Compliance in bank matters

June 1st, 2012

By Felix Majoni

Banks perform crucial roles in every economy. Chief among these are the provision of financing for commercial enterprises, basic financial services to the general public and, above all, making credit and liquidity available to clients, even in tough situations. In terms of s 11(1) of the Banks Act 94 of 1990, as amended, only registered banks should conduct banking business. The banking industry is a regulated industry mainly because of the important functions banks fulfil. Further, it is trite that banks should be solid and regulated in such a manner as to prevent systemic risk through prudential regulation. Prudential regulation creates an environment of bank safety and soundness by establishing procedures to ensure that risk is properly recognised and measured, and that the institutions concerned have adequate capital to support the level of business and risks they run. However, bank regulation and supervision alone cannot achieve this desired purpose. Mechanisms such as capital adequacy and prudential requirements imposed by the central bank work in symbiotic harmony with banks’ internal controls so as to inculcate a sound regulatory compliance regime.

The South African banking sector has evolved significantly over the years. During the 1980s the banking sector was widely overregulated and cooperation with foreign regulators was virtually non-existent. As a result, the regulatory framework became progressively out of line with international best practice. Further, due to apartheid, South Africa became increasingly isolated from the global economy until 1994. This meant that competition from foreign banks was minimal in the 1980s. Legislation also allowed for the blurring of lines between banks and building societies. In the early 1990s the structured regulation moved strongly in the direction of deregulation, with significantly more reliance on market forces. The Mutual Banks Act 124 of 1993 allowed mutual banks to fulfil the role of building societies. Consumer protection issues became paramount and, as a result, corporate governance rules, disclosure, transparency and accountability became the key concepts of regulation. Competition was also increased by deregulation in 1994 and there was an influx of niche and foreign banks, such that by 2000, 44 banks were registered. During the latter part of 1999 small to medium banks faced liquidity pressures, which led to many of them exiting the banking system. This downward trend reached its lowest point with the collapse of Saambou Bank and it being placed under curatorship in 2002, and the subsequent integration of BOE Bank into Nedbank. The demise of small banks left only 20 registered banks by 2003. Currently, in South Africa there are ten South African controlled banks, six non-resident controlled banks, 11 local branches of foreign banks and two mutual banks (accessed 30-4-2012).

South African banks are well managed and make use of sophisticated risk management systems and corporate governance structures in conducting the business of banking. Five major banking groups dominate the sector, namely the ‘big four’ (Absa, First National Bank, Nedbank, Standard Bank) and Investec. To ensure that there is stability in the sector, the Reserve Bank ensures that the ‘big four’ remain untouched by employing the ‘four pillar’ policy. This policy relates to having a minimum number of substantial banks, the so-called pillars on which the domestic banking industry relies, and discourages mergers between any of these four pillars so as to maintain competition in the interests of prudential and systemic stability. Section 37(2) of the Banks Act regulates the acquisition of shares in banks and bank controlling companies. Although the ‘four pillar’ policy is applauded for bringing stability in the sector, there have been accusations of a ‘complex monopoly’ among the ‘big four’. A complex monopoly exists if at least 25% of the market is serviced by companies which are unconnected but conduct business in a manner that prevents, restricts or distorts competition.

In instances where banks have failed, it is evident that management-driven weaknesses have significantly contributed to the decline of these banks. It is thus necessary to have measures and controls in place that guard against management abuse of power. Further, international compliance standards, such as Basel II, have been implemented to improve the soundness of the international financial system by aligning regulatory capital requirements with the underlying risks of the banking industry. It cannot be denied that the legislative and regulatory environment in which banks operate is sophisticated and demanding. Also, unlike other industries such as manufacturing, banks are subjected to more scrutiny by both local and international regulators, which are increasingly building expertise to achieve enforcement of their rules. Effective and proactive compliance is therefore pivotal to the success of the bank as it enables it to foster a sound relationship with the regulators, especially the Reserve Bank. Failure to comply may have catastrophic repercussions, such as substantial fines, sanctions and penalties and, in extreme circumstances, revocation of the bank’s licence.

It was mentioned above that banks are crucial in every economy, hence they are expected to be financially healthy and reputable and they should ensure regulatory compliance at all times. The main reason for this is that banks are at the centre stage of the national payment system and are also custodians of depositors’ funds. A constructive and cooperative relationship with the regulators should therefore be maintained at all times since a good compliance relationship is fundamental to every bank’s success. The Reserve Bank, as the central bank and lead regulator, takes a close interest in all banks’ activities in line with the regulatory framework in place. To this end, every bank is expected to deal with the central bank and other regulators in a cooperative manner. In-house policies and procedures should also be strictly adhered to as they reflect both local and international laws and regulatory requirements.

Banks are also obliged to maintain a compliance manual that includes a summary of all the legislation relating to banking and financial markets. On an ongoing basis, the manual is updated and amendments are circulated to staff. An effective advisory service regarding issues related to the bank’s business should also be readily available. In most cases this service is offered by either the bank’s risk department or corporate governance department. Internal controls, such as compliance risk management plans, should be implemented so as to monitor compliance with regulatory provisions and to achieve the objectives of the legislation and regulatory requirements by creating an effective compliance regime. However, banks can only comply with legislation if they are aware of it and understand how it affects their conduct and the affairs of the business of the bank.

After the 11 September 2001 terrorist attacks in the United States, banks saw a swift move to stern compliance measures after the United States embarked on enacting laws and regulations with an international flavour to combat terrorist financing and money laundering. Banks should adhere to these laws because they have extra-territorial jurisdiction, although they can be customised to suit local requirements – for example the Financial Advisory and Intermediary Services Act 37 of 2002 and the Financial Intelligence Centre Act 38 of 2001. These increased global efforts to combat money laundering and terrorist financing mean that banks should have appropriate and adequate policies and procedures to assist in complying with the money laundering control objectives of South Africa. This will also assist in protecting the reputation of the bank and meeting its compliance obligations by preventing abuse of its systems by money launderers and terrorist financiers. Besides these global conventional practices, laws and regulations, banks should also comply with established codes of conduct.

The Banks Act and the regulations promulgated in terms of the Act outline the major risks to which banks are exposed as solvency risk, liquidity risk, credit risk, market risk, interest rate risk, counterparty risk, technology risk, operational risk, compliance risk and any other risk regarded as material by a bank. It is therefore paramount to highlight that risk plays an integral role in supporting management strategy and the growth agenda. In banks, risks are both complex and interrelated. For example, credit risk can be linked to interest rate risk and other risks can aggravate liquidity risk. Further, compliance risk can overlap with other types of risks such as operational risk. Because of this interconnectivity, compliance must work closely and communicate well with all risk areas and business units so that risk is managed thoughtfully.

Regulations are fully effective when they are well aligned with good risk management practice so that they accomplish the bank’s objectives with a lower compliance burden and provide more scope for healthy innovation in both products and management techniques. Basel II is a good example of this interaction between risk management and regulation: it is built on a foundation of modern risk management practice and will encourage improvement in risk management in banks. Open interchange between different control functions also helps to share observations, devise better conclusions and trim duplication. For example, the internal audit department should work closely with the compliance department so as to curb duplication of effort.

An important point in measuring compliance effectiveness is to develop better ways to measure and manage risk. The compliance function plays a key role in enforcing compliance risk management and, in terms of s 60A of the Banks Act, each bank should appoint a compliance officer who shall have senior executive status in the bank. In conducting his duties, the compliance officer shall function independently from other functions such as internal audit and should report non-compliance with laws, regulations or supervisory requirements to the chief executive officer, the board of directors or the audit committee and, in most circumstances, to the regulatory authorities. An independent compliance function is crucial for every bank. This is also a requirement of the banking regulations. The independent compliance function of the bank augments the internal audit department in ensuring that there are effective compliance risk management systems in place and that any exposures and breaches are reported to the appropriate governance structures. The compliance function is responsible for ensuring that all requisite regulatory requirements are effectively managed. Further, it coordinates the process of identifying, monitoring and assessing the impact of all new and existing regulatory requirements. Banks should therefore protect their reputation and integrity by taking all reasonable precautions, including observing statutory and regulatory requirements relating to money laundering, in order to prevent their use by money launderers and terrorist financiers.

Banks should have an enterprise-wide compliance system in place. However, like other risks, compliance risk is intangible and is thus hard to quantify. Banks should therefore develop more systemic ways to capture compliance risk by using both qualitative and quantitative measures such as surveys and business line input to help grade compliance efforts and create matrices, score cards, heat and bubble maps and various risk-assessment scores. Effective compliance risk management is closely linked to corporate governance. Corporate governance is essential in today’s business world and for the long-term survival of banks. Further, history has shown that poor corporate governance has a catastrophic impact on a bank’s reputation and, above all, can greatly affect its share price. In extreme cases it can lead to criminal prosecution of the directors. Legislation such as the Banks Act, s 60A, and the regulations, especially reg 47, advocate for substantially higher levels of corporate governance, compliance and risk reporting in banking institutions. It therefore becomes apparent that banks need to continuously identify, assess and monitor their operations against all regulatory and legislative requirements to create a pervasive compliance culture, especially when taking cognisance of the fact that the need for effective compliance in the financial services sector, banks included, is stronger than ever – hence banks are faced with a situation of enforcing a growing thicket of regulations and guidelines.

Managing compliance risk is an important aspect in every bank because compliance risk management is now viewed as part of an enterprise risk management (ERM) concept, which takes a holistic approach to managing risk on an enterprise-wide basis. ERM is beginning to attain the status of top corporate priority as companies understand the need for enhanced risk governance management and measurement. The framework contains a risk governance structure, risk appetites, group-wide policies and methodologies that focus on risk identification, risk management and assessment, action plans, monitoring and reporting, all of which are emphasised in s 60A and reg 47. Avoiding reputation-damaging incidents can deliver financial rewards, including higher margins, as well as lower perceived risk and can attract capital. A bank without compliance problems also attracts customers because, like shareholders, customers prefer a trustworthy brand. A strong moral standard must therefore pervade an enterprise so that the compliance focus is on the spirit and not just the letter of the law. Further, banks should not approach risk monitoring and management as a ‘box-ticking’ exercise in regulatory compliance. A standardised compliance framework across an enterprise can provide the glue to reinforce a compliance culture because when everyone is approaching compliance in the same way, regardless of the business regulatory regime, it is easier to inculcate a compliance culture.

It is therefore important that banks have a compliance risk management framework designed to provide assurance that non-compliance with regulatory requirements does not occur and, if it does, it is detected and monitored at early stages. It is, however, impossible to comply with all applicable policies and legislation. The organisation therefore needs to give top priority to policies and legislation with a major impact on the bank, the customer and government.

Felix Majoni LLB (UZ) LLM (Commercial Law) (Unisa) is a legal consultant at Cyprus Legal and Commercial Consultants in Johannesburg.

This article was first published in De Rebus in 2012 (June) DR 38.