All industries have some class of regulatory guidelines by which to operate, and those guidelines can change over time. Meeting regulatory requirements is a complex challenge because the number of constantly changing and growing requirements is large; and the interpretation of the various requirements is difficult (Compliance Institute Southern Africa (CISA): Generally Accepted Compliance Practice Framework – Principles, Standards and Guidelines; January 2013; p 17). Navigating the complex regulatory environment can be a daunting endeavor without the right help on board to deal effectively and creatively with regulatory and compliance issues.
Compliance with regulatory requirements may be interpreted as the necessity for an organisation to meet the regulatory requirements that apply to that particular business sector in which it operates (CISA, p 14). Like every organisation, law firms must comply with various pieces of legislation such as the Companies Act, Labour Relations Act or the Income Tax Act, amongst many others. Practitioners are accountable for meeting the regulatory requirements and have to have a working understanding of the effect of the applicable laws, rules, codes, and standards.
Law firms in South Africa are also accountable institutions for the Financial Intelligence Centre Act 38 of 2001 (FICA) and the Protection of Personal Information Act 4 of 2013 (POPIA) and have extensive reporting and monitoring duties. FICA requires an accountable institution to maintain internal rules providing for the establishment and verification of client identities, keeping of records and reporting of information. FICA requires attorneys, as accountable institutions, to develop, document, maintain and implement a Risk Management and Compliance Programme for anti-money laundering and counter-terrorist financing, and appoint a person with the responsibility to ensure compliance with the Act. POPIA governs how personal information is used, processed and stored, and requires the appointment of an information officer. Every firm carrying on an investment practice is subject to the Financial Advisory and Intermediary Services Act (FAISA) and needs to apply for a license under s 8 of the Act. FAISA does not affect practitioners who confine their activities to the practicing of law.
The ultimate responsibility for understanding and overseeing the management of compliance with the regulatory environment resides with the legal practitioners. Practitioners are responsible for the total process of risk management, which includes oversight, the management of compliance and the governance structure that must facilitate this. The governance structure implemented should ensure that the management of compliance is adequately addressed. The compliance function is ideally suited to deal with compliance risk as part of operational risk (CISA, p 18).
The compliance function advises on regulatory requirements applicable to the business to identify, analyse and understand, and prioritize the regulatory requirements. It is responsible for identifying, assessing, advising on, and reporting on the regulatory compliance risk. The responsibility of the compliance function provides a clear mandate to manage the compliance risk of the practice (David Strachan and Rebecca Walsh ‘Targeting compliance: The changing role of compliance in the Financial Services Industry’ (www2.deloitte.com, accessed 15 March 2023)).
The role of the compliance function is to assist practitioners to comply with the ever-increasing regulatory requirements through the provision of compliance risk management, defining the compliance universe and monitoring activities, and assessing compliance risk of the business. The compliance function assists in complying with the regulatory requirements by finding a balance between meeting the regulatory requirements that demand compliance without impacting on the business imperatives of the organisation negatively (CISA, p 67). The compliance function also provides a clear roadmap of the steps involved to those who are involved in implementing the change. It is an important part of risk management and governance structures of an organisation, responsible for ensuring the organisation meets the regulatory requirements in its day-to- day operations.
Compliance is a multidisciplinary process in which stakeholders should be involved (CISA, p 68)). Identifying the stakeholders who need to be involved in the process and interact with the compliance function, will have a bearing on the successful implementation and maintenance of compliance within the organisation. People are a key ingredient for successful implementation of a compliance programme. The compliance function is responsible for facilitating the development, maintenance and conducting of on-going compliance training programme and promotes the compliance culture. An effective compliance program will include adequate training and communications so that employees understand their compliance obligations.
Compliance training is a key factor in achieving effective compliance with the regulatory requirements (CISA, p 137). Law firms must determine the training needs for each impacted employee associated with the compliance requirements. The training of the employees should be tailored to the obligations and compliance risks related to the roles and responsibilities of the employee. Ensuring that staff members understand the consequences of non-compliance will achieve efficient and effective compliance with regulatory requirements. The tone and culture set by the management, more often than not dictates the compliance behaviour of lower-level employees.
The structure of the compliance function must be appropriate to the business of the organisation (CISA, p 78). The suitability of the compliance function structure varies from organisation to organisation. Smaller firms can engage part-time resources dedicated to compliance. The compliance function must be structured in such a way that enables the function to execute its role and responsibilities effectively and efficiently. The compliance function is an extension of monitoring structure and must be perceived to be independent, associated with all aspects of compliance including the monitoring of the compliance risk process, with routine formal reporting to top management. The compliance function is required to militate against the danger of self-review and should not have a limited focus or be perceived as an internal police officer.
To protect against non-compliance, law firms must implement comprehensive compliance program that includes on-going monitoring, and risk assessment, employee training, and effective policies and procedures. Law firms must be responsive to meet regulatory requirements and should have a documented process outlined to help navigate the required change while ensuring their own policies and guidelines are updated. Practitioners are responsible for the establishment, maintenance and operation of an effective framework of business controls, risk management and corporate governance (CISA, p 24). Each practice should design, develop, implement and maintain a compliance risk management program (CRMP), a compliance framework that will be appropriate to the business. Having a set of process and procedure in place to manage through the change is important to help ensure your legal practice is responding to the regulatory changes. Law firms need to have strategies in place to effectively navigate the constantly evolving regulatory environment to stay fully compliant and minimize risk to the business (Terri Roehrig ‘Navigating Regulatory Compliance’ (https://tier1performance.com, accessed 15 March 2023)).
Law firms must provide for a formal and structured monitoring of compliance process, to ensure compliance with applicable legislation, to establish and maintain a culture of compliance, co-ordination of compliance functions within the organisation, and to focus on compliance risk within a broader risk management framework. The establishment of an independent compliance function will enhance effective co-ordination of compliance strategies in the organisation.
The legal practitioner is responsible for supervising the practice concerning the design and efficacy of the internal risk management and control systems, risks inherent in the practice’s activities and compliance with laws, regulations and internal rules from the compliance management plan perspective. The control environment is the ‘tone’ of the organisation and is the foundation for all other controls. The “tone at the top”, a term that defines management’s leadership and commitment towards openness, honesty, integrity, and ethical behaviour, is one of the largest factors influencing the control environment in an organisation. Legal practitioners should demonstrate leadership and commitment with respect to compliance management system. The management of the organisation and the compliance function should ensure that they are effectively informed on the performance of the organisation’s compliance management system and of its continuing adequacy, including all relevant non-compliance in a timely manner.
An organisation is usually in a state of being in accordance with the regulatory requirements or in the process of becoming so (CISA, p 15). The development of a fully effective compliance function, however structured, can take some time before the value of the function is fully developed. It is advisable to make use of a phased approach in the implementation of a compliance risk management framework (CISA, p 20). Although organisations may not have a fully developed and mature compliance function, it is important that they are constantly working towards that goal through the implementation and monitoring of a coherent compliance strategy rather than being in a reactive mode where compliance is not a priority. Law firms need to be more proactive in creating ethical culture and climate than to be reactive and operate in compliance.
The main objective of the regulators is to maintain stability in the industry by providing guidelines and ensuring compliance therewith (CISA, p 70). The regulators are the custodian of the legislation that regulates the industry and the organisations for which they are responsible and are empowered to promote and/or enforce adherence to the regulatory requirements. There is an expectation on the part of the regulators that the manner in which business is conducted is adjusted to meet the minimum standards (CISA p 71). This includes making sure that the business strategy of the organisation takes into account the regulatory requirements. Participation in such standards will help establish the organisation within the field. Regulators are tasked with monitoring compliance by organisations with the regulatory requirements. The regulators are required to enforce compliance with the regulatory requirements by taking disciplinary action in instances of non-compliance which may include the imposition of fines, or the suspension or withdrawal of a license.
Law firms are obliged to be open and co-operate with the minimum standards set in the regulatory requirements. Licensing ensure that the law firms meet the minimum standards set out in the regulatory requirements. The regulator may withdraw the license or authority to conduct business if certain requirements are not being met or the business no longer complies with the relevant requirements. The compliance function explains the consequences for not following the policy by persuasive, motivational nudging. The purpose of the compliance function is to ensure that legal practitioners act with integrity. It provides advice rooted in law. Protecting your business, employees, and clients are key reasons to have an intentional approach to manage regulatory compliance in legal practice. Compliance with regulatory affairs is a small investment to ensure an organisation’s success in the short and long term, and the long-term sustainability of business.
Law firms must stay up to date with the changes in regulations and industry best practice. It is imperative for law firms to comply with the regulations that apply to its industry to avoid disregarding best practices and violating industry standards. “Commercial lawyers play a crucial role in drafting agreements which enable clients to achieve their commercial objectives while managing risks inherent to doing business” (Sabinet: ‘Sabinet addresses the challenges of regulatory compliance’ (https://sabinet.co.za, accessed 15 March 2023). Regulatory compliance will allow law firms to navigate the regulatory universe to minimize risk and cost to the business.
Adhering to the compliance obligations relevant to the business sector in which it operates is imperative for an organisation to succeed. Compliance means that the law firm meets the required criteria for operating in the legal services industry. Organisations that have effective compliance function can create a competitive advantage for themselves as they are seen in a positive light by all stakeholders, which in turn has the effect of enhancing their reputation and sustainability (CISA, p 16)). Compliance increases the confidence the clients have in your service. It makes good business sense to comply with the relevant compliance obligations.
Please note that our blog posts are informal commentaries on developments in the law at the time of publication and not legal advice.