Lessons from Barrington
Part of the logic of publishing regulatory penalties is to dissuade unacceptable conduct. To prudent financial institutions, it points out what not to do.
But boards of directors and compliance officers may have a dazed-and-confused look about them when interpreting the practical lessons from Barrington's fine.
In late August, the Bermuda Monetary Authority announced that it fined Barrington Investments Ltd $50,000 for being “… in breach of the Minimum Criteria for Licensing under the [Investment Business Act 2003] …”
The press release said that the breaches occurred in three key areas: corporate governance; conducting business in a prudent manner; and risk management.
Having seen this happen, prudent financial institutions would ensure these failures don't manifest within their own compliance programmes. But that is easier to say than do.
Even the most basic compliance programme is a framework of controls based on sets of obligations stemming from multiple regulations. This means that even one named control can vary in kind and extent.
For example, a record-keeping method will vary in timing, resource consumption, duties allocated to staff and management reporting. This depends on which records are being kept, in what condition, and with what acceptability and accessibility — in short, on which regulation the control is designed to satisfy.
Even with an indexed control register, ferreting through that framework for all touchpoints related to “corporate governance; conducting business in a prudent manner; and risk management” will be difficult.
That's because all controls have some form of connection to these topics. Each topic is a heading with multiple requirements, explained across multiple subsidiary policies.
Further, each heading contains wide-ranging, numbered requirements. For example, the Minimum Criteria for Licensing (MCL) heading “conducting business in a prudent manner” contains obligations ranging from calculating contingent liabilities for liquidity to the extent of insurance coverage.
Naming the specific, numbered requirement breached, rather than a generalised heading or topic, will provide clarity and mutual accountability between the regulated and the regulator. Parliament actually initiated this kind of relationship.
As the MCL imposed obligations on institutions, so too does the Investment Business Act 2003 (IBA) impose obligations on the Authority.
The IBA requires the Authority to publish codes of conduct and statements of principles which explain its interpretation of the MCL, its approach to granting, restricting and revoking licences, as well as enforcing the MCL.
Therefore, there is a mechanism to set out a full, clear understanding of expectations and accountability — which can be specifically referenced in press releases.
But there is a complication.
The MCL was amended in 2014 but substantial policies — code of practice and statement of principles — were last updated in June 2010. There is an argument that the MCL amendments simply rearranged things and therefore the content of the policies is still accurate. But ultimately neither policy explains a risk management expectation — much less qualifies what is a “proper risk management” versus an improper one.
This is a good example of where requirements are subject to widely different interpretations.
There is a treatment of risk management in the Authority's Corporate Governance Policy, released when the MCL was amended to include multiple requirements under the corporate governance heading.
At paragraph 37, the Policy states: “An institution's approach to risk management should be commensurate with the size, complexity, structure and risk profile of the business.”
Given that Barrington's breaches included “a failure to have a proper risk management function”, the implication is that there was one, but something about it wasn't “proper”.
Would a financial institution of similar “size, complexity, structure and risk” be able to interpret what was improper from the Barrington press release? Or even a financial institution of exact matching characteristics?
Without details, Bermuda's 58 licensed investment providers have two options.
They can, despite having different “size, complexity, structure and risk profile”, attempt to interpret what is “proper” about their own risk management. Interpreting requirements inaccurately results in widely disproportionate, costly control frameworks that inconvenience and deter customers.
The second option is to take their chances, and ignore the entire affair.
Surely we cannot be surprised when a financial institution without the financial heft of a large industry player chooses the second option.
And perhaps, unintentionally, it is the vague nature of these regulatory actions that perpetuates further compliance failures.
Jarion Richardson, FICA; Certified Professional, CAMS, is the managing principal of Certainty, a regulatory compliance consulting firm. He is a Fellow of the International Compliance Association, Certified Anti-Money Laundering Specialist, former Bermuda Monetary Authority examiner and former Detective Constable in the Bermuda Police Service. He can be reached at www.certainty.bm.