors, service providers and individual consultants available on marketplace or platform sites such as Connexien, or in membership directories on FINRA and NSCP, offering everything from baseline templates as your starting point to more highly specialized services for building customized compliance manuals centered around your firm’s activities. There is no single right answer as to how you approach this, as long as you end up with a compliance manual that is sufficiently aligned with your firm’s business activities and supervisory processes.
2. Build Your Foundation
One of the most important steps to building the right compliance manual is to start with a good foundation. Whether you’re a broker-dealer or investment adviser firm (or any other regulated entity for that matter), you will need to prepare a set of written supervisory procedures or a “compliance manual” that is largely based on the firm’s business activities, corresponding risks and the regulatory framework within which it operates. As a baseline standard, it should include general compliance requirements (e.g. those that every firm must comply with regardless of product lines or business model) together with product and/or service specific compliance requirements (e.g. based on your approved business lines per your FINRA Membership Agreement for broker-dealers or Form ADV for investment advisers, etc.). For broker-dealers looking for a good starting point, FINRA produces a WSP Checklist which is generally designed for guiding new FINRA member applicants on the minimum requirements when preparing a compliance manual during the new membership application process. Although this certainly doesn’t cover all required areas for all firms, it’s a useful tool and good reference point when considering what you should include based on your firm’s business model and product lines.
3. Understand Policies vs. Procedures
Understanding the distinction between policies and procedures is important when constructing your compliance manual. Although policies and procedures serve separate purposes, they are complementary: you need both to build a comprehensive manual. For example, a well-constructed manual will start with broad-based Policies, which consist of a formal set of rules or guidelines adopted by a firm to achieve its goals and objectives, and then fine-tune its actions with Procedures, which consist of step-by-step processes for accomplishing those goals and objectives. Policies tend to have widespread application, change less frequently and focus on the “what” and “why” by identifying company rules, explaining why they exist and when and why the rules apply. Procedures, on the other hand, have a narrow application, are more prone to change and tend to focus on the “how”, “when” and “who” by describing step-by-step processes, the frequency of actions taken and the specific parties responsible for carrying out those actions.
4. Emphasize Assignment of Responsibility
Assignment of responsibility is key to clearly defining lines of authority with respect to each task to be performed. This refers to the “who” in the “who, what, where, when and how” questions that firms must address when building their compliance manual. For example, firms should focus on detailing who will be responsible for conducting the supervision of various tasks. To accomplish this step, firms should assign and list the designated supervisory principals or practice leaders who are responsible for each division, department or group and their respective compliance tasks including direct and indirect reports under their supervision. Firms must also stay on top of any changes in key personnel that may affect the compliance manual in terms of supervisors and direct reports and their assigned scope of responsibility.
5. Align your Procedures with your Processes
With any compliance manual, striking the right balance between procedures and practice is important. To hit the right note, firms should consider their business processes and align their procedures around those processes. If your procedures are too vague or lack specificity, they leave little direction or guidance for the end user or, worse yet, may cause regulators to question your actual processes; on the other hand, procedures that are too specific or narrow in focus may create added risk if the firm deviates from overly precise controls. To effectively align procedures with internal processes, you should answer the remaining “what, where, when and how” questions when building your compliance manual. For example, your compliance manual should clearly describe “who” is conducting the supervision, “what” type of tasks are supervised, “where” the tasks and supervision are conducted, “when” supervision is performed, and “how” the supervision is documented. In this case, attention to detail on tasks specific to the organization is critical.
6. Focus on Dynamic over Static Procedures
Regardless of the type of financial services firm, regulation and its compliance requirements are in a constant state of change, and keeping up with the ever-changing regulatory landscape is a major focus. Your compliance manual should be treated as a dynamic document, constantly evolving with your changing internal processes, controls and personnel, all set against the changing regulatory landscape. Your manual is only as accurate as its last update. Therefore, firms should remain vigilant about staying current with applicable rules and regulations while also staying ahead of the curve on proposed rules that could impact the firm’s future processes.
7. Test the Efficacy of your Procedures
Lastly, the best way to find out whether your compliance manual is working properly is to test it. Although firms test the efficacy of their procedures in different ways, one of the main ways is through annual and/or periodic internal or external compliance reviews, where the testing and verification processes are designed to detect any irregularities or gaps in compliance processes. These types of reviews also consider material changes in the regulatory landscape that may impact the firm and its internal controls and compliance processes. Additionally, since regulators will almost certainly test your manual against your firm’s processes, getting it right can save time and energy by effectively managing regulatory expectations during the audit process. Firms should implement corrective actions and corresponding changes to their procedures upon discovery of any gaps in their compliance program.