Our new e-book on all things control room will be available soon, so be sure to keep an eye on this space. In the meantime, to provide our loyal readers with a teaser, we’re releasing two chapters here today
The Compliance Officer's Guide To All Things Control Room—Who Needs One, How To Build One, And Why The Future Is Now. So reads the subtitle for Star’s newest e-book—The Compliance Control Room Handbook—and the focus and scope of this expansive work couldn’t be more tidily encapsulated. Co-authored by veteran control room officer Steve Brown of Compliance Risk Concepts, a financial compliance consulting firm, The Compliance Control Room Handbook endeavors to give compliance leadership A to Z guidance for thinking about and building out a control room from scratch.
In today’s preview, we offer excerpts from two sections of the e-book: dedicated to helping readers determine whether they need a control room and, if so, how to determine scope and mandate.
SECTION 2: DO YOU NEED A CONTROL ROOM?
That depends. On a whole host of factors. From the type of activity you’ll be dealing with, to MNPI, to what happens when someone does something they shouldn’t have
Type of activity, breadth of activity, and MNPI
Whether or not a firm needs control room is not a black-and-white call. Size has something to do with it, but not everything. It also comes down to the breadth of activity, the amount of MNPI in play, and the kind of business activities the firm engages in. Does the firm have relationships with private equity? Does it assist them with M&A advisory or acquisition financing? Does the firm offers equity or fixed-income research to support sales and trading efforts? The list goes on. It's when these types of complex business activities and the resulting regulatory challenges start to emerge—where existing controls need to be enhanced to manage the risk—that a real need emerges for a control room.
And sometimes, something happens that could be an impetus for automation or formalization of the control room function. Someone does something they shouldn’t have and a regulator issues a fine or a cease-and-desist order. Regulators may also require firms to retain an independent consultant to address deficient areas. Perhaps a banker isn't reporting watch list items, clearing conflicts, or giving the control room notice a deal is about to be announced. If bankers fail to provide this type of information, regulatory and/or policy violations may occur.
Brown is also clear about the distinction between regulatory violations and policy violations. “If someone doesn't pre-approve a trade, as long as they're not trading on inside information, it's a policy violation. Not to downplay policy violations, but focusing on the risk spectrum there's a big difference between policy violations and regulatory violations. Firms simply can’t mess around with regulatory violations. No one should trade on inside information, fail to monitor research, or fail to report watch or restricted list items. These are all potential regulatory violations.”
Speaking of regulations, you would think that perhaps that’s at least one area where the lines are tidily laid out for all to follow. Alas, this is rarely the case. “Like with most things regulatory,” says Brown, “when it comes to insider trading and fraud, you’re often told what you’re supposed to do, but not how to do it. That’s up to each firm to figure out. When it comes to information barriers, insider trading, and MNPI, firms have to turn to case law and industry precedent in order to determine the best course.”
SECTION 3: DETERMINING SCOPE & MANDATE
If you think your firm needs a control room, this is where to start wrapping your head around the concept on a practical level—how it should look for your firm in particular and how to think about making the case for it
Assess who has access to MNPI
The starting point for determining the scope of the control room and developing a clear mandate is to assess what businesses and employees have access to MNPI and should therefore be monitored by the control room. A lot of deal-critical information zips around a firm at any given time, and MNPI can originate from the private as well as the public side of the information barrier. But no matter where it comes from, unaccounted-for MNPI can endanger deals and reputations. You’re undertaking a risk-assessment at this point, and it will position your firm to be able to properly develop and implement policies and procedures. This risk assessment should include:
- All legal entities
- The rules, regulations, and market conventions applicable to each business
- Industry best practices for protecting client and customer information
Potential steps may include:
- Conduct interviews to assess each business unit
- Assess legal entities and regulatory requirements
- Assess the physical location of employees in all facilities
- Inventory types of products offered by business units
- Inventory types of MNPI obtained and generated by business units
- Identify types of collateral produced by business units
- Assess how the businesses interact with each other
- Identify the back-office support the front-office businesses rely upon
- Assess the licensing and supervisory universe, including who’s licensed vs. who’s required to be
Here are specifics to think about as you begin to outline scope and mandate for your control room:
- At some point your employees will become aware of MNPI. What are you going to do when this occurs? What are the controls that will be put into place? All firms must develop policies, procedures, and training to deal with instances when employees become aware of MNPI.
- Smaller firms reach an inflection point where they have too many employees, too much information in motion, and not enough compliance resources or automation. Are you at that point? If not, can you define what that inflection point would look like so you can be prepared?
- Compliance management will need to balance staffing with automation. This may mean adding internal headcount, utilizing outsourcing or offshoring, and developing or purchasing automation tools. Make sure you have a line item in your scope for the purchase of such tech.
Here’s what goes into building a deal team for a complex transaction, like a merger-and-acquisition advisory or financing assignment:
- There’s likely a finite set of senior bankers available with the experience to work on a large, complex transaction such as this, so the pool of possible deal-team members may be limited. This means you need a very clear understanding of who is assigned to what deal, the MNPI they have access to, and how you’re going to manage potential assignment challenges.
- If potential deal team bankers or the firm have conflicts, they may not be available to be staffed on a particular deal. This may occur during M&A auction situations, and also where the bank may have multiple clients seeking advisory or financing services.
- This may also be the case if the firm is already working with a client involved in the transaction, has prior commitments to clients, has made non-compete promises to clients, or has knowledge of employee limitations.
- In these situations, multiple deal teams will need to be established and the firm must consider how to wall off and separate the teams. Sometimes this may be referred to as multiple deal teams, or deal trees.
- These staffing decisions are complicated and will vary depending on the structure of the transaction and the products involved.
Here are some things to think about as you seek buy-in for the formation of the control room department:
- If leadership doesn’t understand or doesn’t have experience dealing with MNPI, then compliance management will need to educate leadership of the regulatory risks. Be prepared to educate, and to share real-life examples of firms who may have allowed risk to go unmonitored for too long.
- If people haven't come from bulge bracket or Wall Street shops, employees at every level are going to complain about the rigorous oversight control room involves. Tone from the top involves buy-in from the top, which will naturally curb complaints as the rest of the firm sees the level of support coming from leadership.
- Establishing the appropriate culture is key. Obviously, the message should come from senior management first and foremost, but middle management also has responsibility to set the tone for relationship managers, bankers, traders, sales, research, and support personnel.
“The thing is,” says Brown, “they’re aren’t explicit rules that speak to what a control room does. The regulations simply state that firms need to have ‘adequate policies and procedures in place to prevent and detect insider trading.’ It’s up to firms to assess the products and services they offer, determine which generate MNPI and which don’t, and then develop the processes to monitor and control its flow.”
Looking for more actionable advice on the control room function? Look no further. The Control Room Handbook is now available. Download your FREE copy by clicking on the banner below.