The current issue and full text archive of this journal is available at
www.emeraldinsight.com/1358-1988.htm
JFRC
19,1
58
Loris Nadotti
The authors thank all the companies taking part in the survey for their availability. The Research Group, coordinated by Paola Musile Tanzi, is made up of researchers from SDA Bocconi School of Management. The research was carried out by Adalberto Alberici, Manuela Gallo, Raoul Pisani, Maurizio Poli, Daniele Previati, Paola Schwizer, Valeria Stefanelli. Sincere gratitude for the time and commitment goes to AICOM (Italian Compliance Association) and SIA SSB. We appreciated all the comments and feedback received from Claudio Cola, Paola Sassi, Deborah Traversa and Sara Tovazzi. All remaining errors are the authors' own.
1. Introduction
The establishment of a specific compliance function in financial firms can be attributed to
a regulatory decision by the Basel Committee which, in 2005, stated that the intermediary
had to organise its compliance function and set priorities for the management of its
compliance risk in a way that is consistent with its own risk management strategy and
structures.
Ten principles were defined by the Committee in order to regulate the responsibilities
of the board of directors (no. 1), senior managers (2-4), the compliance function itself (5),
and the resources involved (6-8). Two final principles were addressed to manage
cross-border issues and outsourced processes, respectively.
Our paper focuses on principle no. 7 aimed at describing compliance function
responsibilities which should be to assist senior management in managing effectively
the compliance risks faced by the bank [. . .] If some of these responsibilities are
carried out by staff in different departments, the allocation of responsibilities to each
department should be clear. Particularly, sub points 37, 38 and 39 are devoted to the
identification, measurement and assessment of compliance risk. This raises both a
technical and an organisational concern for compliance officers. Technically, there is no
universally accepted set of metrics to measure the compliance risk, apart from taking into
consideration, on the one hand, legal and regulatory sanctions, and on the other, material
financial losses as operational events. Organisationally, investment firms are expected to
re-engineer their processes in order to map and control all the procedures that could lead
to non-compliance behaviours, in some cases running the risk of overlapping the
responsibilities assigned to other offices, such as risk management, auditing and legal.
Through the analysis of the Italian financial services industry, our objectives can be
listed coherently with the identification, measurement and assessment of compliance
risk assessed by the Committee.
First, according to principle 7.37 (Basel Committee on Banking Supervision, 2005),
the compliance function should, on a pro-active basis, identify, document and assess
the compliance risks associated with the bank's business activities, including the
development of new products and business practices, the proposed establishment of new
types of business or customer relationships, or material changes in the nature of such
relationships. As a result, our survey finds out if and how the definition and identification
of compliance factors has been established in financial firms operating in the Italian market.
Second, principle 7.38 (Basel Committee on Banking Supervision, 2005) suggests
that the compliance function should also consider ways to measure compliance risk
and use such measurements to enhance compliance risk assessment. We find out how
effectively measuring approaches to compliance are implemented and whether there is
a significant correlation between the implementation of measuring models, financial
specialisation and international activity of the intermediaries.
Third, principle 7.39 (Basel Committee on Banking Supervision, 2005) recommends
that the compliance function should assess the appropriateness of the bank's
compliance procedures and guidelines, promptly follow up any identified deficiencies,
and, where necessary, formulate proposals for amendments. Our objective is to analyse
how financial institutions carry out the compliance risk management, by assessing
controls and tools to transfer economic losses generated by non-compliant behaviours.
Besides the goals previously described to verify whether financial intermediaries
(FIs) operating in Italian markets have developed an effective compliance function
within their organisations, we also evaluate whether the regulatory framework implies
a cost asymmetry due to compliance risk measurement approaches, depending both
on the proportionality principle and on the existence of different supervisors with
a heterogeneous set of enforcement rules (Coffee, 1981; Braithwaite, 2002; Parker, 2006;
Financial Services Authority, 2009). In particular, our last objective is to verify whether
the actual regulation on compliance induces financial firms clustered by size, business
and area orientation to invest in measuring and managing solutions to face the
compliance risk, generating asymmetric costs.
In Italy, the goals and characteristics of the Compliance Function in banks, financial
and insurance companies are addressed by different regulators. These range from the
supervisory instructions of the Bank of Italy for banks (July 2007), to the adoption of the
MiFID Directive in the Italian financial markets and related banks
and investment companies regulations set out by the Bank of Italy (2007) and Consob
(2008), to the Regulatory Agency for Private and Public Insurance Companies (ISVAP)
rules for insurance companies (2008). External and internal regulations that potentially
fall within the compliance perimeter cover a wide range of items: from market abuse to
conflicts of interest, from transparency and correct behaviour towards its customers to
money laundering, from privacy to safety at work, up to covering issues of integrity and
business ethics that are endorsed by the company's ethical code. There is no doubt that
this suggests continuing, where company size allows, to set up the function according to
a specialisation criterion for each business area, or to create specialised compliance units
for certain sectors, such as data protection, money laundering and prevention of crimes
of terrorism (Basel Committee, 2005). As already stated, there is also the objective of
integrating compliance risk management by establishing a second level control
structure. This is, however, a weak hypothesis because the specificity of the models and
the measuring and management mechanisms of each type of risk would require a
specialist approach and hence a large differentiation of the roles and responsibilities
within such a function.
Adherence to the external and internal rules of the game is particularly critical
when there is a change in regulation, as is actually occurring in European investment
services because of the MiFID implementation process. This could be considered a
critical point of the current Italian regulation: while the Bank of Italy (2007) for banks
and the ISVAP (2008) for insurance companies are clearly dedicated to defining a list of
measurement guidelines for the compliance function (such as identification of events,
metrics and mitigation), Consob (2008) appears to be more focused on the MiFID
regulation. In particular, the Bank of Italy and ISVAP precisely define the importance of
mapping and measuring the compliance risk, for banks and insurance companies,
respectively. Consob regulation appears to be less measurement oriented for the
compliance risk process.
The impact of these asymmetries can be estimated for intermediaries operating not
only in the domestic areas and with a scale of higher concern for supervisors, especially
after the recent debate on the too-big-to-fail doctrine.
The survey takes an in-depth look at the degree of development of the compliance
risk management process, namely those phases that enable the measurement and,
consequently, active management of the positions at risk. In particular, what emerged
was the priority assigned to the compliance risk management.
Section 2 shows the survey methodology and the characteristics of the interviewed
sample of financial firms. We present our findings: in Section 3, we illustrate the priorities
assigned to the compliance function; Section 4 describes how financial companies
measure the risk; Section 5 explains whether and how financial firms manage and
mitigate losses due to non-compliant behaviours; in Section 6, we discuss our outcomes
in order to find out whether multiple regulation could generate cost asymmetries for FIs.
The paper ends with some concluding remarks.
2. Data and methods
Data were collected between January and February 2009 using a questionnaire.
The structure of the questionnaire was analogous to a previous one (hereafter, 2007
Survey)[1] although the survey was integrated and improved with various in-depth
sections (Birindelli and Ferretti, 2008). The questionnaire contains the company
descriptive data section and the investigative section with 11 questions (Appendix).
Some questions are of the closed type with a predefined grid of alternatives, with an
ordinal evaluation (a scale from 0 = min; 10 = max is used) and a few open questions
(free/spontaneous reply). For an in-depth study, the sample was subdivided and
analysed according to two different drivers:
(1) the context where intermediaries work, analysed according to international and
domestic orientation (Table I, panel A); and
(2) the financial category, which identifies four groups: banks, from which, given
the large size of the sample, we were able to highlight the group of cooperative
banks (CBs), other FIs (asset management firms and investment companies)[2]
and insurance companies (Table I, panel B).
Table II shows how domestic (panel A) and international (panel B) intermediaries can be
classified by core activity.
Business lines where FIs mainly work are as follows:
• retail banking;
• asset management;
• wealth management;
• investment banking;
• trading; and
• insurance.
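Table I. 2009 survey sample: classification of FIs by geographic operability and type of intermediaries

Panel A: market

| | Number | Percentage |
|---|---|---|
| Domestic | 55 | 65.5 |
| International | 29 | 34.5 |

Panel B

| | Number | Percentage |
|---|---|---|
| Banks | 43 | 51.2 |
| Other FIs | 11 | 13.1 |
| Insurances | 11 | 13.1 |

Table II. 2009 survey sample: classification by area and typology of intermediary

Panel A: domestic

| | Number | Percentage |
|---|---|---|
| Banks | 28 | 50.9 |
| Cooperative banks (CBs) | 19 | 34.5 |
| Other FIs | 4 | 7.3 |
| Insurances | 4 | 7.3 |
| Total | 55 | 100.0 |

Panel B: international

| | Number | Percentage |
|---|---|---|
| Banks | 15 | 51.8 |
| Cooperative banks (CBs) | 0 | 0.0 |
| Other FIs | 7 | 24.1 |
| Insurances | 7 | 24.1 |
| Total | 29 | 100.0 |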
Table III. Distribution of the objectives assigned to the compliance function based on main area of activity of intermediary (%)
out of them regarded it as a priority compared to 52.7 per cent of the domestic
intermediaries.
This feature makes a distinction based on the typology of the intermediaries
(Table III, panel B): 67.4 per cent of banks associate compliance with safeguarding their
reputation; this compares to 47.4 per cent of CBs (which are mainly small banks),
54.5 per cent of FIs and 36.4 per cent of insurance companies. The latter seem
particularly oriented to minimising the sanctioned implications, with a more traditional
vision of the compliance function. The figures show how the size seems to be more
correlated to a mission that is not merely limited to minimising sanctions.
The exposure to compliance risks was compared in three different situations: failure
to adjust to laws and regulations, to adjust internal codes of conduct and inadequacy of
customer management.
The incapacity to behave coherently with the changing laws and regulations is
widely alleged to be the main source of compliance risk. It is equally correct to believe
that the negligence or non-fulfilment of banks and other intermediaries in protecting
the interests of clients can generate the same risk.
The comparison between national and international operators demonstrates that
the latter show a higher degree of sensitivity to the perception of compliance risk and a
lower variance in behaviour.
4. Measuring the compliance risk
According to the regulatory statements, compliance losses are associated with:
• legal or regulatory sanctions;
• financial losses; and
• reputational impact resulting from the failure to comply with laws, regulations,
rules, related self-regulatory standards and codes of conduct.
Expected and unexpected compliance losses depend on two main factors: the probability
of the event (PE) and its severity. Probability can be estimated both via qualitative and
quantitative approaches. The most commonly used dichotomous approach for
determining compliance with disclosure requirements by a company is the un-weighted
disclosure index, where the behaviour can be either compliant or non-compliant (Yeoh,
2005; Ali et al., 2004; Patton and Zelenka, 1997; Cooke, 1996; Ahmed and Nicholls, 1994;
Wallace et al., 1994). In order to avoid this problem, an alternative method is the partial
compliance un-weighted approach (Street and Gray, 2002; Al-Shiab, 2008) in which
the degree of compliance is measured by adding the degree of compliance for each
standard and then dividing this sum by the number of standards applicable to each
financial firm (Al-Shiab, 2008; Tsalavoutas et al., 2009). Demirguc-Kunt et al. (2006)
measure compliance using a four-point scale, in order to find out whether behaviours
are, respectively, compliant, largely compliant, materially non-compliant, and
non-compliant.
Severity depends on the impact once the event has been experienced. Expected
sanctions could be the first way to measure the risk. A more effective measurement
process should attempt to estimate the unexpected loss, which needs a time series and,
if necessary, the capability to model a distribution for it. If compliance estimates the
reputational impact for the financial firm, more sophisticated solutions should be
implemented (Gabbi and Patarnello, 2010).
The investigation into the use of a model to measure compliance risk showed a slight
increase compared to the 2007 survey. While in 2007, only 42 per cent of the sample
stated that they had at least completed the qualitative/quantitative phase of the
measuring process, in 2009 the percentage rose to 46.8 per cent.
What has changed is the spread found when comparing intermediaries, in particular,
those who mainly cover the domestic sector with those more oriented to international
activities or direct foreign governance. In the 2007 survey, only 26.3 per cent of
intermediaries working domestically had an estimation model; in 2009, the percentage
rose to 44.9 per cent. The widening of the sample results in a rebalance for the
intermediaries covering foreign areas: for the international sub-sample, the weight of
those implementing risk measures went from 66.7 to 50.0 per cent (Figure 1).
In 2007, financial firms who measured the compliance risk consisted of 42.1 per cent
of banks and 41.7 per cent of FIs, specialised in asset investing (Securities Investment
Companies (SIMs)) and portfolio managing (Asset Management Companies (SGRs)).
The 2009 survey shows how the variance fell even among the other categories that were
taken into consideration (Table IV).
The main difference lies between insurance companies and CBs: the latter show a
lower value, although not prominent, compared to the average. This could depend on the
different degree of complexity of the CBs that on various occasions do not directly use
risk measurement models, preferring to outsource the process to a network organisation,
and to show how the size affected the investment made in compliance measures.
Nevertheless, we found a significant improvement for measurement approaches.
To evaluate the effectiveness and the degree of progress of the measuring process,
compliance officers were asked to state which phases of risk management were
actually included in the model. The phases were split up into seven estimating steps:
(1)
(2)
(3)
(4)
(5)
(6)
(7)
Figure 1. Domestic and international financial firms who adopt compliance measuring methodologies (2007 and 2009 surveys, %). [Bar chart; series: 2007, 2009; categories: does measure / does not, for domestic activity and international activity.]
Table IV. Use of a qualitative or quantitative measuring model based on the typology of the intermediary (%). [Categories: Banks, CBs, FIs, Insurances.]
The 2009 survey confirms that the values more frequently observed are concentrated
in the first phases of the measuring process: 57.5 per cent of the sample stated that
they had carried out the identification steps of the risk factors and/or the exposure
estimate. This figure is greater than the 2007 survey (48 per cent) due to the inclusion
in the sample of intermediaries that were smaller in size and in organisational
complexity.
The importance of intermediaries capable of estimating the probability with which
an event occurs, and the effect in terms of loss of given events, increases by 2.5 per cent.
Few firms completed the risk management process to determine the expected and
unexpected losses to allocate the capital.
Table V shows the significant increase in the intermediaries that achieved the first
four stages of compliance risk management. In general terms, the question was
asked following a sequential step process, where the identification of risk factors
is expected to be the first phase of the measurement and the capital allocation the
last one. Therefore, the values of implementation of the steps would normally decrease.
Only one exception is recorded, in which the estimation of the exposure indicator
(step 2) shows a lower percentage of implementation than subsequent steps. This can
be explained by looking at the possibility of estimating the EL with two methods:
(1) multiplying the exposure indicator (EI), the PE and the loss given event rate; and
(2) multiplying the PE and the loss given event (LGE) estimated as a money variable.
Since the second approach requires less effort, it is likely that financial firms prefer to
skip step 2, which would explain our findings. We found that measuring orientation is
substantially higher among intermediaries who mainly work on an international basis
with greater aptitude in determining losses and the capital at risk than that of domestic
banks. Despite the two samples being composed of different participants, it is possible
to compare the dynamics for banks and other intermediaries (Table V) confirming their
ability to map the risk factors and estimate the probability and impact of the events.
The percentage of those estimating the loss generated by missing compliance is still
very low if one excludes a number of exceptions within the large banks.
FIs show the highest capacity to identify the risks. This primacy in our 2009
investigation would however seem to have been substantially filled by other firms,
including smaller sized banks (62.3 per cent), that have equipped themselves to map risk
factors.
Insurance companies and CBs also appear to have invested in the mapping phase of
risk factors; we found only a few cases in which solutions to estimate probability and
severity of events were introduced. What clearly emerges from the survey is that the
compliance functions within the various FIs have generally not developed solutions
capable of estimating a priori expected and unexpected losses.

Table V. Adoption of measurement phases of compliance risk (total sample, domestic and international intermediaries, typology of intermediaries, 2007 and 2009 comparison; percentage of the total number of intermediaries in the survey)

| Phase | Survey | Total sample | Domestic | International | Banks | CBs | FIs | Insurance companies |
|---|---|---|---|---|---|---|---|---|
| Identification of risk factors | 2007 | 50.0 | 66.7 | 40.0 | 36.8 | n/a | 69.2 | n/a |
| Identification of risk factors | 2009 | 69.0 | 67.3 | 72.4 | 72.1 | 63.2 | 72.7 | 63.6 |
| Exposure estimate | 2007 | 25.0 | 41.7 | 15.0 | 21.1 | n/a | 25.0 | n/a |
| Exposure estimate | 2009 | 31.0 | 32.7 | 27.6 | 34.9 | 26.3 | 27.3 | 27.3 |
| Probability of events | 2007 | 28.1 | 41.7 | 20.0 | 15.8 | n/a | 28.1 | n/a |
| Probability of events | 2009 | 35.7 | 30.9 | 44.8 | 39.5 | 26.3 | 45.5 | 27.3 |
| LGE | 2007 | 15.6 | 25.0 | 10.0 | 10.5 | n/a | 15.6 | n/a |
| LGE | 2009 | 28.6 | 23.6 | 37.9 | 37.2 | 15.8 | 27.3 | 18.2 |
| EL | 2007 | 21.9 | 25.0 | 20.0 | 10.5 | n/a | 21.9 | n/a |
| EL | 2009 | 7.1 | 5.5 | 10.3 | 9.3 | 5.3 | 9.1 | 0.0 |
| Unexpected loss | 2007 | 9.4 | 8.3 | 10.0 | 10.5 | n/a | 9.4 | n/a |
| Unexpected loss | 2009 | 1.2 | 0.0 | 3.4 | 2.3 | 0.0 | 0.0 | 0.0 |
| Capital allocation | 2007 | 6.3 | 0.0 | 10.0 | 5.3 | n/a | 6.3 | n/a |
| Capital allocation | 2009 | 1.2 | 0.0 | 3.4 | 2.3 | 0.0 | 0.0 | 0.0 |
Beyond the development of the risk measurement process, the mission of the
compliance function is to prevent the occurrence of the events identified by all the
intermediaries, in order to watch over the company's reputation that, to a large extent,
could depend on non-adherent behaviours (Section 3).
5. Mitigating and managing the compliance risk
The compliance risk exposure allows financial firms to reduce the impact of losses,
through the optimisation of control systems and the use of insurance contracts and
alternative risk transfer solutions, particularly devoted to relocating the economic
impact of sanctions and/or operational losses (i.e. legal expenses, rogue trading).
Among mitigating solutions, we found the use of codes of conduct and of tableaux de
bord to control how risk factors change during time and within different processes.
As far as the use of a compliance code of conduct is concerned, there is only one
negative piece of evidence among domestic operators. Since 2007, the use of codes of
conduct has been increasing for domestic firms, from 93 to 99 per cent.
Only banks showed a few cases where the code of conduct was not implemented.
The presence of a code of conduct based on the different business lines allows for the
analysis of different degrees of susceptibility among operators when it comes to
compliance in the different activity areas they cover. There are no significant differences
between the international and domestic fields, except for retail banking depending on
the few international firms working in this business line (Figure 2).
Figure 2. Presence of a specific code of conduct in international and domestic intermediaries by business line (%). [Bar chart; series: International, Domestic; business lines: Retail banking, Private banking, Asset management, Investment banking, Trading and sales, Life insurance, Non-life insurance.]
On the other hand, Table VI shows that CBs are mostly oriented to the implementation of
codes of conduct, particularly in retail banking. Asset management appears to be
the activity where codes are applied by all the different kinds of intermediaries.
Both commercial banks and CBs show the orientation to cover, in their codes, all the
operational areas, while insurance and financial firms are specialised in their core
business lines.
According to the recommendations of the Basel Committee (2005):
[. . .] a bank should hold itself to high standards when carrying on business and at all times
strive to observe the spirit as well as the letter of the law. Failure to consider the impact of its
actions on its shareholders, customers, employees and the markets may result in significant
adverse publicity and reputational damage, even if no law has been broken.
Therefore, we wished to find out whether financial firms were applying a tableau de bord
to control and manage the compliance risk. The outcome is that this tool is still scarcely
used by those interviewed that work mainly in the domestic field (28 per cent) compared
to slightly more than half (52 per cent) of those that work internationally who declared
using it.
The same instrument shows that there is a circumstance in which banks transfer
information to sales managers, clients and shareholders. However, there is a clear
statement by all firms that a summary report of the configuration and an exposure to
compliance risk are mostly intended as a report for top managers and supervisors
(Figure 3).
Once the mitigation tools have been implemented, compliance managers must define
their transferring approach. The survey shows the practice of compliance management,
particularly relating to the methods and tools used to pursue such an objective.
There is a difference in the domestic and international areas of activity.
By interpreting the absence of answers as a lack of specific tools used to manage risk,
it emerged that only 9.0 per cent of the domestic candidates apply instruments aimed at
limiting risk. The same percentage rose to 28.0 per cent for international firms. Overall,
only 15.5 per cent of the sample implemented tools to manage the compliance risk.
A minority of banks (23.3 per cent among large and 5.3 per cent among CBs) stated that
they used compliance risk mitigation tools, while insurance companies claimed that they
did not use any kind of tool to transfer the risk.
6. Compliance, regulatory conflicts and asymmetries opportunities for FIs
The analysis of the process followed by FIs to introduce the compliance function within
their organisations addresses the fundamental question about the drivers of their
behaviour. In particular, we wanted to find out whether there were any cost asymmetries
among banks, insurance companies, and FIs (SIMs and SGRs), due to the different
approaches of authorities described in Section 1. The asymmetry could be priced
approximately as the cost of a measurement solution and its organisational impact,
potentially creating an unlevelled playing field for specialised financial agents.

Table VI. Presence of a specific code of conduct by business areas and by category (%)

| Business area | Banks | CBs | FIs | Insurance | Total |
|---|---|---|---|---|---|
| Retail banking | 20.0 | 80.0 | 0.0 | 0.0 | 100.0 |
| Private banking | 71.4 | 28.6 | 0.0 | 0.0 | 100.0 |
| Asset management | 50.0 | 10.0 | 30.0 | 10.0 | 100.0 |
| Investment banking | 44.4 | 22.2 | 33.3 | 0.0 | 100.0 |
| Trading and sales | 54.5 | 18.2 | 27.3 | 0.0 | 100.0 |
| Life insurance | 50.0 | 0.0 | 0.0 | 50.0 | 100.0 |
| Nonlife insurance | 50.0 | 0.0 | 0.0 | 50.0 | 100.0 |
We analyse whether this concern emerges within the three risk management steps
we found in Sections 3-5, respectively, mapping the compliance risk event types,
measuring losses and managing the risk.
First, FIs, who are expected to follow the Consob regulation[3] more closely, cite the
main purpose of the compliance function as that of minimising the impact of sanctions in
9.1 per cent of cases, while banks (both commercial and CBs) only in 40 per cent and
insurances in 27 per cent of the sample (Table III). On the other hand, the behaviour
of domestic and international firms appears analogous. This means that the size factor
does not affect the compliance mission, while the specialisation either in banking or in
financial markets appears to be more significant. Since these financial firms report to
different regulators, the question about the impact of multiple control for financial
firms arises.
Second, the adoption of measurement solutions is below average for CBs and FIs
(Table IV). The case for CBs can be explained both by the possibilities granted by the
regulatory authority to small banks to reduce the risk management cost, and by the
outsourcing process which generally characterises small and medium banks.
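Figure 3. Use of a tableau de bord to manage compliance risk based on the different subjects the information concerns (%). [Bar chart; series: Insurance, Financial intermediaries, Cooperative banks, Banks; categories: For stakeholders, For shareholders, For top managers, For sales managers, For clients, For regulators.]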
Nevertheless, our findings, particularly the low variance among outcomes by type of
financial firm, do not prove the existence of a cause-effect relationship between rules and
behaviour.
Third, banks are more quantitatively oriented, as given in Table V. In fact,
approximately 37 per cent of banks estimate the impact of compliance losses (LGE)
against 27 per cent of FIs. This evidence could also depend on the timing of Consob and
Bank of Italy regulations, lagged by about one year, just like that of the ISVAP. Table V
also shows that internationally oriented financial companies are more oriented to
measuring the risk, in order to estimate probability, severity and losses. The rationale
for this evidence is probably due to the stronger European attitude to compliance
controls within FIs. This result suggests that in the financial industry the cost
asymmetry could be generated both by the different country approaches to MiFID
introduction and by the size of the financial firm.
Finally, the compliance risk management demonstrates that FIs are very similar to
banks in using tools to transfer losses (18 vs 23 per cent), while none of the insurance
companies answered the question positively. This last finding would seem to go against
previous results regarding measurement approaches over compliance risk among
intermediaries. Nonetheless, large banks show a more active transfer policy, since they
use not only insurance contracts but also financial ones (in 9 per cent of our sample). This
could be interpreted as a sign of a more active risk management approach, due to more
efficient methods of quantifying the exposure to non-compliance behaviours. Small
financial firms confirm a delay in completing the compliance risk management process.
7. Conclusions
The research helps to address four issues:
(1) The main purpose associated with the compliance function after the regulators
imposed the creation of an independent office within the FIs. We found that
specialised agents in the Italian financial markets are sensitive to minimising
civil, administrative or penal sanctions, even though the reputational impact
due to non-adherent behaviours is becoming more important, especially when
compared to the 2007 survey. Few intermediaries associate the compliance
function mission with the minimisation of operational losses. Only small banks
record a high frequency (21 per cent) of failure to answer.
(2) The approach to compliance risk measures. Our sample is almost perfectly
balanced between firms who implemented some methodologies to measure the
risk (47 per cent) and those who did not (53 per cent). During the last two years a
significant improvement was recorded particularly among domestic FIs.
International firms appear to be more sophisticated than domestic ones in their
ability to measure both the probability of non-compliance events and their
severity. There is no substantial difference between the two groups when asked
about the implementation of methods to estimate the unexpected losses and the
capital absorption. Looking at the state of the art by type of firms, large banks
appear to be more measuring oriented, especially in terms of event probability
and LGE. Insurance companies and small banks exhibit lower sensitivity for
the most sophisticated steps of the risk management process.
Approximately all the financial firms of our sample stated that they adopted a
code of conduct, particularly within trading and sales, asset management and
investment banking, without any significant gap between the international and
domestic firms, while size particularly affects the business line of retail banking.
All these outcomes need to be monitored, in order to find out whether the compliance
functions that had to be organised by the regulatory framework have become more
effective in mapping, measuring and managing the factors generating losses for
financial firms.
Notes
1. In the 2007 survey the poll consisted of 35 financial firms.
2. In our paper, "financial intermediaries" means players not actually operating as banks or
insurance companies, such as asset managers (SGR) and distributors of financial services
(SIM). "Financial firms" means all the various intermediaries working in the financial
services industry.
3. This is particularly true for our sample, since other intermediaries essentially developed the
business lines of asset management and trading.
References
Ahmed, K. and Nicholls, D. (1994), The impact of non-financial company characteristics on
mandatory disclosure compliance in developing countries: the case of Bangladesh,
The International Journal of Accounting, Vol. 29 No. 1, pp. 62-77.
Ali, J.M., Ahmed, K. and Henry, D. (2004), Disclosure compliance with national accounting
standards by listed companies in South Asia, Accounting and Business Research, Vol. 34
No. 3, pp. 183-99.
Al-Shiab, M. (2008), The effectiveness of international financial reporting standards adoption on
cost of equity capital: a vector error correction model, International Journal of Business,
Vol. 13 No. 3, pp. 271-98.
Bank of Italy (2007), Disposizioni di Vigilanza, No. 688006, Bank of Italy, Rome, 10 luglio.
Basel Committee on Banking Supervision (2005), Compliance and the Compliance Function in
Banks, Basel Committee on Banking Supervision, Basel, April.
Birindelli, G. and Ferretti, P. (2008), Compliance risk in Italian banks: the results of a survey,
Journal of Financial Regulation and Compliance, Vol. 16, pp. 335-51.
Braithwaite, J. (2002), Restorative Justice and Responsive Regulation, Oxford University Press,
Oxford.
Coffee, J. (1981), No soul to damn: no body to kick: an unscandalised inquiry into the problem
of corporate punishment, Michigan Law Review, Vol. 79, pp. 386-459.
Consob (2008), Avvio del Livello 3 sul nuovo Regolamento Intermediari Confronto con il
mercato, Esito delle consultazioni, 2 maggio.
Cooke, T. (1996), The influence of the keiretsu on Japanese corporate disclosure, Journal of
International Financial Management and Accounting, Summer, pp. 191-214.
Demirguc-Kunt, A., Detragiache, E. and Tressel, T. (2006), Banking on the principles:
compliance with Basel core principles and bank soundness, WP/06/242, IMF,
Washington, DC.
Financial Services Authority (2009), The Turner review, A Regulatory Response to the Global
Banking Crisis, Financial Services Authority, London, March.
Gabbi, G. and Patarnello, A. (2010), Il valore della reputazione bancaria tra risk management
e scelte strategiche, Banca Impresa e Società, Vol. 29 No. 2, pp. 305-28.
ISVAP (2008), Regolamento recante disposizioni in materia di controlli interni, gestione dei
rischi, compliance ed esternalizzazione delle attività delle imprese di assicurazione, No. 20,
26 marzo, Regulatory Agency for Private and Public Insurance Companies, Rome.
Parker, C. (2006), The Compliance trap: the moral message in responsive regulatory
enforcement, Law & Society Review, Vol. 40, pp. 591-622.
Patton, J. and Zelenka, I. (1997), An empirical analysis of the determinants of the extent of
disclosure in annual reports of joint stock companies in the Czech Republic, European
Accounting Review, Vol. 6 No. 2, pp. 605-26.
Street, D. and Gray, S. (2002), Factors influencing the extent of corporate compliance with
international accounting standards: summary of a research monograph, Journal of
International Accounting, Auditing and Taxation, Vol. 11 No. 1, pp. 51-76.
Tsalavoutas, I., Evans, L. and Smith, M. (2009), Comparison of two methods for measuring
compliance with IFRS mandatory disclosure requirements, mimeo.
Wallace, R.S.O., Naser, K. and Mora, A. (1994), The relationship between the comprehensiveness
of corporate annual reports and firm characteristics in Spain, Accounting and Business
Research, Vol. 25 No. 97, pp. 41-53.
Yeoh, J. (2005), Compliance with mandatory disclosure requirements by New Zealand listed
companies, Advances in International Accounting, Vol. 18, pp. 245-62.
Further reading
Al-Shiab, M. (2003), Financial consequences of IAS adoption: the case of Jordan, PhD thesis,
University of Newcastle Upon Tyne, Newcastle Upon Tyne.
(The Appendix follows overleaf.)
Corresponding author
Giampaolo Gabbi can be contacted at: gabbi@sdabocconi.it
1. Compliance risk within your Function is associated with the objective of:
a) not incurring civil, administrative or penal sanctions
b) minimising operating losses
c) minimising reputational damage related to the violation of external or internal regulations
d) other (specify) _______________________________________
2. Does the Compliance function use risk evaluation models to estimate Compliance risk?
a) Yes
b) No
3. Of these models, which are used to measure compliance risk (multiple answers are allowed)?
a) Identify and map risk factors;
b) Estimate exposure;
c) Estimate the occurrence probability;
d) Estimate severity;
e) Estimate expected loss;
f) Estimate unexpected loss;
g) Estimate the capital at risk
h) Other (specify) _______________________________________
4. Specify which tools are used to mitigate compliance risk
5. Which tools are used to transfer compliance risk:
a) Insurance tools (specify) _______________________________________
b) Financial tools (specify) _______________________________________
c) both
6. Is there a company code of conduct?
a) Yes
b) No
7. Is there a different code of conduct according to the business lines (multiple answers are allowed)?
a) retail banking
b) private banking
c) asset management
d) investment banking
e) trading and sales
f) life insurance
g) non-life
h) other (specify) _______________________________________
8. With reference to investment services, which are the most frequent causes of compliance risk? Assign a
score to each risk source (0 = min; 10 = max)
a) no adequate compliance with legislative/regulatory norms
b) no adequate internal codes of conduct
c) no protection of clients' interests
d) other (specify) _______________________________________
9. Has the Compliance function developed and does it use a Tableau de Bord?
a) Yes
b) No
10. If so, describe how: _______________________________________
11. If so, indicate for which group it has been prepared (multiple answers are allowed):
a) for the stakeholders
b) for the shareholders
c) for top management
d) for the commercial structure
e) for the clients
f) for the control authorities
g) other (specify) _______________________________________