U.S. Regulatory/Compliance Orientation Program for Head Office and Recently Arrived Officers and Representatives of International Banks

Organized by the Conference of State Bank Supervisors and The Institute of International Bankers

Gary M. Welsh, Managing Director, PricewaterhouseCoopers

July 16, 2007, New York City, Association of the Bar of the City of New York



Topics

• How Do U.S. Regulators Define Compliance Risk?
• How Do International Banks Manage Compliance Risk to Meet U.S. Regulatory Expectations?
• What Is Enterprise Compliance?
• What Is the Role of Internal Audit in Compliance?
• What Happens If Compliance Risk Is Not Effectively Managed?
• Is Too Much Compliance A Bad Thing?


How Do U.S. Regulators Define Compliance Risk?

(Cartoon: © New Yorker Cartoons)


How Do U.S. Regulators Define Compliance Risk?

• Compliance Risk is --

“…the risk of legal or regulatory sanctions, financial loss, or damage to reputation and franchise value that arises when a banking organization fails to comply with laws, regulations, or the standards or codes of conduct of self-regulatory organizations applicable to the banking organization’s business activities and functions.” – Federal Reserve Governor Mark Olson (5/16/06)


Compliance Risk Has Attracted Increased Regulatory Scrutiny and Expectations

• “Financial services companies involved in recent scandals learned that no one had the 25,000-ft view of what was happening across the organization, and this led to internal control shortcomings that were not identified.” (Susan Bies, Federal Reserve)

• “It is clear that all organizations must find ways to effectively manage compliance risk--and there is growing consensus within the industry that for some of the largest and most complex organizations, an enterprise-wide approach to controlling compliance risk is no longer just a "nice thing to have." Rather, it has become an essential element of effective risk management.” (Mark Olson, Federal Reserve)


Compliance Risk is Interrelated with Other Risks That Also Have To Be Considered

• Regulatory Risk – Compliance failures can lead to regulatory enforcement and other actions.

• Operational Risk – Compliance risk is “operational risk come alive.” Operational risk has been defined as the risk of reputational damage, regulatory intervention or financial loss resulting from inadequate or failed internal processes or systems.

• Legal Risk – Compliance failures can lead to litigation and associated damages or penalties.

• Reputational Risk – Compliance failures can severely damage a firm’s reputation, brand and market value.


How Do International Banks Manage Compliance Risk to Meet U.S. Regulatory Expectations?

A Top-Down Risk-Based Approach Is the Place to Start


Know, Assess and Control Your Compliance Risks

• Compliance is now viewed in the U.S. as a Risk Management discipline
- You can’t eliminate compliance risk, but you can identify, manage, monitor and control your risks
• What key laws, rules and regulations apply to the business activities conducted in the U.S.?
• What level of risk does each key law, rule or regulation pose to the organization? Consider both issue-specific and business-unit-specific factors
• Where should we focus our compliance efforts?
- What controls are in place to mitigate those risks, and how effective are they?
• Are there any metrics in place to objectively assess their effectiveness?
• How should we remediate weak or inadequate controls?


Compliance Issue Identification and Risk Rating

• Identify the key laws, rules, regulations and other relevant guidance – the “compliance issues” – that apply to the business activities conducted in the U.S.

• Implement a risk rating methodology to prioritize compliance resources and efforts

• Risk rate the compliance issues based on inherent or specific risk factors, for example --
- Current examination/enforcement focus of regulatory agencies
- Current enforcement/investigative focus of law enforcement agencies
- Subject of new or recently amended law or regulation
- Substantial operational risks due to shifts in volume of transactions and dependence on technology
- Risk of escalating administrative sanctions/penalties for violations
- Private litigation risk, e.g., class action suits
- Media attention/reputational risks


How Do You Control Compliance Risks?

• International Bank Management should evaluate whether it has controls in place that adequately address its compliance risks

- A control consists of a specific set of policies, procedures, and activities designed to meet an objective

- A control may exist within a designated function or activity in a process
- Controls have unique characteristics – they can be: automated or manual; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; and others

- Controls can be preventive – have the objective of preventing the occurrence of violations

- Controls can be detective – have the objective of detecting violations or errors that could lead to violations that have already occurred

• U.S. Regulators do not usually mandate specific controls; they look for a comprehensive compliance program that provides reasonable assurance against the occurrence of systemic or material violations that could damage the institution, its customers or broader U.S. public interests


How Do You Know Controls Are Working -- Compliance Testing

• Testing is used to assess the state of compliance and the effectiveness of compliance controls

- Targeted Compliance Issues
- Enterprise-Wide (e.g., AML)
- Targeted Business Units/Areas

• Testing utilizes resources with the appropriate level of compliance experience and expertise

• Commonly we see three levels of compliance testing:
- Level 1 – Review of policies and procedures and an interview-based assessment of the quality of controls (design assessment)
- Level 2 – Level 1 plus review of sample compliance monitoring documentation and transaction testing
- Level 3 – Level 2 plus detailed customer transactional data testing

• Key Issues and Findings From Testing Reported to Senior Management
- Centralized issue-resolution tracking
- Follow-up validation of higher risk issues


What Is Enterprise Compliance?


Enterprise-Wide Compliance: Managed Complexity at the Corporate Level

• A wise monk once said that people prefer “managed complexity” to “unmanaged simplicity”
• U.S. Regulators are expecting large complex U.S. and International banking organizations to “manage complexity” by increasing their regulatory expectations for an effective enterprise-wide compliance program that manages risks across silos – whether they be business lines, business units, legal entities or offices
• The fundamentals of compliance remain – embed compliance in the business units and make them accountable – but a strong, corporate/centralized compliance function is also needed for large complex banking organizations
- To establish system-wide policies and procedures, e.g., AML & Privacy
- To ensure the compliance process across the organization and within Business Units is based on sound standards that
• Ensure a fundamental consistency in compliance program elements wherever located, and
• Facilitate an informed risk assessment at the corporate level of those issues within a large complex organization that are likely to present material or systemic concerns that require the attention of senior management and the board of directors


Enterprise-wide Compliance for International Banks

• Expectation: International banks have a consolidated view of US activities onshore.

• Expectation: International banks need role clarity between:
- Head office management and local management;
- Head office compliance and local compliance;
- Line of business compliance personnel (embedded) and risk management/control function roles and responsibilities (e.g., Legal, Compliance, Risk Management); and
- Compliance and Internal Audit.


What Is the Role of Internal Audit?


Role of Internal Audit in the Compliance Program

• Testing of the Compliance Program

• Testing of Compliance with Laws and Regulations

• Coordination with Compliance on Risk Assessment Methodologies

• Validation of Control Assessments


What Happens If Compliance Risk Is Not Effectively Managed?

(Cartoon: “Bummer of a birthmark, Hal” – The Far Side, Gary Larson)


Costs of Noncompliance

• Between January 1, 2003 and January 1, 2006, 800 banks paid $492 million in connection with 2,500 publicly announced sanctions

• During his tenure as New York State Attorney General, Eliot Spitzer negotiated more than $7 billion in fines, restitutions or disgorgements

• Between 2001 and 2005, the SEC brought 3,604 enforcement actions against securities firms

• In 2005, U.S. public companies paid more than $3.5 billion to settle securities class action lawsuits (excluding the $6.1 billion WorldCom settlement)

• Cost of major compliance failures on corporate reputation and strategic objectives -- PRICELESS


Is Too Much Compliance A Bad Thing?


Is Too Much Compliance A Bad Thing?

- In compliance, as in most areas, one must always be aware of the “Law of Unintended Consequences”

• Increased Cost of Compliance can impact institutions’ willingness to serve certain markets, e.g., embassy banking, money services businesses, low-and-moderate income markets

• Too Much Information (TMI) flowing up and around about compliance can overwhelm rather than support identification of highest risks and create false sense of security

• Attempts to Quantify Compliance Risks have their limits – practical as well as financial
- Ultimately need to have a compliance program built on Intelligent Design, though divine inspiration is not required

• Reduce costs and better manage information through intelligent “convergence” of overlapping streams of information, e.g., Internal Audit, SOX, operations risk, regulatory exams, ERM, et al

• Ensure focus is on intelligent monitoring and testing to identify risks with “systemic” implications, e.g., which indicate potential compliance program failures

• Don’t forget that at its heart compliance is more sociology than numerology – compliance as the intelligent application of individual and corporate knowledge and experience to identify, monitor, manage and control compliance issues that can impede the institution’s ability to accomplish its strategic objectives and reward its stakeholders


© 2007 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP (a Delaware limited liability partnership) or, as the context requires, other member firms of PricewaterhouseCoopers International Ltd., each of which is a separate and independent legal entity. *connectedthinking is a trademark of PricewaterhouseCoopers LLP.