The Fundamentals of Compliance
Ebook, 196 pages, 2 hours

About this ebook


The Fundamentals of Compliance is a book about the necessary building blocks for creating a successful compliance program in any industry. This book, which covers the five fundamentals (risk assessments; policies, procedures and training; monitoring and testing; issues and exams; and reporting), is meant to give you a broad overview of

Language: English
Publisher: The Book Publishing Pros
Release date: Jul 17, 2024
ISBN: 9798330292790

    Book preview

    The Fundamentals of Compliance - James R Downing

    Fundamentals of Compliance

    By James R Downing

    Acknowledgements

    First and foremost, I want to thank all of the wonderful people and organizations I have worked with as a regulator and Compliance professional over the past 20+ years.  Without your insight, assistance and guidance, I would not have been able to formulate the Fundamentals of Compliance.  A special thank you to Adam Leber for helping me with the outline of the book before I ever began writing.  I would also like to thank my family for putting up with me while writing this. It was a dream of mine to write this book and I would not have been able to do it without my wife, Adria, and my kids, Sophie and Paul. 

    Foreword:

    James Downing has written an excellent book on the Fundamentals of Compliance.  I would encourage all compliance professionals to read this book.  Whether you are new to compliance or a seasoned expert, it provides comprehensive end-to-end guidance on practical solutions to implement effective and efficient compliance practices.  In that spirit, it would be equally valuable to directors on boards overseeing compliance, teachers and students engaged in the study of compliance, and regulatory professionals looking to better understand industry best practices in complying with the letter and the spirit of laws, regulations and ethical standards.  All readers will learn valuable lessons in how to improve the effectiveness and efficiency of their organization's compliance programs.

    It doesn't surprise me that James has taken the time and effort to document such thoughtful guidance.  I had the pleasure of meeting James when he was Chairman of the Board of the National Society of Compliance Professionals (NSCP) and I was serving on the NSCP's Regulatory Advisory Committee, after serving a decade in senior regulatory roles at the SEC and FINRA.   His commitment to the compliance mission, compliance profession, and compliance education was clear to me then.  It is even more clear and compelling now, as I appreciate the care and thought that James has poured into this book to create a valuable resource for the compliance profession.

    In this book, James guides the reader in a clear conversational manner through the fundamentals of risk assessment, policies and training, monitoring and testing, issues and exams, governance and reporting, and the importance of practical advice.  In each chapter, he clearly explains the fundamental principles and sets forth helpful examples so the practitioner can both understand and apply effective practices.  He also clarifies roles and responsibilities and provides guidance on effective teamwork and collaboration across different roles in the organization, so that stakeholders can drive better compliance outcomes across their organization.

    Finally, as a former senior executive at both the SEC and FINRA, and as the Global Advisory Leader at ACA, I care deeply about investor protection, market integrity and capital formation.  Helping firms implement effective and efficient compliance programs is not only critical to helping firms launch, grow and protect their businesses, but it is also critical to supporting investor protection, market integrity and capital formation in our economy and markets more broadly.  As compliance professionals read and apply the fundamental principles and guidance in this book they are not only strengthening compliance, but they are also doing their part to strengthen investor protection, market integrity and capital formation.

    Carlo di Florio, Global Advisory Leader, ACA Group

    Carlo di Florio Bio

    Carlo di Florio is the Global Advisory Leader at ACA Group. ACA supports over 6,500 clients with Governance, Risk and Compliance (GRC) advisory, technology, outsourcing and data analytics solutions.  Prior to joining ACA in 2019, Carlo served for a decade as a senior regulator, first as the Director of the SEC’s Division of Compliance Inspections and Examinations (OCIE, now the Division of Examinations) and then as the Chief Risk and Strategy Officer at the Financial Industry Regulatory Authority (FINRA).  Prior to joining the SEC in 2010, in the wake of the Financial Crisis, Carlo was a Partner at PricewaterhouseCoopers (PwC) in the Financial Services Risk and Regulatory Practice.  Carlo served as co-President and currently serves as Governor of the Risk Management Association (RMA) NY Chapter.  He also serves on the Regulatory Advisory Committee of the National Association of Compliance Professionals (NSCP) and on the Board of Advisors of the Private Equity CFO Association NY Chapter (PECFOA).  In addition, Carlo serves as a Lecturer at Columbia University, where he teaches Strategic Risk Management in the Masters of Science program in Enterprise Risk Management.

    Table of Contents

    Risk Assessment

    Policies and Training

    Monitoring and Testing

    Issues and Exams

    Reporting

    Advice

    Conclusion

    Introduction to The Fundamentals of Compliance

    Why Compliance?

    In almost every organization across the globe, regardless of the industry, compliance plays a critical role. Compliance stands as a universal pillar in every organization worldwide, transcending industry boundaries. Whether in finance, healthcare, technology, or manufacturing, adherence to laws, regulations, and ethical standards is not merely a legal formality but a fundamental aspect of operational integrity and reputation. As businesses operate in increasingly complex environments with stringent regulatory demands, the role of compliance has never been more crucial. It ensures that organizations not only prevent costly legal violations but also foster a culture of transparency and accountability. This sets the stage for a discussion on the pivotal role of compliance in sustaining business operations and driving long-term success while implementing the Fundamentals of Compliance.

    Reflecting on the past quarter-century, the ascension of the compliance profession underscores a shift in corporate culture—from a peripheral consideration to a central, strategic function. Decades ago, as a college student, the realm of compliance was not just unfamiliar to me—it was virtually non-existent in the formal job market. Compliance duties were often relegated to the margins of roles in legal, accounting, operations, or other departments, handled almost as an afterthought. Today, however, the landscape is vastly different. Compliance professionals have emerged as pivotal figures in ensuring that organizations not only adhere to legal and ethical standards but thrive because of them.

    Throughout my career in financial services, I have cultivated a deep understanding of compliance, though the principles I've come to know are not confined to any single sector. Whether in financial services, healthcare, education, technology, or beyond, the Fundamentals of Compliance form the backbone of an effective compliance program. This book distills these insights into five fundamental aspects: risk assessments; policies, procedures and training; monitoring and testing; issues and exams; and reporting, all centered around advice. Below is an illustration:

    Designed to offer a comprehensive overview, this book aims to outline what a robust compliance program looks like in practice.

    Why Write This Book?

    After more than two decades in financial services, and witnessing firsthand the transformative impact of well-implemented compliance frameworks, I felt compelled to share my knowledge. The Fundamentals of Compliance is crafted to demystify the core practices that underpin an effective compliance department. My intention is to transcend industry boundaries, offering a primer that is universally applicable, easy to understand, and foundational. This book is not an exhaustive manual but rather an accessible guide meant for every compliance professional—from seasoned compliance officers to those new to the field.

    Amidst the constantly evolving regulatory environment marked by rapid changes in technology and market dynamics, a static approach to compliance is insufficient. This book aims to establish a dynamic framework that is adaptable across different industries and responsive to the inevitable shifts in regulatory landscapes. By doing so, it seeks to support aspiring compliance officers and industry professionals in designing and sustaining effective compliance programs.

    Who is This Book For?

    Fundamentals of Compliance is designed for anyone operating within a regulated environment. You might wonder, "Is my industry regulated?" Consider this: if there are state, local or federal regulations that impact how your organization operates, then you are part of a regulated industry. In truth, very few sectors escape regulation at some level—be it local, state, or federal.

    This book serves as a straightforward, practical guide to understanding the fundamentals of a compliance program. Written in plain English and crafted for ease of understanding, it addresses the needs of a diverse audience. Whether you are a seasoned professional seeking to refine your understanding or a newcomer aiming to grasp the basics, this book aims to equip you with the foundational knowledge necessary to navigate the complexities of compliance.

    As you embark on this journey through The Fundamentals of Compliance, I invite you to engage with this material not just as educational but as a roadmap to excellence in compliance practices. The fundamentals outlined here are intended to be foundational yet adaptable, providing a baseline from which your understanding and practices can evolve as the profession and industry landscapes shift.

    Risk Assessment

    What is a Risk Assessment?

    A risk assessment is a critical element of an effective compliance program. There is a reason the fundamentals start with risk assessments: it is the core on which all compliance programs are built. A risk assessment provides a structured approach to identifying, evaluating, and mitigating risks associated with non-compliance with regulatory and legal obligations. The evolving landscape of regulations across various industries underscores the increasing importance of a systematic and proactive approach to compliance. This introductory section will explore the significance of risk assessments, discuss the evolution of risk management in the context of compliance, and provide basic guidance on how a risk assessment can be designed and executed.

    Foundational to any compliance program is the method by which a risk assessment is conducted. The ability of a compliance professional to objectively analyze rules, regulations, and policy against the subsequent controls allows an organization to determine where compliance risk lives within an organization. What this isn't is a comprehensive risk assessment across a firm. A good compliance program is responsible for conducting a regulatory risk assessment. This means that certain areas (operational risk, market risk, liquidity risk, etc.) should not be included unless covered by a specific rule or regulation. Compliance is responsible for tracking regulatory risk. While it can be combined with other risk assessments, and often is, it should not be the burden of compliance to conduct a risk assessment outside of these areas. This chapter will focus on many different areas of risk assessment: methodology, identifying risk, measuring risk, collaboration, reporting, and regulatory change management.

    A comprehensive risk assessment process enables organizations to not only detect and mitigate existing risks but also to anticipate emerging ones. By understanding the full spectrum of their regulatory obligations, organizations can allocate resources more effectively, implement appropriate controls, and reduce the likelihood of non-compliance.

    This process in a compliance program is truly foundational and should not be taken lightly.  A lot of thought should go into the design and implementation of a risk assessment as it has broad implications across an organization.  Every compliance program should start with a risk assessment. It is the practice that ties all of the other fundamentals together.  Without this step, a compliance program would be considered ineffective at best.  This chapter is the key to this program. Without it, the rest of the Fundamentals of Compliance do not work.  For example, a compliance risk assessment should be used to design and write policies across the organization.  Without the risk assessment, an organization may not have policies for a specific regulatory risk, for example sanctions compliance, and be exposing themselves to potential fines, censures and negative
