Supporting Effective Compliance Programs



October 2015

Supporting Effective Compliance Programs
The Oversight Roles of the Board Audit and Risk Committees in Regulatory Compliance

By Paul Osborne, CPA, CAMS, AMLP, and Peggy Sepp, CIA
Crowe Horwath LLP

To be effective, a financial organization's compliance program must be an integral part of strategic planning, ongoing operations, and daily decision-making. To support the audit and risk committees' oversight roles, the organization's risk and compliance officers should provide regular, succinct communication. In its oversight role, the applicable committee should ask the necessary questions to assure itself of the program's effectiveness.

Depending on the organization's size and complexity, a financial organization's board of directors delegates oversight of compliance program activities to the audit and risk committees, and in some cases to one committee that encompasses both. Compliance for financial institutions can be divided into many areas, with numerous governing bodies providing standards and guidance. The nature, scope, and complexity of the financial institution will determine the assignment of duties and responsibilities, the time allocated, staffing, and the program's degree of formality.

Typically, the risk officer is responsible for management oversight of the overall compliance program, which encompasses many business units and disciplines. Consumer compliance oversight typically is the responsibility of the compliance officer, who often reports to the risk officer. If the organization does not have a risk officer, the responsibility may be shared directly by multiple managers, including the compliance officer, chief accounting officer, and credit officer. In this article, we refer to management responsible for compliance as the risk and compliance officers.

The compliance landscape has become increasingly complex for financial institutions.
The number of governing bodies overseeing financial institutions, as well as the depth of their reach, has grown since the early 2000s. This level of compliance places a large burden on management and the board. Governing bodies providing standards and guidance for financial institutions include the following:

- Commodity Futures Trading Commission
- Consumer Financial Protection Bureau
- Federal Deposit Insurance Corp.
- Federal Financial Institutions Examination Council
- Federal Reserve Board
- Financial Crimes Enforcement Network
- Financial Industry Regulatory Authority
- National Association of Insurance Commissioners
- National Automated Clearing House Association
- National Credit Union Administration
- Office of Foreign Assets Control
- Office of the Comptroller of the Currency
- Securities and Exchange Commission
- U.S. Department of Justice
- U.S. Department of the Treasury
- Various state regulatory authorities

A typical audit or risk committee meets at least once per quarter, and members have the critical responsibility of understanding and overseeing the effectiveness of the organization's compliance program. With the high volume of information presented in a short time at these meetings, it is important to make the most of these opportunities. Effective communication between the risk and compliance officers and the audit and risk committees is vital for effective oversight of the compliance program. Therefore, risk and compliance officers must meet the challenge of providing the appropriate level of detail in a written report in advance of the meeting and a concise presentation of important trends and risks during the meeting.

The attributes of an effective compliance program provide a framework that includes governance oversight. To exercise their fiduciary responsibilities, the audit and risk committees should receive regular reports on the elements of an effective compliance program:

- High-level oversight
- Standards of conduct
- Open lines of communication
- Education and training
- Risk assessment, auditing, and monitoring
- Response to detected deficiencies
- Consistent enforcement standards

Throughout this article, readers will find portions of sample reports the audit and risk committees might receive from the risk and compliance officers, as well as groups of questions the audit and risk committees should consider asking the risk and compliance officers. By addressing these questions, the audit and risk committees will go a long way toward fulfilling their fiduciary responsibility of providing oversight of the effectiveness of the organization's compliance program.

High-Level Oversight

The audit and risk committees must promote a culture of compliance and support the risk management process. Designating a high-level individual to oversee all aspects of a compliance program, including program effectiveness, sends the message that compliance is a high priority. In addition, to support the risk and compliance officers, a compliance committee should be established to advise the compliance officers and assist with managing the program. The committee would serve as an additional opportunity for training and emphasizing the importance of compliance. The tone at the top and the overall culture of an organization are the keys to the success of the compliance program.

Compliance Program Oversight

The management compliance committee's membership was expanded to include the new third-party risk manager. The committee's membership now includes:

- Compliance officer (chair)
- General counsel
- Internal audit manager
- Chief information officer
- Risk officer
- Chief security officer
- Credit policy officer
- Director of operations
- Director of retail operations
- Third-party risk manager
- Human resource director

Compliance Program Effectiveness

The annual compliance program effectiveness assessment was conducted. The assessment identified the following needs:

- Focusing on delivering education annually to all employees
- Conducting a thorough annual compliance-related risk assessment as an area for improvement
- Following up more consistently to confirm that corrective actions have been implemented and are effective

The compliance program cannot be viewed as an activity separate from daily operations.

Questions to ask the risk and compliance officers:

1. How is the organization's compliance program structured?
2. Has management allocated sufficient resources to the program?
3. In what ways does the tone at the top support a culture of ethics and integrity for all employees?
4. Do the risk and compliance officers have sufficient authority to manage the program effectively?
5. How are regulatory requirements identified, communicated, and properly implemented?
6. Who is monitoring external issues that could affect the organization?
7. What conclusions can be drawn from compliance, internal audit, and exam results?
8. Are our risk and compliance officers speaking with peers about the regulatory experiences of similar institutions to gain insight into best practices our institution should adopt?

Standards of Conduct, Policies, and Procedures

It is critical for an organization to create a culture of integrity and communicate to employees the standards and procedures to which they should adhere, as well as the consequences for them when standards are not met. Therefore, the organization should have standards of conduct approved by the board of directors that articulate the organization's commitment to ethical business practices and describe the behavior expected of all full-time, part-time, and temporary employees, board members, contractors, and vendors. In addition, the standards should include information summarizing requirements and penalties related to fraud and abuse, false claims, privacy and security, and conflicts of interest.

In support of the standards of conduct, policies and procedures should be in place to provide specific direction in various risk areas. Management should periodically review and update the standards of conduct, as well as the policies, to remain consistent with regulations and business practices. The updates should be presented to the audit and risk committees for approval.

Standards of Conduct

Management reviews the standards of conduct annually to determine whether updates or changes are necessary. After the most recent review, no modifications were recommended. The management compliance committee was in agreement.

Compliance-Related Policies and Procedures

The management compliance committee has reviewed and updated the following policies:

- Privacy and security policy
- Third-party vendor management policy
- Bank Secrecy Act and anti-money laundering policy

Conflicts of Interest

On an annual basis, the organization's directors, officers, and employees are required to complete a conflict-of-interest disclosure questionnaire. One hundred percent of those who were required to complete the questionnaire did so. The compliance officer investigated and addressed each of the disclosures that involved a potential conflict of interest.

Questions to ask the risk and compliance officers:

1. What steps has management taken to gain acceptance of the standards of conduct throughout the organization, including among employees, contractors, vendors, and board members?
2. How does management know that the standards of conduct are understood and accepted throughout the organization?
3. Does the organization have policies in place that address compliance risk areas, such as complaint management, customer harm and abusive practice principles, consumer protection, and fair lending?

Reporting: Open Lines of Communication

Section 806 of the Sarbanes-Oxley Act encourages the disclosure of corporate fraud as well as the use of hotlines, emails, written memoranda, newsletters, and other forms of information exchange to maintain open lines of communication in the organization. Section 806 also encourages individuals to ask questions and report concerns. Specifically, organizations should create and maintain a reporting mechanism for employees to voice allegations and concerns anonymously and without fear of retaliation. The risk or compliance officer should provide the audit and risk committees with summary information about calls and reports received, including details about any significant issues identified, any trends or patterns in reports or calls, and any corrective actions taken to remediate identified concerns.

Hotline Calls and Other Reports

The following table summarizes the hotline activity for the first quarter. The volume of calls increased 20 percent from the prior quarter, indicating that more employees might consider it worthwhile to make such reports. The number of calls is consistent with national norms.

Category                  Total Calls   Substantiated   Corrective Action
Fraud, Waste, and Abuse   1             1               Accounts were corrected, employees were educated, and monitoring was put into place.
Management                5             1               A manager was counseled.
Human Resources           10            0
Policies and Procedures   5             1               Employees were re-educated.
Privacy and Security      5             1               An employee was re-educated.
TOTAL                     26            4

The five calls in the Management category were from the same department. The manager was new to the organization and was not following the policy on overtime appropriately.

Two privacy complaints were reported via reporting channels other than the hotline activity recorded in the table. Both of those complaints were substantiated breaches involving inappropriate disclosures of confidential information to individuals who were not authorized to receive the information. The employees involved were disciplined and educated on the proper procedure for sharing information.

Questions to ask the risk and compliance officers:

1. How are reporting systems, such as the compliance hotline, monitored to verify that reported matters have been resolved appropriately?
2. What actions are taken currently to inform employees of the availability of the hotline and other reporting mechanisms and to encourage their use without fear of retaliation?
3. Are significant issues that come to light investigated without retaliation, and are corrective actions taken?
4. Are patterns or trends in calls or reports identified and further investigated?

Education and Training

An effective compliance program includes the education of directors, officers, managers, employees, contractors, and vendors about compliance program standards and procedures, as well as related responsibilities. Additional education about specific risk areas should be provided to those who work or practice in areas with higher inherent risk.

In addition, directors should be educated on all facets of the programs being reviewed by examiners to ensure that communications with regulators are meaningful. Directors should understand items such as the difference between safety and soundness (from an institution's composite rating under the Uniform Financial Institutions Rating System) and consumer reviews, as well as specialty areas such as Bank Secrecy Act, anti-money laundering, and technology reviews. Directors and management can take advantage of resources their primary regulator and the Consumer Financial Protection Bureau provide to understand the regulatory process.

New-Employee Education

All new employees received compliance education within 30 days of being employed, as required by policy, and they signed the Compliance Program Acknowledgment Statement indicating that they understand their responsibilities related to the compliance program and will act accordingly.

Annual Education

Ninety-eight percent of employees and contractors completed the annual compliance program education in the past year.

Compliance Risk-Specific Education

Education was provided to the suspicious activity investigators about the requirements for documenting investigation of alerts received from the anti-money laundering system.

Questions to ask the risk and compliance officers:

1. Is compliance education provided to the entire organization?
2. Has the effectiveness of the compliance program education been assessed, and, if so, what were the results?
3. What policies and other measures have been developed to enforce education requirements and provide remedial education as needed?

Risk Assessment, Auditing, and Monitoring

An annual risk assessment, as well as auditing and ongoing monitoring, are important components of an effective compliance program. A robust risk assessment process identifies risk areas that become part of the annual compliance monitoring work plan. To assess and address risks on an ongoing basis, organizations should employ a means to monitor internal systems to identify potential gaps in compliance with applicable laws, regulations, and policies. Monitoring helps identify potential compliance concerns early, thereby substantially reducing exposure to government or whistleblower claims.

In addition to the compliance monitoring performed, internal audit performs an audit risk assessment, which includes compliance testing. Audit testing results are presented in a separate report to the audit committee by the director of audit.

Compliance Risk Assessment

A recently conducted compliance program risk assessment led to the development of the Annual Compliance Work Plan attached to this report.

Fiscal Year Compliance Plan Update

Following is a summary of progress made on the current compliance monitoring work plan.

Item                                    Quarter   Status                              Corrective Action
Real Estate Settlement Procedures Act   Q1        Completed with minor issues noted   Additional employee training performed
Fair Lending and Fair Banking           Q1        Completed                           No issues noted
Flood Disaster Protection Act of 1973   Q2        Completed with issues noted         Remediation in process for untimely force-placed flood insurance
Vendor Management                       Q2        Completed with minor issues noted   5 annual assessments not timely
Regulation Z                            Q3        In process
Privacy Act of 1974                     Q3        In process
Customer Complaints                     Q4        Scheduled

Emerging Risk Areas Related to the Compliance Program

The compliance department monitors significant compliance investigations and regulatory developments in the financial industry. The following noteworthy areas are summarized in the appendix:

- Enforcement actions and penalties
- The regulatory exam schedule
- Current complaints

Questions to ask the risk and compliance officers:

1. How effective is the annual risk assessment process in identifying high-risk compliance concerns?
2. What assurance is there that high-risk items are being proactively monitored or audited?
3. How are the audit and risk committees kept apprised of significant regulatory and industry developments that could affect the organization's risk?
4. Is the compliance risk assessment being updated proactively to address industry issues affecting other financial organizations?

Response to Detected Deficiencies

Once a potential compliance issue has been identified, the organization must respond. Even when standards and procedures are in place and an avenue is available for employees to voice their concerns, progress will not be made unless the organization responds to the identified situation and makes concerted efforts to prevent similar conduct or issues from arising in the future.

Compliance Concerns Update

The following compliance concerns were identified this past quarter:

Adjustable-rate mortgage reset rates

An unrelated inquiry resulted in the discovery of certain adjustable-rate mortgage resets not being set up appropriately in the subsidiary system, resulting in overpayment of interest by the customers affected. The investigation narrowed the issue to 20 customers, and restitution was calculated and mailed to them. The cause was determined to be systemic. Since the incident, the bank has outsourced mortgage servicing, including adjustable-rate mortgage resets, to a vendor whose system is able to calculate them correctly. Periodic reviews of the vendor's system calculations are performed as part of vendor oversight.

Servicemembers Civil Relief Act

A customer complained of being charged an interest rate above 6 percent on his residential real estate loan despite the letter he submitted to the bank explaining his deployment as an active military service member. The investigation revealed that the issue was isolated and caused by human error, and the rate was adjusted retroactively.

Government investigation

A letter was received from the Justice Department requesting records related to a nationwide investigation into money laundering. Legal counsel is overseeing the record disclosure process.

Questions to ask the risk and compliance officers:

1. What is the process by which the organization evaluates and responds to suspected compliance concerns?
2. What processes are in place so appropriate measures are taken in response to identified weaknesses?
3. Has management provided the compliance officer with the necessary autonomy and sufficient resources to perform assessments and respond appropriately to compliance concerns?
4. Are compliance issues appropriately reported to the applicable government agency and repayments made as necessary?
5. Are corrective action plans implemented and appropriately monitored?

Consistent Enforcement Standards

Consequences for noncompliance should be in place, and they should be applied consistently regardless of an individual's position in the organization. An employee performance evaluation should include the employee's commitment and adherence to the standards of conduct and the compliance program.

Privacy Breach: Disciplinary Actions

Discipline was applied in relation to privacy breaches. One breach involved customer information not being secured during nonbusiness hours in the lending department. A second breach was identified during a compliance monitoring review and involved a branch banker giving customer information to someone on the phone without asking the proper questions to ensure the caller's identity.

Questions to ask the risk and compliance officers:

1. Do management and the board receive reports demonstrating that the standards of conduct are communicated and followed and that, when they are not followed, employees are held accountable?
2. Are disciplinary actions applied consistently across the organization?
3. How does management ensure consistent enforcement of standards?

Conclusion

An organization's compliance program supports leadership by proactively identifying and addressing compliance concerns, and the audit or risk committee plays an important role in the program's oversight. An audit or risk committee that considers the answers to the questions here and conducts appropriate oversight is not only fulfilling an important part of its fiduciary responsibilities but also increasing the likelihood of an effective compliance program. Further, the compliance program cannot be viewed as an additional activity separate from day-to-day operations. It might seem cliché, but compliance is the responsibility of every member of the organization. To be truly effective, compliance must be an integral part of strategic planning, ongoing operations, and daily decision-making.

References

1. Office of the Comptroller of the Currency, Compliance Management System: Comptroller's Handbook, August 1996, http://www.occ.gov/publications/publications-by-type/comptrollers-handbook/cms.pdf
2. Office of the Comptroller of the Currency, Risk Management of New, Expanded, or Modified Bank Products and Services, OCC Bulletin 2004-20, May 10, 2004, http://www.occ.gov/news-issuances/bulletins/2004/bulletin-2004-20.html
3. Office of the Comptroller of the Currency, The Director's Book, October 2010, http://www.occ.gov/publications/publications-by-type/other-publications-reports/the-directors-book.pdf
4. Board of Governors of the Federal Reserve System, SR 08-8, Oct. 16, 2008, http://www.federalreserve.gov/boarddocs/srletters/2008/sr0808.htm

Contact Information

Paul Osborne is a partner with Crowe Horwath LLP and can be reached at +1 317 706 2601 or paul.osborne@crowehorwath.com.

Peggy Sepp is with Crowe and can be reached at +1 646 231 7232 or peggy.sepp@crowehorwath.com.

Adapted from The Oversight Role of the Audit Committee in Healthcare: Supporting Effective Compliance Programs, published in March 2015 by Crowe Horwath LLP.

In accordance with applicable professional standards, some firm services may not be available to attest clients. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction.

© 2015 Crowe Horwath LLP, an independent member of Crowe Horwath International. crowehorwath.com/disclosure FS-16003-078