Compliance Risk
Compliance risk is the current and prospective risk to earnings or capital arising from violations of, or
nonconformance with, laws, rules, regulations, prescribed practices, internal policies, and procedures, or
ethical standards. Compliance risk also arises in situations where the laws or rules governing certain bank
products or activities of the Bank’s clients may be ambiguous or untested. This risk exposes the institution
to fines, civil money penalties, payment of damages, and the voiding of contracts. Compliance risk can
lead to diminished reputation, reduced franchise value, limited business opportunities, reduced expansion
potential, and an inability to enforce contracts.
Quantity of Compliance Risk Indicators
The following indicators should be used when assessing the quantity of compliance risk.
Low
Violations or noncompliance issues are insignificant, as measured by their number or seriousness.
The institution has a good record of compliance. The Bank has a strong control structure that has proven
effective. Compliance management systems are sound and minimize the likelihood of excessive or serious
future violations or noncompliance.
Moderate
The frequency or severity of violations or noncompliance is reasonable.
The institution has a satisfactory record of compliance. Compliance management systems are adequate to
avoid significant or frequent violations or noncompliance.
High
Violations or noncompliance expose the company to significant impairment of reputation, value, earnings,
or business opportunity.
The institution has an unsatisfactory record of compliance. Compliance management systems are deficient,
reflecting an inadequate commitment to risk management.
Quality of Compliance Risk Management Indicators
The following indicators should be used when assessing the quality of compliance risk management.
Strong
Management fully understands all aspects of compliance risk and exhibits a clear commitment to
compliance. The commitment is communicated throughout the institution.
Authority and accountability for compliance are clearly defined and enforced.
Management anticipates and responds well to changes of a market, technological, or regulatory nature.
Compliance considerations are incorporated into product and system development and modification
processes, including changes made by outside service providers or vendors.
When deficiencies are identified, Management promptly implements meaningful corrective action.
Appropriate controls and systems are implemented to identify compliance problems and assess
performance.
Training programs are effective, and the necessary resources have been provided to ensure compliance.
Compliance management processes and information systems are sound, and the Bank has a strong control
culture that has proven effective.
The Bank's privacy policies fully consider legal and litigation concerns.
Satisfactory
Management reasonably understands the key aspects of compliance risk. Its commitment to compliance is
reasonable and satisfactorily communicated.
Authority and accountability are defined, although some refinements may be needed.
Management adequately responds to changes of a market, technological, or regulatory nature.
While compliance may not be formally considered when developing products and systems, issues are
typically addressed before they are fully implemented.
Problems can be corrected in the normal course of business without a significant investment of money or
management attention. Management is responsive when deficiencies are identified.
No shortcomings of significance are evident in controls or systems. The probability of serious future
violations or noncompliance is within acceptable tolerance.
Management provides adequate resources and training given the complexity of products and operations.
Compliance management processes and information systems are adequate to avoid significant or frequent
violations or noncompliance.
The Bank's privacy policies adequately consider legal and litigation concerns.
Weak
Management does not understand, or has chosen to ignore, key aspects of compliance risk. The importance
of compliance is not emphasized or communicated throughout the organization.
Management has not established or enforced accountability for compliance performance.
Management does not anticipate or take timely or appropriate actions in response to changes of a market,
technological, or regulatory nature.
Compliance considerations are not incorporated into product and system development.
Errors are often not detected internally, corrective action is often ineffective, or Management is
unresponsive.
The likelihood of continued violations or noncompliance is high because a corrective action program does
not exist, or extended time is needed to implement such a program.
Management has not provided adequate resources or training.
Compliance management processes and information systems are deficient.
The Bank's privacy policies are nonexistent or do not consider legal and litigation concerns.