Sunday 17th November 2024

On 6 December 2013 the JFSC issued a Guidance Note titled "Compliance Monitoring"; a document overview follows.

The purpose of the paper is to outline an approach to Compliance Monitoring and provide examples of good and poor practice identified during the Commission’s on-site examinations over the past 18 months. It is expected that senior management (including the board) of registered persons consider this paper against their own arrangements and take action where necessary.

The contents of the paper are as follows:

2 Compliance Monitoring

3 Approach to Compliance Monitoring

Legislative and Regulatory Requirements

Controls

Risk Assessment

Compliance Monitoring Programme

Testing

Reporting

Remedial Action

4 Benefits of Compliance Monitoring

5 Conclusion

2 Compliance Monitoring

2.1 The Commission considers Compliance Monitoring to be the assessment of a registered person’s adherence to applicable legislative and regulatory requirements and corresponding controls.

2.2 Compliance Monitoring should therefore be an integral part of a registered person’s risk management framework; specifically in relation to Compliance Risk[1].

[1] Compliance Risk (as defined by the Basel Committee on Banking Supervision): the risk of legal or regulatory sanctions, material financial loss, or loss to reputation a [registered person] may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organisation standards, and codes of conduct applicable to its [regulated activities].

2.3 It can occur throughout the business and need not be solely undertaken by the Compliance Function[2]. However, Compliance Monitoring completed by the Compliance Function should provide the Board with more robust assurance with regard to its management of Compliance Risk.

[2] The Compliance Function is assumed in this Guidance Note to include the Compliance Officer, Money Laundering Reporting Officer, Money Laundering Compliance Officer and staff who directly report into the individuals appointed to these Key Person positions. However, it is noted that the Compliance Function may comprise one person.

2.4 It also helps registered persons demonstrate compliance with Principle 3 of the Codes of Practice, Article 11(11) of the Money Laundering (Jersey) Order 2008 and relevant sections of the Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism.

2.5 The remainder of this paper focuses on Compliance Monitoring undertaken by the Compliance Function.

3 Approach to Compliance Monitoring

3.1 Because Compliance Functions have finite resources subject to competing demands, it is often necessary to adopt a risk-based approach to Compliance Monitoring and focus on the areas that present the highest perceived risk of non-compliance.

3.2 The first three steps described under 3.3 should form part of a registered person’s general compliance framework. For example, Compliance Functions should always be aware of changes in the regulatory environment and report relevant developments to senior management. However, they also provide important inputs into the determination of a risk-based Compliance Monitoring Programme (“CMP”).

3.3 The determination of a risk-based CMP should involve a cyclical feedback process consisting of the following steps:

3.3.1 identifying relevant legislative and regulatory requirements;

3.3.2 identifying relevant controls;

3.3.3 conducting a risk assessment;

3.3.4 producing and approving a CMP;

3.3.5 undertaking testing;

3.3.6 reporting; and

3.3.7 overseeing remedial action.

Further detail on the Commission’s expectations regarding these steps is provided below.

Legislative and Regulatory Requirements

3.4 The first step is to identify the legislative and regulatory requirements concerning Compliance Risk that are relevant to the registered person.

3.5 For example, the relevant legislative and regulatory requirements for a registered person carrying on trust company business will include, as a minimum:

3.5.1 the Financial Services (Jersey) Law 1998 and any subordinate legislation;

3.5.2 the Codes of Practice for Trust Company Business issued by the Commission;

3.5.3 all relevant legislation and guidance to counter money laundering and the financing of terrorism; and

3.5.4 the Commission’s Policy Statement and Guidance Notes on: (1) Outsourcing; and (2) Delegation by Jersey Certified Funds and Fund Services Businesses.

3.6 It should be noted that for Fund Services Business the minimum relevant legislative and regulatory requirements are more comprehensive because the Codes of Practice for Fund Services Business require robust arrangements for compliance with Applicable Rules; a definition which includes, amongst other things, the constitutive documents and prospectuses of funds.

3.7 Depending on the activities of the registered person, the relevant legislative and regulatory requirements may also include overseas financial service business requirements.

3.8 The registered person may wish to extend the remit of Compliance Monitoring beyond the legislative and regulatory requirements applicable as a result of being a registered person to consider areas such as:

3.8.1 other Jersey legislation, such as the Data Protection (Jersey) Law 2005 or the Corruption (Jersey) Law 2006;

3.8.2 standards which are not mandatory within the regulatory regime in Jersey; and

3.8.3 contractual obligations regarding compliance monitoring.

3.9 However, it is essential that consideration is given to the priorities and resources of the Compliance Function to ensure that an appropriate focus remains on the relevant Jersey legislative and regulatory requirements.

3.10 As previously noted, there should be an ongoing review of legislative and regulatory requirements concerning Compliance Risk and any relevant changes should be reflected in the risk assessment and, where appropriate, the CMP.

Controls

3.11 Once the relevant legislative and regulatory requirements have been established, the controls in place to manage the risk of non-compliance with each requirement need to be identified. Controls comprise policies, procedures and activities, and may include oversight by Business Control Units (“BCUs”) or Internal Audit.

3.12 Registered persons completing this exercise for the first time may identify gaps in controls that require remedial action.

Risk Assessment

3.13 The identification of controls should then be used to complete an assessment of the Compliance Risk of each relevant legislative and regulatory requirement. This assessment should comprise impact and probability and consider the risk of non-compliance before (inherent) and after the controls have been applied (residual).

3.14 This will also enable the key controls to be identified. The key controls are those that significantly reduce the risk of non-compliance and tend to be subject to oversight by BCUs or Internal Audit.

3.15 Where available, the risk assessment should include quantitative as well as qualitative information and draw upon the experience and knowledge of the Compliance Function and other relevant individuals, including senior management.

Compliance Monitoring Programme

3.16 The CMP should be derived from the risk assessment and include those legislative and regulatory requirements where the residual risk (i.e. after controls have been applied) of non-compliance is highest.

Good practice: the risk assessment considers information sources such as relevant revenue, complaints, breaches, operational incidents, the Commission’s publications (including public statements, on-site examination feedback and Guidance Notes), previous Compliance Monitoring, audit reports and concerns of senior management.

Good practice: the risk assessment uses a form of rating, such as red, amber and green or a numerical scale.

Poor practice: the risk assessment over-relies on “negative assurance”, such as assuming compliance with legislative and regulatory requirements on the basis that no breaches have been recorded.

Poor practice: the risk assessment assumes that if controls are in place then there is no Compliance Risk, without giving consideration to their effectiveness, including the level of adherence.

3.17 It should also include mandatory compliance monitoring[3] not completed elsewhere within the business.

[3] Mandatory compliance monitoring may include the performance of service providers, as required by Core Principle No 3 of the Commission’s Policy Statement and Guidance Notes on: (1) Outsourcing; and (2) Delegation by Jersey Certified Funds and Fund Services Businesses.

3.18 The registered person may wish to extend the CMP to include relevant legislative and regulatory requirements where a more informed or updated view of the effectiveness of controls is required for the risk assessment.

3.19 The content of the CMP may differ greatly between registered persons. This is expected as a result of a risk-based approach being applied to registered persons with different characteristics. However, it is important to note that the Commission would always expect a registered person to have a CMP in place.

3.20 The CMP should detail the legislation, regulation and/or controls to be tested, any other restrictions to the scope (e.g. a focus on a particular business line/department/team) and a timetable for completion.

3.21 The CMP should be reviewed on a regular basis and periodically approved by the Board to ensure that changes to the registered person’s Compliance Risk are appropriately reflected.

Testing

3.22 Before the testing commences a document should be produced that details how each test will be conducted. Many different approaches can be taken to the testing; however, it is important that each test produces robust findings that can be used to report on the registered person’s compliance with legislation, regulation and/or controls.

3.23 Working papers should be used to record the results of the testing and be supported by documentary evidence wherever possible.

Good practice: the CMP includes areas where testing has previously identified weaknesses in order to test the effectiveness of the remedial action completed.

Good practice: the CMP is reviewed and approved by the Board on an annual basis and reviewed by the Compliance Function on a quarterly basis with any significant changes being reported to the Board.

Poor practice: the CMP is not formally considered or approved by the Board.

Poor practice: the CMP is a fixed schedule of tests to be completed on a periodic basis without consideration of changes in Compliance Risk, including the reduction of residual Compliance Risk as a result of the satisfactory completion of remedial action.

Poor practice: where a registered person is part of a wider group, the only CMP implemented is a group CMP that does not adequately reflect the Compliance Risk in Jersey.

Reporting

3.24 The findings of the testing should be shared with relevant individuals within the business for comment and remedial action should be agreed (see below), before being shared with the board, unless findings are identified which require more expedient escalation.

3.25 The Compliance Function’s written report to the board should include Compliance Monitoring as a standing agenda item and provide details of the Compliance Monitoring completed in the period (including relevant findings and corresponding remedial action) and progress with remedial action since the previous report.

3.26 Where there are instances of non-compliance with relevant legislative or regulatory requirements, consideration must be given to the regulatory requirement for a registered person to be open and co-operative with the Commission and reports of breaches should be made where necessary.

Good practice: testing plans are produced and shared with relevant individuals within the business which detail the objective and scope of the testing, what work will be undertaken and the proposed timescales.

Good practice: a variety of testing approaches are used, such as talking with individuals, reviewing customer/client files (holistically or in part), analysing data, reviewing corporate documents and listening to recorded conversations.

Good practice: where appropriate, sample testing is used and the findings are extrapolated, e.g. a number of customer/client files are tested rather than all the files.

Poor practice: over-reliance is placed on unverified verbal statements.

Poor practice: inadequate or no working papers are maintained to evidence the testing undertaken or support findings.

Poor practice: testing is not undertaken or completed to an adequate standard because of resource constraints.

Good practice: a summary of testing, findings and remedial action is documented in Compliance Monitoring reports and extracts are contained in the Compliance Function’s report to the Board.

Good practice: the Compliance Function’s report to the board includes progress against the approved CMP.

Good practice: ratings are given to individual findings and overall Compliance Monitoring reports.

Poor practice: the board fails to support the completion of remedial action resulting from testing.

Poor practice: no report to the Board is provided on Compliance Monitoring.

Remedial Action

3.27 Where the testing identifies weaknesses or non-compliance, steps should be identified and taken to address the findings.

3.28 Responsibility for the remedial action should be allocated to appropriate individuals and the Compliance Function should have oversight of its completion and monitor progress against specified timescales.

4 Benefits of Compliance Monitoring

4.1 The benefits for registered persons having a robust approach to Compliance Monitoring include:

4.1.1 an enhanced risk management framework;

4.1.2 being able to demonstrate the board’s oversight of the effectiveness of controls implemented to mitigate Compliance Risk;

4.1.3 proactive identification of control weaknesses, incidents and breaches of relevant legislative and regulatory requirements;

4.1.4 being able to target business improvements to reduce the risk of legal or regulatory sanctions, material financial loss, or damage to reputation; and

4.1.5 having data to inform the completion of the annual declarations required under the relevant regulatory requirement, such as the Financial Services (Trust Company and Investment Business (Accounts, Audits and Reports)) (Jersey) Order 2007.

4.2 It is also important to note that material breaches identified by the registered person and reported to the Commission tend to be considered more favourably than if the Commission (or a third party acting on behalf of the Commission) identifies a material breach. This is because it demonstrates effective governance by a registered person and enables the registered person to also report the remedial action taken and/or planned to address the issue.

Good practice: where an issue is identified the wider implications are considered with the purpose of identifying any systemic weaknesses or trends that should be addressed.

Good practice: remedial action is agreed between the Compliance Function and relevant individuals within the business.

Good practice: ratings are given to the findings of the testing, including recognising the materiality of any breaches.

Good practice: any breaches of regulatory requirements or controls are recorded centrally.

Poor practice: a defensive statement is provided by the business in relation to any findings and no remedial action is agreed.

5 Conclusion

5.1 The Commission does not expect each registered person to undertake Compliance Monitoring in the same way. This is because Compliance Monitoring should be risk-based and depend on the nature, size and complexity of the business. However, the Commission does expect senior management and the board of a registered person to understand and demonstrate the importance of Compliance Monitoring, and for the approach to Compliance Monitoring to be documented and corresponding records to be appropriately maintained.

