In recently announcing its examination programme for 2020, the JFSC has emphasised the importance with which it regards the compliance monitoring programme (CMP). In Quarter 1, the CMP will continue to be the focus of thematic examinations and regulated businesses should be prepared if the regulator comes calling.
In its announcement, the JFSC stated that compliance monitoring should be an integral part of a regulated business’ management framework. In recent examinations it has continued to identify regulated businesses which do not fully comply with the regulatory framework in respect of this crucial control.
From our own experience in assisting regulated businesses, Cyan would echo the JFSC’s conclusions. This is disappointing, particularly as the JFSC has published a helpful guidance note on compliance monitoring which emphasises the cyclical nature of the CMP process as an integral part of the general compliance framework.
The JFSC has specifically stated that it will test the governance, oversight and effectiveness of a regulated business’ CMP. It is clear, therefore, that the role of the Board in reviewing and approving the CMP and its ongoing active interest and involvement in the results of the testing programme will be of particular interest to the regulator.
These are our top tips in implementing an effective CMP:
- Focus on the legal and regulatory requirements
The Compliance department must have a good understanding of the legal and regulatory requirements to which the business is subject. Undertake a gap analysis of these requirements against the controls, policies and procedures that are in place to ensure that they are adequately addressed. Whilst a CMP may cover other areas, priority and resources should be directed towards the relevant legal and regulatory requirements.
- The Business Risk Assessment is essential
A business risk assessment which comprehensively identifies, assesses and prioritises the key risks and controls a business is exposed to is essential in implementing an effective and risk-based CMP. There should be a clearly documented link between the areas of highest risk identified in the business risk assessment (in particular compliance and regulatory) and where CMP activity and resources are focused.
- Board engagement is equally important
As we have already said, the CMP is an integral part of the compliance framework and therefore the Board should be actively interested in its content and methodology. Board review and approval of the CMP should be evidenced in the board minutes on at least an annual basis and also where material changes are proposed.
It is also essential that the board engages with the CMP on an ongoing basis and pays close attention to the monitoring findings reported each month by the Compliance Function. We have seen a number of instances where Compliance has reported “no CMP findings”, not because the control environment is strong, but rather because the testing has been weak. As a result, directors have had ill-founded confidence in their systems and controls. No business is perfect and if the monitoring results are too good to be true… they probably are!
- Keep good records
A CMP policy and procedures must be in place, to explain the methodology as well as each step of the process, from formulating the CMP and its approval, notifying business areas of planned monitoring, conducting testing, reporting findings and addressing deficiencies.
Whilst a variety of monitoring methods may be used, it is important that test sheets and working papers are maintained to evidence the testing and support the findings.
It is very likely that matters will crop up during the year which impact on the carrying out of the documented CMP. A serious complaint, loss of key personnel or demands placed upon Jersey staff by Group could result in resources being diverted from planned CMP activities to deal with the matter. This is quite understandable.
However, such changes to a CMP should be documented and agreed by the board if material, and steps should be taken to ensure that the CMP does not fall too far behind. It may be that an urgent review of a control process prompted by the occurrence of a serious matter can be regarded as a CMP activity itself if properly documented as such.
- Clear, comprehensive and prompt reporting
The outcome of tests and monitoring activities should be documented and reported to the relevant business areas and individuals. Material findings or potential/actual regulatory breaches must be promptly escalated to the Head of Compliance, senior management and the board so that appropriate action can be considered and taken, which may include a notification to the JFSC.
Compliance must also periodically report to the board on the CMP. Reporting should include details of monitoring activity that has taken place and the progress against the plan, material findings, details of remedial actions and the status of previously reported findings. Make sure you avoid “copy and paste” reporting, where comments are automatically repeated from one report to the next. As with all reporting, it is important that careful thought is given to CMP reports.
- Effectively address deficiencies
Where testing and monitoring identifies weaknesses in policies and procedures or areas of non-compliance, steps must be taken to address them. Responsibilities and realistic timeframes should be agreed and documented, and the Compliance Function should oversee completion and progress against specified timescales. The board should also be kept regularly informed.
A well thought out, risk-based and comprehensive CMP will not only provide your business with a regulatory “thumbs up”. It is an essential part of the risk management framework and will also provide you with assurance that key legal and regulatory requirements are being complied with, deficiencies are being identified and are then addressed effectively.