Are your Compliance Monitoring Plans Effective?

The themed examination paper spells out very clearly the views of the regulator in relation to compliance monitoring.

“Effective compliance monitoring is an invaluable process that enables senior management to demonstrate that they have implemented and maintained adequate and effective systems and controls (including policies and procedures), that they are being complied with, and that timely action is being taken to remedy any deficiencies brought to their attention”.

Despite such importance being placed upon compliance monitoring, which was introduced in 2008, it comes as something of a surprise that 41 findings were categorised as non-compliant with the Money Laundering (Jersey) Order 2008, or a statutory obligation or regulatory requirement described in the regulators AML/CFT Handbook, or the Codes of Practice, or was relevant to all three regulatory requirements. Unsurprisingly, given the results, the JFSC has declared that it intends to make compliance monitoring one of their areas of focus in 2021.

Jersey Financial Services Commission Compliance Monitoring Plans Thematic Review

The report highlights some of the main failings identified;

• the Compliance Report to the Board not including compliance monitoring as a standard agenda item;
• the Compliance Monitoring Plan (‘CMP’) not being reviewed on a regular basis;
• the CMP not being periodically approved by senior management (it is required, at least, annually) to ensure that changes to the Registered Person’s Compliance Risk Assessment are appropriately reflected;
• the lack of a documented approach for testing to be performed; and
• no or incomplete retention of the working paperwork/evidence collected during that testing.

It is not all doom and gloom however, as the JFSC noted many good practices including;

• a designated Board member having oversight of the CMP allowing for oversight not just from a resource perspective but to ensure that there is a clear and direct line to the Board for the raising of any issues;
• a CMP which is clearly mapped to the Registered Person’s Business Risk Assessment (“BRA”) and the regulatory framework. This displays that Registered Persons have a good understanding of the risks faced, had considered local statutory obligations and regulatory requirements, had implemented systems and controls designed to mitigate or manage those risks and had developed a CMP which is designed to test the adequacy and effectiveness of those systems and controls;
• CMPs are submitted to senior management for approval at the beginning of the year and minutes make reference to the discussion, scrutiny and challenge and subsequent agreement of the coverage for the coming year; and
• the provision of regular and clear reporting to senior management detailing the activities performed and the resulting findings with clear actions and remediation detail were included.

The JFSC has issued a warning to all businesses concerning CMPs, particularly since the same findings were also highlighted in the last review undertaken in 2013.

The JFSC stipulate that;

“All Registered Persons should consider their own arrangements in relation to the Guidance Note and the findings of this paper and where necessary, consider enhancing systems and controls, so that they are able to demonstrate full compliance with the regulatory framework”.

Compliance monitoring should be an integral part of a Registered Person’s risk management framework. When executed effectively and in conjunction with other activities, an effective CMP enables the Registered Person to evidence that risk is being proactively and appropriately managed.  In 2021 businesses need to be able to demonstrate that their CMP has been revisited and where necessary updated, thereby avoiding the failings identified in the feedback paper.