Compliance Study_complet - pwc

Protecting the brand
The evolving role of the compliance function
and the challenges for the next decade*
*connectedthinking

PricewaterhouseCoopers on Governance, Risk and Compliance
The PricewaterhouseCoopers Governance, Risk and Compliance (GRC) approach and operating model are founded on
three core principles
1. Integrity-Driven Performance requires that organisations integrate their approach to GRC. Such an approach is
critical as effective integration fosters a culture of business integrity and accountability.
2. An integrated model should link to shareholder value and effectively coordinate an organisation’s people, process
and technology capabilities so that Integrity-Driven Performance is embedded in the fabric of the organisation
acting to support the achievement of strategic objectives.
3. Integrity-Driven Performance requires a new vision of business conduct and compliance - one that understands
stakeholders’ needs and supports compliance with both the letter and spirit of relevant obligations. This includes
compliance with internal policies and procedures as well as managing expectations of stakeholders such as
regulators, customers, business partners, employees, investors and society as a whole.
To attain a level of Integrity-Driven Performance, we believe that organisations need to get four fundamental enablers right:
• Address and effectively manage the change to a culture of business integrity and ethical values
• Embed an integrated GRC approach into core business processes
• Deploy the capability to measure performance and calculate value through the right metrics and dashboards
• Leverage technology to enable effectiveness and efficiency.
1 See Integrity-Driven PerformanceTM - A New Strategy for Success Through Integrated Governance, Risk and Compliance Management: A White Paper, January 2004, available on the PricewaterhouseCoopers
website at www.pwc.com

Protecting the brand*

Foreword
The financial services sector is grappling with the biggest shake-up in regulation for a generation, including the growing shift
from rules-based to principles-based supervision. Compliance teams have an increasingly important role to play in
protecting and enhancing corporate value and reputation in the face of stakeholder demands for greater integrity,
accountability and financial stability. Indeed, recent experience indicates that even if certain dealings comply with the letter
of the law, they may still fall foul of what may ultimately prove to be the more damning court of market and public opinion.
An organisation’s ultimate goals should be:
• A strong, flexible and cost-effective platform of compliance capable of meeting changing business, regulatory and
stakeholder expectations
• Achieving compliance as an integral feature of a well-managed business, capable of creating value through enhanced
reputation, investor confidence and lower cost of capital.
Culture of compliance
Many respondents recognise that Compliance cannot be expected to police today’s increasingly diffuse corporations and
that the business needs to take ownership of the necessary controls. However, with 30% rating ‘incomplete
acceptance/understanding by the board/senior management of their compliance responsibilities’ as a significant hurdle to
achieving compliance, there is clearly much needing to be done. Ultimately, the key to a well-managed - and therefore
compliant - organisation is a culture of ‘doing the right thing’. This culture needs to be ingrained into both the mindset and
behaviour of staff, reinforced by a close alignment of values, processes and rewards. It is perhaps telling that a number of
recent scandals have taken place in organisations where the basis for incentives has not included compliance.
Role of Compliance
A well-managed organisation makes a holistic assessment of the risks it faces now and in the future, taking into account the
needs of a broad range of external and internal stakeholders. It then designs appropriate risk management and control
mechanisms to handle these - one of which is the compliance function. Our study found that while many organisations are
moving in this holistic direction, few have clearly figured out the best role for the compliance function in helping to achieve
the endgame of a compliant organisation. Compliance functions currently gravitate between the ‘police officer’ and
‘counsellor’ roles, with ongoing concerns over their independence, and their interaction with other management and control
functions and indeed business. Many organisations are failing to adequately address the wider needs of internal
stakeholders, by actively fostering appropriate compliant behaviour and by ensuring that practices, processes, and
technology, help rather than hinder such behaviour.
Cost of compliance
64% of respondents viewed the complexity of the regulatory environment as the biggest hurdle to achieving compliance, but
many compliance officers also suggested deep-rooted management concern over the cost of compliance. However,
compliance with regulations is quintessential for doing and staying in business in the financial sector, in the same way as

complying with management’s strategic and risk management guidelines enables an organisation to succeed. Management
should be more concerned about achieving an appropriate payback from their investment in compliance. The price of
safeguarding the organisation from regulatory fines and reputational damage must be factored into any evaluation of revenue
returns, in the same way as operational expenses or the costs of risks such as default of a borrower. It is telling that around
80% of respondents believe that their compliance function adds value to their businesses, yet most are finding it difficult to
pinpoint the precise benefits.
The ultimate goal, according to some study respondents, is an organisation so inherently compliant that the need for a
compliance function is eliminated. Given a complex and rapidly changing regulatory environment, aligned with increasingly
dynamic business strategies, this utopia will not be realisable in the foreseeable future, if ever. Nevertheless, organisations
can and should take measurable, incremental steps in this direction over the longer term.
This study was intended to update and extend the
scope of a previous study, undertaken in 2002, into
financial institutions’ compliance functions with a
view to spurring ongoing debate across the financial
services industry internationally. It was also designed
to complement other studies and surveys we have
undertaken in recent years looking at governance,
risk and compliance, not least the 8th Annual CEO
Global Survey: Bold Ambitions, Careful Choices, the
results of which were launched at the Davos World
Economic Forum in January 2005
We sincerely thank all the participants who have enabled us - we hope - to offer useful insights into the progress and
remaining challenges for boards, management and compliance officers alike. We are particularly grateful for comments
received from national and international regulators and industry associations. We also thank the many
PricewaterhouseCoopers regulatory and compliance specialists internationally who have supported this initiative, conducting
and documenting the interviews, and providing feedback from their own experience to support the analysis. Finally, our
thanks go to Wendy Reed who, under our stewardship, drove the study process overall and was responsible for the
preparation of this report.
We hope you find the results both illuminating, and actionable.
Jeremy Scott
Chairman, Global Financial Services
Leadership Team
May 2005
Charles Ilako
Global Lead Partner, Financial Services
Regulatory Practice

Introduction
Purpose of the study
This study aimed to continue PricewaterhouseCoopers’ contribution to the evolving international debate on the role of
compliance functions within the financial services sector, building on other, wider PricewaterhouseCoopers initiatives in the
governance, risk and compliance area 2 , and on a European study into financial institution compliance practices in 2002 3 .
In some countries, compliance requirements have existed for many years and compliance practices are wellestablished.
Now, to mirror increasingly accepted best practice or as a reaction to crises, financial services regulators around
the world 4 are introducing, or enhancing, requirements for compliance functions. They advocate compliance with wideranging
prudential and conduct of business regulations, thus shifting gear from the often piecemeal requirements of the past.
Boards of directors and senior management, generally, are confronted with ever more stringent requirements for corporate
governance, risk management and compliance infrastructures.
The purpose of the study was primarily to i) understand progress in strengthening compliance functions in financial
institutions and ii) elucidate both current and future challenges. Our intention was to surface discernible trends to provide
further food for thought, given that the thinking on this issue is at different evolutionary stages around the globe and across
sectors. This report endeavours to give a flavour of the often wide-ranging responses to key issues, in addition to extracting
some key messages.
Study approach
We believe that this is the first time such an in-depth international study has been undertaken into compliance functions in
the financial sector. The GRC model (see inside cover) guided the detailed questionnaire, subsequently tailored to specific
institutions and national environments. The results of the study are based on participation from over 73 internationally active
and major domestic financial services institutions in 17 countries worldwide: 66% of participants are internationally active,
34% are major domestic institutions. Study participants represented all sectors of the financial services industry: 63%
banking, 19% investment services and 18% insurance (although many of the international participants are active in all three
sectors).
Interviewees included group risk compliance officers, heads of risk management, members of senior management with
compliance-related responsibilities (including CEOs), regional compliance heads, and heads of business line compliance.
PricewaterhouseCoopers regulatory and compliance specialists conducted face-to-face interviews with participants in the
latter half of 2004. The study was further enhanced through interviews with some key industry associations and regulators.
The results from these interviews were then supplemented by significant desk research and input from the
PricewaterhouseCoopers global network of regulatory and compliance specialists.
Asia & Australia
• Australia
• Hong Kong
• Japan
North America:
• Canada
• United States
Countries represented
Europe & Middle East
• Austria
• Bahrain
• Belgium
• France
• Germany
• Italy
• Luxembourg
• Netherlands
• Spain
• Sweden
• Switzerland
• United Kingdom
It is important to stress that the questions, and the
discussions, were largely qualitative in nature. In this
report, in order to provide indications of the range of
responses, we have reviewed the responses carefully
and provided indicative “statistics”. However, it must
be noted that not all participants were able to
respond to every question, so the statistics provided
are based on actual responses, and have only been
prepared when a reasonable percentage of overall
participants answered the relevant question.
2 See Annex III to this report for recent PricewaterhouseCoopers initiatives in this area.
3 Regulatory Compliance: Adding value - a review of future trends, 2002.
4 Annex I to this report provides an overview of recent developments in study participants’ countries.

Structure of the Report
Executive Summary 8
Detailed Feedback on Study Results
• Setting the scene - defining compliance risk 15
• Challenges to achieving compliance 19
• The compliance function - counsellor or police officer? 24
• One configuration does not fit all 40
• Compliance contributing value to business performance 51
Annexes
• Overview of regional and national requirements for compliance functions 65
• Current regulatory challenges 80
• Selection of recent related surveys and white papers 82

Executive summary
Executive summary
At a time when society expects integrity as well as competence from its financial services providers, effective compliance is
becoming as much a competitive as a regulatory imperative. With many financial services regulators focusing on the role and
responsibilities of the compliance function 5 , this study set out to explore the rapidly evolving nature and responsibilities of
the compliance function at a critical juncture both for the function and the organisations it serves. It revealed considerable
improvements over the past three years, across all sectors:
• Organisations’ vision of the role and structure of the compliance function has developed significantly on a cross-sector
basis
• The concept of “embedding a compliance culture” is clearly widespread in all the participant countries, establishing a
coherent backdrop for compliance function activities
• There has been a “quantum leap” in certain countries where regulatory requirements for compliance functions are
relatively new: they should not take decades to catch up
• As a result of regulatory action, improved governance structures, designed to ensure the independence of the
compliance function, are more prevalent.
Significant challenges remain, however, if organisations hope to reap the full benefits of improved compliance. Many
organisations still believe that a large part of the challenge stems from the weight of new regulations and uncertainty over
their practical application, and that conformance might undermine performance if regulatory requirements constrain the
flexibility and innovation of business models, and impose apparently unnecessary costs. Ultimately, however, compliance -
like performance - is a prerequisite for doing and staying in business. The compliance function provides one, albeit essential,
tool to enable management to fulfil stakeholders’ expectations of integrity and to protect the brand. Compliance costs would
certainly appear modest when compared to the billions that can be wiped off share values if lapses in probity, governance or
codes of conduct come to light.
Essentially, meeting these challenges requires a more holistic and proactive approach to compliance which moves
beyond statutory expectations to embrace broader ethical and strategic considerations. It means understanding the
essential link between integrity, ensuring the right behaviours throughout the business and meeting strategic objectives. This
approach should focus squarely on encouraging appropriate behaviours and the achievement of compliant business
practices and processes (i.e., compliant outcomes) - rather than placing the onus solely on the compliance function. Certain
common elements underpin such an approach:
• Closer integration of governance, risk management and compliance structures, forming a practical continuum
underpinning the overall integrity of the organisation and aligned to innovation and the achievement of strategic objectives
• A culture which breeds the right behaviours and instils integrity into the DNA of the organisation, fostering awareness and
ownership of compliance at all levels of the organisation, supported by appropriate rewards, processes and procedures
5 The compliance function is referred to in full in the report or as ‘Compliance’, in order to differentiate it from the generic term, ‘compliance’.

© PricewaterhouseCoopers - Protecting the brand, May 2005 9
• An extension of the role of Compliance to engage directly, and at an early stage, with those involved in tactical and
strategic decision-making in areas ranging from acquisition to product development
• A clear definition of the relationship between the business as the first line of defence; the compliance function as the
second; and independent assurance and non-executive directors as the third
• Coherent approaches to ensuring that business processes and procedures, generally, facilitate rather than frustrate
integrity, and that robust technology infrastructures foster integrity-driven decision-making.
The shift towards a principles-based, or risk-based, regulatory or supervisory approach in many countries would call for
more emphasis on the compliance function’s advisory role: but it is a question of balance. Primarily, the organisation needs
to anticipate and quickly respond to the most serious threats to the brand, rather than seeking to ‘comply’ with everything all
of the time. Management’s success in configuring the business to achieve its performance objectives while remaining wellmanaged
(and consequently compliant) will predetermine the evolving role and ongoing efficacy of the compliance function.
The study surfaced a number of important related issues that require deeper management consideration.
No common language
The Basel Committee’s definition of the compliance function provides a broad-based conceptual approach, establishing the
parameters of management’s responsibilities but not necessarily, in a practical sense, the actual scope of compliance
function activities. From an organisational perspective, different interpretations of ‘compliance risk’ are apparent within
different business lines, and across national borders. This is further complicated by different regulatory approaches,
internationally, and across sectors to both compliance risk and compliance functions.
Regulatory principles sketch regulators’ expectations for the management of compliance risk, and compliance
functions, leaving management to fill in the gaps. Management is concerned that, without more detailed guidance, regulators
mean to give themselves room for manoeuvre, enabling them to criticise management’s efforts in retrospect. This is an
unsettling prospect given the current perceived regulatory propensity to move the goal posts retroactively.
Essentially, however, management needs a clearer understanding of its own compliance risks, as well as regulatory and
reputation risks, in order to provide the basis for appropriate delineations and allocation of responsibilities to the compliance
function. Regulators can help by clarifying their expectations further. We believe, therefore, that this is the first issue to be
addressed. From our analysis, we suggest that:
• Industry and regulators need to reach a consensus as to the meaning - and their understanding - of
“compliance risk” across business lines, both generally and in the context of the role of the compliance function
• Internationally, and across sectors, regulators need to continue to align their approaches to risk management,
including compliance risk.

10 © PricewaterhouseCoopers - Protecting the brand, May 2005
Management talks the talk …but is it just lip-service?
The study showed that boards’ and senior management’s primary fear relates to reputation or brand damage, as well as
personal liability - understandable given recent high-profile incidents. In many countries covered by the study, organisations
made minimal efforts in the compliance arena - particularly in terms of compliance functions - prior to explicit regulatory
requirements. Ongoing pressure from regulators, or from other stakeholders, such as institutional investors and possibly
rating agencies, should continue to underline the intrinsic value of compliance and of the compliance function.
Remaining compliant is quintessential from a business perspective, but the general lack of progress in demonstrating
the value of the compliance function suggests that should such pressure decline, the needs and the role of the compliance
function could be subjugated to other regulatory and business priorities. In effect, management needs to place less
emphasis on the short-term costs of compliance and more on its fundamental ability to enhance the return of investment for
the organisation overall.
Although a great deal of progress has been made in terms of articulating a sound compliance vision and establishing
and/or reinforcing compliance functions in recent years, the study provided limited evidence of coherent, sustainable
strategies aimed at achieving compliant business practices and processes in the longer-term. When addressing regulatory
requirements, compliance functions are often designed to essentially paste over the perceived gaps in an organisation’s
existing control framework. This may not be the optimal approach, particularly as organisations have not yet recognised, let
alone realised, the overall benefits of being compliant.
Attempting to tackle all the issues with one major project, however, is unlikely to be effective. Instead, continuous initiatives
in a number of inter-related areas (with iterative reassessments as the situation evolves), together with a clearer vision of the longterm
endgame, are essential. Based on an analysis of the study results, common initial challenges for management include:
i) Assessing risk holistically, probing further the correlation between different types of business and market risk in terms of
compliance, regulatory and reputation risk
ii) Given a definition of “compliance risk” for all business activities, clearly determining the compliance function’s associated
roles and responsibilities, in the context of other control and support functions, such as internal audit, legal, risk
management, human resources, etc.
iii) Establishing the right balance between Compliance's “counsellor” and “police officer” roles (see below), and providing
organisational flexibility for these roles to evolve
iv) Providing adequate resources to Compliance, targeting efficiency through appropriate human and financial resources
supported by a robust technological infrastructure
v) Adopting a bottom-up, as well as a top-down approach to achieving compliance, whereby business processes and
practices are thoroughly reassessed to ensure current and future compliance, taking particular account of the
technological needs.

© PricewaterhouseCoopers - Protecting the brand, May 2005 11
vi) Above all, concentrating on ingraining a deep sense of integrity into the DNA of the organisation, fostering both appropriate
behaviours and attitudes, and using the compliance function as a tool to promote and promulgate the required value system.
We therefore suggest that:
• Management should assess the current role and future evolution of the compliance function, as part of longer-term
strategies aimed at configuring business practices and processes - and indeed its overall infrastructure - with a view
to instilling a deep sense of integrity and facilitating the right behaviours in its people. It should appreciate that people
will not be able to behave consistently with integrity if the business processes themselves create barriers.
• Management should strive for a coherent response to managing risk, developing holistic strategic risk
assessments which explicitly encompass compliance risk within the overall risk profile of the organisation.
Particular attention should be paid to the interaction between Compliance and other risk management functions,
while recognising the difference in emphasis when managing compliance risk.
• Boards and senior management should ask themselves probing questions about the current and future
configuration of the compliance function, the comprehensive control framework of the organisation and the optimal
level of resources - human, financial and technological. Senior management should continue to ensure that
organisational design does not impede the independence and effectiveness of the compliance function. Inter alia:
- Senior management needs to reconcile the different approaches necessitated by divergent societal and
business cultures within its operations overall, with its associated strategies in terms of configuration, modus
operandi and resources of the compliance function.
- Management should pay careful attention to the interaction with other control and support functions, and
ensure that the respective roles and responsibilities are clearly defined, and documented.
- Recognising the dual role of the compliance function (“counsellor” and “police officer”), management should
make sure that the organisation’s configuration is thoroughly assessed, both top-down and bottom-up, to
permit appropriate access and interaction with front-line businesses.
• As with any other intrinsic part of the business, boards and senior management should focus more on measuring
the real cost of compliance and non-compliance, as a means to ensuring appropriate cost management
strategies, ameliorating their understanding of Compliance’s value, and finally permitting an effective balance
between compliance costs and value generated.
• Equivalent, if not higher, priority should be placed on the development and use of technology able to help
management to really understand, on a timely and consistent basis, what is going on in the business. From the
perspective of the compliance function, a robust technological infrastructure entails both sophisticated tools for
monitoring compliance in business activities, together with appropriate tools for streamlining compliance function
activities, and facilitating knowledge sharing.
• Boards and senior management should focus more on frequency, timeliness and consistency of reporting, as a
means to deriving additional comfort that current business transactions and practices are much less likely to
generate future compliance problems.
• Rating agencies should take more account of the role and potential contribution of the compliance function to
the overall strength and quality of the organisation.

12 © PricewaterhouseCoopers - Protecting the brand, May 2005
Compliance officer: police officer or counsellor?
The traditional role of the compliance function - in Anglo-Saxon countries - is shifting from “police officer” to ”counsellor”.
There is increasing acceptance that Compliance, as a trusted advisor to the business, both creates value and protects the
brand. In some European countries where compliance functions are more recent, the initial emphasis has been on advising
business, while Compliance’s “police officer” role - its crucial compliance monitoring and oversight role - is often
underdeveloped. Compliance is most useful when both proactive and reactive - helping to ensure that new business is
compliant as well as monitoring existing business. However, the right balance needs to be struck between the two roles
within the organisational, business and cultural context. As business progressively manifests the right behaviour - embodying
both integrity and innovation - the need for the compliance function to police its activities diminishes, and the value-adding
counsellor role comes more to the fore. During this evolution, care needs to be taken to ensure that potential conflicts of
interest between the two roles are managed effectively.
Segregating compliance responsibilities between Compliance and the business is often difficult to accomplish in dayto-day
operations. Today, Compliance is often involved in executing compliance controls over daily business transactions
(operational compliance), as well as providing ongoing compliance oversight. This causes another potential conflict of
interest that can be mitigated through the “tone at the top” (instilling a compliance culture throughout the organisation);
consistent, ongoing performance measures to ensure that business is fully cognisant of its compliance responsibilities; and
separate reporting lines.
Evidently, to be able to advise management and the business proficiently, compliance officers need a deep
understanding of the business, a detailed knowledge of relevant regulations, and insights into regulators’ expectations, as
well as pragmatism. Many respondents stressed, however, compliance officers’ communication and influencing skills as key
to engendering trust. How well their advice is trusted, however, should not rely solely on their influencing skills: management
should always be prepared to listen and act. Based on our analysis, we suggest that:
We, therefore, suggest that:
• Compliance officers, with management support, need to focus more on developing their business vision - the
ability to advise management on compliant, but profitable, business solutions.
• Compliance must be prepared to advise management at an early stage on all new business ventures and
transactions, including new products, entry into new markets and mergers or acquisitions, as well as outsourcing
or offshoring initiatives. (Commensurate with the organisation’s maturity in terms of its underlying integrity, the
compliance function will need the authority to escalate or inhibit any activities which may raise longer-term
compliance issues until such times as it can function, primarily, in an advisory capacity.)

© PricewaterhouseCoopers - Protecting the brand, May 2005 13
• Compliance, supported by management, needs to strive to enhance the dialogue with regulators - and other
industry participants - to improve the depth of general understanding of the challenges faced by compliance
functions, across organisations and across borders.
• There should be continuous focus on the blend of skills and competences within the compliance function overall,
ensuring suitable broad-based training for compliance officers and staff.
• Compliance officers should help themselves, and their firms, by further developing their “profession” through
industry fora, groups and associations.
• Compliance should develop more in-depth awareness of the technologies used by the organisation, including
legacy systems, and be consulted with regards to new systems developments. At the same time, the IT
department should develop greater awareness of the needs of the compliance function.
Regulatory “heavy-handedness”?
Respondents saw the principal challenges to achieving compliance as the rising bar of regulatory expectations, uncertainty
due to regulators’ moving the goalposts retroactively, and the increased - and increasing - ‘heavy handedness’ of both
regulators and law enforcement. International financial institutions and conglomerates said they face multiple complexities in
meeting diverse regulations across borders. Increased convergence in regulatory approaches and attitudes internationally
was both appreciated and welcomed, yet respondents stressed that existing inconsistencies - both locally and
internationally - exacerbate current difficulties. Clearly, more guidance and clarification of regulators’ expectations would be
beneficial. Nevertheless, organisations also need to adopt a longer-term view, recognising that regulatory convergence in
time should result in considerable cost savings, particularly if they can develop and put into place today holistic, forwardlooking
strategies for ensuring compliant outcomes, using the compliance function as the key tool to achieve this.
• Regulators need to provide more guidance and clarification regarding their expectations of both management
and compliance functions, and be more transparent about them.
• Regulators should aim to be consistent, over time, and with other regulators, both nationally and internationally.

Detailed feedback
on study results

Setting the scene - defining compliance risk
© PricewaterhouseCoopers - Protecting the brand, May 2005 15
To set the scene, participants were generally asked for three definitions key to compliance functions, namely the definition of
i) compliance risk, ii) regulatory risk and iii) reputation risk. Not all respondents had defined all three terms, and amongst
those that had there were some subtle differences.
Compliance risk
A definition of compliance risk, as determined by the Economist Intelligence Unit and PricewaterhouseCoopers 6 , is:
“The risk of impairment to the organisation’s business model, reputation and financial condition (resulting) from failure to
meet laws, regulations, internal standards and policies, and expectations of key stakeholders such as customers, employees
and society as a whole.”
The breadth of this definition was reflected in the definition of a bank’s compliance function set out in the Basel
Committee in its paper “Compliance Functions in Banks”, of October 2003 7 .
While many respondents found this definition was in line with their own view of compliance risk, a number of
international institutions considered it too broad. For them, compliance risk resulted from the possibility of non-compliance
with laws and regulations affecting the offering of (relevant) products and services. Some saw this definition as closer to
“reputation risk”, while others thought this definition more akin to “operational risk”. A number of firms, especially those in
Sweden and Japan, believed it was better to look at compliance risk as “the risk of business not being conducted according
to legal and regulatory requirements”.
Respondents also considered “compliance risk” as implying the potential ramifications of non-compliance with laws
and regulations in terms of adverse regulatory attention for the firm, loss of confidence in the compliance function, and the
negative impact on Compliance and management time.
Regulatory risk
For some respondents, regulatory risk was a narrower concept than compliance risk, defined as the risk of not complying
with specific laws and regulations. Others, however, had a much more comprehensive definition of regulatory risk, for
example:
“Regulatory risk can be defined as the risk of regulatory sanctions, financial loss, or loss to reputation a bank may suffer
as a result of its failure to comply with all applicable laws and regulations, change in business models in order not only to
avoid its failure to comply with all applicable laws and regulations but also to correspond with the change in the expectations
of regulators.”
In effect, many respondents saw two clear dimensions to regulatory risk: i) breaching regulations and ii) not meeting
regulator expectations. Regulatory risk might be interpreted as the risk of not keeping pace with the rising regulatory bar.
This bar was no longer national: Sarbanes-Oxley had demonstrated the potential impact of extra-territoriality. Regulatory risk
also lay in the need to adjust business models to comply with new detailed rules, particularly in terms of costs and possible
Major regulatory challenges identified:
• AML related-legislation
• Basel II
• Best execution
• Compliance arrangements
• Conflicts of interest including market
abuse/insider trading
• Focus on treating (retail) customers fairly
• IFRS
• Market disclosure and transparency requirements
• Privacy legislation
• Sarbanes-Oxley
• Solvency regimes for insurers
6 PricewaterhouseCoopers and Economic Intelligence Unit survey, July 2003:
Compliance: A gap at the heart of risk management
7 “A bank’s compliance function can be defined as: “An independent function that
identifies, assesses, advises on, monitors and reports on the bank’s compliance
risk, that is, the risk of legal or regulatory sanctions, financial loss, or loss to
reputation a bank may suffer as a result of its failure to comply with all
applicable laws, regulations, codes of conduct and standards of good
practice.““Note: the October 2003 paper was a consultation paper. The Basel
Committee has very recently (April 2005) issued a formal guidance note entitled
“Compliance and the Compliance Function in Banks”.

16 © PricewaterhouseCoopers - Protecting the brand, May 2005
inappropriateness for the business. There was also risk in not communicating appropriately with the regulator(s). Clearly, the
most explicit concern in this respect was that regulators moved the goal-posts, retroactively. Respondents said that these
concerns considerably increase uncertainty, and risk stymieing business.
“[It] takes years to build it but can be lost in
an instant”
Reputation risk
Many respondents said that management’s biggest fear was damage to reputation and brand. Often, however, “reputation
risk” or “brand risk” were not defined, sometimes intentionally in order not to dilute judgement.
Some respondents provided more granularity to a potential definition. Damage occurred when business behaviour, in
any sense, was viewed as inappropriate by stakeholders, whether regulators, customers, other market operators, or - in
certain businesses - the public at large. A German institution described it as “[..] broader than regulatory risk and is the risk of
any activity that may impact the reputation of the business. It is not necessarily legal in nature.”
Respondents highlighted the inability to quantify this risk, or even to mitigate it thoroughly in all circumstances,
particularly where it arose through no wrongdoing on the part of the organisation. Reputations could be tarnished by
association. There was also the materiality factor: a media “feeding frenzy” could cause serious damage, however minor the
incident.
Reflections
Clearly, there was no overall consensus on a definition for these risks. The differences in the meaning and appreciation of the
risks are understandable given the evolving nature of risk management, the different stages of evolution of compliance
functions across organisations, the positioning of the compliance function within financial services organisations (legal, risk,
operations) and the cultural receptivity towards regulation. However, the differences in the definitions point to the need for a
common language and approach to compliance and regulatory risks, across sectors and between industry and the
regulators. This would facilitate improved granularity in identifying and assessing compliance risks.
Considering the study’s responses, the definition of reputation risk is more generic: an over-arching risk, to which all
areas of the business are susceptible, both from the organisation’s own activities, or changing perspectives of external
stakeholders which it fails to anticipate adequately. As a primary concern of management, reputation risk could, perhaps,
provide a framework within which risks to the organisation can be correlated, and their interdependencies better
appreciated. However, boards and senior management need to be realistic in terms of what the compliance function can
achieve: it cannot mitigate reputation risk generally. Reputation risk can only be managed by the careful orchestration of the
various control mechanisms within the organisation.

© PricewaterhouseCoopers - Protecting the brand, May 2005 17
The lack of a common language, inside organisations, at industry level and between regulators and industry, inhibits clarity
and transparency around the role and responsibilities of the compliance function. Importantly, the work of the international
standard setters - the Basel Committee, IAIS and IOSCO - in terms of core principles has set the tone for increased
ideological convergence, more broadly. The Basel Committee’s definition of the compliance function demonstrates that
regulators expect a broad-based conceptual approach, reflecting management’s responsibility to identify, assess and
manage all compliance risks in their business effectively. This definition does not necessarily correlate to the actual scope of
the compliance function. The compliance function cannot be held responsible for all the compliance risks that could damage
reputation potentially, only those related to specific types of business transaction, as predetermined by its mandate from
management. One insightful comment threw light on this conundrum: “the compliance role can be chopped up in many
ways: the essential thing is to ensure that everything is covered by someone and that it is clear who is doing what”. Clear
definitions provide the basis for appropriate delineations and allocation of responsibilities.
There were also different interpretations of the scope of “compliance risk” in terms of similar operations or business
transactions within different business lines, and when operating across borders. Group policies can provide minimum
standards but extra efforts are required to ensure that a common understanding of compliance risk, as well as the scope of
the compliance function’s remit, permeates throughout the organisation.
This challenge is further complicated by different regulatory approaches, internationally, and across sectors. Regulatory
principles sketch regulators’ expectations for the management of compliance risk, and compliance functions. Management
is expected to fill in the gaps. However, management is concerned that, without more detailed guidance, regulators mean to
give themselves room for manoeuvre, enabling them to criticise management’s efforts in due course: an unsettling prospect
given the current perceived regulatory propensity to move the goal posts retroactively (see next section). This uncertainty is
beneficial for neither party.
Reeputation Risk
stakeholders’
Regulatory
Risk
Other
Compliance & Legal Risk
Business Risk
expectations
Operational
Risk
From our analysis, we suggest that:
• Industry and regulators need to reach a consensus as to the meaning - and their understanding - of “compliance
risk” across business lines, both generally and in the context of the role of the compliance function
• Internationally, and across sectors, regulators need to continue to align their approaches to risk management,
including compliance risk.

18 © PricewaterhouseCoopers - Protecting the brand, Mary 2005
Introduction of national requirements regarding compliance functions 8
Evidently, national requirements regarding compliance functions related to securities business have existed in Anglo-Saxon countries have existed for some time.
A conceptual trajectory can also be drawn in other countries from requirements relating to anti-money laundering compliance arrangements.
Country Banking Investment Services Insurance
Compliance Functions AML Compliance Compliance Functions AML Compliance Compliance Functions AML Compliance
First Updated First Updated First Updated First Updated First Updated First Updated
introduced introduced introduced introduced introduced introduced
Australia 1998 2004 (1) 1988 (2) 2005 1998 2004 (1) 1988 (2) 2005 2002 - 2005 -
Austria 1993 2002 1993 (3) 2003 1993 (4) 2002 (4) 1996 2003 1993 2002 1978 2003
Bahrain 1999 - 1989 2001 1999 - - - 2005 - 2001 -
Belgium 2001 - 1993 2004 2002 - 1993 2004 2005 - 1993 2004
Canada 1999/2000 2002/2003 1993 2001 1999 (5) 2003 (5) 1993 2001 1999/2000 2002/2003 1993 2001
2000/2001
2000 (6)
France 1996 (7) 2005 1991 2002 2001 2005 1991 2002 - - 1991 -
Germany 1993 2004 (8) 1993 2002 1993 2004 (8) 1993 2002 2002 - 1993 2002
Hong Kong 1991 2003 1997 2004 1997 2003 1997 2003 2002 - 1997 2000
Italy N/A (9) N/A (9) 1991 1997/2004 2005 (10) - 1991 1997/2004 N/A (9) N/A (9) 1991 1997/2004
Japan 1999 2004 1990 2003 1992 2003 1990 2003 2000 2004 1990 2003
Luxembourg 1998 (11) 2004 1989 2004 1998 (11) 2004 1989 2004 - - 1991 2004
Netherlands 1999 2004 1993 2004 1999 2004 1993 2004 2004 - 1993 2004
Spain 1995 (12) 2002 (12) 1993 2003/2005 1988 (13) 2002/2003 (13) 1993 2003/2005 N/A N/A 1993 2003/2005
Sweden 1999 - 1993 1999 2002 2004 1993 1999 2000 - 1993 1999
Switzerland 2002 2005 (14) 1991 (15) 1998/2003 (15) 2001 - 1991 (15) 1998/2003 (15) - - 1998 -
United Kingdom 1988 2001 1993 2004 1988 2001 1993 2004 1988 2001 1993 2004
United States N/A N/A 1987 2002 1988 (16) 2004 (17) 2002 (18) 2005 (19) Matter Matter 2005 (19) -
of State law of State law
(1) Australian Standard on Compliance Program AS3806 updated draft released: the
requirements under the Managed Investment Act were not amended at this time.
Additional requirements under the Financial Services Reform Act became
mandatory.
(2) Financial Transactions Report Act 1988 related to cash dealers (did not stipulate
appointment of compliance officer)
(3) Adoption of EU-equivalent rules, in line with Directive 91/308/EEC, the first antimoney
laundering directive.
(4) For pension funds
(5) Requirements of the Ontario Securities Commission.
(6) 2000: Mutual Fund Dealers Association requirements; 2001 Investment Dealers
Association requirements; 2002 Universal Market Integrity Rules.
(7) For banks subject to CMF regulation.
(8) Further updates in 1995,1998 and 2002. BaFin introduced detailed requirements
for the compliance function in 1999.
(9) Not applicable: the current regulations do not explicitly define the “compliance
function” but only an “internal audit function”.
(10) Anticipated introduction for broker-dealers.
(11) Compliance was the responsibility of the internal auditor.
(12) “Compliance function” for banks not explicitly defined but rules on adequate
administrative and accounting organisation and internal controls. Further changes
introduced regarding internal audit compliance.
(13) “Compliance function” has traditionally derived from the regulatory regime on
rules on conduct, conflict of interest, internal control and adequate level of
administrative resources.
(14) First introduced as part of internal control system by Swiss Bankers’ Association
guidelines in 2002: specific provisions for compliance functions in
banks/securities firms to be published shortly by the Swiss Federal Banking
Commission.
(15) Prior to introduction of specific AML rules in 1991, provisions on customer
identification were in place since 1977. Introduction of ‘Politically Exposed
Person’-term and related regulations in 1998 (subsequently adopted by FATF):
SFBC issued 2003 Anti-Money Ordinance anticipating most of the 40 FATF
recommendations.
(16) Requirements for broker-dealers introduced.
(17) Updated requirements for broker-dealers, and new requirements for investment
advisors and mutual funds.
(18) For broker-dealers and mutual funds.
(19) Final rules expected for investment advisors and insurance companies in 2005.
8 For more detailed information see Annex I. Source: PricewaterhouseCoopers

Challenges to achieving compliance
© PricewaterhouseCoopers - Protecting the brand, May 2005 19
Introduction
What are the biggest challenges to achieving compliance? 8
Traditionally, regulatory compliance was a secondary concern for most senior management and board members.
The business impact of non-compliance was often considered to be relatively low. Organisations are now facing
unprecedented pressure, from regulators and other external stakeholders, senior management and board members to
proactively manage their compliance, regulatory and reputation risks. Risk appetite for such risk is where it ought to be:
low - with some respondents stressing “zero tolerance”. At the same time, organisations are faced with an ever-changing,
complex and uncertain regulatory environment.
What are the major challenges?
70
60
50
40
30
20
10
64
16
33
27
24
11
36
20
17
23 23
31
Not surprisingly, the study found that the large majority of participants 9 saw the sheer and increasing complexity -
both in volume and frequency of changes - in the regulatory environment as the principal challenge to achieving compliance.
This complexity was difficult for all types of organisations - retail and wholesale, insurance, banking and asset management.
There was also concern about the more aggressive posture of regulators, and the trend to move the goal-posts not only with
new regulations but also with existing rules. Organisations also worried about the changing (external) stakeholder
expectations in a broader sense (including shareholders, customers, etc.), particularly the difficulties in anticipating the
changes, for example, where this meant second-guessing existing market practices.
Compliance officers stressed two interconnected challenges to achieving compliance on a sustainable basis:
• Embedding a compliance culture within the organisation, particularly across borders and across sectors
• Remaining compliant on a cross-border, cross-sector basis in the context of a dynamic business environment and rapidly
changing regulations.
Dynamic business strategies severely exacerbated the challenges. Regulatory complexity increased exponentially when
organisations operated on a cross-border basis, with the need to balance global and national requirements. Respondents
also identified numerous related challenges as a result of cross-border business (see box overleaf).
0
% of total responses
Sheer complexity of regulatory environment
Poor communication with regulators and other external stakeholders
Changing expectations of stakeholders
Non-involvement of the compliance function in strategic decision-making
(i.e. in terms of the financial institution’s organisational structure(s), new
markets/products)
The organisation of the compliance function (roles and responsibilities)
The compliance function lacks independence
Inadequate technological infrastructure for monitoring compliance
Poor integration with other functions, including risk management, sales
and customer service
Lack of direct communication between compliance and senior
management and/or the board
Focus on cost-cutting/cost control
Insufficient pool of talent in this area of business
Incomplete acceptance/understanding by the board/senior management
of their compliance responsibilities.
“Lack of technological infrastructure” was ranked the highest internal issue, followed closely by “incomplete recognition - by
both the board and senior management - of their compliance responsibilities”. Respondents stressed the knock-on effect of
cost cutting and cost control policies.
9 The chart shows the percentage of total respondents who identified each category as a challenge.

20 © PricewaterhouseCoopers - Protecting the brand, May 2005
Compliance challenges for cross-border business
• Different interpretations of corporate ethics
(and compliance goals) against national cultural
backgrounds which management fails to reconcile
• Differing stages in the evolution of the compliance
function and its role in different countries/lines of
business:
- Variations in technical compliance capabilities
- Convincing management of the inverse logic of a
potential increase in compliance breaches or
weaknesses identified when compliance function
was established, or its scope extended
- Ineffective communications
- Lack of a common “language” for compliance
risk
• A disconnection between group compliance
policies and national procedures
• Possible competitive distortions at the national
level resulting from (group) compliance approach
• Non-efficient development of compliant crossjurisdictional
products and services
• Overlapping regulatory requirements across
financial sectors
• Different, and changing, powers of the regulators,
and the politicisation of the regulator
• National/regional political agendas creating
barriers to business
• Differences in shareholder expectations in terms
of corporate governance and compliance
(combined with differing power/leverage of
shareholders)
• Increased expectations and financial awareness of
customers, including consumers
• Increased impact of the media.
10 Basel Committee: The compliance function in banks, October 2003, p.2
There were other related impediments:
• Lack of empowerment of the compliance function
• Lack of efficient organisational structures and unclear roles and responsibilities
• Different expectations between internal stakeholders (including management) and the compliance function
• Lack of pragmatism on the part of compliance staff in dealing with business
• Differences in awareness of compliance issues between securities, banking, insurance, asset management businesses.
Several compliance officers echoed regulators’ concerns in that they felt senior management had no well-developed, longerterm
strategy towards compliance. One commented that, without a strategic view of how to “do” compliance, his organisation’s
ability to remain compliant was not sustainable in a complex environment. In some more advanced jurisdictions, commentators
suggested that high turnover rates in compliance staff resulted from frustration over the lack of coherent strategies. In less
advanced jurisdictions, some respondents believed that management still viewed compliance as a “necessary evil”, and the
compliance function as a means to pacify regulators, rather than as an effective management support tool.
How do you align the scope of compliance with corporate values
and goals?
A number of questions sought to clarify the scope of the compliance function, to assess whether it was in line with the goals
and values of the organisation, and the challenges in meeting those goals: in essence, reflecting the Basel Committee’s
comment that “compliance risk management is most effective when a bank’s culture emphasises high standards of ethical
behaviour at all levels of the bank”. 10
The study found that most organisations’ corporate values and ethics (or codes of conduct which addressed these
issues) had been clearly defined by the board, or senior management with board oversight. Interestingly, only a few
respondents made a direct link between corporate values and corporate social responsibility goals. Compliance officers
were often directly involved in the preparation of corporate values statements and codes of ethics. Subsequent ownership
generally rested with the board and senior management, or was delegated to the compliance function or, in some cases,
human resources. This latter delegation, however, raised some concerns among regulators about the risk of discontinuity
when rolled out throughout an organisation.
The frequency with which corporate values statements and codes of ethics were reviewed varied from explicit time
intervals (e.g., annually, every 2/3 years) to “as and when the need arises”. Active communication strategies, initiated by
senior management, were evident in some responses but many took a passive approach, relying on the intranet and the
compliance network. There were only a few examples of staff attestation or testing requirements, although this was clearly a
means of providing comfort on comprehensive awareness. Explicit training and ethical surveys were also limited, though
employees of one European conglomerate underwent “dilemma studies” to select action alternatives, compliant with both
corporate policies and ethical values.

© PricewaterhouseCoopers - Protecting the brand, May 2005 21
What is the organisation’s vision for compliance?
To assess evolution in organisational vision, and to see whether appropriate connections were being made between the
compliance function and corporate values and ethics on the one hand and the organisation’s strategy on the other,
participants were asked to describe the current vision and whether it had changed over the last three years.
Organisations’ current vision ranged from “compliance should not cost too much and be disruptive” to Compliance
should “provide a high quality advisory service to staff and management”. A number of organisations said compliance was
instilled in the “corporate culture” but more effort was needed to fully implement it in the organisation. Where there was a
perceived need (e.g., within internationally active organisations) and/or national regulatory requirement for a compliance
function, there was a clearer alignment between compliance vision and ethical values.
In all cases, compliance vision had changed over the past three years: often through reinforced regulatory obligations,
but sometimes in anticipation of regulators’ expectations or in order to stay in step with best business practice
internationally. Clearly, management had a more profound appreciation of the importance of compliance in protecting the
brand and reputation but many compliance officers expressed concern that their perceived responsibilities may extend
beyond their formal authority in this respect.
In international organisations, the vision had matured rather than changed over the past three years, offering a more
professional and formalised approach to compliance. Respondents noted increased sensitivity and awareness both at an
industry level and within their own organisations of the need for proactive, solid compliance programmes, supported by senior
management. Central compliance structures (at group and divisional level) had been enhanced, with deeper awareness of
which compliance activities should be performed at a central level, and which should be devolved to business lines and entities.
What is the intended scope of compliance?
The majority of respondents said that their organisations aimed to comply with:
• Prudential and conduct of business rules
• Industry best practice codes and codes of good conduct
• Internal policies and codes of good conduct.
However, as previously indicated, they confirmed that all related responsibilities did not fall entirely within the remit of the
compliance function. Compliance with prudential rules, for example, was nearly always the responsibility of Accounting or
Finance. Some respondents indicated that Compliance’s main objective was to ensure adherence purely with laws and
regulations relating to business transactions, while others included industry codes of good conduct within the overall scope.
However, so-called “industry best practice” codes were not always seen as best practice, nor appropriate for the organisation.
14% of organisations wanted to go beyond compliance with laws and regulations, to focus on satisfying the
expectations of other stakeholders, such as clients and communities, and adopting ethical social values. These participants
Identified advantages of increased formalisation
of the compliance function:
• Compliance commanding more respect, with
increased influence over business decisions
• Compliance seen not just as a monitoring tool but
as an active, ongoing support to management
• The scope of Compliance’s responsibility
extended (beyond AML, securities)
• Improved awareness throughout the organisation
of compliance requirements
• Adoption of a more integrated compliance
approach throughout the business
• Adoption of risk-based approaches based on predetermined
risk tolerance levels for
regulatory/compliance risk, depending on the
business mix
• Compliance seen as a contributor to strategic
objectives, such as improved corporate
governance standards
• Retrospective, and forward-looking, information
for the board and senior management.
• More proactive interaction between Compliance
and business
• Growing appreciation of Compliance’s potential
value to external stakeholders (other than
regulators).

22 © PricewaterhouseCoopers - Protecting the brand, May 2005
14
What do you comply with?
56
66
100
100
said that this was an issue on which the industry as a whole needs to focus. Increasingly, organisations took a pragmatic
approach when determining with what they needed to comply. While adhering to minimum requirements in all areas, a
significant number of respondents indicated that they would like to be “best in class” in selected areas. One UK respondent
noted that the nature of the organisation’s business model meant that the wider risk management programme, including
compliance risk management, was ultimately a capital issue. Consequently, her organisation believed it had to do enough to
meet the first two examples (prudential/conduct of business rules, and industry best practice codes, etc.), and use the latter
(internal policies and codes) as a commercial tool to help maximise profitability.
It was noted that losing the confidence of regulators would limit business opportunities. However, regulatory scepticism
appeared to extend beyond pure regulatory requirements, to best practice. One regulator commented that while institutions
claim a desire to comply with best practice, having done a cost/benefit analysis, they do not often proceed.
0 10 20 30 40 50 60 70 80 90 100
% of respondents
Ethical social standards/CSR
Internal policies and procedures
Industry best practice
Market/conduct of business rules
Prudential rules
Reflections
Looking at the responses overall, both serious external and internal challenges to achieving compliance were highlighted.
From an external perspective, the style and forcefulness of regulators and law enforcement are evidently a cause for
considerable concern, with particular consternation over regulators’ changing expectations - and perceived heavyhandedness.
Strengthened anti-money laundering and combating terrorist financing requirements significantly exacerbate
concerns regarding law enforcement. Although the impact of the investigations by the New York State Attorney General, Eliot
Spitzer has been felt most strongly in North America, the reverberations are global. Institutions are concerned that this level
of uncertainty could generate risk aversion enough to stymie business.
On the positive side, corporate values, codes of ethics and conduct have been more widely established and organisations
are better formulating their views on what they need to comply with, in the context of a broader spectrum of stakeholders.
However, the fear generated by recent high-profile incidents, and regulatory reactions, appears to be the principal driving force
behind the reshaping of the corporate vision of compliance. This situation may well change over time if there are fewer
incidents. In many countries covered by the study, organisations made minimal efforts in the compliance arena until forced by
regulatory requirements. It is possible that future pressure may come from other stakeholders, such as institutional investors and
possibly rating agencies. The lack of progress made in demonstrating the value of the compliance function means that when
the pressure is off, compliance will be subjugated to other regulatory and business priorities.
From an internal perspective, many respondents accentuated the internal challenges which suggests that senior
management, and business management, are still failing to appreciate fully the potential business benefits of compliant
behaviour. Management needs to adopt an ongoing and consistent top-down, and bottom-up, approach to changing mindsets
throughout their organisations to ingrain a deep sense of integrity. This represents a hurdle not only for organisations
facing new requirements for compliance functions. In effect, cultivating broad-based, practical comprehension of the
inherent advantages of engendering appropriate behaviours and business practices and processes designed for compliance

© PricewaterhouseCoopers - Protecting the brand, May 2005 23
may be more difficult in jurisdictions where compliance functions have existed for some time: subtle realignments are often
more difficult to achieve than substantial ones. If organisations are not convinced of the longer-term benefits, the risk is that -
if and when regulatory pressure and the associated fear of regulatory action subsides - management will not have set in
motion the change processes necessary to modify corporate mind-sets on a sustainable basis 11 .
Attempting to tackle all the associated issues in one major project, however, is unlikely to be effective. Instead,
continuous initiatives in a number of inter-related areas (with iterative reassessments as the situation evolves), together with a
clearer vision of the long-term endgame, are essential. Based on an analysis of the study results, common initial challenges
for management include:
• Assessing risk holistically, probing further the correlation between different types of business and market risk in terms of
compliance, regulatory and reputation risk
• Given a definition of “compliance risk” for all business activities, clearing determining the compliance function’s
associated roles and responsibilities, in the context of other control and support functions, such as internal audit, legal,
risk management, human resources, etc.
• Establishing the right balance between “counsellor” and “police officer” roles of the compliance function, and providing
flexibility for these roles to evolve
• Providing adequate resources to Compliance, targeting efficiency through appropriate human and financial resources
supported by a robust technological infrastructure
• Adopting a bottom-up, as well as top-down approach to achieving compliance, whereby business processes and
practices are thoroughly reassessed to ensure current and future compliance, taking particular account of the
technological needs.
• Above all, concentrating on ingraining a deep sense of integrity into the DNA of the organisation fostering both
appropriate behaviours and attitudes, and using the compliance function as a tool to promote and promulgate the
required value system.
Based on our analysis, we suggest that:
• Management should assess the current role and
future evolution of the compliance function, as
part of longer-term strategies aimed at configuring
business practices and processes - and indeed its
overall infrastructure - with a view to instilling a
deep sense of integrity and facilitating the right
behaviours in its people. It should appreciate that
people will not be able to behave consistently
with integrity if the business processes
themselves create barriers.
The rest of this report considers issues such as the roles and responsibilities of the compliance function, its configuration,
and, particularly, the means by which to promote appropriate behaviours and consequently extract the inherent value of the
compliance function for the business overall. Efforts and progress in these areas, however, are likely to be ineffectual in the
longer-term if not predicated on uncontested management appreciation of - and striving for - the realisation of the intrinsic
value potential of compliant behaviours, supported by appropriate business practices and processes.
11 Initiatives that can help organisations nurture a compliance mind-set are
considered in more detail on PricewaterhouseCoopers’ Global Best Practices
website at www.globalbestpractices.com.

24 © PricewaterhouseCoopers - Protecting the brand, May 2005
The compliance function - police officer or counsellor?
70
60
50
40
30
20
10
0
40
56
% of total responses
Compliance function goals
60
9
16
What should be the primary goals of a compliance function within a financial
institution?
To help the firm anticipate and plan for changes in regulations
To ensure that reputation risk is being managed effectively
To ensure that the firm is in compliance with regulations
To act as the champion of the customer within the firm
To influence the regulatory process in the interests of the firm
To ensure that regulatory risk in the institution is being managed effectively
To ensure compliance with regulations and both internal and external
codes of conduct in the development of new products and markets
To train and educate staff in regulatory requirements and the requirements
of internal policies and procedures
To build greater confidence in the organisation on the part of clients
To act as a central repository of all information on rules, codes and
business practices and ensure dissemination to all appropriate people in
the organisation
To advise the business units on how to ensure that new services and new
products are compliant
51
35
43
10
26
43
What are the objectives of the compliance function?
Most respondents considered all the goals relevant, to a greater or lesser extent (see chart left). However, “to ensure the firm
is in compliance with regulations” was ranked the highest, followed closely by “to ensure that reputation risk is being
managed effectively” and “to ensure that regulatory risk is being managed effectively”. The two lowest rated were “to build
greater confidence in the organisation on the part of clients” and “to act as the champion of the customer within the firm”.
Having said that, one Australian respondent saw Compliance in a way as a marketing tool, differentiating the firm from
boutique competitors. Also, the link between properly managing reputation risk and client confidence was stressed.
One North American respondent indicated that some objectives - such as “to help the firm anticipate and plan for
changes in regulations” - ended up on the backburner, due to lack of resources. Conversely, a UK respondent underlined the
importance of this particular objective as it enabled Compliance to better advise management and help prepare business for
changes associated with regulatory developments.
Increased emphasis on providing support and advice to management was a common theme. A French bank stressed
that the over-riding aim must be to keep management out of trouble, implying three key objectives for the compliance
function:
i) Provide advice and support to management in managing regulatory risk in terms of business transactions
ii) Train and educate staff, raising awareness in the business of compliance requirements
iii) Improve relationships with regulators through ongoing dialogue and through participating in the regulatory debate.
This echoes to a certain extent a North American respondent who suggested that the overarching goal of the compliance
function should be to provide the expertise to help the firm manage regulatory and reputation risk and that this could be
accomplished on the front-end by being seen as a trusted advisor (involved in change management, training, consultation,
etc.) and, on the back-end, by verifying compliance (i.e., testing, monitoring risk, and so forth). Notably, French institutions
tended to de-emphasise compliance verification activities.

© PricewaterhouseCoopers - Protecting the brand, May 2005 25
What are the roles and responsibilities of the compliance function?
A number of the questions in the questionnaire were designed to probe the current roles and responsibilities of the
compliance function. The study found that these were changing in line with the objectives discussed earlier. Although to
some, Compliance was still primarily a control function, the emphasis was noticeably shifting towards a balance between a
“counsellor” (trusted advisor) and “police officer”, in line with the objectives discussed above. 30% of respondents indicated
that the roles and responsibilities of the compliance function were formalised at group and business line level, through a
compliance charter, formal terms of reference, or similar. 33% indicated that these were implicit in compliance policies.
Respondents largely agreed with the list of compliance activities set out in the table (below). Their activities could be split
between the two roles, but respondents stressed that there was substantial interplay between them (it must be stressed again
that the percentages included in the table are purely indicative). Certain trends however were evident. In the Anglo-Saxon
countries (United States, Canada, Australia and the UK), there appeared to be more emphasis on a “friendly police officer”
approach. Compliance monitoring activity represents a higher percentage than the international average, with “advice”
representing an equal percentage. However, this could also reflect a more manual approach to compliance monitoring activities,
and a lack of technological support. Organisations in Japan and Hong Kong placed significantly more emphasis on training and
education of business units, and embedding the compliance culture. Continental European respondents generally seemed to
place more emphasis on i) establishing compliance policies and procedures, ii) monitoring and interpreting regulatory
developments, and iii) providing advice to business.
Percentage of compliance function activity
ANGLO
CONTINENTAL
TOTAL SAXON ASIA EUROPE
Police officer
Monitoring compliance with procedures 16 26 11 10
Reporting to management 8 10 10 5
Counsellor
Promoting the adoption of a compliance culture within the organisation 5 3 10 6
Interface with regulators 6 7 1 5
Monitoring and interpreting regulatory developments 12 7 12 13
Taking preventative or corrective measures* 5 5 7 3
Establishing compliance policies and procedures 16 11 12 22
Providing advice (including a helpline) 19 19 23 22
New product/market approval processes 5 4 2 6
Training and education of business units 6 5 11 6
Further developing the compliance function’s role 2 3 1 2
100 100 100 100
“It is not yet clear whether I’m a vicar or a policeman.”
Compliance charter/terms of references
23
4 4 6
33
30
Explicity in charter (or similar)
Implicity in policies/instructions
No charter or similar
Update underway/required
Developing
No response
* Corrective measures generally fall more under the “police officer” role.

26 © PricewaterhouseCoopers - Protecting the brand, May 2005
Police officer
Monitoring compliance with policies and procedures
“Three line of control approach:
• Business unit - execution of controls
• Group compliance - oversight of monitoring
and testing
• Group audit - independent assurance”
Over 95% of respondents indicated that Compliance was responsible for monitoring adherence to policies and procedures,
often working closely with internal audit. However, in a few cases - generally where compliance functions were less
developed - this was the sole responsibility of internal audit. In some European countries, however, where explicit
requirements for compliance functions were relatively recent, less emphasis was placed on Compliance’s role with regards to
compliance monitoring (the primary emphasis being advice to business).
Monitoring day-to-day business transactions (suspicious transactions, employee dealing, etc.) was often an intrinsic
part of local compliance staff responsibility. These compliance staff might be simultaneously responsible for oversight of
monitoring and testing at the business unit level, potentially creating tensions and confusion about the differentiation
between the roles. Regular reporting was both to local management, and through the compliance network.
Where appropriate technological infrastructures were in place, Group Compliance backed up this “real-time”
monitoring (e.g. with global trading position monitoring). Group compliance also undertook special monitoring visits,
sometimes in conjunction with internal audit and legal. One European respondent carried out three to four wider “theme”
reviews per annum into specific risk areas. A North American respondent indicated that internal audit undertook some 20 to
30 special reviews into compliance on an annual basis. More broadly, Compliance collaborated closely with internal audit to
monitor compliance, often providing advice to internal audit as to what should be covered in its annual audit plan. However,
although the roles of compliance and internal audit were sometimes clarified through compliance charters or service level
agreements (SLAs), some respondents mentioned also the blurring of lines between the two functions, and the fact that
senior management and business did not always understand the differences between their roles. Others stressed frequent
communication as a means to avoid overlap between Compliance and internal audit.
Compliance’s ability to comprehensively prepare its monitoring plan was dependent on its awareness of both past
events, and future regulatory and business developments. Where Compliance was not involved directly in new business
initiatives, respondents indicated that both business and internal audit kept Compliance informed of potential compliance
risks emerging from new business in the majority of cases (see p. 33).
Taking corrective measures
Business line management was deemed responsible, in the main, for the rectification of compliance breaches and
weaknesses, although, this was seen as Compliance’s responsibility in a number of cases. In leading organisations,

© PricewaterhouseCoopers - Protecting the brand, May 2005 27
Compliance:
• decided whether a breach should be reported to the regulator,
• informed senior management if the breach had to be reported to the regulator and/or was considered material from an
internal perspective,
• advised business on rectification,
• monitored progress on rectification (in conjunction with internal audit) and
• reported to senior management/the board on rectification progress.
If not reported to the regulator, breaches were nonetheless escalated to senior management or the board depending on the
materiality of the breach or deficiency (according to pre-established parameters). One respondent had an incident grading
system, which predetermined who was responsible for rectification (see also p. 42). Over 90% of respondents said they
ensured root cause analysis was undertaken to identify cases of potential systemic weakness, ensuring appropriate actions
are taken, including penalising personnel where appropriate. Notably, however, no established breach rectification process
was in place in some organisations where i) the compliance function was new, and ii) there had been no significant incidents
in that country.
How often does the compliance function report
to the board of directors ?
3
3
11
9
3 3
40
14
14
Reporting to the board/senior management
84% of respondents reported directly to the board or appropriate board committee; the remaining 16% reporting to senior
management. In over 95% of organisations, either a member of senior management was directly responsible for compliance,
or the compliance officer reported directly to a member of senior management. 40% of respondents indicated that formal
reporting to the board took place quarterly: an additional 17% said that reporting was actually more frequent (either five
times per year, or monthly). 3% did not prepare formal reports for the board.
annually
semi-annually
quarterly
5 times annually
bi-monthly
monthly
regularly
on request
do not report

28 © PricewaterhouseCoopers - Protecting the brand, May 2005
Group Compliance responsibilities
• Set vision, profile, appetite and culture
• Set framework, policy, strategy
• Communicate that the management of
compliance and operational risk is an institutional
priority
• Provide and reward “no surprises” openness
attitude
• Act as a counsellor to business on policy
implementation
• Oversight control environment
• Manage stakeholder interaction to achieve
awareness and collaboration
• Obtain and act on relevant management
information.
Business unit compliance responsibilities
• Create a risk awareness profile and culture
• Implement and manage risk strategy consistently
throughout the organisation
• Communicate that the management of
compliance and operational risk is an institutional
priority
• Translate strategy into policies, processes and
procedures
• Promote and reward “no surprises” openness
attitude.
• Implement and maintain effective control
environment
• Generate and utilise effective management
information systems.
Counsellor
International institutions saw Compliance as better placed to add value to the organisation, on both a strategic and day-today
transactional basis, if perceived as a trusted advisor to management at all levels in the business. This trend was evident
in the majority of the regions covered in the study, although in some organisations there appeared to be a disconnection
between the goal of fostering a compliance culture and the empowerment of the compliance function. In Continental Europe
(e.g. Belgium, the Netherlands, Sweden), the concept appeared generally well understood - although the necessary
structures and resources were not yet in place to realise it fully. In the UK and Canada, there was a consistent move in this
direction, although some respondents suggested this was creating some political tensions within the organisation.
Assuming a role as an advisor to business created different roles and responsibilities at group, regional and local levels,
and between business lines and legal entities. One Australian institution allocated responsibilities between the group and
business units as shown in the box.
Promoting the adoption of a compliance culture within the organisation
As an over-arching activity - impinging to a greater or lesser extent on all the other activities - the relatively low percentage
rate in the table above (p. 25) is understandable. Few projects or ongoing activities were tagged “promoting the adoption of
a compliance culture” although a wide range of activities could be designed with this goal in mind, either explicitly or
implicitly. The primary role that Compliance played in promoting a compliance culture was one of communication, designed
to facilitate consistent interpretation of the “tone at the top” at the business level. Respondents described the role as a
“vital”, “critical”, “central”, but also “subtle” and “intrinsic”. However, for some organisations no formal role was conceived.
Other respondents said that they were aware that the role needed to be broader than it is. To be effective, though,
Compliance needed the respect of business units and this depended not only on Compliance’s demonstrating sound
business understanding but also its recognised senior status - acknowledged explicitly by senior management - within the
organisation.
Respondents mostly indicated that Compliance was an active advisor to both the board and management in effecting
changes necessitated by specific new regulations. Compliance informed the board of the business impact of regulatory
developments, put forward proposals for changes required, and subsequently supported management in implementation.
A North American respondent indicated that Compliance’s role then went further in evaluating the effectiveness of the
changes through obtaining employee feedback, and sustaining the changes through developing enhanced scenario or other
training tools to help the business cope with the changes on a daily basis.
Only in a few cases, however, were there clear indications of Compliance’s active role - and authority - in terms of
coherent change management programmes, targeting ongoing improvements to the compliance culture.

© PricewaterhouseCoopers - Protecting the brand, May 2005 29
Monitoring external stakeholder expectations
Changing stakeholder expectations, in the broader sense, was considered a significant challenge to achieving compliance
(see p. 19). Although a relatively systematic and broad-based approach to monitoring external stakeholder expectations from
a compliance perspective existed in North America, Australia, Japan and the UK (involving Compliance, business and
supporting departments, such as legal, customer service, marketing, etc.), in some European countries, it was primarily
Compliance’s responsibility to monitor such expectations.
Approach to systematic monitoring of external stakeholders
• Ongoing communication and dialogue with regulators
• Monitoring the media particularly press coverage of other institutions’ experiences with regulatory
breaches, and consumer protests.
• Monitoring changing customer expectations through:
- Reviewing customer complaints on a regular basis, as well as regular customer satisfaction surveys or
reputation surveys. One respondent indicated that an independent third party carried out a customer
satisfaction survey on behalf of the organisation on a quarterly basis.
- Regular interaction with senior and business/line management to gauge client expectations, as well as
with business development and sales teams.
• Monitoring industry-wide developments through participation in industry associations and peer groupings,
including, where relevant, Compliance Officer Associations.
• Monitoring shareholder expectations: through dialogue, surveys, board participation.
Important external stakeholders
100
90 95
80
70
60
50
40
30
36
20
31 29
29 29
10
13
0
7 5
% of total responses
6
Not surprisingly, regulators were deemed the most important external stakeholder from a compliance perspective. External
auditors were also rated relatively highly, together with law enforcement. Customers, analysts (including rating agencies) and
the general public were ranked as moderately important. A respondent in the Nordic region did note the increasing emphasis
institutional investors placed on well-functioning compliance functions. One German respondent considered that, if rating
agencies were to focus on compliance function effectiveness (as they are starting to look at corporate governance regimes),
this could have a positive impact on the perceived value of the function within the organisation. However, a French
compliance officer, having been surveyed on a number of occasions by rating agencies, believed their questions were not
probing enough.
Regulators
Law Enforcement
Investors/ shareholders
Analysts (inc. rating agencies)
External auditors
Customers
General Public
Peers
Partners
Media

30 © PricewaterhouseCoopers - Protecting the brand, May 2005
Contacts with regulators
Interface with regulators
13
12
2
9
17
47
Compliance
Senior manager with compliance
responsibility
Other department
Various Senior managers
Board members
No restriction
The majority of compliance officers indicated that their relationship with (local) regulators was mainly open, although
Japanese respondents suggested more need for formality. 47% of respondents indicated that - generally - Compliance was
the central point of contact with the regulators, although 12% indicated another department, either finance/accounting (the
department responsible for prudential reporting) or the legal department was the central contact. However, a number of
respondents stressed that this depended on the individual regulator. 17% indicated that the central point of contact was the
member of senior management with compliance responsibility, although 13% indicated that various members of senior
management had contact with the regulators. In effect, communication through nominated central contacts, or Compliance,
was often complemented by regular informal contacts with senior management and/or the board.
Respondents stressed not only the different regulators’ attitudes (some more dictatorial than others), but also the
differing levels of capability/approaches of regulators’ staff (e.g., policy versus supervision). Four aspects of regulatory
relationships needed to be effectively co-ordinated (see box opposite): a miscommunication in one area could affect the
relationship overall, creating an impression of inconsistency. A number of Anglo-Saxon respondents dealt with this by:
1. Maintaining a log or central database of all incoming and outgoing communication with the regulator(s).
2. Developing regulator “engagement” plans.
Respondents appreciated the increased dialogue and growing convergence of regulatory approaches, and attitudes,
internationally, although overall regulatory complexity was not reduced. One respondent mentioned that it was often
useful to talk to the local regulator about difficulties faced in other countries because this could improve the understanding of
both the local (home country) regulator of difficulties faced within the group and that of the foreign regulator because of
enhanced communication between regulators at the international level.
“The function’s biggest challenge today is the
rising regulatory bar driven by new and unclear
interpretations of requirements. The question
becomes how do you protect shareholder
interests in a world of uncertain regulator
interpretations”.

© PricewaterhouseCoopers - Protecting the brand, May 2005 31
Four aspects of regulatory relationships
Ongoing dialogue & lobbying
Regulatory reporting (prudential and market activity reporting)
On-site reviews
Crisis management and remediation
Regular contact with the regulators did not often translate into direct attempts to influence the regulatory agenda. Any such attempts were
frequently made through industry associations. According to this sample, Compliance and Legal joined forces to monitor and interpret
regulatory developments in many cases (36%): twice as often as Legal solely being responsible (18%). This was most prevalent in civil law
jurisdictions. Nevertheless, this approach was also adopted in the UK and the US (particularly in cases where legal and compliance are
combined organisationally). The second most popular approach was for Compliance to monitor developments alone (30%). All but three
respondents indicated that monitoring was carried on a proactive basis, although many adopted a combined proactive/reactive approach.
The implication was, however, that such pro-activity referred only to rules in the pipeline, rather than influencing the regulatory agenda or
proactively pre-empting new regulations.
Compliance had a role to play in regulatory reporting specific to its remit. Generally, this did not include prudential reporting, although a few
respondents indicated that Compliance acted in an advisory capacity, in terms of both the prudential reports and processes.
A number of respondents indicated that different approaches were required when dealing with inspection teams, as opposed to the policy
divisions, of regulatory authorities. A number stressed that Compliance should have a key role in terms of preparing for onsite supervisory
visits: some UK respondents, for example, underlined the importance of Compliance’s direct involvement in FSA visits relating to its
ARROW programme.
This was covered, to a certain extent, in the section on “corrective measures” above. Generally, respondents said that Compliance was not
directly involved in crisis management or in the remediation processes themselves: senior or business management was responsible
(depending on the severity of the situation). However, Compliance would often monitor, and report on, remediation progress internally. In
some organisations, management sought Compliance’s advice in managing a crisis, particularly in terms of communicating with regulators
(often in collaboration with the legal department) and, occasionally, other external stakeholders.
Taking preventative measures
Respondents felt that Compliance should be in a position to place more emphasis on prevention rather than correction,
although not all felt that they were. Asked whether their focus is primarily on i) risk identification and rectification, or ii) risk
mitigation and management, many said “both”, and those who indicated the former said they were trying to migrate
towards the latter. They indicated that this could depend, however, on the nature of the compliance risks: “fire-fighting”
may be more prevalent in areas such as anti-money laundering.

32 © PricewaterhouseCoopers - Protecting the brand, May 2005
Group/centralised policies
Establishing compliance policies and procedures
12
38
Extensive
Limited
None
50
69% of respondents indicated that Compliance was responsible for, or collaborated with management and/or the board in,
establishing compliance policies and associated procedures. 12% indicated that compliance policies were the responsibility
of the board, and 17% said that they were management’s responsibility, although often with assistance from the compliance
function. Only 2% indicated that either the audit or legal departments were responsible for compliance policies.
88% of respondents indicated centralised, or group, compliance control through the imposition of group-wide (often
board approved) compliance policies, with certain levels of autonomy delegated to divisional compliance functions to
adjust these policies to specific business, regional or local requirements. Of these, 50% indicated that these
group/centralised policies were extensive, while 38% indicated that they were relatively limited.
Some respondents indicated that such policies were considered minimum standards: more demanding local
requirements would have to be complied with. Some said that group standards must be adhered to even if they were
stricter than local requirements. Others, however, believed that, given an acceptable level of conformity with group
standards, these standards should not put the organisation at a competitive disadvantage locally. As previously mentioned,
a number of international organisations had begun to rethink the scope of the group-wide compliance policy approach,
recognising the extensive tailoring often required at the business line, regional and local level. Also, 9% of respondents
indicated that responsibilities for compliance policies were totally decentralised, with group compliance acting only in an
advisory capacity.
Application of group/centralised policies
Providing advice (including helpline)
21
9
70
Mandatory
(but with regional/local tailoring)
Voluntary
Local
Responses indicated three main dimensions to the advisory role: i) advising senior management on an ongoing basis, ii)
advising business management in day-to-day business transactions and iii) providing a general helpline to business. Even
in “advanced” countries, however, this advisory support was often seen as primarily reactive, responding to requests from
business. How proactive Compliance was - or could be - depended on i) the status given to Compliance by senior
management, ii) the degree of trust between Compliance and business, iii) Compliance’s proximity to the business and,
importantly, iv) the Compliance resources available.
37% of respondents had a formal helpline, but most stressed that all staff had access to relevant compliance officers
and staff, inside and outside office hours. One respondent mentioned that their intranet also contained discussion fora,
allowing staff to discuss ethical issues: others mentioned the value of “ethics hotlines”. 12 Few respondents indicated that
specific technology (apart from telephones, email, intranet) supported the helpline or that advice given was made available
more broadly. However, some indicated that the quality of advice was used as a performance measure.
12 See also whistle-blowing systems, p. 42

© PricewaterhouseCoopers - Protecting the brand, May 2005 33
New product/market approval process
Perceptions as to whether advice was proactive did not rely on the existence of a helpline, although the “availability” of
Compliance was obviously an important factor. Positive perceptions of Compliance derived from its ability to facilitate
business: respondents talked of the need for Compliance to be both pragmatic and “creative” in finding solutions for
transacting business in a compliant fashion.
51% of respondents were involved in new business approval processes, although the level of involvement varied.
International institutions increasingly involved Compliance - on a systematic basis - in assessing new products and
services and plans for entry into new markets and for due diligence on mergers and acquisitions. 25% of respondents said
that Compliance sign-off was required on all new proposals - including outsourcing and offshoring, when appropriate - and
that Compliance was involved in key risk and control committees. Others mentioned that Compliance had both the right to
veto new proposals, and the subsequent right of appeal.
Group Compliance at one international bank was the driver of a screening committee. Business management would
escalate clearance requests for new products, etc. rapidly up the organisation for review by the committee, filtering out
inappropriate requests on the way. An Australian asset management firm said that business was encouraged to engage
control groups, including Compliance and Legal, early in the process and that management was aware that the executive
committee would not approve any venture without Compliance sign-off. In Japan, respondents were involved in new
products but not in M&A due diligence from the outset. Only 30% of respondents were systematically involved in new IT
systems.
24% of respondents indicated that there was little or no systematic involvement of Compliance in new business,
although respondents indicated that Compliance was informed after the event. Some respondents said that business had
responsibility to inform compliance when there were compliance implications in new business, but this did not necessarily
parallel clear indications of a high level of business understanding/awareness of potential compliance implications.
“The business units often seem to be more
creative than the compliance function in finding
solutions for achieving compliance.”
60
50
40
30
20
10
Compliance reesponsibilities regarding new business
25
0
Percentage of total responses
80
70
60
50
40
30
20
10
3
51
Compliance sign-off
Compliance right of veto
Compliance involvement in approval process
No (formal) involvement
73
0
Percentage of total responses
Types of new business
57
46
24
30
Products
New market due diligence
Mergers & acquisitions
IT systems

34 © PricewaterhouseCoopers - Protecting the brand, May 2005
Specific challenges identified for the compliance
function
General:
• Allocating compliance resources effectively in
order to manage risks appropriately
• Appropriate sharing of compliance monitoring
responsibilities between Compliance and
business (the issue of “operational compliance”
as regards day-to-day transactions and
Compliance’s oversight role)
• Being able to advise management appropriately
in light of complexity of business, speed of
regulatory change and lack of clarity regarding
regulatory expectations
• Increased appetite amongst regulators for
enforcement.
Resources:
• Lack of appropriate technological
infrastructure: working with legacy systems to
generate management information for
compliance
• Inability to justify the cost of compliance
• Variable technical capabilities of compliance
staff.
Culture:
• Acceptance of compliance by front office units
• Corporate wide education as to the role of
compliance and the obligations of the staff
thereof
• Ensuring that business units are compliant
• Ensuring compliance becomes more involved in
strategic decision-making
• Embedding compliance within the business
• Balancing stakeholder, management and
regulators requirements.
Training and education of the business units
71% of respondents indicated that their organisation had an induction or orientation programme for all new joiners and this
programme either incorporated a session on compliance, or that codes of conduct were issued to all new joiners (in some
cases, with a requirement for formal signed acceptance of the code by the employee). One respondent indicated that this
“starter pack” included explicit instructions on incident reporting procedures. However, 18% of respondents indicated that
there was no induction programme (unless to cover areas mandated by regulation) or Compliance took no role. In these
cases, codes of conduct were often posted on the organisation’s intranet. Induction programmes, where run, were frequently
organised by human resources with Compliance supplying necessary content. New management, or senior employees with
specific responsibilities (e.g. Approved Persons in the UK) underwent a one-to-one session with local compliance officers,
who would determine ongoing training requirements.
Asked what role Compliance played in training and education of front-line businesses, responses ranged from
Compliance having a major role to little involvement at all. In some cases, Compliance had primary responsibility, assessing
the training required, developing the necessary materials and delivering the training sessions, using a combination of direct
and e-learning methods. Alternatively, Compliance worked closely with HR to design and deliver such training.
Further developing the role of the compliance function
What role did Compliance play in promoting the development of the compliance function? Dutch respondents mostly
stressed their efforts to raise Compliance’s profile externally through publications, networking, and so forth. Other
respondents mentioned internal communication initiatives, such as newsletters.
Clearly, this role was not an explicit remit in many cases, although implicitly Compliance drove the process. Some
respondents stressed senior management’s responsibility in the development of the compliance function but Group (or head
office) Compliance often had a major role in enhancing the Compliance network within the organisation, through both
feedback from the network and close collaboration with management. On-site visits by Group Compliance were also used to
support the development of the function overall. Key here was the way in which Compliance was structured within the
organisation and its reporting lines (discussed in the next section).
Overall, as suggested earlier, respondents felt that a considerable amount of work was still required to develop the role,
and that longer-term strategies were under-developed.

© PricewaterhouseCoopers - Protecting the brand, May 2005 35
What competences does the compliance function now need?
The enhanced role of Compliance as an advisor to management raised issues around the competences of compliance officers
and staff at both group level, and within business lines/operating units. Respondents indicated that a key competence is a deep
knowledge and understanding of the business, combined with strong influencing skills. In the US and UK, the tendency in the
past for Compliance functions to be managed and staffed primarily by lawyers or accountants was changing. Compliance
functions were being reconceived to encompass a relatively broad blend of skills and experience. In Continental Europe, Japan
and Hong Kong, the trend was to configure compliance functions on this basis from the outset. A French respondent indicated
that the compliance function’s current complement included lawyers, accountants, and internal controllers, together with former
regulators, analysts, front-office staff and policemen. An Italian respondent said that the compliance officer should have a
systemic view of the business, good analytical and process innovation skills, as well as good communication skills.
Not surprisingly, given this perceived range of required competences, respondents indicated that there were no prerequisites
for qualifications for compliance officers and staff, except in securities firms where there was a preference for a legal
background. A number of respondents, principally in Continental Europe and Hong Kong, did indicate that a university degree
was required. An Italian respondent suggested that the range of responsibilities of the compliance function actually necessitated
a business degree.
“A personal profile characterised by qualities of
discretion, neutrality, independence of judgement
and professional knowledge and experience of the
activities of the company.”
Reflections
Clearly, organisations are at different stages of evolution in defining the roles and responsibilities of the compliance function.
Compliance functions themselves - within individual organisations - are also at different stages of evolution. In some regions,
Asia for example, many aspects of management, including compliance activities, are not yet clearly defined. For compliance
to be recognised as a business facilitator as well as a protective capability - comparable to credit risk management (for
example) - management attitudes need to evolve further. Having defined compliance risk - and the overall scope of
Compliance’s remit - a key management goal must be to strike the right balance between Compliance’s “police officer” and
“counsellor” roles, against the backdrop of the relative strength of the compliance culture within the organisation, i.e., how
deeply a sense of integrity is ingrained. Here again, it is a question of determining the essential roles and responsibilities, and
ensuring that each aspect can be addressed appropriately by Compliance or, where necessary, another control function
supporting Compliance. However, the compliance function shares responsibility for creating and maintaining this balance.
Compliance skills and competences
From the study, it is clear that compliance officers believe that their ability to create this equilibrium depends on the level of
trust generated in the business. They strongly emphasised personal qualities: the ability to engender respect in the business,
discretion, personal integrity, fairness and independence of judgement, as well as the clout of the compliance officer (which

36 © PricewaterhouseCoopers - Protecting the brand, May 2005
today often derives from his/her seniority), as well as perceived standing with the regulators. However, in order to ensure the
effectiveness of the compliance network overall, compliance officers’ ability to influence business decisions should not rely
on the level of seniority, but rather on their knowledge of the business and of the regulations applying to it, combined with
insight into regulators’ intentions.
Given these qualities, the principal prerequisite for engendering trust is pragmatism - the ability to find appropriate, timely
solutions to compliant but profitable business. To be pragmatic, compliance officers and staff need to focus on business actuality
- the competitive challenges business faces today - in the context of past/current compliant performance and future regulatory
requirements. Compliance, in some ways, needs broader vision than business itself, and the ability to communicate this vision
coherently. This, however, may be a tall order when i) Compliance does not report to the right people at the right levels, ii)
appropriate remuneration policies are not in place (and the appraisal process is driven by business and business constraints), iii)
relatively junior staff are involved in influencing business decisions and iv) there are difficulties in ensuring equivalent competences
in compliance staff throughout the compliance network.
The blend of skills and competences required by today’s compliance function - to achieve the police officer/counsellor
balance - presupposes a mixture of personality types, and the need for good communication within the compliance function, as
well as team-building and leadership skills in the compliance officer. This reinforces the importance of clearly defined roles and
responsibilities within the compliance function, particularly in terms of interaction with various internal stakeholders, such as
internal audit, risk management, human resources, and so forth. It also suggests that considerable attention needs to be paid to
ongoing training of compliance officers and staff, progressively building the necessary competences, as the roles and
responsibilities of the compliance function evolve. Training needs to encompass not only regulatory developments, but also
important business and market developments, together with competence-enhancing education (e.g. interpersonal skills,
communication skills, team building, etc.).
Some aspects of the overall programme need to be organisation-specific, taking account of the nature and scope of the
business(es) and the configuration of its compliance function. However, given the relatively unique skill-set required for
compliance officers and staff, internal training could be greatly supplemented by increased external peer-group interaction.
The lack of access - except in Anglo-Saxon countries - to external education programmes for compliance officers and
staff may impede ongoing “professionalisation” of the compliance function. There are moves to establish compliance officer
associations, or institutes, in certain countries in Continental Europe. Luxembourg has had a Compliance Officer Association
since 2000. The Swiss Association of Compliance Officers was established in 1998. Additionally, the nascent European
Compliance Association runs annual conferences for compliance professionals which have been well-attended. In other
countries, industry associations (e.g. the Belgian Bankers Association) are beginning to focus on providing compliance-related
training. This is an issue which needs further attention broadly in non-Anglo-Saxon countries.
The benefits of compliance associations could extend beyond training and education, however. National, regional and,
indeed, international compliance institutes or associations could eventually provide a much-needed interlocutor for regulators.

© PricewaterhouseCoopers - Protecting the brand, May 2005 37
Perfecting the balance
Prevention is better than a cure
The role of “trusted advisor” shifts the balance more towards preventative measures than has necessarily been the case in
the past in Anglo-Saxon countries. Effective prevention requires a multi-pronged, holistic approach (which naturally may
instigate corrective measures):
• Anticipating regulatory intentions, and making an early assessment of potential impact on business from a compliance
perspective, coupled with effective lobbying, can help ward off or rationalise requirements where the cost may far
outweigh the potential benefits. Such assessments also feed into longer-term strategic business considerations.
• Correctly interpreting new regulations, and the specific implications for business practices and processes, can ensure
that suitable plans are made to adapt business practices and processes to the new requirements in a timely and costeffective
manner.
• Thoroughly assessing compliance risks, in terms of their probability and materiality in line with the “risk tolerance” of the
organisation, enables effective prioritisation of scarce resources.
• Ascertaining whether existing business processes are configured to be compliant, and that technology facilitates this, can
i) clarify inherent difficulties and risks of non-compliance, and ii) simplify the adaptation of business processes to reflect
new regulatory requirements.
• Ensuring that sufficient knowledge of how to remain compliant guides day-to-day business through appropriate “handholding”,
training and awareness raising initiatives, and appropriate communication strategies, which simultaneously
enhance business knowledge of compliance-related issues and the profile of the compliance function.
• Ensuring that compliance ramifications are fully considered in all new business ventures and transactions, from both a
strategic and a tactical perspective, in order to effectively streamline innovation and associated costs.
• Analysing trends to ensure that potential systemic compliance weaknesses are identified early is essential in the context
of a dynamic business environment.
Interface with regulators
As we have seen, study respondents identified the principal challenges to achieving compliance as the rising bar of
regulatory expectations, uncertainty due to regulators’ moving the goalposts retroactively, and the increased, and increasing
forcefulness of both regulators and law enforcement. Particularly, they stressed that detailed rules can create cost
impediments to business. Nevertheless, ultimately, compliance, like risk management, is one of the costs of conducting and

38 © PricewaterhouseCoopers - Protecting the brand, May 2005
staying in business. In order to be in a position to advise business proficiently, Compliance needs to play an active and
intrinsic role supporting management in interfacing with regulators in terms of all four aspects of the regulatory relationship
mentioned above. In effect, Compliance can represent an effective communication conduit between management and the
regulators.
The police officer informs the counsellor
The pendulum should not be allowed to swing unreservedly in the “counsellor” direction. Compliance has a critical role to
play in compliance oversight and monitoring in order not only to provide the necessary comfort to (senior) management but
also to frame the advice it provides going forward. A clear delineation needs to be set between “doing compliance” and
“monitoring compliance”. Sufficient knowledge needs to be ingrained in the business in order to execute the necessary
compliance controls: this responsibility should not be confused with the role of oversight and monitoring which should
remain with the compliance function (whether or not supported by other control functions, such as internal audit). Admittedly,
this distinction can be difficult to achieve at the local level. However, management needs to clearly differentiate between the
two roles, and their intrinsic, separate importance when configuring the compliance function, setting compliance objectives,
allocating resources to the compliance function and determining the nature of its interaction with other support and control
functions both in the short- and longer-terms.
Evidently, to be able to advise management and the business proficiently, compliance officers need a deep
understanding of the business, a detailed knowledge of relevant regulations, and insights into regulators’ expectations, as
well as pragmatism. Many respondents stressed, however, compliance officers’ communication and influencing skills as key
to engendering trust. How well their advice is trusted, however, should not rely solely on their influencing skills: management
should always be prepared to listen and act.

Based on our analysis, we suggest that:
• Boards and senior management should focus more on frequency, timeliness and consistency of reporting, as a
means to deriving additional comfort that current business transactions and practices are much less likely to
generate future compliance problems
• Compliance officers, with management support, need to focus more on developing their business vision - the
ability to advise management on compliant, but profitable, business solutions
• Compliance must be prepared to advise management at an early stage on all new business ventures and
transactions, including new products, entry into new markets and mergers or acquisitions, as well as
outsourcing or offshoring initiatives. (Commensurate with the organisation's maturity in terms of its underlying
integrity, the compliance function will need the authority to escalate or inhibit any activities which may raise
longer-term compliance issues until such times as it can function, primarily, in an advisory capacity.)
• Compliance, supported by management, needs to strive to enhance the dialogue with regulators - and other
industry participants - to improve the depth of general understanding of the challenges faced by compliance
functions, across organisations and across borders.
• There should be continuous focus on the blend of skills and competences within the compliance function
overall, ensuring suitable broad-based training for compliance officers and staff.
• Compliance officers should help themselves, and their firms, by further developing their “profession” through
industry fora, groups and associations.
In addition, we suggest that rating agencies should take more account of the role and potential contribution of the
compliance function to the overall strength and quality of the organisation.
© PricewaterhouseCoopers - Protecting the brand, May 2005 39

40 © PricewaterhouseCoopers - Protecting the brand, May 2005
One configuration does not fit all
Introduction
Regulators want Compliance to be independent from business to ensure its effectiveness as a corporate governance tool.
Certain jurisdictions have issued specific regulatory guidelines on the configuration of the compliance function aimed
particularly at protecting independence. However, these frameworks rarely transcribe, easily, into practical organisational
solutions.
Respondents suggested various combinations of factors to ensure independence:
1. Specific legal requirements for the independence of the compliance function
2. Governance structures:
• Frequent reporting directly to senior management or the board
• Direct access to the board
• Direct functional reporting within the compliance function up to senior management/the board, not to business line
management
3. Dedicated human resources:
• Compliance officer(s) cannot be dismissed by management, without approval by the board
• Personal integrity, personality and seniority of compliance officer
• Control (hiring and firing) of compliance staff remains the remit of the compliance function
• Compliance charter (or similar) ensures clear allocation of responsibilities to the compliance function
4. Relationship with business:
• Freedom of access to all areas of the business
• Appropriate authority for the compliance function (e.g. right to veto new business)
• Budgeting - Compliance not reliant on business lines for resources
• Distance from business decisions - Compliance only acts in an advisory capacity.

© PricewaterhouseCoopers - Protecting the brand, May 2005 41
Governance structures
The majority of respondents indicated that the group compliance officer reported either to an executive member of senior
management (e.g., chief executive officer, chief risk officer, chief operating officer, general counsel) or directly to the board of
directors. Some respondents indicated full board responsibility for oversight was delegated to a suitable board committee
(e.g. audit and compliance committee, risk and control committee, etc.). Respondents - generally - indicated that this
approach was adopted also at the divisional level and at legal entity level (where it may be mandated by local regulatory
requirements), in addition to reporting hierarchically within the compliance network. Board oversight charters, or similar, were
in place in the 51% of respondents. Most respondents also said that their reporting lines were formally documented,
reflected in organigrams, and often posted on the organisation’s intranet. Similarly, compliance representatives in branches
reported to Group/HQ Compliance and local management/boards. Not all respondents had direct access to the board.
Many respondents stressed the dual reporting lines of the compliance function as a means to ensure independence.
Organisations with group compliance functions showed a 50/50 split between embedded
Decentralised (dotted reporting to Compliance)
compliance staff reporting hierarchically to Group Compliance (centralised) or directly to senior
business line management 13 with “dotted line” reporting to Group Compliance (decentralised).
Board
All considered business line management ultimately responsible for compliant business practices
Audit
Risk
and processes but some respondents believed that this responsibility needed to be reinforced
Committee
Committee
by embedded compliance staff reporting directly to business line (senior) management. Others,
however, believed that Compliance’s independence could only be assured if there were direct
functional reporting within Group Compliance as this approach provided comfort to senior
CEO
management at group level and also a suitable framework for appraising compliance officers and
staff on the basis of their allocated responsibilities, both as individuals and as part of the group
compliance network.
The potential conflict of interest arising from Compliance’s need to stay close to business on a
day-to-day basis was controlled by the “tone at the top”, as well as a combination of other safety
valves including:
• Group audit: obviously an important safety valve, all respondents confirmed that internal
audit scope included the compliance function, and also that it reviewed business for
compliance with the organisation’s policies and procedures, including compliance with laws
and regulations.
Internal Audit
LE1
Compliance
LE2
Compliance
LE3
Compliance
“The inherent conflict is recognised, but this is
dealt with appropriately through safety valves.”
DIV C DIV B DIV A
Compliance
• AML
• Data privacy
• Conflict of
interest
• Market abuse
• Etc
Compliance
• AML
• Data privacy
• Conflict of
interest
• Market abuse
• Etc
Compliance
• AML
• Data privacy
• Conflict of
interest
• Market abuse
• Etc
Compliance
Committee
Group Risk Management
Group Compliance
13 It was always clear whether compliance function reporting was operational or functional within separate lines of business. Source: PricewaterhouseCoopers

42 © PricewaterhouseCoopers - Protecting the brand, May 2005
Internal Audit
Audit
Committee
Decentralised (direct, hierarchical reporting to Compliance)
• Risk control: Some respondents indicated that, separate to internal audit, risk control
functions also had responsibilities relating to compliance risk.
Board
• Group compliance policies and procedures: Group policies were often used to
establish minimum standards for compliance throughout the organisation (see p. 32)
Risk
Compliance
Committee
Committee
• Operational compliance committees: A limited number for respondents said that there
were operational compliance committees, comprising various stakeholders (including
legal, internal audit, human resources, etc.) often at functional director level. However, one
CEO
European respondent noted “experience has shown that the benefits of Compliance
Committees are limited in terms of large organisations (when multiple stakes are at play)
Group Compliance
and are more effective in smaller organisations/parts of the organisation when all key
stakeholders can be represented on the Committee”.
• Internal alert programmes: Sarbanes-Oxley requires the establishment of an (external)
LE1
whistle-blowing system. This has had an extra-territorial impact, even for non-SEC
DIV C DIV B DIV A
registrants. Regulators are exerting more pressure on firms to introduce “whistleblowing”,
internal alert programmes or ethical hotlines. External alert programmes,
LE2
however, are rare, except amongst SEC registrants. Most Anglo-Saxon respondents
indicated that while internal alert programmes had existed for some time, these were not
LE3
always anonymous (i.e. confidential) systems. However, some doubt was expressed over
Compliance
Compliance
Compliance
• AML
• AML
• AML
• Data privacy
• Data privacy
• Data privacy
the need for anonymous systems if an effective compliance culture exists, and also over
• Conflict of
• Conflict of
• Conflict of
interest
interest
interest
their efficacy. Many felt that alerting Compliance should suffice. In a number of countries,
• Market abuse
• Market abuse
• Market abuse
• Etc
• Etc
• Etc
there was a common obligation on employees to report breaches of codes of ethics
and/or conduct. Nevertheless, clearly national cultural constraints impacted the
introduction, or ongoing effectiveness, of anonymous “whistle-blowing” systems.
Whistle-blowing systems
48
52
• Effective escalation procedures: 52% of respondents indicated that escalation procedures were the responsibility of
management (either senior management or business line management). Where the nature/materiality of a breach
warranted it, business line management reported to senior management/the board, and Group Compliance. 59% of
respondents indicated that the compliance function had clearly defined responsibilities in relation to escalation. A number
of respondents in Anglo-Saxon countries indicated that they had a specific database which tracked issues, and their
rectification, throughout the organisation which supplemented formal escalation and breach/weakness reporting
procedures.
• Frequent board reports: As indicated earlier, there was a wide difference in the frequency of reporting to the board:
however, many respondents supplemented this formal reporting by frequent formal and informal reporting to senior
management.
Compliance
Compliance
Compliance
Source: PricewaterhouseCoopers
Yes
No
Compliance
Compliance
Compliance

© PricewaterhouseCoopers - Protecting the brand, May 2005 43
Structuring the compliance function
Obviously, organisations had paid considerable attention in recent years to the structure necessary for the compliance
function. Amongst the international players - across sectors - a common conceptual approach for structuring the function
was developing, heavily influenced by regulatory guidance. The trend was to establish a group compliance function
supported by, and supporting, compliance functions within business units and at local entity level. As indicated earlier, an
understanding of the different roles and responsibilities of the group compliance function, versus business line or entity
compliance officers and staff, was also crystallising.
“A key issue in structuring the compliance function
is the delineation between the different “control”
functions. The compliance role can be chopped
up in many ways: the essential thing is to ensure
that everything is covered by someone and that it
is clear who is doing what”.
From the discussions, determinants of the compliance function structure included:
• Structure of the wider organisation
• Scope and scale of compliance function activity
• Regulatory requirements in terms of compliance structures both at the group, business line, subsidiary and legal entity
levels
• Improving risk management structures, often in the context of new regulatory requirements (such as the Basel II
requirements).
However, it was not clear that organisations were always getting it right. There were indications of classic problems of
organisational design or redesign, balancing apparently competing regulatory requirements within existing organisational
structures, while trying to maximise opportunities and managing costs.
The study showed a trend for two main approaches to the organisation of the group compliance function: by function
or by issue. The functional split reflected the range of compliance function activities, recognising the different
skills/competences required to undertake the related tasks. In certain cases, the split by issue was clearly the result of an
organisational trajectory: for example, where regulatory requirements for AML compliance officers pre-existed more general
compliance requirements (and continued to exist). However, respondents contended that a split by issue made sense
because different issues required different compliance strategies throughout the organisation.
In many cases, this concept appeared to underpin the overall approach to compliance functions within the organisation
(also mirroring management structures). Many respondents had a relatively small group compliance unit, with supporting
compliance structures within business lines. The organisation, and focus, of the compliance structures within each business
line would vary to respond to the specific risks in the business. In mono-sector institutions, or within individual business
lines, the compliance function was most frequently organised on a regional, then local basis. One institution indicated that
local compliance co-ordinators had been appointed in legal entities through which different business lines operated.
Group Compliance Functions
Organised by Function Organised by Issue
• Compliance monitoring • Market regulations
• Compliancy policy and • Personal behaviour
procedures
(employee dealing, fraud,
• Training
insider trading, etc.)
• IT
• Anti-money laundering

44 © PricewaterhouseCoopers - Protecting the brand, May 2005
Full-time equivalents in group compliance functions ranged from two to 40, but the majority of respondents had between
10 and 15. This was the case for banks, insurers, and financial conglomerates. Some respondents indicated that the
compliance function at divisional HQs was larger than the group compliance function. Comparing the total number of
compliance staff with total employees, international organisations ranged between 0.24% to 0.65%, and regional
organisations between 0.16% and 0.24%. Indications were, however, that the percentage was considerably higher in
securities firms and investment managers. It must be stressed that these percentages are purely indicative: not all
respondents were able, or prepared, to provide staff numbers. Total numbers were not always available where a
decentralised organisational approach to the compliance function was adopted. Additional work in this area could help
provide useful benchmarks for industry generally and across sectors.
Specialisms within compliance functions
Regulatory requirements for compliance officers for specific issues such as anti-money laundering, anti-fraud, privacy, insider
trading and in France ethics (déontologie), often pre-existed the wider requirement for a compliance function in a number of
countries. In Belgium, there has been a requirement for a compliance officer for “special mechanisms”, basically focusing on
anti-fraud and tax evasion, for close to 20 years. Clearly, the study showed that the trend was to rationalise the scope of the
compliance function by aligning these dedicated specialists closely with, or integrating them into, the generic compliance
function while retaining their specialisms (except privacy and data protection specialists who were generally separate). Within
international institutions, integral AML global networks organised regionally and locally worked within or alongside the
compliance function. Management, in certain organisations, had established dedicated teams to focus on other specific
areas of compliance risk. One international German institution, for example, had established a global division specifically
dedicated to monitoring and managing conflicts of interest, reflecting a German regulatory requirement.

© PricewaterhouseCoopers - Protecting the brand, May 2005 45
How does Compliance interact with other support and control functions?
Where Compliance sat, organisationally, within the overall corporate control and support infrastructure influenced the approach
to compliance function organisation, and its interaction with other support functions. The study showed that a number of
organisations in the more advanced countries had recently reappraised this situation. In 49% of cases, compliance functions
were stand-alone functions, often reflecting explicit regulatory requirements. A close alignment with legal (e.g. with both
Compliance and the legal department reporting to the general counsel) was the next most popular approach. 16% of
respondents, primarily located in Australia and the UK, indicated that Compliance was embedded into risk management (e.g.
with direct reporting lines at the group level to the chief risk officer). In 8%, Compliance was one of several control and support
functions (including internal audit, legal, risk management) reporting one individual. Only 2% were aligned with internal audit.
Interestingly, some institutions directly associated quality, security or corporate social responsibility with compliance,
with staff within the compliance function focusing on these issues.
The study indicated that the interactions with other support and control functions were not necessarily fully recognised, nor
fully exploited, by all organisations in the study (see Reflections section below). Clearly, there were different views on the nature of
the interaction 14 , particularly in relation to the risk management or risk control functions. The interaction ranged from “an integral
part of risk management” to “no involvement at all”. One North America respondent stressed that organisational integration with
risk management should be avoided, as this could jeopardise the independence of the compliance function. Strategic integration,
however, in terms of how risks were assessed was critical.
Many respondents recognised the potential overlap with operational risk management in identifying and assessing and
- to a certain extent - monitoring compliance risk but many stressed the essential differences in focus. One UK respondent
noted that operational risk management’s focus was far more transactional.
In terms of communication, formal, regular lines of communication between risk management were established in
some organisations. One Belgian respondent indicated that risk management systematically provided Compliance with
information on compliance risks, deficiencies and controls. In others, communication lines were informal or concentrated
around specific issues, such as new products.
Some respondents emphasised that operational risk and Compliance had a similar status, but this was not always
the case. In some cases, operational risk management reported to Compliance on all compliance-related issues it identified.
In others, however, Compliance was apparently “subservient” to operational risk. Some respondents felt that the tangible
benefits of effective operational risk management - where good practice may translate to regulatory capital savings in the
context of Basel II - put Compliance at a disadvantage, as the benefits were intangible. As previously seen, others
mentioned that the intention was to leverage the databases developed for Basel II operational risk purposes to support
compliance monitoring throughout the organisation. Several respondents indicated that the interaction between risk
management and Compliance was not as good as it should be.
25
Configuration
2 8
“The risks related to non-compliance are a
specific part of the whole range of risks the
company has to deal with.”
16
14 The previous section looked at the relationship with internal audit and the legal
department, see pp. 26 and 31.
49
Compliance separate
Compliance embedded
in rise management
Compliance aligned with legs
Compliance aligned with internal audit
Other

46 © PricewaterhouseCoopers - Protecting the brand, May 2005
How does Compliance interact with front-end businesses?
Compliance:
% of overall
Service Level Agreements
responses
With business 12%
With audit 6%
With legal 1%
With risk management 3%
With others (e.g., HR) 4%
Respective responsibilities established 27%
in mandates/plans
No SLAs 58%
Asked how compliance interacts with front-end businesses, responses ranged from “compliance interaction with front-end
business units is based on trust and established relationships” to “the business units expect not to be disturbed in their
activities by Compliance.” In the majority of cases, respondents indicated that the interaction with front-end business units
was based on a combination of formal requirements (mission statement, charter, etc.) and informal relationships, through
day-to-day advice on business transactions and involvement in relevant committees. Getting the right balance between
monitoring compliance by business units and providing advice was often difficult to accomplish. One respondent noted very
strained relationships with business where compliance was perceived as a business inhibitor. One international respondent
indicated that the formal requirements included a mandatory allocation of compliance responsibilities to line managers.
A similar approach was evident elsewhere where businesses were required to do periodic self-assessments against
compliance objectives (and report to Compliance).
Many respondents said that business expected Compliance to provide (i) guidance, support and advice, and (ii) training
and education. Others believed business units only expected clear working instructions: however, surprisingly, no significant
emphasis was placed on Compliance’s monitoring and oversight role. Business units sometimes confused the role of
Compliance with that of the legal department or just did not have a clear conception of the role of Compliance. To address
this, some respondents indicated Compliance, on an annual basis, provided business unit heads a summary of the main
responsibilities of Compliance towards the business, covering what it will do and why (on a risk-based basis).
Only 12% of respondents indicated that service line agreements (SLAs) had been established with business
lines/entities, and even less with audit, legal, risk management, etc. 58% of respondents indicated that there were no SLAs
in place. Two respondents indicated that SLAs determined the basis for re-invoicing the costs of compliance to the business
units. A number of respondents said their intention was to establish such agreements primarily with other functional
collaborators (internal audit, risk management, etc.). A lack of formality sometimes resulted from the organisational structure:
one respondent commented that due to the structure, where all support and control functions reported to one person, such
agreements were unnecessary.

© PricewaterhouseCoopers - Protecting the brand, May 2005 47
Reflections
As the compliance function strengthens within a financial services organisation its role will have to be clearly defined in order
for it to i) provide senior management the assurance that specific compliance, reputation and business risks are being
managed and ii) inform senior management of the compliance risks inherent in the business. The range of activities to be
undertaken by the compliance function, as determined by management, will impact on its structure, costs and ability to
attract new talent into the function. While the study participants acknowledged that the evolution would take time, the range
of activities of the compliance function differed significantly across national, regional and industry boundaries.
A clear strategy will need to be developed in terms of the current configuration of the compliance function, and its
future evolution, to ensure effective use of the compliance function’s resources and influence. Simply overlaying Compliance
onto an existing organisational context, or onto other risk management initiatives - pasting over identified gaps in effect - is
not often the right approach to ensure optimal efficiency and effectiveness of the compliance framework and the compliance
function. Indeed, political constraints could jeopardise the longer-term value of the compliance function. Essentially,
management must ask itself some probing questions, including challenging the role and existence of everything that makes
up the compliance framework.
Centralised versus decentralised
compliance structures
Centralised and decentralised compliance models 15 for the
compliance function both have advantages. A centralised
model permits standardisation of compliance and reporting
activities across the organisation, allowing for efficiencies in
training, cross-functionality, communication and resources.
A decentralised model allows for a measure of customisation
so each business unit can meet the demands of its markets,
locations and industries. Managers can closely monitor their
compliance activities and give employees a deeper sense of
involvement in the process.
15 For further information, see Global Best Practices website at
www.globalbestpractices.com
Centralised Compliance Model
Board of directors:
• Develops charter
• Make compliance a major board oversight responsibility
Compliance office:
• Functions at the senior management level
• Led by chief compliance officer or other senior manager
• Monitors performance
• Oversees training and communication
• Maintains confidential liaison with the board
Business units:
• Assurances that controls and compliance activities are
effective
• Ensures that employees adhere to policies and regulations
• Assurance that key suppliers are informed
Source: PricewaterhouseCoopers
Global Best Practices
Decentralised Compliance Model
Board of directors:
• Develops charter
• Makes compliance a major board oversight responsibility
Compliance management:
• Functions at senior management level
• Co-ordinates compliance activities and reporting from
business units
• Develops tools and templates for customisation at the
business unit level
• Ensures allocation of proper resources
Business units:
• Appoint a chief compliance manager
• Gather and report compliance information to senior management
• Customise compliance work flow to meet industry and unit
requirements
• Ensure that employees know their roles and are prepared to
execute them.

48 © PricewaterhouseCoopers - Protecting the brand, May 2005
The choice between a centralised versus a decentralised structure should take into account the overall role to be played by
the compliance function at the local level. For complex organisations, a combination of the two approaches is often the most
practical, as it provides the flexibility to handle different business and national cultures. In many organisations, local
Compliance is “operational”, executing the necessary controls and procedures at the business level to monitor/ensure
compliance. Consequently, the ability of Compliance, at the local level, to oversee local compliance is potentially
compromised. Similarly, there is often a need to balance local compliance roles, with local requirements, necessitating parttime
allocation of compliance responsibilities (and consequently the possibility of blurred understanding of the role of
Compliance).
Safeguarding the compliance function’s independence then relies on i) local management’s attitudes, which can vary
from one location to another and ii) the effectiveness of Group Compliance’s oversight capabilities. Whether companies
choose a centralised or decentralised model - or a combination - compliance operations affect the relationships and
workflow across the organisation, shaping the way senior managers, business units, internal audit, risk management,
employees, and compliance personnel work together. Clearly defining and managing these relationship within the
compliance framework is critical to achieving compliance objectives. The structure of the compliance function needs to
evolve as the compliance culture permeates the organisation:
• Centralised compliance functions do not necessarily succeed in balancing the “control” role with appropriate strategic
“change management authority”.
• Decentralised, and business-focused, compliance functions may have greater ability to influence tactical change but their
independence may be compromised because i) Compliance does not report to the right people at the right levels,
ii) appropriate remuneration policies are not in place (the appraisal process is driven by business, and business
constraints), iii) relatively junior staff are involved in influencing business decisions and iv) difficulties in ensuring equivalent
competences in decentralised compliance staff.
• The nature and scope of business activities often requires a combination of the two structures, adding to the complexity
in terms of evolution of the function overall.
Interaction with other functions
There are other considerations in determining the optimal approach. Appropriate interaction with other support and control
functions is key to ensuring the effectiveness and efficiency of the compliance function and the compliance framework
overall. The table below pulls together various ideas from the responses which elucidate the possible nature of the
relationship, and points of interaction.

© PricewaterhouseCoopers - Protecting the brand, May 2005 49
Actor Nature of interaction Areas of potential interaction with the compliance function
with compliance
Risk management Collaborative, supportive • Identifies and assesses risks, including compliance risk
• Contributes to compliance risk monitoring & monitoring plans
• Enhances awareness of compliance risk within the organisation
• Collaborates with Compliance in advising management (e.g., new products, new markets, etc.)
Internal audit Collaborative, supportive • Drives the adoption of automated controls for compliance risk work flow
• Provides input for overall compliance risk assessment
• Monitors business practice/processes for compliance, amongst other, risks
• Assesses the effectiveness of internal controls around compliance risks
• Reviews specific areas of compliance risk, at the request of Compliance, as part of annual audit review
• Undertakes thematic reviews of compliance-related issues
• Participates in investigations into compliance weaknesses and breaches
Legal department Collaborative, supportive • Keeps abreast of developments in legislation and case law and helps interpret the consequences for the organisation
• Collaborates with Compliance in advising management (new products, new markets, etc.)
• Represents the organisation in legal matters and in terms of compliance incidents
• Collaborates with Compliance in cultivating relationship with regulators
• Supports Compliance with training of, and communication with, staff
• Participates in investigations into compliance weaknesses and breaches
• Provides advice on disciplinary matters
Corporate social responsibility (CSR) Collaborative • Links compliance processes to overall CSR responsibilities
Quality assurance Collaborative • Ensuring coherence between quality assurance and compliance
• Reinforces the link between compliance and quality
Human resources Supportive • Helps implement regulations, codes of conduct, in staff handbooks and induction courses
• Assists with the development of policy concerning measures to be taken in the case of compliance incidents
• Helps administer/develop compliance training and communication
• Supports compliance in terms of staff recruitment for sensitive positions
• Supports compliance in the development of performance appraisal and remuneration systems aimed at stimulating compliant behaviour
• Leads dialogue with trade unions/labour relations (where relevant)
Corporate communications Collaborative, reports • Supports Compliance in issuing internal communications supporting compliant behaviour
• Ensures compliant external communications and public disclosures
Marketing Reports, supportive • Ensures compliant marketing information
• Supports Compliance in monitoring external environment
Customer service Reports • Provides input to Compliance via reports on customer complaints

50 © PricewaterhouseCoopers - Protecting the brand, May 2005
Based on our analysis, we suggest that:
• Boards and senior management should ask themselves probing questions about the current and future configuration
of the compliance function, the comprehensive control framework of the organisation and the optimal level of
resources - human, financial and technological. Senior management should continue to ensure that organisational
design does not impede the independence and effectiveness of the compliance function. Inter alia:
- Senior management needs to reconcile the different approaches necessitated by divergent societal and business
cultures within its operations overall, with its associated strategies in terms of configuration, modus operandi and
resources of the compliance function.
- Management should pay careful attention to the interaction with other control and support functions, and ensure
that the respective roles and responsibilities are clearly defined, and documented.
- Recognising the dual role of the compliance function (“counsellor” and “police officer”), it should make sure that
the organisation’s configuration is thoroughly assessed, both top-down and bottom-up, to permit appropriate
access and interaction with front-line businesses.
• Regulators need to provide more guidance and clarification regarding their expectations of both management and
compliance functions, and be more transparent about them.
• Regulators should aim to be consistent, over time, and with other regulators, both nationally and internationally.

Compliance contributing value to business performance
© PricewaterhouseCoopers - Protecting the brand, May 2005 51
Introduction
As we have seen, boards’ and senior management’s vision for compliance functions, including the role, responsibilities and
organisation of the compliance function, has evolved towards greater formalisation in recent years. However, coherent,
longer-term strategies, aimed at inculcating a sense of integrity into the business (demonstrable through associated
behaviours) and at ensuring that Compliance contributes value to business performance on an ongoing basis, were not yet
in place. One respondent said there was still some way to go to reconcile theory and practice. Based on our analysis, there
were three common, initial challenges:
• Assessing, monitoring and managing compliance risk within the context of overall risk profile of the organisation
• Quantifying the value of compliance, and balancing this against the costs
• Ensuring an appropriate technological support structure both in respect of the compliance function, and business
processes generally.
Assessing, monitoring and managing compliance risk within
the context of overall risk profile of the organisation
In terms of the main compliance risks faced by the organisation, responses split between specific regulatory requirements,
e.g. anti-money laundering, insider trading, and customer duty of care, and specific business areas, (for example, investment
banking, private banking or wealth management). In terms of ranking of compliance risks, “breaching legal/regulatory
requirements” and “reputation/brand risk” (see p. 16), were followed by anti-money laundering and insider trading
requirements. Interestingly, there was not necessarily a direct correlation between respondents’ conception of the main
compliance risks, the main challenges for the compliance function, and the perceived challenges to achieving compliance in
all cases.
Many respondents indicated that there was no common terminology (yet) within their organisations in respect of
compliance risk. Respondents, in all regions, indicated that work was currently underway to clarify key compliance risk
indicators, or key performance indicators, in different business lines. Compliance risk matrices were being developed to map
local regulatory and sectoral differences. One North American respondent indicated that a group risk assessment matrix was
used by compliance officers as the basis for conducting risk assessments in the lines of business. Many of the banks
participating in the study indicated that the risk assessment was either being driven by Basel II rules on operational risk, or
that Compliance planned to leverage data collected to better assess compliance risk. One insurer commented that business
units were scored on a scale of 1 to 10 according to several compliance indicators and risks, their readiness to take action,
receptivity to the risks, actual action taken, and reporting and goals reached.
“A key difficulty in terms of compliance is the
difference between theory and practice. In effect,
there are perhaps three levels: (i) the ideal
“compliant” or “compliance” scenario (ii) the
management decision (which in theory, is reached by
weighing all the pros and the cons, including
compliance considerations) and (iii) the practical,
compliant implementation of these decisions.”
Specific compliance risks identified 16
Anti-fraud legislation
Anti-money laundering (and rising regulatory bar)
Anti-trust legislation
Complaints handling
Conflicts of interest
Consumer protection legislation
Fat tail events
Insider trading and market manipulation
Internal organisation issues
Know Your Customer rules
Liability risk: risk of penalties
Product development and administration
Rogue employees
Secrecy & privacy rules
Technology risks
Terrorism
Third parties (joint ventures outsourcing, agency
agreements)
16 See also Annex II.

52 © PricewaterhouseCoopers - Protecting the brand, May 2005
45
40
35
30
25
20
15
10
5
0
Percent of total
25
Holistic risk assessment
Work in progress
Board based
Partial
Starting point
No compliance risk assessment
Compliance risk assessment
8
Risk-based approach to compliance monitoring
18
38
40
3
18
41
14
21
Additionally, the strength of the compliance network’s relationship with business - and effective communication - were seen
as important mechanisms for identifying and assessing compliance risks. Formal risk assessment was also undertaken as a
result of periodic reporting.
Almost a quarter of respondents indicated that their organisation took a holistic approach to risk generally, identifying
and assessing compliance risk in the context of other risks (such as credit risk, market risk, operational risk). 40% of
respondents took a broad-based, strategic approach to assessing compliance risks, but here too a number of the
international players were reconsidering their approaches and work was in progress to enhance the granularity of their
approach, to increase their appreciation of both compliance risks and their interdependence with other risks. However, 21%
indicated there was no systematic assessment of compliance risks within the organisation.
Many respondents indicated that compliance risk identification and assessment occurred as a result of various
activities within the organisation, not exclusively those of Compliance. Internal audit’s role, as part of their annual audit
programmes inter alia, in the identification and assessment of potential compliance risks in the business was widely
recognised. As we have seen however, there was sometimes a lack of clarity between the role of Compliance and that of risk
management - particularly operational risk management - in terms of risk identification, assessment, monitoring and
management. Even in those organisations where compliance risk was perceived as an integral part of the firm’s overall risk
management programme, clear links - or, more importantly, clear delineations - between the two in terms of relative
responsibilities were not always apparent.
Over 40% of respondents said their organisation had adopted a risk-based approach to monitoring compliance risk:
8% said that they had developed compliance dashboards. 18%, however, still operate in a “fire-fighting” mode, dealing with
issues as they arise as opposed to systematic monitoring.
Few took a risk-based approach to compliance risk identification and assessment, although some have begun to
assess the materiality and probability of compliance risks occurring.
Quantifying the value of compliance, and balancing this against the costs
Cost of compliance
Risk-based
Non risk-based
No compliance monitoring plan
No response
Only 49% of respondents indicated that there was an explicit budget for Compliance, and less than half of those had
complete discretion over how the budget was spent. One North American respondent indicated that a detailed, itemised
budget had to be prepared on an annual basis, to which Compliance then had to adhere. Others, however, emphasised the
need for the flexibility to be able to react to issues. Not surprisingly, respondents with recently established compliance
functions (within last year/18 months) indicated that budgeting was still “work-in-progress”.

© PricewaterhouseCoopers - Protecting the brand, May 2005 53
Group Compliance was often budgeted centrally - and sometimes “hidden” in general corporate staff function overheads -
with businesses responsible for budgeting local compliance staff. The full cost of compliance, including costs at the
business level was often not monitored closely (and, consequently, respondents could only provide indicative numbers, if
any, for overall costs).
One international bank said that it did not monitor the cost of compliance because “it is seen as a very small proportion
of total costs”. Other observations included:
• Compliance was simply a cost of doing business
• It was difficult to split the costs between Compliance activities and what businesses need to have in place as a matter
of course
• With limited resources, Compliance did not have time to analyse all the costs.
In some cases, Compliance still had significant influence in determining resources at the local level, but it often needed to
negotiate with business. As seen earlier, some international organisations indicated that there was a system whereby
compliance costs, notably the costs of Group Compliance, were charged back to business.
In terms of the elements covered by the budget, most respondents indicated that the budget generally included staff
costs (i.e., salaries, benefits, training, and overheads), although in some cases specific authorisation had to be obtained in
respect of headcount from HR or senior management. Others indicated that the costs of compliance-related training
(particularly in terms of wider training programmes for business) often fell within the remit of HR or the training department.
No respondent indicated that a holistic approach was undertaken covering all potential costs of compliance (as shown in the
box above), although some of the more advanced participants indicated that these were under (some) consideration. Often,
certain costs of non-compliance (such as penalties, fines, legal fees) were tracked separately at a corporate level, or were
the responsibility of business. Few respondents took account of the impact of reputational damage on market share, even
those who indicated that reputation risk was the greatest concern to the organisation. Neither the costs of business
suspension/disruption, nor governance costs, were generally considered in the context of compliance.
Having said that, the majority of respondents indicated that there had been an increase in compliance costs over the
past three years - sometimes doubling or even trebling - as a result of staff increases (or increased seniority/quality of staff)
in order to respond to regulatory developments. Some indicated that business changes, such as mergers and acquisitions
and additional investment in technological infrastructure had also increased costs. Many anticipated that compliance costs
would continue to increase in coming years.
Holistic view of compliance costs
• Costs of compliance
- Staff (FTE and part-time): salaries, benefits,
training
- Wider education/communications programme
- Space, associated technology costs
• Costs of non-compliance
- Financial penalties
- Remediation costs
- Suspension of business/business disruption
costs
- Impact on cost of capital
- Impact on market share
• Governance costs
Source: PricewaterhouseCoopers
Integrity-Driven Performance TM White Paper, 2004.

54 © PricewaterhouseCoopers - Protecting the brand, May 2005
Measuring value added
Asked whether Compliance was seen as adding value to the organisation, 78% of respondents believed it was, although
22% of these qualified the answer due to the difficulties of measurement. One European conglomerate believed “an effective
compliance function enables the company to reach its goals; it not only prevents damages but increases the strength of the
company as well”. For the remainder, Compliance was a legal necessity, a control function, or too immature for its value to
be recognised by the business.
Of those who said that Compliance did add value, none had yet developed a systematic measurement approach, but a
number of international organisations were working on this. Respondents indicated, however, that measuring the value was
difficult because it depended on inverse logic: i.e., non-compliant events not happening. As one European respondent
noted, an insurance policy’s real value is only really appreciated when something goes wrong. One Australian respondent
noted that business perceived more value-added before the introduction of the Financial Services Reform Act, but not after
its introduction, given the need to comply with extremely
Examples of how Compliance adds value
onerous regulatory requirements (suggesting that
Logical Measures
Inverse Logic Measures
Compliance was held responsible for this). Additionally, when
• Quality and speed of regulatory interpretations, and related • Absence of fines/penalties
compliance arrangements were initially formalised or the
•
compliance policies and procedures
• Less fines/penalties than peers
scope extended, there was often an increase in identified
Improved regulatory relationship, including good feedback • Insurance policy
from supervisory reviews
• Absence or reduction of compliance breaches/deficiencies
compliance weaknesses and breaches which management
• Improved relationship with shareholders
• No reworking required to achieve quality
often found difficult to reconcile with the increased costs of
• Improved relationship with customers (customer surveys) • Reduced complaints (less resources required for complaints compliance. One North American respondent indicated that
• Positive feeling which comes from doing the right thing
handling)
while its securities business appreciated the value added by
• Good internal/external audit reviews of compliance function • No licence withdrawals or restrictions
compliance, its banking business saw Compliance as “just a
• Compliant business decisions
• Management and business “silence”
• Speed of new compliant products to market
• Gate-keeping: stopping bad business decisions
tax”.
• Positive internal feedback from business (through surveys,
360° reviews)
However, as indicated earlier, Compliance was also
seen to be at a disadvantage in comparison with other
• Compliance training assessments
business risk management functions, which were perceived
• Effectiveness reviews of compliance function
as business enablers while Compliance was a “cost of doing
• Compliant marketing documentation
• IT systems that are designed from the outset to be compliant
business”. The financial impact of credit, market and
• Increased professionalism of Compliance
operational risk management was measurable in terms of
• Level of ethics/compliance culture throughout the
potential reductions in regulatory capital requirements. Some
organisation (internal surveys)
believed that the value of Compliance would only be
• Clarity and comprehensiveness of compliance reporting
recognised if a viable balance were found with the costs.
• Timely rectification of breaches/deficiencies
• Results of compliance monitoring
Many respondents said that Compliance needed to market

© PricewaterhouseCoopers - Protecting the brand, May 2005 55
itself better internally: one compliance officer said “It is my task to make compliance and its advantages more transparent
and operationally workable”.
71% of respondents indicated that job descriptions and/or specific individual objectives had been established for
compliance officers and staff. Several respondents indicated that they were looking to introduce balanced scorecards for the
compliance function (although one European respondent indicated that a scorecard had been tried but had not worked well).
Developing key performance measures (KPIs) - both for the compliance function and to measure compliant behaviour
in the business units - was considered difficult by most respondents, again due to the need to measure negatives (e.g., no
penalties, fines, breaches, etc.). Not surprisingly, 62% of respondents indicated that they did not use KPIs or, at least, not
yet. Where they were used, respondents felt they were in their infancy and consequently too generic. The majority of
international institutions were working on more granular KPIs. For example, they were looking to introduce metrics for
business compliance results such as number of regulatory investigations, number of audit findings, etc. Some respondents
stressed the importance of root cause analysis of breaches and weaknesses: assessments had to be made to determine
whether compliance breaches could/should have been detected earlier. Few, however, indicated that they used KPIs to
predict trends.
Various tools were used to monitor compliance performance overall (including both the work of the compliance function and
compliant business practices), for example:
• 360° reviews
• Internal surveys to monitor perceptions of the compliance function and the relationship with business, amongst other
things
• Compliance dashboards, indicating for example issues reported to the regulators, fines paid, adverse findings, breaches,
weaknesses, inappropriate personal dealing
• Heat maps highlighting compliance risks
• Controlled self-assessments of business (e.g., covering regularity of training, pre-clearance of trading, etc.) against
objectives
• Statistical analyses of complaints and breaches.
Some respondents indicated that they would like to benchmark themselves against their peers, but that this was not easy.
One international respondent noted that the US regulators were trying to establish benchmarks for their reviews - such as
comparing the number of suspicious transaction reports submitted by banks. These benchmarks were unreliable, however,
given differences in business activities, risk profiles and risk tolerance levels, etc.
Key performance indicators
18
38
3
Examples of generic KPIs
• Training provided versus plan
• Testing performed versus plan
• Complaint volumes
• Exception tracking
• Number of advertisements reviewed
• Number of breaches (reported or not)
• Audit reviews
• Results of regulatory examinations
• Firmwide polls
• Success at recruiting/training talent in the
compliance function
• Assessment of comprehensiveness of compliance
monitoring
• Benchmarking quality of the organisation
• Performance reporting on changes to compliance
policies and procedures
• Quality of compliance culture
• People retention
• Negative press coverage
• Number of regulatory inquiries, or enquiries
• Overall relationship with regulators
• Speed in addressing/rectifying breaches/weaknesses
41
KPI for compliance function
KPls used for predictive analysis
Starting to use/develop KPls
No KPls

56 © PricewaterhouseCoopers - Protecting the brand, May 2005
Ensuring an appropriate technological support structure both in respect
of the compliance function, and business processes generally
Our analysis showed that Compliance was definitely lagging behind business in terms of the exploitation, and
understanding, of technology. While a large majority of respondents mentioned Compliance’s use of intranets, email,
telephones, and so forth, only 14% of respondents focused on the wider use of technology - and the most cited example of
technology used was AML-related software. Notably, only 3% placed a heavy reliance on technology for compliance
monitoring purposes, using technology-based tools to analyse the outputs of compliance monitoring. One heavy technology
user, however, stressed that the efficient use of technology suitably streamlined (human) resource requirements, and
enhanced Compliance’s global performance.
Only 17% of respondents used technology for knowledge management purposes within their compliance function.
Equally, when asked to what extent IT personnel were involved in the compliance programme, 43% of respondents indicated
that there was some involvement but only 28% felt that IT staff were knowledgeable about the needs of the compliance
function. In terms of new systems developments, 30% indicated that Compliance was involved, but in most firms, business
was the key decision maker in terms of prioritising systems projects. While most respondents gave Compliance equal
priority in terms of systems development (with appropriate justification), 20% of respondents said that compliance projects
were given low priority.
It was evident that, in the main, the use of technology was predominantly borne out of regulatory necessity rather than
business vision. For example, revised AML requirements and, in Europe at least, market abuse requirements, have acted as
the catalyst to the growing use of technology and the increased need for the compliance function to understand the
technology in use within their particular organisation.
Reflections
Significant challenges remain if organisations hope to reap the full benefits of improved compliance. Many organisations still
believe that a large part of the challenge stems from the weight of new regulations and uncertainty over their practical
application, and that conformance might undermine performance if regulatory requirements constrain the flexibility and
innovation of business models, and impose apparently unnecessary costs. Ultimately, however, compliance - like
performance - is a prerequisite for doing and staying in business. The compliance function provides one, albeit essential, tool
to enable management to fulfil stakeholders’ expectations of integrity and to protect the brand. Compliance costs would
certainly appear modest when compared to the billions that can be wiped off share values if lapses in probity, governance or
codes of conduct come to light.

© PricwaterhouseCoopers - Protecting the brand, May 2005 57
Essentially, meeting these challenges requires a more holistic and proactive approach to compliance which moves beyond
statutory expectations to embrace broader ethical and strategic considerations. It means understanding the essential link
between integrity, ensuring the right behaviours throughout the business and meeting strategic objectives. This approach
should focus squarely on encouraging appropriate behaviours and the achievement of compliant business practices and
processes (i.e., compliant outcomes) - rather than placing the onus solely on the compliance function.
Certain common elements underpin such an approach:
• Closer integration of governance, risk management and compliance structures, forming a practical continuum
underpinning the overall integrity of the organisation and aligned to innovation and the achievement of strategic
objectives
• A culture which breeds the right behaviours and instils integrity into the DNA of the organisation, fostering awareness and
ownership of compliance at all levels of the organisation, supported by appropriate rewards, processes and procedures
• An extension of the role of Compliance to engage directly, and at an early stage, with those involved in tactical and
strategic decision-making in areas ranging from acquisition to product development
• A clear definition of the relationship between the business as the first line of defence; the compliance function as the
second; and independent assurance and non-executive directors as the third
• Coherent approaches to ensuring that business processes and procedures, generally, facilitate rather than frustrate
integrity, and that robust technology infrastructures foster integrity-driven decision-making.
The shift towards a principles- or risk-based regulatory or supervisory approach in many countries would call for more
emphasis on the compliance function’s advisory role: but it is a question of balance. Primarily, the organisation needs to
anticipate and quickly respond to the most serious threats to the brand, rather than seeking to ‘comply’ with everything all of
the time. Management’s success in configuring the business to achieve its performance objectives while remaining wellmanaged
(and consequently compliant) will predetermine the evolving role and ongoing efficacy of the compliance function.

58 © PricewaterhouseCoopers - Protecting the brand, May 2005
Sustainable strategies for compliance functions
Having said that, we believe that a coherent, ongoing strategy for the compliance function has two dimensions, operating
against the backdrop of comprehensive awareness of stakeholder expectations and a maturing culture of integrity (see chart
below). From a practical perspective - in the context of the wider governance, risk and compliance approach - management
needs to ensure that the role of the compliance function evolves with the progressive achievement of compliant business
practices and processes, eventually becoming a proactive management discipline to protect the longer term health of the
organisation.
STAKEHOLDER EXPECTATIONS
ENABLING CULTURE
PROCESS & TECHNOLOGY
Governance
Enterprise
Risk Management
EMERGING STANDARDS
& new requirements
1. Ensure the longer-term viability of the compliance
function:
• Provide adequate resources:
- Focus on the costs of compliance, and who pays
- Arm the compliance function with technological support
appropriate for the business
• Establish clear delineation/allocation of roles and
responsibilities between various control and risk management
functions, optimising their complementary nature
• Manage the evolution of these roles and responsibilities over
time
• Increasingly recognise compliance as a proactive
management discipline and encourage the “profession”
of the compliance officer
• Focus on the efficiency of the compliance function in its
interaction with business
• Devise appropriate means for quantifying the value added
by Compliance.
2. Integrate compliance into business processes:
• Clearly assign compliance responsibilities to board and senior
management, and business line management
• Focus on engendering appropriate behaviours throughout the
organisation
• Understand compliance risk through defining its nature in the
context of comprehensive, granular risk assessments, and
determine approaches to managing and mitigating this risk
appropriate to the businesses and to the organisation overall
• Develop flexible but coherent compliance policies and
procedures appropriate for the business
• Define strategies for balancing compliance risks against the
costs
• Develop processes for establishing, reviewing and revising
internal controls
• Ensure technology supports compliant outcomes
• Ensure ability to remain compliant in a dynamic business
environment.
Compliance
Extended Enterprise & Value Chain
ETHICAL CULTURE
Source: PricewaterhouseCoopers
Integrity-Driven Performance TM White Paper, 2004.
Without a vision of, and belief in, the endgame of compliant business as a valid business goal rather than a reaction to
regulatory pressure, future difficulties for Compliance are anticipated, and not just in those countries where a compliance
function is relatively new. A major stakeholder in overall convergence, Compliance is not consistently allocated a clear role in
the change management process, nor given adequate resources to enable it to participate extensively. If regulatory pressure
should subside, and with it the fear factor, resources may be redirected to other perceived regulatory or business priorities.
Generally, respondents encountered few current problems in obtaining (human and financial) resources for the
compliance function (though clearly there is insufficient emphasis on optimising the use of technology). However, this trend
may not last if regulatory pressure declines and profits are squeezed. Organisations would benefit from less regulatory
enforcement, but to achieve it they need to strive for consistently compliant business practices and processes.

© PricewaterhouseCoopers - Protecting the brand, May 2005 59
Comprehensive risk identification, assessment and management
A 2004 survey 17 undertaken by PricewaterhouseCoopers and the Economist Intelligence Unit identified four reasons why risk
management remains primarily focused on meeting regulatory requirements and only secondarily on protecting and
enhancing the value of the franchise:
• A culture of risk awareness has yet to emerge
• Quantifiable risks are still the focus of too much attention
• Compliance is not being turned into competitive advantage
• The importance of governance is underestimated.
Clearly, this study shows that there is a growing appreciation of compliance risk as an integral part of the overall risk profile
of the organisation. However, the substantial interplay between the various risks faced by an organisation needs to be better
understood before it can be managed professionally. Management, evidently, needs to focus more on the granularity of
compliance risks, progressively undertaking detailed assessments throughout all levels of the business, enabling fuller risk
appreciation both top-down and bottom-up. As the 2004 survey indicated, considerably more attention is paid currently to
quantifiable risks, such as credit risk, market risk and operational risk, particularly in the context of the Basel II Accord. Much
of this effort, however, can feed into the assessment of compliance risks. The Risk Management Association’s working group
focusing on key risk indicators has identified over 1,000 indicators which will offer its members potential menu of options.
A balanced set of performance measures would focus on:
• Organisation, people and culture (e.g., ethics hotline statistics, employee survey results)
• Compliance process effectiveness (e.g., number of incidents/events, key process metrics around key issues)
• Key stakeholders (e.g., number and severity of regulatory issues, external press and market perceptions)
• Costs (e.g., direct programme costs, indirect programme costs, fines, penalties and settlements).
17 PricewaterhouseCoopers/EIU Briefing Programme: Uncertainty tamed?
The evolution of risk management in the financial services industry, July 2004

60 © PricewaterhouseCoopers - Protecting the brand, May 2005
Quantifying the value of compliance
The study demonstrated that some progress is being made in quantifying the value of the compliance function, but reluctance
to measure the full cost of compliance - and non-compliance - remains. Measuring the cost is, however, essential to
discovering the inherent value. When compliance functions cannot measure their effectiveness and performance, they face
barriers to effectively carrying out their role within the organisation. Compliance touches almost every business process within
financial institutions in some way, and understanding this impact will help compliance functions better demonstrate their value.
This will provide their organisations with a sounder basis on which to build business cases for improving compliance
performance more widely.
It needs to be emphasised though that quantification may also be necessary to provide justification for maintaining - let
alone increasing - Compliance human, financial and technological resources, if management attitudes do not evolve further.
The inability of Compliance to focus on cost and performance measurement is directly tied to the limited focus on the use of
technology, and to the perceptions of Compliance within organisations currently.

© PricewaterhouseCoopers - Protecting the brand, May 2005 61
Technology
The apparently low level of knowledge of IT within compliance functions supports the view that, in many organisations, the IT
department is not considered to be a key stakeholder in the compliance function. Similarly, the responses also suggested
that knowledge within IT departments of the compliance function’s requirements may also be limited. However, we believe
that technology is a key enabler to supporting compliance within the organisation, and presents a significant opportunity for
many organisations. There is also an opportunity to leverage technologies being put in place to support Basel II to better
manage compliance risk. Successfully establishing a sustainable and cost-effective process for on-going compliance
requires leveraging technology to achieve efficiency and effectiveness in a company’s control environment, as well as their
compliance process. This means the use of technology to:
• Control and manage processes that cut across systems and organisational boundaries. Compliance touches nearly
every operating and administrative unit in an organisation so the task of controlling and managing the compliance
process itself is huge. However, there is the equally massive task of controlling and managing the underlying business
processes. Each of these require appropriate application of technology in order to establish sustainable compliance. In
the first instance, technology is used to facilitate retrieval and updating of documentation, analysis and status reporting.
In the latter instance, manual controls are automated.
• Improve the quality of information and speed of delivery. Inaccurate, incomplete or late information impedes action.
Reliable information increases confidence to take action. Appropriate use of technology can improve quality and speed by
transferring data from one system to another, replacing manual processes for execution, analysis and reporting, challenging
the quality of data, modelling alternatives and delivering reports and dashboard information to decision makers.
• Identify and manage events in a consistent and auditable manner. When incidents of non-compliance go unnoticed
risk increases. Technology is used to identify events and report exceptions. This involves optimising control capabilities in
existing business and support systems, use of integration technologies to bring together information from disparate
source systems and administering and monitoring of risk and control self-assessments and other surveys.
• Build accountability into the management and reporting of events. When negative events are noted (e.g., in a log file)
but no action is taken, risk increases and poor information often contaminates subsequent processes. Business process
management and business rules engine technologies help ensure action by creating a “closed loop” environment that
incorporates accountability for each incident and requires action.
An important lesson of the recent past is the recognition that compliance is ultimately executed at multiple corporate levels -
enterprise, business unit and business process. While many compliance functions have focused on the first two, companies
are discovering that the opportunity to create real value through technology lies at the business-process level. To capture

62 © PricewaterhouseCoopers - Protecting the brand, May 2005
this value, companies must develop compliance technology architectures to pull together data from disparate systems,
using it to enforce compliance, improve data quality, or identify incidents. In taking this approach, companies bring
compliance to life for a fraction of the cost it took them to implement other business applications.
There is no single technology solution which enables the actions described above. Instead they are supported by
several building blocks, or types of functionality - some of which are available in most companies’ current technology
environment. Others are available in the “out-of-the-box” solutions which are flooding the marketplace. A compliance
technology architecture incorporates components from each of the following:
• Core business processing: Core front, middle and back office systems, financial systems, human resources and other
systems are used to run the business at most major companies. Many key compliance controls are executed in these
systems, and much of the data to support compliance reporting, including key risk indicators, resides in these systems.
• Data integration: Ability to get information from core business systems to systems used for event identification and
reporting. Technologies range from enterprise application integration to databases and XBRL/Web services.
• Process monitoring and event identification: Ability to apply key controls that cut across core business systems as
well as identify and manage compliance events as business activities are occurring. Technologies that support this
functionality include business process management platforms (which can be used to automate manual processes,
enabling better process monitoring), business rules engines (which can help to set and manage thresholds and
tolerances) and various process monitoring platforms such as AML technologies, business activity monitoring and
security event management technologies.
• Core risk and compliance management: Functionality specific to the management of the compliance function itself,
including the management of policies and procedures, the support of risk assessment processes, the facilitation of the
analytical aspects of compliance/risk management, the project management of key compliance initiatives, the tracking of
key compliance obligations and the organisation’s performance against these, etc.
• Risk and compliance reporting tools: Address risk analytics, key performance indicators and management reporting.
Technologies which support this functionality include business intelligence and corporate reporting platforms.

© PricewaterhouseCoopers - Protecting the brand, May 2005 63
Based on our analysis, we suggest that:
• Management should strive for a coherent response overall to managing risk, developing holistic strategic risk
assessments which explicitly encompass compliance risk within the overall risk profile of the organisation. Particular
attention should be paid to the interaction between Compliance and other risk management functions, while
recognising the difference in emphasis when management compliance risk.
• As with any other intrinsic part of the business, boards and senior management should focus more on measuring
the real cost of compliance and non-compliance, as a means to ensuring appropriate cost management strategies,
ameliorating their understanding of Compliance’s value, and finally permitting an effective balance between
compliance costs and value generated.
• Equivalent, if not higher, priority should be placed on the development and use of technology able to help
management to really understand, on a timely and consistent basis, what is going on in the business. From the
perspective of the compliance function, a robust technological infrastructure entails both sophisticated tools for
monitoring compliance in business activities, together with appropriate tools for streamlining compliance function
activities, and facilitating knowledge sharing.
• Compliance should develop more in-depth awareness of the technologies used by the organisation, including legacy
systems, and be consulted with regards to new systems developments. At the same time, the IT department should
develop greater awareness of the needs of the compliance function.

ANNEX

Annex I
Overview of regional and national requirements for compliance functions
Asia and Australia
© PricewaterhouseCoopers - Protecting the brand, May 2005 65
Australia
The first attempt in Australia to state objectively what was required for an effective compliance system was made in 1998 by
Standards Australia, when it released AS 3806-1998: Compliance Programs, after a long period of industry consultation. In
the same year, the funds management industry also came under increased compliance obligations with the enactment of the
Managed Investments Act 1998, which made it compulsory for all managed investment funds to have a compliance plan
registered with the Australian Securities and Investment Commission (ASIC) prior to becoming operational or accepting any
funds. Since that time, Australian regulators have increasingly acknowledged the important role of compliance systems in
supporting the development and maintenance of appropriate standards of corporate governance, codes of conduct and
ethics. This acknowledgement has been reflected in the reports of a number of Federal Government reviews of the financial
service sector, including CLERP 6, whose recommendations formed the basis of the recent Financial Services Reform Act
2001 which requires licensees to implement compliance programmes substantially based upon AS 3806. Maintenance of an
effective programme is required in order to meet the Australian Financial Services Licence requirements under that Act. The
latest example of the regulator focus on compliance is the release in December 2004 of the Australian Prudential Regulation
Authority’s (APRA) draft standard that requires all eligible foreign life insurance companies to establish and operate a
compliance committee.
December 2004 also saw Standards Australia issue a new draft compliance standard aimed at responding to criticism
that the 1998 version of AS3806 did not provide sufficient guidance on how to implement an effective compliance
programme. The new draft provides additional guidance on the specific types of documents/activities that should be
undertaken when developing a compliance framework. In particular, it suggests that organisations should establish
compliance management processes, with a documented compliance management plan. A compliance policy should be
developed in consultation with interested parties within the firm, and endorsed by the board and executive. Business line
managers and staff should be made responsible for managing compliance, together with the board and top management.
Firms should also nominate a chief compliance officer (“competent senior executive”) who would take primary responsibility
for compliance issues within the organisation.
The new draft standard sets out rules supporting the development of compliance programmes within firms, for instance
by linking performance pay to achievement of compliance obligations. Senior management are charged with the
responsibility to promote awareness and train staff on the importance of compliance, in particular those employees whose
work activities have a potential to cause a deviation from compliance obligations. The draft standard also recommends that
firms document and report on compliance performance regularly to internal and external stakeholders. Regular reviews of
the compliance programme are also recommended to ensure that it supports the compliance objectives of the firm and is
adapted to the changing internal and external operating environment.
Legal base:
Corporations Act 2001.
Managed Investments Act 1998.
Financial Services Reform Act 2001.
ASIC Policy Statement 164: August 2003.
AS 3806-1998: Compliance programs (Standard).
SAA HB 133-1999: A guide to AS 3806-1998
Compliance programs (Handbook).
Draft Prudential Standard: Compliance Committees
for eligible foreign life insurance companies.

66 © PricewaterhouseCoopers - Protecting the brand, May 2005
Anti-money laundering
Anti-money laundering requirements have existed in Australia for over 15 years having been introduced by the Financial
Transaction Reports Act (FTRA) 1988. The Act did not specify the appointment of a compliance officer for AML purposes.
The FTRA covered cash dealers. New legislation, expected by the end of March 2005, is to be risk-based and have a
broader coverage of parties involved. It will cover parties involved in financial transactions (the legislation includes a broader
definition of a financial transaction) covering a much broader range of financial institutions, both bank and non-bank. It also
covers lawyers, accountants, bullion dealers and real estate agents.
Legal base:
Securities:
Management, supervision and internal control
guidelines for persons licensed by or registered with
the securities and futures commission. April 2003.
Securities and Futures Ordinance.
Banking:
Statutory guideline: IC-1 General Risk Management
Controls (from the Supervisory Policy Manual).
Insurance:
Statutory guideline: GN10 Guidance Note on The
Corporate Governance Of Authorised Insurers.
Insurance Companies Ordinance.
Hong Kong
In Hong Kong, financial institution supervision is shared amongst several regulators. The Hong Kong Monetary Authority (HKMA)
is responsible for banking supervision; the Securities and Futures Commission (SFC) is responsible for the market supervision
and regulation of the securities and futures markets; while the Office of the Commissioner of Insurance (OCI) supervises the
insurance industry. The Mandatory Provident Fund Authority oversees the regulation of the mandatory retirement funds.
The Commissioner of Banking (the former regulatory body for the banking industry) issued a best practice guideline on
Duties and Responsibilities of Directors of Authorised Institutions which stated that directors are held responsible for the
institution’s compliance with the requirements under the Banking Ordinance. On 1 April 1993, the HKMA was established by
merging the Office of the Exchange Fund with the Office of the Commissioner of Banking. Under the statutory guidelines IC-1
General Risk Management Controls (from the Supervisory Policy Manual) specific provisions address the compliance
function. The HKMA website also makes reference to current work on developing more detailed compliance rules.
The SFC regulates the securities and futures market in Hong Kong. In the same way as banks, investment firms in
Hong Kong are required to have a compliance function, which implements compliance policies established by management.
The Management, Supervision and Internal Control Guideline broadly describes the compliance duties that may be
undertaken by the compliance function.
The OCI issued a guidance note which addresses corporate governance of authorised insurers. The guidance note
specified that the board must ensure corporate compliance with all the relevant ordinances, regulations, guidance notes,
industry standards and guidelines. An authorised insurer is encouraged to appoint a compliance officer to oversee
compliance by it and its staff with the relevant laws, regulations, guidance notes and industry standards and codes of
practice. The guidance note indicates that the compliance officer must also report to the board at regular intervals.
Anti-money laundering
The HKMA issued guidance on AML in 1997, which was subsequently amended to reflect the Organised and Serious Crimes
(Amendment) Ordinance 2000 and again in 2004. Current guidelines stipulate that an authorised institution must appoint a
compliance officer as a central reference point for reporting suspicious transactions. This compliance officer should play an
active role in the identification and reporting of suspicious transactions.

© PricewaterhouseCoopers - Protecting the brand, May 2005 67
Japan
The Financial Services Agency in Japan (JFSA) established in 2000, regulates the financial services sector. From 1998 to
2000, the Financial Supervisory Agency played the same role. Previously, the Ministry of Finance had long regulated the
Japanese financial services sector.
In 1992, the Securities and Exchange Surveillance Commission was set up by an amendment to the Securities and
Exchange Law. This Commission was empowered to survey whether rules are observed in the securities market. Under the
Securities and Exchange Surveillance Commission, a self-regulatory body - the Japan Securities Dealers Association (JSDA)
- established rules for its members in 1992 concerning the appointment of internal control managers. The JSDA requires all
investment firms to appoint a general manager for internal control as well as internal control managers for each subsidiary.
There are no specific rules for appointing compliance officers, however the chief compliance officer is obliged to participate
in a training programme organised by the JSDA every year. Firms are encouraged to appoint compliance managers who
have passed the internal control manager certification examination held by the JSDA. The chief compliance officer should be
a member of the board. The president of the organisation will determine how often the chief compliance officer will report.
Late in the 1990s, JFSA decided to prepare its Inspection Manual, a guidebook both for its inspectors and financial
institutions. This guidebook covers compliance and risk management. The Inspection Manual for deposit-taking institutions
was first published in 1999, followed by that for insurance companies in 2000, and the one for securities firms in 2001. In
these Inspection Manuals, the JFSA provides that the compliance function should be marked as a first priority in managing
financial institutions. For example, the board should discuss all compliance matters, as well as sales promotion; a
compliance manual should be prepared and disseminated to all the employees; and the compliance programme should be
approved by the board and executed regularly throughout the organisation.
Legal base:
Banking Law
Insurance Law
Securities and Exchange Law
JFSA: Inspection Manual for banks, insurance
companies and securities companies
Anti-money laundering
Anti-money laundering efforts were launched in July 1990 when financial institutions were required to identify their
customers. The Government also established the suspicious transactions reporting system requiring financial institutions to
file reports on transactions suspected to involve laundering of the proceeds from drug offences, under the “Anti-Drug
Special Law” which came into force in July 1992. Under the Anti-Organised Crime Law, effective February 2000, the
Government enhanced the suspicious transaction reporting system. The new law expanded the scope of offences to cover
all serious crimes. The law also empowered the Commissioner of the Financial Services Agency to collect and analyse
suspicious transaction reports and disseminate the information to law enforcement agencies. The Law on Customer
Identification and Retention of Records on Transactions by Financial Institutions came into effect on 6 January 2003. This
Law obliges financial institutions to perform customer’s identification procedures and keep records on their transactions.

68 © PricewaterhouseCoopers - Protecting the brand, May 2005
Europe
Legal base:
Directive 2004/39/EC: Markets in Financial
Instruments Directive (MiFID)
Directive 91/308/EEC: 1st Anti-Money Laundering
Directive.
Directive 2001/97/EC: 2nd Anti-Money Laundering
Directive.
European Union
Traditionally, EU legislation focused primarily on requirements for adequate administrative and internal controls systems in
financial institutions. With the recent adoption of the Markets in Financial Instruments Directive (MiFID), there is now an
explicit requirement for investment firms and banks to establish a “permanent and effective” compliance function. MiFID is
one of the first, and definitely the most extensive, piece of legislation to be subject to the “Lamfalussy procedure”: whereby
“Level 1” legislation is adopted through the traditional co-decision procedure (involving the European Council and the
European Parliament) and Level 2 legislation is developed by the European Commission, upon advice from a Lamfalussy
committee - in this case, the Committee of European Securities Regulators (CESR) - and in collaboration with the European
Securities Committee (comprising representatives of national governments).
Work is currently ongoing on the MiFID Level 2 measures. The European Commission recently announced a
postponement 17 in the date of implementation by one year to April 2007, to allow additional time to elaborate the Level 2
details and for regulators to implement the necessary national measures, once these details were agreed. CESR’s advice
includes principles relating to the compliance function, compliance policies and procedures, and compliance oversight.
MiFID, however, also establishes high-level organisational and conduct of business standards, covering issues such as
managing conflicts of interests, best execution, pre- and post-trade transparency, customer classification and suitability
requirements for customers.
There are no similar requirements, as yet, at the EU level for insurance companies.
Anti-money laundering
Two community directives have been adopted in the field of anti-money laundering, the first in 1991 and the second in 2001.
The first directive made the reporting of money laundering an obligation and required financial institutions to identify and
know their clients, to keep appropriate records, and establish anti-money laundering training programmes. The second
directive extended the scope of the directive beyond the financial sector (i.e. asset managers, insurance undertakings,
investment firms and credit institutions) to embrace professions such as accountants, external auditors and lawyers.
In June 2004 the Commission proposed a third AML directive, which is currently being considered by the European
Parliament and the Council of Ministers. The European Commission issued the draft directive in order to align EU standards
fully with the Financial Action Task Force on Money Laundering (FATF) 40 recommendations. Inter alia, it subjects insurance
intermediaries to equivalent requirements to those imposed on other financial services intermediaries.
17 Approval of the Council of Ministers and European Parliament currently pending.

© PricewaterhouseCoopers - Protecting the brand, May 2005 69
Austria
The requirements for an independent compliance function were introduced in 1993 on a voluntary basis based on a self
regulation of the sub-organisations for credit institutions, insurance companies and pension fund associations within the
Austrian Chamber of Commerce. There are currently no legal requirements for the appointment of a compliance officer or
establishment of a compliance function. The main principles are:
• Definition of restricted areas which will normally deal with sensitive information
• Listing and monitoring of restricted securities (i.e. securities which must be traded by the company or its employees)
• Listing and monitoring of monitored securities (trades in these securities will be investigated by the compliance function).
Currently, the activities of the compliance function are limited mainly to the prevention of insider trading or other prohibited
transactions as defined in the Austrian Securities Exchange Act and the Austrian Securities Supervision Act.
Austrian anti-money laundering regulations adopted EU-standards in 1993. The most recent amendment was in 2003
when the 2nd EU AML directive was transposed. These regulations specify the appointment of an independent AML
compliance officer, who shall not have wider compliance responsibilities. In a circular in March 2004, the Austrian Financial
Market Authority (FMA) stated that, in principle, the compliance function, the AML compliance function and internal audit
must not be fulfilled by one organisational unit/person. Nevertheless they admitted that - depending on the size of the entity,
the number of employees, the business conducted, and the number and complexity of transactions relevant for Compliance
and/or AML - these functions could be conducted by one person, provided that an independent review is undertaken.
The FMA is currently in discussions with industry as to its understanding of the compliance function requirements in
the context of MiFID. These new rules are expected to lead to significant change in the meaning of compliance in Austria
and, therefore, will impact the approach to compliance functions.
Belgium
The Banking, Finance and Insurance Commission (BFIC), created through the integration of the Insurance Supervisory
Authority (ISA) into the Banking and Finance Commission (BFC), has been the single supervisory authority for the Belgian
financial sector since 1 January 2004.
In Circular D1 2001/13, the BFIC set out its position on the organisation of a comprehensive compliance function in
credit institutions, enumerating 10 principles. The circular requires credit institutions to set up an independent compliance
function with the aim of ensuring that the firm complies with the rules relating to banking “integrity”. It identifies the areas to
which the integrity policy should give priority. The executive committee is responsible for drawing up an integrity policy and
the board of directors is responsible for its adequacy. At least once a year, the executive committee reports to the board of
directors on the compliance, through the audit committee if one exists. The circular stipulates that professional competence,
integrity and discretion are essential qualities of the compliance staff for the proper functioning of the compliance function.
In November 2002, the Belgian regulator issued a similar circular stipulating that the compliance function in investment firms
Legal Base:
Standard Compliance Code of the Austrian Credit
Institutions Sector.
Standard Compliance Code of the Austrian Insurance
Sector.
Standard Compliance Code of the Austrian Pension
Fund Associations.
Legal Base:
Law of 22 March 1993 and associated royal decrees.
Circular D1 2001/13 to credit institutions,
18 December 2001.
Circular D1/EB/2002/6 on the internal control and the
function of the internal audit and the compliance
function in investment firms, 14 November 2002.
Circular PPB/D.255 to insurance companies,
10 March 2005
Law of 11 January 1993 and associated royal
decrees and BFIC circulars.

70 © PricewaterhouseCoopers - Protecting the brand, May 2005
should be independent: in March 2005, similar requirements were imposed on insurance companies. These circulars are
supplemented by a June 2004 circular which confirmed that the compliance requirements apply to credit institutions and
investment firms in terms of all outsourced activities.
Prior to 2001, requirements for a limited compliance function were established for all financial institutions (banks,
investment firms and insurance companies) by the anti-money laundering law of 11 January 1993, which inter alia, required the
appointment of a compliance officer. Similar requirements relating to ‘special mechanisms’ (anti-fraud and tax evasion) were
also in effect at that time. The law of 11 January 1993 transposed the first EU AML Directive (91/308/EEC). The second EU
Directive (2001/97/EC) was transposed by the Law of 12 January 2004. Article 21bis of this law provided that the BFIC should
define the specific implementation rules applicable to institutions it supervises and these rules were promulgated by the BFIC
circular of 27 July 2004 which was subsequently approved by the Royal Decree of 8 October 2004.
Legal base:
Compliance arrangements:
• AMF General Regulation.
• Commission Bancaire draft proposals on
compliance arrangements, within the existing
Regulation 97-02 on internal controls -
implementation anticipated 30 June 2005.
AML:
• Regulation 91-07 of the CRBF (banking and
investment firms).
• Regulation 02-01 of the CRBF (banking and
investment firms).
• Instruction 00-09 of the Commission Bancaire.
France
The Autorité des Marchés Financiers (AMF, formerly CMF), the French regulator of investment firms, was the first regulator in
France to establish requirements regarding compliance arrangements. The General Regulation requires that a “déontologue” is
appointed in each entity who is responsible for the definition, and implementation, of conduct of business rules throughout the
institution. Recently, the Commission Bancaire, the French banking regulator, issued a series of proposals on compliance
arrangements. Those proposals apply to both banks and investment firms, as the Commission Bancaire supervises both groups
of institutions. These form part of the current regulation on internal controls (Regulation 97-02).
The proposals introduce a definition of “non-compliance risk”, based on the Basel Committee’s definition as set out in
the October 2003 consultation paper. AML is included within the scope of non-compliance risk although not explicitly. The
main proposals are the following:
• Appointment of a dedicated and independent compliance officer
• Implementation of a compliance monitoring programme
• Implementation of specific procedures with respect to new products approval
• Implementation of specific procedures in terms of breach identification, escalation process and record-keeping
• Implementation of a non-compulsory whistle-blowing process (i.e. each employee must be given an opportunity to blow
the whistle if he/she deems this necessary, but must be under no compulsion to do so).
In addition to the above, the new proposals (due to come into force on 30 June 2005) include specific requirements on
outsourcing and introduce a requirement to split internal controls and internal audit functions (internal controllers being now
referred as “permanent controllers”). The compliance function is a permanent control function, compared with internal audit
which is now referred to as a “periodic control function”.
A series of specific AML-related regulations - beyond definitions of money laundering practices and related sanctions
that are of a legal nature - are in place (see table above), but no recent change as been introduced.
No compliance regulation exists for insurance companies at that stage. However specific AML requirements are in place.

© PricewaterhouseCoopers - Protecting the brand, May 2005 71
Germany
Germany’s financial services regulators merged into a single entity during 2002, forming the Federal Financial Supervisory
Authority (BaFin). BaFin is responsible for the supervision of financial institutions, including insurance undertakings and
pension funds, and the regulation of securities trading and the investment business (investment companies). The supervision
of financial services institutions is dual faceted, split between solvency and market supervision.
Financial services institutions
Market supervision
Looking at the financial services industry in Germany the term “compliance” is closely linked to all issues regarding the
securities sector and investor protection. The basis for supervision, and the groundwork for investor protection, is provided by
the rules of business conduct for investment services enterprises set out in the Securities Trading Act (WpHG).
A further fundamental component of market supervision is supervision in accordance with the Safe Custody Act
(DepotG). For financial services institutions, whose regular business is the provision of investment services (investment firms),
the compliance function has been a part of the regulatory regime since 1994 when certain rules for staff transactions came
into force. The role was further developed in the Securities Trading Act (WpHG) and corresponding supervisory guidelines
covering organisational requirements and rules of conduct. Since 2002, BaFin also monitors securities analysis provided by
investment firms. In October 2004 Germany transposed the European Directive on insider dealing and market manipulation
(Market Abuse Directive) establishing organisational duties and rules of conduct for all kinds of financial analysts creating and
distributing investment recommendations.
Compliance function structures, and compliance processes, are governed by the BaFin guideline on organisational
duties pursuant to Sec 33 WpHG. These include, for example, obligations for companies to maintain the necessary level of
resources for the compliance function, and obligations for addressing conflicts of interests. The compliance function should fit
to the nature and structure of the investment firm’s business(es). Detailed minimum requirements are stipulated. The
compliance function should be a standalone department. Irrespective of the functions of the compliance office, the overall
responsibility for compliance remains with the management.
BaFin monitors compliance with the rules of business conduct and the Safe Custody Act. External auditors undertake
annual audits of financial institutions, checking compliance. BaFin evaluates the resulting audit reports.
Beyond the securities sector, there are only few specific requirements relating to compliance, but more extensive
requirements relating to internal control.
Legal base:
Securities Trading Act (WpHG - 1994) as amended
October 2004.
Banking Act (KWG) as amended April 2004.
Investment Act (InvG) as amended October 2004.
Insurance Supervision Act (VAG) as amended July
2004.
Money Laundering Act (GwG) as amended August
2002.
Solvency supervision
The groundwork for internal control and compliance (in a broader sense) is provided by sec. 25a of the Banking Act (KWG)
supplemented by several BaFin guidelines. The three major ones i) Minimum requirements for the Trading Activities of Credit
Institutions (MaH, 1995), ii) Minimum requirements for the credit business of credit institutions (MAK, 2002) and iii) Minimum

72 © PricewaterhouseCoopers - Protecting the brand, May 2005
requirements for the internal audit function of credit institutions (MaIR, 2000) will be merged in 2005 into the Minimum
requirements for Risk Management (MaRisk). The new MaRisk will implement the second pillar of Basel II (Supervisory
Review Process and Internal Capital Adequacy Assessment Process, Sound Practices for the Management and Supervision
of Operational Risk).
Insurance
The basis for supervision of the insurance industry is the Insurance Supervision Act (VAG). BaFin circular 29/02 deals with the
requirements regarding investment of insurance undertakings. This circular requires, amongst other things, a “compliance
report” regarding investments of an insurance undertaking confirming compliance with the legal, regulatory and internal
regulations and guidelines.
Investment Companies
According to German law, investment companies are specialised credit institutions. The Investment Act provides a catalogue
of permissible assets that may be freely combined within the investment limits. The Derivatives Ordinance (2004) governs the
specific risk management and risk measurement policies, required under the Investment Act, when using derivatives in funds.
Reporting obligations are designed on exceeding investment limits, statement of assets and material transactions to intensify
and improve the market supervision of funds.
Anti Money Laundering
The Money Laundering Act (GwG) and the “Guidelines of the BaFin concerning measures to be taken by credit institutions to
combat and prevent money laundering” are the main regulations designed to combat money laundering. The Money
Laundering Act, which entered into force at the end of 1993 and was updated in 2002, specifies statutory duties for credit
institutions and other businesses (financial services institutions, as well as some kinds of insurance business). The guidelines
of the BaFin clarify the main statutory duties. These regulations represent minimum requirements. Credit institutions are called
upon to make additional organisational and administrative arrangements.
Legal base:
Legislative decree n° 58/98.
Bank of Italy, Circular 229/99.
Bank of Italy, Circular 216/96.
Bank of Italy, regulation of 1/7/98.
Italy
The Bank of Italy and CONSOB regulate the banking and securities sectors in Italy. The insurance sector is supervised by
ISVAP. The three supervisory bodies, especially Bank of Italy, have clearly defined the internal control framework for the Italian
companies, but requirements regarding the compliance function are not stipulated in current regulations. Both Bank of Italy
and CONSOB regard compliance monitoring as an activity within the internal audit function and related processes.
Bank of Italy is about to issue a new Circular which will regulate the Investment and Asset Management companies
operations in accordance with UCITS III directive. The draft circular states that the internal audit function has to perform the
activities connected with the “compliance function”.

© PricewaterhouseCoopers - Protecting the brand, May 2005 73
Luxembourg
The Commission de Surveillance du Secteur Financier (CSSF) supervises the financial services sector in Luxembourg,
including credit institutions, investment firms, investment funds and pension funds. On 27 September 2004, following
consultation with industry, the CSSF issued a circular (CSSF 04/155) providing detailed guidelines for the setting up of a
compliance function in banks and investment firms. This function will be mandatory in all Luxembourg banks and investment
firms as from 1 January 2006.
The introduction of a compliance function does not lead to an additional level of supervision. Rather it aims at ensuring
proper co-ordination, organisation and structuring of controls, already carried out in accordance with the provisions of the
circular on internal control, but which are often split amongst different departments and handled at different organisational
levels.
According to the circular, the board of directors must adopt a positive attitude towards compliance, ensure the
effectiveness of the compliance function, and approve the compliance policy and the compliance charter defined by the
management. The compliance policy must include the fundamentals of the compliance risk, clarify the broad principles for
managing the compliance risk, define the compliance function, its objectives and independence, prescribe the charter process
and define the training programme. The compliance charter, communicated to the entire staff, governs the objectives and
responsibilities of the compliance function. The compliance charter must include the compliance function’s objectives,
responsibilities, independence and permanence, relationships with other units, access to all necessary information, reporting
lines and access to the management bodies. Management is in charge of developing and implementing the compliance
policy, as well as of setting up a compliance function which is in accordance with stated principles. Management must
appoint one of its members, whose name must be communicated to the CSSF, as the person directly in charge of the
compliance function.
The circular also stipulates that the compliance function shall be independent from all commercial, administrative or
control functions and shall exist on a permanent basis. It has the power to start investigations and controls on its own
initiative, and has the right to access any kind of information. The institution has to designate an employee in charge of the
compliance function, the “compliance officer”, whose name has to be communicated to the CSSF. The compliance officer
must, in principle, be dedicated on a full-time basis to the compliance function. Small-scale institutions engaged in low-risk
activities are allowed to fulfil their compliance function on a part-time basis, with prior authorisation from the CSSF.
Certain tasks assigned to the compliance function may be delegated to other services provided that such tasks are
compatible with other tasks for which the personnel of these services are responsible. In such cases, the compliance function
assumes a coordination role between the services carrying out these tasks. In any event, the responsibility for the tasks
remains with the compliance function.
The Commissariat aux Assurances (CAA) supervises the insurance industry in Luxembourg. The CAA has not issued any
specific regulations on the compliance function for the insurance sector, as yet.
Legal base:
Law of 5 April 1993 on the financial sector
CSSF Circular 04/155 on compliance function

74 © PricewaterhouseCoopers - Protecting the brand, May 2005
Legal base:
Securities Markets Supervision Act 1995 (Wet toezicht
effectenverkeer 1995).
Decree on Supervision of the Securities Markets 1995
(Besluit toezicht effectenverkeer 1995.
Further regulations on market conduct supervision of the
securities trade 2002 (nadere regeling gedragstoezicht
effectenverkeer 2002).
Further regulations on prudential supervision of the
securities trade 2002 (Nadere regeling prudentieel
toezicht effectenverkeer 2002).
Act on the Supervision of Credit Institutions 1992
(Wet toezicht Kreditwezen 1992, Wtk 1992).
Regulations on Organization and Control (Regeling
Orginsatie en Beheersing).
Act on the supervision of insurance companies 1993
(Wet toezicht verzekeringsbedrijf 1993).
Pension Fund and Savings Fund Act
(Pensioen- en Spaarfondsenwet).
Act on the disclosure of unusual transactions
(Wet melding ongebruikelijke transacties).
Legal base:
Law 24/1988, 28 July, Stock Market.
Law 26/1988, 19 July, Discipline and Intervention of
Credit Entities.
Law 26/2003, 17 July, in order to increase the
transparency on public limited liabilities companies.
Order ECO/3722/2003, 26 December, on the annual
report of the corporate government and other
information instrument of the public limited liabilities
companies and other entities.
Law 44/2002, 22 November, Financial System reform
measures.
Anti-money laundering law 19/1993 and
implementing regulations.
Netherlands
Financial markets are regulated by the Autoriteit Financiële Markten, the Financial Markets Authority (AFM), in so far as it
relates to market conduct supervision. Prudential requirements for banks, securities institutions, pension funds, investment
institutions and insurance companies are supervised by the Dutch Central Bank, De Nederlandsche Bank (DNB).
Investment institutions and securities institutions and credit institutions in the Netherlands are obliged by regulations to
retain one or several compliance officer(s). The Regulations on Organisation and Control (Regeling Organisatie en Beheersing
or ‘ROB’) stipulate that the compliance function should be independent with direct reporting lines to the management board,
and in case the integrity of the management board is in doubt the compliance officer should have access to a delegate of the
supervisory board.
Although not mandatory, the compliance officer is expected both to monitor and control the institution’s activities, as well
as consult on the implementation and interpretation of rules and regulations and advising management on compliance issues.
There are only very limited rules for appointing a compliance officer and even though there are certification programmes
offered by commercial training entities for compliance officer they are not compulsory.
Under the Dutch act that covers the AML (Wet melding ongebruikelijke transacties), there is no obligation to appoint a
compliance officer. However, this is common practice as it is perceived that the tasks under the AML act are best performed
by one person, in general or preferably, the compliance officer.
Spain
In Spain, the supervision of the financial sector is carried out by the Bank of Spain (banking activities), the Spanish National
Securities Exchange Commission (stock market) and the General Directorate of Insurance and Pension Funds (insurance
activities).
Under Spanish law applicable to financial entities, compliance requirements have traditionally applied within the
regulatory regime in terms of the rules on conduct of business, conflict of interest, internal control and adequate level of
administrative resources. According to this approach to the compliance function, Spanish general regulation on financial
institutions provides general conduct of business standards, general principles on conflict of interest, and specific regulatory
obligations regarding customer and operations. Since 2003 certain legislation focused on internal control resources, corporate
governance, transparency and investor protection has been adopted accordingly.
Spanish anti-money laundering rules have recently been modified to implement additional quality control measures such
as enhancing corporate governance within the financial institutions’ AML framework, particularly strict know-your-customer
rules, and the adoption of qualified control and supervisory measures applicable to those high-risk areas within financial
institutions according to the nature of their activities, and type of clients, amongst other things. Amongst the changes
introduced by the new AML regulatory framework, financial institutions are now subject to a compliance review of their internal
procedures by an external expert.

© PricewaterhouseCoopers - Protecting the brand, May 2005 75
Sweden
Finansinspektionen (FI), an integrated regulator supervising all sectors in the Swedish financial services industry, was
established in 1991.
There is a regulatory code (FFFS 2002:5-7) requiring all investment firms and banking institutions, licensed to conduct
securities operations, to have a compliance function. An investment firm must have one or more compliance officers who are
responsible for ensuring that employees within the firm, and its board of directors, are acquainted with the rules governing the
conduct of its operations. It is the responsibility of the board of directors to ensure that the compliance officer reports directly
to them or to the company’s management. Banks and insurance companies (regulatory code 1999:12 and 2000:3) are
required to have an internal control function that is responsible for the compliance with internal as well as external rules and
regulations.
United Kingdom
The Financial Services Authority (FSA), the UK regulator, an integrated regulator set up by the Financial Services and Markets
Act 2000 (FSMA 2000), was established in 1997 and assumed full responsibility for the financial services sector in 2001,
succeeding the Securities & Investments board which was established in 1985.
Since the late 1980s, the vast majority of financial services firms in the UK have been required to have a compliance
officer. An investment firm must allocate a director or senior manager as having responsibility for the oversight of the firm’s
compliance and should report directly to the firm’s executive board. The compliance function is a “controlled function” in the
United Kingdom, which means that a candidate proposed as head of compliance cannot be appointed until approval has
been given by the FSA. The FSA must be satisfied that the person is fit and proper in accordance with the “fit and proper
test for approved persons”. Outsourcing compliance to external consultants is allowed, but responsibility rests with one or
more directors or senior managers of the firm as head of compliance.
The compliance officer consults all business lines, and does not solely have a control function. Compliance generally
means respecting the Principles for Businesses and Senior Management, and rules for Conduct of Business (COB), the
Collective Investment Schemes (CIS) and Money Laundering (ML). Heads of compliance will normally have responsibility for
overseeing a firm’s relationship with the FSA.
Compliance is defined by the FSA Handbook section “Senior Management Arrangements, Systems and Controls”
Chapter 3 and the Money Laundering sourcebook.
Legal base:
FFFS 2002:5-7 Regulations governing rules of the
conduct on the securities market.
FFFS 1999:12 Regulations governing rules of the
conduct on the banking market.
FFFS 2000:13 Regulations governing rules of the
conduct on the insurance market.
AML-law 1993:768.
FFFS 1999:8 Regulation for AML.
Legal base:
FSMA 2000.
FSA Handbook section “Senior Management
Arrangements, Systems and Controls” chapter 3,
December 2001.

76 © PricewaterhouseCoopers - Protecting the brand, May 2005
Legal base:
BMA Rule Book.
Amiri Decree Law No. 23 of 1973 (the “BMA Law”).
BC/13/99 - Circular: Compliance, Risk Management
and Internal Controls.
Non-EU Europe and Middle East
Bahrain
The Bahrain Monetary Agency (BMA), in its capacity as the regulatory and supervisory authority for all financial institutions in
Bahrain, issues regulations with which licencees are legally obliged to comply under the BMA law.
The BMA recognised that due to the complex structure and underlying risks of banks and other financial institutions,
the spreading of responsibility for compliance across various entities and functions without an internal single central coordinating
point may lead to certain areas of compliance not being covered effectively and efficiently. Consequently, on 15
June 1999, the BMA issued a circular, Compliance, Risk Management and Internal Controls requiring a senior member of
management to monitor compliance risk.
Such a member should be vetted by the BMA before appointment. Furthermore, the BMA requires financial institutions
to outline how the compliance function fits into the institution’s reporting structure and the circular further states that the
compliance officer should have access to the board of directors.
The role of the compliance officer may perform other functions such as anti money laundering, legal as well as internal
audit.
Legal base:
Swiss Banking Law.
SFBC Circular 04/01 of April 21, 2004 on the
Supervision of large banks.
SFBC circular on supervision within banks (expected
by mid 2005).
Switzerland
The Federal Banking Commission (SFBC) is the licensing and supervising body in Switzerland for banks and securities firms.
The Swiss Banking Law is the main legal basis in regulating compliance. More guidance is included in SFBC circulars.
Compliance, as part of internal controls, was first mentioned in the circular on internal controls issued by the Swiss Bankers
Association in 2002. In a SFBC circular, expected by mid 2005, banks and securities dealers will be required to establish a
compliance function. However, the implementation of compliance functions is common practice nowadays in Switzerland.
Due to its large community of international banks, national standards are strongly influenced by international best practice
and the work of international standard setters.
The SFBC views compliance as a staff function: it should independent and should not have operational responsibilities.
It should have direct reporting lines to the board of directors.
The Anti-Money-Laundering Ordinance was due to be totally implemented by 30 June 2004. The implementation was
audited and a separate report must be filed to the SFBC by 15 March 2005.

© PricewaterhouseCoopers - Protecting the brand, May 2005 77
North America
Canada
Deposit-Taking Institutions, Insurance Companies, and Pension Plans
(Banks, Insurance Companies, Trust and Loan Companies, Cooperatives, and Pension Plans)
At the federal level, the Office of the Superintendent of Financial Institutions Canada (OSFI) regulates federally regulated
financial institutions, including banks and insurance companies. Under the Office of the Superintendent of Financial
Institutions Act, OSFI was given the powers to supervise and regulate all federally regulated financial institutions. Under Bill
C-15 OSFI’s mandate was clarified to include promoting sound business practices to reduce the risk that financial
institutions will fail.
OSFI supervision is in accordance with its Supervisory Framework (1999) and related Supervisory Framework Rating
Assessment Criteria (2002) supplement. In 2000, OSFI introduced the Interim Guideline Legislative Compliance Management
(LCM), which was replaced in 2003 with Guideline E-13, Legislative Compliance Management for Sound Business &
Financial Practices (2003) which conveys OSFI’s expectations of federally regulated institutions. E-13 stipulates, inter alia, a
compliance function including an enterprise-wide framework of compliance controls, a head of compliance accountable for
LCM oversight, adequate resources to manage compliance and an integrated communications and reporting network.
In addition, all banks and federally incorporated or registered insurance companies, trust and loan companies, and
cooperative credit associations are regulated by the Financial Consumer Agency of Canada (FCAC). The FCAC is
responsible for enforcing many of the federal laws that protect consumers in their dealings with financial institutions. The
mandate of the FCAC focuses on consumer protection and consumer education. In 2003, the FCAC released 2003 FCAC
Mystery Shopping Results whereby the FCAC sent mystery shoppers into 1,653 bank branches across Canada to identify
best practices in banks with respect to the type and availability of information they are providing to their customers
At the provincial level there are regulations governing pensions, insurance, trust companies, credit unions, “caisses
populaires”, cooperatives and mortgage brokers. These regulations are administered by each province’s respective Ministry
of Finance.
Legal base:
Bank Act.
Insurance Companies Act.
Trust and Loan Companies Act.
Cooperative Credit Associations Act.
Financial Consumer Agency of Canada Act.
Office of the Superintendent of Financial Institutions
Act.
Bill C-15.
Legislative Compliance Management (LCM) Sound
Business & Financial Practices.
2003 FCAC Mystery Shopping Results.
Provincial Securities Acts.
Investment Dealers, Mutual Fund Dealers, and Investment Counsel and Portfolio Managers
In Canada, the regulation of the securities industry is the responsibility of provincial securities commissions that oversee a
provincial securities act. Each provincial securities act is a set of laws and regulations which defines the activities that can be
undertaken by participants. The provincial securities commissions delegate certain aspects of securities regulation to the
following self regulatory organisations (SRO): i) the Investment Dealers Association of Canada (IDA); ii) Mutual Fund Dealers
Association of Canada (MFDA); and iii) Market Regulation Services Inc (RS). The IDA and MFDA have been delegated
responsibility by the provincial governments to ensure that their respective SRO members meet certain agreed upon

78 © PricewaterhouseCoopers - Protecting the brand, May 2005
standards written into the provincial securities laws. RS is the independent regulation services provider for Canadian equity
markets and is recognised by the provincial securities commissions in Alberta, British Columbia, Manitoba, Ontario and
Quebec.
Overview of SRO regulatory responsibilities:
• IDA - regulates the activities of investment dealers for both capital adequacy and conduct of business, e.g., registration,
sales compliance and financial compliance.
• MFDA - regulating all sales of mutual funds by its members and capital adequacy.
• RS - ensures market integrity by regulating trading on marketplaces to ensure transactions are executed properly, fairly
and in compliance with trading rules.
Investment Counsel and Portfolio Managers are regulated by the provincial securities commissions.
In 2000, the MFDA introduced rule 2.5.2 requiring Members to designate a trading officer as a compliance officer. The
MFDA was recognised as a self-regulatory organisation (SRO) by a number of Canadian Securities Commissions in 2001. In
2001, IDA introduced By-Law 38 requiring members to designate an officer to act as the Ultimate Designated Person and to
appoint an Alternative Designated Person to act as Chief Compliance Officer (CCO). In 2002, the Universal Market Integrity
Rules (UMIR) were adopted to replace the rules and policies of the Toronto Stock Exchange and the Canadian Venture
Exchange. UMIR Rule 7.1 Trading Supervision Obligation sets out requirements for the appointment of supervisory staff and
written trading policies and procedures.
Anti-money laundering
In 1993, the Canadian Federal government introduced the Proceeds of Crime (Money Laundering) Suspicious Transaction
Reporting Regulations applicable to all financial institutions. This was replaced in 2001, by the Proceeds of Crime (Money
Laundering) and Terrorist Financing Suspicious Transaction Reporting Regulations. In 1999, the Ontario Securities
Commission (OSC) introduced Rule 31-505 Conditions of Registration requiring a registered dealer or adviser to designate a
registered partner or officer as the compliance officer. OSC amended Rule 31-505 in 2003 to include a requirement for a
registered adviser to designate a senior officer as the Ultimately Responsible Person for the compliance function and for the
day-to-day supervision to be undertaken by a chief compliance officer.

© PricewaterhouseCoopers - Protecting the brand, May 2005 79
United States
Investment Management Companies
The Securities and Exchange Commission (SEC) has adopted rules under the Investment Company Act of 1940 and the
Investment Advisers Act of 1940 which require each investment company and investment adviser registered with the SEC to
adopt and implement written policies and procedures reasonably designed to: (i) prevent violation of the federal securities laws,
(ii) review those policies and procedures annually for their adequacy and the effectiveness of their implementation, and (iii)
designate a chief compliance officer to be responsible for administering the policies and procedures. In the case of an
investment company, the chief compliance officer reports directly to the fund board. The rules are designed to protect investors
by ensuring that all funds and advisers have internal programmes to enhance compliance with the federal securities laws.
Legal basis:
Investment Management: SEC Rule: Compliance
Programs of Investment Companies and Investment
Advisers
Rule 38a-1 under the Investment Company Act, and
related Rule 206(4)-7 under the Investment Advisers
Act.
Broker-Dealers: NASD Rules 3010, 3012 and 3013
and NYSE Rule 342.
Broker-Dealers
The National Association of Securities Dealers (NASD) and the New York Stock Exchange (NYSE) have rules regarding the
supervisory system, supervisory control and certification procedures of their member firms which have been approved by the
SEC. Rule 3010 requires the establishment of a supervisory system which includes policies and procedures reasonably
designed to achieve compliance with rules and regulations. Rule 3012 specifically requires that firms identify principals who
will be responsible for establishing, maintaining and enforcing a system of supervisory control policies and procedures which
test and verify a firm’s supervisory procedures. Rule 3013 requires CEO certification that there exists a process to ensure the
controls required by Rules 3010 and 3012 are in place. NYSE Rule 342 requires NYSE member firms to create verification
procedures for supervisory procedures over specific areas and a method to test those procedures.
Banks
While banks, like other US financial institutions, must establish an anti money-laundering compliance programme, US
banking law and regulation does not mandate general banking law compliance programme requirements for US banks.
The US bank regulators, through regulation, supervision and on-site examinations, seek to ensure that US banks operate in
a safe and sound manner. In this connection, US bank regulators expect banks to have a compliance risk management
system that is designed to be effective within the context of the size, scope, complexity, and nature of a banking
organisation’s business activities and legal structure. Compliance with these expectations is assessed and enforced largely
through the bank examination and supervision process.
Insurance Companies
Under the McCarran-Ferguson Act, the regulation of the business of insurance in the US occurs at the State level. Insurance
companies are regulated by State Insurance Commissioners, which coordinate their activities through the National
Association of Insurance Commissioners. Any compliance programme requirements or expectations for insurance
companies would thus be assessed and enforced by State Insurance Commissioners. It is beyond the scope of this survey
to identify possible requirements at the State level.

80 © PricewaterhouseCoopers - Protecting the brand, May 2005
Annex II
Current regulatory challenges
Region/Country
Asia & Australia
Current Regulatory Challenges
Region/Country
North America
Current Regulatory Challenges
Australia
Hong Kong
/China
• International Financial Reporting Standards (IFRS)
• Sarbanes Oxley
• Basel II
• APRA licensing and Super Choice (Superannuation industry only)
• Anti-Money Laundering (AML)
• For Australian Financial Services Licensees: Conflict of interest management (PS 181) and
disclosure (dollar and general disclosure)
• For APRA regulated firms: fit and proper persons obligations
• Draft standards on Unit Pricing.
• IFRS/International Accounting Standards (IAS)
• Basel II
• Sarbanes Oxley for US listed companies
• AML
• Independent Financial Advisory (IFA) supervision in Hong Kong.
Canada
United States
• New legislation:
- AML
- Privacy
• Existing areas of current regulatory risk / concern:
- Insider trading and Chinese walls
- Mutual fund trading abuse.
• Bank Secrecy Act/Anti-Money Laundering/OFAC (Office of Foreign Assets Control)
• Fair and Accurate Credit Transactions Act (FACT ACT) (Identity Theft/Fair Credit Reporting)
• Privacy/Information Security (Privacy is also affected by the FACT ACT)
• Compliance Programme Requirements (Investment Management Companies)
• Mutual Fund Trading Practices
• Best execution (Broker-Dealers)
• Insurance industry broker issues.
Japan
• Basel II
• Protection for Privacy Act (starting April 2005)
• SOA302-like regulation (possibly 404-like in the future)
• Business Continuity Programme
• Strengthening internal audit function (based upon Inspection Manual)
• Stricter assessment of asset (loan) quality (based upon Inspection Manual)
• IFRS.
Europe
Austria
Belgium
• IFRS and prudential filters
• Basel II/Capital Requirements Directive (CRD) discussion is underway; regulators have
already defined their expectations:
- Minimum standards for measuring credit risk and conduct of financing
business rules
- Minimum standards for internal audit
• Increased expectations of regulators on implementation of best practice solutions
• Transposition of EU-Directives (e.g., Market Abuse Directive, Transparency Directive)
• Company Law will be changed in 2005 to increase confidence in Austrian Capital market,
new definition of the role of the supervisory board.
• Circular on good practices for outsourcing (external but also intra-group) with deadline
for compliance by end of 2005 (all outsourcing should be governed by SLAs, meeting
principles outlined in the regulation)
• New regulation (Royal Decree) on AML/KYC/Transaction Monitoring
• Recommendations on Business Continuity Plan. Though not formally a regulation, this is
a strong warning from the BFIC that compliance will be expected by 2007. This derives
from the work performed at the level of the Financial Stability Working Committee being
established at the Belgian National Bank (BNB)
Belgium (cont’d)
France
• IFRS is very hot on the agenda as it will imply change in the monthly regulatory reporting
to the BFIC which is processed via the BNB. IFRS is compulsory for all quoted banks or
having to issue consolidated Financial Statements as from 2005. NSA (New Schema A)
reporting under IFRS will start as from January 2006
• Basel II.
• AML: although no change has occurred in the existing AML regulation in France, this is
still a topic which sits high on the financial institutions’ agenda. Regulators’ tolerance
is nil, as evidenced by recent sanctions
• Basel II: as the date of application is looming, institutions are focusing on the
implementation of Basel II arrangements. Some diagnostics are still underway but
implementation is the key element and new issues are starting to emerge, such as the
interaction with regulatory reporting
• Compliance arrangements: it is the new key issue, in view of the recent consultation held
by the Commission Bancaire on this topic. This is about to lead to a specific Compliance
regulation and date of entry is expected to be end of June 2005
• IFRS: 2005 being the first year of application at consolidated level, not surprisingly,
institutions are currently focusing on this intently.

© PricewaterhouseCoopers - Protecting the brand, May 2005 81
Region/Country
Current Regulatory Challenges
Region/Country
Europe
Current Regulatory Challenges
Europe
Germany
Italy
Banking sector:
• Basel II (including supervisory review process and minimum requirements for risk
management (MaRisk)
• IFRS (mostly public sector; the major private credit institutions already comply)
Banking sector/Investment firms (market supervision - Compliance issues):
• Transposition EU Market Abuse Directive into German Law (German Act on the
Improvement on Investor protection): main issues - accepted market practices versus
market manipulation, insider lists, reporting of suspicious transactions)
Insurance
• Solvency I and (upcoming) Solvency II
• Insurance Supervision Act: amendments of the investment ordinance and changes in risk
management approach
• IFRS (ED 7).
• IFRS/IAS: mandatory for listed companies and all financial institutions under supervision
of Bank of Italy (2005 Consolidated financial statements mandatory, individual financial
statements voluntary. Both mandatory in 2006)
• Basel II
• Sarbanes-Oxley for US listed companies
• New Bank of Italy Legislative decree (related to UCITS III) on investment companies’
operations: to be issued in the next few months
• Legislative decree 231/2001 on companies responsibilities and internal control framework
to prevent frauds and administrative crimes.
Sweden
Switzerland
• Basel II/CRD
• IFRS, in particular IAS39/32
• Financial Conglomerates Directive
• Solvency II
• Draft law on integrated financial supervision (proposal to integrate the Swiss Federal
Banking Commission, the Swiss Private Insurance Commission, and the Swiss Money
Laundering Control Authority)
Banking and Investment firms
• Basel II
• Banking Commission Circular on the supervision of large banks, issued in April 2004
• Regulation on financial conglomerates
Insurance
• Solvency I and II and regulation on supervision of financial conglomerates
• New Act on on insurance supervision
• Private insurance contract law: total revision of the relevant body of law in status of
preparation
Company law
• Corporate Governance - bill on compensation transparency
• UCITS III
• Anti-Money Laundering, insider dealing
• Proposed law to comply with FATF related requirements
• Revision of scope and appraisal of insider dealing.
Luxembourg
• IFRS
• AML (new law of 12 November 2004)
• Compliance Function (new CSSF circular of September 2004)
• UCITS III
• Basel II/CRD
• Solvency II.
United Kingdom
• Capital requirements for Banks and Investment firms (Basel II/CRD)
• Changes in international accounting standards
• The regulation of Mortgage and General Insurance Business
• FSA’s expectations with regard to treating customers fairly
• Also future impact of Directive for Markets in Financial Instruments (MiFID).
Netherlands
• Basel II
• Solvency II
• Insurance Mediation Directive
• Integrity conduct
• Outsourcing
• Anti-competition requirements
• AML.
Bahrain
• Basel II
• IFRS
• AML
• Prudential regulation requirements - the regulator have adopted the Basel papers.
Spain
• AML Regulations (Changes on 2003 & 2005) and Specific Recommendations on
Compliance Functions by Spanish Regulator
• UCITS III
• Basel II
• Solvency II
• IAS.

82 © PricewaterhouseCoopers - Protecting the brand, May 2005
Annex III
Selection of recent related surveys and white papers
Recent Surveys:
• 8th Annual Global CEO Survey, 2005: Bold Ambitions, Careful Choices
• PricewaterhouseCoopers Management Barometer, July and November 2004
• Private Banking/Wealth Management, Global Survey 2004: Leveraging Compliance and Risk Management for Strategic
Advantage
• Banana Skins 2005 (Annual Survey by CFSI, sponsored by PricewaterhouseCoopers)
White Papers:
The PricewaterhouseCoopers/Economist Intelligence Unit Briefing Series:
• Governance: From compliance to strategic advantage
• Compliance: The gap at the heart of risk management
• Uncertainty tamed? The evolution of risk management in the financial services industry
The Future of Compliance Series:
• Best Practice and Delivering Value, 2002
• Using Technology to Deliver Value, 2003
• An Efficient and Effective Commercial Operation, 2004
Integrity-Driven Performance TM - A New Strategy for Success Through Integrated Governance, Risk and Compliance
Management: A White Paper, January 2004,
Regulatory Compliance: Adding value - a review of future trends, 2002
Available on the PricewaterhouseCoopers website at www.pwc.com/financialservices

PricewaterhouseCoopers (www.pwc.com) provides industry-focused assurance, tax and advisory services for public and private clients. More than 120,000 people in 139 countries connect their thinking,
experience and solutions to build public trust and enhance value for clients and their stakeholders.
This study is not intended to provide specific advice on any matter, nor is it intended to be comprehensive. If specific advice is required, or if you wish to receive further information on any matters referred to in
this briefing, please speak to your usual contact at PricewaterhouseCoopers or those listed in this publication.
For additional copies please contact Jurgen De Greef at PricewaterhouseCoopers on 32 2 710 9716 or e-mail at jurgen.de.greef@pwc.be.
© 2005 PricewaterhouseCoopers. All rights reserved. ‘PricewaterhouseCoopers’ refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and
independent legal entity. *connectedthinking is a trademark of PricewaterhouseCoopers LLP.

PricewaterhouseCoopers Regulatory and GRC Contacts
Global
Regulatory:
GRC:
AML:
Charles Ilako, Partner,
Global Leader, Financial Services
Regulatory Practice
charles.ilako@uk.pwc.com
Wendy Reed, Senior Manager
wendy.reed@pwc.be
Sandra Birkensleigh, Partner,
Global GRC Co-Leader
sandra.birkensleigh@au.pwc.com
Dan DiFilippo, Partner, Global
Performance Improvement Leader
dan.difilippo@us.pwc.com
John Campbell, Partner, U.S.
john.w.campbell@us.pwc.com
Andrew Clark, Partner, EMEA
andrew.p.clark@uk.pwc.com
Dominic Nixon, Partner, AsiaPac
dominic.nixon@sg.pwc.com
Europe, Middle East & Africa
Austria
Belgium
France
Germany
Ireland
Italy
Andrea Cerne-Stark, Partner
andrea.cerne-stark@at.pwc.com
Gerhard Margetich, Manager
gerhard.margetich@at.pwc.com
Josy Steenwinckel, Partner
josy.steenwinckel@pwc.be
Denis Caprasse, Director
denis.caprasse@pwc.be
Guy Flury, Partner,
Head of Financial Services
Regulatory Practice
guy.flury@fr.pwc.com
Marine Laufer-Tourte,
Senior Manager
marine.laufer-tourte@fr.pwc.com
Günter Borgel, Partner
guenter.borgel@de.pwc.com
Martina Rangol, Senior Manager
martina.rangol@de.pwc.com
Alan Merriman, Partner
alan.merriman@ie.pwc.com
Marion Kelly, Senior Manager
marion.kelly@ie.pwc.com
Giacomo Neri, Partner
giacomo.neri@it.pwc.com
Fabiano Quadrelli, Director
fabiano.quadrelli@it.pwc.com
Luxembourg Olivier de Vinck, Partner
olivier.de.vinck@lu.pwc.com
Emmanuelle Henniaux, Director
emmanuelle.henniaux@lu.pwc.com
Netherlands Ger Roeleven, Senior Manager
ger.roeleven@nl.pwc.com
Martin Eleveld, Senior Manager
martin.eleveld@nl.pwc.com
Spain
José Luis López Rodriguez, Partner
jose.luis.lopez.rodriguez@es.pwc.com
Enric Doménech, Director
enric.domenech@es.pwc.com
Sweden André Wallenberg, Director
andre.wallenberg@se.pwc.com
Switzerland Pascal Portmann, Partner
pascal.portmann@ch.pwc.com
Christiana Suhr Brunner, Director
christiana.suhr.brunner@ch.pwc.com
United Kingdom John Tattersall, Partner
john.h.tattersall@uk.pwc.com
Stuart Crotaz, Senior Manager
stuart.crotaz@uk.pwc.com
North America
Canada
United States
Asia & Australia
Australia
Brenda Eprile, Partner
brenda.j.eprile@ca.pwc.com
Dorothy Sanford, Partner
dorothy.a.sanford@ca.pwc.com
Regulatory:
Bill Lewis, Partner (Banking)
bill.lewis@us.pwc.com
Gary Welsh, Managing Director
gary.welsh@us.pwc.com
Tony Evangelista, Partner
(Investment Management)
tony.evangelista@us.pwc.com
Roger Coffin, Partner
(Capital Markets)
roger.coffin@us.pwc.com
Ellen Walsh, Partner (Insurance)
ellen.walsh@us.pwc.com
GRC:
Miles Everson, Partner
miles.everson@us.pwc.com
Peter Trout, Partner
peter.trout@au.pwc.com
Kate Clarke-Palmer, Director,
Performance Improvement
kate.clarke-palmer@au.pwc.com
Middle East
Elham Hassan, Partner
elham.hassan@bh.pwc.com
Hong Kong/
China
Rick Heathcote, Partner
rick.heathcote@hk.pwc.com
Madhukar Shenoy, Director
madhukar.shenoy@bh.pwc.com
Evi Sukardi, Manager
evi.sukardi@hk.pwc.com
South Africa
Tom Winterboer, Partner
tom.winterboer@za.pwc.com
Japan
Hajime Yasui, Director
Email: hajime.yasui@jp.pwc.com
Central &
Eastern Europe
David Wake
david.wake@hu.pwc.com
Akira Yamate, Partner
akira.yamate@jp.pwc.com

www.pwc.com