Regulatory Compliance Officer (Level 4) Free Practice Test Set Two

Correct: Under FCA COBS 11.2A, firms are required to monitor the effectiveness of their execution arrangements and policy to identify and correct any deficiencies. This includes assessing whether the venues listed in the policy continue to provide the best possible result for the client on a consistent basis. This approach ensures the firm meets its duty to act in the best interests of its clients, aligning with the broader expectations of the Consumer Duty to deliver good outcomes for retail and professional customers.

Incorrect: Requiring a manual price comparison for every single trade is often impractical and does not address the systemic requirement to monitor venue performance over time. Choosing venues based solely on trading volume ignores other critical factors like price, speed, and likelihood of execution, which are necessary for a comprehensive best execution assessment. Focusing exclusively on minimizing explicit brokerage commissions for retail orders is insufficient, as the FCA requires firms to consider total consideration, which includes the price of the financial instrument and all costs related to execution.

Takeaway: Firms must systematically monitor and review execution venues to ensure they consistently provide the best possible results for their clients.

Correct: A hard-coded system control provides a preventative barrier that ensures segregation of duties is maintained at all times. This aligns with the FCA’s SYSC (Systems and Controls) requirements, which mandate that firms must take reasonable care to establish and maintain such systems and controls as are appropriate to its business to counter the risk that the firm might be used to further financial crime, including internal fraud.

Incorrect: The strategy of updating the staff handbook relies on deterrent controls which do not physically prevent a fraudulent transaction from being completed. Simply conducting quarterly reviews of a small sample of overrides is a detective approach that only identifies failures after the risk has already materialized and the funds may have left the firm. Opting for a one-off training session addresses staff awareness but fails to address the underlying technical vulnerability that allows the override to occur in the first place.

Takeaway: Robust fraud prevention requires automated, preventative controls that enforce segregation of duties rather than relying on detective or administrative measures alone.

Correct: The FCA has three operational objectives under the Financial Services and Markets Act: consumer protection, integrity, and competition. The integrity objective specifically focuses on protecting and enhancing the soundness, stability, and resilience of the UK financial system. This includes preventing market abuse, ensuring orderly markets, and combating financial crime. Implementing robust trade surveillance to detect market manipulation is a direct application of maintaining market integrity.

Incorrect: The strategy of maintaining high capital ratios is a prudential requirement focused on financial stability and solvency, which falls primarily under the remit of the Prudential Regulation Authority rather than the FCA’s integrity objective. Focusing on fee disclosures and risk warnings is an exercise in transparency that aligns with the consumer protection objective. Choosing to review product value under the Consumer Duty is a critical regulatory requirement, but it specifically addresses the consumer protection objective and the higher standards of care for retail customers rather than the systemic integrity of the financial markets.

Takeaway: The FCA integrity objective focuses on the orderly operation of markets and the prevention of market abuse and financial crime within the UK system.

Correct: Under Principle 11 of the FCA’s Principles for Businesses, firms must deal with their regulators in an open and cooperative way. Promptly notifying the regulator of a significant breach, even before a full fix is in place, demonstrates transparency. Providing a remediation timeline and an impact assessment shows that the firm is taking accountability and understands its obligations to maintain market integrity and protect consumers.

Incorrect: The strategy of delaying notification until a fix is implemented fails the requirement for timely disclosure and prevents the regulator from assessing ongoing risks. Focusing only on high-level notifications that omit critical details is likely to be viewed as a lack of transparency and may actually increase the likelihood of a Section 166 review. Opting for external auditors to manage all regulatory correspondence is inappropriate because the FCA expects Senior Management Functions to take direct responsibility for the firm’s regulatory relationship and accountability.

Takeaway: Effective regulatory engagement requires proactive, transparent disclosure of significant issues alongside a clear plan for remediation and impact assessment.

Correct: Performing a gap analysis and implementing a remediation plan ensures the firm meets the requirements of the Money Laundering Regulations 2017. This approach addresses the specific failure to verify the Source of Wealth for high-risk clients like PEPs. It demonstrates a proactive, risk-based response to identified control weaknesses within the acquired business unit.

Correct: Under UK MAR and the associated FCA handbook requirements, firms must maintain effective arrangements and systems to detect and report suspicious orders and transactions. A surveillance system that only monitors individual trade sizes while ignoring patterns or cumulative impacts is not considered effective for detecting sophisticated market abuse like spoofing. Internal audit must identify this as a control weakness because the calibration fails to address the risk of fragmented orders used to manipulate market prices.

Incorrect: The strategy of relying solely on fixed quantitative thresholds is insufficient because market abuse often involves patterns of smaller trades designed to bypass simple filters. Opting to report every single alert to the regulator without internal investigation would overwhelm the Financial Conduct Authority and contradicts the requirement for firms to perform their own meaningful assessment of suspicion. Focusing only on technical system uptime ignores the critical human element and the qualitative judgment required to interpret surveillance data and ensure regulatory compliance.

Takeaway: Surveillance systems must be calibrated to detect patterns and cumulative activities rather than just isolated transactions to satisfy UK regulatory expectations for market conduct monitoring.

Correct: Under FCA SYSC 10, firms are required to take all reasonable steps to identify and prevent or manage conflicts of interest. The regulatory framework establishes a clear hierarchy where disclosure is considered a measure of last resort. Firms must first implement effective organizational and administrative arrangements to ensure that the risk of damage to client interests is prevented. Disclosure should only be used when these arrangements are not sufficient to ensure, with reasonable confidence, that the risk of damage to client interests will be prevented.

Incorrect: Focusing only on record-keeping and client signatures for disclosure documents fails to address the regulatory requirement to prioritize the prevention and management of conflicts through structural controls. The strategy of updating the gift and hospitality register, while a valid compliance activity, does not address the specific structural conflict between advisory and distribution roles identified in the audit. Opting for a non-executive director to approve every individual trade is an impractical and disproportionate control that does not address the underlying systemic conflict or align with the expected hierarchy of conflict management.

Takeaway: Firms must prioritize organizational arrangements to prevent conflicts of interest, treating disclosure only as a secondary measure of last resort.

Correct: Under the FCA Consumer Duty (PRIN 12), the Price and Value outcome requires firms to ensure there is a reasonable relationship between the price a consumer pays and the benefits they receive. For legacy products, firms must proactively assess whether the product still offers fair value, especially if the fee structures were designed under older regulatory frameworks. Failing to conduct a substantive value assessment for these 4,500 clients means the firm cannot evidence that these customers are not suffering foreseeable harm through high costs that are no longer justified by the product’s utility.

Incorrect: Focusing only on the lack of side-by-side fee comparisons relates more to the Consumer Understanding outcome rather than the substantive assessment of whether the price itself is fair. The strategy of assuming a violation occurs because clients weren’t automatically moved to the cheapest share class is incorrect, as the Duty requires fair value but does not strictly mandate the lowest possible price in every instance. Opting for a comparison of profit margins against industry averages is insufficient because the FCA focuses on the value provided to the specific customer base rather than the firm’s relative profitability compared to its peers.

Takeaway: The Consumer Duty requires firms to proactively assess and evidence that all retail products, including legacy ones, provide fair value to customers.

Correct: Under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), UK firms are required to take appropriate steps to identify and assess the risks of money laundering and terrorist financing. This includes a requirement to keep the risk assessment up to date. By failing to update jurisdictional ratings and ignoring the UK National Risk Assessment, the firm is unable to demonstrate that its controls are proportionate to the actual risks it faces in the current regulatory environment.

Incorrect: Suggesting that the Financial Conduct Authority must provide annual sign-off on individual firm risk assessments misinterprets the regulator’s role, as they supervise firms rather than approving internal operational models. The strategy of requiring the Money Laundering Reporting Officer to manually perform every assessment ignores the necessity of scalable, technology-enabled systems in modern investment firms. Focusing on the automatic termination of clients based on jurisdictional shifts is an overly rigid approach that contradicts the risk-based principle of applying enhanced due diligence where appropriate.

Takeaway: UK firms must regularly update their AML risk assessments to reflect the current regulatory environment and national risk findings as required by MLR 2017.

Correct: A robust compliance risk assessment must distinguish between inherent risk and residual risk to determine if existing controls are sufficient. In the UK regulatory context, this framework must also align with the firm’s internal risk appetite and the FCA’s Consumer Duty, which requires firms to proactively assess and manage risks to consumer outcomes.

Incorrect: Relying on a fixed biennial schedule is insufficient because it fails to account for rapid regulatory shifts or changes in the firm’s product complexity. The strategy of keeping risk identification solely within compliance ignores the vital first-line perspective, leading to a disconnected and potentially incomplete risk profile. Opting for a focus on capital and liquidity metrics is more appropriate for prudential risk management rather than a comprehensive compliance risk assessment, which must prioritize conduct and consumer protection.

Takeaway: Effective compliance risk assessments must evaluate residual risk against the firm’s appetite while integrating regulatory priorities like consumer outcomes and conduct.

Correct: In a Mudaraba contract, the Rab-al-Maal (investor) provides the capital and bears the financial risk of loss, provided there is no negligence or misconduct by the Mudarib (bank). The bank contributes expertise and management; if a loss occurs, the bank receives no compensation for its work, representing its share of the loss.

Incorrect: The strategy of providing a contractual guarantee of principal is prohibited in Mudaraba as it transforms the investment into a loan, creating a Riba-based transaction. Focusing on equal sharing of losses regardless of capital contribution describes a different partnership structure and ignores the specific roles in a Mudaraba contract. Opting for a model where the bank absorbs a fixed percentage of loss as an incentive violates the principle that the capital provider bears the financial risk.

Takeaway: In a Mudaraba arrangement, the capital provider bears the financial loss while the manager loses their effort and potential profit.

Correct: In a Mudaraba contract, the Rab-al-mal (capital provider) bears all financial losses up to the limit of their investment, provided the loss did not result from the manager’s negligence or breach of contract. The Mudarib (manager) loses the value of their labor and expertise, as they receive no share of profit. This distribution of risk is a core requirement for the contract to remain Shariah-compliant and must be clearly disclosed to UK retail clients under the FCA’s Consumer Duty to ensure they understand the risks involved.

Incorrect: The strategy of sharing losses in the same ratio as profits is incorrect because it describes a Musharaka (partnership) rather than a Mudaraba, where only the capital provider risks financial loss. Opting for a principal guarantee by the manager would violate Shariah principles by removing the risk-sharing element and effectively turning the contract into a loan with interest (Riba). Choosing to carry the loss forward against the manager’s personal capital is inconsistent with the limited liability of the manager for market-driven losses in a Mudaraba structure.

Takeaway: In a Mudaraba, the capital provider bears all financial losses while the manager loses only their time and effort.

Correct: Under an Ijara wa Iqtina Home Purchase Plan in the United Kingdom, the bank must hold legal ownership of the asset to validly lease it to the customer. This structure satisfies Shariah requirements for asset-backed financing and is recognized under the FCA MCOB rules. The customer pays rent for the portion of the property they do not yet own and makes additional payments to gradually acquire the bank’s share, eventually leading to a transfer of legal title.

Incorrect: Treating the arrangement as a simple cash loan with a rebranded profit rate fails to meet the Shariah requirement for a trade-based or lease-based transaction and misrepresents the legal structure of an HPP. Suggesting the bank guarantees against capital loss violates the Shariah principle that risk must be shared and cannot be fully guaranteed in a partnership-style arrangement. Asserting the client holds all legal ownership from the start while the bank is just an agent describes a Wakalah or Murabaha structure rather than the leasing model required for Ijara.

Takeaway: UK Ijara Home Purchase Plans require the bank to hold legal title while the client acquires equity through rental and capital payments.

Correct: In a Wakala model, the Takaful operator acts strictly as an agent for the participants. The operator’s compensation is limited to a known, upfront fee for managing the fund. Since the participants are the owners of the risk fund, any remaining surplus after claims and expenses belongs to them. This structure provides the transparency required by UK regulators regarding how customer money is handled and ensures the operator does not profit directly from the underwriting results.

Incorrect: The strategy of sharing the underwriting surplus between the operator and participants is characteristic of the Mudaraba model, which is often avoided in underwriting due to Shariah concerns regarding profiting from risk-sharing. Choosing to transfer the surplus to the operator’s shareholders treats the Takaful fund like a conventional proprietary insurance company, which contradicts the mutual nature of Shariah-compliant risk sharing. Focusing on using the surplus only to offset future management fees ignores the participants’ right to a direct distribution or the maintenance of a collective reserve fund.

Takeaway: In the Wakala Takaful model, the operator receives a fixed fee while the participants retain all rights to the underwriting surplus.

Correct: In Islamic capital markets, when a company passes the primary business screen but has a small amount of impure income, the process of purification is required. This involves identifying the portion of the dividend derived from non-permissible activities and cleansing it by donating it to charity. This ensures the investor only receives the halal portion of the earnings, maintaining the integrity of the Shariah-compliant investment vehicle.

Incorrect: The strategy of reinvesting the entire dividend into the company’s shares is flawed because it merely transforms the prohibited income into another asset class rather than removing it from the fund. Choosing to use the non-permissible funds to cover brokerage fees is prohibited as it provides a direct financial benefit to the fund from haram sources. Opting to reduce management charges with these funds is also non-compliant because the fund manager cannot derive any benefit or cost-offset from prohibited income.

Takeaway: Purification requires donating the non-permissible portion of dividends to charity to ensure the remaining investment returns are Shariah-compliant.

Correct: The Islamic Financial Services Board (IFSB) is the international standard-setting body specifically tasked with promoting the stability and resilience of the Islamic financial services industry by issuing prudential and supervisory standards. Its standards cover capital adequacy, risk management, and corporate governance for Islamic financial institutions, complementing the work of the Basel Committee on Banking Supervision.

Incorrect: Relying on the Accounting and Auditing Organization for Islamic Financial Institutions (AAOIFI) is incorrect because that body focuses primarily on Shariah, accounting, and auditing standards rather than prudential capital adequacy frameworks. Consulting the International Auditing and Assurance Standards Board (IAASB) is inappropriate as they set global standards for auditing and quality control rather than specific Islamic prudential requirements. Focusing on the Financial Reporting Council (FRC) is insufficient because, while it is the UK regulator for accounting and actuarial work, it does not provide the specialized prudential standards required for Islamic financial instruments.

Takeaway: The IFSB sets the global prudential and supervisory standards for Islamic finance, focusing on capital adequacy and risk management.

Correct: Shariah-compliant fund management requires the purification of any incidental non-permissible income, such as interest earned by underlying companies. The fund manager must calculate the tainted portion of the dividends or capital gains and proactively remove it from the fund’s distributable income. This amount is then donated to a charitable cause to ensure the remaining returns are halal for the investors, adhering to both Shariah principles and the fund’s stated investment mandate.

Incorrect: The strategy of retaining interest income to pay for operational costs like Shariah audits is prohibited because non-permissible funds cannot be used for the benefit of the fund or its management. Choosing to reinvest the impure income back into the fund’s assets fails to remove the prohibited element, thereby compromising the Shariah status of the entire portfolio. Opting to distribute the income to investors with a disclosure notice is insufficient as the fund manager has a fiduciary and Shariah duty to ensure the fund remains compliant at the source before distribution.

Takeaway: Fund managers must purify incidental non-permissible income by donating it to charity to ensure the fund remains Shariah-compliant for investors.

Correct: Gharar refers to excessive uncertainty or ambiguity in a contract. For a transaction to be Shariah-compliant, the subject matter must be clearly defined, in existence, and capable of delivery. Selling an item that is not owned or whose delivery is contingent on an uncertain event creates Gharar Fahish. This invalidates the contract under Shariah principles to prevent exploitation and disputes.

Correct: The Shariah Supervisory Board requires full operational independence and access to information to perform its oversight role effectively. This aligns with AAOIFI Governance Standard for Islamic Financial Institutions No. 1, which emphasizes the need for an internal Shariah review to verify that the management complies with the SSB’s rulings. In the UK, while the Financial Conduct Authority does not regulate Shariah compliance itself, it expects firms to have robust systems and controls to deliver what they promise to consumers under the Consumer Duty.

Correct: Under Shariah principles, a Qard is an interest-free loan where the borrower (the bank) is only required to return the principal amount. Any contractual agreement to pay a surplus or benefit to the lender (the depositor) as a condition of the loan is considered Riba (interest). While the bank may choose to give a gift (Hibah) to the depositor, this must be entirely at the bank’s discretion and cannot be promised, guaranteed, or linked to a specific balance requirement in the contract.

Incorrect: Simply re-labeling a guaranteed return as a service incentive does not change the underlying nature of the transaction and remains a violation of the prohibition of Riba. Suggesting a Mudaraba structure with a guaranteed principal and a fixed return is incorrect because Mudaraba is a profit-sharing contract where the capital provider must bear the risk of loss, and the bank cannot guarantee returns. Opting for a Wadiah contract with a fixed, pre-determined reward percentage is also prohibited, as any return in a safekeeping arrangement must remain discretionary and non-contractual to avoid being classified as interest.

Takeaway: In Qard or Wadiah deposit products, any returns to the customer must be discretionary and cannot be contractually guaranteed or promised.

Correct: In a Mudaraba (trustee finance) arrangement, the capital provider (Rab-al-Maal) bears all financial losses because they are the sole provider of the capital. The fund manager (Mudarib) contributes expertise and labor rather than capital; therefore, their loss is the ‘opportunity cost’ of their time and effort, for which they receive no fee or profit share if the venture is unsuccessful. This holds true as long as the loss was not caused by the manager’s negligence, misconduct, or breach of contract.

Incorrect: The strategy of sharing losses in the same proportion as profits is incorrect because it describes a Musharaka (partnership) where both parties contribute capital, rather than a Mudaraba. Choosing to indemnify the capital provider for the principal amount would invalidate the Shariah compliance of the contract, as a Mudarib cannot guarantee the capital. Opting for an equal split of losses ignores the fundamental principle that financial liability in a Mudaraba is strictly tied to capital ownership.

Takeaway: In Mudaraba contracts, financial losses are borne exclusively by the capital provider, while the manager loses their time and effort.

Correct: In a Musharaka contract, Shariah principles and AAOIFI standards allow partners the flexibility to negotiate and agree upon a profit-sharing ratio that does not necessarily match their capital contributions. However, losses are considered a capital impairment and must be shared strictly in proportion to the capital invested by each partner at the time the loss occurs. This ensures that no partner is unfairly burdened with financial loss beyond their ownership stake, maintaining the equity-based nature of the contract.

Incorrect: The strategy of requiring both profits and losses to follow the capital ratio is a common misconception that overlooks the contractual freedom to negotiate profit distribution differently. Focusing only on a fixed percentage of property value for the bank would transform the arrangement into a debt-like instrument, which violates the prohibition of Riba and the risk-sharing essence of Islamic finance. Opting for a pre-agreed ratio for losses that deviates from capital ownership is prohibited under Shariah law, as losses must always follow the ownership of the underlying assets.

Takeaway: In Musharaka, profit sharing is determined by mutual agreement, but loss sharing must strictly follow the proportion of capital contribution.

Correct: In Shariah investment screening, a company is generally considered Haram if its income from prohibited activities, such as tobacco, alcohol, or gambling, exceeds a specific threshold, typically 5% of total revenue. Since the retail group generates 8% from tobacco, it fails the qualitative business activity test and must be excluded from the Shariah-compliant portfolio.

Correct: In modern Islamic finance, equity screening allows for a ‘de minimis’ amount of non-permissible income (typically up to 5% of total revenue). This interest income must be ‘purified’ by donating the proportional amount to a charity to ensure the remaining returns are Halal for the investor.

Incorrect: The strategy of categorizing any company with minor interest exposure as Haram is an overly restrictive approach that would exclude almost all publicly traded companies in a conventional financial system. Relying on the Financial Conduct Authority for Shariah waivers is incorrect because the FCA regulates market conduct and consumer protection rather than religious compliance. Choosing to offset interest with speculative derivatives is a violation of the prohibition on Maysir (gambling) and would introduce further Shariah non-compliance rather than resolving the Riba issue.

Takeaway: Shariah-compliant equity funds use financial screening and purification to manage incidental interest income within conventional markets.

Correct: In a Murabaha contract, the financier must own the asset before selling it to the customer. This requirement for possession, whether legal or constructive, ensures the transaction is a genuine trade of an asset rather than a loan of money. By taking ownership, the bank assumes the risk associated with the asset, which justifies the profit margin (markup) under Shariah principles, distinguishing it from Riba-based interest.

Incorrect: Focusing only on the client’s income for profit calculation ignores the fundamental cost-plus structure of the Murabaha contract. The strategy of requiring a guarantee against property value depreciation inappropriately shifts all commercial risk to the buyer and contradicts the principles of risk-sharing in Islamic finance. Choosing to act as an agent for a conventional mortgage is incorrect because it involves facilitating an interest-bearing loan, which is strictly prohibited regardless of the rate obtained.

Takeaway: Murabaha requires the financier to possess the asset before resale to ensure the transaction is a valid trade rather than a loan.

Correct: In a Mudaraba arrangement, the bank acts as the Mudarib (manager) and the customer as the Rab-al-mal (investor). Shariah principles require that the profit-sharing ratio is determined as a percentage of the actual profit at the start of the contract. Crucially, the investor bears the financial risk of loss, while the bank loses its effort and time, provided the bank has not been negligent or acted in bad faith. This structure must be clearly disclosed to comply with the FCA Consumer Duty regarding the customer’s understanding of risk.

Incorrect: The strategy of guaranteeing the principal or a specific return is prohibited because it effectively turns the investment into a loan with interest, which constitutes Riba. Relying on a fixed interest rate linked to central bank benchmarks as a guaranteed payment violates the requirement that returns must be derived from actual underlying profit-generating activities. Choosing to share financial losses equally between the manager and the investor is a characteristic of a Musharaka (partnership) contract rather than a Mudaraba contract, where the manager does not contribute capital and therefore does not bear financial loss.

Takeaway: In Mudaraba, profits are shared by a pre-agreed ratio while financial losses are borne solely by the capital provider.

Correct: In a Musharaka (partnership) contract, Shariah principles dictate that while profit-sharing ratios are flexible and determined by mutual agreement, losses must be distributed strictly according to the capital contribution of each partner. This ensures that the financial risk is aligned with the ownership stake in the venture, which is a fundamental requirement for a valid partnership. This approach also aligns with UK regulatory expectations for transparency and fairness in risk disclosure.

Correct: Qiyas, or analogical reasoning, is the process where Shariah scholars extend a ruling from a primary source (the Quran or Sunnah) to a new case that is not explicitly mentioned, provided both cases share the same effective cause (‘illah). In the context of modern UK Islamic finance, this allows for the Shariah-compliant treatment of contemporary financial instruments by linking them to established principles.

Incorrect: Relying on the unanimous agreement of qualified Shariah jurists on a particular issue describes the concept of consensus rather than analogy. Focusing on the recorded practices, sayings, and approvals of the Prophet refers to the second primary source of Shariah law. The strategy of justifying a ruling based on the broader public interest or general welfare of the community refers to a different secondary principle used when no specific text or analogy is available.

Takeaway: Qiyas is the secondary source of Shariah that uses analogical reasoning to apply existing rulings to modern financial innovations through shared causes.

Correct: Under FCA SYSC 6.1, firms must maintain adequate policies and procedures to ensure compliance with regulatory obligations. In a change management context, the Compliance Officer must ensure that system migrations do not create compliance blind spots. Pausing the rollout to perform a gap analysis and implementing compensatory controls ensures that the firm remains compliant with its monitoring obligations. Briefing the Senior Manager aligns with SM&CR accountability requirements by ensuring the individual with the relevant Statement of Responsibility is aware of the residual risk.

Incorrect: Increasing the sampling size of manual reviews across the entire firm is an inefficient strategy that fails to specifically mitigate the risk of the failed automated flags. The strategy of requesting a regulatory waiver for core monitoring requirements is unlikely to be successful and does not fulfill the internal advisory duty to manage change effectively. Pursuing a total system reversion is a disproportionate response that ignores the business need for innovation and fails to provide constructive support for the transition process. Focusing only on technical patches without implementing immediate compensatory controls leaves the firm in a state of non-compliance during the interim period.

Takeaway: Change management support requires balancing business objectives with regulatory requirements through risk-based gap analysis and robust governance under the SM&CR framework.

Correct: A tiered approach ensures training is relevant to specific job functions, aligning with FCA expectations for individual competence. Knowledge assessments provide objective evidence of understanding. Feedback loops allow for continuous improvement.

Incorrect: Relying solely on generic annual e-learning fails to address the nuanced risks inherent in different operational roles. Simply collecting digital signatures on policy documents does not prove that employees can apply the rules. Focusing only on senior management workshops leaves the frontline staff without the practical guidance needed for daily compliance.

Takeaway: Effective implementation requires role-specific training and measurable assessments to prove that compliance policies are genuinely embedded across the entire organization.