FINANCIAL SERVICES FLASH REPORT

Transcription

1 FINANCIAL SERVICES FLASH REPORT Draft Regulatry Cmpliance Management Guideline Released by the Office f the Superintendent f Financial Institutins May 5, 2014 On April 30, 2014, the Office f the Superintendent f Financial Institutins (OSFI) issued fr cmment a revised draft Guideline E-13 (renamed Regulatry Cmpliance Management [RCM], frmerly Legislative Cmpliance Management [LCM]), representing the first update t the Guideline in eleven years. An update was deemed necessary t bring the Guideline int alignment with the revised Supervisry Framewrk, Crprate Gvernance Guideline, draft Operatinal Risk Guideline and ther internatinal guidance. Additinally, OSFI stated that it has, ver the years, identified a number f issues within Federally Regulated Financial Institutins (FRFIs) that it believes wuld be well served by additinal and clarified guidance. The draft Guideline is ut fr industry cmment until June 20, This Financial Services Flash Reprt highlights the prpsed key updates t the Guideline. Bradening f the Definitin f Regulatry Risk In previus LCM guidance, regulatry risk was defined as the risk f nn-cmpliance with applicable regulatry requirements. And fr the purpses f the LCM Guideline, applicable regulatry requirements were defined t include thse in: a. The FRFI s gverning federal legislatin, regulatins and regulatry directives, and b. Other legislatin, regulatins and regulatry directives applicable t the activities f the FRFI r its subsidiaries wrldwide. In the draft RCM Guideline, the term nw used is regulatry cmpliance risk, which is the risk that arises frm an FRFI s ptential nncnfrmance with laws, rules, regulatins, prescribed practices r ethical standards in any jurisdictin in which it perates. And regulatry requirements are defined as prvisins in legislatin, regulatins r regulatry directives (i.e., rules, guidelines, expectatins, and guidance issued by respnsible regulatrs) applicable t the FRFI r a subsidiary wrldwide that require the FRFI t d (r prhibit it frm ding) certain things r t act r cnduct its affairs in a particular manner. What has been remved is the cncept f Gverning and Other legislatin that renders all legislatin f equal status. Als, the definitin f regulatry cmpliance risk includes nt just laws, regulatins and regulatry directives, but als prescribed practices and ethical standards.

2 The RCM Framewrk An RCM framewrk is defined in the draft Guideline as the structures, prcesses and ther key cntrl elements thrugh which a FRFI and its subsidiaries manage and mitigate regulatry cmpliance risk inherent in their activities enterprise-wide. The fllwing table prvides a cmparisn between the key cmpnents f the LCM Framewrk and the updated RCM Framewrk: Definitin RCM Framewrk Structures, prcesses and ther key cntrl elements thrugh which the FRFI and its subsidiaries manage and mitigate regulatry cmpliance risk inherent in their activities enterprise-wide. OSFI expects the RCM framewrk t enable the FRFI t identify, riskassess, cmmunicate, manage and mitigate regulatry cmpliance risk. The framewrk shuld als include a definitin f regulatry cmpliance risk apprpriate fr the FRFI. LCM Framewrk LCM is t prvide a cntrl framewrk fr the mitigatin f regulatry risk in an FRFI. The framewrk shuld include an enterprise-wide definitin f regulatry risk. It shuld utline the prcess thrugh which it is t be identified and assessed, and utline the key cntrls thrugh which it is t be managed/mitigated thrughut the FRFI and its subsidiaries. Levels f Cntrl Key Cntrls (Elements) Operatinal management (day-t-day cntrls fr regulatry cmpliance risk) Onging enterprise-wide versight f dayt-day cmpliance cntrls Internal audit r ther independent review functin RCM Framewrk Key Cntrl Elements i. Prcedures fr identifying, risk assessing, cmmunicating, managing and mitigating regulatry cmpliance risk and maintaining knwledge f applicable regulatry requirements ii. iii. iv. Day-t-day cmpliance prcedures Independent mnitring and testing prcedures Internal reprting a. Reprting prcedures b. Cmpliance reprts t senir management and the bard r cmmittee(s) f the bard c. Internal audit r ther independent review functin reprts t senir management and the bard r cmmittee(s) f the bard v. Adequate dcumentatin Day-t-day Independent versight Key LCM Cntrls i. Identificatin, assessment, cmmunicatin and maintenance f applicable regulatry requirements ii. iii. iv. Cmpliance prcedures Mnitring prcedures Reprting prcedures v. Cmpliance versight functin reprts t the bard f directrs vi. vii. viii. Internal audit r ther independent review functin reprts t the bard Dcumentatin Regular review and imprvement Prtiviti 2

3 The FRFI is expected t administer the key cntrl elements thrugh a methdlgy that establishes clear lines f respnsibility and a mechanism fr hlding individuals accuntable. First Line f Defence Respnsibilities The draft RCM Guideline clarifies that there are tw levels f cmpliance cntrl, supplemented by a third line f defence. The first level f cntrl resides with peratinal management in the first line f defence. Operatinal management fr a given business activity is primarily respnsible fr thse cntrls used t manage all the regulatry cmpliance risks within an activity n a day-t-day basis. The Guideline clarifies that peratinal management is respnsible fr ensuring that there is a clear understanding by FRFI line staff f the regulatry cmpliance risks that are psed by its activity and must be managed, and that the plicies, prcedures and resurces are sufficient and effective in managing thse risks. Additinally, it reinfrces that senir management is respnsible fr ensuring that the RCM framewrk is implemented. It clarifies that day-t-day cmpliance prcedures shuld include mnitring and testing f the adequacy f, adherence t and effectiveness f cmpliance prcedures in business peratins. This replaces previus expectatins fr mnitring and reprting prcedures. This is an explicitly new requirement fr testing in the first line f defence. Secnd Line f Defence Respnsibilities The draft RCM Guideline reiterates the need fr nging enterprise-wide versight f day-t-day cmpliance cntrls by individuals r versight functins that are independent f the activities they versee (e.g., a cmpliance versight functin), led by a chief cmpliance fficer (CCO). It als clarifies that the adequacy f, effectiveness f and adherence t day-t-day cmpliance prcedures, including day-t-day mnitring and testing prcedures, shuld be independently mnitred and tested by the CCO and ther versight functins as apprpriate n an nging basis using a risk-based apprach. Where apprpriate, the mnitring and testing methdlgy shuld be sufficiently cnsistent enterprise-wide s that it enables aggregatin f infrmatin t identify any patterns, themes r trending in cmpliance cntrls that may indicate weaknesses. Hwever, it is nt clear what where apprpriate means. Verificatin f key elements f pertinent infrmatin used in key reprts, including CCO reprts t senir management and the bard, shuld be included as part f the mnitring and testing prgram. Third Line f Defence Respnsibilities Internal audit r anther independent review functin is expected t validate the effectiveness f and adherence t the RCM Framewrk enterprise-wide by risk-based testing n a rtatinal r ther regular basis. This includes bth testing f peratinal and independent versight levels f cmpliance cntrls. The Guideline als states that auditrs r reviewers respnsible fr this third line f defence review must have the apprpriate skills and knwledge f the business and regulatry envirnment t cnduct the reviews. Reprting Prcedures Reprting prcedures nw require that reasnably verifiable infrmatin abut RCM adequacy and effectiveness be cmmunicated n a timely basis t individuals with RCM respnsibilities. Previusly, reprting was fcused n senir management and the bard, and there was n requirement fr verifiability f infrmatin. Additinally, there is nw a requirement fr Prtiviti 3

4 aggregatin f mnitring and testing results within and acrss areas f business activity pertinent t the RCM respnsibilities f reprt recipients. With respect t the CCO reprting t senir management and the bard, the draft RCM Guideline prvides additinal guidance as t what is expected: Reprts shuld cver the results f enterprise-wide cmpliance versight, including Material RCM framewrk weakness Instances f material nncmpliance Material expsures t regulatry cmpliance risk Related remedial actin plans It s imprtant t nte that the definitin f materiality needs t be established in cnjunctin with the bard. Reprts shuld prvide an bjective view n whether the FRFI is perating within the RCM framewrk and identify prblems r issues t senir management and the bard, as apprpriate. The CCO shuld prvide an pinin t the bard n a regular basis, but at least annually, n the adequacy and effectiveness f the RCM framewrk, and whether, based n the mnitring and testing perfrmed by the cmpliance versight functin, the FRFI is in cmpliance with applicable regulatry requirements. The pinin shuld be based n enugh pertinent infrmatin that is verified r reasnably verifiable, t supprt the pinin. The CCO shuld meet with the bard n a regular basis, including, as apprpriate, in camera meetings. Rle f the Chief Cmpliance Officer As in the riginal LCM Guideline, verall respnsibility fr cmpliance shuld be assigned t a member f senir management wh shuld be designated, at least functinally, as the FRFI s CCO. Clarificatin that the CCO shuld nt be directly invlved in a revenue-generating functin r in the management f any business line r prduct f the FRFI is prvided. Rle f Internal Audit r Other Independent Review Functin The rle f internal audit r ther independent review functin has been described in much mre detail. The scpe f the wrk undertaken shuld include: Cnsideratin f the reliability f the RCM framewrk Management s identificatin f material regulatry cmpliance risks and their crrespnding cntrls The accuracy f reprting n cmpliance t senir management and the bard An assessment f hw effectively the cmpliance versight functin fulfills its respnsibilities Internal audit r ther independent review functin methdlgies need t be supplemented by effective challenge and an attitude f prfessinal skepticism by internal auditrs. Like the CCO s reprts t the bard, internal audit r ther independent review reprts shuld cntain sufficient pertinent infrmatin t facilitate the bard s versight f the RCM framewrk s adequacy and effectiveness, while maintaining their independence. These reprts shuld assist the bard in assessing the reliability f the RCM assurances prvided t the bard by the CCO and senir management. Prtiviti 4

5 Smaller, Less Cmplex FRFIs Oversight Functins and Independent Review Functins Flexibility is prvided t smaller, less cmplex FRFIs when it cmes t the versight and independent review functins. OSFI states that the presence and nature f versight functins are expected t vary based n the nature, size and cmplexity f the FRFI and its inherent risks. Where the FRFI lacks sme f the versight functins, it is nt sufficiently independent, r it desn t have enterprise-wide respnsibility, OSFI expects ther functins, within r external t the FRFI, t prvide the independent versight needed. Als, ne persn may have mre than ne set f versight respnsibilities. Where an institutin lacks an versight functin, OSFI will lk t ther versight functins fr cmpensating cntrls t prvide the type f cntinuus versight expected. In the absence f ther independent versight functins r cmpensating cntrls, versight wuld be expected t remain with senir management. In smaller, less cmplex FRFIs, the independent review functin r assurance prvider (i.e., the rle nrmally fulfilled by internal audit) culd be an external cnsultant such as a public accunting firm, cnsulting cmpany, legal firm, security rganizatin, r an internal audit department f a third-party service prvider. Summary The definitin f regulatry (cmpliance) risk has been bradened t include prescribed guidance and ethical standards. An RCM framewrk is defined as the structures, prcesses and ther key cntrl elements thrugh which a FRFI and its subsidiaries manage and mitigate regulatry cmpliance risk inherent in their activities enterprise-wide. The first line f defence must nw mnitr and test cmpliance cntrls. The secnd line f defence must nw have a mnitring and testing methdlgy that is sufficiently cnsistent enterprise-wide and enables the aggregatin f infrmatin acrss the enterprise where apprpriate. The third line f defence must explicitly test bth the first and secnd lines f defence with respect t the RCM framewrk, and have apprpriate skills and knwledge t d s. Reprting needs t be reasnably verifiable with respect t the adequacy and effectiveness f RCM. Reprting n mnitring and testing results must be aggregated within and acrss areas f business activity pertinent t the RCM respnsibilities f reprt recipients. Material RCM framewrk weakness must be defined in cnjunctin with the bard. Reprting frm the CCO must include an pinin n the state f the RCM framewrk s adequacy and effectiveness, and whether the FRFI is in cmpliance with applicable regulatry requirements, in additin t in camera sessins. The CCO shuld nt be directly invlved in a revenue-generating functin r the management f any business line r prduct f the FRFI. Internal audit r ther independent review functin s rle with respect t RCM has been prvided in much mre detail, and its methdlgies must be supplemented by effective challenge and prfessinal skepticism. Prtiviti 5

6 Smaller, less cmplex FRFIs are prvided flexibility and guidance with respect t alternative structures fr versight functins and independent review functins. Abut Prtiviti Prtiviti ( is a glbal cnsulting firm that helps cmpanies slve prblems in finance, technlgy, peratins, gvernance, risk and internal audit, and has served mre than 40 percent f FORTUNE 1000 and FORTUNE Glbal 500 cmpanies. Prtiviti and its independently wned Member Firms serve clients thrugh a netwrk f mre than 70 lcatins in ver 20 cuntries. The firm als wrks with smaller, grwing cmpanies, including thse lking t g public, as well as with gvernment agencies. Prtiviti is a whlly wned subsidiary f Rbert Half (NYSE: RHI). Funded in 1948, Rbert Half is a member f the S&P 500 index. Cntacts Carl Beaumier carl.beaumier@prtiviti.cm Cry Gundersn cry.gundersn@prtiviti.cm Karen Irwin karen.irwin@prtiviti.cm 2014 Prtiviti Inc. An Equal Opprtunity Emplyer M/F/D/V. Prtiviti is nt licensed r registered as a public accunting firm and des nt issue pinins n financial statements r ffer attestatin services.