Practical Suggestions and Tips for an Effective BSA/AML Compliance function : Compliance Performance Testing

Transcription

1 Practical Suggestions and Tips for an Effective BSA/AML Compliance function : Compliance Performance Testing IIB AML Seminar May 23, 2011

2 Monique Maranto Director Financial Services Regulatory Advisory Practice

3 What is Compliance Performance Testing? Purpose: - Verify the effectiveness of internal controls; - Ensure personnel are following compliance policies and procedures; and - Verify the quality, timeliness, and accuracy of compliance management information systems. Methods: - Testing Performing steps to ensure procedures are being followed; and - Monitoring Reporting via Key performance indicators and Key Risk Indicators 3

4 Ensures independence and necessary skill sets for functions/staff conducting compliance testing Management should assign well-qualified staff to conduct compliance monitoring and testing. Position descriptions for personnel conducting monitoring / testing should describe required skills and expertise. Personnel conducting monitoring / testing should generally be familiar with regulatory requirements and the operations of the institution. Leverage the results of compliance risk assessments to determine the required skill sets and expertise of persons performing compliance monitoring and testing. These skill sets and other job requirements are incorporated into written job descriptions. Business unit compliance monitoring personnel report to senior line of business personnel and do not typically have other business or operations responsibilities. 4

5 Develop compliance testing methodologies including scope and frequency An effective monitoring program should consider the following: The Compliance Program should specify the institution s expectations relating to the monitoring program and should detail the program s monitoring methodologies. The monitoring program should involve ongoing periodic reviews of the effectiveness of the compliance controls, and an assessment of actions taken to correct previously noted compliance deficiencies. The monitoring system should be incorporated into the normal activities of every department, and used on an ongoing basis. Periodic reviews of applicable business units; Periodic reviews of document filing and retention procedures; Periodic reviews of the internal compliance communication system that provides appropriate updates and revisions of the applicable laws and regulations to personnel. Monitoring and testing methods should be periodically reviewed and updated to reflect business, regulatory, and legal changes. 5

6 Key Risk Indicators and Key Performance Indicators Key Risk indicators ( KRIs ) -- A parameter that effectively measures risks associated with a function supporting a compliance function. Key Performance ( KPIs ) A set of quantifiable measures that gauge or compare performance in terms of meeting compliance goals. 6

7 Reporting Mechanisms The compliance program should detail reporting mechanisms for the results of monitoring activities: Information gained through the monitoring process should be communicated by Compliance to Senior Management and to the BOD on a periodic basis (monthly and quarterly, respectively). Compliance monitoring reports should be provided to line of business management as the reviews are completed, as well as to senior management (at least monthly). Summary monitoring results are also reported to the BOD quarterly. 7

8 Corrective action processes and follow-up activities Corrective actions are designed by business units in conjunction with Compliance; however: Business units are accountable for implementing the corrective actions. Compliance and Internal Audit follow-up on these corrective action plans to ensure they are completed as agreed, are on schedule, and are validated upon 8

9 2011 PricewaterhouseCoopers LLP. All rights reserved. In this document, refers to PricewaterhouseCoopers LLP, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.