This document discusses developing a compliance capability for an organization. It outlines principles for taking an end-to-end view of business processes to ensure compliance. Ownership and accountability for compliance must be clear from leadership down. Compliance processes should be integrated into business functions from the start. Automating compliance functions and integrating compliance into transaction lifecycles can help comprehensively control processes. Self-assessments can identify compliance capabilities and gaps to help define a target compliance state.
Compliance Capability
1. Towards a Compliance Capability
Nikat Malik
January 2014
All Rights Reserved
2. Compliance Capability - Principles
End-to-end view of the process path, encompassing the business life cycle through to completion. This will provide effective compliance control of functional business processes and activities along the desired path.
Ownership of the compliance process must be explicitly clear, with accountability held from leadership through to operational level.
Compliance processes should be positioned at the forefront of business functions, not as an after-the-event activity.
Regulatory and compliance requirements should be addressed as part of the business operating model, in a partnering approach, to be effective.
The compliance function, together with its processes, should be fully automated to account for operational risk and efficiency.
Compliance processes should be identified and integrated into the transaction life cycle route for comprehensive control and to ensure business processes are compliant with requirements.
Consistency of controls and procedures should be maintained at both strategic and operational level, with change methodology applied judiciously.
High-risk audit points must be examined across business processes and controls applied adequately.
A clear escalation path for efficient resolution must be put in place to ensure efficient business operations.
3. Compliance Capability – Applied Methodology
Understand the business model and strategic objectives, comprising the profit model, customer model, product model and control model.
Evaluate the impact of regulation and compliance requirements on the business model.
Develop and confirm the integrated operating model.
Undertake self assessment to identify compliance capability and its strengths and weaknesses.
Identify gaps in the specific level of capability required.
Develop the capability framework...
In reference to ….
• Business Context
• Operating Environment
• Customer Base
• Risk Appetite
• Technology
Comprising ….
• Behaviour
• Performance
• Conduct
• Skills Training
• Systems Required
4. Compliance Capability – Self Assessment (1 of 2)
Objectives
• To identify levels of capability required in light of the operating environment and regulatory demands at local, regional and host country level
• To assess current compliance standards
• To proactively manage risk exposures
• To define target state to fulfil business objectives
Self Assessment is completed through facilitated expert judgement that considers risk and controls information to define a set of impacts and directive efforts.
Risk and Control Framework
• Money Laundering
• Sanctions
• Bribery
• Terrorist Financing
• PEP Finance/Payments
• Cross Border Breach
• Unlawful Payments
• Conduct / Mis-Selling
• Client Identification
• Fraud & Security
[Diagram labels: Regulatory Risks; Risk & Control Assessment; Key Indicators; Internal Incidents; External Events; Expected Loss; Self Assessment Results; Financial & Reputation Impact; Proactive & Remedial Action; Governance Identify Risk Appetite Assess Control Report]
5. Compliance Capability – Self Assessment (2 of 2)
Self Assessment Process
Scope
• Leadership provided by Group Risk & Compliance Committee and Self Assessment Task Force
• Involvement and input from Business and Global Functions
• Agreement on Risks to be included and Businesses to cover
Build
• Develop draft Self Assessment Questionnaire for each risk including drivers and impacts
• Ensure appropriate involvement from functional experts, businesses and legal
• Agree audit and compliance points for each risk by business / country
• Plan Self Assessment workshops and attendees
Assess
• Assess impact of questionnaire results
• Assessment to include an assessment of local controls and management actions required taking into account risk appetite
• Undertake impact assessment for all possible scenarios incl. typical and rare events
Validate
• Validate impact of risk and functional review
• Undertake quantitative validation incl. severity and benchmarking
• Action Plan to Group Risk & Compliance Committee
• Annual model review
6. Compliance Capability – Structure
Entity: Front Office | Mid Office | Back Office
Focus: Customer Centric | Control Centric | Service Centric
Role: Prevention | Investigation | Detection
Compliance Requirements:
KYC / KYCC
FATCA
CDD / PDD / EDD
SANCTIONS
ATF
ABC
AML
C/P FRAUD
DODD FRANK
EMIR
BCBS 248
BASEL
FDSF / Stress Test
MIFIR
BCBS 239
COREP / FINREP
SOX
FRAUD – Internal
SECURITY
7. Compliance Capability – In Action
Trade Management Process, an example
Customer Management | Trade Validation | Trade Execution | Trade Processing | Clearing & Settlement | Compliance & Accounting
Checks:
• Terms & product
• Legal Agreement
• Credit Limit
• Collateral
• Margin
Addl. Compliance Control Checks:
• Sanctions
• KYCC
• FATCA
• CDD
• ATF
• AML
• Customer/Country Risk Rating
• Capital/Liquidity
• Matching
• Confirmation
• Allocation
• Booking
• Netting
• Exposure Management
• Pricing
• Valuation
• Analytics
• Portfolio Position
• Trade Initiation
• Relationship Management
• Client On Boarding
• Limit Setting
• Payment
• Settlement
• Custody
• Exchange
• Collateral Management
• P/L
• Counter Party Management
• Regulatory Reporting
• Compliance Control
[Diagram row labels: Current State; Target State; Process]
Trade Compliance Committee – escalation & governance procedure to manage Alerts & Suspicious Activity for timely clearance and resolution
Value Statement
Positions compliance at forefront of business process
Mitigates risk at potential point of occurrence
Real time feedback result
Ease of monitoring & efficient control
Clean data ensures accuracy