OPINION

Directions for Improvement in Internal Controls of Financial Firms
2021 May/18
Summary
In developed nations including the US, internal controls have functioned as a useful incentive, not as a tool for imposing penalties, that provides penalty reductions under the premise of strong supervisory responsibility. In Korea, however, it is relatively harder to hold top-level supervisors liable for administrative offenses. Hence, the Act on Corporate Governance of Financial Companies allows CEOs to be sanctioned for neglecting their duty to establish internal controls. Although Korean financial firms view internal controls as part of regulation, a substantial number of them fail to view them as part of enterprise and operational risk management, and thus are passive about devising and complying with their own internal control standards. This article presents three conditions that could give financial firms an incentive to make a voluntary effort to improve their internal controls. First, supervisory responsibility should be strengthened. Second, internal controls should be used as a useful incentive that enables penalty reductions. Third, the duty to establish internal control standards should be governed by self-regulation, rather than be mandated by law.
Internal controls in financial firms
 

Internal controls are an internalized version of otherwise imperfect external controls, which include supervision and regulations. Developed nations such as the US have long encouraged financial firms to bolster their internal controls as part of their drive for ethical management and prevention of increasingly sophisticated financial crime. In 2017, Korea promulgated the Act on Corporate Governance of Financial Companies (“Corporate Governance Act”, hereinafter) and required financial firms to comply with the law, manage their business soundly, and follow a set of standards and procedures (“internal control standards”, hereinafter) in carrying out their duties for protecting shareholders and other stakeholders.1) Internal controls cover all activities carried out for the purpose of adherence to compliance policy, credible financial reporting, and more efficient business management. This has evolved into the concept of “enterprise and operational risk management”. The internal control standards adopted in the financial industry also define the scope as including every business activity, ranging from compliance, consumer protection, internal accounting controls, and risk management to information protection.
 
Although major supervisory authorities developed internal controls into the concept of enterprise and operational risk management, domestic and overseas financial firms have narrowly perceived internal controls as adherence to compliance. With globalization and ICT advancement, financial firms have seen their work scope become broader and more complex, which in turn gave rise to repeated financial accidents. One of the exemplary cases in this area would be Barings Bank, which went bankrupt in 1995. Early in the 1990s, the bank's headquarters failed to recognize the potential risks and cumulative losses related to the high-risk derivatives positions in its Singapore branch, which escalated into bankruptcy. Lack of internal controls was behind all large-scale scandals such as Enron’s accounting fraud in early 2002, large investment banks’ losses from high-risk derivatives investment during the 2008 global financial crisis, MF Global’s Ponzi scheme in 2011, a Korean brokerage firm’s option trading error in 2013, and Korea’s recent fiasco involving private equity funds. The fundamental reason behind the continuous scandals attributable to lack of internal controls lies in financial firms’ timid response to the issue, which stems from their common failure to recognize internal controls as part of a broader concept of enterprise and operational risk management. Against this backdrop, this article first points out the differing perceptions of internal controls between regulatory authorities and financial firms, and then briefly outlines internal control systems in developed countries, based on which I present future directions for improvement.
 
 
Different perception between regulatory authorities and financial firms 
 

Regulatory authorities have long perceived financial firms’ sound management and investor protection as a daunting task unless CEOs bear legal responsibility. More recently, Korea’s financial authorities have issued a disciplinary warning and a cautionary warning to the CEOs of major financial firms about their failure to establish effective internal control standards when selling derivatives-linked funds and private equity funds. According to the authorities, although financial firms should formulate their own internal control standards and adhere to them under Article 24-1 of the Corporate Governance Act, a substantial number of them failed to establish effective standards. The authorities believe that their penalties against the CEOs of corporate offenders are reasonable under the Corporate Governance Act. 
 
On the other hand, financial firms perceive internal controls as better governed by industry self-regulation, instead of being forced by laws and regulations. Advances in ICT have broadened the business scope of financial firms, and have increased the use of non-financial data. Under the circumstances, it is nearly impossible to come up with flawless internal control standards that would effectively prevent all financial accidents, they argue. They also believe that, as “the duty to establish internal control standards” (“internal control duty”, hereinafter) under the Corporate Governance Act is just a declaration, it would be somewhat far-fetched to sanction CEOs for their negligence in establishing internal control standards to deal with a financial accident.
 
 
Internal controls in developed nations
 

The US, known for first introducing internal controls, has developed them by internalizing external controls as part of an attempt to overcome the shortcomings of administrative regulation. With the rapid rise in white-collar crime after the 1930s, the US came to perceive the immense difficulty in detecting and preventing financial crime in advance. In response, the US government chose to impose tough penalties by strengthening sentencing guidelines, under which a corporate offender would face tough civil fines for administrative offenses. But any offender who establishes and complies with internal controls would be subject to fine reductions, which helped internal controls function as an effective incentive. Moreover, the US has sought to bolster supervisory responsibility by assigning legal responsibility to CEOs and middle managers, which was expected to help induce ethical management and effectively prevent financial accidents in advance.
 
In terms of the internal control duty, the strictness of regulation varies across countries, namely, the US, Japan, and Korea. It is hard to regard the US and Japan as mandating internal controls by law just as Korea does under the Corporate Governance Act. The two nations do require financial firms to build an internal control system under the Sarbanes-Oxley Act and the Companies Act, respectively. However, the scope of internal controls in the two laws is limited to compliance with internal accounting controls. This is a concept somewhat different from enterprise and operational risk management. The US and Japan chose not to stipulate the internal control duty in law, as they believe it falls under the concept of enterprise and operational risk management. This almost surely reflects the two nations’ philosophy that internal controls cannot be forced by law.
 
The two nations also differ widely from Korea in terms of penalties related to internal controls. In the US, if financial firm staff violate major administrative regulation, both the staff and the firm face tough civil fines. However, if the firm proves that it established and complied with internal controls, it would be subject to fine reductions. What is particularly interesting is that fines could also be reduced if a corporate offender proves its effort to establish and abide by internal control standards even after a financial accident. Whereas the US uses internal controls as a useful incentive that provides penalty reductions, Korea uses them merely for the purpose of imposing penalties. In Korea, not only financial firm staff but also CEOs face penalties for any failure to formulate effective internal controls, regardless of whether there is any administrative offense or not.
 
Another difference between the two nations and Korea is the responsibility of supervisors including CEOs. When an employee commits an administrative offense in the US, supervisors at all levels and the firm would have civil and criminal liability for their negligent supervision over the offender. Negligent supervision in this case includes intentional negligence in supervision, collusion with the offender, and unlawful exercise of force. It is possible to hold middle- or top-level supervisors liable depending on the severity of offenses or negligent supervision. Because holding CEOs and top-level supervisors liable for employee offenses is impossible in Korea, the Corporate Governance Act prescribes that supervisors and CEOs can be held liable for their negligence in establishing internal control standards. But it is pointed out that the internal control duty prescribed in the Corporate Governance Act lacks clarity in terms of the objectivity of negligence and the range of supervisors.  
 
To sum up, developed nations including the US have developed internal controls into the concept of enterprise and operational risk management. Particularly notable is the US case, which uses internal controls as a useful incentive that provides penalty reductions on the premise of strong supervisory responsibility. Instead of mandating the establishment of internal controls, the US induces financial firms to use self-regulation to bolster their internal controls. By contrast, Korean financial firms used to narrowly define internal controls as adherence to compliance, taking only passive and unsophisticated action towards the issue.
 
 
Directions for improvement in financial firms’ internal controls
 

In conclusion, there are three policy directions that are expected to give financial firms an incentive to make their own effort to bolster internal controls. First, CEOs and other supervisors should take stronger responsibility. Second, internal controls should serve as an incentive that enables penalty reductions, instead of being used for the purpose of imposing penalties. Third, the internal control duty should be governed not by law, but by self-regulation.
 
With regard to the first direction, it would be wise to create a new provision that would hold middle managers or CEOs liable for negligent supervision when there is an administrative offense by employees. The provision should be able to set forth every detail such as the range of supervisors and the types of negligence, as seen in the US case. Another idea is to assign different levels of final responsibility to the middle- and top-level managers including CEOs depending on the significance of violation and the predetermined roles and duties of staff. 
 
Second, internal controls should be used not as a tool for imposing penalties, but as an incentive that would enable firms to reduce penalties. This could be done with an immunity scheme that will reduce penalties and administrative fines on an offender who established and complied with internal controls. Also necessary is a system that reduces penalties on a corporate offender who, even after a financial accident, is exerting sufficient effort to improve and abide by internal control standards. However, the first step towards internal controls functioning as an incentive would be a shift away from personal penalties to monetary penalties. This should be supported by an effective penalty regime that toughens the current administrative fines scheme and increases the level of fines.
 
Last but not least, it is desirable to induce the internal control duty to be self-regulated rather than forced by law. By nature, internal controls are a means of internalizing external controls, and were initially derived from delegating the economic function of external controls to financial firms’ self-regulation. To induce financial firms to self-regulate internal controls, the internal control duty prescribed in the Corporate Governance Act should be regarded just as a declaration, or in the long run be scrapped. By bolstering supervisory responsibility for administrative offenses and by giving an incentive to firms with proper internal controls in place, regulators could expect financial firms to voluntarily make their utmost effort to devise and observe internal control standards. Also worth considering on top of that is to induce financial firms as a whole to report their improvement in this area to the authorities, who will share the knowledge with the whole industry. This will certainly help financial firms strengthen their internal control capability. To help Korean financial firms build their strength in this area, it would be of tremendous help to learn from the case of the US when considering broadening training programs for internal control staff and introducing a certification scheme.
 
1) Article 24-1, Act on Corporate Governance of Financial Companies