Written by Jon Prentice on Monday May 30, 2022
Compliance is made up of many key functions, each of which vary in importance. But two areas that are often underdiscussed – perhaps due to a perceived lack of glamour – are maintenance and record-keeping. Stringent maintenance and record-keeping measures are part of the foundations of an effective compliance and risk management framework, so their neglect is as puzzling as it is unwise.
Though new and emerging technologies have helped compliance evolve, it can be all too easy to overlook the basics. RegTech’s contribution to compliance understandably garners attention, but it is often forgotten that maintenance and record-keeping have long been central to a robust compliance framework; both play crucial roles in ensuring that firms remain compliant with regulations and avoid regulatory sanction, whilst helping put customers’ best interests at the centre of policy making.
Maintenance is a broad term covering a range of different activities. Just as one should maintain a car so that it doesn’t breakdown, or machinery so that it continues to work in the way intended, so it is also vital to incorporate maintenance into an effective GRC programme. Below are some examples of areas that should be the focus of regular maintenance.
Firms should aim to provide customer-centric products that meet the needs, interests, objectives and expectations of consumers, and a key element of the product lifecycle is product maintenance. Once a product is built and put to market, it is vital that it is regularly maintained, and just because a product is fit for purpose at the time of its introduction, that does not mean it is always going to remain so.
Conducting regular product reviews and maintenance throughout the product lifecycle helps to ensure that the product still operates as intended.
In some jurisdictions, regulators and firms are co-responsible for design, distribution and maintenance of financial products through the product lifecycle.
Failure to conduct appropriate product maintenance can lead to products becoming outdated and vulnerable to risk, as well as offering a poor service to customers.
Regularly reviewing and maintaining policies and procedures enables firms to keep up to date with the latest regulations, changes in technology and best practice across the industry. Firms within high-risk or highly regulated sectors, like banking, financial technology, healthcare/pharmaceuticals, gambling, and oil and gas, should place particular emphasis on regular policy reviews.
Moreover, policies and procedures should be living documents, whereby the core elements often stay the same, but the operations adapt according to industry and regulatory developments. Given the sheer volume of tasks that a compliance department must oversee, it is easy to see policy and procedural reviews as a reactive activity, however, it is far wiser to practice proactive maintenance, so as to avoid issues before they become a problem.
Compliance changes quickly, and so it is imperative that staff training is regularly maintained. Training – whether mandatory, company-wide or more specialised targeting a specific team, function or department – should be regularly reviewed to ensure that employees are meeting their legal requirements. Failure to maintain staff training can result in employees following incorrect procedures, not being aware of potential threats or risks, or offering poor customer service, all of which can lead to potential regulatory sanctions or reputational harm.
It is not just the content of the training, but the design of the training itself, that is important. We all know that training is sometimes considered a tick-box exercise, with employees not always fully engaged. Regularly reviewing the way that training is delivered helps keep engagement levels high and improves information retention. E-learning, in particular, has emerged as a popular way of disseminating training content, thanks to its interactive nature.
Maintenance and record-keeping go hand in hand. Certain data must obviously be recorded and stored safely and securely, but when a policy has been reviewed or maintained, or an investigation has taken place, it is important to keep a record of what has been done and why. Compliance and risk management is today incredibly complex, and scrutiny from regulators, customers, shareholders and other stakeholders has never been greater. So, to avoid potential regulatory enforcement action, firms must adopt an effective record-keeping process to ensure data and information is stored safely and kept up to date.
A robust record-keeping programme involves the entire company. From entry level through to senior management and board level, all employees must be aware of their organisation’s record-keeping policies, in addition to acknowledging why storing data in a safe and reliable manner is vital.
For compliance officers, it is their responsibility to ensure that their firm’s record management policies are adhered to and that the policies fall in line with any record retention schedules, as required by law.
Like maintenance, record-keeping is a broad field. Some key considerations include:
In order to effectively maintain records, a record-keeping or record management system should be established. The purpose of a record management system is to store and track compliance-related documents, policies and procedures. An effective system will help ensure that regulatory mandates are met, any documentary evidence is easily available and exposure to risk is reduced.
 FinCoNet, ‘Financial Product Governance and Culture’, June 2021: http://www.finconet.org/Financial-Product-Governance-Culture.pdf – accessed April 2022
 PowerDMS, ‘Why it is important to review policies and procedures’, 22 December 2020: https://www.powerdms.com/policy-learning-center/why-it-is-important-to-review-policies-and-procedures#:~:text=Bottom%20line%2C%20regularly%20reviewing%20your,with%20the%20industry's%20best%20practices – accessed April 2022
 Richard P. Kusserow, ‘Effective Compliance Records Management Program’, February 2020: https://www.compliance.com/resources/effective-compliance-records-management-program/ – accessed April 2022
Thank you. Your comment is awaiting moderation and should appear on the site shortly.
Required fields are not completed, please ensure all required fields (*) have been filled in properly.
You can leave the name empty should you wish to remain Anonymous.