Sarah Sandiford, the Associate Director leading Deloitte’s Risk and Regulatory services in Jersey, recently spoke at a Jersey Funds Association Risk and Regulatory Masterclass.
The session focused on the risk and regulatory challenges facing Jersey’s funds sector and was aimed at funds professionals, including compliance and risk teams as well as non-executive directors. When completing compliance monitoring within fund service businesses (FSBs), it’s helpful to consider the following ‘Five Rs’:
- A compliance monitoring programme (CMP) is required for all relevant entities;
- It must be risk-based;
- Both the CMP and testing must be robust;
- The CMP must be reviewed;
- Findings must be reported.
Why do you need a CMP for all Relevant Entities?
Wherever there is a key person appointed to an entity, for example, a compliance officer (CO), money laundering compliance officer (MLCO) or money laundering reporting officer (MLRO), there will be a requirement for compliance monitoring.
The activity required will either be general, specific to anti-money laundering and countering the financing of terrorism (AML/CFT) or, more commonly, both. Consider the following three questions:
- Do you have a CMP that covers all your fund service business?
- Do you have separate CMPs for your client FSBs and funds?
- Can they be approved by and reported separately to each board?
Each board is going to want a CMP that reflects its entity’s risk profile and provides assurance over that entity’s compliance with the regulatory requirements. The role of compliance monitoring within the funds sector is often underestimated. You can have multiple funds with one client and, consequently, multiple CMPs. Duplicate this across numerous clients and the compliance teams of FSBs can be responsible for completing 10, 20, 30, 40 or 50 etc. CMPs across the business.
Understanding the Importance of Risk
As we have established, the compliance teams of FSBs are often dealing with multiple CMPs, so ensuring that an appropriate risk-based approach is taken becomes even more important. You cannot test each entity’s compliance with all its legislative and regulatory requirements, and how you determine which areas should be subject to testing during the period will differ between organisations and, indeed, between FSBs, managed entities and funds.
Some firms may choose to adopt a more complex assessment of risk and others will keep it simple; both, however, should be effective and proportionate. Top Tip: Don’t forget to use the information that you already collate as a business. For example, breach, error and complaint registers can help identify areas which may present a higher chance of non-compliance.
Going forward this will also include the information submitted to the Jersey Financial Services Commission (JFSC) as part of the National Risk Assessment process and Risk-Based Supervision Data exercise.
You could also use the JFSC’s on-site examination feedback papers that identify common weaknesses across the industry and consider past regulatory action.
- You must have a CMP(s) in place and complete testing;
- You must cover any required areas of monitoring; and
- You must be able to demonstrate how you have determined the priority areas of risk that will be subject to testing, linking it to your relevant risk assessments (including the AML/CFT business risk assessment).
Implementing a Robust Approach
The board is looking for the compliance monitoring to provide them with the assurance that the business is operating in accordance with legislative and regulatory requirements, or that where it’s not, these areas are proactively identified, escalated and appropriately remediated. The testing, therefore, needs to be robust and independent and may require some creative thinking to design and construct testing that achieves this.
Below are a few examples of poor practice when it comes to compliance monitoring. Although the tasks in this list are important and often completed by the compliance team, they do not provide robust and independent testing of an entity’s compliance with policies and procedures, or regulatory and legislative requirements:
- A schedule of events, e.g. fee or return due dates;
- Testing an area where the compliance team is heavily involved in the process or procedure. For example, if all complaints are handled by the compliance team, any compliance monitoring of this area will not be independent;
- Placing reliance on verbal confirmations and reporting on registers.
Detailed below are a few examples of good practice to consider:
- Setting out the objective of each test in working papers, e.g. to form a view of the appropriateness of CPD completed by Trust Company Business employees;
- Identifying common areas across relevant entities to implement consistent testing;
- Extracting source data from systems to review and analyse; and
- Verifying statements made by individuals with supporting evidence.
The CMP should be reviewed and approved by the board. Generally, this happens on an annual basis and extends to the client boards where relevant. It should then be under continuous consideration by the compliance team. The world is not static and things change, so you may need to adjust the CMP as the risks change and seek re-approval, as necessary, from the board.
Here are three examples of when amendments may be necessary:
- If you complete monthly monitoring of an area and you repeatedly find no issues, the residual risk may not be as high as you initially thought. It could be better to focus future efforts on another area and reduce the frequency of testing or replace it for the remainder of the year;
- Breaches or errors. If there is a significant event or trend, then you may want to address this through compliance monitoring and further consideration;
- Your compliance resource increases or decreases, remembering that a minimum level of compliance monitoring must always be completed.
It is better to show that you have identified changes in priorities and reacted appropriately rather than not delivering on a CMP or missing the true high-risk area.
As noted above, the findings of the testing need to be shared with the board. This doesn’t mean all the working papers, but perhaps a summary in the quarterly compliance report, including comment on where assurance can be given and specific focus on weaknesses and the remedial action planned. Subsequently, progress with remedial action should also be reported to the board through to closure. In some instances, discussions will need to be held with the directors in a more timely manner, for example, if an issue requires reporting to the JFSC.
The board should show an interest in the compliance monitoring, both championing the work and challenging where necessary.
In conclusion, compliance monitoring needs to be tailored to the risks of each entity, but by implementing the ‘5 Rs’ approach, it is possible to streamline the process to maximise efficiency and provide appropriate assurance to each board.
For further guidance, the JFSC has previously published a Dear CEO Letter and Guidance Note on compliance monitoring. It is a helpful read; however, you have to remember that it is guidance and so you need to consider it in light of what is effective and proportionate for your business.
For further assistance on risk and regulatory best practice, please contact Sarah Sandiford on +44 1534 82 4252 or firstname.lastname@example.org.