Implementation Of Compliance Monitoring Programme Framework Information Technology Essay
The UK Financial Services Authority (FSA) alone has issued over £13 million in fines so far in 2011 (£89m in 2010 and £23 in 2009).
(FSA, 2011) For larger firms, the monetary value of such a fine may be a drop in the ocean. Nevertheless, it may pose a major reputational risk.
According to the Bank for International Settlements Principles on the compliance function in banks (BIS, 2005:14), the responsibility of the bank’s Compliance Function (CF) should be to assist senior management in managing effectively the compliance risks faced by the bank.
Furthermore, the BIS survey on implementation of the compliance principles in banks (2008) shows that the core tasks of the compliance function defined in laws, regulations or binding guidance in respondent jurisdictions are “monitoring and testing compliance”, by performing sufficient and representative compliance testing, and “reporting on a regular basis to senior management”, where the results of the compliance testing are reported in accordance with the bank’s internal risk management procedures.
(BIS, 2005:14; 2008:3)
The importance of an effective Compliance monitoring program is continually growing due to the increased complexity of regulations, rising regulator activity and the growing impact of non-compliance.
Compliance monitoring is, indeed, the heartbeat of any CF. The creation of compliance and policy manuals is important; however, such policy management may be irrelevant without effective compliance monitoring. (ComplianceTrack, 2011) (Appendix)
Therefore, it is essential that every CF takes full advantage of the monitoring process in order to protect its company from the negative consequences that non-compliance in its area may have.
The aim of this assignment is to briefly outline a framework for a Compliance Monitoring Programme for a pan-European Financial Services (FS) organisation. I have based this on the material discussed in class, further research, and my personal experience with Compliance gained in Irish and international companies operating not only in FS, but also in the communications, hospitality and consultancy industries.
Compliance, with Compliance Monitoring at its core, is considered the second line of defence in the overall company Integrated Assurance Framework, also known as the Three Lines of Defence. (Appendix)
The business, standing in the so-called first line of defence, owns, manages and controls compliance risks through management, procedures, controls and quality assurance.
Compliance monitoring carried out by the CF in the second line of defence then provides assurance that the business adequately manages its compliance risks.
In the third and final line of defence, Audit – both internal and external – performs the overall assessment of the adequacy of the compliance function.
BIS (2005:13) suggests there should be appropriate mechanisms for co-operation among all the above assurance providers within the Integrated Assurance Framework and with the head of compliance. These mechanisms should be sufficient to ensure that the head of compliance can perform his or her responsibilities effectively.
Hence, not all compliance responsibilities are necessarily carried out by a “compliance unit”. Compliance responsibilities may be exercised by staff in different departments. (Appendix 1, 2) Such coordination with other assurance providers may lead to one of the three following review approaches (Zurich, 2010):
1. Review execution is performed by another assurance provider (e.g. Internal Audit performs an AML review). In this case, the CF should support the assurance provider with technical expertise during execution of the review (e.g. support in setting up the review programme).
2. Joint reviews. The CF participates in a review led by another assurance provider. In this case only one report will be written, by the assurance provider who has the review lead.
3. Compliance reviews. If review types 1 or 2 are not feasible or adequate, the CF performs its own Compliance review.
BIS Principles (BIS, 2005:14) stress that if some of the Compliance responsibilities are carried out by staff in different departments, the allocation of responsibilities to each department should be clear.
As might be expected, PWC research (2009:16) shows that in practice the three lines of defence can and often do overlap, depending on the organisational compliance structure (e.g. ‘embedded’ compliance staff in the business who undertake real-time surveillance of transactions to ensure compliance with AML, market abuse or client order handling rules).
To resolve these conflicts, PWC recommends putting the CF squarely in the ‘advisory’ category (i.e. in the second line of defence). This means ‘operationalising’ the first line of defence, where compliance control and day-to-day monitoring become more clearly the responsibility of the business, with the compliance function providing oversight and advice. (Appendix)
The Virtuous Cycle (Compliance assurance process)
1. Risk Assessment
The continuous cycle is usually annual and starts with a risk assessment to detect potential compliance issues and risks, in accordance with the company’s risk appetite.
Monitoring is typically (Appendix) planned on a risk-based basis, as this approach enables resources to be targeted to the areas where they are most needed and will prove most effective, potentially not only saving compliance costs but also gaining greater business support for compliance measures. (Better Regulation, 2008)
The following sources need to be considered to determine which compliance risks should be monitored on the highest group company level:
1. Risk assessments, which can, for instance, be categorised by business areas or standards prescribed by regulator (e.g. FSA handbook categories)
2. Regulatory Environment: Laws, regulations, specific requests by the Regulator
3. Monitoring currently executed and planned in the future periods by other assurance providers
4. Local risk assessments and compliance plans
Moreover, the required depth, breadth and frequency of monitoring activities depend on the size and complexity of the company and the nature of its industry.
2. Compliance Plan
Based on this input, the CF establishes its review needs, which should subsequently be discussed and coordinated with other assurance providers in order to leverage the existing review frameworks, to avoid duplication and gaps, and to limit business interruption.
All defined reviews on compliance risks, irrespective of which assurance provider executes them, will be included in the annual Compliance Monitoring Plan.
This Compliance Plan typically details the “what” (scope and objectives, problems/risks, priorities), “who” (resources), “when” (start and finish dates, major milestones), and “how” (activities to be carried out and data to be collected).
3. Compliance Data Collection and Testing
The Compliance procedure manual tells you how to comply with the regulator’s rules. How do you, however, ensure that your company has been following this manual? The answer is by conducting compliance testing on a regular basis to see whether those procedures are working as expected, and what the exceptions are. (Cyriac, 2011)
Hence, the CF should have a process in place that systematically collects all compliance-relevant information.
The list below defines the main issue and risk identification activities that the CF can use to monitor compliance risks (Zurich, 2010):
The aim of compliance testing is to conduct a detailed evaluation of the compliance-relevant procedures and internal controls (manual and automated) built into company business processes, to assess whether these are adequate to manage the risks within the scope of the CF.
Tests should be completed clearly, concisely and accurately, in line with CF and company standard methodologies.
Ideally, a large portion of the testing population can be sourced from the company’s management information system (MIS) – such as records of complaints, errors, exceptions, mitigating actions and their status, trends, and the like.
Reasonable sample sizes should be used when testing areas with a high volume of data (e.g. trades). (Cyriac, 2011)
Compliance monitoring is meant to be both proactive and reactive. It should collect data to prove the availability of controls and validations and it should also collect data relating to failure. (ComplianceTrack, 2011; PWC, 2005)
The actual frequency of tests is dependent on the above-mentioned risk assessments. As a general guideline, higher-risk areas are recommended to be tested more regularly, at least monthly; medium-risk areas at least quarterly; and lower-risk areas at least annually. (Cyriac, 2011)
As mentioned earlier, the CF can take advantage of the connections, resources and expertise within the Integrated Assurance Framework in circumstances where the CF needs to increase the independence, quality and/or frequency of its reviews.
The following basic steps may be executed when performing a Compliance test:
Review Preparation and announcement
Inform the Business about the planned review and discuss review process, scope, timing and collaboration
Prepare the review by gathering information and establishing the review program
Execute the review according to review program and file supporting review documents and evidence
Discuss observations and actions with the Business
Testing by Other Assurance Providers
Regular meetings should be arranged within the Integrated Assurance Framework to identify potential issues that might have an impact on compliance risks.
Also, the CF should be kept in the loop with regard to reports from other assurance providers.
Complaints – External
A complaint-handling procedure, ideally also part of a good MIS, should exist in which all complaints are registered and tracked so that relevant compliance statistics can be reported regularly (e.g. number of complaints, summary of major topics, actions taken, status, development needs).
Complaints – Internal
To encourage employees to express concerns, an infrastructure for reports (often anonymous) should be in place (e.g. dedicated contact persons, hotlines, email address, web forms, etc.) and all staff informed and actively reminded of its existence.
Reported issues are investigated and acted upon in a timely manner, and reported to relevant stakeholders (e.g. number of complaints, major topics, status, channels used for reporting).
Compliance should be seen not just as a monitoring tool but as an active, ongoing support to management.
As business progressively manifests the right behaviour – embodying both integrity and innovation – the need for the CF to “police” its activities diminishes, and the value-adding “counsellor” role comes more to the fore. (Appendix?) (PWC, 2005)
Having a good relationship with the business is vital to the success of the compliance function, particularly when it comes to assessing the compliance risk of the business. Companies with a mature compliance culture tend to think of the compliance function as a vital element of business operations and no decisions on, for example, new business ventures or services would be taken without the involvement of the CF and its advice on all compliance risk areas. (Metheven, 2011)
At the same time, however, the pendulum should not be allowed to swing unreservedly in the “counsellor” direction. Compliance has a critical role to play in compliance oversight and monitoring in order not only to provide the necessary comfort to (senior) management but also to frame the advice it provides going forward. A clear delineation needs to be set between “doing compliance” and “monitoring compliance”.
Yet, interestingly, in the PWC (2009:15) survey of 76 financial institutions based in 16 European countries, forty-eight percent of respondents say the difference between the compliance management and the compliance monitoring programmes is still not fully understood within their organisation.
Hence, the CF should attend all committees where compliance risks may be discussed. An annual Relationship Management plan is a popular solution, outlining the minimum required regular meetings with management to discuss potential risks, issues and new developments.
Regulatory Environment Monitoring
Changes in regulation, laws and the industry should be monitored systematically. Where action is required, the owner of the area concerned should be advised of the matter and the deadline for implementation. The CF should ensure the owner has all the support needed (compliance, legal, etc.) so that the deadlines and requirements of the new regulation are met. As usual, it is important to keep all stakeholders informed.
Compliance officers increasingly appreciate the need for a coherent dialogue with regulators to gain a better understanding of their changing expectations, and the need to monitor the upstream risks of new regulations more effectively. (PWC, 2009:4) To ensure no surprises, or last-minute scrambling and the associated unnecessary expense, particular attention should be paid to monitoring new regulatory proposals. (PWC, 2009:9)
How do we do it? UK monitor it, tell us about it, agree deadlines, help us to read the docs & ensure interpretation ok, bring directors into the loop, …
Regulatory Action Monitoring
Reviews, investigations and requests from regulatory bodies should be received and analysed. The CF must ensure timely resolution of such requests, possibly also coordinating the whole process.
It is good practice to share the results of the Regulator’s activities (e.g. the regulatory review report, including fines or sanctions where appropriate) and implementation progress (status of internal actions) with relevant stakeholders.
Best practice dictates that an annual Training Plan should be established to communicate regulatory/compliance matters to employees of the organisation.
These activities can be measured (e.g. coverage, success rate, completion by deadline) and the results used as indicators for the next periods.
Local CF monitoring
An important part of Compliance monitoring in organisations consisting of various units/branches is to ensure that CFs across the company execute their tasks according to the company principles. (Appendix)
This can be done by:
• regular meetings of the group CF with local CF units (e.g. one-to-one/joint, face-to-face/teleconference/online; discussing risks, activities, infrastructure)
• reporting (e.g. issues, risks, activities, KPI performance)
• periodic meetings with key local business stakeholders (e.g. satisfaction, cooperation, added value, prioritisation, resources)
• regular quality assurance reviews (carried out by the CF and/or in cooperation with another assurance provider)
Monitoring of Outsourced functions and activities
There are strong parallels in approach in terms of controlling third-party networks and outsourced functions or activities. (Appendix) Key control elements stressed by respondents include:
• Quality of the due diligence exercise prior to entering the relationship
• Contracts and written agreements (service level agreements)
• Robust monitoring by the (local) compliance function and testing exercises (for example, mystery shopping)
• Ongoing communication and training sessions
• Quality of the compliance function within the third-party distributor or outsourcer, and compliance policies in place, as well as a clear definition of compliance processes
• Onsite reviews by compliance and internal audit
• Complaints analysis
• Dedicated unit within the compliance function to oversee third-party distributors or outsourcers.
Does IT help?
Priority should be placed on the development and use of technology able to help management to really understand, on a timely and consistent basis, what is going on in the business. From the perspective of the CF, a robust technological infrastructure entails both sophisticated tools for monitoring compliance in business activities, together with appropriate tools for streamlining compliance function activities, and facilitating knowledge sharing. (PWC, 2005:11)
The apparently low level of knowledge of IT within compliance functions supports the view that, in many organisations, the IT department is not considered to be a key stakeholder in the compliance function, and vice versa. However, PWC believes that technology is a key enabler in supporting compliance within the organisation, and presents a significant opportunity for many organisations.
This means the use of technology to:
• Control and manage processes that cut across systems and organisational boundaries. Compliance touches nearly every operating and administrative unit and business process in an organisation, so the task of controlling and managing the compliance process itself is huge. Each of these requires appropriate application of technology in order to establish sustainable compliance (e.g. document management, status reporting, automated internal controls).
Appropriate use of IT can improve the quality of information and the speed of delivery: transferring data from one system to another, replacing manual processes for execution, analysis and reporting, challenging the quality of data, modelling alternatives and delivering reports and dashboard information to decision makers. Reliable information increases confidence to take action.
• Identify and manage events in a consistent and auditable manner. Technology is used to identify events and report exceptions. This involves optimising control capabilities in existing business and support systems, using integration technologies to bring together information from disparate source systems, and administering and monitoring risk and control self-assessments and other surveys.
• Build accountability into the management and reporting of events. IT helps ensure action by creating a “closed loop” environment that incorporates accountability for each incident and requires action.
According to the PWC (2005) survey of 73 FS institutions (63% banking, 19% investments, 18% insurance) in 17 countries, 36 percent of respondents considered inadequate IT infrastructure for compliance monitoring to be one of the biggest challenges to achieving a compliant organisation. (PWC, 2005:19)
4. Data Analysis
The results of reviews on compliance risks, as defined above, should be captured and analysed.
Every Compliance function should systematically monitor and analyse the captured data in order to identify compliance risks, issues, problems and trends.
Key Performance Indicators reflecting the monitoring activities can be an important part of the reporting dashboard and help to identify trends at local and group level.
5. Reporting and Follow up
Reports to stakeholders (e.g. those charged with governance) on compliance monitoring and analysis need to present a balanced view of the situation, risks, issues, actions taken, highlighting both positive and constructive/developmental aspects, and proposing improvement actions.
Reporting happens according to the reporting standards of the particular company but generally includes the following:
Write and discuss report, observations and actions with the business
Share report with relevant stakeholders
Follow up actions
Sample Reporting Content
Objective and Scope
Description of compliance testing/review carried out
Rating of quality of controls and processes under review.
Being part of the Integrated Assurance Framework, Compliance should itself be subject to regular review – usually annual – as mentioned above, usually by internal and external audit.
Benchmarking with industry peers is also a beneficial practice.
Without processes to judge programme elements and implement necessary improvements, any compliance programme will have difficulty staying efficient, effective and up to date. Well-developed routine monitoring and periodic assessment processes, with clear paths for communication of recommended changes, may be the best sign of a mature and effective management system. (OCEG, 2004:2)