On reading rulebooks for what they do not say

A useful regulatory rulebook teaches you the rules. A more useful one teaches you what the regulator chose not to write down.

This is not about loopholes. Looking for loopholes in financial services regulation is a short career strategy. What is interesting about the spaces between the rules is what they tell you about the regulator's appetite. A rulebook that mandates a quarterly liquidity report and is silent on weekly stress testing is a rulebook that expects the weekly stress testing to exist anyway. The mandate is what the regulator needed to put in writing because the industry could not be trusted to do it without prompting. The silence is what the regulator expects of a firm that is meant to take itself seriously.

The Senior Managers and Certification Regime in the UK is the clearest version of this. It is a thin rulebook by financial-services standards. What it does is map responsibilities onto named individuals. What it leaves alone is the question of what each named individual should actually do day to day. That space is enormous. It is left to firms because the regulator wants firms to fill it. A firm that reads the regime and concludes 'we have to file a statement of responsibilities and an annual fitness review' has missed the point. The regime is a frame. The conduct is the picture.

The Dubai DFSA rulebook reads differently and is also worth reading for its silences. It is more prescriptive on the front end and more permissive on the supervisory tone. The first reading produces a tidy compliance plan. The second reading shows you where the supervisory team is going to ask questions that the rulebook itself does not answer. Those questions are usually about culture, decision quality, and management information. A firm preparing for a DFSA visit on the strength of the rulebook alone will be surprised by the conversation.

The Bahamian framework is the most relationship-driven of the three I work with. A new firm reads it and finds it almost spare. A long-tenured firm reads it and finds it precisely sized for the supervisory practice that has grown up around it. The silences are where the regulator's expectation of the licensee's senior team lives, including the expectation that the resident director and the named MLRO will pick up the phone when the supervisor calls and will know the answer to the question being asked. That expectation is not in the rulebook. It is in the practice.

There is a craft skill in reading regulatory text for what is not there. The craft is built by reading consultation papers, supervisory thematic reviews, speeches by senior regulators, and the public outcomes of enforcement cases. The rulebook is the minimum. The expectations are the floor. The firms that get into trouble are usually the firms that read the minimum as the ceiling.

My working test for whether a firm is reading its rulebook well is to ask the compliance team to draft a one-page note for the chief executive on three things the rulebook does not say but the regulator expects. If the team can draft that note in an afternoon, the firm is in good shape. If the team has to ask what I mean by the question, there is work to do.