Monitoring, Testing, and Scaling Your Compliance

What steps have you taken this year to better protect yourself and your business from the multitude of compliance risks? If you can list at least a few steps taken, congratulations are in order.  You have recognized that, much like you need homeowner’s insurance to protect your home and your physical assets, you need to protect your business and your income from regulators, plaintiff attorneys, and even from insurance carriers that could choose to terminate your contract with them if things turn sour.

But this doesn’t mean that you should check compliance off your “to do” list and forget about it. Regulations change, new risks emerge, and sometimes regulators change their focus and their enforcement policies. And because compliance is an ever-evolving risk, it’s an area that you need to focus on as you scale your business. How do we monitor, test, and scale our compliance processes? Let’s look at a few ideas.

Monitoring and Testing Compliance Processes

It is important for your continued business compliance to periodically take a few minutes to ensure that your process is working, and is working as intended.  Remember, process is good, if the process is good.  If the process has not been created to adequately address your risk or is not working as intended, it could be creating risk for you by ensuring that something you don’t want to happen is happening consistently.  Monitoring and testing can also be instrumental in identifying areas for improvement or updates that are needed due to changing requirements.

Monitoring in Practice

To illustrate the need for monitoring and testing, here is an example of what can happen if monitoring and testing aren’t incorporated into your process. We had a producer engage us to review his advertising (website, seminars, mailers, radio shows, charts, books, social media posts, etc.). The producer had tasked an employee with ensuring that everything was approved by us prior to use. The process worked well for a few weeks but then the volume diminished significantly. Eventually, we reached out to the producer to ensure that everything was okay.

It turned out that the employee who was tasked with sending advertising to us was terribly busy with some other responsibilities.  This employee decided on their own to stop sending us advertising for review to save themselves time.  The producer was shocked to find out that he had been using “unapproved” materials for weeks.  The moral of the story is simple: establishing a method to protect yourself is only part of the solution.  Spending a little time ensuring that your protection is working is also an essential part of the solution.

Keep in mind that monitoring and testing don’t have to be complicated. Here are a couple of examples that don’t take much time and are easy to implement:

Physically Monitoring for Risk:

If you have a policy against leaving confidential client information unsecured after business hours, perform an after-hours security check. Walk through your office after everyone has left for the day.  Look for confidential information left on printers, sticky notes, computer screens, etc.  Were policy applications left on desks or in unlocked cabinets?  This type of monitoring will only take a few minutes and you can calendar it for a few times per year.

Put Your Files To Use:

If you have a procedure to ensure that client files include certain information, periodically sample a few. Check to see if the information you want to be included is, in fact, included.  It will only take a few minutes and can be highly effective.

Engage an Independent Assessment:

If you want greater assurance that things are working as they should be, you can always get a third party, such as a compliance partner, to perform an assessment. These types of assessments can be very broad or can have a narrow scope focused on just a few desired areas or functions. An independent assessment can also be helpful because you gain an additional perspective and can leverage the third party’s expertise, experience, and best practices.

Scaling your Compliance Program

Remember that your compliance program doesn’t have to be perfect.  A best practice is to get started with something and then continue to improve as you go along.  Prioritize your compliance risks and address them one at a time.  You will be making progress and continually reducing your risk over time.  Regulators view this approach much more favorably than not making any attempt at compliance, or any attempt at improvement. What key events should you be aware of that may trigger an internal review of your compliance processes?

Key Events that may lead to Scaling your Compliance

  • Significant increases in types of clients (life, annuity, LTC, securities, etc.)
  • New compliance requirements
  • Customer complaints
  • Adding staff to your practice
  • Results of regulatory audits/investigations
  • Engaging in new types of businesses (e.g., starting an RIA)

These events should serve as triggers that you may need to develop new processes or improve existing ones.  Don’t forget about the corresponding training for your staff as well.


Implementing policies, procedures, and processes to address compliance risks is vital to protecting the long-term success of your business.  However, don’t fall victim to thinking that you can ignore it once you put it into place.  Periodically take a few minutes to perform some monitoring and testing.  Be aware of events that should prompt you to examine your compliance program and identify necessary changes.  Doing these things will help you keep the practice you worked so hard to build.