Earlier this young year, my post-holiday, semi-delusional state of mind inspired this article about various considerations for your compliance obligation management program.
Now that the sugar and the frivolity of the holiday season have worn off, let’s talk more about the different types of compliance management activities that will ensure your obligations are met, and some of the specific needs around them.
1. Written Policies and Procedures
The first of the seven elements of an effective compliance program is implementing written policies and procedures, and in some industries the regulator spells out exactly which policies are required.
U.S. banks, for example, must comply with Regulations V and Z. Regulation V requires them to establish and implement reasonable written policies and procedures regarding the accuracy and integrity of the consumer information they furnish to credit bureaus; Regulation Z requires policies and procedures around topics such as loan originator compensation practices, steering, loan originator registration and qualification, and identification requirements.
Having a policy management system in place to administer these policies and procedures (review and approval, publishing, and employee attestation), and being able to link each policy back to the entry in your compliance obligation register that requires it, helps ensure that the required policies actually exist and that they are reviewed, maintained, and distributed properly.
2. Training and Education
Another element of an effective compliance program is training and education. Companies regulated by OSHA, the FAA, or the DOT must provide their employees with specific safety training.
The Bank Secrecy Act requires covered organizations to provide ongoing Anti-Money Laundering (AML) training as part of their AML program. Delivery can range from a classroom session with a sign-in sheet for attendance tracking to a full Learning Management System (LMS), but a compliance solution that lets you enter or import training records, whatever the source, makes it far easier to audit that the required training actually happened and who completed it.
3. Annual Reporting
OSHA 300 logs, SEC filings, internal control reports, annual statements, FINRA Rule 3130 certifications … these are just a few examples of the pesky annual reporting requirements companies face. Listing these obligations in a centralized register gives you the visibility to see what needs to be done, by whom, and by when.
Being able to confirm these obligations are met by attaching copies of the necessary reports or statements helps clearly illustrate to your compliance professionals and to any external auditors that the obligations have been properly met. Bonus points if you choose a solution that automatically reminds you when it is time to meet these obligations or better yet, collects information to help automate the generation of some of these reports!
4. Exception Tracking and Reporting
Any compliance regulation worth its salt (seriously, another food metaphor?!?) is going to provide some sort of guidance around what to do when exceptions occur.
Serious injury in the workplace? A work-related fatality must be reported to OSHA within 8 hours, and an in-patient hospitalization, amputation, or loss of an eye within 24 hours, or you face financial penalties. A security breach exposed personal data? Under Article 33 of the GDPR, a breach that is likely to result in a risk to individuals must be notified to the supervisory authority (your Data Protection Authority, or DPA) within 72 hours of your becoming aware of it, and failing to do so falls under the lower tier of penalties: up to €10 million, or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher! Note that the 72-hour clock starts when the organization becomes aware of the breach, not when the breach occurred, so your incident process needs to capture that moment of awareness as evidence.
When a breakdown occurs, then, you want a solution that allows employees (or even customers) to report the incident, alerts the proper resources to investigate and confirm the incident, drives the notification of the proper authorities in a timely manner, and enables you to quickly identify any trends in these incidents to further reduce their likelihood of recurrence…all the while being able to quickly confirm these efforts.
5. Required Processes
Some regulatory obligations require you to establish a defined process for handling a particular kind of request or event. Under Article 17 of the GDPR (the right to erasure, better known as the “right to be forgotten”), you must give data subjects a way to request erasure of their personal data and act on valid requests “without undue delay” (Article 12 adds an outer limit of one month from receipt, extendable by two further months for complex requests).
Deploying an automated workflow that routes each request to the proper parties and through the proper steps helps ensure a consistent and timely response, and leaves a record of it. Section 406 of Sarbanes-Oxley requires public companies to disclose whether they have adopted a code of ethics for their senior financial officers (and, if not, why not), and under the SEC’s implementing rules that code must, among other things, provide a method for the “disclosure to an appropriate person or persons…of any material transaction or relationship that reasonably could be expected to give rise to” a conflict of interest.
Being able to prove that conflicts of interest are reported and, when necessary, acted upon appropriately (and being able to track and report on that process) gives evidence of an effective compliance effort.
6. Ongoing Monitoring and Auditing
Another key element of an effective compliance program is ongoing monitoring and auditing of everything above. Regardless of the type of compliance activity you use to meet an obligation, you can’t just “set it and forget it” like a countertop kitchen appliance.
If your anti-bribery policy hasn’t been reviewed in five years, if you haven’t updated your safety training since the 2000s, or if you haven’t seen a reduction in internally reported ethics violations (or, worse, aren’t sure how many were reported or how they were handled), those are all signs that you aren’t adequately maintaining the compliance activities that meet your obligations.
A single system that lists all of your obligations and their related compliance activities, and that lets you evidence the periodic auditing of those activities by linking each audit back to the obligations it covers, makes it much easier to audit the compliance program itself, and makes your claims about how well you are meeting your obligations far more defensible.
7. Corrective Actions
Finally, some compliance activities might be as simple as a recurring action, such as a monthly reminder to review the exception logs generated by your monitoring solution. Alongside these recurring activities, your auditing program will inevitably produce findings that require corrective actions (coincidentally, the seventh element of an effective compliance program) for resolution.
What better way to prove you are responding promptly to detected offenses, implementing new controls when problems arise, and completing any compliance actions than to have them all together in a single system, with email reminders and escalations to keep things on track?
As you know, meeting your obligations, regardless of their source, involves a variety of compliance activities and periodic review/verification to ensure that the activities are performed correctly and are achieving the expected results.
If you would like more information about how a comprehensive, flexible, integrated solution that helps execute and monitor these activities makes it easier to answer the question, “how do I know we’re compliant?”, contact us!