
The Wiley Finance series contains books written specifically for finance and investment professionals as well as sophisticated individual investors and their financial advisors. Book topics range from portfolio management to e-commerce, risk management, financial engineering, valuation, and financial instrument analysis, as well as much more. For a list of available titles, visit our Web site at

Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Australia, and Asia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers' professional and personal knowledge and understanding.

The Compliance Revolution

How Compliance Needs to Change to Survive




To my family


This book is about maturity—corporate maturity—how businesses grow up and become more reasoned and responsible, and also more effective and better performing. It is also about the maturing of compliance into a profession, a critical function that sits at the interface between business and wider society. The quest is relevant to all forms of business and to many functions and the models presented here have general applicability.

What maturity is and how to grow is subtle and complex. We contend that however you define or try to create maturity, it is recognizable to customers, employees, and investors—and to regulators, who are increasingly concerned with corporate culture, integrity, governance, and conduct risk.

We use as our example financial services, a sector whose responsibility has been much challenged of late and where regulatory approaches and compliance practices are changing apace. Financial services also impacts many other areas of business that are dependent on its role while, as we have seen since the 2008 global financial crisis, its influence spreads out into the wider economy of Main Street and influences the opportunities and prosperity of many across our communities. Compliance has a key position, mediating between the powerful drivers in a highly competitive, complex, and internationalizing industry and the needs of the encircling realm of its multiple stakeholders. We will consider how compliance can use its pivotal role in strategically directing companies towards a more mature and responsible culture. In doing so, the function also transforms itself and demonstrates considerable value.

The rate of change in regulation and compliance has hastened in recent years, partly reflecting the rapid development within the financial services industry and partly because of an internal momentum within regulation that seeks new methodologies and procedures in pursuit of the long-term goal of greater effectiveness and efficiency. This internal momentum generates layer-upon-layer of regulatory reform and consequent compliance evolution, but the processes underlying change have reached such a pitch that recent stages can only be described as requiring a “compliance revolution.” This revolution is just starting, and the most significant steps are still to come.

However, few in compliance, regulation, or senior management are aware of this revolution, its implications for the wider business, and how compliance needs to prepare and lead. A primary purpose of this book is to make compliance practitioners aware of this revolution, how to manage change, and what is required of them. If compliance fails to step up, it is likely that the function will lose influence and become marginalized. The opportunity for professionalizing may not return.

Part of the armory of any profession is a clear model and narrative of how it adds value to businesses and the wider economy. This is absent for compliance, which has been historically reactive, subject to fashion, and somewhat cyclical. Here we attempt to fulfill the urgent need for an overall development model for compliance and regulation. We also add a new suite of technologies and methodologies that give more meat to its practices and buttress a claim for professionalism.

The book comprises three parts:

  1. Part I: Theory—a model of regulatory and compliance development
  2. Part II: Practice—tools and techniques to improve compliance performance
  3. Part III: Purpose—the overall aims and drivers of new compliance

Compliance is at a fork in the road. If compliance steps up its value, its status will be enhanced; miss the opportunity, and other functions may well appropriate traditional territory. This book aims to help compliance, regulators, and businesses make wiser, more mature choices.

David Jackman


The concepts and tools here are the product of a long and almost continual internal conversation, informed by endless field testing on firms, sectors, and industries in different jurisdictions. The thesis does not draw heavily on any existing body of work or adopt a particular philosophic position, but picks, jackdaw-like, from a wide selection of relevant sources and examples—we hope constructed to form an elegant whole.

Many say ethics and compliance are important but few wish to think very deeply, and would rather be told. This is, of course, part of the problem we address. Some elements are pioneering and ahead of their time but many are now, pleasingly, embedded in the mainstream. This book weaves these threads together and provides an opportunity to look into the distance once again.

Places have been more yielding. Much of this text has been composed during wanderings in Easedale, which the poet Thomas De Quincey correctly called “paradise in miniature.” Inspiration has also come from Edinburgh, Singapore, Dublin, Sligo, and Shrewsbury.

I am grateful for the support of Geoffrey Rowell, Howard Davies, Phillip Thorpe, Sue Proudfoot, Cameron Butland, British Standards (BSi), PayPlan Ltd., Patricia Lee, and many classes of students.

Finally, I am indebted to Alexander for his incisive editing, and my wife, who is better qualified in these areas than most of us.

About the Author

David Jackman, MA, PGCE, FRSA, had an Exhibition to Oxford and double distinction from Cambridge, as well as experience in an executive-tier bank management scheme and in teaching, before entering regulation in 1990. He co-founded the Securities Institute (now the Chartered Institute for Securities and Investments) and developed an agenda of prevention, education, and ethics applied at IMRO and during the formation of the UK's Financial Services Authority (FSA).

On Halloween 2002, David launched “An Ethical Framework for Financial Services”—the first ethical statement published by a financial regulator. The concepts in FSA Discussion Paper 18 now underpin approaches to regulation in many jurisdictions.

Following a chief executive role for the Financial Services Skills Council, and then visiting professor for the London Financial Academy, The Ethical Space was formed to work on this broad agenda with boards and organisations from all sectors. David has non-executive directorships, lectures, researches, and commentates on the BBC and in the press. He has a long association with the regulator-supported Singapore ICTA diplomas and master classes in Kuala Lumpur.

As primary author of the UK National Standards for Sustainable Development (BS8900) and Sustainable Communities (BS8904), David also leads the UK's contribution to groundbreaking international standards for sustainable communities and smart cities. He has founded a Community Interest Company, the 21st Century Charter, the World Open Forum, the Ethics Mark, and the Ethics Foundation.

A portal is offered in support of this book:

Part One

The landscape of regulation and compliance is changing fundamentally. New elements are emerging that bring new sets of priorities, approaches, and methodologies. Chapter 1 shows how compliance needs to move in a more strategic direction.

To understand this change in direction, we need a map. A theoretical model is set out in Chapter 2, giving a coherent picture of the past and future development of regulation and compliance; this is our base map. This framework also helps to explain why change happens, and what regulation and compliance should do to be properly prepared and fully engaged.

The model is based on financial services but could be applied to any industry or sector. While we primarily use examples from the UK and Singapore, which are both leading the way in their respective spheres, similar patterns can be found around the world. Not all jurisdictions are travelling at the same rate, so the model can be used to classify them and predict their future path.

Chapter 3 reminds us that the record of compliance over the last decade has been difficult. This is partly because the changes underway prior to the Global Financial Crisis (GFC) of 2008 were not properly embedded by the time they were severely tested. This demonstrates clearly that those firms and compliance practitioners who fail to understand the Bigger Picture and embed change are running a significant individual and corporate risk.

Chapter 1
New Compliance

See the whole among the pieces.

—Cameron Butland and David Jackman, Twenty-First Century Charter (21CC; June 2, 2009)

The Challenge

Compliance is undergoing a revolution in underlying principles, practices, role, expectations, and value. But many involved in governance, risk, and compliance (GRC) do not recognise the importance of the changes underway or understand how best to react and lead. This book aims to explain the significance of the phase we are now entering in financial services and provides a guide for compliance practitioners to navigate the transition in a way that is applicable to any sector or jurisdiction.

Compliance is growing rapidly across the world as regulatory requirements become more complex and international. The compliance function is now growing faster than many other roles but in many cases remains operational and mechanical; relative to its level of responsibility and potential impact, compliance is low status and poorly integrated into mainstream business activities. It is often considered an expensive add-on, marginalised, seen as a barrier to successful business, bedeviled by silo mentality and simplistic approaches.

This has to change. Compliance must show itself to be high-value, pivotal, and strategic. To achieve this there needs to be a fundamental shift in:

Yet the primary reason for this change is not self-preservation or self-enhancement, but because the aims and deliverables of compliance are so important to so many. The outcomes of compliance are critical to individual customers, families, businesses, and to the interests of the wider economy and society.

Turning Point

A turning point has been reached in financial services regulation. This text picks up the story of regulatory and compliance development at this crucial inflection. This is the moment at which compliance comes of age. It is no longer acceptable or credible to hide behind box ticking or “having appropriate systems and controls in place.” The differentiator is professional maturity. This is not possible without a focus on corporate and sector-wide maturity.

The journey on which compliance—and regulation—is embarking runs uphill. The path is steep and at times indistinct and difficult. There is a need to develop many tools and resources to assist the climb. However, this book sets out a general direction of travel and equips the reader with as much of the basic equipment as is possible to make a safe and successful ascent.

What is paramount is speed. The journey needs to be embarked upon soon and with urgency. What is undoubtedly true is that the range and complexity of the problems mounting are extraordinary and the need for solutions in an unequal and globalizing world is pressing. Compliance and regulation generally has a valuable role in making or facilitating and, on occasion, leading progress for both firms and the wider community, far beyond its popular image.

Traditional Compliance

Traditional compliance, as we shall refer to mechanical practices, is not covered here. There are many texts on introducing risk-based approaches or capital models. Other traditional elements of compliance include basic fitness and properness tests, authorization, client money rules, know your customer, market manipulation rules, transparency requirements, and financial promotions regulations and conduct of business rules. These are all important but they represent the foundation level of regulation and compliance and are not sufficient to constitute a sophisticated control environment or justify compliance as a full profession.

Similarly, fighting financial crime and money laundering have a basis in traditional compliance but have a sufficiently different set of objectives and processes to mark them out as a separate sub-discipline. It is more difficult to apply the models and tools introduced in this book to this parallel stream.

A final traditional tenet to be challenged is that compliance is not synonymous with or part of risk; it is much bigger than that. There may be compliance or regulatory risks within a risk framework but it does not follow from that that compliance is in some way subservient to risk or should be part of the risk department. Compliance, as we shall see in Parts II and III, has a much more strategic and wide-ranging scope and should report to the board independently and directly. Having a compliance person or specific non-executive director (NED) on the board is a clear sign that compliance has stepped up and not been left behind.

New Compliance

More than can perhaps be imagined depends on a new compliance emerging. This requires regulators and compliance to engage in a shared journey in which both are investing heavily in research, education, and discussion while establishing new joint approaches and infrastructures. We examine these new structures and elements and how they work together for a new compliance in Part II.

Shared Journey

It is important that the journey to new compliance is a shared one with compliance and regulation following the same map—the map is suggested in Chapter 2.

Ideally, regulation and compliance should be able to move forward in partnership at the same rate, but too often one side is playing catch-up. If regulation is ahead of compliance, firms may be subject to increased regulatory risk, and if compliance gets ahead of regulation, then the risk is of unexpected interpretations increasing regulatory firm risk and regulators suffering reputational damage and loss of support by appearing flat-footed.

Regulation's role is to reflect and mediate the expectations and requirements of the wider public and economy. Regulatory objectives are rarely unreasonable, but regulators often lack the practical business experience to know how to implement them effectively and in a balanced way. Conversely, compliance should have the hands-on experience but may be more distant from the policy agenda or democratic public needs. Obviously, a dynamic process of learning from each other is ideal, but this needs a facilitative infrastructure, a basis of trust, and extensive practice. The crucibles for building mutual understanding may be shared training vehicles, informal discussion groups, frequent communication documents, and staff exchange programmes.

The most important shared understanding is that regulation and compliance are not ends in themselves. This self-delusion is dangerous, and both compliance practitioners and regulators need to remind each other of their wider role and the implications of their actions. Both need to have a shared answer to the question: Why do we do what we do? We consider that in Part III.

Chapter 2
General Model of Regulatory and Compliance Development

It is not the strongest or the most intelligent who will survive but those who can best manage change.

—Charles Darwin

Introduction to Development Models

Charles Darwin set out a general model to describe the evolution of species and the principles of competition and natural selection. Adam Smith, similarly, provided a general model of economic development and described the operation of comparative advantage.

So development models usually have two basic components:

  1. An overall direction and stages of development
  2. Processes underlying change.

Regulation and compliance needs an overall picture of its development, including the major stages in that journey and an explanation of the processes by which change occurs. A general model is proposed here to help explain the pathway of change and to uncover the processes driving development. This in turn gives a clearer view of the future.

The usual caveats about models apply: there are variations in the fine detail, different cultures and jurisdictions develop at different rates, and progress is rarely linear. But models provide an easily comprehended picture that we can then re-complicate, adding all the appropriate variables to apply it to our own situation and circumstances.

Crucially, a model gives us vision, a way of summarising the past and helping us deal with future uncertainties. This is what compliance needs so badly: a narrative about where it has come from, and a map for its future progress and development.

General Model of Regulatory and Compliance Development

The model in Figure 2.1 describes a process of maturity. This is the development of regulation and compliance from start-up, through early and “teenage” years, to a more grownup state. This provides a model for understanding and evaluating each stage of a regulatory–compliance system. It also supplies a roadmap for future growth and improvement and may be considered at the levels of a:


Figure 2.1 General Model of Regulatory and Compliance Development

It is not necessarily the case that all firms operating from or within a jurisdiction will be at the same level of maturity as the jurisdiction as a whole. There will be a range of maturities of individual firms or even subsectors, and this causes interesting problems both for the laggards and for the regulators concerned.

The model identifies five stages. These are clearly not mutually exclusive but blend one into another, each building on the others:

  1. Start-up: Establishing credibility by using direct, often simple and easy-to-implement measures to combat an obvious and commonly agreed problem. Enforcement at this stage is often punitive, and rule breaches are described in technical terms. Regulation may operate in an apparently business-friendly way, and may be through self-regulatory organisations that are close to the issues and allow governance by peers. This stage may offer perfectly adequate protection for some societies and be a rational place to remain for some time, but regulators' credibility and effectiveness may be undermined when crises emerge.
  2. Crises: This stage is characterised by reactive and often disorganised or disproportional responses to emergent problems (e.g., 2008 GFC), or the unexpected consequences of earlier interventions (e.g., UK 1980s and 1990s pensions mis-selling). Changes are often driven by public opinion and political necessity that may see extra regulation as the only credible quick fix. This may be the trigger for a secondary wave of reform involving the rationalisation of regulatory and compliance structures. Societies may revert to these crisis conditions at any time in the development path, and this can cause progress to temporarily retreat down the curve.
  3. Expansion: Here, regulation becomes more proactive and confident, often associated with clearer objectives (e.g., UK Financial Services and Markets Act 2000), and extensions of scope into more fringe areas (e.g., insurance and mortgages), usually based on the pressing consumer protection expectations of a newly wealthy middle-class. Regulation almost inevitably becomes more expensive, bureaucratic, and unresponsive under the pressure of size, and therefore potentially higher risk. This is compounded by resistance and lack of consensus within the industry, which now seems more distant.
  4. Sustainability: Recognition that expansion cannot continue exponentially. Regulatory and compliance toolboxes become more fit-for-purpose and sophisticated. Methods of rationalisation and performance improvement now include:
    • Risk-focused compliance
    • Cost-benefit analysis
    • Principles-based regulation
    • Emphasis on prevention—focusing on corporate culture (conduct risk), ethics, and governance

      The emphasis here shifts significantly from controlling precisely individual internal process to framing the internal and external environment around a firm or sector in such a way as to increase the likelihood of positive behaviours.

  5. Outcomes-led: Focus on systemic outcomes on the wider economy and society (and occasionally, environment). By evaluating impacts as part of the regulatory mix, regulation incorporates an understanding of the community purposes of regulation and the effects in social and economic terms that interventions are seeking to create. An outcomes-based system allows for far more creative methods of compliance and regulation where systems and processes are not the ultimate goal. New external criteria bring new criteria for success and enforcement, and allow regulation to be employed for a wider range of objectives.

The Difficult Step—Stage 3 to 4/5

Each stage builds on the last and introduces additional regulatory and compliance tools and priorities. Part II will focus on the new components introduced in stages 4 and 5. In Part III we will see how these stages add the essential components of an infrastructure (we shall call this the Ethical Space) necessary to enable compliance to be strategically effective and contribute towards corporate maturity. We will also find in Part III that the processes at work in stages 1–3 reach a critical point when entering stages 4 and 5. This “difficult step” is from stage 3 to 4/5 and requires a revolution in commitment and the depth and rate of change.

Limitations of the Model

Any development model has limitations and some of the questions to consider are:

  • Is the length of each stage the same, or can stages be elongated or shortened?
  • Is it possible to skip a stage entirely and move from one stage to the next without, for example, the stage of crises?
  • Is it possible to regress? Is progress irreversible?
  • Can you get stuck in one stage? If so, why?
  • Is a final downturn inevitable, or will the curve continue upwards?

In some cases crises set the underlying development curve back a stage or two as regulators can often feel more secure and demonstrate credibility by resorting to “tougher,” more familiar ways. But this effect is usually short-lived and can be detrimental to restoring confidence because enforcement actions become more visible and numerous and undermine the maturity of the relationship between regulator and industry sector. It is better in the long term for regulators to keep their eye fixed on the development model and to return to the trajectory as soon as possible.

In the specific case of the 2008 financial crisis, the progression to a more sustainable stage had started before the crisis broke. The shift of approach was not dependent on the crisis as a trigger. However, the crisis, while causing a short-term step backwards in the way suggested above, further drove the progression of regulation and set more favourable conditions for both achieving sustainable regulation and also refocusing on outcomes. The foremost lesson for politicians and the public from the 2008 crisis is that “Problems of Wall Street cause problems on Main Street.”

International Comparisons

It is possible to place regulatory regimes or jurisdictions along the development curve in terms of their stage in the journey. Some may be large and powerful regulators in terms of legal powers, reach and style of enforcement action but that does not mean that they are sophisticated in terms of the mix of approaches used. Equally, this does not mean that such regimes are not effective, but they could be more effective if they advanced their methodologies and added to their regulatory toolkit. It is also the contention that compliance will be more embedded and therefore resilient under pressure if regulators move up the development curve. Stages 4 and 5 are inherently lower cost and so more sustainable in the long term.

In general terms, many regulatory–compliance systems are not as far along the curve as they need to be given the challenges they face and increasing public expectations. This partly explains why regulation and compliance has been viewed as less-than-fully-effective during and after the 2008 financial crash, as we will explore in Chapter 3. There have also been examples of regulatory failure in other sectors, e.g., phone hacking in the UK media, which give the impression that regulation in general is ineffective.

Regulation is a social activity, and the development of one regulatory system tends to drag along others. Some regulators tend to be cautious and do not want to be ‘first movers,’ while others are more competitive or seek to be the beacon in a particular region or sector. If advancements made by one seem to be successful, it is only a matter of time before other regulators follow. The key to future international success is that there is a critical mass of regulators that pursue the direction towards stages 4 and 5, impressing on those in stages 1–3 the need to move forward. This is particularly important simply to reduce the opportunities for arbitrage between jurisdictions.

To re-emphasise a conclusion from Chapter 1, the primary advantage of the regulation–compliance system progressing along the developmental model curve is that it can deliver more effectively the social/economic outcomes for the wider community. This is the end; compliance and regulation are only means to that end.

Example of the UK

The UK is a useful example of the development of a financial services regulatory system (see Table 2.1) and has been tracked to a greater or lesser extent by many other jurisdictions, including Singapore.

Table 2.1 Examples of the general model of regulatory and compliance development from UK financial services regulation—characteristics from each stage (Jackman, D., 2015)

Stage: 1986–1992 Start-up
Example:
  • Establishment of sectoral self-regulatory organisations (SROs) at deregulation: The Securities Association (TSA), the Life Assurance and Unit Trust Regulatory Organisation (Lautro), the Financial Intermediaries, Managers and Brokers Regulatory Authority (FIMBRA) and the Investment Management Regulatory Organisation (IMRO), overseen by the Securities and Investments Board (SIB).
  • Process rules for fact-finds, transparency, and training and competence.
  • Bank of England supervises large banking institutions.

Stage: 1992–1998 Crises
Example:
  • Bank of Credit and Commerce International (BCCI), Polly Peck and Mirror Pension Scheme (Maxwell) raised concerns about corporate governance and Bank of England banking oversight. Pensions mis-selling and Equitable Life suggested self-regulators too close to industry.

Stage: 1998–2007 Expansion
Example:
  • Formation of Financial Services Authority (FSA) under Financial Services and Markets Act (FISMA) 2000, combining 10 prior regulatory bodies, including SROs.
  • Extending depth of regulation (for example, in banking) and scope (e.g., mortgages and general insurance).
  • FSA rulebook expands to 9,500 pages, although supervision increasingly risk based and statutory requirement for cost-benefit analysis (CBA). Increasing consumer focus.

Stage: 2007–2013 Sustainable
Example:
  • Recognition that regulatory burden is counterproductive, costly, and discouraging location of international businesses in London. Shift to more principles-based regulation (MPBR).
  • Increased emphasis on ethics, culture, and “treating customers fairly” (TCF). Rationale reinforced by 2008 financial services crisis.
  • Focus on high-risk sectors using wider range of regulatory tools and themed reviews and visits.
  • Enforcement action escalates, resulting in higher levels of fines.

Stage: 2013–future Outcomes-led
Example:
  • Formation of Financial Conduct Authority (FCA) in 2013 following dissolution of FSA. Bank of England regains systemically significant banking supervision through Prudential Regulatory Authority (PRA).
  • FCA concentrates on culture (conduct risk) and governance issues (e.g., LIBOR fixing, money laundering, data controls).
  • Supervision is more thematic and outcomes led.

Using Regulatory Toolkits

It is the combination of approaches and tools that delivers effective compliance and regulation, not one set replacing the previous set. There exists a growing compliance and regulatory menu or toolkit, but it is how the elements are selected and used together that is the real skill. The range of tools available and the sophistication with which they are combined and used determines the maturity of the jurisdiction and the professionalism of the compliance sector. How the mix is balanced and selected for any one firm or set of circumstances is decided upon and delivered by regulators and compliance officers making critical judgments, not following checklists or risk models only. How good these professional judgments are really matters. Quality judgment is what firms and societies pay for.

To decide how successful a regulator is in using this toolkit, the Monetary Authority of Singapore (MAS) has the following tests or tenets:


This chapter provides the framework for the remainder of the book: a model to evaluate differing regulatory systems and a roadmap for the future.

Before we explore stages 4 and 5 in detail, and even suggest a stage 6, we will just reflect on recent experience and the difficulty some leading jurisdictions have had in stepping up from stage 3 to 4/5. Obviously, this transition, which we recognize is the most difficult in conceptual and practical terms, has been made even more difficult by the 2008 GFC. The GFC placed strains on the early steps in this transition as change had not had the chance to become sufficiently embedded. So now these jurisdictions have a chance to make the transition for a second time and ensure that it sticks.