Hopefully these observations don’t apply to you or your business; however, they have all appeared in public statements issued by the Jersey Financial Services Commission over the past couple of years or so. A failure in the operation of the compliance function is often cited by the Commission as a contributory factor in the serious problems faced by a business subject to regulatory sanction.
Similarly, feedback from the Commission’s examination programme invariably highlights concerns over the adequacy of compliance resources, the monitoring plan, compliance reporting to the board and the independence of the compliance function. The Commission, again, raised these concerns at a recent presentation given to the Jersey Compliance Officers Association.
Assessment of compliance risk management
You will be aware that the various Codes of Practice to which financial services businesses must adhere include a specific requirement for the board of directors or senior management to ensure that an assessment is undertaken, on at least an annual basis, of the extent to which compliance risk is managed effectively. Has your business undertaken such an assessment in the last twelve months? If so, what did it cover, who undertook the assessment and how was it documented?
The Commission doesn’t provide any specific guidance on what its expectations are, which is perhaps unsurprising in a regulatory environment where a risk-based approach is encouraged. Whilst this lack of direction can leave a board somewhat uncertain as to how it should proceed, Principle 3 of the various Codes includes a clear indication of the regulator’s expectations in respect of the compliance framework and the roles of the key persons. These include:
- A compliance policy;
- A permanent, independent and effective compliance function with sufficient time and resources in order to carry out its responsibilities;
- Suitably skilled and experienced key persons;
- Direct access to the board and senior management by the compliance function and unfettered access to all business areas and relevant information;
- An appropriate compliance monitoring plan;
- Regular written reports to the board on relevant compliance matters; and
- The compliance function to be the principal point of contact with the Commission on day to day regulatory matters.
It would therefore seem logical that an assessment should consider these areas at a minimum. A more comprehensive assessment of compliance risk management should also look at the business risk assessment, the interactions between the compliance function, the board and client-facing areas, and training on AML and other regulatory matters.
Having determined the content of the assessment, the board should consider who should undertake it, bearing in mind available resources and time constraints. If a department or individual is allocated responsibility, then it is important that the work is suitably prioritised, so that it is given sufficient attention and is completed within an agreed timeframe. The value of any review is diminished if there is a lengthy delay between its performance and the formal reporting of the outcome to the board.
Objectivity and independence
A further challenge facing the board is how an assessment of the effectiveness of compliance risk management can be undertaken objectively. An assessment that lacks independence risks overlooking important factors and could be accused of bias. Is it possible for a board to dispassionately assess the effectiveness of the compliance function, when that assessment would also cover the board’s own oversight of, and interactions with, that function? Whilst the Codes don’t require an independent assessment, it would certainly be difficult to see how the board, and even less so the compliance function, could undertake this review without at least an element of independence or external input. For larger firms, perhaps the internal audit function or employees from other group offices may be able to assist?
Documentation and monitoring
Once the assessment has been completed, it is essential that it is documented and formally discussed by the board or senior management. Any recommendations or remedial actions arising from the assessment should be addressed within agreed timeframes, with progress being reported back to the board on a regular basis.
It is surprising that the operation of the compliance function so often gets overlooked, when its general state of health and effectiveness is such an important indicator of problems that may lurk in other parts of a business. A programme of ongoing oversight together with a periodic objective assessment of the management of compliance risk should form an essential part of all business risk management frameworks.
Cyan has been engaged by a number of financial services businesses to undertake an independent assessment for the board of the effectiveness of its compliance risk management. We have also assisted in remedial work and provided resources to support compliance functions during periods of shortage or temporary absence.
Please let us know should you wish to discuss how Cyan may be able to assist.