Advice From A Consultant: Reviewing Your Compliance Policies & Procedures
25th September 2024 by Samuel Rossiter
When was the last time you reviewed the compliance policies and procedures for your regulated firm?
It can be easy to get lost in the endless work of a compliance department and push aside a regular review of your policies and procedures. But it’s vital to review your documents regularly to ensure that everything is kept up to date and that best practice is embedded throughout. If the regulator ever comes knocking, an out-of-date policy is easy to spot from a mile away, and you can quickly become non-compliant if you introduce new business lines without updating your policies to ensure proper oversight across all regulated activities.
In our second article of Advice From A Consultant, we’ve collaborated with Peter Bowyer, Senior Compliance Consultant at Bovill Newgate, to give you advice on what best practice looks like when reviewing your policies and procedures. You can read the first article, on what to consider when conducting your e-communications risk assessment, here.
Let’s get started…
How Often Should You Review Your Compliance Policies & Procedures?
Peter says:
“As general guidance, we recommend that firms should review their policies and procedures at least annually, or sooner if there is a trigger event or material change to the business which would leave the document out of date and inaccurate. Things can change quite a lot year to year, so an annual review ensures that documents remain accurate and effective. If you work for a firm with a more complex business, then it may be worth reviewing your policies more frequently. Policies and procedures serve a purpose and are linked to the mitigation of risks posed to your business. Without a regular review which is aligned to the size, scale and complexity of your business, your documents may become less effective, leading to an increase in risk.”
If you do make any changes to your policies or procedures, such as approving new communication channels like WhatsApp for use at work, then ensure that this is communicated to your staff. It can be easy to forget to send an email with an updated policy to relevant staff when you have a million and one things to do, as is common in compliance!
What Should A Good Communications Supervision Policy Contain?
We provide regulated firms with a communications supervision policy, which is an excellent template for firms to see what a proportionate policy should contain, including a detailed process for how to investigate potential high-risk activity within your communications.
Download your template communications supervision policy
What Are Some Major Signs That Your Compliance Policies Should Be Reviewed & Updated Now?
Peter says:
“A common sign of an ineffective policy or procedure is an increase in breaches or errors. This could be identified as part of compliance monitoring, through customer complaints, or general quality assurance by your business. If staff cannot refer to clear and accurate documents, then it increases the risk of non-compliance. You could also see an influx of queries from the business. If you find yourself constantly being asked ‘I’ve checked the policy, but I still don’t know what I need to do…’, chances are the document needs to be updated.”
Here are some signs that you should review and update your compliance policies now:
- Your policies are unclear and do not give the reader the insight or knowledge they are meant to convey
- The content or tone of your policy is not appropriate. Either your policy is not detailed enough (bad content) or your policy is not written in a clear manner that a party external to your business could understand (bad tone)
- Your policies are out of date and have not been reviewed for longer than one year
- Your policies are ‘off the shelf’ and have been written as a standard document by an external party and have not been appropriately tailored for your firm
What Is Essential To A Good Compliance Policy?
Peter says:
“The best policies are specific, clear and tailored to your firm. It’s quite common for smaller firms to purchase pre-made ‘off the shelf’ policies from third parties. There is nothing wrong with doing this as a starting point, but firms must ensure that they tailor these policies appropriately. If you acquire a pre-made policy and the only thing you do is put your firm’s name and header on it, then the template will not have the specifics of your business or reference your regulated activities. This is the type of thing that auditors and regulators will pick up on.
The struggle we often have as consultants is that we are an external third party and so we don’t have the detailed background knowledge that someone gets when they have worked at a business for years. Typically, the policy writer has this knowledge, and may make certain assumptions or omit important context when writing the document. By the time we review these policies, we can find them to be unclear because we cannot fill in the gaps left by the policy writer’s assumptions. As a result, the policy might make sense to employees, but not to an external party.
How does this become an issue? If the FCA reads your policies but doesn’t understand what the document is trying to convey, they may not see it as ‘fit for purpose’. Also, a new employee won’t have existing knowledge of the business either – if they cannot understand the policy or use it to act in a compliant manner, it ceases to be effective. To that end, a good compliance policy should be clear in its aims and content and not assume the knowledge of the reader.”
A good compliance policy should have:
- An owner
- A track record of review
- A record of changes made to the policy and when
- Clear content with appropriate context – the policy should make clear what it is trying to achieve and how
- A cross reference to other policies when necessary. For example, a MAR policy and a communications supervision policy are likely to reference each other to establish how to supervise your communications for MAR behaviours. Make sure to highlight that these policies should be read in conjunction with each other within your document.
Fingerprint provides regulated firms with a communications compliance platform which contains an in-platform supervision policy that can be tailored to fit your exact requirements and drives the way the platform searches through your data to find high-risk activity. Our platform can also ingest and monitor WhatsApp so you can use this channel completely above board. Book a quick 30-minute chat with us if you’d like to learn more!
You can head over to our Articles page to read more useful content on communications compliance, along with our views on the latest news in the industry. You can also head to our Guides page to access more useful resources.
Stay tuned for more advice from Peter in our Advice From A Consultant series.