Internal controls mean an internalized version of otherwise imperfect external controls that include supervision and regulations. Developed nations such as the US and UK have long facilitated financial firms to bolster their internal controls as part of their drive for ethical management and prevention of increasingly sophisticated financial crime. It was in 2017 when Korea promulgated the Act on Corporate Governance of Financial Companies (“Corporate Governance Act”, hereinafter) and mandated financial firms to comply with the law, manage their business soundly, and follow a set of standards and procedures (“internal control standards”, hereinafter) in carrying out their duties for protecting shareholders and other stakeholders. In the recent event of a mis-selling on the high risk financial products, we have the different perception on internal controls between regulatory authorities and financial firms.
The internal control and compliance program of U.S. securities firms developed based on the supervisor liability provisions under the Securities and Exchange Act and its related FINRA rules. Under the Securities and Exchange Act, supervisor responsibility only presents requirements for the exemption of supervisory responsibility, and this negative method requires securities companies to prove that they have established reasonable supervisory systems and procedures. For this reason, securities firms or CEOs have incentives to prepare and utilize reasonable and effective compliance programs for their defense against supervisory responsibility. FINRA regulations, self-regulatory forms, supplement the supervisor responsibility, presented only as an exemption clause, by specifically requiring a minimal operating system related to compliance program. While imposing high sanctions to reflect the high social cost and low possibility of detection of white-collar crimes, the U.S. has developed the programs reducing its sanctions for companies with compliance programs, voluntarily reporting, or cooperating with government investigations. Finally, U.S. regulatory features related to the internal control and compliance program emphasize 'reasonable' or 'reasonable level'
The UK has strengtened its internal control system since the global financial crisis. Both the FCA and PRA established the regulations about the duty of responsibility, which take enforcement action against Senior Managers if they are responsible for the management of any activities in their firm in relation to which their firm contravenes a regulatory requirement, and they do not take such steps as a person in their position could reasonably be expected to take to avoid the contravention occurring or continuing. In connection with the regulations, the Financial Services Market Act includes the sanctions, which can be imposed not only on financial companies but also on individual high-level executives, in case of violations due to lack of internal control. Similar to the US, internal controls have functioned as a useful incentive―not as a tool for imposing penalties―that provides penalty reductions under the premise of strong supervisory responsibility.
We provide some policy directions that are expected to give financial firms an incentive to exert self-effort for bolstering internal controls. First, CEOs and other supervisors should take stronger responsibility. Second, internal controls should serve as an incentive that enables penalty reductions, instead of being used for the purpose of imposing penalties. Third, the internal control duty should be governed not by law, but by self-regulation. Fourth, it is necessary to prepare internal control guidelines for each industry that financial companies can comply with at a reasonable level. Fifth, in order to induce financial companies to strengthen their internal control capabilities, we need to review a plan to disclose the main status of internal control through mandatory submission of internal control evaluation reports.