Compliance Is Not About Control. It's About the Infrastructure of Trust

First, we need to clarify what we mean by a diversified holding. For Freedom Holding, it's not only about having multiple business lines — both financial and non-financial. It also means operating in more than 20 jurisdictions with multi-layered regulatory requirements. At the same time, the company is growing rapidly, which increases the scale and complexity of compliance. Today, there are approximately 200 compliance officers working in the Group across different countries.

In this environment, the mission of compliance is straightforward: not to slow down growth, but to make it safe, manageable and predictable. In other words, our task is to act as both an accelerator of business development and a guarantor of sustainable share price growth.

When a group operates across many jurisdictions and sectors, compliance becomes an essential tool for ensuring unified standards of conduct, regulatory alignment and consistent decision-making. This is critical for building trust among our clients, partners and regulators in both what we offer and how we grow.

In this sense, compliance forms the infrastructure for sustainability. It supports scaling the business while reducing the risk of critical miscalculations, reputational damage and costly corrections.

There are several areas that always remain top priorities. At the Group level, unified policies and standards have been developed for all key compliance risks. These align with international requirements while also taking into account the specific regulatory environments in which the Group's companies operate.

First, there are sanctions and anti-money laundering (AML) risks. These include client, transaction and counterparty verification; compliance with sanctions regimes; and ensuring transparency regarding sources of funds and cross-border transactions. In the current geopolitical and regulatory environment, this area remains one of the most sensitive for any international group.

Second, regulatory resilience across multiple jurisdictions. Companies must manage the regulatory requirements of each market where they operate while minimizing the risk of gaps between global standards and local implementation.

Third, anti-corruption risks (ABAC — anti-bribery and anti-corruption). A robust anti-corruption program, strict oversight of interactions with third parties and transparency in business relationships are essential elements of a mature compliance framework.

Market conduct is also extremely important. This includes handling insider information, preventing market manipulation, maintaining accurate and transparent client communications, and adhering to proper standards of conduct in financial markets.

For a diversified holding company, managing conflicts of interest is equally critical — both at the transaction level and in management decisions. Transparency and timely disclosure of conflicts are key elements of building and maintaining trust.

Finally, there are risks related to data and technology. In a digital holding company, it is impossible to manage compliance risks effectively without high-quality data, transparent IT controls, proper access management and auditable processes. Today, technological maturity directly influences compliance maturity.

At a holding company, the CCO is rather the architect of the control environment and its "integrator" for the business. In a rapidly changing world, this is very important. My job is to ensure uniform standards and prioritization of compliance risks. At the same time, we avoid creating a "one-size-fits-all" compliance system and instead develop requirements proportionate to the business model and jurisdiction.

The second important aspect is communication and culture. Compliance only works when management and employees understand the rules and view compliance as a partner, not just a control and oversight function. To achieve this, it's crucial to be able to speak the same language as the business, share its goals and explain complex requirements in simple terms.

We put significant effort into creating a unified compliance brand within the holding company, viewing it as an important part of the management system and the development of a compliance culture across the Group's companies. For us, this goes beyond internal rules and procedures: the professional community, expertise and knowledge sharing play a vital role.

The compliance team actively participates in professional conferences and industry discussions, where we share practical experience and showcase our team's expertise. We believe it's important not only to participate in such events but also to create them. The holding company organizes and sponsors professional events dedicated to compliance, risk management and corporate ethics.

Developing an internal professional community is equally important. We create a space for the regular exchange of experience between compliance teams across the Group, discussing case studies and disseminating best practices. This helps us develop common approaches and maintain a high professional level among our specialists.

We place special emphasis on employee development: training, sharing expertise, developing competencies and creating an environment in which compliance specialists can grow professionally and share experiences. I'm convinced that a strong professional team and an open culture of collaboration are the foundation of a sustainable and effective compliance system.

Furthermore, as an international group, we have to interact with a large number of supervisory authorities. This applies not only to government regulators per se, but also to numerous external stakeholders who expect a transparent and effective compliance system. These include investors, rating agencies, external auditors, stock exchanges and our international banking partners. Currently, building trusting and long-term relationships is impossible without demonstrating a consistent and verifiable risk management and compliance system that allows all stakeholders to understand how the company makes decisions, manages potential risks and ensures compliance with international standards. Ensuring such a system and maintaining the trust of external stakeholders is one of the key tasks of the holding's compliance function.

Indeed, the holding's companies are very diverse in both their development history and level of maturity. Some began as startups and scaled up, while others were acquired as established businesses, complete with all the accompanying legacy.

These are two different types of complexity. In a startup, it's easier to establish the right DNA: processes, roles, reporting and controls. The challenge lies in the high speed, uncertainty and often the lack of a developed risk culture or the practice of documenting decisions.

Mature businesses typically already have processes and established practices, but the challenge lies in changing ingrained practices, retraining and sometimes rebuilding the compliance risk management system and its checkpoints.

Therefore, the approaches are different: in a startup, we work as "architects," while in a mature business, we act as "modernization engineers."

When entering new markets, a key focus is regulatory design. It is very important to do some homework in advance: to understand the requirements and adjust products and processes so that there is no need to recalibrate the business once it is already launched. This is cheaper, faster and better for the company's reputation. For a large international company, compliance is a way of thinking, part of strategy and part of shareholder value.

As a company scales, compliance becomes more about systemic mechanisms — standards, unified principles, digital solutions, metrics, training and control lines of defense — rather than sporadic control here and there. This approach is consistent with international practice among large financial and technology groups, where compliance is built as an integrated risk management system based on the "compliance by design" principle and the three lines of defense model.

At the same time, it is crucial for us that scaling the compliance function is efficient in terms of resource utilization. Business growth should not automatically mean a proportional increase in costs for supporting functions. This is why we are developing centralized services and unified processes that allow us to serve a larger number of companies and operations without excessively expanding the organizational structure.

Thus, the holding's compliance function includes a dedicated Support Office, which provides support for 19 Group companies. This center performs a number of compliance functions and controls though outsourcing, ensuring unified standards and methodology for companies interacting with more than 9,500 counterparties in total.

Amid the holding's rapid growth, this approach allows us to maintain a balance between quality control, operational efficiency and the efficient use of resources.

The top priority is cross-border requirements and uniform international standards applicable to any public or international company. This includes compliance with international sanctions regimes and financial transparency standards, such as the recommendations of the Financial Action Task Force on Money Laundering (FATF), an intergovernmental organization that develops global standards in the field of combating money laundering and the financing of terrorism (AML/CFT); the requirements of the Foreign Corrupt Practices Act (FCPA), a federal law of the United States on combating corruption in international activities, which has extraterritorial effect; the Office of Foreign Assets Control (OFAC), a division of the U.S. Department of the Treasury that deals with financial intelligence issues and the planning and implementation of economic and trade sanctions; EU sanctions regimes; and other international anti-corruption and compliance standards covering issues of financial transparency, sanctions regulation, combating financial crimes, disclosure of information, data protection and corporate governance.

It's crucial for us to maintain consistent core standards and approaches regardless of the countries where the Group operates. This ensures process comparability, predictability of decisions and trust from regulators and investors.

The regulatory framework and compliance risk management system have become part of our "license to grow." The more transparent and verifiable the system, the easier it becomes to scale and attract capital.

It has become more dynamic, technologically advanced and comprehensive. Products offered to clients have become more complex. Changes are occurring faster, requirements are becoming more detailed and regulators increasingly expect not just formal compliance with regulations, but a demonstrable and effective risk management system.

The role of cross-border regulation has increased, with greater focus on management responsibility and the quality of internal controls. Furthermore, digitalization has changed the very nature of oversight: requirements related to data, cyber resilience, information security and transaction traceability have become part of the overall regulatory framework.

We recently updated our database on the total number of regulators that influence the operations of the holding's companies in the markets where they operate in one way or another. We counted 40 regulators with direct supervisory powers and more than 50 with indirect ones.

These impressive figures clearly demonstrate the complexity of the regulatory landscape we face. Moreover, requirements are not always harmonized: they can be inconsistent and even conflicting. In such circumstances, having the right tools and methodology is truly crucial.

One of the key projects we are currently implementing is the creation of regulatory mapping at the holding level. Simply put, this is a systematized map of requirements across various jurisdictions, aligned with our internal policies, processes and controls. This helps avoid duplication and inconsistencies between local and global requirements, establish a single minimum standard for the entire Group while simultaneously taking into account the specifics of a particular country and accelerate the implementation of changes.

At the same time, we are strengthening our compliance risk assessment methodology and standardizing our control approaches to ensure comparability across jurisdictions. Our goal is not simply to comply with various regulations, but to make the system transparent, scalable and understandable for both businesses and regulators.

The absence of incidents is an important indicator, but it reflects past performance. Therefore, we use metrics that help evaluate a proactive approach and demonstrate system maturity: risk coverage by controls, speed of change implementation, early compliance engagement, audit results, training and culture.

The idea is to measure not only the presence or absence of fires, but also the effectiveness of the alarm and fire-suppression system.

In a modern holding company, data and automation are key enablers of compliance: transaction and client monitoring systems, risk analytics, policy and control management tools, and case management systems for investigations. This enables a shift from reactive control to earlier detection of deviations and anomalies.

A separate area of focus is the development of a unified Enterprise Compliance Risk Management System. We are building it as a modular platform that integrates compliance risk management, the control environment, regulatory mapping, incident management, counterparty due diligence tools, training and reporting.

The goal is to create a unified digital architecture where compliance risks, requirements, controls and data are interconnected, and information is available in near real time. Such a system will improve transparency, data comparability across jurisdictions and accelerate decision-making.

We are also closely exploring the potential for using AI technologies in compliance. This is a crucial area for building the technological foundation for our future work. We analyze and identify processes where the application of AI models would be most effective. AI can help analyze large datasets, identify atypical patterns in transactions, automatically prioritize cases by risk level and support compliance with regulatory requirements. It is important to us that such tools are used to support professional analysis rather than as standalone solutions.

I believe that culture can't be measured by numbers alone. It's evident in how people make decisions when the situation isn't black and white.

Of course, there are measurable indicators — the quality of feedback, the nature of requests and the dynamics of repeated violations. International practice shows that the level of compliance culture is assessed not only by controls but also by behavioral signals within the organization: the extent to which managers demonstrate a "tone from the top," how ethical dilemmas are discussed and the extent to which compliance is integrated into daily business processes. However, a truly mature culture is evident when the right decision is made not out of fear, but from an internal sense of responsibility. Compliance must become part of the mindset, not just a set of rules.

The opportunity to be at the intersection of strategy and responsibility. I can see the business in different dimensions: strategy, operational processes, technology and human behavior — and make the system more resilient.

I'm interested in building an architecture that helps a company grow safely. When you see that the implemented processes are truly effective, preventing risks, increasing transparency, and simplifying decision-making, it gives you a sense of real impact.

Furthermore, this role requires constant development. The regulatory environment is changing, and new technologies and business models are emerging. The CCO's job is a constant intellectual challenge and requires anticipating the company's development several steps ahead. It is this combination of strategy, responsibility and dynamism that makes this profession truly inspiring.

Three things I consider key: the ability to negotiate and explain complex issues in simple terms; the ability to see the big picture and understand the connections; and discipline and calm. Compliance often operates under pressure and uncertainty, and it's important to keep a cool head.

I enjoy several very different activities that help me reset — alpine skiing, motorcycling and light aviation. I guess I compensate for what's missing in my work. Seriously, though, these hobbies require balance, timely decisions and responsibility.