Part I
The Elements of Internal Control in Banks and Financial Institutions
1
The Role of Internal Control in the Meta-Regulation of Financial Institutions
THIS BOOK EXAMINES the role of internal control in banks and financial institutions. Although internal control functions form part of the back office of banks and financial institutions, and do not hog prominent headlines in popular discussions relating to financial regulation, they have become increasingly important as part of (a) the prudential regulation framework that governs risk-taking at financial firms; (b) the conduct of business regulation framework that governs behaviour of firms vis-à-vis markets, regulators and stakeholders; and (c) the wider question of financial sector culture that has fallen into notoriety since the onset of the global financial crisis of 2008–09. Regulatory obligations for financial sector firms have increased dramatically post-crisis and regulators look to a range of methodologies to secure firm compliance with regulatory objectives. The role of internal control is an important piece in the mosaic of methodologies towards securing regulatory objectives. Internal control, located within a firm, can provide support to secure the firm's meeting of regulatory objectives, and thus also meet regulatory expectations. The role of internal control in financial sector firms can now be regarded as supporting regulators' meta-regulation of firms where prescriptive and command-and-control type regulations are inappropriate. As regulators now see the role of internal control in securing the compliance of firms as becoming much more pronounced with the advent of greatly increased demands on firms to meet new regulatory obligations, internal control functions are also subject to new regulatory frameworks and expectations.
Internal control functions in financial sector firms are first and foremost self-monitoring mechanisms and therefore act as lines of defence before firm irregularities may become externalised. Firms have an essential self-interest in instituting effective internal control, but firm-centric notions of the effectiveness of internal control may not be socially optimal in the view of regulators. Regulators have increasingly come to regard firm internal control as a plank of governance that secures regulatory objectives. This is because internal control functions are well placed to monitor the firm from the inside, and reach where regulatory supervision and enforcement may not. The role of internal control at firms is therefore regarded as having the potential to support the attainment of regulatory objectives. In the post-crisis environment, the role of internal control at financial sector firms is subject to enhanced regulatory expectations. This is manifested in regulatory reforms that have established more prescriptive regulatory frameworks for internal control functions.
The book will discuss the pre-crisis and post-crisis regulatory frameworks for internal control and critically discuss to what extent internal control functions in banks and financial institutions can meet enhanced regulatory expectations and serve a governance function in the overall financial regulation agenda. Regulatory expectations would introduce upheaval in terms of how the role of internal control is perceived by the organisations and the individuals concerned. This book will critically analyse how and to what extent the efficacy of internal control functions in meeting enhanced regulatory expectations is affected by (a) the regulatory framework for internal control; (b) conceptions of professionalism; and (c) regulatory enforcement. The book will conclude with some suggestions towards enhancing the efficacy of internal control functions in light of such heightened regulatory expectations.
A. INTRODUCTION TO INTERNAL CONTROL
Internal control in the financial sector has had a long history of development. It is generally regarded both as a principal means to manage business risks in order to further the success of a business,1 as well as a means to assure regulators of compliance with securities reporting obligations.2 The institution of effective internal control is regarded as a best practice, the responsibility for which is reposed at the highest level of management, the Board of Directors.3 In the UK, the Turnbull Guidance4 which supports the implementation of the Corporate Governance Code defines internal control as a system that
encompasses the policies, processes, tasks, behaviours and other aspects of a company that, taken together:
Facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company's objectives. This includes the safeguarding of assets from inappropriate use or from loss and fraud and ensuring that liabilities are identified and managed.
Help ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organisation.
Help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business.
The US Committee of Sponsoring Organizations of the Treadway Commission (COSO) also defines internal control similarly, referring to it as a process 'designed to provide reasonable assurance regarding the achievement of objectives … in relation to operations, reporting and compliance'.5 With regard to financial institutions, the Basel Committee on Banking Supervision6 defines the role of internal control at banks to be for three purposes: to assist in achieving profitability and performance, to ensure the reliability and integrity of financial information relating to the bank and to assist in external compliance with regulations. In sum, internal control may be regarded as an internal form of gatekeeping7 to prevent businesses from succumbing to wrongdoing, and to ensure that business objectives and accountability requirements are met.
In the case of financial institutions, internal control has also evolved to meet changing regulatory requirements such as in relation to internal fraud, financial crime, prudential regulation and compliance with capital markets reporting and client-facing regulation.8 With the advent of intensive European legislative harmonisation in financial services regulation from 2000, internal control in banks, investment firms, collective investment schemes and now alternative investment fund managers has become a subject of regulation in itself. However, the regulatory framework for internal control, as will be discussed in detail in chapters two to four, has been skeletal in nature in the years prior to the global financial crisis of 2008–09. Post-crisis, the regulatory framework for the organisation and efficacy of internal control in financial institutions has been significantly ramped up.
Regulatory interest in the institution of internal control at banks and financial institutions lies in its organisational position and role. Internal control has proximity to inside knowledge and issues, and acts as an internal gatekeeper for banks and financial institutions. It may be argued that such an organisational position and role could also serve the regulator's objective of securing the financial institution's compliance with regulatory requirements. In other words, internal control is increasingly being fashioned as an internal gatekeeper which also serves gatekeeping purposes for the regulator.
The move towards reframing the role of internal control post-crisis has its roots in the diagnosis of what went wrong in the crisis. In the wake of the global financial crisis of 2008–09, poor risk management has been highlighted as a key factor in the failure of a number of fi...