Compliance Monitoring - the heartbeat of a compliance function

Compliance monitoring is the heartbeat of any compliance function. Without it, the consequences of failure can be disastrous. Writing compliance and policy manuals is important; however, policy management on its own is of little use without effective compliance monitoring to check that the policies are actually followed.

In 2008 alone, the UK Financial Services Authority (FSA) issued over £22 million in fines. For the bigger firms, the monetary value of a regulator's fine may be a drop in the ocean; the reputational damage, however, is a major risk.

For the smaller firms, the fines themselves can seriously hamper their ability to continue as a going concern. If you analyse the reasons behind these fines, it is clear that many of the firms fined had inadequate compliance functions.

There were not enough staff and resources to carry out compliance monitoring work. Correcting this would have been simple and inexpensive compared to the level of the fines.

One of the key areas of work for a compliance function is compliance monitoring. It is the 'heartbeat' of the compliance function: without it, the business is exposed to compliance risks and is not in a position to protect itself from a) failures and breakdowns in its processes, and b) regulator visits. Either can result in losses and fines.

Whilst having good compliance manuals is important, without compliance monitoring they have little value. Policy management and compliance monitoring together make up a complete and balanced compliance function.

Developing a compliance monitoring programme involves several steps, and each needs sufficient time and attention. All the areas of the business that are affected by regulation need to be covered.

This is something organisations can miss, effectively ending up with a 'lite' compliance monitoring programme that is unlikely to satisfy the regulators and leaves the firm open to potential fines, penalties and 'special conditions'.

By considering its overall risk and the riskier areas of its business, the firm is better placed to decide on the scope and depth of its compliance monitoring. In making this decision, the firm needs to exercise judgement, taking into account its activities, the level of its internal controls, its risk appetite and the competencies of its staff.

In addition, there is a need to consider the areas that are currently topical, such as senior management performance, best execution, conflicts of interest, and treating customers fairly. These should be given a higher risk rating because they are under regulatory scrutiny.

Categorising the business areas and assigning each an appropriate risk level (for example: High, Medium and Low) is an important task. The frequency, quality and depth of testing depend on the risk level of each area. For example, if best execution is a risky area for the firm, you may want to increase the sample size for testing from, say, 10% to 25%.

The final element of a compliance monitoring programme is allocating responsibility for overseeing or carrying out the testing programme. The regulator will want to see responsibilities properly allocated, and the assignee should be of sufficient competence and experience.

Finally, the compliance monitoring programme should be reviewed regularly, at least annually if not more often, to ensure that new rules and changes are reflected and the programme is kept up to date. Constructing a compliance monitoring programme in this way will go a long way towards preventing the lapses, failures and breaches that can result in large fines.
