Regulatory compliance – keeping TCSPs awake at night

Regulatory compliance continues to rank as the most pressing issue facing trust and company service providers (TCSPs) according to participants of our latest survey.

We have previously highlighted that the multiplicity of laws to be complied with where TCSPs operate in more than one jurisdiction and the ever-evolving regulatory landscape more broadly makes it difficult for TCSPs to keep on top of their regulatory compliance obligations (see our previous survey results here). In the past year, we have also seen measures to address regulatory fragmentation and/or limitations in some domestic markets shift the dial up a notch.

In Hong Kong, for example, the banking regulator issued a Supervisory Policy Manual for the Regulation and Supervision of Trust Business (SPM) and a Code of Practice for Trust Business (Code) (annexed to the SPM) for banks and subsidiaries of locally incorporated banks to address perceived limitations of the regulatory framework for trustees and trust business. While the applicable regulatory framework for non-bank TCSPs in Hong Kong generally focuses on addressing money laundering risks, non-bank TCSPs are also now "encouraged" to adopt the Code, which goes further and sets out general principles and practical standards to govern the conduct of trustees and their trust business in Hong Kong. If a compliance issue were to arise, it is conceivable that reasonable efforts to adopt the Code may assist to mitigate the fallout and relevant authorities' concerns, and vice versa, even though adoption of the Code is not mandatory for non-bank TCSPs.

In this year's survey, we asked –

Has there been an expansion in the compliance team over the past 12 months in light of an increased compliance burden?

57% of the survey participants responded in the affirmative, i.e. that they have expanded their compliance team in the past 12 months in light of an increased compliance burden. While this is not surprising given increasing regulation and complexity, coupled with a focus on promoting a compliance culture and senior management accountability among other factors, a talent shortage in some jurisdictions has made hiring experienced compliance professionals a challenge.

In Singapore, for example, TCSPs have had to compete for talent with new entrants to the financial services industry such as newly licensed digital banks and payment service providers, along with a growing number of fintech start-ups. The COVID-19 pandemic’s disruption of the labour market also exacerbated the situation.    

Has remote working increased your compliance risk?

The response to this question was fairly evenly split. Just over half (51%) of the survey participants did not consider that remote working had increased their compliance risk, while the remaining survey participants (49%) thought that it had.

Remote and hybrid working arrangements adopted by TCSPs in response to the pandemic and retained in some cases as the "new normal", have seen TCSPs embrace innovative technology solutions to ensure that they can continue to do business and support the needs of staff. Such changes, among others, to policies and operational processes may lead to new risks and risk management challenges, some of which may only emerge over time. TCSPs looking to adopt, or which have adopted, remote or hybrid working arrangements should consider and continue to monitor potential operational risks, information security and technology risks, fraud and staff misconduct risks, and legal and regulatory risks, and take pre-emptive steps to mitigate them.

TCSPs should also be mindful that their people and culture may exacerbate or mitigate the risks referred to above. Blurred lines between work and personal life, disengagement (including by new joiners), unsuitable remote working environments and difficulties role modelling desired ethical behaviour, corporate values and code of conduct are common challenges that remote working may present to organisational culture and conduct. TCSPs should continue to assess the impact of remote working on staff welfare and well-being, as it may not be ideal for everyone.

When it comes to using technology to onboard clients in place of having physical meetings, it is important for TCSPs to have appropriate controls in place to mitigate the risks of fraud and impersonation. In this regard, TCSPs may consider supplementing the use of video-conferencing with additional checks such as verifying the customer’s information against reliable and independent databases or performing a check sum digit test to identify data validation errors in the customer’s ID document.

Increased use of electronic documents and signatures also requires TCSPs to assess the robustness of processes in place to safeguard authenticity and admissibility in court.

Is regulatory intervention in your business inevitable?

80% of the survey participants considered regulatory intervention in their business to be inevitable. This represents a 20% increase compared to last year's survey responses to this same question. In line with our previous comments, this is a fair expectation given the increase in regulation and higher expectations of regulators. It remains important that compliance is taken seriously and is a core business value.

Tips on compliance

Hong Kong's Code of Practice for Trust Business sets out the following general principles which serve as a helpful guide for all TCSPs when thinking about their compliance obligations:

• Principle 1: Fairness, honesty and integrity: A trustee should act honestly, fairly and with integrity in conducting its trust business
• Principle 2: Due skill, care and diligence: A trustee, in conducting its trust business, should act with due skill, care and diligence, and in the interests of its customers. A trustee should ensure that the entity through which trust business is conducted and all relevant staff are fit and proper to perform their roles and functions
• Principle 3: Management and control of trust assets: A trustee should exercise due care in understanding, managing and controlling all assets held within the trust in full conformity with its fiduciary obligations
• Principle 4: Corporate governance and internal controls: A trustee should establish a proper corporate governance structure and implement adequate internal controls and risk management systems to ensure that its trust business is effectively managed
• Principle 5: Compliance with legal and regulatory requirements and standards: A trustee should comply with relevant legal and regulatory requirements and standards applicable to the conduct of its trust business activities
• Principle 6: Co-operation with regulators: A trustee should deal with relevant regulators in an open and co-operative manner

Articles in this series