Agnes Sopel

Compliance Management System - General principles




A compliance management system is how an enterprise:

  • Learns about its compliance responsibilities.

  • Ensures that employees understand these responsibilities.

  • Ensures that requirements are incorporated into business processes.

  • Reviews operations to ensure responsibilities are carried out, and requirements are met.

  • Takes corrective action and updates materials as necessary.

An effective compliance management system is commonly comprised of three interdependent elements:

  • Strategy

  • Management

  • Oversight

When all elements are strong and working together, an organisation will be successful at managing its compliance responsibilities and risks now and in the future.


Strategy


The board of directors is ultimately responsible for developing and administering a compliance management system that ensures compliance with British and international laws and regulations and addresses and prevents associated risks of harm to consumers. The tone at the top sets an organisation’s guiding values and ethical climate. Properly fed and nurtured, it is the foundation upon which the culture of an enterprise is built. Ultimately, it is the glue that holds an organisation together. A board can demonstrate commitment to maintaining an effective compliance management system by:

  • Demonstrating clear and unequivocal expectations about compliance, not only within the organisation but also to third-party providers.

  • Adopting clear policy statements.

  • Appointing a compliance officer with authority and accountability.

  • Allocating resources to compliance functions commensurate with the level and complexity of the organisation’s operations.

  • Conducting periodic compliance audits.

  • Providing for recurrent reports by the compliance officer to the board.

Management


Management elements are a vital cog in the compliance management system. Without highly effective management elements, the compliance function will lack the agility to adjust to business changes and dynamic business and innovation climates. It’s a good idea for an organisation to establish a formal, written compliance program. In addition to being a planned and organised effort to guide the organisation’s compliance activities, a written program represents an essential source document that will serve as a training and reference tool for all employees. A well-planned, implemented and maintained compliance program will prevent or reduce regulatory violations and provide cost efficiencies, which is why it is considered a sound business step. It is expected that no two compliance programs will be the same and that the formality of a program will be dictated by numerous considerations, including:

  • The size, number of branches, and structure of the organisation.

  • Business strategy of the organisation (e.g. community bank versus regional; retail versus wholesale bank).

  • Types of products.

  • Location of the organisation—its main office and branches.

  • Other influences, such as whether the organisation is involved in interstate or international banking.

The formality of the compliance program is not as important as its effectiveness. This is especially true for small organisations where the program may not be in writing, but an effective monitoring system has been established that ensures overall compliance. However, during periods of expansion or turnover of staff, a written compliance program becomes more important because individuals with the particular knowledge or experience may no longer be with the organisation or available for contact. Regardless of the degree of formality, all organisations are expected to manage their compliance programs proactively to ensure continuing compliance. Compliance efforts require an ongoing commitment from all levels of management and should be a part of an organisation’s daily business operations.


Policies and Procedures


Compliance policies and procedures should generally be described in the written compliance program document and reviewed and updated as the organisation’s business and regulatory environment changes. Policies should be established that include goals and objectives and appropriate procedures for meeting those goals and objectives. Generally, the degree of detail or specificity of procedures will vary in accordance with the complexity of the issue or transactions addressed. An organisation’s policies and procedures should provide personnel with all the information needed to perform a business transaction. This may include applicable regulation cites and definitions, sample forms with instructions, organisation policy, and where appropriate, directions for routing, reviewing, retaining, and destroying transaction documents. For example, loan application procedures should be established, so that organisation personnel consistently treat all applicants equitably and fairly. These procedures should incorporate and clearly convey to staff the regulatory requirements and the organisation’s lending policy, including the organisation’s non-discriminatory lending criteria.

Compliance policies and procedures are the means to ensure consistent operating guidelines that support the organisation in complying with applicable laws and regulations like the Consumer Rights Act 2015. Also, these criteria will provide standards by which compliance officers and line managers may review business operations.




Education of an organisation’s board of directors, management, and staff is essential to maintaining an effective compliance program. Line management and staff should receive specific, comprehensive training in laws and regulations, and internal policies and procedures that directly affect their jobs. The compliance officer should be responsible for compliance training and establish a regular training schedule for directors, management, and staff, as well as for third-party service providers. Training can be conducted in-house or through external training programs or seminars. Once personnel have been trained on a particular subject, a compliance officer should periodically assess employees on their knowledge and comprehension of the subject matter. An effective compliance training program is frequently updated with current, complete, and accurate information on products and services and business operations of the organisation, consumer protection laws and regulations, internal policies and procedures, and emerging issues in the public domain. For example, loan officers, as well as other front-line personnel regularly interacting with loan applicants, should be fully informed about the loan products and services offered by the organisation and thoroughly knowledgeable about all aspects of the consumer credit protection laws and regulations that apply.


Monitoring


Monitoring is a proactive approach by the organisation to identify procedural or training weaknesses in an effort to preclude regulatory violations. Organisations that include a compliance officer in the planning, development, and implementation of business propositions increase the likelihood of success of their compliance monitoring function. An effective monitoring system includes regularly scheduled reviews of:

  • Disclosures and calculations for various product offerings.

  • Document filing and retention procedures.

  • Posted notices, marketing literature, and advertising.

  • Various consumer protection laws and regulations.

  • Third party service provider operations.

  • Internal compliance communication systems that provide updates and revisions of the applicable laws and regulations to management and staff.

Changes to regulations or changes in an organisation’s business operations, products, or services should trigger a review of established compliance procedures. Modifications that are necessary should be made immediately to minimise compliance risk, and applicable personnel in all affected operating units should be advised of the changes.


Monitoring also includes reviews at the transaction level during the normal, daily activities of employees in every operating unit of the organisation. This might include, for example, verification of an annual percentage rate, or a second review of a loan application, before the transaction is completed. Monitoring at this level helps establish management and staff accountability and identifies potential problems in a timely manner. Compliance officers should monitor employee performance to ensure that they are following an organisation’s established internal compliance policies and procedures. The frequency and volume of employee turnover at an organisation should be factored into the schedule for reviews. Such analysis is especially critical after problems have been noted during past audits or examinations, regulations change, new products are introduced, mergers occur, or when additional branch locations are opened.


Consumer Complaint Response


A company should always be prepared to handle consumer complaints promptly. Procedures should be established for addressing complaints, and individuals or departments responsible for handling them should be designated and known to all institution personnel to expedite referrals. Complaints may be indicative of a compliance weakness in a particular function or department. Therefore, a compliance officer should be aware of the complaints received and act to ensure a timely resolution. A compliance officer should determine the cause of the complaint and take action to improve the institution’s business practices, as appropriate.


Oversight


Compliance Reporting


The objective of compliance reporting is to provide the board of directors and compliance committees an end-to-end view of the compliance environment, provide insightful information on the effectiveness of compliance management and to guide decision-making. This includes reporting to:

  • Provide an assessment of compliance management performance at the top level, which consists of the board of directors, CEO, Group executives and general management.

  • Report how the top level is meeting applicable compliance obligations within the current and emerging compliance environment.

  • Report how the second line, which consists of the Chief Compliance Officer (CCO) and the Group’s Chief Operating Officer & Legal Counsel to the Board (COO), are performing their roles and responsibilities.

  • Highlight priority areas that present challenges for compliance (due to the high likelihood or impact of compliance issues, incidents, or weaknesses identified in the compliance control environment).

  • Identify areas of actual or potential non-compliance and report on remediation and future prevention strategies.

  • Inform decisions on the appropriateness of actions to be taken to address shortcomings.

  • Monitor the status of remediation and prevention actions to ensure effective compliance outcomes.

Compliance as a Challenge


The need for compliance management


Setting up and running a compliance management system is more necessary than ever for companies faced with increased legal and social demands in a complex economic environment. Effective compliance reduces the risk of sanctions, financial losses, damage to the company’s reputation, and the loss of its licence to operate. The management’s clear and visible commitment to acting with integrity and abiding by the law is of key importance. The Board of Directors and management must take appropriate measures to enforce the policy and code of conduct at all levels, and to establish an adequate, functioning, risk-based compliance management system. Risk management, internal guidelines, training concepts and targeted incentives and sanctions are important elements for effectively coping with and avoiding business risks in the area of compliance.


“Good corporate citizens”


Compliance not only involves abiding by the law and internal behavioural guidelines but also ensuring that all the company’s staff members act with integrity. Effective compliance, therefore, strengthens a company’s culture, which not only makes decisions in accordance with economic criteria but also always takes into account the social responsibility of the company as a significant decision-making criterion. Professional compliance management is, therefore, a central component of diligent management and a sign that the company is maintaining a culture of integrity and taking its social responsibility seriously in addition to striving for long-term profitability.


Duty of Executive Management


Setting up and running an effective compliance management system is an important and indispensable task for a company. Depending on the size of the company and its business, the compliance measures that it requires are more or less extensive. Therefore, each compliance management system must ultimately be tailored to fit the company. The compliance expectations of the country and society are the same for any company and must be taken seriously and implemented appropriately. The management is therefore obliged to constantly check whether its business activities and internal organisation are in line with the binding standards of integrity and to correct any shortcomings consistently and in good time.


In conclusion, comprehensive compliance management can be described on the one hand as a challenging joint task, and on the other as an important permanent standing order to the management.
