Tuesday, June 4, 2019
Implementation Of Compliance Monitoring Programme Framework Information Technology Essay
The UK Financial Services Authority (FSA) alone has issued over £13 million of fines in 2011 so far (£89m in 2010 and £23m in 2009). (FSA, 2011) For the larger firms, the monetary value of such a fine may be a drop in the ocean. Nevertheless, it may pose a major reputational risk. According to the Bank for International Settlements principles on the compliance function in banks (BIS, 2005: 14), the responsibility of a bank's Compliance Function (CF) should be to assist senior management in managing effectively the compliance risks faced by the bank. Furthermore, the BIS survey on the implementation of the compliance principles in banks (2008) shows that the core tasks of the compliance function defined in laws, regulations or binding guidance in respondent jurisdictions are monitoring and testing compliance by performing sufficient and representative compliance testing, as well as reporting on a regular basis to senior management, where the results of the compliance testing should be reported in accordance with the bank's internal risk management procedures. (BIS, 2005: 14; 2008: 3)

The importance of an effective compliance monitoring programme is continually growing due to the increased complexity of regulations, rising regulator action and the growing impact of non-compliance. Compliance monitoring is, indeed, the heartbeat of any CF. The creation of compliance and policy manuals is significant; however, such policy management might be irrelevant without effective compliance monitoring. (ComplianceTrack, 2011) (Appendix) Therefore, it is essential that every CF takes advantage of the monitoring process to its fullest in order to protect its company from the negative consequences that non-compliance in its area may have.

The aim of this assignment is to briefly outline a framework for a Compliance Monitoring Programme for a pan-European Financial Services (FS) organisation. This is based on the material discussed in class, further research, as well as my personal experience with Compliance gained in Irish and international companies operating not only in FS, but also in the communications, hospitality and consultancy industries.

The Teamwork

Compliance, with Compliance Monitoring at its core, is considered the 2nd line of defence in the overall company Integrated Assurance Framework, also known as the Three Lines of Defence. (Appendix)

The business, standing in the so-called first line of defence, owns, manages and controls compliance risks through management, procedures and controls.

The compliance monitoring then carried out by the CF in the 2nd line of defence provides assurance that the business adequately manages its compliance risks.

In the final, 3rd line of defence, Audit, both internal and external, performs the overall assessment of the adequacy of compliance functions.

BIS (2005: 13) suggests there should be appropriate mechanisms for co-operation among all the above assurance providers within the Integrated Assurance Framework and with the head of compliance. These mechanisms should be sufficient to ensure that the head of compliance can perform his or her responsibilities effectively. Hence, not all compliance responsibilities are necessarily carried out by a compliance unit. Compliance responsibilities may be exercised by staff in different departments. (Appendix 1, 2) Such coordination with other assurance providers may lead to one of the three following review approaches (Zurich, 2010):

1. Review execution is performed by another assurance provider (e.g. Internal Audit performs an AML review). In this case, the CF should support the assurance provider with technical expertise during execution of the review (e.g. support in setting up the review programme).
2. Joint reviews. The CF participates in a review led by another assurance provider. In this case only one report will be written, by the assurance provider who has the review lead.
3. Compliance reviews. If review types 1 or 2 are not feasible or adequate, the CF performs its own compliance review.

The BIS principles (BIS, 2005: 14) stress that if some of the compliance responsibilities are carried out by staff in different departments, the allocation of responsibilities to each department should be clear.

As might be expected, PWC research (2009: 16) shows that in practice the three lines of defence can and often do overlap, depending on the organisational compliance structure (e.g. embedded compliance staff in the business who assume real-time surveillance of transactions to ensure compliance with AML, market abuse or client order handling rules). To resolve these conflicts, PWC recommends putting the CF squarely in the advisory category (i.e. in the second line of defence). This means operationalising the first line of defence, where compliance control and day-to-day monitoring becomes more clearly the responsibility of the business, with the compliance function providing oversight and advice. (Appendix)

The Virtuous Cycle (Compliance assurance process)

1. Risk Assessment

The continuous cycle is usually annual and starts with a risk assessment to detect potential compliance issues and risks, in accordance with the company's risk appetite. The monitoring is typically (Appendix) planned on a risk basis, as this approach enables resources to be targeted to the areas where they are most needed and will prove most effective, potentially not only saving compliance costs but also gaining greater business support for compliance measures. (Better Regulation, 2008)

The following sources need to be considered to determine which compliance risks should be monitored at the highest group company level:

1. Risk assessments, which can, for instance, be categorised by business areas or by standards prescribed by the regulator (e.g. FSA Handbook categories)
2. Regulatory environment: laws, regulations, specific requests by the Regulator
3. Monitoring currently executed, and planned for future periods, by other assurance providers
4. Local risk assessments and compliance plans

Moreover, the required depth, breadth and frequency of monitoring activities depend on the size and complexity of the nature of the industry and of the company itself.

2. Compliance Plan

Based on this input, the CF establishes its review needs, which should subsequently be discussed and coordinated with other assurance providers in order to leverage the existing review frameworks, to avoid duplication and gaps, and to limit business interruption. All defined reviews on compliance risks, irrespective of which assurance provider executes them, will be included in the annual Compliance Monitoring Plan. This Compliance Plan typically details the what (scope and objectives, problems/risks, priorities), who (resources), when (start and end dates, major milestones), and how (activities to be carried out and data to be collected).

3. Compliance Data Collection and Testing

The compliance procedure manual tells you how to comply with the regulator's rules. How do you, however, ensure that your company has been following this manual? The answer is by conducting compliance testing on a regular basis to see whether those procedures are working as expected, and what the exceptions are. (Cyriac, 2011) Hence, the CF should have a process in place that systematically collects all the compliance-relevant information. The list below defines the main issue and risk identification activities that the CF can use to monitor compliance risks (Zurich, 2010):

Compliance Testing

The aim of compliance testing is to conduct a detailed evaluation of the compliance-relevant procedures and internal controls (manual and automated) built into company business processes, to assess whether these are adequate to manage the risk within the scope of the CF. Tests should be completed clearly, concisely and accurately, in line with CF and company standard methodologies. Ideally, a large portion of such a testing population can be sourced from the company management information system, such as records of breaches, errors, exceptions, mitigating actions and their status, trends, and the like. Appropriate sample sizes should be used when testing areas with a large volume of data (e.g. trades). (Cyriac, 2011)

Compliance monitoring is meant to be both proactive and reactive. It should collect data to prove that controls and validations are in place, and it should also collect data relating to failure. (ComplianceTrack, 2011; PWC, 2005)

The actual frequency of tests is dependent on the abovementioned risk assessments. As a general guideline, higher risk areas are recommended to be tested more regularly, at least monthly; medium risk areas at least quarterly; and lower risk areas at least annually. (Cyriac, 2011)

As mentioned earlier, the CF can take advantage of the connections, resources and expertise within the Integrated Assurance Framework in certain circumstances where the CF may need to increase the independence, quality and/or frequency of its reviews.

The following basic steps may be executed when performing a compliance test:

Review preparation and planning
- Inform the business about the planned review and discuss the review process, scope, timing and collaboration
- Prepare the review by gathering information and establishing the review programme

Fieldwork
- Execute the review according to the review programme and file supporting review documents and evidence
- Discuss observations and actions with the business

Testing by other Assurance Providers

Regular meetings should be arranged within the Integrated Assurance Framework to identify potential issues that might have an impact on compliance risks. Also, the CF should be kept in the loop regarding reports from other assurance providers.

Complaints: External

Perhaps also part of a good MIS, a complaint handling procedure should exist where all complaints are registered and tracked for regularly relevant compliance statistics (e.g. number of complaints, summary of major topics, actions taken, status, development needs).

Complaints: Internal

To encourage employees to express concerns, an infrastructure for reports (often anonymous) should be in place (e.g. dedicated contact persons, hotlines, email addresses, web forms, etc.) and all staff informed and actively reminded of its existence. Reported issues are investigated and acted upon in a timely manner and reported to relevant stakeholders (e.g. number of complaints, major topics, status, channels used for reporting).

Day-to-day Counselling

Compliance should be seen not just as a monitoring tool but as an active, ongoing support to management. As the business progressively manifests the right behaviour, embodying both integrity and innovation, the need for the CF to police its activities diminishes, and the value-adding counsellor role comes more to the fore. (Appendix?) (PWC, 2005)

Having a good relationship with the business is vital to the success of the compliance function, particularly when it comes to assessing the compliance risk of the business. Companies with a mature compliance culture tend to think of the compliance function as a vital ingredient of business operations, and no decisions on, for example, new business ventures or services would be taken without the involvement of the CF and its advice on all compliance risk areas. (Metheven, 2011)

At the same time, however, the pendulum should not be allowed to swing completely in the counsellor direction. Compliance has a critical role to play in compliance oversight and monitoring, in order not only to provide the necessary comfort to (senior) management but also to frame the advice it provides going forward. A clear delineation needs to be set between doing compliance and monitoring compliance. (PWC, 2005) Yet, interestingly, in the PWC 2009 (15) survey of 76 financial institutions based in 16 European countries, forty-eight percent of respondents said the difference between the compliance management and the compliance monitoring programmes is still not fully understood within their organisation.

Hence, the CF should attend all committees where compliance risks may be discussed. An annual Relationship Management plan is a popular solution, outlining the minimum required regular meetings with management to discuss potential risks, issues and new developments.

Regulatory Environment Monitoring

Changes in regulation, laws and the industry should be monitored systematically. Where action is required, the owner of the particular area should be advised of the matter and of the deadline for implementation. The CF should ensure the owner has all the support needed (compliance, legal etc.) so that the deadlines and requirements of the new regulation are met. As usual, it is important to keep all stakeholders informed. Compliance officers increasingly appreciate the need for a coherent dialogue with regulators to gain a better understanding of their changing expectations, and the need to monitor the upstream risks of new regulations more effectively. (PWC, 2009: 4) To ensure no surprises, or last-minute scrambling and the associated unnecessary expense, particular attention should be paid to monitoring new regulatory proposals. (PWC, 2009: 9)

How do we do it? UK: monitor it, tell us about it, agree deadlines, help us to read the docs, ensure interpretation is ok, bring directors into the loop.

Regulatory Action Monitoring

Reviews, investigations and requests from regulatory bodies should be received and analysed. The CF must ensure timely resolution of such requests, possibly also coordinating the whole process. It is good practice to share the results of the Regulator's activities (e.g. regulatory review reports, including fines or sanctions where appropriate) and the implementation progress (status of internal actions) with relevant stakeholders.

Training

Best practice dictates that an annual Training Plan should be established to communicate regulatory/compliance matters to the employees of the organisation. These activities can be measured (e.g. coverage, success rate, completed by deadline) and the results used as indicators for the next periods.

Local CF Monitoring

An important part of compliance monitoring in organisations consisting of various units/branches is to ensure that CFs across the company execute their tasks according to the company principles. (Appendix) This can be done by regular meetings of the group CF with local CF units (e.g. one-to-one/joint, face-to-face/teleconference/online, discussing risks, activities, infrastructure), reporting (e.g. issues, risks, activities, KPI performance), fortnightly meetings with key local business stakeholders (e.g. satisfaction, cooperation, added value, prioritisation, resources) and regular quality assurance reviews (carried out by the CF and/or in cooperation with another assurance provider).

Monitoring of Outsourced Functions and Activities

There are strong parallels in approach in terms of controlling third-party networks and outsourced functions or activities. (Appendix) Key control elements stressed by respondents include:
- Quality of the due diligence exercise prior to entering the relationship
- Contracts and written agreements (service level agreements)
- Robust monitoring by the (local) compliance function and testing exercises (for example, mystery shopping)
- Ongoing communication and training sessions
- Metrics/controls/reporting
- Quality of the compliance function within the third-party distributor or outsourcer, and the compliance policies in place, as well as a clear definition of compliance processes
- Onsite reviews by compliance and internal audit
- Complaints analysis
- A dedicated unit within the compliance function to manage third-party distributors or outsourcers

Does IT Help?

Priority should be placed on the development and use of technology able to help management really understand, on a timely and consistent basis, what is going on in the business. From the perspective of the CF, a robust technological infrastructure entails both sophisticated tools for monitoring compliance in business activities, together with appropriate tools for streamlining compliance function activities and facilitating knowledge sharing. (PWC, 2005: 11)

The apparently low level of knowledge of IT within compliance functions supports the view that, in many organisations, the IT department is not considered to be a key stakeholder in the compliance function, and vice versa. However, PWC believe that technology is a key enabler in supporting compliance within the organisation, and presents a significant opportunity for many organisations. This means the use of technology to:

- Control and manage processes that cut across systems and organisational boundaries. Compliance touches nearly every operating and administrative unit and business process in an organisation, so the task of controlling and managing the compliance process itself is huge. Each of these requires the appropriate application of technology in order to establish sustainable compliance (e.g. document management, status reporting, automated internal controls).
- Improve the quality of information and speed of delivery: transferring data from one system to another, replacing manual processes for execution, analysis and reporting, challenging the quality of data, modelling alternatives and delivering reports and dashboard information to decision makers. Reliable information increases confidence to take action.
- Identify and manage events in a consistent and auditable manner. Technology is used to identify events and report exceptions. This involves optimising control capabilities in existing business and support systems, the use of integration technologies to bring together information from disparate source systems, and administering and monitoring risk and control self-assessments and other surveys.
- Build accountability into the management and reporting of events. IT helps ensure action by creating a closed-loop environment that incorporates accountability for each incident and requires action. (PWC, 2005: 61)

According to the PWC (2005) survey of 73 FS institutions (63% banking, 19% investments, 18% insurance) in 17 countries, 36 percent of respondents considered inadequate IT infrastructure for compliance monitoring as one of the biggest challenges of achieving a compliant organisation. (PWC, 2005: 19)

4. Data Analysis

The results of reviews on compliance risks, as defined above, should be captured and analysed. Every compliance function should systematically monitor and analyse the captured data in order to identify compliance risks, issues, problems and trends. Key Performance Indicators reflecting the monitoring activities can be an important part of the reporting dashboard and help to identify trends on a local and group level.

5. Reporting and Follow-up

Reports to stakeholders (e.g. those charged with governance) on compliance monitoring and analysis need to present a balanced view of the situation, risks, issues and actions taken, highlighting both positive and constructive/developmental aspects, and proposing improvement actions. Reporting happens according to the reporting standards of the particular company, but generally includes the following:
- Write and discuss the report, observations and actions with the business
- Share the report with relevant stakeholders
- Follow up actions

Sample reporting content:
- Executive Summary (highlights)
- Objective and Scope
- Description of compliance testing/review carried out
- Observations
- Rating of quality of controls and processes under review
- Actions

6. Review

Being part of the Integrated Assurance Framework, Compliance should itself be subject to regular review, usually annual as mentioned above, usually by external and internal audit. Benchmarking with industry peers is also a beneficial practice. Without processes to judge programme elements and implement necessary improvements, any compliance programme will have difficulty staying efficient, effective and up to date. Well-developed ongoing monitoring and periodic assessment processes, with clear paths for communication of recommended changes, may be the best sign of a mature and effective management system. (OCEG, 2004: 2)