EXECUTIVE SUMMARY
Let’s face it – adhering to regulatory and internal certification requirements becomes an increasingly daunting challenge as the number of policies, employees, consultants, vendors, clients and business lines grow.
That challenge is further complicated by the ever-changing regulatory risk management landscape and the resulting need to constantly update policies and procedures. A widely adopted process for ensuring compliance is to require a signed certification document, attesting adherence to those policies. However, even a few employees completing four quarterly and two annual certifications can create hundreds of documents to issue, track and archive every year – neither a quick nor easy task.
To keep up with the quarterly, annual and ad hoc certifications, many firms rely on online calendar functionality, their email systems, and spreadsheets – a patchwork system that increases the odds you’ll miss something or someone. Add to that, the frustrating reality of compliance staff turnover and the real problems begin. What happens when a long term certification analyst departs and takes the institutional knowledge that served as the foundation for a firm’s workflow and process organization? There must be a better way.
The good news is there are strong, best practice approaches that leverage established RegTech platforms for solid certification and archiving workflows. This tech-enabled practice provides monitoring and control tools, enabling active supervision. It also helps to build a culture of compliance, something regulators now expect. Throughout this paper, we will review the “who, what, where, when, why and how” of deploying robust and industry validated technology to achieve an efficient, repeatable process.
We will begin with an overview of certification platform minimum requirements, recommendations, and best practices before highlighting some of the most commonly used certifications. From there, we’ll review additional considerations and certification process best practices such as frequency, scheduling, archiving, change control, how and when to deploy, as well as how to maximize the timely participation of those subject to certification. This guide will include tips and tricks that 1,100+ clients have shared with us since ComplySci launched its first platform in 2007.
CERTIFICATION PLATFORM BEST PRACTICES
A well-designed technology-enabled certification platform will include at least three types of certification options:
1.Policy-based so that employees can certify that they have been provided policy documents, read, and understood those policies.
2. Data-driven so that any specific information (data) disclosed by the employee can be certified.
3. Question/Answer format so that employees can demonstrate knowledge of the requirements across any of the above.
Ideally, the platform will offer the flexibility to design custom certification formats, mixing and matching the above options and allowing firms to target all or part of their employee population as needed.
The platform should also allow firms to include multiple attestations in a single certification form.
BEST PRACTICE FUNCTIONALITY
A best-in-class platform should offer the following functionality:
QUESTION SETS
The questions you include on certifications should be tailored to your firm’s needs, but once you’ve designed the content, your compliance platform should allow you to modularize questionnaires, use question sets on multiple certifications, re-order sets, mix questions with data records, and re-use questions. You should also have the ability to apply different question sets to different groups and to assign monitoring tasks to different individuals or teams.
TWO-WAY DOCUMENT SHARING
Many technology solutions allow the compliance department to include policies, procedures, or other documents or document links inside certifications, so employees can review and attest to those documents. Your platform should also allow employees to upload documents to support their responses, for supervisory or compliance department review.
RICH TEXT
Creating engaging certifications can help drive timely completions. Your platform should allow the firm to highlight, bold, italicize, and change font sizes and colors. You should also have the ability to insert hyperlinks that point to relevant information shared on your firm’s intranet, document sharing sites, and external websites.
BRANCHING LOGIC
When an employee responds to a certification question in a certain way, your compliance team may need to drill down further, probing for additional information. Your compliance platform should include decision tree functionality and branching logic, so that “yes” or “no” answers to specific questions trigger one or more additional questions. This allows you to streamline questionnaires for most employees, only requiring additional responses when warranted by an employee’s initial response.
COMMONLY USED CERTIFICATIONS
Regardless of your firm’s business model or jurisdiction, a number of certifications are de facto standards widely implemented by the majority of firms.
These are listed below in no particular order. This brief review will include the general ground they cover and suggestions for implementing a robust tech platform. We recommend firms have a qualified lawyer or compliance expert help draft the legal wording and opine on the effectiveness of the specific attestation.
NEW HIRE ON-BOARDING DISCLOSURE CERTIFICATIONS
As part of the general terms and conditions that most financial services companies extend when bringing on a new hire, certain disclosures have become standard. Most notably is a disclosure by the employees of any brokerage account in which they have a direct or beneficial interest, including blind trusts. Often the disclosure requirement extends to members of the employee’s household as well.
Along with this disclosure is a report of all pre- employment holdings in those accounts as of the hiring date, and in some cases a separate statement listing any “private” assets/ investments (see the Brokerage/Investment Account Holdings certification).
This type of disclosure and certification is typically due within 10-30 days of the employee’s hire date.
The certification should stress that the employee has made a complete and full disclosure as required by applicable regulations (i.e. 204A=1 of the US Advisors Act, 17j-1 of the Investment Company Act, or UK FCA COBS 11.7) and/ or the firm’s Code of Ethics (see the Account Holdings and Trades certification).
With today’s technology-driven workflows, a best practice is to have the employee populate the data themselves into a database-driven system manually or, where possible, through an automated feed from the employee’s broker (if available*). Either way this certification often melds both data-driven design with policy delivery.
*Note: The broker feed data alternative may not always result in the delivery of the data within the 10 day on-boarding period so be sure to understand the broker’s timetable.
CODE OF ETHICS/ CODE OF CONDUCT ACKNOWLEDGEMENTS AND CERTIFICATIONS
The most common of all on-boarding certifications is the Code of Ethics/Conduct.
As it is often a lengthy policy document, it is important that the system allows verification that the employee actually read the material and did not just click on an attestation link.
Some systems rely on technology that forces employees to scroll to the bottom of a policy document and/or try to measure how long the policy document remained “open” by the user as a means to verify completion.
Unfortunately, neither of those techniques can reliably determine if an employee actually read it or not. Best practices now suggest that clients use a system’s ability to present questions that must be answered (correctly) before allowing completion of the certification process. This helps verify that the material was read and understood. Adding questions does not guarantee people have read the material, but it is credible support that the firm has a robust process in place.
PERSONAL TRADES/PERSONAL ACCOUNT DEALING REPORTS
Another common requirement is the disclosure by every covered person (employees and consultants subject to the policy) of all investment accounts and transactions completed by them in a prior period. This is often a quarterly certification and is delivered at the conclusion of the trading period it spans.
A classic example of a data-driven certification, this disclosure should list each trade executed (including derivatives) and any additional information required by the firm. In some instances, certain activity may be exempt from reporting requirements, such as trades in government issued securities, cash transfers/ deposits, DRIPS, and corporate actions.
The certification format should include the brokerage account(s) details, security names and identifiers for publicly-traded securities (ticker, CUSIP, etc.) and other pertinent details such as trade date, buy/sell, quantity and price.
The trade data on the certification is typically captured in the system on a T+1 basis if it’s been automatically provided by a data feed from the broker. Not all brokers offer a feed, in which case the trade data will have been manually entered either by the compliance department, the employee, or their designee.
If there are trades that are executed on or close to the last day of the reporting period it may be best to wait a few days before starting the certification to account for the lag in data delivery to the system by the broker.
In general, for data-driven certifications, rules will need to be established around “missing” or incorrect data. For example, if a policy is one where data cannot be certified until it has been corrected (very common), then covered persons should understand the process for updating data before they certify. Most firms provide a thirty-day period to complete and submit certifications.
If an employee certifies to an inaccurate report, then upon notice, the firm may choose to cancel (rescind) the certification and issue a new, accurate one. From a books and records point of view, it would be appropriate to archive both, demonstrating full and timely supervision and control.
If an employee reports a trade that is “missing” from the certification, it can be useful to examine the reasons for the oversight:
- Was there a problem stemming from the broker?
- Was the certification issued before all confirms were sent?
- Did the employee accidentally open and trade in a new account and not disclose it in a timely manner?
Either way, it should be tested for “conflict” on a post-trade basis as part of the certification update process.
Last but not least, it is also important to issue a “null” certification (certifying that there was no trading activity in the period). Not all covered persons are active traders so it is not uncommon to have no activity to certify. However, good practice requires certification of no activity.
BROKERAGE/INVESTMENT ACCOUNT HOLDINGS CERTIFICATIONS
Investment Account Holdings certifications disclose all holdings in every brokerage account held by the covered person. However, unlike personal trading account certifications, individual trades are not listed, just the overall position in the asset. Therefore, price is not typically applicable as the holding may be the result of multiple trades at various prices over time.
To the extent that private investments are reportable, they too will be included.
All other considerations around errors and omissions and null reporting mentioned earlier are apropos to this certification and are commonly required during the new employee onboarding process.
ACCOUNTS, HOLDINGS AND TRADES COMBINED CERTIFICATIONS
Given the overlap across the “Accounts”, “Holdings” and “Trades” individual certifications, a combination of all three certifications could be a convenient and efficient option for both firms and employees. These certifications are typically required and scheduled at the same time throughout the year. Combining them into a single certification should be a common configuration option in any RegTech system.
GIFT AND ENTERTAINMENT (“G&E”) AND OUTSIDE BUSINESS ACTIVITY (“OBA”) CERTIFICATIONS
These data-driven certifications typically list employee self-reported data entered into the system by either the employee, a proxy user working on their behalf, or by compliance staff.
The G&E certification should reflect date of the activity, amount or value given or received, counterparty, nature of the gift/entertainment and cover a given prescribed reporting period.
OBA certifications should include the date the OBA began, the role, the counterparty, and any other information required by applicable regulations or firm policies.
Once again, the typical considerations around completeness and accuracy are assumed.
MISCELLANEOUS AND AD HOC CERTIFICATIONS
In addition to the standard certifications mentioned above, other policies or regulatory driven certifications may need to be completed on a regular, calendared basis or on a one off, ad-hoc basis.
Examples could include a deal-specific certification, an NDA, or virtually any other attestation either accompanied by a document, policy or by other materials.
A comprehensive platform should allow for multi-departmental utilization. For example, if HR needs employees to sign off on the firm’s discrimination policies, the system should support that certification.
In addition to considerations around what’s “standard”, it is useful to highlight how technology can help you manage the rest: the “who, where, when, and how.”
In summary, the aforementioned certifications are the most common best practices in the global financial services industry. These are also the certifications most frequently used by ComplySci clients.
FREQUENCY OF CERTIFICATIONS
A flexible platform will allow your firm to schedule distribution of certifications that meet different policy or regulatory-driven timelines. Solid technology provides the ability to “set it and forget it.” In other words, your platform should allow you to define recurring quarterly certifications which automatically get sent to specific groups.
Clients appreciate the ease of use this provides, especially when the system “knows” who has joined the firm since the last certification cycle and automatically includes them in the next cycle.
Options include:
- Initial—reserved for new hires.
- Recurring—could include any recurring certification – daily, weekly, monthly, quarterly, semi-annual, annual, and bi- annual.
- One time—ad-hoc certifications that can be pushed as needed to one or more recipients.
In most cases, a certification request is not open-ended and the recipient is instructed as to the start date of the certification request as well as the deadline for completion. If your firm operates across multiple time zones, your employees should not have to try to do the math to determine when their responses are due. The platform should localize due dates so employees see certification period schedules and deadlines in their local time and formatted for their location.
Using a technology-enabled platform, firms can program start dates and deadlines while easily tracking the status of certifications in process. The system should also include functionality that can alert supervisors or the compliance department when users fail to complete mandatory certifications within the required time period.
When configured properly, compliance platforms should automatically alert the target audience to the start of a certification period via both email and the user dashboard and should send automatic reminders to users who still need to take action.
ESCALATION
In a perfect world, certification requests are completed on time – every time. The reality, especially in firms with large employee populations, is not everyone does so. The ability to escalate or otherwise notify an employee’s supervisor of deadline issues is another benefit of a well-designed system.
ComplySci helps clients establish employee groups on the platform, allowing supervisors of those groups to actively monitor the timeliness of completion.
EMPLOYEE GROUPS
When configuring an effective certification workflow, the ability to establish employee groups by department, function and/or geography is critical.
While it is typically the case that “all” covered persons are included in all certification cycles, firms should have the ability to carve out specific groups who need to certify based on special criteria.
Either way, a robust platform will connect all covered persons to one or more groups (the default is “All” and the most granular is a group with only one member) so that distribution, tracking, reminders, escalation and reporting can be configured with maximum flexibility.
As the global regulatory environment has become “small, flat and crowded” it is increasingly likely that staff in the US, UK and China, for instance, will all need to certify to the same policies.
Accessibility is also a key benefit and is best achieved by using a secure platform that supports both internet and mobile access for this purpose. As the use of mobile devices continues to grow, your RegTech solution should incorporate full mobile responsiveness, and should allow the compliance department, supervisors, and employees to view, complete, submit, and manage certifications using mobile devices.
ARCHIVING, AUDIT TRAIL AND CHANGE CONTROL
It is also important to consider how to clearly demonstrates supervision while cataloging communicate the strength of your certification periodic updates to policies and procedures as audit trail with third parties (SEC, FSA, Internal separate records. This concept is also known as Audit and Investors).
Change is constant and it is critical that your firm preserves the facts and circumstances surrounding your Written Supervisory Procedures, compliance policies, and your books and records in an audit trail. The objective is to maintain and demonstrate the consistency and integrity of policies and certifications.
A comprehensive platform stresses the importance of maintaining an audit trail that clearly demonstrates supervision while cataloging periodic updates to policies and procedures as separate records. This concept is also known as “data state maintenance” meaning the original documentation or supporting data is preserved to prove an employee’s certification.
In a nutshell, verify that your firm’s past certifications and policies are locked down and preserved as initially recorded and are thus immutable in your system. This will provide a clear track record of activity for any potential audit or investigation.
FINAL THOUGHTS AND CONSIDERATIONS
No matter the organization’s size or the scope of applicable regulatory mandates, the advantages of standardizing workflows with robust technology are becoming increasingly clear. Cost efficiency and risk reduction are immediate and obvious benefits.
Additionally, leveraging market-leading best practices will position compliance teams for success.
Download this paper to learn the “who, what, where, when, why and how” of deploying robust and industry-validated technology to achieve an efficient, repeatable process.