Your State Association Presents
Building and Maintaining
an Effective Compliance
Management System
Program Materials
Use this document to follow along with the webinar
presentation. Please test your system before the broadcast.
Be sure to print enough copies for all listeners.
Friday, July 1, 2016
Presenters: Shawn Kirshner
Michael Holley
Technical Support (for faster service please submit inquiries via email or online): (Registration & Tech Support): Email- [email protected], Phone- (877)988-7526 FOR ADDITIONAL ASSISTANCE PLEASE REFER TO OUR FAQs
© 2016 Crowe Horwath LLP
Building and Maintaining an Effective
Compliance Management System
July 1, 2016
Shawn Kirshner, CRCM, PMP
Michael Holley, CRCM
Today’s Agenda
• Introductions
• Overview of Compliance Management Systems (“CMS”)
• Structure, Oversight, and Governance
• Policy and Procedures
• Compliance Risk Assessment
• Monitoring and Testing
• Regulatory Change Management
• Training
• Internal Audit
• Issue Management
• CMS Metrics
CMS Overview
Compliance Management System Overview
• The CMS should be clearly established as a “Second Line of Defense” function within the organization.
• When the regulatory environment shifts or changes, an effective compliance system should not merely update policies, but rather initiate project and action plans designed to assess impact at an enterprise level as well as tactically in the business lines.
• Sound change management enhances your current Compliance System and helps ensure the success of the other areas such as: risk assessment, staffing, self-monitoring, training, policy and procedure enhancements, auditing, reporting and utilization of technology.
• These impacts may result in product and service offering revisions, executive management education, developing or amending risk assessments, audit program changes, business process changes or other changes required to remain in compliance.
• Common deficiencies identified during regulatory examinations include:
  • Deficient systems of periodic monitoring;
  • Weak independent compliance audits;
  • Compliance systems maintaining first line responsibilities.
Compliance Management System Overview (Continued)
An integral part of your compliance management system
• Regulator scrutiny increases as inherent risk exposure increases, and examiners are looking to understand whether the organization has:
  • Assessed all applicable laws and regulations across all relevant business lines and product and service offerings
  • Managed these regulatory obligations in an effective manner consistent with the intent of the law
  • Ensured regulatory requirements have been accurately interpreted and effectively implemented
  • Ensured regulatory change is managed through an effective regulatory change management process
Structure, Oversight, and Governance
Structure, Oversight, and Governance
• What does your Board expect from its Compliance Management Program? If you don’t know that answer, it’s time to ask the question or ask it a different way.
• Whether the Compliance Officer reports directly to the Board or a committee thereof, there is certain information necessary to allow the Board or designated committee to understand enough to make decisions.
• According to the CFPB, “In a depository institution, the board of directors is ultimately responsible for developing and administering a compliance management system that ensures compliance with Federal consumer financial laws and regulations and addresses and prevents associated risks of harm to consumers.”
Structure, Oversight, and Governance
Board Responsibilities:
• Establish policy and program
• Promote strong values – Tone at the top
• Ensure issues are identified, addressed and resolved
• Annual assessment of program
The key to direction: good information
Sources of good information:
• Risk assessment
• Audits and internal monitoring results
• Compliance committee reports
• Exception tracking reports
• Key trends and issues
• Compliance Officer updates
• Regulatory agencies
Structure, Oversight, and Governance
Senior management responsibilities are to:
• Establish, communicate, and enforce policy
• “The duty of senior management is to ensure that the compliance policy is observed and entails responsibility for ensuring that appropriate remedial or disciplinary action is taken if breaches are identified”
Senior management should, with the assistance of the compliance function:
• Ensure that a permanent and effective compliance function is in place
• At least once a year, identify and assess the main compliance risk issues facing the company and the plans to manage them
• At least once a year, report to the board on the organization’s management of its compliance risk
• Assist the board in making informed judgments on whether the organization is managing its compliance risk effectively
• Report promptly to the board any material compliance failures
Policies and Procedures
Policy and Procedures
Compliance policies and procedures should be documented in sufficient detail to implement the board-approved policy documents. Overall, examiners are looking to determine whether compliance policies and procedures:
• Are consistent with board-approved policies
• Address compliance with applicable Federal consumer protection laws in a manner designed to prevent violations and to detect and prevent associated risks of harm to consumers
• Cover all product and service lifecycles
• Are maintained and modified to remain current and to serve as a reference for employees in their day-to-day activities
Risk Assessment
Compliance Risk Assessment
• Compliance identifies the relevant inherent risks to the organization’s products, services, and business strategy, based upon the institution’s operating model. Executive, senior business, and compliance management need to be in alignment regarding risk appetite.
• The enterprise compliance risk assessment should define the inherent risks relevant to the institution, and then map those risks to the appropriate business lines.
• The residual risk ratings are determined by the effectiveness of the compliance controls in place that have been validated through compliance monitoring, internal audits, and/or regulatory examinations. The business should have ownership and understanding of the relevant compliance risks and controls to sufficiently mitigate the regulatory risk to an acceptable level agreed upon by senior management and compliance.
• Business line leaders should collaborate in the mapping process and help to identify the controls in place, or the lack thereof, that will drive the residual risk ratings. This may be a learning process for the business and provide a forum for compliance to begin building first line compliance control responsibilities.
Monitoring and Testing
Monitoring and Testing
Expectations:
• Monitoring is scheduled and completed and leads to timely corrective actions where appropriate
• Monitoring confirms that transactions and other consumer contacts are handled according to the entity’s policies and procedures
• Monitoring and testing consider the results of risk assessments or other guides for prioritizing reviews
• Monitoring addresses deficiencies identified in internal or external audits and the board’s or management’s directives on resolving the deficiencies
• Findings are escalated to management and to the board of directors when appropriate
• Support of Business:
  • The compliance function provides advice and guidance on compliance issues to the business as a result of the monitoring
  • Compliance provides advice on controls necessary to mitigate risk
  • Compliance provides support during contemplation of third party relationships (e.g., collections, call center assistance, etc.)
  • Designation of appropriate training needs given roles and responsibilities
Monitoring and Testing
Monitoring is a critical component of the CMS and may take various forms from different areas, such as business line self-testing and monitoring, and structured monitoring and testing conducted by the compliance department.
The compliance function should monitor and test compliance by performing sufficient and representative compliance testing. The results of the compliance testing should be reported up through the compliance function reporting line in accordance with the bank’s internal risk management procedures. Coverage should include:
• Core compliance transactions (lending, deposits, privacy, etc.)
• Content of consumer disclosures, agreements and notices (prescriptive requirements & UDAAP)
• Fair Lending and Community Reinvestment Act
• Marketing material, scripts or guides for employee contact with consumers
• Bank Systems (bank web-site, mobile pay, automated phone systems)
• Call Centers (marketing, issue resolution, sales, new accounts)
• Vendor Relationships (Do vendor management procedures consider compliance risks?)
• Social Media and complaints
• Lending trends
Monitoring and Testing
• The monitoring program should be risk-based, approved by the Board, and in line with the annual compliance objectives approved by the Board and/or other committee(s) overseeing compliance/risk management
• The plan should be based on the results of a compliance risk assessment that considers the inherent and residual risk for each area and considers all key compliance regulations applicable to the operations
• The monitoring program should be committed to writing in a set of operating procedures addressing (at a minimum):
  • Annual plan / coverage / scope and frequency
  • Sampling methodology
  • Planning and reporting
  • Working paper documentation and quality control/technical review
  • Issue follow-up and remediation testing
  • Reporting: formalized, and considers the control environment, root cause identification, prescriptive recommendations aligned with root cause, and follow-up of management action plans
Regulatory Change Management
Change Management: Capturing and Evaluating the Relevant Regulations
• Identifying relevant new proposed regulations or changes to existing regulatory requirements to determine the inherent risks:
  • Depending upon the regulatory agency that supervises your institution, there are numerous ways to remain connected and receive updates
  • For example, the OCC, CFPB, and FDIC publish proposed regulatory changes with sufficient time to evaluate the implications and provide feedback on interpretation
  • The compliance function or legal may review the proposed regulatory change and evaluate and affirm its relevance to your institution
• The Business is highly dependent on Compliance for understanding what new or revised regulations are applicable and what actions are necessary
• Compliance should contemplate working with the business lines in determining relevant impact and establishing an impact analysis for new laws and regulations, as applicable
Change Management: Disseminating Regulatory Impacts to the Business Lines
• Once the impact analysis is reviewed and approved by compliance, the analysis should be socialized with the key stakeholders; it will be needed to help ensure the proper changes occur in a timely and efficient manner
• Depending upon the complexity of the impacts, planning meeting(s) will need to be held with the key stakeholders to discuss the regulatory change(s) and the impacts to the current state. During these meeting(s), the following should result:
  • The business is informed of and understands the regulatory change along with the corresponding impacts to controls, processes, systems, and products/services.
  • Business lines provide feedback and concurrence is achieved on the impacts
Change Management: Impact Analysis
• Once the regulatory change has been identified and affirmed as an inherent risk, your institution should take the next steps:
  • Perform a timely and accurate impact analysis that identifies the following:
    • What products and services may be impacted?
    • What business lines and corporate functions may be impacted?
    • What system(s) may be impacted?
    • What processes may require change?
    • What new or modified controls may be required?
    • What training may be required and at what level?
    • What policies and procedures may be impacted?
  • The impact analysis should be documented, follow a standard process that captures all the above points, and be completed by a compliance manager/officer with sufficient experience and knowledge of the institution
Change Management: Determining the Approach
• Once the impact analysis is finalized, Compliance should then socialize the impacts with the appropriate business lines to obtain their feedback and concurrence. This is a critical step to include key business line process owners to verify assumptions and gain better clarity on process and application level impacts.
• Once the impact analysis is vetted and agreed upon, Compliance will be well positioned to determine the proper planning, communication, and collaboration with the business to help ensure the necessary changes occur to effectively meet the regulatory requirements.
Supporting Change Management
• Once the impact analysis is fully vetted and concurrence achieved with the business by incorporating relevant feedback into the impact analysis, Compliance needs to support the change management process.
• Compliance should have a change management process established that coordinates and, if necessary, facilitates the required changes with the business.
• This should include developing or supporting the following:
  • A project plan that identifies activities, tasks, resources, deliverables, milestones, constraints, and dependencies that provide for an accurate and feasible implementation timeline.
  • Guidance on the design of compliance controls, monitoring, and reporting.
  • Communications to the business announcing the changes and subsequent milestones that are achieved through the implementation.
  • Guidance and recommendations to the business on proposed process changes, compliance control design, monitoring and reporting.
Supporting Change Management
• This should include developing or supporting the following:
  • Training of appropriate personnel and management
  • Gating criteria for each phase of the implementation
  • Agreed upon key success factors for the implementation process
  • Walking through and/or testing whether the proposed new or amended processes, systems, products and/or services will meet the regulatory requirements prior to implementation.
  • Addressing gaps identified in the walkthrough or testing prior to implementation.
• Once the change management process has been completed, hold a final meeting with the business to affirm changes are in place and ready to meet the new regulatory requirements.
Supporting Change Management
• Once the change management process is completed, the following should occur:
  • Compliance should coordinate with the business to evaluate whether the implementation succeeded, based upon the agreed-upon success criteria.
  • This post-implementation review should identify lessons learned for subsequent changes and implementations.
  • Follow-up monitoring should occur after the processes, systems, and compliance controls have had time to process transactions and become seasoned.
Training
Training Program
Education of an entity’s board of directors, management, and staff is essential to maintaining an effective compliance program. Board members should receive sufficient information to enable them to understand the entity’s responsibilities and the commensurate resource requirements. Management and staff should receive specific, comprehensive training that reinforces and helps implement written policies and procedures. Requirements for compliance with Federal consumer financial laws, including prohibitions against unlawful discrimination and unfair, deceptive, and abusive acts and practices, should be incorporated into training for all relevant officers and employees, including audit personnel.
Examiners are looking to determine whether:
1. Compliance training is current, complete, directed to appropriate individuals based on their roles, effective, and commensurate with the size of the entity and nature and risks to consumers presented by its activities
2. Training is consistent with policies and procedures and designed to reinforce those policies and procedures
3. Compliance professionals have access to training that is necessary to administer a compliance program
Internal Audit
Independent Testing of the Effectiveness of the CMS
• An independent, risk-based audit of compliance should be conducted
  • Audit of the adequacy and effectiveness of the program
  • Compliance with policy and program
  • Risk based testing of controls
• The compliance function and the audit function should be separate, to ensure that the activities of the compliance function are subject to independent review
  • Clear understanding and documentation within the company as to how risk assessments and testing activities are divided between audit and compliance
  • The head of audit should keep the head of compliance informed of compliance related findings
• Effective management of outsourcing arrangements
  • Third parties conducting testing or consulting
  • Third party training (online/in person)
  • Models used for regression, data analysis
Issues Management
Issues Management
Banks should have effective tracking and monitoring processes in place to ensure that compliance issues identified through internal audit, compliance monitoring, regulatory examinations and consumer complaints are properly remediated.
• Use of issue tracking databases or issue tracking processes
• Sufficient and complete tracking of the key areas to provide for reasonable management of compliance risk.
• Delinquent, higher risk items should be reported to senior management and the board as appropriate.
Compliance Metrics
Reporting, KPIs, and KRIs
Compliance should develop KPIs and KRIs in order to baseline the current state and have quantitative measures in place as the CMS matures.
This would include the following:
• Reduced compliance errors for impacted business lines.
• Improved efficiency in processing transactions as a result of better controls and monitoring during the process.
• KPIs enable compliance to compare the current state to the post-implementation environment to determine if the process/systems changes actually achieved the desired compliance results.
• Examples: complaint trending by product, by line of business, by individual; lending activity in regard to pricing and underwriting overrides, timeliness of decisioning, timeliness of approval to close.
• Training. How effective has training been in improving compliance? Do we have metrics to measure training effectiveness year over year?
Questions
In accordance with applicable professional standards, some firm services may not be available to attest clients.
This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction.
© 2016 Crowe Horwath LLP, an independent member of Crowe Horwath International crowehorwath.com/disclosure
Thank you. For more information, contact:
Shawn Kirshner, CRCM, PMP
Direct 818.325.8661
Michael Holley, CRCM
Direct 954.492.4419