Setting Up a Compliance Framework as a Start-Up
By Oyetola Muyiwa Atoyebi, SAN, FCIArb. (UK).
In July 2022, two (2) Nigerian businessmen were jailed for breaking Anti-Money Laundering laws in the United States of America. Anslem Oshionebo and Opeyemi Ode, CEO and COO respectively of Fintech start-up, Ping Express, both recently received 27-month prison sentences for intentionally transferring criminal proceeds.
The above underscores the need for start-ups to take compliance seriously in order to prevent criminal liability.
This article examines what a compliance framework is (and what it is not), the need for a compliance framework, cost-effective strategies for establishing a compliance framework as a start-up and finally, the advantages of having a compliance framework.
What is Compliance?
In a business, there are essentially three (3) lines of defence: Internal management, risk management/compliance and external audit.
According to the Oxford Learner’s Dictionary, Compliance refers to the practice of obeying rules or requests made by people in authority. In corporate and business terms, it is making sure that your company adheres to its obligations under the various laws, regulations, industry practice guidelines and organizational guidelines that apply to it.
A compliance framework is a structured set of guidelines to aggregate and harmonize, then integrate, all compliance requirements applicable to an organization.
Every company has specific compliance obligations that it must meet to keep its licenses, operate in a lawful manner, and satisfy the requirements of internal and external auditing. However, setting up a framework that covers all of a company’s compliance obligations requires a lot of time and effort. This is also a particularly difficult process for start-ups because they are usually in their first stage of operations, without the same financial and human resource depth that more established companies have.
Securing Your Business
As earlier defined, a compliance framework is a structured set of guidelines to aggregate and harmonize, then integrate, all compliance requirements applicable to an organization. Put differently, it is a scheme that incorporates different authorities, laws, and regulations into one cohesive system that ultimately goes to improve the company’s output and productivity. It streamlines several laws into a focused administrative process.
In order to operate smoothly within the Nigerian business environment, start-ups need to be in lockstep with the various regulations that apply to them. This is also compounded for start-ups, especially in the tech space, because the regulatory framework for start-ups in Nigeria is still in its infancy. The passage of the Start-up Bill will go a long way to hasten the development of the regulatory framework for start-ups in Nigeria.
For a start-up to set up a compliance framework, it needs to principally understand what type of business it is. This is important because every other step in setting up a compliance framework flows from this. More specifically, the company must understand its structure, funding sources and the various contracts and agreements that it has entered into. It must also understand what its brand and reputation are, collate internal documents and policies on things like employee behaviour, and establish a company vision and goal. These are internal sources of its compliance framework and will serve to guide the company as it goes about setting the right tone for its documents.
Externally, the company must understand the regulatory environment in which it operates. In order to do this, a company should have copies of laws, circulars and guidelines that directly or indirectly affect its business practices. It is also a good practice to monitor upcoming bills in various houses of legislature that have the potential to impact its business. For example, a company that is registered as a private limited liability company may decide not to have a company secretary as it is not mandatory for small companies to have one under the Companies and Allied Matters Act (CAMA) 2020.
Companies also need to be abreast of global compliance frameworks that may affect them directly. For example, the European Union adopted the General Data Protection Regulation (GDPR) in 2018 and this sparked major changes in European data privacy laws. This new law also applied to international companies doing business in the EU. Non-compliance with the GDPR carried large financial penalties.
When these laws and regulations have been identified, the next step is identifying the company’s obligations under these rules and regulations and collating them in an internal register.
YOUR COMPLIANCE TEAM
Once this is done, the compliance team should be assembled and primarily tasked with identifying the gaps in the laws and regulations. The compliance team is to note existing obligations to report regularly to the appropriate regulator. The goal at this point is to understand the existing obligations, their applicability and where necessary updates should be made.
Once gaps have been identified, it becomes important to develop systems to fill in the gaps. This is important in risk management and avoidance while running a business.
Compliance teams in start-ups mostly focus on filing annual returns at the Corporate Affairs Commission as and when due, adhering to Anti-Money Laundering laws, Data Protection and obtaining the appropriate business licenses. It should be noted that the areas listed above are by no means exhaustive. Ultimately, compliance teams deal with regulated conduct – government regulations that set out business requirements.
In day-to-day operations, compliance teams deal with corporate governance issues, build out systems and processes, and honour company policies and external requests from government regulators.
There also has to be a system for reporting on these systems and on instances of non-compliance with them. Incidents of non-compliance must be taken note of, tracked and resolved. There should be a formal reporting system that the company’s management oversees.
In addition to the above, companies will also be served by developing a good operational compliance relationship with regulators, one that also accommodates responding to ad-hoc queries and information requests.
BUILDING A COMPLIANCE TEAM
Principally, founders and entrepreneurs should make sure that their compliance framework is commensurate with the risks and resources of the company. Sometimes a full-blown team may be too expensive for an early-stage start-up. If you are also working with more established partner companies, you may also depend on their compliance framework to cut costs.
As the company grows and you raise some money, you can hire a compliance officer who is knowledgeable about your specific compliance needs and has a great relationship with regulators in your industry.
Ideally, your first compliance hire should have a growth perspective and should be focused on trying to help your company grow and scale. It is also important that founders are clear to their new hires about the nature and future growth of their jobs.
COMPLIANCE HIGHLIGHTS IN NIGERIA
- Companies and Allied Matters Act (CAMA) 2020: Start-ups must take note of the different types of companies under the Companies and Allied Matters Act and their minimum issued share capitals.
Companies are also required to file annual returns once a year at the Corporate Affairs Commission. This is important because it informs the Commission and the general public that the company is still active. Failure to do this leaves the company and every director/officer of the company liable to a penalty as may be prescribed by the Commission. New companies are not required to file annual returns in the year of their incorporation or the following year, as long as they hold their first Annual General Meeting (AGM) within 18 months of incorporation.
- Nigerian Data Protection Regulation (2019): Under these regulations, a data subject’s consent must always be sought in order to obtain and process their data. In order for this to be done lawfully, it must be without undue influence, fraud and coercion.
The NDPR also mandates all organizations that process the personal data of more than 1000 data subjects in a period of 6 months, and 2000 Data Subjects in a period of 12 months, to submit a Data Protection Audit report to NITDA not later than 15th March, every year.
Other compliance requirements can also be seen in Taxation, Anti-Money Laundering/ Counter Terrorism Financing and Technology Acquisition and Promotion.
THE NEED FOR A COMPLIANCE FRAMEWORK
- A compliance framework is a guide used to build a compliance program, to ensure that the program fulfils the compliance obligations to keep an organization safe from lawsuits, fines and other penalties stemming from non-compliance.
- A compliance framework provides a methodology: an organized set of guidelines and best practices that spells out the process by which a company can meet its regulatory requirements.
- The objective is to keep a company in compliance with all regulations at all times. Some frameworks address specific areas of your business processes, such as data security, and provide the specific controls, procedures, or processes you could implement to achieve compliance with various data security standards that might apply to your business.
- An organization can use compliance frameworks to enhance security, improve business processes, and realize other business objectives, such as qualifying to bid on contracts managed by government agencies.
Finally, a founder should always ensure that he/she periodically reviews the company’s compliance framework, in order to effectively avoid/mitigate risks of non-compliance without creating additional responsibilities for its administration and day-to-day operations. At a minimum, an annual self-assessment exercise should be conducted.
Companies should also ensure that they hire external auditors to conduct periodic assessments of their compliance frameworks when they scale.
AUTHOR: Oyetola Muyiwa Atoyebi, SAN, FCIArb. (UK).
Mr. Oyetola Muyiwa Atoyebi, SAN is the Managing Partner of O. M. Atoyebi, S.A.N & Partners (OMAPLEX Law Firm) where he also doubles as the Team Lead of the Firm’s Emerging Areas of Law Practice.
Mr. Atoyebi has expertise in and a vast knowledge of Corporate and Commercial Law and this has seen him advise and represent his vast clientele in a myriad of high level transactions. He holds the honour of being the youngest lawyer in Nigeria’s history to be conferred with the rank of a Senior Advocate of Nigeria.
He can be reached at email@example.com
CONTRIBUTOR: Nnamdi Okoronkwo.
Nnamdi is a member of the Corporate and Commercial Team at OMAPLEX Law Firm. He also holds commendable legal expertise in Start-up Advisory and Taxation.
He can be reached at firstname.lastname@example.org.