The 20 Rising Stars of Compliance 2007 - (Page 19)

sponsored article

For example, an internal audit might seek to determine whether particular transactions or clients have been filtered against applicable sanctions lists. It is less likely, however, that the internal audit will assess the search logic and name-matching capabilities of the filter tool being used to conduct the sanctions monitoring. Similarly, a typical audit might confirm that all AML investigations have been timely completed and logged into the institution’s investigation database. It is less likely that the scope of the audit work plan will include a more comprehensive review of investigation files to assess the completeness of the work performed, the clarity of the basis upon which the conclusion is based and the competence of the investigator. The more limited scope of a typical audit in contrast to comprehensive effectiveness testing is, in some cases, due to constrained resources within audit, greater demands on audit to conduct additional reviews, and a lack of necessary technical expertise and substantive compliance experience within the audit personnel.

Thus, robust effectiveness testing is not necessarily accomplished through the normal audit process. This is not to say, however, that effectiveness testing could not be successfully conducted by audit. As long as the methodology and testing program is developed by someone with a sufficient understanding of the underlying legal and regulatory requirements and related guidelines, as well as the relevant internal operating systems of the institution, then the effectiveness testing can be carried out by any group within the institution. Some institutions have developed specific “quality review” teams within the compliance or risk management functions for the purpose of effectiveness testing.
As long as the testing program is properly designed, the testing can be performed by any designated person or group provided that the testers are sufficiently independent from the staff responsible for the function being tested, and that the testers are adequately trained.

HOW TO TEST “EFFECTIVENESS?”

Like all aspects of compliance programs, effectiveness testing should be risk based. The specific aspects of a program to be tested, the frequency of testing and the extent of testing should be based on the degree of risk to the institution from non-compliance. The testing program should be tailored in a manner that best suits the institution’s specific circumstances.

There are various methods for testing that can be adopted. These, too, should be tailored to the institution and the function being tested. Methods that an institution may choose to employ as part of its effectiveness testing include:

• Tracking and Assessing the Disposition of Enquiries. Evaluating the types of enquiries, as well as the manner in which they are handled, may indicate a need for greater employee training or enhanced procedures.
• Interviews. Interviews of individual staff members can identify inconsistencies in their understanding of roles and responsibilities, or in their approach to handling similar matters.
• Trend Analysis. Developing trends can be an indicator of compliance effectiveness or potential problems. For example, an upward swing over time of SAR filings may be an indicator of more effective monitoring and employee awareness of red flags. On the other hand, it may also be an indicator of breakdowns or deficiencies in the client take-on controls.
• Compliance Post Mortems. Conducting a full scope review on the heels of a regulatory event can expose flaws in the compliance program.
• Functional Testing. Critical technology tools—such as securities surveillance systems, sanctions filters, and AML monitoring programs—should be tested to ensure that they are functioning as intended. “Dummy” transactions can be created to test that alerts are triggered when the requisite indicia are present in the transaction.
• Reviewing Reports. Reviewing available reports can be useful in assessing program effectiveness. In some cases reported issues may not, by themselves, suggest a program flaw or deficiency. When reviewed in conjunction with information contained in other independent reports, the issues may become more apparent and concerning. Examples of reports that can be useful in this regard include internal audit reports, regulatory examination reports, exception reports, management reports and committee minutes.
• Benchmarking. Benchmarking a compliance program’s components against regulator expectations and industry norms and trends is a good way to maintain effectiveness. Participation in industry associations and informal peer meetings, as well as compliance conferences and seminars, can reveal techniques or tools used by others which may improve the effectiveness of your institution’s compliance program. Additionally, informal meetings or conversations with regulators can produce helpful suggestions for improvement. An institution may want to aggregate and consider all such advice as part of its effectiveness testing.

EFFECTIVENESS = SUCCESS

Having a compliance program in place will not necessarily result in a successful examination. An effective compliance program, on the other hand, significantly reduces the risk of material findings by the regulators. And if the regulators do raise program problems or deficiencies, the fact that such problems or deficiencies were first identified by the financial institution through effectiveness testing may serve to lessen the severity of the finding, provided that a plan toward remediation was already implemented by the institution.

Self-testing the effectiveness of your compliance program can pay big dividends. Don’t wait for the regulators to test the effectiveness themselves. A failing grade can be costly.
COMPLIANCE RISING STARS 19 SEPTEMBER 2007