Compliance Management in Banks – Automation Challenges
In April 2020, RBI asked banks to periodically carry out a Money Laundering (ML) and Terrorist Financing (TF) risk assessment and mitigation exercise, and to complete the first such internal risk assessment by June 30, 2020.
Oh my! One more repetitive complex task!
How do we cope with this?
If we fail to monitor compliance, would we get penalized?
These are the daily rumblings in the financial sector!
During the RBI financial year 2019-20 (July-June), penalties worth Rs.60.87 crores were levied on 57 banks, with multiple penalties being levied on a few of them. The penalties levied by a few other authorities are extra. It is a huge amount of public money that doesn’t get recovered from non-compliant employees. (Compiled from RBI Press Releases)
Robust Supervision of Financial
Since the financial crisis of 2008, the financial sector, the backbone of the economy, has witnessed a tighter regulatory environment. This implies more rule-based functioning and more risk assessment and mitigation exercises for banks, financial institutions and NBFCs. Also, with the expanding span of activities of the financial sector and offerings of technology-based products & services, the past decade itself has witnessed the emergence of more than 10 new authorities or entities issuing directives to the financial sector, adding to the already bulging list of authorities regulating the financial sector.
Significant Challenges for Compliance
This implies significant compliance challenges for financial sector entities! During the financial year 2019-20, banks, FIs and NBFCs witnessed an onslaught of 2125 new and revised circular instructions issued by various regulators, with RBI alone contributing more than 280 circulars. Many of these circulars, especially Master Directions / Circulars, run into hundreds of pages each. Apart from the quantum of instructions, the Compliance Function as a whole is being disrupted by the complexity of new regulations with very tight timelines for implementation, and penalties associated with non-compliance.
Mind-blowing Regulatory & Statutory Obligations
The volume of regulatory obligations emanating from these thousands of circulars running into lakhs of pages is humongous. Apart from these regulatory obligations, banks and other financial sector entities are also required to comply with statutory obligations based on hundreds of Central and State laws, rules & regulations. Many banks have to comply with national and international regulations in case they have branches in other countries or they are branches of banks in other countries. Many regulations are broad, and at times vague, and yet have stringent timelines for compliance.
Major challenges faced by Compliance Functionaries:
- Developing a one-time Compliance Obligations Register or a Repository specific to each entity based on its business activities
- Updating the Obligations on a day-to-day basis based on a few thousand circulars and hundreds of gazette notifications issued each year
- Monitoring compliance across the bank with each and every compliance obligation
- Testing Compliance
- Assessing Compliance, Reputation and Legal Risks
- Aligning Internal Controls to facilitate compliance
Automation of compliance monitoring, risk assessment, testing, incident management, and handling of other important compliance functions is inevitable.
But there is endless confusion in the arena of automation of “Compliance Management”, “Anti Money Laundering Measures”, and “Risk Management”.
Well, the confusion doesn’t lie in the prime focus of these three most important functional wings in the financial sector, despite the interwoven nature of activities associated with each of these functions. Each function has matured and the function heads know and safeguard their turf very well.
But the confusion arises, or rather is being shaped, by advocates of GRC solutions (suppliers and consultancy firms), who are aggressively setting their footprints in the Indian Financial Sector, knowing well that their very solutions and advisories could neither predict nor prevent the global financial crisis of 2008, which originated in the United States of America, the home to these GRC Companies.
In fact, the irony was that the very banks that had well embraced GRC solutions for more than a decade had collapsed!
Just because each of these functions involves risk assessment, GRC solution advocates emphasize an omnipotent software solution that would address concerns in all the three different areas.
Except for risk assessment, there is a vast distinction between the functions and focus of Risk Management, AML Measures, and Compliance Management, each of which needs to be addressed separately with different software solutions, as there cannot be, and should not be, a common software that can automate all the activities handled by the three functions.
Do we not know that Microsoft has been providing separate software solutions in Office Suite such as Word, Excel, Power Point, Front Page, Outlook, Internet Explorer, etc.? Each of these has some functionalities similar to those of another software, but only to the extent warranted by the basic purpose of each software. For more functionalities and advanced features, there has to be a separate software.
Is Microsoft not capable of providing an omnipotent single software solution? Obviously, yes. But that is not required. Why unnecessarily load a system and make its usage very complicated? Microsoft did try and provided Vista, a humongous system, but miserably failed and people found it very inconvenient to use. Similar was the case with GRC Solutions, which were widely used in western countries, and yet no one had any inkling of the financial crisis that happened in 2008 and swept away with it quite a few large banks and several small and medium sized banks.
So, let not smart talk from advocates of GRC solutions influence automation decisions of different functions, especially Compliance Function, which requires automation for multiple activities, not just for risk measurement or assessment. Let’s understand the tasks/activities of Compliance Function.
Important Tasks of Compliance Function vs Mandated Regulatory Requirements
Sourcing of Regulatory Instructions
- While this is not a function mandated by regulatory prescriptions, for convenience and control the compliance function sources regulatory instructions issued daily by more than 26 regulatory, quasi-regulatory and self-regulatory authorities and other Government entities from their respective websites or any single trusted source, where available
- Forwards the regulatory instructions to respective Functions for taking the bank’s own stand on these instructions or framing suitable policy and operating instructions thereon
- Keeps track, through spreadsheets or a suitable tracking tool, of ‘Action Taken’ by the respective Functions
Vet the internal guidelines / circulars with regulatory guidelines
- Compliance function to vet the guidelines/circulars prepared by respective Business Functions to ensure that these are in compliance with regulatory requirements
Prompt dissemination of information on regulatory prescriptions
- Set up a mechanism such as an Intranet or a sophisticated software tool with workflow-based compilation, vetting, approval and prompt dissemination of regulatory guidelines / instructions to the operating units
- Keep track over prompt dissemination
Periodic updating of Operational Manuals
- Once respective Functions take action on any new or changed regulatory prescriptions and issue operating instructions, ensure that these get appropriately incorporated in the respective Operations Manuals, which may be made available to operating units through an Intranet or a sophisticated software tool
Monitor compliance with the regulatory guidelines / instructions
- Develop Compliance Obligations Register or Compliance Obligations Repository
- Identify and assign compliance, legal and reputational risks associated with non-compliance of each obligation
- Regularly update this register or repository
- Define monitoring periodicities based on risks, business or transaction volume in numbers or amount, or other relevant parameters
- Monitor compliance with each and every regulatory obligation at pre-defined periodicities
- Test compliance through sufficient and representative compliance testing
Compliance Risk Assessment and Reporting to Senior Management & Board of Directors
- Measure compliance risk and use such measurement to enhance compliance risk assessment and formulate plans to manage them
- Submit to the Senior Management/Board quarterly/yearly to make informed judgement on effective compliance risk management
Align Internal Controls
- Based on the compliance risk assessment, identify control processes that need enhancement and align these for better compliance.
Compliance Failure Incident Tracking & Resolution
- Track incidents of material compliance failures that may attract significant risk of legal or regulatory sanctions, material financial loss or loss to reputation
- Provide prompt resolution and prevent recurrence.
Suite of Compliance Automation Tools used by most Banks in India
- Knowledge Management Tools (KMT+)
A single point trusted source for all regulatory and statutory instructions, gazette notifications
- Spot Tracker+
A smart tool to pull daily circulars from KMT, facilitate pushing to respective functions, and track action taken
A highly advanced substitute for an Intranet-based system for dissemination, a workflow-based tool to facilitate drafting of internal notes and circulars based on regulatory instructions, getting these checked, vetted and approved by multiple senior management functionaries, and instantaneous hosting for immediate access by operating functionaries across the entity.
This software also facilitates search of past circulars through a powerful multi-parameter search and a subject-wise index, and facilitates queries & responses through the system itself, with many more functionalities.
Most unique compliance monitoring tool provided along with the one and only exhaustive Compliance Obligations Repository of regulatory & statutory instructions, with mitigating control processes, associated risks, monthly updating facility, and much more…
- Compliance Test Check (CTC+)
A new software in the works to facilitate organization-wide onsite and offsite risk-based test check of compliance for quantitative assessment of compliance.
A software in the works to facilitate reporting, investigating, resolving and tracking incidents of compliance failure with addon facility for Whistle Blower anonymous reporting.
- Compliance Risk Assessment System
A software at the design stage to facilitate maintenance of a Risk Register for all Compliance Obligations, track controls related to each risk and assess a function-wise risk index.
Disclaimer: All views, thoughts, and opinions expressed in the blog / article belong solely to the author, and not necessarily to the author’s employer, organization, committee or other group or individual(s).