If you’ve been watching the Financial Services Royal Commission’s live streaming of evidence, it’s clear that the financial institutions giving evidence have trouble complying with “soft” laws.
By “soft” laws I mean principle-based laws (sometimes called fuzzy laws) as opposed to “hard” (or black letter) prescriptive laws.
After all, it’s easier for businesses to monitor compliance with a law that says “you must do this in this way” than with a law that says, for example, “you must treat a customer fairly”, which requires a value judgment.
Frequent court decisions and regulatory actions show that businesses still have difficulty implementing the prohibition against “misleading and deceptive” conduct even though its meaning is well settled.
Laws that require values-based decisions are harder to comply with if staff have not been trained in those values, and decisions will vary depending on the way the business interprets particular circumstances (sometimes called “business rules”).
It’s clear that two organisations can approach the same legal obligation differently depending on their size, resources, risk appetite and profit margins. But they both need to comply with the same law.
“The way we do things around here” will influence the ways businesses comply with soft laws, but a business plan which does not take account of compliance with soft laws in its risk management will run the risk of non-compliance.
Building a compliance framework assumes that the organisation’s KPIs and remuneration are aligned with the risk management policy.
It means that the Board has communicated its values throughout the business. The stated values must be clear, and consistent with the risk appetite and the business strategy. Decision-making must be consistent with the values, risk appetite and business strategy.
At the front line, decisions can be aided by embedded compliance officers. Second- and third-line compliance and audit should be available to assist and, if necessary, challenge the interpretation of laws through the business rule filter.
The implementation of “soft” laws may be scalable depending on the size of the organisation, but ultimately staff should know whether, for example, they are acting in the client’s interests, and whether they are acting honestly and fairly.
Boards and management are accountable for compliance, and no number of reports and assurances will ensure compliance unless they are satisfied that everyone in the business understands the values required to achieve it.
Otherwise we will end up with many more pages of prescriptive laws.