Authored by: Michael Henry, executive director of Morgan Stanley and chief compliance officer for the Investment Management division’s private equity, private credit, infrastructure, and real estate investing businesses.
As has been observed by at least one Greek philosopher, "change is the only constant in life."1 This principle seems to be borne out in spades in the regulatory arena; within the past decade, we have seen a significant uptick — not only in the sheer number of rules and regulations (individually and collectively referred to herein as the "Rules"), but also the pace at which they are introduced and their overall complexity.
This phenomenon is of course not limited to the United States — just by way of illustration, the European Union has released a number of Rules with potential for substantial local and extraterritorial impact on the financial services industry, like the updated Markets in Financial Instruments Directive and accompanying regulation (effective January 3, 2018) and the Market Abuse Regulation (effective July 3, 2016). Compliance, legal, and risk management — that is, getting up to speed on, and guiding clients through, a dense thicket of new regulatory compliance obligations and their potential impact. Here are a few thoughts on best practices:
1. Actively seek (and collaborate) to understand the new landscape.
Once news of the impending Rules has be circulated, it is important to get through the various "stages of grief" as quickly as possible, in order to come to acceptance of the new or changed landscape in which your business will likely be required to operate.
It is critical for compliance, legal, and risk professionals to work with internal and external counsel and industry associations (e.g., SIFMA, AFME, ASIFMA, and AIMA) to get familiar with the Rules and confirm best industry practices for compliance. An initial survey of the landscape should ultimately provide some perspective on the COST:
- Catalyst: Who/ what is driving the Rules' implementation — what are the regulatory underpinnings?
- Objectives: What are the overarching main goals and principal requirements imposed to accomplish them?
- Scope: Is there any intent/ potential for extraterritorial reach with respect to any of your firm's activities that would ordinarily be expected to be outside of the Rule's jurisdiction, and if so, what are the possible trigger points?
- Timeframe: When is the effective date for Rules implementation, and what are the key dates for pre- and post-implementation deliverables?
The foregoing exercise should help at least preliminarily confirm [i.e., before the full fledged gap analysis as described below is completed] the extent to which the Rules might present a conceptual overlap, contradiction, or expansion or your firm's existing regulatory compliance framework.
2. Assess inherent impact on the business.
The value of reaching an initial, preliminary consensus among risk, legal, and compliance professionals before the business unit stakeholders are convened cannot be overemphasized — even if that consensus view is not fully cemented and reliant on working assumptions that will need to be stress tested with other stakeholders at a later date.
Each substantive element of the Rule should be mapped to your firm's known existing activities and corresponding compliance controls. Even where a Rule's impact on any particular area of the business is uncertain, compliance and legal professionals should strive to sketch a coherent outline of potential ways forward and related risks based on their understanding of the relevant business and the Rule's technical requirements and key objectives. Having outside counsel that has expert knowledge of the relevant Rule, and is at least generally familiar with your firm's existing policies and procedures framework, is critical at this juncture.
This initial touchpoint is a golden opportunity to demonstrate collective leadership and build trust among those other stakeholders who may likewise go through at least some of the aforementioned "stages of grief," and will therefore need to lean heavily on your counsel. This will also make it easier for stakeholders to grab the reins and hit the ground running on any changes that will need to be implemented once the gap analysis has been completed.
3. Confirm and engage senior management.
Once legal and compliance have reached general consensus regarding their initial assessment of the intent, scope, and impact of the Rules, a comprehensive list of affected stakeholders for all potentially affected business units should be compiled. All potentially impacted groups (risk, operations, finance, technology, tax, etc.) should have a seat at the table; it is better to be overly inclusive at the initial meeting than to have to belatedly add constituencies. Ultimately, all affected stakeholders should be engaged, and all business unit actors and sponsors in the regulatory change management process — including a central project manager — would ideally be established at this point.
4. Perform residual impact assessment and gap analysis.
The category or objectives, and the inherent impact of the Rules should be comprehensively mapped against all known existing controls, including policies and procedures, training, testing, supervisory framework, and more. This particular step can be extremely involved, especially for global/ multinational businesses that already rely on multiple overlapping or complementary compliance frameworks — enterprise-wide, regional and local.
As noted above, a preliminary version of this exercise should ideally be performed by legal and compliance professionals, and other professionals who possess the best current knowledge of the relevant Rule, as well as intimate knowledge of existing controls — with a follow-on confirmation with the actual stakeholders.
This critical step may be quite time consuming for the legal/ compliance team, but could ultimately result in quicker consensus building and firm-wide implementation efficiencies. For example, a detailed mapping study could show that only minor changes are needed and confirm the efficacy of existing controls. Quickly communicate all gaps (minor or major) to senior management and all affected stakeholders. These may involve not just gaps in process or controls, but also in supervisory or other human resources as well.
5. Implement and test new controls.
Work with stakeholders to implement all new or updated policies, procedures, supervisory framework, training within predetermined timeframes — ideally with some margin between the anticipated completion date and the Rule's effective date. Further, help train all affected constituencies, and add newly imposed controls to periodic test plan inventory and report any test results to such constituencies, including senior management.
Promises by politicians and predictions from pundits to clear the regulatory thicket notwithstanding, it would seem reasonable to expect that we are still a ways off from any significant slowdown in the pace of Rules introduction and implementation, especially as regulatory agencies look to assert their authority over their respective (and sometimes overlapping) domains. Seasoned practitioners know instinctively that the regulatory change management process is at least as much art as it is science. But the steps outlined above should hopefully steer the process closer to a result that is more sublime than sub-optimal.
For further reading, enjoy a 30-day trial membership with the Association of Corporate Counsel and browse our online library.