Seven steps to compliance

I have been asked on a couple of occasions recently, what are the requirements for a compliance function, a strange question because this was raised by regulated firms.

The firms governing body has overall responsibility for compliance and they must through policies and training communicate its core values. The governing body and senior managers should work with the compliance function to drive the culture and embed a framework of compliance throughout the business, the following seven steps may help

1. Identify the regulations that you must comply with and undertake a risk assessment against each applicable regulation.

This may include:

• Financial Conduct Authority
  Data Protection Act
  Money Laundering Regulations
  Health and Safety
  Advertising standards

The risk assessment must identify the inherent and residual risk, and consider the impact and probability before and after the establishment of your controls. Remember this is a living tool and must be revisited regularly.

2. Create procedures for staff to follow. This includes developing a number of key controls to reduce the impact and probability of your identified risks.

• Procedures should have an owner and be kept up to date and version controlled. These should be made available to all staff.
  Key controls should be identified, documented and assigned a control owners.

3. Assess your controls to ensure that there are no gaps and that they are designed and operating effectively and develop a monitoring process to test whether they continue to operate as designed.
4. Create a compliance manual with all of your procedures, policies and guidelines for staff to follow. This should notify staff of their responsibilities and escalation procedures should they identify incidents or breaches of the regulatory system. The compliance function is there to provide your business with support and advise.
5. Train your staff on relevant regulatory matters. Make sure training is developed in line with your business needs and also covers your legal and regulatory obligations.
6. Carry out regular audits and assessments to ensure that you are still compliant and that your controls continue to meet the requirements. Report findings to relevant risk, compliance or audit committees.
7. Use Management Information and record keeping to demonstrate your compliance with the rules and ensure your key risk indicators (KRI’s) identify and monitor trends. Make sure your records are maintained in line with system and control record keeping requirements.

Policy Governance

To meet the requirements of the FCA Systems and Controls rulebook, in particular rule 6.1.1. A firm must establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees and appointed representatives (or where applicable tied agents) with its obligations under the regulatory system and for countering the risk that the firm might be used to further financial crime.

For more information click here Policy Governance

Conduct risk and treating customers fairly

Firms are now preparing their application pack ready for applying to the FCA for authorisation. It is essential that regulated firms can provide management information that evidences that Treating Customers Fairly (TCF) is central to their values and at the heart of their customer relationship.

The customer journey includes product design, marketing, distribution, advice, application and after care service. The customer outcomes must evidence that TCF is embedded within the culture of your firm.

Click here for the framework for Conduct Risk

Risk Management and Internal Control

To meet the requirements of the FCA systems and controls rulebook, in particular rule 7.1.2 your firm needs to establish, implement and maintain adequate risk management policies and procedures, including effective procedures for risk assessment, which identify the risks relating to your firms activities, processes and systems, and where appropriate, set the level of risk tolerated by the firm.

Click here to see more Risk Management and Internal Control

FCA Authorisation Update

Between the 1^st June 2014 and the 31^st March 2016 up to 50,000 firms will be applying for either a variation of permission or authorisation. The authorisation application requires detailed information about your firm, its ownership and structure, your business risks, financial information, your regulated business plan, your corporate governance arrangements, your systems and controls, how you treat customers fairly, and how you monitor compliance with the rulebooks.

Your firm will be required to submit certain key documents and may be required to submit other policies and procedures to support your application.

The FCA recently held a round table event for trade associations which focused on the authorisation process. This is a high level summary of the key points raised:

• Early experience of the applications received so far suggest that firms were finding it more difficult and time consuming to complete the form than they had expected, so it is important that firms make sufficient time to complete the application.
• Firms must provide full documentation as required and be open and honest. Without all the information and supporting evidence the FCA do not class the application as complete, leading to delays and requests for more information.
• Make sure you apply for the right permissions at the right level.
• Do not miss the application slot assigned to your firm as your interim permissions will immediately lapse and cannot be re-instated if you do. The FCA has no scope to consider late applications and firms will be expected to cease trading until authorisation has been obtained.
• Application periods have been assigned on the basis of the OFT categories which firms held as of the 1^st April 2014. These will not vary even if a firm has applied to vary its categories.

If you require any assistance with the application process please call or respond on the website. We will endeavour to respond to you at the earliest opportunity.

Tel mobile: 07597 386728

e-mail: info@internalcontrol.co.uk

Web: www.internalcontrol.co.uk.