EghtesadOnline: According to the CBI directive, banks and financial institutions are obliged to set up an independent compliance department.
Whilst this action is commendable on the part of policymakers, one cannot lose sight of the fact that establishing an independent compliance function is a complicated and sophisticated process and demands dedicated, determined and progressive management to embark on such a project with the necessary tools and means to ensure success. The past experience of setting up compliance functions in Europe and the US serves as a reminder that the key practical challenges in effective implementation of this function are manifold and should not be underestimated.
First of all, from a human capital perspective, the availability of experienced compliance professionals is very limited. As well as having the necessary qualifications, compliance professionals should possess the necessary work experience and know-how. This is particularly important at the management level and above.
The compliance function should be designed, built and operated at a world-class level with sufficient robustness and controls to withstand the toughest compliance audits, reviews and attestations conducted by external auditors. A robust compliance function should prove to be a distinct advantage differentiating the firm from its competitors.
Additionally, a world-class compliance function should incorporate the following features:
- Compliance with regulatory requirements, both global and local
- Designing, building and installing key systems and controls within the business lines around AML, CTF and KYC key risks.
- Active risk management and monitoring
- Having the framework to actively identify key risks in the lines of business, including their materiality level, and design a process to monitor and report these risks.
• Developing and managing a robust risk identification and assessment process
• Developing and enforcing standards for an effective risk-mediation process (for example, root-cause analysis and performance tracking) to ensure it addresses underlying causes of compliance issues rather than just “treating the symptoms”
• Establishing standards for training programs and incentives tailored to the realities of each type of job or work environment
• Approving clients, transactions, and products based on predefined risk-based rules
• Performing a regular assessment of the state of the overall compliance program and developing appropriate metrics to test its performance
• Understanding the bank’s risk culture and its strengths as well as potential shortcomings
• Setting up a program of continuous training to ensure all staff are aware of their compliance roles and responsibilities and are kept up to date with the current regulation.
The compliance department is expected to collect and understand all applicable laws and, more importantly, translate how each of these regulations impacts the lines of business into standard operational requirements. The design of the compliance function’s operating model is increasingly important. It demands a shift from siloed, business-unit-based coverage to a model where business-unit coverage is combined with horizontal expertise around key compliance areas, and where key compliance controls are designed and built into the operating model and procedures of the various departments of the financial institution. This requires a deep understanding of the business lines as well as compliance laws and regulations.
Identifying all risks and all mitigating controls entails a significant amount of time and effort and could detract from drilling into the issues that truly matter. The starting point of the risk-based approach is instead to define which risks apply to a given business process and to identify where exactly in the process they occur (known as “breakpoint analysis”). Informed by the identified process breakpoints, Key Risk Indicators (KRIs) can then be designed that directly measure the residual risk exposure. This approach leads to a far more efficient system with fewer items to test and much more robust insights into what the key issues are. Moreover, it provides the essential fact base to guide and accelerate the remediation process and resource allocation.
Compliance risks are driven by the same underlying factors that drive other banking risks, but their stakes are higher in the case of adverse outcomes (for example, regulatory actions that can result in restriction of business activities and large fines). Therefore, it’s only fitting that a modern compliance framework needs to be fully integrated with the bank’s operational-risk view of the world.
Integrating the management of these risks offers tangible benefits. First, it ensures the enterprise has a truly comprehensive view of its portfolio of risks and visibility into any systemic issues (for example, cross-product, cross-process), and that no material risk is left unattended. Second, it lessens the burden on the business (for example, no duplicative risk assessments and remediation activities) as well as on the control functions (for example, no separate or duplicative reporting, training, and communication activities). Third, it facilitates a risk-based allocation of enterprise resources and management actions on risk remediation and investment in cross-cutting controls.
Clearly, regulatory compliance has affected banks in a variety of challenging ways, increasing the cost of service and sometimes making the delivery of great customer experiences more difficult. However, as the regulatory environment evolves, a major opportunity exists for the compliance function to get ahead of the curve by implementing targeted changes to its operating model and processes, thus delivering a better quality of oversight while at the same time increasing its efficiency. Banks that successfully make this shift will enjoy a distinctive source of competitive advantage in the foreseeable future, being able to deliver better service, reduce structural cost, and significantly de-risk their operations.