Effective Compliance Monitoring

Failing to implement an effective Compliance Monitoring Plan (“CMP”) continues to be a regular finding arising from on-site examinations conducted by the Jersey Financial Services Commission (“JFSC”).

Barry Faudemer

In its letter addressed to all Chief Executives in 2013 on the subject of Compliance Monitoring, the JFSC made it very clear that it considers a CMP to be the assessment of a registered person’s adherence to applicable legislative and regulatory requirements and corresponding controls, which should form an integral part of a registered person’s risk management framework, specifically in relation to Compliance Risk. The letter leaves Chief Executives in no doubt that the JFSC expects a registered person to have an effective CMP in place. The letter is a key document and may be taken into consideration in the event that a business fails to instigate an effective CMP.

Effective Compliance Monitoring completed by the Compliance Function should provide the Board with more robust assurance with regard to its management of Compliance Risk and demonstrate to the JFSC that such risks are being proactively managed. It should also give confidence that where there is non-adherence, issues are proactively identified and appropriately escalated and managed. A well-oiled CMP tends to indicate a healthy culture of compliance within a business.

An effective CMP also helps registered persons to demonstrate compliance with Principle 3 of the Codes of Practice, Article 11(11) of the Money Laundering (Jersey) Order 2008 and relevant sections of the Handbook for the Prevention and Detection of Money Laundering and the Financing of Terrorism.

In its basic format a CMP should involve a cyclical feedback process consisting of the following 6 steps:

Step 1: identifying relevant legislative and regulatory requirements;

Step 2: identifying relevant controls;

Step 3: conducting a risk assessment;

Step 4: producing and approving a CMP;

Step 5: undertaking testing;

Step 6: reporting and overseeing remedial action.

Depending on the activities of the registered person, the relevant legislative and regulatory requirements may also include overseas financial service business requirements.

Testing of compliance with the business’s policies and procedures is a key step in the process and demonstrates that the business is proactively managing and strengthening its risk management framework.

Good practice with regard to testing includes the following:

  • Testing plans should be shared with relevant individuals within the business setting out the detail, the objective and scope of the testing, what work will be undertaken and the proposed timescales.
  • Employees should be encouraged to identify any compliance shortfalls or suggest where the business’s AML defences could be enhanced further.
  • A variety of testing approaches should be used, such as talking with individuals, reviewing customer/client files (holistically or in part), analysing data, reviewing corporate documents and listening to recorded conversations.
  • Where appropriate, sample testing should be used and the findings extrapolated, e.g. a number of customer/client files are tested rather than all the files.
  • A candid report should be submitted to the Board recommending improvements to reduce the risk of legal or regulatory sanction, material financial loss or damage to reputation.

The JFSC has identified and published the following examples of poor practice observed with regard to testing:

  • Over-reliance is placed on unverified verbal statements.
  • Inadequate or no working papers are maintained to evidence the testing undertaken or support findings.
  • Testing is either not performed at all or undertaken by inexperienced staff resulting in a poor standard of testing.
  • Insufficient resource is allocated to testing as it is not seen as a priority.

Financial Services Businesses often fall into the trap of assuming that if controls are in place then there is no Compliance Risk, without giving consideration to their effectiveness, including the level of adherence. A skilful and capable Compliance Officer is one that identifies the risks to the business and communicates them effectively to the Board.

Reflecting on the many public statements issued and sanctions imposed by the JFSC, it is very apparent that businesses struggle to operate an effective CMP and that Boards regularly fail to take ownership of and oversee the operation of their CMP. All too often a Board will make the mistake of simply leaving oversight of the CMP to the Compliance Officer, or of failing to appreciate that the buck stops with the Board, NOT the Compliance Officer. Attending the offices of the JFSC and blaming the Compliance Officer for some material failing tends to indicate that the Board has not taken effective ownership of its CMP.

The JFSC recommends that the compliance function’s written report to the Board should include Compliance Monitoring as a standing agenda item and provide details of the Compliance Monitoring completed in the period (including relevant findings and corresponding remedial action) and progress with remedial action since the previous report. With Principal Persons at risk of being personally liable for civil penalties of up to £400,000 for significant and material breaches of JFSC Codes of Practice, such individuals should be taking a keen interest in their CMP and, to avoid negligently falling foul of the requirements, assessing how such CMPs are operating.

Assessing the effectiveness of a CMP is highly recommended, and Baker Regulatory Services can provide such reassurance to the business by preparing an independent report to the Board.