Compliance Monitor: Introduction to Role
Dr. Frank Masi, EVP Operations
Copyright (2014) ARC Risk and Compliance
Agenda
History; Definition; Compliance Monitoring; Compliance Monitor; Purpose; Example Use Cases; Users; Testing\Review; and Benefits.
“For more than a hundred years, public policy has been advanced via a legal instrument that ensures equal access to standardized information through mandatory public disclosure by companies” (Fasterling, 2012)
In the past, compliance monitoring was known as self-assessment/self-regulation.
Governmental agencies have created regulatory legislation to force self-assessment or self-regulation on different industries. Some examples:
FDA on the food processors and pharmaceutical companies; SEC on the financial sector; EPA on corporate manufacturing; and OSHA to protect workers.
History of Compliance Monitoring
In the area of BSA/AML and OFAC there are considerable regulatory requirements.
Responsible persons: Auditors; BSA/OFAC Officers; Risk Managers; and Compliance Monitors.
Policies, procedures, processes and systems are put into place to automate and maintain regulatory compliance.
History of Compliance Monitoring
Compliance monitoring is the continued self-assessment and adherence to policies, procedures, and processes within the compliance program.
It is also the continuous validation of models within systems.
This is all in an effort to reduce reputational and regulatory risk.
Compliance Monitoring
Consider the position LoBue (2002) demonstrated:
If an individual manager is going to affect performance in the business process and learning and growth categories favorably, he/she must first, identify those areas that are producing less than expected results and then second, implement changes that result directly in the improved performance. This responsibility falls classically under the fundamental management function of control. (p. 287)
This is telling because he presents that improvements are made through controls and understanding. This directly correlates to compliance monitoring and your understanding of the current state of affairs.
Compliance Monitoring
The role is responsible for internal department compliance and controls. The purpose of the role is to provide ongoing monitoring and focused sampling of processes to validate that policies and procedures are complied with. This is not a function of Audit.
It is documented, formal compliance monitoring for the institution. This is done to avoid discovery of issues during annual audit reviews. In a smaller institution, the compliance monitoring position could provide the institution with document controls on policies and procedures.
One example of responsibility would be to review a number of loan documents to validate that all of the data has been entered correctly, completely, and in accordance with policies and procedures. The exercise may be completed a number of times per month or quarter.
Compliance Monitor
Qualified candidates would have:
5-10 years of AML\BSA and\or OFAC compliance monitoring; Technical\system and\or compliance analyst (both would be best); and\or 5-10 years of audit compliance, documentation experience such as policies and procedures.
The larger the department, the more specialized the position can be or the deeper the skill sets. The smaller the institution, the broader the skill sets (many hats), sacrificing length of experience.
Compliance Monitor Qualifications
This position would report into the BSA\OFAC Officer or CCO directly. This effectively segregates their duties from operational functions. Please see the example chart:
Organizational Structure
[Organizational chart boxes: CCO, EVP; BSA\OFAC Compliance Officer, SVP; BSA Supervisor; BSA Analyst (three); OFAC Supervisor; OFAC Analyst; KYC Senior Analyst; KYCC Analyst; Compliance Monitor; Audit Analyst]
Beyond the regulatory requirements (Federal Financial Institutions Examination Council, 2010; Board of Governors of the Federal Reserve System, Supervision and Regulation Letters SR 11-7 and SR 11-7a1), testing is conducted in different departments for different purposes. In the IT department, the focus is on software and system quality, bug identification, and integration accuracy. The audit and compliance departments validate the continued accuracy of, and compliance with, policies and procedures.
Why Test
[Diagram labels: Compliance Department; Account Opening; Back Office; Lending; Tellers; Account Officer; Broker Dealers; FX; Trade Finance; Trust Management; Capital Markets; Wire]
Distributed Risk Areas
• Controls
• Policies
• Processes
• Training
[Diagram labels: Branches; On-boarding; Sales; Compliance]
Distributed Risk Controls
The purpose of testing is to validate that what was presented and what was delivered are the same. Testing is generally broken down into two types: event testing and monitoring (sampling, on-going, compliance…).
Event testing, as the name indicates, is performed in response to an event, such as a new system launch or product upgrade.
Purpose
Testing Examples
Event Testing
• Proposal for change;
• New product;
• Services;
• Change management;
• Introduction of new process;
• New systems; or
• Monitoring control.
Monitoring Testing
• Reconciliation;
• New product offer;
• New service offer;
• New transaction code;
• KYC data collection process;
• Log file reviews; or
• System controls.
“Random sampling is likely to reduce the effectiveness to identify risk or emerging issues” according to Hyde (2007).
It is these factors that drive monitoring testing. Targeted or focused testing, based on risk and impact, replaces random sampling. Tests should be created with a focus on the risk and impact of compliance with policies and procedures. You should leverage year-over-year metrics to baseline, trend, and refine testing focus.
Effectiveness of Testing
Reconciliation of imported data; Accurately completed KYC forms (targeted sampling); Log file reviews; Loan applications completed correctly; System updates; and Regulatory list updates validated.
Example Use Cases
Compliance; Compliance Controls; Customer Onboarding\CIP; Technology controls IT; Loan forms; Wire room processes; and Alert\Case SAR\CTR filing.
Example Areas
Testing Flow
Centralized Testing Process
Accuracy & Appropriateness
Targeted Sampling
Process Monitoring
Log Reviews\Reconciliation
Testing Process Factors
Reusability
• Repeatable process.
Consistency
• Validation process.
Completeness
• Thorough understanding of policies and procedures.
Reporting
• Documented approach
• Year-over-year metrics
Consistency: Controls and standardization through management; and review of processes to procedures.
Completeness: Gap understanding between procedures and processes; year-over-year reviews; and established validation from previous reviews.
Controls: Identification and enforcement of policies and procedures; and schedulable testing events.
Reporting: Documented validation of adherence; and demonstrable reporting.
Benefits of Monitoring
The continuous monitoring scenarios are the strength of the position. These documented scenarios and result sets are a demonstration of the status of the overall AML\BSA program. By identifying challenges or issues early, management can quickly close the gap on the exceptions. This direct access to senior management presents a clear picture of the status of the compliance function.
The role can add value to the department through communication, efficiency improvements, manual workflow issues or work-arounds. This activity can be directly correlated to the cost of compliance and staffing improvements.
The value of this role is to detect and identify issues in whether the different departments are following the policies and procedures developed by compliance, through compliance monitoring with the detail of a compliance professional. This is the greatest value, and the largest gap is created when operational functions are relied upon for managing ongoing compliance. In this scenario, when this role does not exist in the organization, issues are only discovered annually by audit or, worse, by examiners.
Value of Monitoring
A compliance monitor can provide a significant advantage in regulatory reviews, providing a real-time view into the quality and compliance of the compliance program. This role can decrease institutional risk by identifying the following before they become a financial concern:
Presenting open issues; Areas of concern; and Non-compliance.
Conclusion
[Chart: Compliance Monitor Quarterly Management Report. Review scoring by month (January, February, March) for AML Review, Loan Review, and Dodd Frank Review.]
We continue to see this role leveraged in some institutions and underutilized in others.
References
Board of Governors of the Federal Reserve System Office of the Comptroller of the Currency. (2011, April 4). Supervision and Regulation Letters (SR 11-7a1). Retrieved May 1, 2014, from Board of Governors of the Federal Reserve System: http://www.federalreserve.gov/bankinforeg/srletters/sr1107a1.pdf
Board of Governors of the Federal Reserve System. (2011, April 4). Supervision and Regulation Letters (SR 11-7). Retrieved April 30, 2014, from Board of Governors of the Federal Reserve System: http://www.federalreserve.gov/bankinforeg/srletters/sr1107.htm
Fasterling, B. (2012). Development of norms through compliance disclosure. Journal of Business Ethics, 106(1), 73-87. doi:http://dx.doi.org/10.1007/s10551-011-1055-y
Federal Financial Institutions Examination Council (2010). Bank Secrecy Act/ Anti-Money Laundering Examination Manual. Retrieved June 21, 2013: http://www.ffiec.gov/bsa_aml_infobase/documents/BSA_AML_Man_2010.pdf.
Masi, F. (2013). Compliance Testing. Compliance Professional Resource Newsletter, June.
Masi, F. (2013). Compliance Monitoring Position. Compliance Professional Resource Newsletter, December, 3-5.
Hyde, G. (2007). Enhanced audit testing. The Internal Auditor, 64(4), 65-68,8. Retrieved from http://search.proquest.com/docview/202736076?accountid=458
LoBue, R. (2002). Team self-assessment: problem solving for small workgroups. Journal of Workplace Learning, 14(7), 286-297.
Thank You
Questions
Contact Information: Frank Masi, [email protected] ext. 102, http://www.arcriskandcompliance.com