Regulatory guidance for banks has become increasingly forceful. Recent developments make it clear that "should" is to be interpreted as "shall". Financial institutions are working to establish compliance frameworks to meet these standards. It is critical that your organization develop a strategy for assessing compliance with applicable guidance and for enhancing your enterprise compliance management program.
Strategic self-assessments are an important tool for identifying and assessing how compliance risks are overseen at both the line-of-business and enterprise levels. They help to identify issues and non-compliance, allowing time to address and correct them prior to internal audits and regulatory examinations. They also serve as a basis for analyzing the key components of a compliance program framework.
Based on the compliance program gaps identified through self-assessments, there should be a compliance-specific strategic plan. You can base it on your answers to the following questions:
- What does our compliance function seek to achieve?
- What is the mission and vision of compliance?
- How will compliance support core business goals?
- Is there an opportunity to drive further cost efficiency through use of technology and tools?
Testing and monitoring in a world-class compliance program takes the pulse of the program, ensuring its ongoing health. It is a critical element of an effective compliance program and a required component in certain industries. Why? Without testing, it’s difficult or impossible to understand what’s working and what needs enhancement.
Robust monitoring programs serve as an early warning system, allowing compliance professionals to identify – sooner rather than later – potential issues. A lack of effective testing and monitoring can have a ripple effect on other areas of the program.
In a number of recent studies and surveys, compliance professionals indicated frustration with the quality of the metrics used to measure the effectiveness of compliance programs. Outcomes of ongoing testing and monitoring, especially when considered over time, drive metrics that point to the effectiveness of the program's design and its operations.
Testing and monitoring provide relevant and reliable information about the compliance program to stakeholders. Regulators view these activities as demonstrations of the company’s commitment to compliance. For some industries, such as financial services, they are a regulatory requirement, and companies may face fines or penalties for failing to implement them.
Boards require substantiated information on the effectiveness of ethics and compliance programs in order to execute their fiduciary duties. Internal and external counsel point to these activities as indicators of a company’s diligence around ethics and compliance as part of legal strategies.
Employees, customers and investors desire deeper understandings of ethics and compliance programs and may even use this information to make employment, purchase or investment decisions.
- Many ethics and compliance professionals use the terms testing and monitoring interchangeably.
- While they may be two sides of the same coin, and one cannot be fully optimized without the other, these activities are not interchangeable.
- Many believe both the design and desired outcomes are quite different.
- Testing program: Dynamic, risk-based, independent compliance oversight process designed to periodically select and review samples of business products, services, communications and other areas to gauge and report on operating effectiveness of compliance controls and/or adherence to stated policies and procedures.
- Monitoring program: Ongoing surveillance, review and analysis of key business performance and risk indicators that allows organizations to identify potential compliance violations. While many seek to implement automated monitoring programs, these activities can be either automated or manual.
The following are the hallmarks of a great testing program:
- Compliance is tested at the level of accountability:
  - 1st line of defense: Business unit leadership invests time and resources to determine that controls and activities are adequately designed and operating effectively.
  - 2nd line of defense: Individuals who perform testing must not be the same individuals responsible for execution of controls. These individuals are accountable to the independent compliance function, regardless of whether it resides at corporate level or within the business unit, under a federated compliance model.
  - 3rd line of defense: Internal audit should be responsible for testing the tests. In some industries, internal audit plays a broader role.
- In all instances and at all levels, independence is an essential aspect of effective testing.
How does your bank stack up against these criteria? It’s time to refresh and update your compliance program if you haven’t taken a good look at it in a long while. We at Mercadien pride ourselves on staying ahead of the curve when helping clients through these challenges. Contact me at email@example.com or 609-689-9700, or any of our Financial Institutions Services professionals, for further information on how we can help you.