Enterprise Risk Management
IORWG Conference, April 2015
Donna Brenner Federal Reserve Bank of Philadelphia
Compliance Survey Results
Sponsored By:
Compliance Survey:
Objective - Develop a profile on central banks’ compliance programs and activities that may be used as a springboard for future expert groups
Thirty-five central banks responded to the survey (almost 60%)
Compliance
What is it? Conforming to stated requirements
How is it achieved?
Through management processes that identify the applicable requirements, assess the state of compliance, assess the risks and potential costs and impact of noncompliance against the projected expenses to achieve compliance, and prioritize, fund, and initiate any corrective actions deemed necessary.
What is Compliance Risk? According to the Basel Committee on Banking Supervision’s “Compliance and the Compliance Function in Banks” (2005):
• The risk of legal or regulatory sanctions, material financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its banking activities (together, “compliance laws, rules, and standards”)
Main Areas of Compliance Programs
Compliance Area                               Number of central banks
Ethics                                        26
Insider Trading / Market Abuse / Corruption   24
Regulatory Requirements                       17
Human Resources Laws                          15
Data Protection Laws                          21
Terrorist Financing Laws                      21
Tax Laws                                      11
Fraud                                         20
Anti-Money Laundering                         24
Compliance Policy and Procedures              14
MOUs with Government                           4
Other                                          7
Main Compliance Unit Roles
Role                                            Number of central banks
Training/Awareness                              26
Identification/Assessment of Compliance Risk    20
Monitoring, Testing, and Reporting              20
Development of Compliance Checklist              3
Compliance Breach Report                        17
Whistle-Blowing                                 13
Compliance Policies and Procedures              21
Other                                            2
Compliance Interaction
Internal Audit
• Shares reports and information
• Conducts audits
• Monitors compliance issues
• Supports investigations
• Collaborates on internal control system
• Acts as the third line of defense on compliance
Line Management
• Evaluates donations, gifts, and hospitality
• Acts as the first line of defense on compliance
• Adheres to risk management policies and compliance framework
• Operates within the Bank’s risk appetite
• Has effective controls related to compliance and has sufficient resources
• Reports non-compliance
Compliance Interaction (continued)
Risk Management
• Includes compliance risks in the mapping process
• Shares reports and information
• Attends Risk Committee meetings
• Acts as a second line of defense
Legal
• Acts as head of the legal department and as compliance officer in many cases
• Oversees compliance of contracts and internal regulations with laws and outside regulations
• Reinforces prevention of non-compliance
• Provides advisory services
Compliance Interaction (continued)
Human Resources
• Deals with compliance violations
• Handles conflicts of interest and additional business rules
• Monitors compliance related to the ethics framework
• Provides training
Board
• Reviews compliance reports
• Holds regular meetings
• Has ownership of compliance risks
• Handles exceptional ethics matters
45% of the Banks conduct compliance risk self-assessments
Significant Challenges in Compliance Programs
Establishing the right indicators to identify compliance issues
Setting up centralized incident management for risks
Training staff and making them aware of their roles and responsibilities for compliance
Solution: Staffed the compliance area with experienced officers; engaged Internal Audit; allowed the governance bodies of the bank to set the scope and responsibilities
Maintaining and training staff members who are well versed in compliance regulations and bank compliance and ethics policies and the business of the bank yet are agile enough to respond to new risks
Solution: Instituted a formal reporting process for breaches
Significant Challenges in Compliance Programs (continued)
Implementing new functions; newness of functions presents challenges in getting employees to embrace compliance
Solution: Completed Compliance Management framework, Documentation Guidelines, and Compliance Planning Standard as planned
Plans to develop a communication plan, form a compliance working group, provide compliance training, and develop or source interim compliance management tools
Striking a balance between detailed reporting in terms of zero tolerance prompts versus the practicalities of such reporting
Significant Challenges in Compliance Programs (continued)
Difficulty in adhering to high standards; no system so far has ever proved watertight
Solution: Newcomers receive messages from the general manager and deputy; the compliance unit conducts regular checks
Making staff aware of the guidelines in regard to accepting invitations and presents
Solution: Training sessions are organized
Significant Challenges in Compliance Programs (continued)
Adapting generally accepted compliance standards to the unique requirements of a central bank
Having limited staff resources; performing a compliance risk assessment (resources)
Trying to follow laws even though the central banks are not always bound by those laws
Strengthening the bank’s ability to limit exposures to legal or administrative penalties associated with noncompliance
Developing a framework
Shifting governance and minimizing redundancy among control groups
Significant Challenges in Compliance Programs (continued)
Designing, implementing, and monitoring a compliance system that is in line with best practices
Solution: Developed a formal mandate, hired competent staff, built the function, established networks, set up documents such as a code of conduct, developed working methods, and established information technology (IT) systems
Having the right tools and processes in place to have an efficient implementation
Staying up to date on new and emerging risks
Developing value-added integrated risk management and reporting protocols to provide value to management while limiting administrative burden
Dealing with Human Resources problems, since more of the compliance function is embedded in operational analysis
Solution: Requested additional recruitment
Central Banks without a Compliance Program
Roles are managed in the following ways:
• The roles are embedded in Internal Audit.
• Line Management owns the risks, with Legal addressing legal requirements and Risk Management handling compliance risk as part of the operational risk management process.
• Human Resources, Legal, and Internal Audit play a combined role.
The rationale is primarily one of the following:
• Several central banks plan on implementing a program in the next year or so.
• Several banks noted that the use of the three lines of defense model negates their need for a compliance function.
• The bank has been comfortable with a hybrid approach of Legal, Human Resources, and business lines managing compliance.
Laws and Regulations
Central banks identify new laws or changes to laws that may have an impact on operations through:
• Committees established from different departments
• Leadership from the Legal Department
• Legal subscription services
• Work performed by department management in the business areas
• Notification from government entities
Approximately 77% of the central banks provide training for their staff on applicable laws and regulations.
Best Practices Related to Compliance
Usage of e-learning modules on compliance that all staff members are required to complete
Documented policies and procedures that staff members are obligated to follow
An annual report (based upon the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework), which includes compliance, that is prepared and sent to the board; utilization of the COSO framework
Provision of workshops by the Legal Department on administrative rules and regulations; tailoring of sessions for smaller groups or individuals involved in a particular process
Training sessions on anti-money laundering and terrorist financing laws, personal data protection, and IT security
Awareness campaigns related to IT security
Best Practices Related to Compliance (continued)
Utilization of the three lines of defense model and maintaining transparent channels for reporting
Experts in specific business units who support the compliance program
Presentations for new staff on the code of conduct and relevant rules
Coverage at Risk Committee of all functions, including compliance issues and relevant mitigating measures
Cultivation of strong collaboration between the compliance function and the lines of business
Separation between legal function and compliance function
Establishment of an Integrity and Ethics Committee
Summary Conclusions
Many central banks have compliance functions, programs, and/or frameworks
Compliance functions may be organized as part of a standalone unit or business Line Management, or embedded in Internal Audit, Legal, or Risk Management
The favored approach is a decentralized model
For those central banks that perform compliance activities, the predominant areas of focus are ethics, insider trading, memorandums of understanding (MOUs), terrorist financing laws, and data protection. In addition, those areas focus primarily on training, whistle-blowing, monitoring, testing, and developing policies
Summary Conclusions (continued)
Several central banks are in the process of setting up formal compliance programs. Since many of the programs are in their formative stages, a number of challenges were identified:
Operating within resource constraints, training staff, developing the value proposition for a compliance program, not placing excessive burden on staff, and having the right tools to administer a compliance program
There are a number of best practices to consider when setting up a compliance program
Use of e-learning modules, training programs, relationship cultivation, clear documentation of policies and procedures, and awareness campaigns
Concluding Discussion
Is there further work warranted on the subject of compliance?
Questions and Comments
The IORWG acknowledges responses from the following entities to generate the central bank compliance results:
Reserve Bank of Australia
Central Bank of the Republic of Azerbaijan
National Bank of Belgium
Bank for International Settlements
Banco Central do Brasil
Banco Central de Bolivia
Deutsche Bundesbank
Bank of Canada
Banco de la República – Colombia
Central Bank of Curaçao and Saint Maarten
Banco de España
Bank of Estonia
European Central Bank
Banque de France
Bank of Greece
Hong Kong Monetary Authority
Central Bank of Ireland
Bank of Israel
Banca D’Italia
Banque Centrale du Luxembourg
Bank of Lithuania
Central Bank of Jordan
Bank Al-Maghrib
Bank Negara Malaysia
Central Bank of Malta
Federal Reserve Bank of New York
Oesterreichische Nationalbank
Norges Bank
Federal Reserve Bank of Philadelphia
Bangko Sentral ng Pilipinas
Narodowy Bank Polski
Monetary Authority of Singapore
Sveriges Riksbank
South African Reserve Bank
Swiss National Bank