In late 2024, the European Securities and Markets Authority (ESMA) published its first consolidated report of the sanctions and measures issued by EU member states for breaches of the laws within ESMA’s remit. It found that 2023 saw more than 970 administrative fines, worth an accumulated €71 million, imposed on companies and individuals across the bloc.
This includes contraventions of the Market Abuse Regulation (MAR), the Markets in Financial Instruments Directive (MiFID II) and other such legislation relating to the financial services industry. The scale of sanctions should act as a warning to organisations across the European Union that regulators are alert to breaches of the law and will not hesitate to impose measures. Alongside this potential financial risk, there is the possibility of reputational damage for companies seen not to abide by the law and the risk that clients and investors may lose trust in any such business.
As such, companies should have in place effective compliance controls and this article explains what they are and how to implement them.
Key takeaways
- EU regulators are actively issuing sanctions against businesses and individuals that fail to meet the necessary compliance standards.
- There are four types of compliance controls that you can use in combination to create a compliant environment.
- A robust compliance culture is essential for ensuring buy-in from employees and senior management to help with meeting your requirements.
- Risk management means you should monitor, test and adapt your internal controls on a regular basis, including through internal audit, so that they always reflect the latest legislation.
- Embed compliance into your daily operations to ensure it comes naturally to all internal stakeholders.
The four types of compliance controls
Compliance controls are the policies, procedures and other elements you have in place to help your business meet its obligations under the relevant laws and regulations.
There are four main types of compliance controls used by businesses. The examples in the right-hand column are drawn from the tools and processes discussed later in this article:

Type | Explanation | Example
Preventive controls | Designed to stop compliance breaches before they occur | Pre-trade clearance that blocks employees from placing personal trades the firm has deemed non-compliant
Detective controls | Identify compliance problems after they have occurred | Ongoing monitoring of control use, and whistleblowing channels that surface wrongdoing
Corrective controls | Address and resolve problems in the business after these issues have come to light | Incident response protocols that contain, investigate and remediate a breach
Compensating controls | Secondary controls that act as safeguards when primary controls aren't feasible or fully effective | Manual review by the compliance function of a process where an automated block cannot be implemented
Tips to implement compliance controls
1. Identify your compliance obligations
Consider your industry, the structure of your business and the legislation that affects you at a national and union level. This includes:
- Financial regulations, such as MAR, that seek to prevent market abuse and other such disruption to the capital markets
- Data protection and privacy, concerned with how you obtain, use and store the personal information you collect, in accordance with the GDPR
- Industry-specific mandates, such as REMIT in the energy and utilities sector and REACH in the chemicals industry
- ESG and sustainability requirements, like those in place under the Corporate Sustainability Reporting Directive and EU Taxonomy.
2. Establish the essential building blocks
Start from the very basics of your approach to compliance in order to understand what your compliance controls should include. This means carrying out a risk assessment in the first instance to understand the potential outcomes of failing to meet your compliance obligations. The assessment should also analyse your current checks and balances to help identify the gaps that you need to address.
Once you know the requirements on you and the extent to which you currently comply, you can build the elements of your compliance controls to meet your needs. This should include:
- Policies and procedures to formalise the company’s stance on each of the pertinent compliance areas and standardise the way in which employees should approach them.
- Employee training programmes to help internal stakeholders understand the reasons behind the internal controls, how they work and what happens if they fail to implement those controls.
- Monitoring to ensure that the controls are being used in the appropriate manner and are working effectively to prevent or manage compliance matters in the organisation.
- Incident response protocols so that, when a control fails, there is a defined process to contain the issue, investigate it and remediate it before it causes long-term damage, rather than letting it slip through the cracks.
3. Build your compliance control strategy
Now you have the overarching elements of your controls, you can become more granular in implementing them into your operations. You need to build a compliance strategy.
Designate ownership of each of the internal controls to a competent person or department, putting them in charge of that aspect of your regulatory approach. This provides accountability, encouraging them to carry out their tasks to the best of their ability.
With a growing regulatory burden, rising cybersecurity risk and limited resources in the current economic climate, it has never been more important to use digital solutions to standardise your workflows, creating secure and streamlined processes that reduce manual workload. Automation, access controls and clear dashboards let you keep on top of the status of your compliance efforts and delegate responsibilities while still protecting the data of all parties involved.
Select complementary tools and technology to help with your compliance programme. Examples include:
- TradeLog automated preclearance and conflict of interest software. Employees must request permission for personal trading through the system, which won’t allow them to apply for trades that you have deemed to be non-compliant. It also cross-references your employees’ external positions and interests against the client and vendor lists you provide to alert you to any potential conflicts of interest.
- InsiderLog insider list management software for creating and managing insider lists that help you remain compliant with the requirements of MAR. It also automates the process of informing your insiders of their obligations and receiving their confirmation of understanding.
- IntegrityLog whistleblowing platform that allows for both confidential and anonymous reporting whilst still facilitating open communication between the reporting person and the investigating party. Secure access control helps to protect the details of the case, as is required by national whistleblowing laws across the EU.
4. Implement compliance controls
Make sure you align your compliance controls with your existing business processes, rather than holding them separate. Map your regulatory requirements onto your operational workflows so that compliance becomes a seamless part of how things are done within your organisation.
For example, your insider list processes should integrate with HR onboarding, trade permissions and project workflows, so that stakeholders understand what insider lists are and when to use them, rather than the lists being managed in isolation by your legal or compliance functions alone.
This requires cross-functional collaboration between departments, taking a holistic approach to compliance, rather than leaving it as an afterthought. Make it part of day-to-day operations and ensure employees have access to the latest versions of all internal policies so that everyone understands the latest best practices.
5. Monitor and test controls
Implementing controls is not enough on its own: you also need oversight of them, which means monitoring and testing them on a regular basis. Integrate checks into your standard business processes, such as the approval you require before employees may trade on their personal accounts.
Compliance doesn’t stand still, and you should be alert to the need to update or adapt your controls based on emerging risks. These could be due to:
- Regulatory changes
- New business activities
- Findings from previous breaches or incidents.
Carry out internal audits to test how your controls work in practice, identifying any weaknesses and closing any gaps in a timely manner.
6. Create a compliance culture
Your culture spreads from the top down, so ensure that your senior leadership team is onboard with your approach. The board should play a role in the oversight of compliance across the organisation, helping to steer the business away from risk.
Show a commitment to ethics and compliance, promoting whistleblowing channels and displaying how much the company values reporting of wrongdoing to create a safe and encouraging environment as well as to meet compliance requirements.
Building this compliance culture means making compliance visible throughout the working life of your team: in onboarding, on shared workspaces and in every other area. Promote your code of ethics and conduct, and report on the results of investigations, what you have learnt and what will change as a result.
Common challenges and pitfalls in compliance controls
- Disconnected governance, risk and compliance (GRC) efforts, siloed across departments and leading to duplicated work or gaps that you do not notice until something slips through. This makes it difficult to maintain a coherent risk profile. Create cross-functional teams to ensure everyone understands who is carrying out which tasks.
- Inadequate training and awareness can negate even the best-designed compliance controls. Concentrate both on what users must do to carry out their duties and on why the controls are in place so that there is some context to their efforts.
- Incomplete documentation and weak record control is problematic if there is an audit or investigation to understand the causes of a compliance issue. By keeping proper documentation, you can show intention to comply, which might mitigate sanctions if there is a failure. Without that evidence, the fines could be more severe.
FAQ
1. Who is responsible for implementing compliance controls?
Senior management and compliance officers are primarily responsible for implementing compliance controls, often in collaboration with relevant department heads to ensure integration of efforts.
2. Who should be involved in compliance monitoring?
Compliance teams, internal auditors and relevant operational managers should all be involved in monitoring these internal controls to ensure the ongoing effectiveness of your compliance programme.
3. What’s the difference between compliance and internal controls?
Compliance controls are those measures in place to prevent failures to meet all regulatory requirements. Internal controls refer to procedures that verify the integrity of a range of different practices within the business, such as financial reporting, as well as compliance.
4. How often should compliance controls be reviewed?
Compliance controls should be reviewed regularly. This usually means at least annually or whenever there are regulatory changes, changes to the nature of your business or you carry out an internal audit and need to implement the findings.
Conclusion
The key to implementing compliance controls is to work across departments to ensure the whole business is on board with the systems and processes that protect you from regulatory risk. By helping staff understand the reasons for the internal controls being in place, the way to integrate them into their workflow and the consequences of failing to comply, you create a compliance culture where the controls form a seamless part of the work of the business. The following tools will help you manage your compliance controls with ease: