Studi e Note di Economia, Anno XIV, n. , pagg. - GruppoMontepaschi

The compliance function and the evolution of the internal structure of Italian banking intermediaries*

MANUELA GALLO**

The Basel Committee document, Compliance and the compliance function in banks, published in April 2005, introduces an independent function within the bank's organisation for the identification, evaluation and monitoring of compliance risk. Compliance activity was introduced for the first time in Italy with the consultation document of the Bank of Italy of August. Compliance is considered a primary function of the system of internal controls. This work is directed toward the analysis of the evolution of the internal structure of the banks operating in Italy following the introduction of the compliance function; through an analysis of the results of an empirical survey, we attempt to identify the roles and responsibilities of the main functions involved in the internal controls process, in order to determine any overlapping areas. (J.E.L.: G21, G28, G32)

1. Introduction

In Italy 68% of intermediaries conduct compliance activities; among these, two-thirds have created a special unit for the management of compliance risk, while one-third conduct their compliance functions through pre-existing units. Among the companies that have assigned the compliance function to a pre-existing organisational unit, almost 70% refer to Internal Auditing, despite the indications supplied by the Basel Committee and by national supervisory authorities regarding the need for special compliance units, placed under the oversight of internal auditing. These units must be independent and autonomous, equipped with adequate investigative powers, suitable structures and human and financial resources (Nadotti and Gallo 2006).

These considerations lead one to believe that, in the short term, it is very likely that we will witness an internal restructuring of those intermediaries who still assign the function of conformity verification to pre-existing units, with the intention of adapting to regulation and of guaranteeing the harmonisation of the instruments and the existing structures. Even when compliance functions are managed through a specially created structure, it will be necessary to carefully and clearly identify the responsibilities and competences assigned to it, as well as its consequent placement within the business structure and the related hierarchical and collaboration relationships. In fact, it should be kept in mind that the typical features of compliance risk place the related function in a transversal position in the banking activity, involving the usual activity of risk management and of internal controls and so creating the problem of coordinating the new control instruments with the already existing ones, according to the various business realities [1]. In this regard, Hinna asserts that "the real risk is that the control system is not a system but a simple summation" (Hinna 2006), that is to say that the concept of compliance risk must be considered in a broader meaning than that usually proposed, considering that it includes not only the risks deriving from a lack of an effective defence of all the exposed areas, but also those produced by deficiencies in the coordination of the instruments and structures put in place to defend against the risk itself. Various empirical surveys (Nadotti and Gallo 2006; Pizolli 2006; KPMG 2006; Sda Bocconi 2008) have also shown that the introduction of the compliance function in pre-existing units has led to significant changes within the host structures; these changes have mainly concerned the broadening of operational and regulatory responsibilities, to different degrees in relation to the structure, the size and the objectives pursued by each business.

* Paper accepted in August.
** Università degli Studi di Perugia, Facoltà di Economia, Dipartimento di Discipline Giuridiche e Aziendali.
If, on the other hand, one considers that the development of the functions of internal control has often occurred as a reaction to clamorous financial scandals involving the banks, exposing the fragility of the control mechanisms adopted and consequently leading to the creation of a certain number of functions for which the division of tasks is not always clearly defined, one can easily understand why attention must be paid to possible areas of overlap between compliance activities and the other internal control functions, in particular those of internal auditing. The objective of this paper is to bring to light the risks of inefficient processes and of any duplication of costs that can emerge from the co-presence of activities whose boundaries of competence and whose responsibilities are not yet clearly defined, but which are characterised by the presence of broad grey areas [2]. This reasoning is strengthened by the consideration that the application of the new national directives (the law on savings, Law 231/2001, the document of the Bank of Italy on compliance and the supervisory provisions concerning banks' organisation and corporate governance, and the joint document of the Bank of Italy and Consob in application of art. 6, com. 2-bis, TUF), as well as of European Community directives and of the documents issued by the Basel Committee (Mifid and its implementing directives, the New Basel Agreement, regulation of the compliance function), will determine a need for change and for considerable adaptation efforts. On the one hand, these efforts should be directed toward evaluating the reasons for savers' growing lack of confidence in the work of the banks and, as a consequence, toward orienting the banking organisation to the achievement of more solid fiduciary relations; on the other hand, banks will have to show a preference for the pursuit of internal stability and the containment of costs deriving from non-compliant behaviour. In this new vision of banking activity, corporate governance, the system of internal controls, and operational and decision-making practices must be organised in coherence with company objectives, keeping in mind the valorisation of the reputation requirement and guaranteeing the functionality and independence of business bodies, the capillary diffusion of a shared system of values, respect for the law and the valorisation of an effective and efficient compliance function (Pisanti 2006).

[1] The Bank of Italy, in its document on compliance, affirms that: "the compliance function collaborates with various other business functions (internal auditing, operational risk management, the legal function, organisation, the vigilance body identified in accordance with Law 231/2001, etc.) with the intent to develop its own methodologies for risk management in ways that are coherent with company strategies and operativeness, delineating processes that comply with external regulations and giving consulting aids" (Banca d'Italia, 2007: 7).
Along these lines, in fact, Tarantola [3] asserts that corporate governance and the system of controls are two aspects of banks' organisation that integrate each other and contribute to improving the banks' functioning; corporate governance is defined as the set of regulations according to which a bank is governed, managed and controlled (Tarantola 2008, p. 2). In this new vision of the bank's activity, the management and the control function are responsible for ensuring compliance with law and regulation (Banca d'Italia and Consob 2007, capo II, art. 6). The document of the Bank of Italy and Consob confirms the necessity of an independent compliance function in the internal control system (Banca d'Italia and Consob 2007, capo II, art. 12); in fact, while, in particular conditions, the presence of the risk management and internal audit functions is not required in the bank's organisation, the compliance function must always be present (Banca d'Italia and Consob 2007, capo II, art. 12, com. 3, 4, 5). As has often been repeated, the principle of compliance independence, enunciated by the Basel Committee and repeated by the Bank of Italy and Consob, does not in any way preclude the possibility and utility of close collaboration between the compliance function and the other business units; in a context characterised by strong interrelations, the guarantee of independence must be provided by the formalisation of a mandate, from which it is possible to clearly deduce the tasks and responsibilities of each body within the company, and by the provision of adequate information flows among the various operational and control units. In the pages that follow I relate the results of a sample survey, conducted in the period from March to May 2007 and submitted to a sample of thirty-one financial intermediaries operating in the Italian market; the objective is to emphasise the relations between the compliance function and the other business functions involved in the compliance process and, in particular, with the Internal Auditing function, the internal control authority that is also assigned to verify compliance activities. The analysis of results is preceded by a brief summary of the existing literature on the study of compliance.

[2] It is estimated that in the USA up to 50% of compliance costs per company (equal to about 2% of turnover) are produced by redundant activities. That is, different committees often work on the same information, generating reports with similar contents but destined for different recipients, with the result of increasing the possibility of error and of introducing new risks with respect to those that one is trying to assess and control. Data from CA World 2005, annual Conference on Management & Information Technology, Las Vegas.
[3] Central Director for Credit and Financial Supervision, Banca d'Italia.

2. An analysis of the literature

The study of compliance activity is relatively new in Italy; therefore a great part of the bibliographic references on the topic have been produced abroad. There are two main lines of research: the first, of theoretical orientation, deals with the topics inherent to the compliance culture and the management of non-compliance risk; the second, more operational, is centred principally on the study of the implementation of a compliance function in financial intermediaries' structures and on the classification of the costs related to compliance activity.
Edwards and Wolfe define compliance in the following way: "Compliance in general terms is the adherence by the regulated to rules and regulations laid down by those in authority. Not only does compliance mean adherence to the letter of the law, it also is just as concerned with adherence to the spirit of the law" (Edwards 2003); therefore, the term Compliance includes concepts of obedience, observance, deference, governability, amenability, passivity, non-resistance and submission, uniting a rules-based approach with a more flexible ethical one. This definition proposes a tie between an ethically correct attitude and the activity of compliance, which has been frequently emphasised and studied by numerous authors [4], who stress the importance of supporting compliance programmes with a solid orientation towards ethical behaviour, demonstrating that the objective of responsible conduct cannot be achieved solely by imposing from outside what is required but must also appeal to what is desired (Michaelson 2006). They suggest not adopting programmes oriented toward mere respect of the rules, but pursuing the creation of a sense of shared values that can help define an ethical role for individuals: "a combination of compliance and values approaches is ideal" [5]. Jackman, in particular, proposed the development of ethical values and of a compliance culture both within organisations and in support of the activities of the supervisory authority, recognising the importance of a change that involves the entire financial system [6].

The compliance function is set up to defend against the risk of non-compliance, defined by the Basel Committee (Basel Committee 2005) as the risk of legal sanctions and financial losses or loss of reputation that the bank could incur as a result of the failure to comply with laws, rules, self-regulation standards and codes of behaviour applicable to banking activities. It is evident that this risk encompasses very heterogeneous aspects, involving both the typical elements of legal risk [7] and those of operational [8] and reputational risk. The main difficulty in managing non-compliance arises precisely from this complex definition, which carries the possibility of creating overlaps and waste of resources compared to the already existing protections used in the management and measurement of other types of risk. Both operational risks and compliance risks originate, on close examination, from the lack of or inefficient protection in certain areas of business, and the definitions proposed delineate an area of overlap between the two types of risk (Uselli 2005). The Basel Committee itself affirms that there is a close relationship between compliance risk and certain aspects of operational risk (Basel Committee 2005, p. 8); for this reason it recognises that some banks may wish to organise their compliance function within their operational risk function, while others may decide to institute a body for compliance activity that is independent of the operational risk management function but establish mechanisms requiring close cooperation between the two functions on compliance matters.

[4] Some of the main authors include: Paine 1994; Laufer and Robertson 1997; Trevino, Weaver, Gibson and Toffler 1999; Weaver and Trevino 1999 and 2001; Jackman 2001; Edwards and Wolfe 2005; Weber and Fortune 2005; Michaelson 2006.
[5] A study conducted by the Ethics Officers Association (EOA) in 2000, in approximately 150 member organisations belonging to different economic sectors and of variable size, showed that approximately 100 different titles were attributed to the persons responsible for the application of compliance programmes. In these titles the word "ethics" appeared with a frequency of about 35%, while the term "compliance" had a frequency of roughly 37%. Among subsequent studies we single out that of Weber and Fortune, which, although conducted on a considerably smaller reference sample (14 firms), reported that the term "compliance" had a frequency of 85%, while "ethics" appeared with a frequency of 21.4% (Weber and Fortune 2005, p. 102).
[6] It is this integration that Jackman's model of development of organisational values and culture seeks to identify and encourage in a compliance-competent organisation (Edwards and Wolfe 2005).
[7] According to the formula of legal risk adopted by the Basel Committee, this type of risk "includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements" (Basel Committee 2004, p. 120).
[8] The Basel Committee defines operational risk as "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events"; the Committee itself asserts that the definition just cited includes legal risk, but deliberately excludes strategic and reputational risk (Basel Committee 2004).
Cola defines legal risk as the risk of the loss or reduction of the value of portfolio activities because of inadequate or incorrect contracts or legal documents, or ones containing clauses that turn out to be particularly burdensome (Cola 2005). This definition therefore identifies a narrower case of risk compared to that of non-compliance, which instead also involves reputational aspects and those having to do with possible conflicts of interest. Reputational risk consists in the possibility of economic damage deriving from alterations in the judgement and in the fiduciary relations perceived by the intermediary's clientele (Gabbi 2003, p. 1). It is evident that this type of risk is particularly important for the banking system, in which the fiduciary relations with the clientele represent the qualifying element of the very existence of credit intermediation. Given the manifest intangibility of the reputation requisite, even the evaluation of the risk associated with it becomes difficult [9], all the more so if one considers the specificity of the type of events that characterise the reputational sphere, given that "losses absolutely disproportionate to the original event" (Gabbi 2003, p. 3) can derive from it. A study conducted by PricewaterhouseCoopers [10] demonstrated that there is no generalised consensus on the definitions of compliance risk, operational risk and reputational risk. The main differences are due to the different evolutionary level of the approach to risk management and of the compliance function, to the organisational positioning of the compliance unit within the company, and to the cultural receptivity shown by the company toward regulation (PricewaterhouseCoopers 2005, p. 16). Compliance risk, like all risks, can be faced by influencing either the probability of a risk occurring (company culture) or the effects deriving from damaging events taking place.
The first hypothesis involves properly motivating one's own human resources and fostering their adhesion to the ideal objectives of the company; the second hypothesis is related to the ability of the company to face the consequences of the event once it happens. This ability will depend on the mechanisms of containment of economic and reputational damage, put into effect through the proper techniques of risk management and retention. Nevertheless, in this case, since the damage is reputational, the use of reserves or external instruments such as insurance is not sufficient to contain the effects of a non-compliance event, which is characterised not only by a component of immediate economic damage but also as the forerunner of future effects that are difficult to quantify. From this one can deduce that the formation of a compliance-oriented culture [11] is a priority and essential to adequately manage non-compliance risks.

Tab. 1 - A comparison between the definitions of compliance risk and of operational risk indicated by the Basel Committee

Compliance Risk                                        Operational Risk
Market abuse                                           External events
Reputation risks                                       Legal risk
Other pecuniary losses                                 Internal or external fraud
Costs/obligations consequent to clientele complaints   Damage to IT systems

Source: Uselli 2005, p.

The available literature on the analysis of the organisational requisites of the compliance function can prevalently be traced back to some recent sample surveys conducted in the United States and in Europe, whose objective was to bring out the main operational and organisational features of the compliance function in the financial system [12]. The studies proposed identify various organisational models, ranging from a more advanced model in which the compliance activity is carried out through an autonomous structure equipped with its own staff and budget, to a model in which the compliance activity is positioned within another business function, in the majority of cases Internal Auditing. Moreover, these studies provide evidence of a generalised lack of adequate resources coordinated among themselves, which has often represented, and still represents today, the main obstacle to the activity of the function. To these studies one can add three other works carried out more recently, respectively by KPMG (2006), by the Centro Studi Bancari of the Associazione bancaria Ticinese (Pizolli 2006) and by Sda Bocconi (2008), which contribute to defining the organisational framework of the compliance function in the financial sector in a prevalently European area.

[9] For an analysis of the literature on the measurement of reputational risk in the financial industry see: Gillet, R., Hubner, G., Plunus, S. 2007, Operational Risk and Reputation in the Financial Industry, available at: , and Gabbi, G. 2004, Definizione, Misurazione e gestione del rischio reputazionale degli intermediari bancari, Banca Impresa e Società, a. XXIII, n.
[10] The study was conducted during the second half of 2004 on a sample of 73 financial intermediaries (prevalently banks, 63% of the reference sample), belonging to 17 different countries in Asia, Australia, North America, Europe and the Middle East.
The study proposed by KPMG has the objective of gathering information on the current and prospective state of the art of the compliance function of the main domestic and international banking groups operating in Italy. The research was conducted from February to March and involved eight Italian banks and seven foreign ones. Despite the reduced number of intermediaries involved in the survey, this work has the merit of supplying useful elements of an organisational and operational nature regarding the application of the compliance function in Italy. The authors themselves nevertheless recognised that the organisational choices made by the Italian banks are often temporary and not exhaustive, also considering the general climate of uncertainty on the domestic market. All the intermediaries contacted showed interest in the topics related to compliance activity, and 50% of them (one should not forget that these are the major Italian banking groups) have a structure dedicated exclusively to the verification of compliance, compared to the totality (100%) of the foreign intermediaries, while in 33% of the cases a structured system of organisational protections is coordinated by a person who reports to the bank's management. The study carried out by Pizolli in Switzerland, instead, describes the Ticinese banking situation and the level of development of compliance activity, and represents a useful element of comparison with the Italian context. Pizolli conducted his study from June to July 2006, through the administration of a questionnaire to eighty-four financial intermediaries; there were thirty replies, equal to about 37% of those contacted. The Ticinese institutes, even those of smaller size, comply with the most important requirements regarding internal controls.

[11] See: Langevoort 2001; Trevino, Weaver, Gibson and Toffler 1999; Schwizer 2006; Zamagni 2006; Hinna 2006; Paine 1994; Willmott 1993; Ogbonna and Harris.
[12] See: American Banking Association 2003; PricewaterhouseCoopers 2002 and 2005; The Economist Intelligence Unit 2006; KPMG 2006; Pizolli 2006.
All the institutes have already had a compliance function for, on average, six years, with a range of action that involves the entire banking activity and is founded on the concept that the compliance officer "is not a controller/policeman but a consultant at the service of the bank who acts preventively and tries to anticipate regulatory changes rather than adapting to them a posteriori" (Pizolli 2006, p. 7). Finally, the contribution of Sda Bocconi (2008) is focused on compliance risk in the evolution of investment services. This study, carried out during the period January - July 2007, involved 35 intermediaries and highlighted some critical situations in the compliance function of banks and other intermediaries; among these, restricted managerial autonomy and an insufficient employment of risk measurement instruments.

With regard to the identification and classification of compliance costs, various contributions in the literature regard only the costs sustained for adjustment to specific regulatory requests or to a group of these [13], while it is more difficult to evaluate the costs sustained to introduce ex novo a process for the verification and coordination of the entire compliance activity inside the intermediaries called upon to manage non-compliance risk. Particularly effective, for the purposes of this analysis, is the classification proposed by Fernandez (2005), which groups the direct and indirect costs of compliance into four categories: staff-related; out-of-pocket; capital; opportunity cost. Costs related to personnel employed in compliance activities (staff-related) are generally considered the most easily quantifiable, because they correspond to the salaries paid to the personnel involved for various reasons in these activities. Besides the costs of employees, one must also consider those related to any outsourced services, consultancy or professional services that can be associated with compliance activity; these are the costs defined by Fernandez as out-of-pocket. The term capital cost, instead, refers to capital investments attributable to the compliance function, such as the purchase of specific software, or of suitable equipment and structures for the pursuit of pre-set objectives. The last category indicates opportunity costs, which are calculated in relation to personnel only partially employed in compliance functions: the time dedicated to the new objectives is subtracted from activities that were previously conducted full time; therefore any reduction of earnings generated by such activity can be considered an opportunity cost.

The research summarised in the following pages intends to analyse the evolution of the internal organisational structure of financial intermediaries after the introduction of the new compliance function, with specific focus on the Italian context and on the relations with the other business functions involved in the process of internal controls.

[13] Particularly noteworthy in this sense is the document by Franks, Schaefer and Staunton (1998), in which an attempt is made to estimate the direct and indirect costs of regulation in the sector of English financial enterprises and a comparison is drawn with the United States and France. On the basis of the estimates made by the authors, the conclusion is drawn that indirect costs would be 4 for every 1 of direct costs and that annual aggregate costs would be 100 million. Regarding the definition and classification of compliance costs, instead, the suggestions for reflection supplied by Elliehausen (1998) and Alfon and Andrews (1999) are particularly useful.

3. The questionnaire

This study was conducted through the distribution of a questionnaire composed of thirty-four questions, prevalently multiple choice. The aspects highlighted relate to the operational structure of communication and collaboration between the compliance function and the other levels of the internal control system, with the goal of bringing out the weaknesses. The study illustrated below intends to analyse the presence of the minimum requirements indicated in the document of the Bank of Italy (independence, autonomy, adequate investigative powers, suitable structure and human and financial resources) and to make manifest the status of collaboration relations, reporting activities, and the production and diffusion of information flows among the various areas of banking or business activity. From an analysis of all this it is possible to determine the structure of the hierarchical and collaboration relations. The guidelines of Aicom (Associazione italiana compliance) itself, at principle nr. 5, state: "the compliance function must be equipped with adequate means and resources; information flows and specific training pathways must guarantee the continuous acquisition of the competences necessary to carry out the interventions provided for in the mandate". The questionnaire submitted to the intermediaries therefore has the purpose of bringing to light the following aspects:
1. the adequacy of the resources and the means available to the compliance function to carry out its activity;
2. the presence and structure of information flows to/from the compliance function;
3. the provision of specific training.

The information flows supply a systemic and overall view of the company's or group's exposure to compliance risks; they document and formalise the operational needs, in terms of compliance risks, of the structures involved: staff training needs, the need for new human and economic resources, verification of the conformity of new products and review of internal processes. They also allow the adequate integration of the compliance programmes, in order to remove the most urgent weaknesses and progressively improve performance (Sassi 2007). The questionnaire, submitted to those intermediaries who declared that they possess a compliance function, was sent by electronic mail or, in exceptional cases, by fax.

4. The reference sample

Through the contribution of Aicom, the questionnaire was submitted to thirty-one financial intermediaries [14], prevalently banks, which declared that they had conducted a compliance activity for at least one year. The response rate was approximately 55% (seventeen intermediaries out of thirty-one). The complexity of the themes inherent to compliance activity is, in fact, further increased by the regulatory uncertainties that have characterised recent months [15]. On the other hand, the financial markets have recently been marked by numerous and noteworthy bank merger processes [16], which have also shifted the attention of company top management from the themes related to business management,

Tab. 2 - Financial intermediaries that responded to the survey

Type of business        Frequency   Percentage
banking                 15          88%
other intermediaries    2           12%
Total                   17          100%

Tab. 3 - Average values of the sample

Variable                Average   Std. Dev   Minimum   Maximum
dimension (mil Euro)    ,         ,

[14] The sample thus defined presents a degree of representativeness of the population of Italian banks active in 2005, with the exception only of the Cooperative Credit banks, of about 9% (number of banks).
[15] The instructions on compliance were issued by the Bank of Italy on 12 July 2007, almost a year after the publication of the consultation document.
[16] To give only some examples, one can cite the Intesa San Paolo merger, the arrival in Italy of the French BNP Paribas, which acquired BNL, and of the Dutch ABN Amro, which acquired AntonVeneta; and the more recent mergers of Unicredit with Capitalia and of Banca Popolare di Milano with the Popolare dell'Emilia Romagna.