Could internal compliance training place your company at risk? 

If we have learned anything over the past few years, it is that even the best compliance policies can be worthless if the workplace environment does not support their implementation. To create a supportive environment requires the systematic and deliberate inculcation of a culture of compliance, a strong culture of ethical decision-making and behaviour, which helps to ensure that not only are all compliance obligations met but surpassed. Without this kind of diligence, compliance policies may not worth the paper on which they are written, and too many senior executives have realized this truth when it is too late to avoid censure.

Engineering an appropriate culture is no easy task and requires carefully curated training and clear, constant messaging from top management. It seems, however, that at least one of those elements is a low priority for compliance managers - in a recent survey of compliance executives in the MENA region, only 17% chose training when asked their priority to meet their compliance objectives[1].

Executives know that when a function such as training is low on the priority list, it can be difficult to motivate for a substantial budget. In this situation, there is a tendency to turn towards internal resources to supply the requisite training. Internal training may be a workable option for the well-resourced organization, but for the majority of organizations, reliance on an internal function may create its own risk – the risk of complacency. Complacency has caused many organizations to fall foul of the regulator despite a full compliance department, investment in the most up-to-date software, and well-maintained paperwork. They may have the best of intentions, the best policies on paper, the most thorough monitoring regime and a consistent training schedule - but a lack of in-depth regulatory knowledge can leave them vulnerable.

Indeed, meeting the expectations of regulators requires a rigorous, critical approach, and this is not always achievable through an internal process. It is far more likely that an assessment by an outsider – an external training agency - will reveal fundamental gaps in skills and knowledge.

Regulatory compliance has, over the years, become incredibly complex and characterized by constant change. The flow of information has increased exponentially and can often overwhelm compliance departments. Official guidance is often open to interpretation as regulators continue to push the message of a risk-based approach, with each organization expected to choose its own risk setting.

Training provided by an internal function may lack some of the essential details that, for compliance executives, make the difference between swimming and drowning. While the course may be sound, it is these vital insights and critical details that can help executives understand where best to focus their efforts, and to concentrate their valuable resources.

It seems that these insights are becoming increasingly critical to success with the growth of regulation, especially as we see an increase in regulation with an extra-territorial impact. The European Union’s influential privacy law, for example, the General Data Protection Regulation, adds another layer of complexity to the compliance process for organizations around the world. Unravelling the implications of these regulations requires time, analysis and critical insight, and we expect to see other jurisdictions develop and implement laws that will have a similar impact.

Indeed, this is not a time for complacency. Enforcement agencies have stepped up their activities, and as a way of increasing oversight and accountability, global regulators have begun to target individual executives in the event of a compliance failure. It is a time of rising personal and organizational risk, with local regulators such as the Dubai Financial Services Authority and the Central Bank of the UAE indicating that they will increase their focus on enforcement. 

Internal training may be good at addressing the basics of compliance, and useful as a method of raising awareness throughout an organization for the need for an effective compliance function, but to create the optimal environment for an effective, sound compliance culture requires a highly specialized approach.

Authorities have made it clear for many years now that ignorance is not an excuse, so relying on internal training to ensure effective implementation may turn a cost-saving initiative into an incredibly expensive exercise. 

[1] Financial Crime in the Middle East and North Africa 2019, Refinitiv