U.S. Regulatory/Compliance Orientation Program for Head Office and Recently Arrived Officers and Representatives
of International Banks
Organized by the Conference of State Bank Supervisors and The Institute of International Bankers
Gary M. Welsh, Managing Director, PricewaterhouseCoopers
July 16, 2007, New York City, Association of the Bar of the City of New York
Page 2 PricewaterhouseCoopers
Topics
• How Do U.S. Regulators Define Compliance Risk?
• How Do International Banks Manage Compliance Risk to Meet U.S. Regulatory Expectations?
• What Is Enterprise Compliance?
• What Is the Role of Internal Audit in Compliance?
• What Happens If Compliance Risk Is Not Effectively Managed?
• Is Too Much Compliance A Bad Thing?
How Do U.S. Regulators Define Compliance Risk?
[Cartoon: © New Yorker Cartoons]
How Do U.S. Regulators Define Compliance Risk?
• Compliance Risk is “…the risk of legal or regulatory sanctions, financial loss, or damage to reputation and franchise value that arises when a banking organization fails to comply with laws, regulations, or the standards or codes of conduct of self-regulatory organizations applicable to the banking organization’s business activities and functions.” – Federal Reserve Governor Mark Olson (5/16/06)
Compliance Risk Has Attracted Increased Regulatory Scrutiny and Expectations
• “Financial services companies involved in recent scandals learned that no one had the 25,000-ft view of what was happening across the organization, and this led to internal control shortcomings that were not identified.” (Susan Bies, Federal Reserve)
• “It is clear that all organizations must find ways to effectively manage compliance risk--and there is growing consensus within the industry that for some of the largest and most complex organizations, an enterprise-wide approach to controlling compliance risk is no longer just a "nice thing to have." Rather, it has become an essential element of effective risk management.” (Mark Olson, Federal Reserve)
Compliance Risk is Interrelated with Other Risks That Also Have To Be Considered
• Regulatory Risk – Compliance failures can lead to regulatory enforcement and other actions.
• Operational Risk – Compliance risk is “operational risk come alive.” Operational risk has been defined as the risk of reputational damage, regulatory intervention or financial loss resulting from inadequate or failed internal processes or systems.
• Legal Risk – Compliance failures can lead to litigation and associated damages or penalties.
• Reputational Risk – Compliance failures can severely damage a firm’s reputation, brand and market value.
How Do International Banks Manage Compliance Risk to Meet U.S. Regulatory Expectations?
A Top-Down Risk-Based Approach Is the Place to Start
Know, Assess and Control Your Compliance Risks
• Compliance is now viewed in the U.S. as a Risk Management discipline
- You can’t eliminate compliance risk, but you can identify, manage, monitor and control your risks
• What key laws, rules and regulations apply to the business activities conducted in the U.S.?
• What level of risk does each key law, rule or regulation pose to the organization? Consider both issue-specific and business-unit-specific factors
• Where should we focus our compliance efforts?
- What controls are in place to mitigate those risks, and how effective are they?
• Are there any metrics in place to objectively assess their effectiveness?
• How should we remediate weak or inadequate controls?
Compliance Issue Identification and Risk Rating
• Identify the key laws, rules, regulations and other relevant guidance– the “compliance issues” – that apply to the business activities conducted in the U.S.
• Implement a risk rating methodology to prioritize compliance resources and efforts
• Risk rate the compliance issues based on inherent or specific risk factors, for example:
- Current examination/enforcement focus of regulatory agencies
- Current enforcement/investigative focus of law enforcement agencies
- Subject of new or recently amended law or regulation
- Substantial operational risks due to shifts in volume of transactions and dependence on technology
- Risk of escalating administrative sanctions/penalties for violations
- Private litigation risk, e.g., class action suits
- Media attention/reputational risks
How Do You Control Compliance Risks?
• International Bank Management should evaluate whether it has controls in place that adequately address its compliance risks
- A control consists of a specific set of policies, procedures, and activities designed to meet an objective
- A control may exist within a designated function or activity in a process
- Controls have unique characteristics – they can be: automated or manual; segregation of duties; review and approval authorizations; safeguarding and accountability of assets; and others
- Controls can be preventive – have the objective of preventing the occurrence of violations
- Controls can be detective – have the objective of detecting violations or errors that could lead to violations that have already occurred
• U.S. Regulators do not usually mandate specific controls; they look for a comprehensive compliance program that provides reasonable assurance against the occurrence of systemic or material violations that could damage the institution, its customers or broader U.S. public interests
How Do You Know Controls Are Working -- Compliance Testing
• Testing is used to assess the state of compliance and the effectiveness of compliance controls
- Targeted Compliance Issues
- Enterprise-Wide (e.g. AML)
- Targeted Business Units/Areas
• Testing utilizes resources with the appropriate level of compliance experience and expertise
• Commonly we see three levels of compliance testing:
- Level 1 – Review of policies and procedures and interview-based assessment of the quality of controls (design assessment)
- Level 2 – Level 1 plus review of sample compliance monitoring documentation and transaction testing
- Level 3 – Level 2 plus detailed customer transactional data testing
• Key Issues and Findings From Testing Reported to Senior Management
- Centralized issue-resolution tracking
- Follow-up validation of higher-risk issues
What Is Enterprise Compliance?
Enterprise-Wide Compliance: Managed Complexity at the Corporate Level
• A wise monk once said that people prefer “managed complexity” to “unmanaged simplicity”
• U.S. Regulators are expecting large complex U.S. and International banking organizations to “manage complexity” by increasing their regulatory expectations for an effective enterprise-wide compliance program that manages risks across silos – whether they be business lines, business units, legal entities or offices
• The fundamentals of compliance remain – embed compliance in the business units and make them accountable – but a strong, corporate/centralized compliance function is also needed for large complex banking organizations
- To establish system-wide policies and procedures, e.g., AML & Privacy
- To ensure the compliance process across the organization and within Business Units is based on sound standards that:
• Ensure a fundamental consistency in compliance program elements wherever located, and
• Facilitate an informed risk assessment at the corporate level of those issues within a large complex organization that are likely to present material or systemic concerns that require the attention of senior management and the board of directors
Enterprise-wide Compliance for International Banks
• Expectation: International banks have a consolidated view of US activities onshore.
• Expectation: International banks need role clarity between:
- Head office management and local management;
- Head office compliance and local compliance;
- Line of business compliance personnel (embedded) and risk management/control function roles and responsibilities (e.g., Legal, Compliance, Risk Management); and
- Compliance and Internal Audit.
What Is the Role of Internal Audit?
Role of Internal Audit in the Compliance Program
• Testing of the Compliance Program
• Testing of Compliance with Laws and Regulations
• Coordination with Compliance on Risk Assessment Methodologies
• Validation of Control Assessments
What Happens If Compliance Risk Is Not Effectively Managed?
[Cartoon: “Bummer of a birthmark, Hal” – The Far Side, Gary Larson]
Costs of Noncompliance
• Between January 1, 2003 and January 1, 2006, 800 banks paid $492 million in connection with 2,500 publicly announced sanctions
• During his tenure as New York State Attorney General, Eliot Spitzer negotiated more than $7 billion in fines, restitutions or disgorgements
• Between 2001 and 2005, the SEC brought 3,604 enforcement actions against securities firms
• In 2005, U.S. public companies paid more than $3.5 billion to settle securities class action lawsuits (excluding the $6.1 billion WorldCom settlement)
• Cost of major compliance failures on corporate reputation and strategic objectives -- PRICELESS
Is Too Much Compliance A Bad Thing?
Is Too Much Compliance A Bad Thing?
- In compliance, as in most areas, one must always be aware of the “Law of Unintended Consequences”
• Increased Cost of Compliance can impact institutions’ willingness to serve certain markets, e.g., embassy banking, money services businesses, low- and moderate-income markets
• Too Much Information (TMI) flowing up and around about compliance can overwhelm rather than support identification of the highest risks and create a false sense of security
• Attempts to Quantify Compliance Risks have their limits – practical as well as financial
- Ultimately need to have a compliance program built on Intelligent Design, though divine inspiration is not required
• Reduce costs and better manage information through intelligent “convergence” of overlapping streams of information, e.g., Internal Audit, SOX, operations risk, regulatory exams, ERM, et al.
• Ensure focus is on intelligent monitoring and testing to identify risks with “systemic” implications, e.g., which indicate potential compliance program failures
• Don’t forget that at its heart compliance is more sociology than numerology – compliance as the intelligent application of individual and corporate knowledge and experience to identify, monitor, manage and control compliance issues that can impede the institution’s ability to accomplish its strategic objectives and reward its stakeholders
© 2007 PricewaterhouseCoopers LLP. All rights reserved. "PricewaterhouseCoopers" refers to PricewaterhouseCoopers LLP (a Delaware limited liability partnership) or, as the context requires, other member firms of PricewaterhouseCoopers International Ltd., each of which is a separate and independent legal entity. *connectedthinking is a trademark of PricewaterhouseCoopers LLP.