dr. frank masi, evp operations. agenda history; definition; compliance monitoring; compliance...

Compliance Monitor Introduction to Role Dr. Frank Masi, EVP Operations

Upload: cynthia-richard

Post on 16-Dec-2015


Compliance Monitor: Introduction to Role

Dr. Frank Masi, EVP Operations


Copyright (2014) ARC Risk and Compliance

Agenda

• History;
• Definition;
• Compliance Monitoring;
• Compliance Monitor;
• Purpose;
• Example Use Cases;
• Users;
• Testing\Review; and
• Benefits.


History of Compliance Monitoring

“For more than a hundred years, public policy has been advanced via a legal instrument that ensures equal access to standardized information through mandatory public disclosure by companies” (Fasterling, 2012).

In the past, compliance monitoring was known as self-assessment/self-regulation.

Governmental agencies have created regulatory legislation to force self-assessment or self-regulation on different industries. Some examples:

• FDA on the food processors and pharmaceutical companies;
• SEC on the financial sector;
• EPA on corporate manufacturing; and
• OSHA to protect workers.


History of Compliance Monitoring

In the area of BSA/AML and OFAC there are considerable regulatory requirements.

Responsible persons:

• Auditors;
• BSA/OFAC Officers;
• Risk Managers; and
• Compliance Monitors.

Policies, procedures, processes and systems are put into place to automate and maintain regulatory compliance.


Compliance Monitoring

Compliance monitoring is the continued self-assessment of, and adherence to, policies, procedures, and processes within the compliance program.

It is also the continuous validation of models within systems.

This is all in an effort to reduce reputational and regulatory risk.


Compliance Monitoring

Consider the position LoBue (2002) demonstrated:

If an individual manager is going to affect performance in the business process and learning and growth categories favorably, he/she must first, identify those areas that are producing less than expected results and then second, implement changes that result directly in the improved performance. This responsibility falls classically under the fundamental management function of control. (p. 287)

This is telling because he argues that improvements are made through controls and understanding. This directly correlates to compliance monitoring and your understanding of the current state of affairs.


Compliance Monitor

The role is responsible for internal department compliance and controls. The purpose of the role is to provide ongoing monitoring and focused sampling of processes to validate that policies and procedures are complied with. This is not a function of Audit.

It is documented, formal compliance monitoring for the institution. This is done to avoid discovery of issues during annual audit reviews. The compliance monitoring position could provide a smaller institution with document controls on policies and procedures.

One example of responsibility would be to review a number of loan documents to validate that all of the data has been entered correctly, completely, and in accordance with policies and procedures. The exercise may be completed a number of times per month or quarter.


Compliance Monitor Qualifications

Qualified candidates would have:

• 5-10 years of AML\BSA and\or OFAC compliance monitoring;
• Technical\system and\or compliance analyst experience (both would be best); and\or
• 5-10 years of audit compliance and documentation experience, such as policies and procedures.

The larger the department, the more specialized the position can be or the deeper the skill sets. The smaller the institution, the broader the skill sets (many hats), sacrificing length of experience.


Organizational Structure

This position would report into the BSA\OFAC Officer or CCO directly. This effectively segregates its duties from operational functions. Please see the example chart:

[Organization chart. Boxes shown: CCO, EVP; BSA\OFAC Compliance Officer, SVP; BSA Supervisor; BSA Analyst (three boxes); OFAC Supervisor; OFAC Analyst; KYC Senior Analyst; KYCC Analyst; Compliance Monitor; Audit Analyst.]


Why Test

Beyond the regulatory requirements (Federal Financial Institutions Examination Council, 2010; Board of Governors of the Federal Reserve System, Supervision and Regulation Letters SR 11-7 and SR 11-7a1), testing is conducted in different departments for different purposes. In the IT department, the focus is on software and system quality, bug identification and integration accuracy. The audit and compliance departments are validating continued accuracy and compliance with policies and procedures.


Distributed Risk Areas

[Diagram: Compliance Department and the risk areas shown around it.]

• Account Opening
• Back Office
• Lending
• Tellers
• Account Officer
• Broker Dealers
• FX
• Trade Finance
• Trust Management
• Capital Markets
• Wire


Distributed Risk Controls

[Diagram. Labels shown: Branches; On-boarding; Sales; Compliance.]

• Controls
• Policies
• Processes
• Training


Purpose

The purpose of testing is to validate that what was presented and what was delivered are the same. Testing is generally broken down into two types: event testing and monitoring (sampling, on-going, compliance…).

Event testing, as the name indicates, is in response to an event, such as a new system launch or product upgrade.


Testing Examples

Event Testing

• Proposal for change;
• New product;
• Services;
• Change management;
• Introduction of new process;
• New systems; or
• Monitoring control.

Monitoring Testing

• Reconciliation;
• New product offer;
• New service offer;
• New transaction code;
• KYC data collection process;
• Log file reviews; or
• System controls.


Effectiveness of Testing

“Random sampling is likely to reduce the effectiveness to identify risk or emerging issues,” according to Hyde (2007).

It is these factors that drive monitoring testing. Targeted or focused testing, based on risk and impact, replaces random sampling. Tests should be created with a focus on the risk and impact of compliance with policies and procedures. You should leverage year-over-year metrics to baseline, trend, and refine testing focus.


Example Use Cases

• Reconciliation of imported data;
• Accurately completed KYC forms (targeted sampling);
• Log file reviews;
• Loan applications completed correctly;
• System updates; and
• Regulatory list updates validated.


Example Areas

• Compliance;
• Compliance Controls;
• Customer Onboarding\CIP;
• Technology controls IT;
• Loan forms;
• Wire room processes; and
• Alert\Case SAR\CTR filing.


Testing Flow

[Diagram. Labels shown: Centralized Testing Process; Accuracy & Appropriateness; Targeted Sampling; Process Monitoring; Log Reviews\Reconciliation.]


Testing Process Factors

Reusability

• Repeatable process.

Consistency

• Validation process.

Completeness

• Thorough understanding of policies and procedures.

Reporting

• Documented approach.
• Year-over-year metrics.


Benefits of Monitoring

Consistency

• Controls and standardization through management; and
• Review of processes to procedures.

Completeness

• GAP understanding between procedures and processes;
• Year-over-year reviews; and
• Established validation from previous reviews.

Controls

• Identification and enforcement of policies and procedures; and
• Schedulable testing events.

Reporting

• Documented validation of adherence; and
• Demonstrable reporting.


Value of Monitoring

The continuous monitoring scenarios are the strength of the position. These documented scenarios and result sets are a demonstration of the status of the overall AML\BSA program. By identifying challenges or issues early, management can quickly close the GAP on the exceptions. This direct access to senior management presents a clear picture of the status of the compliance function.

The role can add value to the department through communication, efficiency improvements, and addressing manual workflow issues or work-arounds. This activity can be directly correlated to the cost of compliance and staffing improvements.

The value of this role is to verify that the different departments are following the policies and procedures developed by compliance, and to detect and identify issues, through compliance monitoring with the detail of a compliance professional. This is the greatest value; the largest GAP is created when operational functions are relied upon for managing ongoing compliance. In this scenario, when this role does not exist in the organization, issues are only discovered annually by audit or, worse, by examiners.


Conclusion

A compliance monitor can provide a significant advantage in regulatory reviews by providing a real-time view into the quality and compliance of the compliance program. This role can decrease institutional risk by identifying the following before they become a financial concern:

• Presenting open issues;
• Areas of concern; and
• Non-compliance.

[Chart: Compliance Monitor Quarterly Management Report. Series: AML Review, Loan Review, Dodd Frank Review. Months: January, February, March. Axis: Review Scoring.]

We continue to see this role leveraged in some institutions, while it is underutilized in others.


References

Board of Governors of the Federal Reserve System & Office of the Comptroller of the Currency. (2011, April 4). Supervision and Regulation Letters (SR 11-7a1). Retrieved May 1, 2014, from Board of Governors of the Federal Reserve System: http://www.federalreserve.gov/bankinforeg/srletters/sr1107a1.pdf

Board of Governors of the Federal Reserve System. (2011, April 4). Supervision and Regulation Letters (SR 11-7). Retrieved April 30, 2014, from Board of Governors of the Federal Reserve System: http://www.federalreserve.gov/bankinforeg/srletters/sr1107.htm

Fasterling, B. (2012). Development of norms through compliance disclosure. Journal of Business Ethics, 106(1), 73-87. doi:http://dx.doi.org/10.1007/s10551-011-1055-y

Federal Financial Institutions Examination Council. (2010). Bank Secrecy Act/Anti-Money Laundering Examination Manual. Retrieved June 21, 2013, from http://www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_Man_2010.pdf

Hyde, G. (2007). Enhanced audit testing. The Internal Auditor, 64(4), 65-68,8. Retrieved from http://search.proquest.com/docview/202736076?accountid=458

LoBue, R. (2002). Team self-assessment: problem solving for small workgroups. Journal of Workplace Learning, 14(7), 286-297.

Masi, F. (2013). Compliance Testing. Compliance Professional Resource Newsletter, June.

Masi, F. (2013). Compliance Monitoring Position. Compliance Professional Resource Newsletter, December, pp. 3-5.


Thank You


Questions

Contact Information: Frank Masi, [email protected] ext. 102, http://www.arcriskandcompliance.com