Risk-Based Compliance: Why Oversight Of Outsourcing Is Critical

May 10 2017 | 7:02pm ET

Editor’s Note: Compliance is notoriously one of the trickiest middle office functions for funds to consistently master, not only because it’s a regulatory minefield, but also because the requirements are complex, constantly changing, and expensive to manage. The advent of risk-based compliance is a welcome development, writes KOGER’s Wasseem Ghorayeb in this contributed article, but it can quickly become very onerous. The result, especially for smaller firms, can be a fire-and-forget approach to the outsourcing of this critical function that carries its own set of risks. 


By Wasseem Ghorayeb

The big buzz and effort on today’s anti-money laundering and counter-terrorist financing front is to create a proper, scalable, and efficient risk-based approach to compliance processes and procedures. This objective is driving more funds to turn to administrators and other third-party service providers to take the responsibility off the fund manager or the C-level as appropriate. Given the complexity of today’s international regulatory climate, it is critical to understand that if you outsource, you still must maintain some form of oversight.

Risk-based compliance has really come to take shape and draw increased attention with the adoption and implementation of the anti-money laundering directive IV (AMLD IV) in the European Union. In its simplest form, compliance is an effort to ensure laws are adhered to and enforced through day-to-day activities and efforts. Basing it on risk adds an element where risk evaluation becomes necessary.

How do you determine which criteria should be used in the risk calculation, and how should each one be weighted to determine a score or risk level?  These factors differ from country to country and jurisdiction to jurisdiction based on the laws, past infamy, or proclivity towards secrecy.  For asset managers, it is not enough to simply realize someone is a new client, a politically exposed person, or falls into another high-risk category.  Fund managers must create a system that equally and fairly gives consistent weight to each of these aspects and potentially many more.

Once this scoring system is created, it must be placed against a scale, with each level increasing the due diligence and identification processes.  This step is typically where the task becomes too onerous, especially for lightly resourced organizations that try to be as lean as possible to maximize growth.  Fund managers often decide to utilize a third party that already has a good system in place, and through economies of scale can manage it at a significantly more favorable cost.  

Fund organizations can opt for outsourcing of risk-based compliance whether or not they are still doing their own register tracking and reporting.  Many fund managers believe they do not have the knowledge to effectively create, implement and adhere to a system that is risk-based because it is too complex to really understand.  This attitude often leads to the inaccurate assumption that if you outsource the work to a third party, they become responsible, thus creating a false sense of trust.  That situation is where the real unknown risk lies.  If you don’t handle the critical due diligence yourself, you must at least have some form of oversight.

This situation applies especially to smaller funds that may have limited resources and staff.  What is important for all fund managers to understand is that the potential cost and consequences of a mistake or non-compliance would be far greater than your internal time or budget investment. 

The need for supervision becomes more crucial with the law that looms for assigning compliance responsibility directly to financial advisors, which was proposed by the U.S. Treasury Department through the Bank Secrecy Act. The law will affect all SEC registered investment advisors. Assuming the law is enacted, they will be another group scrambling to try to create a process for a time-consuming area that is not black and white, leading to the idea of outsourcing to remove responsibility. This wrong assumption could lead to many running afoul of the SEC without realizing they could.

The final regulatory issue at hand involves investor privacy and protection laws, the latest of which is the General Data Protection Regulation that will be implemented by the European Union in May 2018. This regulatory change will require the purging of individual investor data after its specific use is completed, or at the request of an investor who may have ended a relationship. The more individual investors an organization has, the greater its need for a methodical and practical way to purge data, manage the addition and removal process, and fulfill requests following terminated relationships. It would not be a major surprise to see some similar consumer advocacy and privacy considered in the United States.

While President Trump has vowed to relax U.S. financial regulation, risk-based compliance is seen as critical to security and counter-terrorism. It plays on a world stage and is strategic to international law enforcement. With the high stakes, and the growing complexity of laws in multiple countries, asset managers and financial organizations can’t afford to just outsource it and forget it.


Wasseem Ghorayeb is Vice President of Operations for KOGER, a financial services technology company that specializes in software for fund administration and compliance.
