Compliance for Business in Regulated Sectors

What is compliance?

Compliance is a system of measures that ensures a company's activities conform to applicable laws, regulatory acts, industry standards, and internal policies.

In today's regulatory environment, compliance is not a "check-the-box" function but a strategic asset. Compliance violations lead to:

Regulatory fines (sometimes existential in scale: $8.9 billion fine for BNP Paribas in 2014 for violating US sanctions)
Criminal liability for executives
Reputational damage
Loss of licenses
Civil lawsuits

Key Compliance Areas

AML/CFT: Anti-Money Laundering and Counter Financing of Terrorism

Main requirements (based on FATF recommendations):

KYC (Know Your Customer): identification of clients, verification of identity, documentation
CDD (Customer Due Diligence): standard and enhanced screening for high-risk clients
EDD (Enhanced Due Diligence): for PEP (Politically Exposed Persons), high-risk jurisdictions
Transaction monitoring: systems to monitor suspicious transactions
SAR (Suspicious Activity Reports): mandatory notification to the regulator about suspicious operations

Global fines for AML violations (2021–2023):

Goldman Sachs (1MDB scandal): $3.9 billion
HSBC: $1.9 billion (2012, historic fine)
Westpac: A$1.3 billion (2020, Australia)
BitMEX: $100 million (crypto, 2021)

UAE AML context: In 2022, the FATF placed the UAE on the "grey list" due to insufficient action against money laundering. The UAE government adopted tough measures — strengthened regulation, fines, DNFBP reforms (Designated Non-Financial Businesses and Professions: real estate agents, jewelers, lawyers). In 2024, the UAE was removed from the grey list.

Sanctions compliance

Key sanctions regimes:

OFAC (USA): Office of Foreign Assets Control — administers sanctions against Iran, Cuba, North Korea, Russia, specific individuals and companies
EU CFSP (Common Foreign and Security Policy): EU sanctions
UN Security Council sanctions
UK OFSI: Office of Financial Sanctions Implementation

Liability: Violating sanctions is a criminal offense for individuals + massive fines for companies. Crucially: US sanctions are extraterritorial — European companies conducting business in dollars or via American financial institutions fall under OFAC jurisdiction.

GDPR and Data Protection

GDPR (General Data Protection Regulation, EU, since 2018):

Grounds for data processing (consent, legitimate interest, contract performance)
Rights of data subjects: access, correction, deletion, portability
Privacy by design: data protection is built into the product, not added after the fact
DPO (Data Protection Officer): mandatory for certain organizations
Fines: up to €20 million or 4% of global annual revenue

Largest GDPR fines:

Meta (2023): €1.2 billion for data transfer to the US without proper safeguards
Amazon (2021): €746 million (Luxembourg)
WhatsApp (2021): €225 million

ESG compliance

A growing area. The EU CSRD (Corporate Sustainability Reporting Directive, 2023) requires large companies to provide detailed ESG reporting.

SFDR (Sustainable Finance Disclosure Regulation): Disclosure requirements for asset managers in the EU.

UK Taxonomy: The British equivalent of the EU taxonomy of sustainable investments.

Building a Compliance Program

Three lines of defense:

Business units: primary control at the operational level
Compliance function: policy development, monitoring, training
Internal audit: independent assessment of the system's effectiveness

Key elements:

Tone from the top: the CEO and board of directors set the tone
Policies and procedures: documented, accessible, up-to-date
Staff training: regular, mandatory
Whistle-blowing: safe channel for reporting violations
Monitoring and testing: checking the effectiveness of controls
Remediation: systematic elimination of identified violations