Section 7 of the Regulation on Sound Operational Management relating to the Act on the Supervision of Trust Offices (Regeling integere bedrijfsvoering Wet toezicht trustkantoren – Rib) stipulates that trust offices must have a compliance function in place. This Q&A document offers guidance for adequately organising the compliance function.
Compliance Function (internal)
Why should trust offices have a compliance function in place?
The purpose of the compliance function is to ensure compliance with the internal procedures and agreements as well as with statutory regulations. This primarily concerns the rules ensuing from the requirement of having sound operational management, as laid down in the Supervision of Trust Offices Act (Wet toezicht trustkantoren – Wtt) and the Rib. The compliance function prevents the objective of making a profit from coming at the expense of acting according to the internal agreements and procedures that safeguard sound operational management. The compliance function contributes the necessary knowledge and balance between realising commercial objectives and operating within the context of the applicable statutory regulations and the organisation's own standards.
What is the role of the compliance function?
The compliance function is the second line of defence in the Three Lines of Defence (3LOD) model for trust offices. The first line of defence is formed by the staff members responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis, for example the procedures for establishing a customer's or potential customer's identity. The second line of defence is the compliance function. This part of the organisation is independent of the operational units of the trust office and the unit responsible for the internal audit function. The compliance function monitors compliance with the first line-of-defence controls, i.e. with the trust office's internal procedures, actions and agreements as well as with statutory regulations. The third line of defence is the audit function, which is tasked with periodical assessment of the effectiveness of the trust office's organisational structure and of the procedures and measures in place.
How is the compliance function organised?
The compliance function has the following main responsibilities:
- It monitors compliance with statutory regulations as well as with the trust office's own standards. The compliance function closely monitors integrity risks and focuses on preventing involvement with non-ethical conduct by customers or potential customers, e.g. tax evasion and other forms of tax fraud, sanctions regulations evasion, money laundering or terrorist funding. The compliance function independently reports to the management board.
- It plays an active role in customer risk classification.
- It takes on an active monitoring role in service provision to high-risk customers; it monitors these customers and oversees the timely reporting of any unusual transactions.
- It is involved in systematic analysis of integrity risks.
- It has an advisory role in drafting the internal standards, procedures and measures on the basis of legislation and regulations as well as the organisation's internal regulations, and in implementing these.
- It is actively involved in familiarising staff members with the applicable external and internal standards, procedures and measures.
Frequency of activities
The compliance function is involved in customer relations management and service provision to high-risk customers on an ongoing basis. This group is not necessarily restricted to customers designated as high-risk customers on the basis of legislation and regulations, such as politically exposed persons (PEPs), but may also include other customers as a result of the trust office's own, more stringent classification standards.
The compliance function continuously monitors whether the trust office acts in accordance with the applicable internal and external regulations, e.g. by regularly checking a representative random sample of files. The compliance function then verifies whether the external regulations and internal standards, procedures and measures have been complied with and checks that the trust office staff have adequately identified and adequately mitigated all relevant integrity risks.
The compliance function is also permanently involved in reviewing internal standards and education of staff members.
Embedding in the organisation: independent
It is essential that the compliance function should be able to carry out its activities independently and free from pressure. This is why both the compliance function and the audit function are organisationally separate from the operational units and activities they monitor. The management board must be able to fully rely on the control functions. This means that control functions must not be responsible for the activities they are required to monitor.
The Rib stipulates that the compliance function should report its findings directly to the Management Board. If there is an internal supervision body in place, such as a supervisory board, the compliance function should report directly to the supervisory board as well.
There are various models for organising an adequate compliance function. The size and positioning of the compliance function strongly depend on the nature, size, risks and complexity of the trust office's activities. In some cases the compliance function may be fulfilled by a single officer, in others this needs to be a separate department. Under certain conditions, the function may also be outsourced to a third party.
Outsourcing the compliance function
A trust office may outsource the compliance function or part of it to an external compliance officer. In this case too, the statutory regulations continue to apply; the trust office remains responsible for compliance with these regulations.
Outsourcing requires clear agreements about the organisation of the compliance function in order to guarantee its effective performance. A trust office which engages the services of an external compliance officer on paper but rarely or never meets with the compliance officer, or does not implement the external compliance officer's findings and recommendations, is considered not to have an effective compliance function in place and may be in breach of the Rib.
Segregation of duties
Section 7(3) of the Rib stipulates that the compliance function must be an independent function. This means that a staff member responsible for performing compliance activities must not perform those activities that are monitored by the compliance function. Staff members responsible for performing compliance activities must not at the same time perform audit activities that are monitored by the compliance function. It is also not permitted to 'cross-organise' the compliance function at board level: one management board member may not monitor the other management board member's activities and vice versa.
If the trust office outsources the compliance function to a third party, it is not permitted to engage that same third party for the audit function at the trust office. This applies equally to natural persons or a group of legal persons with the same effective owner. A third party performing the compliance function is never permitted to perform the audit function for the same organisation at the same time, not even when these activities are carried out by different members of staff.
It is essential that the staff members carrying out the audit function possess relevant and up-to-date knowledge. Regulations, internal agreements and procedures may change in the course of time, as do the ways in which risks materialise and money laundering and terrorist financing activities develop. Compliance professionals must have up-to-date knowledge of the developments in their field in order to adequately perform their duties.
Neither the Wtt nor the Rib stipulates any substantial requirements for compliance officers. There is no compulsory qualification or certification procedure. This means that the trust office itself must carefully consider whom to engage as a compliance officer and why this person is suitable for this position. The trust office should take the principles described above into account.