Heightened standards for compliance risk management Lines of defense — compliance’s role


Post-financial crisis, the Office of the Comptroller of the Currency (OCC) developed a set of heightened expectations to enhance the risk management practices of large banks. On September 2, 2014, the OCC issued a set of final rules and guidelines to expand these previously non-codified expectations into a set of enforceable minimum standards that require management to demonstrate a strong risk governance framework. The final rules and guidelines will apply to banks with average total consolidated assets equal to or greater than US$50 billion as of the effective date of November 1, 2014.

The final rules and guidelines provide greater clarity and specificity around expectations for the design, implementation and oversight of an institution’s risk governance framework. Future OCC examinations will broadly focus on an institution’s operating model and execution, with a specific focus on the following four areas:

• Board of director oversight

• Personnel management

• Lines of defense

• Risk appetite

This paper focuses on the lines of defense, specifically related to compliance’s role.

Lines of defense — independent risk management

The final rules and guidelines define the roles and responsibilities for front line units, independent risk management (inclusive of the compliance function) and internal audit. Specifically, an independent risk management function should:

• Take primary responsibility and accountability for designing a risk governance framework commensurate with the size, complexity and risk profile of the bank

• Establish and adhere to enterprise risk policies

• On an ongoing basis, identify and assess material aggregate risks and determine which actions to take to strengthen risk management or risk reduction

• Identify and communicate to the CEO and the board material risks as well as significant instances where a front line unit is not adhering to the framework, or where independent risk management and front line unit assessments differ

What should banks do now?

Going forward, the banking regulators broadly continue to expect strong risk management frameworks, with defined roles and responsibilities for each line of defense. Specifically, the oversight of compliance risk should not rest purely on the Compliance function. To address these requirements, banks should assess the structure of their current compliance framework, establish clear accountability and ownership of compliance risks, and consider the following key areas of the compliance risk management approach:¹

• Clearly defined roles and responsibilities for compliance risk management, including the monitoring and oversight of compliance risks outside of Compliance (e.g., Business, Operations, Finance, Market or Credit Risk, Technology)

• Firmwide approach to enhance coverage and consistency of the compliance risk management/oversight across the bank

• Independence, stature and influence of compliance staff demonstrated through the ability to effectively challenge business and affect business decisions

• Sound practices for compliance monitoring and testing to stay abreast of changes that may indicate potential increases to compliance risk

¹ As highlighted in Supervision and Regulation Letters SR 08-8 and SR 12-17 issued by the Board of Governors of the Federal Reserve System.

To translate the above key areas into elements of success, banks should assess whether there is a consistent and comprehensive approach for the following:

1. Banks should foster the stature and independence of Compliance, balancing its role as business advisor and its responsibility for oversight and broad risk management, by establishing:

• Clear roles and responsibilities for compliance oversight

• Reporting relationships between the global chief compliance officer (CCO) and lines of business (LOBs) and regional CCOs

• Communication and reporting between compliance, senior management and the board

• Escalation and reporting protocols

2. Banks should strive for consistency of scope and approach across LOBs and geographies. Additionally, clear accountability and ownership of compliance risks should be established, by defining:

• The coordination between Compliance and other functions to provide comprehensive coverage of compliance management activities, gain efficiencies where possible and avoid unnecessary duplication

• Standards for consistency in application and approach to address similar risk issues, share common views of compliance risk and facilitate central oversight

• A reporting framework and process for normalizing and aggregating information across the enterprise

[Figure: Organizational structure — Board; Global CCO and enterprise team (set strategic vision and priorities; aggregate, analyze and report); senior management; LOB compliance and regional compliance units, with consistent standards across LOBs and regions.]

[Figure: Enterprise-wide approach — Board; senior management; Global CCO with enterprise team; Region 1 CCO, Region 2 CCO; LOB 1 CCO, LOB 2 CCO.]

3. A sustainable compliance program should address a set of integrated activities to identify, assess, control, measure, monitor and report on compliance risk. Additionally, the program should:

• Support the execution of activities with sufficient resources of the requisite knowledge, expertise and skills (e.g., technology, testing)

• Enhance systems and technologies for integrated and consistent coverage of compliance processes (e.g., common platforms to address compliance risks)

[Figure: Compliance life cycle — A. Identifying regulations and assessing (inventory, risk assessment); B. Policy framework (policies, training); C. Compliance monitoring (monitoring/surveillance, testing); D. Communication and reporting (reporting, issue tracking and escalation). Supporting components: governance and oversight; organization, stature and objectivity; advisory activities; technology enablement. Stakeholders: business lines, operations, technology, regulators.]

Establishing a set of integrated activities and components for the compliance life cycle will facilitate a comprehensive and sustainable compliance risk management framework.


How we can help

Our Regulatory Compliance team brings deep experience in current supervisory expectations and the range of practices in the financial services industry. Specifically, we can assist with compliance function strategy and design reviews to help our clients identify practical opportunities for improvement. The reviews provide an independent perspective on issues, gaps and benefits related to the current compliance structure, as well as recommendations for enhancements.

In addition, we have facilitated workshops with compliance management to create action plans to remediate issues identified through our reviews and to determine the direction of the organization moving forward. Our team has also provided numerous educational sessions for compliance organizations in the areas of supervisory expectations, strategic planning, execution of key compliance activities and the scope of compliance.

We have also assisted clients with aligning their organizations to supervisory expectations and industry practices through the creation of a target operating model. The intent of the target operating model is to create a compliance organization that enables stronger governance and oversight, promotes consistency and standardization of approach, and clearly delineates roles and responsibilities across the organization.

Timeline — compliance dates

• 9/2/2014: Final rules and guidelines effective date

• 5/1/2015: Compliance date for banks with less than US$750 billion but greater than or equal to US$100 billion

• 5/1/2016: Compliance date for banks with less than US$100 billion but greater than or equal to US$50 billion

Ernst & Young LLP contacts

Michael R. Patterson, Principal, Advisory Financial Services, +1 212 773 2824, [email protected]

Madeline Miller, Executive Director, Advisory Financial Services, +1 212 773 7615, [email protected]


EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

EY is a leader in serving the global financial services marketplace

Nearly 43,000 EY financial services professionals around the world provide integrated assurance, tax, transaction and advisory services to our asset management, banking, capital markets and insurance clients. In the Americas, EY is the only public accounting organization with a separate business unit dedicated to the financial services marketplace. Created in 2000, the Americas Financial Services Office today includes more than 6,900 professionals at member firms in over 50 locations throughout the US, the Caribbean and Latin America.

EY professionals in our financial services practices worldwide align with key global industry groups, including EY’s Global Wealth & Asset Management Center, Global Banking & Capital Markets Center, Global Insurance Center and Global Private Equity Center, which act as hubs for sharing industry-focused knowledge on current and emerging trends and regulations in order to help our clients address key issues. Our practitioners span many disciplines and provide a well-rounded understanding of business issues and challenges, as well as integrated services to our clients.

With a global presence and industry-focused advice, EY’s financial services professionals provide high-quality assurance, tax, transaction and advisory services, including operations, process improvement, risk and technology, to financial services companies worldwide.

© 2015 Ernst & Young LLP. All Rights Reserved.

SCORE No. CK09401504-1439248 NYED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com