Compliance Function: International Best Practice
37 Questions

Created by
@MomentousSeattle

Questions and Answers

Where should compliance start according to the content?

  • At the compliance staff level
  • At the bottom
  • At the top (correct)
  • At the middle management level

    Compliance is the responsibility of specialist compliance staff alone.

    False

    What is the purpose of the Compliance Manual?

    To formally document the standards to be followed by all employees in their personal conduct and in conducting business with customers and counterparties.

    According to BIS Principle 6, the compliance function should have the ______ to carry out its responsibilities effectively.

    resources

    What are the key purposes of a well-run compliance function?

    provide reassurance to the board and senior management, provide advice and assistance, identify good and bad practices, provide analysis of regulatory changes, build good relationship with regulators, respond to proposed legislation

    What is one way in which technology can be utilized in developing performance indicators for compliance risk assessment?

    Filtering data that may indicate potential compliance problems

    The compliance function must establish a method for reviewing every item of processed work.

    False

    The compliance function needs to monitor and test compliance by performing sufficient and representative compliance ________.

    testing

    Match the compliance monitoring programme stages with their descriptions:

    • Stage 1 - Information Gathering = Gathering data on potential adverse events
    • Stage 2 - Scoring = Scoring events for financial impact, exposure, and probability
    • Stage 3 - Mitigation Plan = Developing a plan to improve the risk position of the business

    What does exposure frequency score measure?

    How often the activity occurs that could give rise to an adverse event

    Low PORC factor indicates a high likelihood of an adverse event occurring.

    False

    What variable can affect the weighting of priority subjects for inclusion in the monitoring program?

    Anxiety weighting, Perspective, Days since last tested

    Internal policies and procedures reflect the firm's interpretation of the ____________.

    regulations

    Match the following terms with their definitions:

    • Regulations = Provided by governments and regulatory bodies to give clear minimum rules by which businesses can operate
    • Internal policies = Created within each firm to guide staff and management in respect of the core principles by which the firm will achieve compliance
    • Procedures = Provide detailed guidance on the action to be taken by management and staff

    What are common methods used to monitor compliance?

    All of the above

    What is the main purpose of a firm's code of conduct?

    To document the expectations of how staff and management will act in various matters.

    The compliance function should have independence within a firm.

    True

    Manual processes are open to error; human beings will make mistakes; fully automated processes can be vulnerable if system problems arise. Compliance __________ provides the second line of defence.

    monitoring program

    Match the following compliance roles with their responsibilities:

    • Educating staff on compliance issues = Training material review and regulatory updates
    • Acting as a point of contact for compliance queries = Compliance helpdesk and FAQ guide
    • Providing written guidance to staff = Support business areas in maintaining standards

    What does a regulator expect a firm to do when outsourcing tasks?

    All of the above

    What needs to be done with minor regulatory breaches?

    recorded in a breaches log and a record kept of the resolution

    According to the European Banking Authority guidelines on outsourcing, who remains responsible for all activities, including those that are outsourced?

    Financial institution's management

    If a breach is notifiable, to whom should a report be made?

    Regulator

    What is the consequence of failing to report suspicions of financial crime?

    criminal offence

    Outsourcing by financial institutions in the US is not subject to any regulations.

    True

    Risks can be mitigated, eliminated, or ________.

    accepted

    What is considered tipping off in the context of financial crime?

    Informing the client that a report is being made about them

    What is the purpose of the compliance team's periodic internal updates?

    To summarise regulatory themes or specific matters of interest and provide a 'call to action' for the firm.

    Which of the following are examples of methods for monitoring an individual’s compliance? (Select all that apply)

    Regular appraisal of performance by senior staff

    Low-impact firms are usually required to send regulatory reports more frequently than larger firms.

    False

    For high-impact firms, the regulator may apply a closer monitoring regime which involves a planned ongoing schedule of visits to the firm to meet the firm’s directors and senior management ___________.

    regularly

    Why do regulators collect information from small firms?

    To identify collective risks and improve standards across the industry

    What is the key role of compliance staff in building a relationship with the regulator?

    To build a good relationship with the regulator based on mutual trust and open communication

    What is the purpose of a regulator's consultation papers?

    To allow firms to formally express their opinions on forthcoming regulations

    What is the purpose of a regulatory visit?

    To undertake risk assessments, thematic research, and investigation, and to discuss specific areas of the firm's business

    Firms can refuse to cooperate with a regulatory visit.

    False

    What should firms do in the event of a dawn raid?

    Check the warrant, ensure that all investigators are named, and brief employees on the scope of the warrant

    Study Notes

    The Compliance Function

    • International best practice in compliance involves implementing systems and controls to ensure a firm operates in line with regulatory standards
    • Compliance is most effective in a corporate culture that emphasizes honesty and integrity, led by the board of directors and senior management
    • Compliance is a concern for everyone in an organisation and should be viewed as an integral part of everyday activities
    • A firm needs to establish, implement, and maintain adequate policies and procedures to ensure compliance with regulatory obligations

    Organising Appropriate Systems and Controls

    • Compliance risk is the risk of legal or regulatory sanctions, material financial loss, or loss to reputation due to non-compliance
    • A compliance function should operate independently, be sufficiently resourced, and have responsibilities including assessing and monitoring compliance and advising on compliance obligations
    • The Basel Committee on Banking Supervision (BCBS) has issued ten principles on compliance and the compliance function, applicable to firms across the financial sector

    Responsibilities of the Board and Senior Management

    • The board of directors is responsible for overseeing the management of compliance risk, approving the compliance policy, and assessing the effectiveness of compliance risk management
    • Senior management is responsible for managing compliance risk, establishing and communicating a compliance policy, and reporting to the board on compliance risk management

    Adequate Resources

    • The compliance function should have sufficient and appropriate resources to carry out its responsibilities effectively
    • Compliance function staff should have necessary qualifications, experience, and professional and personal qualities to perform their duties
    • Regular and systematic education and training are necessary to maintain the professional skills of compliance function staff

    Compliance Manual and Policies

    • A compliance manual formally documents standards to be followed by all employees in their personal conduct and business activities
    • The manual serves as a guide on compliance-related content of the company's corporate governance manual
    • The compliance manual provides employees with information required to comply with rules and regulations applicable to their activities

    An Effective Compliance Function

    • An effective compliance function can add value to a business by providing reassurance, advice, and assistance to senior management and staff
    • The compliance function should take a proactive approach to monitoring the business and providing advice to senior management
    • The compliance function can help build a strong reputation and attract business by identifying and recording good and bad practice and providing feedback on failures in controls and compliance

    Identification, Measurement, and Assessment of Compliance Risk

    • The compliance function proactively identifies, documents, and assesses compliance risks associated with the firm's business activities
    • Compliance risk assessment involves measuring compliance risk and using such measurements to enhance compliance risk assessment
    • Technology can be used to develop performance indicators and identify potential compliance problems

    Monitoring, Testing, and Reporting

    • The compliance function monitors and tests compliance by performing sufficient and representative compliance testing
    • The results of compliance testing are reported to senior management, including any identified breaches and corrective measures recommended
    • The compliance function reports to senior management on compliance matters, including compliance risk assessment, identified breaches, and corrective measures taken

    Compliance Monitoring Programme

    • The programme involves reviewing and testing documentation and completed work items to identify findings and recommendations for improvements
    • Specific working papers are used to ensure the scope of each monitoring review is achieved
    • The programme must be risk-based and independent of operations
    • Senior management of the operational area concerned must understand the findings and agree on remedial action to be taken

    Three Key Stages of Compliance Monitoring Programme

    • Stage 1 – Information Gathering
      • Identify potential adverse events that may arise in the activities undertaken by the firm
      • Examples of adverse events include: payments not made on time, suspicious activity not reported, failure to complete reconciliations, etc.
    • Stage 2 – Scoring
      • Events are scored for financial impact, exposure, and probability
      • Financial impact reflects the magnitude of financial cost were the adverse event to crystallise
      • Exposure refers to the frequency of the activity that could give rise to the adverse event
      • Probability weight reflects the annualised likelihood of an event occurring given the management controls in place
    • Stage 3 – Weightings
      • Additional variables are considered to determine the priority subjects for inclusion in the monitoring programme
      • Examples of weighting variables include: anxiety weighting, perspective, and days since last tested

    Integration of Regulatory Requirements

    • Firms must ensure that operational processes and procedures deliver the outcomes required by regulation
    • The firm's board of directors, management, and staff must consider whether they have the appropriate organisation and controls to ensure regulatory requirements are integrated and compliance is embedded in the firm's ethos
    • Key elements of integration include:
      • People: establishing an appropriate recruitment programme and hiring staff with the right skills, knowledge, and experience
      • Allocation of responsibilities: using written job descriptions to guide individuals and set regulatory responsibilities
      • Training: providing comprehensive training programmes, including induction courses, on-the-job training, and continuing professional development
      • Procedures: having written procedures in place for all areas of the business that incorporate compliance processes
      • Systems: designing operational systems that incorporate regulatory requirements

    Regulations, Internal Policies, and Procedures

    • Regulations provide clear minimum rules by which businesses can operate
    • Internal policies are created within each firm to guide staff and management in respect of core principles and processes to be followed
    • Procedures provide detailed guidance on the action to be taken by management and staff
    • Regulations, internal policies, and procedures serve distinct purposes, but conflicts can arise, particularly in international businesses

    Regulatory Implications of Business Strategies

    • Outsourcing: firms retain regulatory responsibility for outsourced tasks, and must advise regulators in advance
    • Capital requirements: regulators set out how to determine capital adequacy given the types of business and levels of risk
    • Examples of international capital adequacy approaches include Basel II and III Accords and the EU's Solvency II Directive

    Business Strategy and Capital Adequacy

    • A firm's business strategy and risk appetite have significant implications for capital adequacy and regulatory requirements
    • Any changes to the business strategy should consider capital requirements to avoid substantially increasing regulatory capital

    Variation of Permission (VOP)

    • Regulators control risks by limiting regulated activities a firm may undertake
    • Firms must hold relevant permissions for their business and ensure they don't hold excess authorisations
    • VOP is the process to amend authorisation, involving early planning and involvement of the compliance function
    • Minor variations require minimal documentation and take 2-8 weeks for approval, while major variations take longer (up to a year) and require more evidence

    Control Framework

    • A key part of business strategy is understanding and managing key risks
    • Risks can be mitigated, eliminated, or accepted
    • The compliance officer must ensure regulatory consequences of change are understood and planned for

    Preparing Compliance Reports

    • There is no prescribed layout for compliance reports, but they should consider:
      • Initial steps (title page, template, introduction)
      • Report scope, parameters, and people
      • Significant pages (contents, executive summary, report findings and recommendations)
      • The right of reply (incorporating management responses)
      • Issuing the report and document version control

    The Compliance Function

    • The compliance function needs access to any staff member and records necessary to carry out responsibilities
    • The compliance function should be able to independently carry out investigations and report irregularities to senior management
    • The compliance function should have direct access to the board of directors or a board committee when necessary

    Records Accessed by Compliance

    • Basic records: customer applications, suitability test records, contract notes, etc.
    • Periodic records: prospectus, staff records, training and CPD, etc.
    • Non-essential records: supplier invoices, management accounts, etc.

    Responsibilities and Accountabilities

    • Executive management is responsible for ensuring the firm remains compliant with regulations
    • Staff and management must ensure operational processes follow prescribed procedures
    • Staff and management must ensure training is current and suited to their role

    Monitoring Compliance

    • Methods used to monitor compliance include:
      • Interviewing staff, management, and directors
      • Observing processes and reviewing evidence of controls
      • Testing statistically-based samples of transactions
      • Reviewing reports, audit reports, and key management information

    Risks of Non-Compliance

    • No firm can always remain fully compliant with regulations
    • Breaches can lead to regulatory action, fines, and reputational damage
    • Firms must distinguish between isolated failings and systemic problems

    Independence of the Compliance Function

    • The compliance function should be independent and have a formal status within the firm
    • The head of compliance should not have conflicting responsibilities
    • The compliance function should have access to information and personnel

    Relationship between Compliance and Other Departments

    • The three lines of defence approach:
      • First line: operational controls
      • Second line: compliance monitoring programme
      • Third line: internal audit function
    • Compliance provides written guidance to staff and acts as a point of contact for compliance queries
