Current compliance trends in Q&A

Martin, you have been focusing on financial market regulation and compliance for almost twenty years. What have been the developments in the area of compliance over that period?

You are right, I have been focusing on the regulation and regulatory compliance since 2005; during that time, I have gained experience in the executive area at the Securities Commission and the Czech National Bank and in the legislative area at the Ministry of Finance. It is no exaggeration to say that I have been observing the development of regulatory compliance in the Czech Republic first-hand.

The fashion of compliance penetrated into the Czech Republic actually through the sector financial market laws and everyone then saw it as the impact of a regulatory obligation necessitated by the notorious scandals in the financial market. The compliance function won its undying fame in April 2005 when the importance and functional content of compliance in banks was first systematically defined by the Basel Committee for Banking Supervision. Unfortunately, it also became associated at that time with the reputation of a regulatory obligation, cost factor and yet another supervision body which grew into further sector laws as time went by. Luckily, a more enlightened view of compliance officers as people trying to protect society from negative impacts of regulation without blocking the path of business has recently become a bit more prevalent. To me, a good compliance officer of today is a multidisciplinary person able to orient themselves in the applicable laws and interpretation opinions on one hand, while, on the other hand, being able to understand the processes in the society in which they operate and its needs and possibilities, knowing the market standards and orienting themselves in the trends and, last but not least, being able to estimate the risks associated with each respective procedure and the best ways to mitigate or to eliminate such risks.

So much about the development of this function’s content in the regulated world where the obligation of the compliance function or of the compliance officer is provided by law. The traction which the compliance function or at least a regulatory and legal risk manager who is senior enough gains in the non-regulated sector should not be disregarded. Even non-regulated entrepreneurs, and not just the major ones, have started realizing the need for this approach, the benefit of the compliance function for the company and its representatives, and the actual added value which a correctly set compliance environment provides. The more success we gain in demonstrating that compliance does not necessarily have to be expensive, the bigger the number of companies able to reap these benefits will get.

Last but not least, we should note that a certain internal control counts as good manners in business or, respectively, sound economic management.


What benefits are we talking about? What is it that motivates entrepreneurs to have compliance officers without actually being under a statutory obligation to do so?

The answer is quite simple: the same thing that motivates them to have, let’s say, financial controlling; it simply pays off. In fact, there are several reasons, and for most of the companies, more of them are at play at the same time. Let’s start with the most general one, criminal liability for wrongful acts of the company. I do not mean criminal liability of legal entities under the act that about ten years ago first triggered the fashion of compliance programs, from the serious efforts to implement a compliance culture to the foolish efforts to buy a “policy” in the form of a black box solution that some companies started offering in this country. Except for criminal liability of legal entities or of certain company representatives for the failure to frustrate or to report a crime, liability of members of the governing bodies for company business management, and thus for controlling the company, must also be taken into consideration; where the company is sanctioned or fined or becomes the subject of a negative media campaign or incurs any other damage resulting from an undetected compliance problem, the degree of liability of members of the governing bodies for such damage to the company is often investigated.

Moreover, there is a social appeal, a demand for ethical business. And this is where the world meets with the regulation. While on one hand, one can no longer ignore the upcoming generations for whom ethical and social sustainability is a criterion not only for selecting a product but also for choosing a job or an employer, on the other hand, there goes the regulation which forces entrepreneurs to meet that demand.

Are you talking about ESG?

Not only about ESG. Lately, there have been a whole lot of new regulatory requirements, and a compliance program is the answer to them all. As an example, the whistleblowing regulation requires that everyone who employs more than 50 people introduce an internal whistleblowing system in case of an imminent harm to certain interests protected by law, to put it simply. Again, how you look at this act is a matter of your mindset. Many people see it as a denunciatory act adding to their duties. The best entrepreneurs, however, have already introduced a similar concept earlier, not in order to support informers or to create an atmosphere of fear in the company but to be able to continue improving their processes and to avoid the risk of a single dishonest employee spoiling years of work of building the brand, product, reputation or cooperation.

Let’s get back to ESG. The third pillar of the framework is Governance, which is commonly referred to in Czech as “corporate management” or “good management”. It also includes monitoring compliance with the applicable laws and managing legal and reputational risks. Here, too, is a significant impulse for the introduction of a compliance system. In my opinion, all these things meet at the same time and at one place in a perfect symbiosis, and you can either perceive these issues separately and look for a costly solution to each of them separately, or you can see it as an opportunity and smartly, in just a few steps, strengthen the company’s resilience against many risks, while not closing the door on its future.

How is this all related to compliance?

There are many compliance standards, the best known is perhaps the current ISO 37301 regulating compliance management system. All these standards are very robust and complex to accommodate the largest multinational corporations. All of them have a common basis for compliance risk management, though, which can be scaled down to small companies as well. To put it in very general and simple terms, compliance management involves defining the basic compliance risk management strategy, followed by continuously improving the environment in order to approximate that plan. In the first stage, compliance strategy is defined and recorded. This may sound very sophisticated but ultimately, it involves answering two questions: what are the requirements imposed on me and which of the requirements do I want to satisfy, so above all, it is a matter of making a list of individual – and let me add “important” – requirements of the regulation, business partners, clients, purchasers, suppliers, community etc., and I must set a priority for each of them and determine to what degree I want to satisfy them, in other words, where I perceive that my objectives are and what my willingness to accept non-conformity with some of the objectives is. Then, I can write these objectives down, including the plan for satisfying them, and then, I can keep on reviewing the objectives and reflecting them in the corporate processes and checking compliance with these objectives. As I said, the point is that all these steps have already been imposed on me, to a certain degree, by law and if I can properly combine them, I have a bigger part of the problem solved.

Let’s take a look at what the regulation requires or will be soon requiring and let’s simplify it a bit: a code of ethics regulating ESG, i.e. relation to environmental sustainability, social topics such as relation to forced labor and corruption, including e.g. policy on gifts, and responsible corporate management … all of which are things that many companies already have because their customers request them. In the future, we can expect that such regulations will become a standard without which a company will not be able to get funding either from banks or from private investors because the regulation or their risk policy will not allow it.

To avoid that these principles remain only on paper, compliance with them must be promoted on one hand and checked on the other. As far as the promoting is concerned, all stakeholders, not only employees or members of the corporate bodies but also, for instance, suppliers must be acquainted with it; we are talking again about the practice already encountered by most of the entrepreneurs – suppliers usually want a confirmation that the entrepreneurs are familiar and comply with the suppliers’ ethical principles. As far as checking compliance is concerned, I have already mentioned the new whistleblowing act; in general, a correctly set policy on reporting non-ethical or illegal acts is the best preventive and detective measure one can implement, in particular if it is set up as a measure that is expert and independent enough. And now, we are getting back to the notion that a well-thought-out implementation of the current requirements within a single, interlinked solution is in fact the basic, though robust, building block of a compliance system able to provide benefits beyond compliance with the legal obligation – from mitigating losses resulting from internal fraud or minor theft, streamlining of procurement by restricting various “bribes” and mitigating employment-related risks at the workplace, to the potential system of limitation of public liability of the entrepreneur and members of the governing bodies.

You said that the new focus on compliance program was bringing ESG with it. If we disregard the “G”, governance or good management, where can we expect synergies with the existing compliance program or opportunities to use that change to implement such a program?

Building on my previous thoughts, a simple insight into ESG would be the following: Within a few years, most of the large companies will become subject to the current obligations and they will have to balance their sustainability with economic and social impacts of their activities. The problem (or the feature, depending on your point of view) of the new regulation is that it is concerned only with you burning brown coal or employing illegal immigrants or even children; I dare say that this is no longer a systemic problem in our circumstances today. The new challenge is that you must watch the upstream, i.e. sustainability of your inputs which you use in your production process. In other words, if your supplier, in his factory in India, Pakistan or China, is burning brown coal, your product is still “dirty” and not environmentally friendly, although no area in Europe or in the Czech Republic gets suffocated by the smoke from its production process. There is an even better example in the social area – public opinion, and not only public opinion, is now shaming some clothing chains for their products being sewn by people and, frequently, also children in substandard conditions, getting salaries that match the definition of a new-age serfdom or exploitation.

If a large corporation is made responsible for ESG compliance by its suppliers, it is only understandable that the corporation will require certain guarantees and assurances that no risk will come to it from that direction or, respectively, it will select such suppliers who will be able to provide such guarantees. Even today, it is a standard practice that such corporations request various representations or even a submission of the respective ESG policies from their suppliers, even though these suppliers might not necessarily be subject to these regulations yet. In the future, we can expect that the system of proving ESG compliance will have a cascade, indirect impact on a major part of the industry. Also, as expectations and controls over the supplier chain become standardized, these compliance-proving processes will become more sophisticated and certain certification requirements might emerge; that way, those suppliers who really opted for the change will be differentiated from those who only pretended to be sustainable.

It is important to note, though, that the legislation somehow only catches up in this with the sentiments of a growing part of society, especially the upcoming generations who authentically care about these issues; you cannot say that we are just checking some legal boxes here. It is quite likely that in the future it will not be the fine but the loss of reputation that will be able to bring down or at least seriously harm even a very successful brand. A recent example: look at the losses suffered by some brands from the boycott related to the Ukraine crisis or, to be more precise, from their unwillingness to leave the Russian market.

ESG is often being mentioned in connection with banks. What is the role of banks in this area?

Not only the banks but also other financial institutions are obligated to watch over the sustainability of their portfolios. The banks have already started monitoring loans, how many of them are sustainable and to what degree. Similarly, investment companies watch the composition of their funds and brokers watch the sustainability of products they offer. The regulation currently brings a new provision that investors should be able to choose the sustainability parameters they request for their investments, and the financial institutions should structure their offers accordingly.

Yet another level of the impact of ESG is hidden behind this – the risk of non-sustainable investments as the financial institutions are not supposed to monitor these aspects of their portfolios as an end in itself. We can expect that non-sustainable companies will be facing a lot of threats which will make their lives complicated in the future. On one hand, it will be the foreseeable impacts such as increases of the costs of inputs or, respectively, the production costs, where the production process will be burdened by growing prices of energy or direct or indirect fines in the form of fees for non-ecological resources, such as emission allowances. The events of today again demonstrate the truth of the notion that reliance on fossil fuel of third countries might not always be the cheapest solution. It will be associated with the risk that such producers will become unacceptable to their suppliers due to an increased burden on the supplier’s sustainability, due to reputational risks or for simply becoming uncompetitive. And it is these risks that the banks have already started evaluating and appraising, by means of interest surcharges or even impaired creditworthiness. In the future, we can expect that bank financing will become significantly more expensive for non-sustainable companies, or they might even have a problem getting any bank loan.

And of course, the same problem can be expected with other types of financing, either in the form of entry of an investor or by means of debt securities; funds have already started watching the sustainability of their portfolios and in the future, they will be carefully evaluating the impacts of sustainability risks on the company’s potential profits. Each potential investor does the same math, and it will have an impact on the price of investment or the amount of interest yield; everyone will exact payment for taking the risk. Finally, we can estimate that within several years, non-sustainable companies will become unsellable or sellable only with a significant discount to reflect the investments needed for the conversion to a sustainable business model.

All these prognoses and similar expectations lead me to the notion that now is the best time to start with the introduction of general compliance and analysis of the specific risks, or to replace the current non-working solution with a well-thought-out model which does not ultimately have to be expensive to implement or maintain. The whole world is literally giving us a signal that now is the right time to start, even if you are not a believer in global warming; a great many purchasers and customers believe in the benefits of the ESG regulation and these criteria will become more and more involved in their business and consumer decisions in the future. The current energy situation shows that relying on forever-cheap gas might not be, and indeed is not, the solution. And on top of that, new acts are coming, leading us more or less softly to the reasonable implementation of compliance functions even in smaller companies which are not yet subject to the regulation. Just like German chancellor Scholz quoted recently in Prague, I would like to finish with the famous slogan of the revolutions of 1989: “If not now, when, and if not us, who?”

Martin Frolík

This article was published in Lawyers & Business magazine (10/2022).