The front office control function is a vital part of the first line of defence for financial services companies. Many of our clients are banks looking to establish or enhance existing control and conduct frameworks.
We also work with investment management firms and other financial services companies that are looking to do the same thing. To date, the focus has been directed chiefly at the wholesale banks. But all parts of the wholesale and consumer markets, including buy-side firms, brokers and infrastructure firms, are building out and enhancing their front office control frameworks.
What should it look like?
The Senior Managers and Certification Regime (SM&CR), which will be applicable to all UK financial services firms in 2019, is clear that accountability for front office risks resides with the business and lies with the senior managers and certified staff of the front office. In addition, MiFID II, the Market Abuse Regulation and the Benchmarking Regulations have introduced enhanced expectations with respect to controls in many areas.
In line with regulation, we would absolutely expect our clients to have a robust first line of defence, and that includes an effective front office controls framework. Historically, all too often, firms have relied too heavily on the second and third lines of defence.
We stress to clients that the front office must drive the controls agenda within the first line and connect through into the second line control framework. The front office knows the business, it knows the clients, it knows the key risks, it understands the market impact of misconduct and it understands the motives of those on the desk. It is key that the control agenda is driven by the first line as opposed to a compliance or risk function telling the front office what it should look for.
Today, there is more likely to be a robust first line of defence than there was a few years ago, but gaps still exist and improvement is widely needed. The terminology may vary, as some firms have a chief controls officer while others have a risk and controls officer. In general, all firms have a front office controls function that monitors key risks. We offer expertise in reviewing these functions and ensuring that the control framework is robust, control processes are being followed, any required attestations are being made, and that first line controls are separate from a strong second line of defence.
We would expect clients to have their first line risk assessment, and for purposes of consistency and reporting we would expect to see a collective taxonomy, with consistent methodology and definitions, across an organisation. Additionally, we expect that the first line looks at these risks independently of its second line.
What do we find?
Are we sometimes surprised by what we find? Sometimes, yes. Some have the controls in place but not the proper documentation to show they are operating effectively. Others might have controls that are not functioning properly. Often policies, procedures or reviews might be missing, or the IT configuration has changed and is not working as it should.
But the biggest issue is when relevant controls have not been designed at all. The firm might have identified a source of potential misconduct or abuse within the organisation, but it hasn’t thought about the controls that should be in place to prevent abuse in the first place or detect it quickly. In these instances, we work with the firm to design appropriate controls.
A question of culture
It’s also very important that clients do not rely just on controls. We expect firms to seriously consider culture and conduct. This is key.
We look at three main areas. First, does the remuneration structure reward undue risk-taking and insufficient attention to the needs of the firm’s clients? Secondly, is there consistent messaging about culture from the top of the organisation and senior managers? And, thirdly, are the messages from the top being instilled into daily business practice?
The control framework cannot just be backward-looking either. Firms often focus on past misconduct or current risks, but they should be forward focused and, for example, identify political or regulatory risks on the horizon. Firms should also be looking outward as well as inward when they assess possible risks.
Monitoring and surveillance advice is part of what we offer to clients, covering both front office monitoring and T+1 compliance surveillance, as well as an understanding of the data used. Investment managers are enhancing their surveillance programmes, too. We work across the first two lines of defence to develop policies and put standards and processes in place, recognising that the same data can be used by more than just the front office. And where clients already have these in place, we help to devise enhancements.