Originally published on Leaman Crellin. View the original: https://www.leamancrellin.co.uk/post/finding-breaches-is-not-all-bad-news

Rule breaches carry negative connotations; after all, non-compliance is never good. How serious a breach is depends, of course, on what it is, whether it is material, whether it affects many clients and whether it appears systemic.

A breach that you identify yourself, in-house, perhaps through a review or simply because an alert individual spotted it, can be a good thing, provided it is handled well.

INTERNAL ENVIRONMENT

Firstly, having an internal environment that enables breaches to be identified shows a good risk culture, because you are actively checking and looking for issues. It also reflects an organisation that is comfortable identifying and discussing issues.

People working in a weaker culture may be more inclined to suppress risks and issues until they are identified by audit or by a third party. Having a third party identify breaches is never a good place to be, because you lose control of the messaging to your regulator. If you self-identify and self-report, you stay in control of the message.

HOW YOU HANDLE A BREACH

Secondly, what you do once you identify an issue that could be a breach is really important. If it looks like a potential breach that is notifiable to the regulators, then you need to tell them quickly.

One of the most important points to remember when dealing with the regulators is to be open and honest (Principle 11 of the FCA's Principles for Businesses, which requires firms to deal with their regulators in an open and cooperative way). There is nothing more irritating for a regulator than a firm calling late in the day or late in the week to say it has concluded an investigation and found itself in breach.

You need to give the regulator a heads-up that you are looking into an issue and will get back to them once you have more information. It is far better to call a few weeks later and say it wasn't anything after all.

Doing so shows a level of maturity in your regulatory engagement and confidence in your internal investigations, both of which reflect a good risk and compliance culture.

Giving the regulators a heads-up also allows them to ask questions and to consider any internal briefings they may need to prepare; after all, the regulator is itself an organisation with management layers, hierarchy and accountability.

Being considerate of their needs helps your own situation. No management team likes nasty surprises, and the natural reaction to one is to ask plenty of questions, which leaves the messenger reacting rather than leading the conversation.

BUSINESS AS USUAL

Some breaches are simply a sign of business as usual. Consider operational rules such as CASS (the client money and assets rules), where reconciliation breaks will of course occur from time to time. That may give rise to a breach here and there, but provided it is not material or symptomatic of a fundamental underlying issue, it is a sign that your operations are functioning normally, which must be good. So finding those breaches is not necessarily bad.

At Leaman Crellin we can help guide you through the good, the bad and the downright ugly breaches. We can help you consider your regulatory engagement strategy, breach recording and reporting, and remediation, and advise you on adjustments you can make to enhance your risk and compliance culture.