Business Insight

The perils and pitfalls of managing compliance obligations


    Navigating the labyrinth of compliance obligations can be daunting for organisations, as they grapple with evolving obligations, heightened regulatory scrutiny and the potential for severe penalties for non-compliance.

    At Ashurst, we spoke with our clients and other industry stakeholders to understand the most common challenges and we identified 5 key perils and pitfalls.

    1. Heightened regulatory vigilance and costs of compliance

    The nature, scale and complexity of obligations that organisations must now comply with, coupled with increased regulatory scrutiny, has led businesses to focus and spend much more on compliance.

    There is no uniform approach to compliance spend, and organisations that have traditionally invested heavily in their compliance function without a clear roadmap or strategy do not necessarily see the best results. Finding the right balance between efficiency and effectiveness is complicated, and the consequences of getting it wrong can be costly.

    Organisations need to put in place solid foundations for a robust compliance framework, and take the time to understand the full scope of what they are trying to achieve from the outset.

    2. Rapid pace of regulatory change

    The pace of regulatory change is rapidly increasing, in terms of both the scope and detail of requirements, with significant new regimes being introduced and constant updates to existing regimes. Capturing and updating obligations in this turbulent environment, not to mention planning for and managing regulatory change implementation programs, can be a nuanced and arduous task.

    Regulatory change is one of the key compliance challenges facing our clients – and for good reason. Ashurst's regulatory scanning identified hundreds of updates – in the financial services sector alone since September 2023, there were 417 updated obligations, 164 new ones and 17 that were repealed. In our experience, few organisations feel they have the capacity or means to meet the challenge of keeping up with changes.

    3. Understanding what obligations are applicable

    Identifying all of the obligations that are relevant to your organisation, your business operations and the products and services you offer is a complex task, and failing to adequately identify and manage them can lead to intense regulatory scrutiny and catastrophic reputational damage.

    Often regulatory obligation subscription services do not provide tailored obligation lists, so undertaking an accurate assessment of the applicability of the suite of potentially relevant obligations is necessary. This involves a thorough understanding of the nature and scope of each obligation, and how each applies to your business. It also requires deep expertise and a significant time investment, and needs to be managed on a regular basis as requirements and business models change.

    A well-structured applicability assessment process is imperative to having a comprehensive understanding of what you must and must not do relevant to how you operate. This will allow you to invest your time and effort in putting in place the necessary compliance arrangements and ensure you're not wasting time on compliance with obligations that have no relevance.

    4. "Operationalising" obligations

    Even organisations that correctly identify the obligations that apply to them can find it challenging to ensure there are adequate arrangements in place across the business to ensure compliance with those obligations.

    Building a compliance framework around relevant legislative and regulatory requirements requires a robust methodology that includes a uniform approach and minimum standards consistent across the business. These basic principles help to ensure that changes can be easily understood and deployed into business operations with minimal risk.

    Achieving consistency can be tough for organisations, particularly where obligations may apply across multiple business units.

    5. Responsibility for managing compliance with obligations

    One of the most common questions we get asked by organisations is: how do our people know what they have to do, and how do we ensure they do it? This often stems from organisations not identifying obligations with sufficient granularity for the people working in Line 1 businesses to know which obligations are relevant to their activities, and so to assess whether the controls they have in place to comply with those obligations are adequate. We have also seen instances where there is a blurring of responsibilities for risk management within business operations and across the '3 Lines of Defence'. This arises because responsibilities are not mapped to obligations in sufficient detail to identify where responsibilities overlap or where there are gaps. This has led to a lack of accountability across business operations and, in some cases, to risk and compliance functions in Line 2 roles taking on additional responsibility for the BAU management of relevant risks and controls. In some other organisations, management of obligations and associated controls is almost entirely owned by Line 2.

    Managing compliance obligations where there is a blurring of responsibilities, particularly across the 3 Lines of Defence, can materially impact Line 2's ability to independently measure the effectiveness and performance of the compliance management framework. It may also lead to issues with the effective operation of controls, because they are not adequately understood or embedded in the business.

    It is important for organisations to give Line 1 the tools to effectively manage the compliance requirements relevant to their business, to ensure end-to-end accountability. This is particularly important for organisations in the financial services sector, with the new Financial Accountability Regime (FAR) coming into force between March 2024 and March 2025. Consistent standards of compliance that are well understood across the business will provide assurance to executives and the Board that the compliance function (which is a primary area of focus under FAR), and other interrelated key functions, are operating effectively, which is critical to evidencing reasonable steps when meeting accountability obligations.

    Checklist - What should organisations do to counter these perils and pitfalls?

    • Have a clear strategy for a holistic compliance management framework.
    • Develop a comprehensive list of obligations that are relevant to your business, including by conducting a thorough and regular applicability assessment.
    • Use your comprehensive list of obligations as the foundation for your holistic compliance management framework.
    • Seek to understand how regulatory changes will affect every area of your business, and maintain your register of obligations to reflect change.
    • Educate the broader business on compliance obligations and clearly identify who is responsible for each obligation.

    Want to know more about how to future-proof your business?

    Read our article: "Are you future proof? How to keep on top of a rapidly changing risk and compliance landscape", 5 April 2024.

    We will continue to share more insights on successful obligation management and how to manage obligations, as well as who 'owns' risk and compliance under the new Financial Accountability Regime.

    To learn about how Ashurst can support you to navigate the complex regulatory landscape, please contact us or visit our OMS web page.

    Authors: Morgan Spain, Partner; Chris Baker, Partner, Risk Advisory; Sam Carroll, Partner; Ethan Culross, Specialist, Risk Advisory.

    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com.

    This material is current as at 9 May 2024 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.
