Credit Union Regulatory Update
Michelle O’Donoghue
Oisin Stronge
Introduction
Senior Manager – Credit Union Division
Work with Oisin and a team of 12 to lead out services to Credit Unions in areas of:
– Internal audit
– Risk and compliance
– External audit
– Due Diligence assignments
– Training – Board and Management
Good overview of what is happening in the sector
Today’s Agenda
• Internal audit, risk, compliance – update and experiences in the past year
• Measuring embeddedness
• Other regulatory updates – PRISM and S90, GDPR and AML
• Organising the Regulatory Functions
Internal Audit
Internal Audit - The Last Year
Number of days on site each quarter is increasing
Internal Audit plans are starting to reflect the key risk areas
Additional areas being included that were previously ignored:
Branch controls
End of day cash balancing
AML
Merger integration plans
Member’s draw
Financial controls in certain areas are still weak and need to be monitored – bank recs, segregation of duties, controls over counter transactions
IA – Key Experiences From Testing
Strategic plans – still not fit for purpose with robust projections
Outsourcing – confusion over what should be on register of outsourcing arrangements
No clearly documented travel and expenses policy
Risk and compliance – struggling to get embedded
Member third party access – report generation and monitoring
Dormant accounts – adequate oversight
Issuing of member statements
IA – Key Experiences From Testing
Credit underwriting – robust policy that is adhered to
Governance weaknesses:
Board attendance at meetings – average at 75%
Sufficient focus on strategic plan – too operational
Overall compliance with requirements
Adequate minutes of meetings
Quality of Board Packs
Fraud – bank recs, car draws, other areas
Internal Audit – Conclusion
Internal audit should provide independent internal oversight
Assists in identifying areas of control weakness
Fraud – becoming a big issue
Look at controls over counter transactions
Ensure regular testing of transactions processed over the counter
Number of days is increasing BUT still more room for improvement
Still some work on key weaknesses to be addressed
RBK are reviewing plans to address the shortcomings
Risk
Risk – Year in Review
Outsourcing beginning to increase in popularity:
Outsourced risk – up from 29% to 43%
Outsourced compliance – up from 36% to 43%
In-house risk and compliance officers are functioning better but are still too focused on operational issues
Risk registers are getting smaller BUT
Still a lot of generic risks out there AND
New risks are not identified fast enough
Risk – Year in Review
Risk management software
Reporting of risk is improving BUT
Still not seeing a regular report to the board on risk
Greater awareness at Board level about risk
PRISM reviews still note a lack of embeddedness
Annual effectiveness review and training
Risk – Key Experiences from Testing
Risks which should be closed as fully mitigated are not being closed for the following reasons:
Policies have not been updated within the 12 month timeframe or are missing some of the minimum requirements
BCP and penetration testing have identified issues that have not been closed
Strategic plan and projections not robust enough
Survey Results – The Top 3 Risks
2017                       | 2016
Loan Book Growth           | Loan Book Growth
Strategy Implementation    | IT risks – infrastructure, hacking, BCP, broadband
IT & Cyber Security        | Investment rates of return
Risk
The Top Risks – the RBK View
Viability – growth in loan book
Strategic plan implementation
AML
Data Protection – the impact of GDPR
Cyber security
Internal controls failure
Risk – Conclusion
Risk awareness is better
Risk registers are getting more manageable
Annual effectiveness review should take place to:
Review scoring methodology within the risk register
Review controls
Complete a gap analysis
Consider if the top 5 risks are the top 5 risks
Embeddedness – still a work in progress
Ensure risk is reported monthly to risk committee and board – timing issues to be resolved
Prepare for new risks such as Data Protection now
Compliance
Compliance – Year in Review
Compliance is more black and white
Where the function is outsourced – the compliance plan tends to be more detailed and the testing conducted on the plans tends to be more in-depth
In-house compliance plans don’t set out the detail of the testing to be conducted – purpose, section and conclusion
Compliance function has equal importance as Risk and IA and sufficient resources should be allocated to it
Compliance breaches identified are low in terms of severity
Compliance – Key Experiences from Testing
Huge variance in terms of overall compliance – some good, some bad
Compliance breaches identified are low in terms of severity
Compliance breaches are not being remedied within agreed timelines, resulting in escalation
A large number of Annual Compliance Statements in the past year did not contain any material breaches
Types of compliance breaches link with risk control weaknesses:
Governance issues
Policies and procedures
Operational issues linked to policies and procedures
Compliance – Conclusion
Function that is working best – black and white
Ensure test plans contain the detail of the scope of the testing
Include new regulations – Data Protection, CP109 etc.
Agree timelines to close compliance breaches
Maintain breach register and escalate breaches where not remedied on a timely basis
Ensure compliance function reviews policies for compliance with legislative requirements, but it is not the compliance officer’s role to draft policies
Risk and Compliance
Measuring Embeddedness
Key Elements of an Embedded Function
Directors / Senior Management aware of Roles / Responsibilities
Strong and Clear Reporting
IA Plan and Risk Registers are a “living document”
Prompt remedial action where shortcomings in internal controls are highlighted
Ownership of Risks / Controls / Processes
Linkage: IA Plan, Risk Register, Compliance Plan, Governance, Strategy, Regulatory Requirements
Measuring Embeddedness
So how do you measure embeddedness?
By doing a SWOT analysis over the following categories:
People and resources
Board knowledge
Training and skills
Policies and procedures
Risk Register
Individual and overall score
Needs to be done with risk officer and risk committee to ensure objective
SWOT Analysis
Some things to consider include:
Risk awareness of staff and board
Number of risks and allocation of risks to risk owners
Whether the function is resourced internally or externally
Quality of controls, policies and procedures
Level of training on risk
Impact of regulatory changes
Risk appetite statement and risk tolerance
Measuring Embeddedness
Area                    | Score
People and resources    | 8
Board awareness         | 9
Knowledge and training  | 8
Policies and procedures | 8
Risk Register           | 9
Overall score           | 42
Overall score = 42/50 or 84%
Indicates an almost fully embedded risk management system
All CUs should complete this analysis as part of an effectiveness review
Other Regulatory Update
PRISM Engagements
Section 90 reviews
AML
Data Protection
Central Credit Register
PRISM and Section 90 Reviews
What are PRISM and S90 reviews focused on?
Viability – do your projections show any issues with viability?
Strategic plan – is it robust and are targets being monitored against actual results?
Operational issues – financial controls, bank recs, AML, accuracy of PR reporting
Board effectiveness and quality of management information
Risk and compliance embeddedness
Credit underwriting
Merger integration
AML
Ongoing compliance with FRS 102
AML
Thematic review by Central Bank in 2015 highlighted weakness across the sector
Monitoring department of Central Bank now doing AML inspections
Two large fines for two large credit unions
Survey findings – AML does not feature as a key risk – surprised?
RBK conducting specific AML reviews as part of IA, Risk and Compliance
Findings consistent with those of Central Bank
Significant areas of weakness to be addressed
General Data Protection Regulations (GDPR)
The GDPR comes into effect on 1 May 2018
European Regulations – immediate effect – no need for ROI to transpose into Irish Law
Existing rules remain the same but there are some new elements
Appoint a Data Protection Officer
Monitor ongoing compliance
Can be an employee, but if they have other duties these cannot conflict with DPO duties
Central Credit Register
The Central Credit Register (CCR) is a mandatory credit reporting system
Credit Unions will have to:
Submit members’ details re loan applications > €500
Make an enquiry if loan application is > €2,000
Credit agreements in force on 30 June 2017 are reportable
Will have to link a PPSN number with a loan application
Consider the impact on Data Protection – you will have to inform your members
Conclusion – Regulatory Update
Credit Unions need to be PRISM ready – many are not!
Co-ordinate the regulatory functions to get you ready
Do a mock PRISM review in advance
Get ready for CCR and GDPR now:
Review policies and procedures
Include risks on risk register
Amend compliance plans to test
Get IA to do a review
Organising the Regulatory Functions
3 separate distinct regulatory functions to be resourced and managed
Plus MLRO
Plus DPO
How should these functions be managed?
Greater efficiency still needs to be brought to the functions by sharing plans and streamlining the timing of testing
Who should do this?
Review committee structure – combine audit with risk and compliance
Responsible for External Audit, IA, Risk, Compliance and AML
Ensure it is comprised of appropriately skilled individuals and the committee is active
Organising the Regulatory Functions
Continued move towards outsourcing – brings technical and operational experience
Consider shared services – requires collaboration
Compliance and AML – go hand in hand?
DPO – will probably need to be outsourced – look at shared services
Thank You!
Michelle O’Donoghue
Senior Manager
Phone: 090 6480600 / 087 8337706
Email: [email protected]
Oisin Stronge
Supervisor
Phone: 090 6480600 / 087 1200003
Email: [email protected]