Compliance control in an organization: what is it?

As everyone knows, the blind or half-blind pursuit of super-profits led to the inflating of “soap bubbles”, which at some point burst. Subsequently, both regulators and company management bodies began to take the risk management function seriously. And if previously the latter in many companies was reduced to an advisory function, now it is becoming increasingly a control function, when work standards are not only set, but also the proper execution of policies and procedures is monitored.

Meanwhile, modern practices distinguish between several types of risks: financial, operational and business risks. These can be segmented further: financial risks include liquidity and credit risks, operational risks include system and personnel risks, and business risks include strategy and reputation risks. Of course, this is not an exhaustive list, and these risks lend themselves to more detailed classification. But, one way or another, they all have one thing in common: they result in financial losses, including lost profits as a result of insufficient business development, and direct financial costs.

Many managers think about direct costs, since it is often more difficult to part with what you already have than with what you can earn in the future. Therefore, control of business risks, in particular reputational ones, was developed last. On the other hand, if we look at this risk under a magnifying glass, we will see that it can be much more expensive than others.

Causes and Effects

Now let's step back from the previous storyline and turn to realized risks, in other words, problems that arose at enterprises as a result of the occurrence of certain events. Problems come in various sizes, and we very often see information about the largest of them on the front pages of the business press, as well as other media. At the same time, traditionally, many are interested in what will happen to the direct culprits of these events, but not everyone thinks about what measures were taken in relation to those personnel whose inaction or lack of professionalism led to losses.

Almost any incident in an organization means that control in one area or another is not established or it was not done properly. Accordingly, not only the one who committed the violation is to blame, but also the one who did not take all the necessary measures to prevent this from happening. This may indicate the absence or insufficient effectiveness of preventive mechanisms that should counteract the formation of unfavorable situations.

Often, control functions are “adjusted” using the so-called reactive method: system shortcomings identified as a result of a certain event are corrected with “patches” in the form of payment authorization, the “four eyes principle”, etc. Then all interested parties (shareholders, creditors, investors, counterparties and others) are informed that the perpetrators have been found and measures have been taken. And this cycle can be repeated until the company implements risk management that is aimed at preventing such events in advance.

Effective risk management is built on three pillars: “detection” (the ability to identify risks), “prevention” (risk control) and “response” (the ability to act correctly in certain situations). Any control function is aimed at reducing the likelihood of a risk occurring and/or mitigating the consequences if it materializes. Minimizing consequences often means that the organization's employees know what they will do if the risk occurs and how they will continue to operate.

Managing the risk of loss of business reputation

A positive reputation is formed both by the absence of generally known adverse events associated with a person that arose through his fault or as a result of omissions in his activities, and by actions aimed at following legal and cultural norms.

As already mentioned, at this stage of economic development, the time has come to think about the risks of loss of business reputation, as well as to build a risk management system, which boils down to their identification, prevention and response.

In this regard, it is necessary to take comprehensive measures to develop mechanisms that can help minimize the risk of a company’s involvement in processes that could result in not only financial losses, but also a loss of trust from society as represented by regulatory authorities, investors, partners, shareholders, clients, etc. The idea of creating one of these mechanisms arose relatively recently and was called “compliance”.

Over the past few years, this term has become increasingly widespread in the Russian business community. The Russian word is borrowed directly from the English “compliance”, which means conformity with requirements. Compliance activities in an organization come down to the obligation to comply with the internal policies and procedures of the organization, which are developed taking into account local legislation and leading international practices.

Reputation risk management in a company is implemented by developing internal documents and creating conditions in which all employees and other persons working on behalf of the organization will behave in accordance with high professional and ethical standards in relation to both external and internal market participants. Thus, the company acquires and maintains its reputation as a worthy market participant, working with which does not carry additional risks.

Practice of foreign companies

In the global practice of financial institutions, there are many cases where, due to omissions in the field of compliance, an organization lost its clients, counterparties and suffered significant losses. That is why compliance policies have been carried out in foreign organizations for several years now, and we are talking not only about financial organizations, but also about manufacturing enterprises, medicine, trade, government agencies and many other areas.

In many jurisdictions and in various financial institutions, the concept of compliance includes different areas, such as investment compliance (regulating issues of the “correct” and “fair” sale of investment products), tax compliance (regulating issues of maximum compliance with tax laws), principles of fair treatment of clients (Treat Customer Fairly) and Fair Lending Policy, use of personal data, etc. A large number of policies of various kinds, which depend on the specifics of the activities of a particular financial organization, entail differences in the interpretation and content of the compliance function in different jurisdictions and organizations.

Basic compliance policies

There are a number of standard policies that, regardless of geography and/or specifics of activity, are traditionally applied to varying degrees in most organizations:

1. The Code of Corporate Ethics (Code of Corporate Conduct) is, as a rule, a fairly general document that affects almost all aspects of the organization’s activities. It talks about moral and ethical principles, standards of behavior, organizational priorities and employee responsibilities.

2. Policies to combat money laundering and the financing of terrorism are implemented in one way or another in all financial and many non-financial organizations in developed and developing countries. They prevent the penetration of criminal proceeds into the legal sector of the economy and prevent the financing of terrorism. Today, this is one of the most important tools to combat the legalization of shadow income, and it is based on international law and recommendations of international groups.

3. The policy of accepting and giving gifts, invitations to events - its function is to distinguish between the concepts of “gift” and “bribe” / “kickback” or, in other words, to indicate the line after which a gift becomes an offering in order to obtain the opportunity to manipulate an official in your own interests. The presence of such policies is especially relevant in countries where national traditions dictate the need for this kind of interaction with regulatory authorities, partners and contractors. The policy generally does not prohibit gifts, but rather limits their value and establishes procedures to control them accordingly.

4. A policy for reporting violations of ethical standards exists in most Western organizations and regulates the procedure and methods for reporting violations by bank employees (with the right to anonymity), as well as the procedure for subsequent investigation and documentation of these violations. It is worth noting that high-quality implementation of this function is one of the most effective ways to combat violations within the company.

5. The policy governing conflict of interest sets ethical standards for employee behavior when a conflict of interest arises, namely in cases where: the interests of the employee may conflict with the interests of the company; the interests of one client may conflict with the interests of another client, etc. In particular, employees are obligated to help identify and prevent cases of conflicts of interest, and it is also declared that the interests of the company must always be placed above the personal interests of its individual employees.

6. The policy for monitoring the purchase of securities by employees establishes the procedure for monitoring transactions in the securities market by employees of financial organizations. In particular, it may establish restrictions on the purchase of securities of certain companies (as a rule, those with which a given financial organization is currently conducting a transaction), prohibit “short” sales of securities, and also regulate special procedures for approving employees' transactions on the securities market with company officials. The main purpose of this policy is to avoid misuse of working time and official information for personal enrichment, and to protect the organization from accusations of unethical behavior by employees in the securities market (market timing).

7. The “Chinese Wall” policy is necessary to delimit the information field in the activities of an organization, usually the financial sector, in order to prevent conflicts of interest and create conditions for fair competition. This policy is implemented in almost all leading investment companies, where such a distinction is especially important, since the possession of non-public information about someone’s financial condition, investment plans, additional issues may lead to its use, for example, by employees of another department in order to extract additional profit. The erection of this information barrier allows the organization not only to prevent the occurrence of conflicts of interest, but also to serve all clients without restrictions.

8. Policy for interaction with regulatory authorities. The issue of effective and correct interaction with regulatory authorities is very relevant today, since even very law-abiding organizations face a number of practical difficulties in such a situation.

9. The information confidentiality policy governs the non-disclosure of data about clients and their transactions. It implies not only the formation of a general culture for handling client data, but also the organization of storage and compliance with certain standards when processing personal data.

There are also other policies, such as the policy of due diligence of clients, counterparties and suppliers of goods/services; principles for receiving and processing complaints; personnel training policy and other internal documents. Moreover, each organization, due to the objectives set by senior management, shareholders and creditors, can implement additional processes in this area, while creating its own unique compliance control structure.

General principles of compliance

The presence of the above policies alone in an organization does not mean that it has made full efforts to comply with the law and minimize legal and reputational risks. It is necessary to properly structure the workflow so that all potential problems are monitored and resolved in real time.

There are several general principles that must be observed to effectively build a function:

  • The organization's governing bodies should be responsible for ensuring that policies are properly followed and should directly coordinate both compliance activities and the business units. This is one of the most important aspects on which the effectiveness of the entire compliance system directly depends.
  • Often, the implementation of the compliance function encounters resistance from business units, including from the top management of the organization, since it goes against the interests of the business: the compliance service takes measures such as “cutting off” partners and clients with a dubious reputation, banning certain operations, etc. In this case, it is necessary to build the organizational structure in such a way as to provide the compliance service with all the necessary rights and powers, and its personnel must have a high status in the hierarchy of the organization and independence in terms of decision-making.
  • Along with the rest of the organization, proper implementation of compliance policies should be monitored through internal reviews and audits. In this case, it is necessary to separate the internal control functions and the compliance functions, but at the same time, ensure their effective interaction in identifying compliance risks.
  • The personnel responsible for the development and implementation of compliance policies (compliance controllers) must have the necessary qualifications, experience, professional and personal qualities to coordinate the work and development of this area.
  • One of the most common misconceptions is the opinion of organization employees that the compliance controller is the only person in the organization who is obliged to mitigate legal and reputational risks. However, the compliance department is physically unable to monitor all emerging risks on its own, since it often does not interact with the client and does not process the relevant information, and therefore is not able to identify all emerging problems in departments and other issues that fall under the scope of policies. Therefore, it is necessary not only to explain to all employees of the organization, without exception, the formal requirements of the compliance policy, their meaning and consequences of non-compliance, but also to clearly outline the responsibilities of each employee to comply with these requirements. Here, high-quality presentation of information in the form of training, seminars and advanced training is very important - only it gives the corresponding effect.

At the same time, it is important to understand that there is a certain line beyond which the compliance function not only minimizes risks, but also limits business. The areas where compliance risks are least present and where the organization cannot afford to operate should be identified. Drawing this line correctly, without shifting it to one side or the other, contributes to the most efficient organization of the work process, without conflicts with other departments and with minimal risk. At the same time, it is necessary to monitor market trends and changes in legislation in order to adjust this line in a timely manner.

By working in accordance with the above aspects, organizations not only build a reliable compliance process that reduces their reputational risks, but also make it easier for themselves to work with international counterparties, since the presence of policies and an organized compliance process consistent with leading world practices is increasingly among the requirements for establishing partnerships.

If we talk about our market, then in connection with the integration of Russian business into the global economy, there is an obvious need for proper reflection of the world's leading compliance practices in the policies and procedures of local organizations. Proper adherence to the basic principles of compliance and their effective implementation lead to the establishment of the principle of fairness in relations between market participants, minimization of legal and reputational risks, and also directly affect the success and integrity of the organization itself and the well-being of its personnel, which ultimately increases business efficiency.

One of the most important components of management in any organization is a control system called compliance. Translated from English, this word means “compliance with requirements.” It refers to actions to ensure compliance with regulations, constituent documents and other measures aimed at managing all types of risks.

In the banking environment, this term means the timely provision of information to the Bank of Russia, the exclusion of the involvement of banking organizations and their employees in carrying out any illegal activities.

Compliance is a set of specific functions that can be divided into mandatory and optional. The first includes legislative norms, non-compliance with which can lead to penalties and loss of reputation. The second includes management orders and functions, the implementation of which is related to the expectations of partners.

Taking this into account, compliance should be implemented by the security service of a banking organization. However, in practice, a multi-level system is quite common, providing for the distribution of functions between several structural units.

Features of implementing the system in banking organizations

Issues of organizing compliance control in Russian banks are regulated by a number of documents, the most important of which are Bank of Russia Regulations No. 242-P and No. 06-29/PZ-N.

According to these documents, all employees of banking organizations can be involved in implementing the functions of the control system - each within their competence. At the same time, a certain person (manager) must be responsible for implementing the system.

Building a control system in banks, as a rule, pursues several goals:

  • identifying and managing regulatory risks;
  • combating corruption and fraud;
  • compliance with the requirements of legislative acts and international standards;
  • compliance with the rules of corporate conduct;
  • compliance with information security;
  • responding to complaints received from customers.

To implement these functions, various information systems and platforms are used to systematize monitoring and analysis processes.

The issues of automation of compliance control are among the highest priorities for many banks today.

The compliance system requires proper organization of the work process: potential problems must be quickly monitored and resolved in real time.

Basics of Compliance Policy

In most banking organizations, a policy is developed and approved as part of the compliance system.

In particular:

  • corporate conduct policy (a general document regulating standards of behavior and responsibilities of employees);
  • anti-corruption and anti-terrorist financing policy (a document designed to prevent the penetration of ill-gotten gains and the financing of terrorist organizations);
  • policy for accepting and giving gifts (this policy is aimed at distinguishing between gifts and bribes given to employees of banking organizations);
  • policy aimed at regulating conflicts of interest (sets certain standards of behavior when a conflict of interest arises);
  • policy for control of transactions and acquisition of securities;
  • policy of interaction with supervisory and regulatory authorities (designed to ensure effective interaction and minimize possible difficulties);
  • policy for receiving and responding to customer complaints;
  • policy of proper identification of clients;
  • policy of confidentiality and non-disclosure of data that may cause harm to the organization.

These are only general directions that can be supplemented by other activities in each specific organization.

Principles of compliance control in banks

The task of the compliance controller is to organize an internal control system.

The manager responsible for implementing the system, together with other employees, organizes work to comply with external and internal requirements, identify risks and manage them.

The compliance control system is based on the following principles:

  • the bank's compliance policy must be approved by the board of directors, which must periodically evaluate its effectiveness (the overall result depends on this);
  • the manager responsible for implementing the system must have a fairly high status (this may be a member of the executive bodies, or a person directly subordinate to the manager);
  • the bank must allocate a sufficient amount of resources necessary to perform the functions of compliance control;
  • the manager responsible for implementing the system must organize staff training on compliance control issues;
  • some compliance control tasks can be performed by outsourcing, but in this case they must be controlled by the responsible manager and bank management.

The implementation of compliance functions may encounter some resistance within the organization itself, since the manager may make decisions to cut off dubious partners and clients, which may contradict (at first glance) the financial interests of the organization.

But at the same time, compliance control is aimed at protecting the reputation of a banking organization, and therefore its financial success. In addition, the implementation of the system simplifies work with international partners, since their requirements often include the presence of a compliance policy, which is the norm in many countries.

What is compliance control? This is a financial risk management practice that is new for Russia. Our students were lucky enough to learn first-hand why top management and staff are checked for loyalty, and how compliance is related to ethical standards and affects the reputation of the corporation. Representatives of OJSC Uralsib were invited to speak as part of the “Open Lectures” program.

Compliance (English: agreement, compliance) is internal control over the compliance of the company’s activities with the law. Its main goal is to eliminate the risk of loss of profit. Such losses include fines, damages, or failure to fulfill contracts. At the same time, compliance risks can lead to a deterioration in reputation, limited business opportunities, or a reduction in the customer base.

Irina Katysheva, Head of the Compliance Service of URALSIB OJSC, noted why it is important to purposefully create a culture of compliance with laws in the company.

“Everyone wants their employees to be loyal and decent,” says Irina Katysheva. – Every tenth person can become a fraudster if he has the opportunity and appropriate motivation. Therefore, compliance must create such an ethical culture in the company so that there are no temptations and people honestly fulfill their responsibilities. And for this it is important to organize business processes that comply with legal requirements. Compliance risks should be minimal.”

Irina Katysheva listed the areas in which compliance works:

  • code of ethics (standards of official conduct);
  • hotline for collecting information about violations;
  • “Chinese walls” in organizing business processes;
  • professional activity in financial markets;
  • countering the misuse of insider information and manipulation in the securities market;
  • combating money laundering and terrorist financing. The banking principle of KYC is “Know your customer”;
  • anti-corruption and abuse control;
  • information security.

    Questions from students

    — What control methods does compliance use?

    — First of all, this is prevention. Control during hiring, corporate training of personnel, approval of documents, payments, transactions, etc. We carry out ongoing control, including analysis of transactions, operations, telephone conversations and client activities. Our area of responsibility includes comprehensive checks in the organization of business processes and claims work. Investigations into customer statements and messages from employees via the hotline are also the competence of compliance.

    — What are the pros and cons of your work?

    — We identify shortcomings in people, as well as in the management system as a whole, we see unpleasant things. We have to collect a lot of information about employees and candidates for a particular position. The positive thing about our work is that when you are right, they believe you and the risk is averted. For example, when they did not receive a fine or license revocation. Then this is recognition and respect.

    - Who do you report to?

    — We work not for top management, but for the business owner. We are a service directly reporting to the shareholder, who must receive objective information “on the table” from us. Independence from top management is important.

    — To minimize risks, we began to use psychometrics. What methods do you use?

    - I can’t say that all this works. We also use a polygraph. Everything can be fooled: both a test and a lie detector. Therefore, as a manager, I communicate a lot, talk with employees, and use the socionic method. For example, you need to understand that there are “conflict” people. You must define them. There are people who are not suitable for each other at work. You also need to be able to identify this.

    — What qualities and knowledge do you need to have to work in compliance?

    — If you want to be a professional in this field, you need to be a specialist in different fields. Communication skills, the ability to obtain information, analyze, and clearly see the result of your work are very important. Naturally, it is necessary to know the legislation well. The task of compliance is not just to understand it, but to apply the rules so that they work. But you must also know the entire business in which you work. Know what business process you regulate. You need to have a systemic view.

    Anti-corruption in business

    Another guest speaker at the Open Lectures explained why compliance is related to corruption and how private companies fight it.

    “Kickback is the most common violation in Russian companies. According to 2014 data, 74% of all types of fraud are kickbacks,” says Roman Esin, director for anti-corruption issues of the Compliance Service of Uralsib OJSC. – “Commercial bribery is widespread and is still an integral part of the business environment. Therefore, it is important to change the mentality and culture of people, including using appropriate legislation.”

    The most significant consequences of corruption are reputational damage and financial loss. How do private companies build control over corruption risks? The COSO (Committee of Sponsoring Organizations of the Treadway Commission, USA) model is used.

    “The compliance hotline is important,” noted Roman Esin. – People who are loyal to the company should have a channel for informing the internal control service. They can call anonymously and report violations.”

    Prevention is an equally important area in working with personnel. Rules of business ethics, training programs, hiring procedures, and information about what a “conflict of interest” is are being developed. Gifts are also subject to compliance control:

    “The practice of giving gifts is widespread in Russia,” says Roman Esin. – If two main signs are not observed – “free of charge” and “ordinary”, then at some point it can become a bribe. We send employee handouts outlining what is acceptable and what is not. For example, the cost of a gift should not exceed 3,000 rubles. An expensive gift must be included in the registry. It indicates from which counterparty, what gift and for what amount. Participation in this procedure indicates the loyalty of the employee. The memo specifies business hospitality events in which you can or cannot take part. Business breakfast, lunch and dinner are acceptable. It is unacceptable to participate in entertainment activities that could be considered indecent or negatively affect the bank’s reputation (for example, nightclubs, gaming halls).”

    From the history

    In 2009, Federal Law No. 273-FZ “On Combating Corruption” was adopted. Significant regulatory and systemic support was received in the public sector:

  • International anti-corruption conventions have been ratified;
  • anti-corruption legislation has been developed;
  • institutions have been created to coordinate anti-corruption tools.

    In 2013, the vector of development turned to private companies. Article 13.3 (Law No. 273-FZ) came into force, according to which private companies can take additional measures in the fight against corruption:

  • identify officials responsible for the prevention of corruption offenses;
  • develop and implement standards and procedures aimed at ensuring the integrity of the organization;
  • adopt a code of ethics and professional conduct for employees of the organization;
  • prevent and resolve conflicts of interest;
  • prevent the preparation of unofficial reports and the use of false documents.

    The “Open Lectures” project is implemented by the Institute of Higher Professional Education of the Moscow State University of Medicine of the Moscow Government. A space is created for university students to discuss current topics, exchange opinions and get acquainted with new management practices. Mikhail Barshchevsky, Sergei Andriyaka, Igor Mann and other famous figures from Moscow spoke as part of the project.


    In the difficult conditions of the Western sanctions policy against our country, compliance control is becoming one of the important tools in the banking sector management system. What is compliance? What do foreign business partners pay attention to when they talk about compliance procedures in Russian companies? And what benefits do they provide? Let's try to figure it out.

    History of appearance

    It all started with Russia's accession to the WTO (World Trade Organization). There have been many changes that are invisible to the naked eye. For example, domestic companies and organizations began to be subject to international regulations on the implementation of standards for combating money laundering, corruption, financing of terrorist organizations and other areas of the compliance system (what compliance is will be discussed below).

    What is compliance?

    This is compliance by commercial organizations with laws, standards and rules in force in the country aimed at preventing corruption. In other words, compliance is the compliance of the activities of any organization with a set of codes and rules that are provided by the regulators of the relevant sector of the economy. Today, having a compliance control system in an organization is a necessity when doing business to prevent risks (in particular, raider attacks) and protect the company’s reputation. That is, this is a kind of foundation on which the control system of any organization is built, and one of the most important parts of management.

    Modern realities are such that failure to comply with compliance rules leads to loss of business. However, adjusting this system to internal regulations and rules is actually extremely difficult.

    What's the point?

    Any modern organization involves, in the course of its activities, several types of control over technical, human and in order to comply with standards and requirements. They are formed during the creation of an enterprise by drawing up statutory documents and developing principles for managing organizations. But as business processes become more complex and the enterprise “matures,” it becomes increasingly difficult to comply with established norms and rules.

    The growth of technological processes, expansion of the range of products and the introduction of new ones, increased efficiency, and expansion of staff require a complex management system.

    Why comply?

    On the one hand, you can show good results, but on the other hand, you can fail inspection by regulatory authorities and receive serious fines and other troubles. This is the so-called regulatory risk, which leads to a loss of market share, a decrease in demand, sales volumes, etc. In parallel with this, there are also For example, in the event of a decrease in financial activity indicators, the borrower may request to repay the debt ahead of schedule.

    It turns out that the rules and regulations that initially appeared in the organization must be observed. And we also need a person responsible for ensuring that for a new norm or rule that has arisen, before they begin to be applied, technology is introduced that makes it possible to continue business development, but in compliance with the introduced norms and requirements. In foreign countries, this function is performed by a special compliance manager.

    Requirements for system documents

    Any new order or regulation must go through a number of stages before implementation. These are:

    • Appearance (project development).
    • Approval (signing of the drawn up document).
    • Entry into force.
    • Transformation (planned or sudden change in parameters).
    • Cancellation of a document (with the appearance of a new one or for another reason).

    Forming new types of activity for the organization by analogy with existing ones is the task of the manager responsible for compliance (the English word means conformity, observance, consent). This means that this employee must have a wide range of skills, abilities and knowledge, participate in creating the documentary base and oversee staff training. He can also argue for additional budgetary expenses for the implementation of a new administrative document, if necessary.

    Definition of compliance for the banking industry

    In this branch of business, the concept of “compliance” involves providing information to the parent organization, the Bank of Russia, within a strictly specified time frame, as well as excluding the involvement of financial and credit organizations and their employees in any type of illegal activity.

    What is compliance control in banks? This is a set of specially defined functions that are divided into mandatory and optional. The first include legislative norms, non-compliance with which leads to loss of reputation and almost always to penalties. The second group includes orders from the organization’s management and functions, the implementation of which is related to the expectations of business partners.

    Taking into account the described features, the security service should be in charge of managing the compliance system in the bank. But in reality, this system is almost always multi-level, so most of its functions are distributed between structural divisions.

    Features of implementation

    Compliance control in Russian banks is regulated by Bank of Russia Regulation No. 242-P, No. 06-29/PZ-N and a number of other documents.

    They indicate that every employee of a credit institution must be involved in performing the functions of this system within the limits of their job descriptions and competence. A separate employee is responsible for the implementation of the system.

    The construction of the system pursues the following goals:

    • Combating fraud and corruption.
    • Identification of risks associated with non-compliance with external (internal) standards (these are compliance risks).
    • Compliance with the requirements of international standards and Russian legislation.
    • Response to complaints received from customers.
    • Compliance with information security principles.

    To implement the described functions, banking organizations must use personal information systems and platforms that make it possible to systematize the process of monitoring and subsequent analysis.

    The task of automating compliance control in banks (what it is - described above) is currently a priority for most banks. In addition, this system requires a clear organization of the company's activities - potential problems must be identified and resolved in real time and as quickly as possible.

    Principles of the banking compliance control system

    The person responsible for implementing the system in the bank (the manager) engages employees and organizes the work of complying with external and internal rules and requirements and of identifying compliance risk (this is a priority task in compliance control).

    The basic principles of the system are as follows:

    • The compliance policy implemented by the bank must be approved by the board of directors, which, in turn, evaluates its effectiveness at certain intervals.
    • The organization is obliged to allocate the required amount of resources to the system.
    • The manager responsible for the operation of the system is obliged to organize training for personnel involved in compliance (what compliance is was described above).
    • The person responsible for the implementation and operation of the system must have a high status in the company (for example, directly report to the manager or be a member of the executive bodies).
    • Some of the tasks of compliance control can be performed through outsourcing (in this case, control is exercised by the responsible manager or head of the banking organization).

    The implementation of the system's functions sometimes encounters resistance within the bank. Most often this arises from, for example, a decision to cut off one or more untrustworthy partners or clients, which at first glance contradicts the financial interests of the banking organization.

    But at the same time, the work of compliance (translated from English, as mentioned above - compliance, observance, agreement) is aimed at protecting the bank’s reputation, and therefore, its financial success. Plus, the introduction of this system simplifies interaction with partners from abroad, since the main point among their requirements is the presence of a compliance policy, recognized as the norm in almost all countries.

    Compliance policy

    Almost every banking organization develops one. It consists of the following policies:

    • Corporate conduct (that is, a general document designed to regulate the behavioral standards and job responsibilities of employees).
    • Combating money laundering and the financing of terrorist organizations (a document designed to prevent the penetration of funds acquired or earned through dishonest means and the financing of terrorism).
    • Resolving conflicts of interest (documents setting behavioral standards in the event of a conflict of interest).
    • Interaction with regulatory and supervisory authorities (minimizes possible difficulties and ensures effective and complete interaction).
    • Control of transactions and purchases of securities.
    • Receiving complaints from customers and taking countermeasures.
    • Data confidentiality and non-disclosure (so as not to cause harm to the organization).
    • Proper client identification.

    The list is quite general. Each organization has the right to add or remove any of the described items.

    Compliance at Sberbank

    In one of the largest banking organizations in the country, every employee is involved in the implementation of compliance functions within the limits of their job description.

    Implementation of the functions of this system requires automation of all banking processes. Sberbank actively cooperates with CIO offices for this purpose. An example is an Oracle-based IT platform. It makes it possible to systematize state processes and optimize the structure of the bank organization.

    Several years ago, a law came into force according to which all banking organizations in the world are required to transfer to the American Tax Service all data on the accounts of its taxpayers. Sberbank has introduced such a product and will further adapt it to the Russian market.

    Magazine: Svetlana Viktorovna, what is compliance and why is it needed?

    Afanasyeva S.V.: The word compliance itself is a Russian derivative of the English compliance, which means “compliance”. Compliance is internal control over the compliance of an enterprise’s activities with legislation.

    Its main goal is to eliminate the risk of loss of profit. These include fines, damages, or failure to fulfill contracts.

    At the same time, compliance risks can lead to a deterioration in reputation, limited business opportunities, or a reduction in the customer base.

    Magazine: What is needed to organize compliance control?

    Afanasyeva S.V.: The main thing in launching compliance at an enterprise is the decision of the enterprise management to work honestly and openly.

    Of course, one cannot do without the development and implementation of a compliance policy, as well as monitoring the implementation of the developed compliance requirements.

    The workflow must be organized in such a way that all potential problems are tracked and resolved in real time.

    Magazine: What is the compliance policy?

    Afanasyeva S.V.: There are a number of standard policies that, regardless of the specifics of the activity, are traditionally used to one degree or another in most organizations:

    The Code of Corporate Ethics (Code of Corporate Conduct) is, as a rule, a fairly general document that affects almost all aspects of the organization’s activities. It talks about moral and ethical principles, standards of behavior, organizational priorities and employee responsibilities.

    Policies to combat money laundering and the financing of terrorism are implemented in one way or another in all financial and many non-financial organizations in developed and developing countries. It prevents the penetration of criminal proceeds into the legal sector of the economy and prevents the financing of terrorism.

    The policy of accepting and giving gifts, invitations to events - its function is to distinguish between the concepts of “gift” and “bribe” / “kickback” or, in other words, to indicate the line after which a gift becomes an offering in order to obtain the opportunity to manipulate an official in your own interests. This policy generally does not prohibit gifts, but does impose limits on their value and implement procedures to exercise appropriate control.

    The Ethics Reporting Policy governs the manner and means of reporting violations by employees of the enterprise (with the right to anonymity), as well as the subsequent investigation and documentation of these violations. High-quality implementation of this function is one of the most effective ways to combat violations within an enterprise.

    The policy governing conflict of interest sets ethical standards for employee behavior when a conflict of interest arises, namely in cases where: the interests of the employee may conflict with the interests of the enterprise; the interests of one client may conflict with the interests of another client, etc. In particular, the employees of the enterprise are obliged to help identify and prevent cases of conflict of interest, and it is also declared that the interests of the enterprise must always be placed above the personal interests of its individual employees.

    The policy for monitoring the purchase of securities by employees establishes the procedure for monitoring transactions in the securities market by employees of financial organizations.

    In particular, it may establish restrictions on the purchase of securities of certain enterprises (as a rule, those with which a given financial organization is currently conducting a transaction), prohibit “short” sales of securities, and also regulate special procedures for the approval of employees' transactions on the securities market with officials of the organization. The main meaning of this policy is to use it to avoid misuse of working time and official information for the purpose of personal enrichment, and to protect yourself from accusations of unethical behavior of employees in the securities market (market timing).

    The “Chinese Wall” policy is necessary to delimit the information field in the activities of an enterprise, usually the financial sector, in order to prevent conflicts of interest and create conditions for fair competition.

    This policy is implemented in almost all leading investment organizations, where such a distinction is especially important, since the possession of non-public information about someone’s financial condition, investment plans, additional issues may lead to its use, for example, by employees of another department in order to extract additional profit.

    Note!

    The erection of this information barrier allows the organization not only to prevent the occurrence of conflicts of interest, but also to serve all clients without restrictions.

    Policy for interaction with regulatory authorities. The issue of effective and correct interaction with regulatory authorities is very relevant today, since even very law-abiding enterprises face a number of difficulties in such a situation.

    The information confidentiality policy governs the non-disclosure of data about clients and their transactions. This policy implies not only the formation of a general culture for handling client data, but also the organization of storage and compliance with certain standards when processing personal data.

    There are also other policies, such as the policy of due diligence of clients, counterparties and suppliers of goods/services; principles for receiving and processing complaints; personnel training policy and other internal documents.

    Moreover, each enterprise, due to the objectives set by senior management, shareholders and creditors, can implement additional processes in this area, while creating its own unique compliance control structure.

    Magazine: If all the policies you mentioned are developed, can we assume that the enterprise has fully protected itself?

    Afanasyeva S.V.: The presence of the previously mentioned policies alone does not mean that the company has made every effort to comply with the law and minimize legal and reputational risks. Implementation is needed.

    Often, the implementation of compliance control encounters resistance from business units, including from the top management of the organization, since it goes against the interests of the business: the compliance service takes measures such as “cutting off” partners and clients with a dubious reputation, banning certain operations, etc. In this case, it is necessary to build the organizational structure in such a way as to provide the compliance service with all the necessary rights and powers, and its personnel must have a high status in the hierarchy of the organization and independence in terms of decision-making.

    Magazine: Do I understand correctly that the compliance controller is the only person who is responsible for reducing the compliance risks of an enterprise?

    Afanasyeva S.V.: You are wrong. By the way, this is a fairly common misconception. For example, the same opinion is often shared by employees of an enterprise where compliance is being implemented.

    The compliance controller is physically unable to monitor all emerging risks on his own, since he often does not interact with the client and does not process the relevant information, and therefore is not able to identify all emerging problems in departments and other issues covered by policies.

    Therefore, I recommend that the compliance controller not only explain to all employees of the organization the formal requirements of the compliance policy, their meaning and consequences of non-compliance, but also clearly outline the responsibilities of each employee to comply with these requirements, thereby establishing the responsibility of each employee of the enterprise. Staff training is also required.

    Perhaps, for this you should use the services of specialized training and consulting centers that can organize high-quality information in the form of seminars and advanced training for all employees of the enterprise.

    Magazine: Thank you for the informative conversation!

    Afanasyeva S.V.: Thank you! I will be glad to meet you again!

    Source: https://ukcabb.info/a163021-chto-takoe-komplaens.html

    Compliance clause in dealer agreements: risks and consequences of implementation

    The active adoption of internal compliance policies by both foreign and Russian companies today inevitably leads to the emergence of new instruments for regulating business relations, which in turn gives rise to a number of legal issues in the area of application of such instruments.

    One of the tools for regulating contractual relations in the field of compliance is the compliance clause.

    By its nature, a compliance clause, as a rule, establishes assurances and guarantees by the parties to the agreement that they will refrain from violating applicable law, from bribery, commercial bribery and illegal payments, as well as from committing other illegal acts that may lead to a violation of the applicable law by one of the parties.

    The most important!

    In practice, one of the consequences of violating the compliance clause is the exercise of the party’s right to unilaterally refuse to perform the contract.

    If we talk about dealer agreements, then such a construction of the application of a compliance clause leads to the emergence of a number of legal risks.

    Risk of recognition of unilateral refusal of the contract as illegal

    A dealer agreement, although not named in the Civil Code of the Russian Federation today, can be qualified differently by the court. One way or another, a dealer agreement is mixed in nature and may contain elements of supply, agency, commercial concession, organizational elements, and others.

    The problem of qualifying dealer agreements leads to the risk of uncertainty about the admissibility of unilateral refusal to fulfill the agreement in the event of a violation of the compliance clause.

    Thus, if the dealer agreement contains elements of a supply agreement, a unilateral refusal to execute it will be possible in the event of a significant violation of the agreement according to the rules of Art. 523 Civil Code of the Russian Federation.

    In this case, a violation of the compliance clause may not be recognized as a material breach of the contract, which in turn will not lead to the interested party having a legal right to unilaterally refuse to perform the contract.

    A negative consequence of a unilateral refusal to fulfill a dealer agreement in the event of a violation of the compliance clause may be the filing of a claim to compel the fulfillment of contractual obligations.

    For example, if, as a result of violation of the compliance clause, the distributor suspended the fulfillment of its supply obligations, or completely unilaterally terminated the dealer agreement, one of the negative consequences may be the presentation of demands from the dealer to force the resumption of supplies and compensation for losses.

    Helpful advice!

    One of the options for solving this problem may be a partial unilateral refusal to fulfill the dealer agreement, which is permissible according to the rules of Art. 523 Civil Code of the Russian Federation. In case of violation of the compliance clause, the dealer may be deprived of dealer status while retaining the right to supply. However, this model is not always positive for the distributor.

    Antitrust risks

    The inclusion of a compliance clause and the exercise of the right to unilaterally refuse to enter into a dealer agreement in the event of its violation can be qualified as the imposition of unfavorable conditions on the counterparty by an economic entity occupying a dominant position in the market.

    This risk is due to the fact that the list of criteria allowing to qualify the terms of the contract as unfavorable for the counterparty in the sense of the Law “On Protection of Competition” is open. Under such circumstances, the inclusion of a compliance clause may be regarded by the antimonopoly authority as an abuse of a dominant position.

    This risk is also due to the fact that when a violation of a compliance clause is included in the contract as a basis for its unilateral termination, the very fact of the presence or absence of such a violation and its significant nature can be determined at the subjective discretion of the person occupying a dominant position in the market.

    In any case, the qualification of a compliance clause largely depends on its content, which allows us to talk about positive opportunities for minimizing this risk.

    In addition, to justify the legality of the compliance clause, an economic entity occupying a dominant position in the market has the right to provide evidence that its actions are permissible in the sense of the Law “On Protection of Competition”.

    Source: https://zakon.ru/blogs/komplaens_ogovorka_v_dilerskix_dogovorax_riski_i_posledstviya_realizacii/5689

    Anti-corruption clauses in the contract

    Anti-corruption clauses included in supply contracts, other distribution agreements or joint venture agreements are now becoming increasingly important.

    The ultimate goal of a company resorting to the use of such clauses is to protect against “corrupt behavior” of business partners and to avoid possible risks of administrative penalties and damage claims, as well as, in some cases and to the greatest extent, damage to the enterprise's image.

    Most of these clauses essentially contravene statutory provisions regarding general terms and conditions or other requirements of German law, especially data and information privacy laws. However, the use of “softly” structured, i.e. moderate and correctly structured anti-corruption clauses can help, if not avoid, then at least reduce legal risks to a minimum.

    Essence of the question

    Points and provisions of the contract - reservations (clauses) - within the framework of which the parties undertake obligations to come into compliance with and further comply with legislative provisions - in particular, anti-corruption and competition law - are becoming increasingly common in the business environment.

    Unlike in Anglo-American law, until the final type of anti-corruption clause was developed (referred to in some cases in a generalized form as a “compliance clause” if they are related to other areas of law enforcement), such clauses were rarely found in German legal practice. Nevertheless, the globalization of business activities and inextricably linked financial transactions, coupled with the Napoleonic plans of the United Kingdom of Great Britain and Northern Ireland and the United States of America to develop anti-corruption legislation, had a decisive influence on the development of this area.

    For example, Article 7 of the UK Bribery Act provides for the imposition of an unlimited fine on any entity in the event that a person associated with it offers/gives it a bribe, and the said entity does not take due measures to implement adequate procedures to prevent this kind of corrupt behavior.

    Should such situations arise, the UK Ministry of Justice Guidance prescribes the use of contractual anti-corruption standards within the supply chain as an adequate preventative procedure.

    The United States Foreign Corrupt Practices Act, jointly promulgated by the Securities and Exchange Commission (SEC) and the Department of Justice, recommends the use of compliance standards when reviewing the activities of business partners.

    Note!

    In 2012, the International Chamber of Commerce (ICC) developed and published the text of its own model anti-corruption clause.

    The text of the analytical materials accompanying the clause encourages enterprises to incorporate the proposed clause into the texts of their agreements and contracts in order to reduce corruption risks in relation to agents, consultants, distributors, contractors, suppliers and joint venture parties.

    Risk of invalidity of the reservation

    In most cases, anti-corruption clauses oblige the economically weaker party to the agreement to comply with a number of provisions and standards. Such policies often entail compliance with supplier codes of ethics or at least foreign statutory law (e.g., see the UK Bribery Act).

    In case of violation, the other party to the agreement has the right to terminate the contract or demand compensation for damages. In addition, in case of suspected violations by one of the parties, the other party may be granted auditing rights.

    In most cases, control rights do not meet the strict standards of the Federal Republic of Germany regarding the protection of data secrecy. Moreover, general contractual obligations to comply with certain provisions and standards often constitute an unreasonable hardship for the other party and are therefore invalid under German national law. So, for example, a situation in which one of the parties to a contract is obliged to comply with a number of foreign legal norms (e.g., see the UK Bribery Act) can be characterized as an unreasonable hardship, even when in certain cases the norms are not prescribed for execution at the legislative level. Likewise, a widely accepted provision that requires a supplier to bind its sub-suppliers regardless of the extent or nature of their breach is likely to be invalidated if it falls under the category of general terms and conditions.

    A provision of a contract may be characterized as a general provision (condition) if it was not specifically agreed upon in advance between the parties when concluding the contract, and the party intending to use this provision did not intend to discuss its application with its business partner.

    Anti-corruption clauses are a necessary element of the overall compliance system

    Against the backdrop of the fact that enterprises and directors are responsible not only for violations of employees, but also, in some cases, for violations of their partners, the use of moderate, average anti-corruption clauses is only recommended, but not prescribed.

    Such clauses can be a meaningful addition to the overall compliance system as long as the risk of their invalidity is taken into account.

    Clauses can help raise awareness of the need to meet certain standards.

    The most important!

    In this regard, an extremely “sensitive” point for the provision of the agreement may be an unambiguous requirement in terms of compliance with a number of statutory rules in relation to the right to cancel the agreement.

    In particular, medium-sized companies - a key part of the German industry - until now have not had the opportunity to fully familiarize themselves with the issue of compliance, and thus often have no idea about the legal prerequisites of legislation regarding corruption crimes and competition.

    Moreover, compliance clauses have the extremely important “side effect” - at least compared to other compliance measures - of reducing the risk of imposing personal liability on the director for possible regular violations, be it corrupt behavior or price fixing, that occur at the level of the company's subordinate employees.

    This provision applies in particular to liability in the form of administrative penalties under sections 130 and 30 of the Law on Administrative Offenses (OWiG – Ordnungswidrigkeitsgesetz) and - in the case of members of the executive body of a company - to civil liability under section 43(2) of the Law on Limited Liability Companies and Article 93(2) of the Law on Joint Stock Companies (Aktiengesetz).

    In order to reduce the risk of liability, such clauses should be accompanied by other elements of an effective compliance system (thorough due diligence of the business partner, training courses, frequent audits).

    To apply or not to apply?

    Even in cases in which the anti-corruption clauses included in the text of the agreement are likely to be invalid if a dispute arises, the parties to the agreement to which they relate must take them seriously. The validity of such provisions depends on individual cases, the outcome of which can only be determined by a court.

    Moreover, German law regarding general terms and conditions does not apply in all cases (i.e., if the agreement is not primarily governed by German law, or if the clause was agreed between the parties and therefore does not fall within the definition of general terms and conditions).

    Anti-corruption clauses should be the subject of legal analysis for each of the parties to whom they apply, and especially if they oblige one party to impose duties or obligations on its own business partners in the supply chain.

    All this has the effect of spreading the risk of liability and thus is extremely beneficial for the most affected party. However, parties to the agreement should refrain from applying such clauses to business partners.

    Only a legal analysis will help bring complete clarity to this issue.

    Helpful advice!

    In most cases - from the point of view of the economically weaker party - it is at least not so scary to try to revise a specific clause rather than it ultimately being invalid, thereby transferring personal liability to another business partner (http://www.worldbiz.ru).