The design and implementation methods for monitoring compliance vary across the different industry sectors, as well as between firms within the same sector, but the objective remains the same.
Whilst it is sometimes difficult to measure the true value to the business of an effective CMP, the financial and reputational cost of an ineffective CMP is evident from the enforcement action taken by both the GFSC and JFSC in recent years. The JFSC in particular has been focussing its attention on compliance monitoring for a number of years and undertook a thematic review of compliance monitoring between Q4 2019 and Q1 2020. In December 2020, the JFSC published a report of its findings which highlighted in the Executive Summary: ‘Of particular concern, the majority of the findings identified during this review were also highlighted by the JFSC the last time this type of review was undertaken by the JFSC in 2013’.
Some shortfalls identified by the JFSC’s thematic review included:
- Compliance reports tabled to the Board not including compliance monitoring as a standard agenda item;
- CMPs not being reviewed on a regular basis;
- CMPs not being periodically approved by senior management to ensure that changes to the compliance risk assessment were appropriately reflected;
- The lack of a documented approach for testing to be performed; and
- Inadequate retention of working paperwork/evidence to support any CMP testing undertaken.
As a result of the repeat findings, the JFSC has stated that it intends to continue to review the adequacy and effectiveness of CMPs in 2021. No doubt, the GFSC will be similarly focussed upon reviewing the CMPs of its licensees during its supervisory engagements in 2021 and beyond. Whilst a regulator will generally give a licensee an opportunity to address compliance monitoring deficiencies in the first instance, repeat failings will invariably be treated more severely.
On the positive side, the JFSC did find examples of good practice which included:
- A designated Board member having oversight of the CMP which enabled a clear and direct line to the Board for the raising of any issues;
- A CMP clearly mapped to the firm’s BRA and the regulatory framework;
- CMPs being submitted to senior management for approval at the beginning of the year and minutes recording the discussion, scrutiny, challenge and subsequent agreement of the CMP coverage for the coming year; and
- The provision of regular and clear reporting to senior management detailing the activities performed and the resultant findings, with clear actions and remediation detail included.
If you are looking for clear and concise information about CMPs, then look no further than the JFSC’s guidance note on compliance monitoring which outlines the approach firms should take to compliance monitoring and gives examples of good and bad practice as observed by the JFSC.
The JFSC’s guidance note sets out the 7 steps to building an effective CMP, as illustrated below. Like any process, each step in the CMP is critical to ensuring its overall effectiveness:
Benefits of Compliance Monitoring
The benefits to a firm of having a robust approach to compliance monitoring include:
- Supports good corporate governance;
- Fulfils a significant part of the firm’s risk management framework;
- Ensures the effectiveness of the firm’s procedures and control framework;
- Provides demonstrable evidence of the Board’s oversight of the management of compliance risk;
- Offers timely information to enable the Board to take action to reduce the risk of legal action, regulatory sanctions, financial loss or reputational damage; and
- Helps identify training needs for staff.
BDO Cerberus Regulatory Consulting
For most firms, designing and implementing a CMP requires significant time and commitment from the Board of Directors and the firm’s Compliance Officer/Money Laundering Compliance Officer. It is a continual and evolving process which needs to be reviewed and updated at least annually.
BDO Cerberus Regulatory Consulting is well-placed to help with any aspect of your firm’s CMP to enhance your risk management framework, as well as to ensure you satisfy the heightened scrutiny of the regulator. Our advisory staff include ex-regulators with many years of experience in assessing the CMPs of regulated firms and are adept at identifying and reporting upon inadequacies, as well as helping you find pragmatic solutions bespoke to your firm’s specific requirements.
CMPs can be administratively cumbersome, with many firms still using static Excel spreadsheets. These spreadsheet-based CMPs can lack accessibility and versatility, and require regular manual intervention when laws and rules change and when Board reporting is produced.
BDO Cerberus Regulatory Consulting has sought to rectify this with the creation of Hyperion - a bespoke compliance monitoring tool offering an intuitive, real-time solution.
Further information on Hyperion can be found in our flyer. To arrange a demonstration, please contact Paul Robinson.