Enterprise Risk Management IORWG Conference April 2015 Donna Brenner Federal Reserve Bank of Philadelphia Compliance Survey Results Sponsored By:


Enterprise Risk Management

IORWG Conference April 2015

Donna Brenner Federal Reserve Bank of Philadelphia

Compliance Survey Results

Sponsored By:


Compliance Survey:

Objective - Develop a profile on central banks’ compliance programs and activities that may be used as a springboard for future expert groups

Thirty-five central banks responded to the survey (almost 60%)


Compliance


What is it? Conforming to stated requirements

How is it achieved?

Through management processes that identify the applicable requirements, assess the state of compliance, assess the risks and potential costs and impact of noncompliance against the projected expenses to achieve compliance, and prioritize, fund, and initiate any corrective actions deemed necessary.

What is Compliance Risk? According to the Basel Committee on Banking Supervision’s “Compliance and the Compliance Function in Banks” (2005):

• The risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its banking activities (together, “compliance laws, rules, and standards”)


Main Areas of Compliance Programs


Compliance Area #

Ethics 26

Insider Trading/ Market Abuse/ Corruption 24

Regulatory Requirements 17

Human Resources Laws 15

Data Protection Laws 21

Terrorist Financing Laws 21

Tax Laws 11

Fraud 20

Anti-Money Laundering 24

Compliance Policy and Procedures 14

MOUs with Government 4

Other 7


Main Compliance Unit Roles


Role #

Training/Awareness 26

Identification/Assessment of Compliance Risk 20

Monitoring, Testing, and Reporting 20

Development of Compliance Checklist 3

Compliance Breach Report 17

Whistle-Blowing 13

Compliance Policies and Procedures 21

Other 2


Compliance Interaction


Internal Audit
- Shares reports and information
- Conducts audits
- Monitors compliance issues
- Supports investigations
- Collaborates on internal control system
- Acts as the third line of defense on compliance

Line Management
- Evaluates donations, gifts, and hospitality
- Acts as the first line of defense on compliance
- Adheres to risk management policies and compliance framework
- Operates within the Bank’s risk appetite
- Has effective controls related to compliance and has sufficient resources
- Reports non-compliance


Compliance Interaction


Risk Management
- Includes compliance risks in the mapping process
- Shares reports and information
- Attends Risk Committee meetings
- Acts as a second line of defense

Legal
- Acts as head of the legal department and as compliance officer in many cases
- Oversees compliance of contracts and internal regulations with laws and outside regulations
- Reinforces prevention of non-compliance
- Provides advisory services


Compliance Interaction


Human Resources
- Deals with compliance violations
- Handles conflicts of interest and additional business rules
- Monitors compliance related to the ethics framework
- Provides training

Board
- Reviews compliance reports
- Holds regular meetings
- Has ownership of compliance risks
- Handles exceptional ethics matters

45% of the Banks conduct compliance risk self-assessments


Significant Challenges in Compliance Programs

Establishing the right indicators to identify compliance issues

Setting up centralized incident management for risks

Training staff and making them aware of their roles and responsibilities for compliance

Solution:
- Staffed compliance area with experienced officers
- Engaged Internal Audit
- Allowed the governance bodies of the bank to set the scope and responsibilities

Maintaining and training staff members who are well versed in compliance regulations and bank compliance and ethics policies and the business of the bank yet are agile enough to respond to new risks

Solution: Instituted a formal reporting process for breaches


Significant Challenges in Compliance Programs

Implementing new functions; newness of functions presents challenges in getting employees to embrace compliance

Solution: Completed Compliance Management framework, Documentation Guidelines, and Compliance Planning Standard as planned

Plans to develop a communication plan, form a compliance working group, provide compliance training, and develop or source interim compliance management tools

Striking a balance between detailed reporting in terms of zero tolerance prompts versus the practicalities of such reporting


Significant Challenges in Compliance Programs

Difficulty in adhering to high standards; no system so far has ever proved watertight

Solution: Newcomers receive messages from general manager and deputy; compliance unit conducts regular checks

Making staff aware of the guidelines in regard to accepting invitations and presents

Solution: Training sessions are organized


Significant Challenges in Compliance Programs

Adapting generally accepted compliance standards to the unique requirement of a central bank

Having limited staff resources; performing a compliance risk assessment (resources)

Trying to follow laws even though the central banks are not always bound by those laws

Strengthening the bank’s ability to limit exposures to legal or administrative penalties associated with noncompliance

Developing a framework

Shifting governance and minimizing redundancy among control groups


Significant Challenges in Compliance Programs

Designing, implementing, and monitoring a compliance system that is in line with best practices

Solution: Developed a formal mandate, hired competent staff, built the function, established networks, set up documents such as code of conduct, developed working methods, and established information technology (IT) systems

Having the right tools and processes in place to have an efficient implementation

Staying up to date on new and emerging risks

Developing value-added integrated risk management and reporting protocols to provide value to management while limiting administrative burden

Dealing with Human Resources problems since more of the compliance function is embedded in operational analysis

Solution: Requested additional recruitment


Central Banks without a Compliance Program


Roles are managed in the following ways:
- The roles are embedded in Internal Audit.
- Line Management owns the risks, with Legal addressing legal requirements and Risk Management handling compliance risk as part of the operational risk management process.
- Human Resources, Legal, and Internal Audit play a combined role.

The rationale is primarily one of the following:
- Several central banks plan on implementing a program in the next year or so.
- Several banks noted that the use of the three lines of defense model negates their need for a compliance function.
- The bank has been comfortable with a hybrid approach of Legal, Human Resources, and business lines managing compliance.


Laws and Regulations


Central banks identify new laws or changes to laws that may have an impact on operations through:
- Committees established from different departments
- Leadership from the Legal Department
- Legal subscription services
- Work performed by department management in the business areas
- Notification from government entities

Approximately 77% of the central banks provide training for their staff on applicable laws and regulations.


Best Practices Related to Compliance


Usage of e-learning modules on compliance that all staff members are required to complete

Documented policies and procedures that staff members are obligated to follow

An annual report (based upon the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework), which includes compliance, that is prepared and sent to the board; utilization of the COSO framework

Provision of workshops by the Legal Department on administrative rules and regulations; tailoring of sessions for smaller groups or individuals involved in a particular process

Training session on anti-money laundering and terrorist financing laws, personal data protection, and IT security

Awareness campaigns related to IT security


Best Practices Related to Compliance


Utilization of the three lines of defense model and maintaining transparent channels for reporting

Experts in specific business units who support the compliance program

Presentations for new staff on the code of conduct and relevant rules

Coverage at Risk Committee of all functions, including compliance issues and relevant mitigating measures

Cultivation of strong collaboration between the compliance function and the lines of business

Separation between legal function and compliance function

Establishment of an Integrity and Ethics Committee


Summary Conclusions


Many central banks have compliance functions, programs, and/or frameworks

Compliance functions may be organized as part of a standalone unit or business Line Management, or embedded in Internal Audit, Legal, or Risk Management

The favored approach is a decentralized model

The predominant areas of focus are on ethics, insider trading, memorandums of understanding (MOUs), terrorist financing laws, and data protection for those central banks that perform compliance activities. In addition, those areas focus primarily on training, whistle-blowing, monitoring, testing, and developing policies


Summary Conclusions (continued)


Several central banks are in the process of setting up formal compliance programs (since many of the programs are in their formative stages, a number of challenges were identified):

Operating within resource constraints, training staff, developing the value proposition for a compliance program, not placing excessive burden on staff, and having the right tools to administer a compliance program

There are a number of best practices to consider when setting up a compliance program

Use of e-learning modules, training programs, relationship cultivation, clear documentation of policies and procedures, and awareness campaigns


Concluding Discussion

Is there further work warranted on the subject of compliance?

Questions and Comments


The IORWG acknowledges responses from the following entities to generate the central bank compliance results:

- Reserve Bank of Australia
- Central Bank of the Republic of Azerbaijan
- National Bank of Belgium
- Bank for International Settlements
- Banco Central do Brasil
- Banco Central de Bolivia
- Deutsche Bundesbank
- Bank of Canada
- Banco de la República – Colombia
- Central Bank of Curaçao and Saint Maarten
- Banco de España
- Bank of Estonia
- European Central Bank
- Banque de France
- Bank of Greece
- Hong Kong Monetary Authority
- Central Bank of Ireland
- Bank of Israel
- Banca D’Italia
- Banque Centrale du Luxembourg
- Bank of Lithuania
- Central Bank of Jordan
- Bank Al-Maghrib
- Bank Negara Malaysia
- Central Bank of Malta
- Federal Reserve Bank of New York
- Oesterreichische Nationalbank
- Norges Bank
- Federal Reserve Bank of Philadelphia
- Bangko Sentral ng Pilipinas
- Narodowy Bank Polski
- Monetary Authority of Singapore
- Sveriges Riksbank
- South African Reserve Bank
- Swiss National Bank
