This article elaborates on ‘Compliance Requirements’. To continuously improve and strengthen the internal control system, management regularly performs activities to identify the current and new applicable laws and regulations. The overall internal control system of an organization must support compliance with regulatory and legal requirements with which the organization must comply.
What is Compliance Risk?
Compliance risk is the risk of non-compliance with applicable laws and regulations. Non-compliance with such laws and regulations may expose an organization to financial losses, reputational damage, and loss of market share as customers lose confidence in it.
Functions and processes for which regulators have issued significant compliance requirements are areas where an organization must establish robust internal controls to avoid sanctions, investigations, and enforcement procedures. These are the processes where the tolerance level is set very low or at zero.
For example, an account must not be opened if the customer’s due diligence process is not completed. Therefore, performing an appropriate due diligence process is a key and significant control in the account-opening process.
Another critical process, which mainly relates to banks and financial institutions, is transaction monitoring, where customers’ transactions are monitored on a regular basis to identify any suspicious transaction or activity in the customers’ accounts. Investigating customers’ transactions and activities when they breach the transaction thresholds built into the AML monitoring system is an important control activity. Performing such a control activity is a regulatory requirement in many countries around the world.
Compliance risk is closely interrelated with the other categories of risk an organization faces, because it often overlaps with the same activities or sources of risk. However, to obtain an accurate entity-wide compliance risk profile, compliance risk must be measured and managed separately from the other categories of risk.
In some areas of an organization, a single business activity may give rise to multiple sources of risk. For example, the borrower risk assessment is a regulatory compliance requirement, but it is also needed to assess and analyze the borrower for credit risk management. In this example, a single failure in the activity (inadequate capture of the borrower’s information) may lead to multiple loss events and is therefore a source of multiple risks, including credit risk (risk of losing the amount lent) and compliance risk (risk of regulatory penalties).
Three Categories of Compliance Risk
In practice, compliance risk loss events fall into three broad categories:
- Strategic Risk: This category comprises risks that can affect the strategic operations of an organization, such as product license cancellation or market restrictions.
- Reputational Risk: This category describes damage to the organization’s reputation from adverse media coverage or other negative news, which might lead to a loss of customers and partnerships.
- Financial Risk: This category comprises risks and events arising from financial penalties or fines levied by the regulatory authorities or other enforcement bodies relevant to a particular organization.
Depending on the size of the organization and the complexity of its business operations, the board and management identify the applicable laws and regulations with which the organization must comply. Usually, the board and management set the tolerance level at zero to ensure that employees take the rules and regulations seriously and comply with the applicable provisions in letter and spirit. Organizations take various measures to control the risk of non-compliance with applicable laws, rules, regulations, and standards.
For this purpose, organizations tend to have a systematic procedure in place for dealing with newly released laws, regulations, and standards and with updates to existing regulations. In most cases the new regulations or updates are a step forward, but for some organizations implementing the changes takes considerable time and effort, which gives rise to the risk of non-compliance.
Different types of organizations are subject to different regulatory requirements.
For example, financial institutions have been exposed to unprecedented levels of change in regulatory requirements in the aftermath of global financial crises. No matter how stringent the regulation is, financial institutions must maintain a zero-risk appetite for compliance risk. Banks are considered the most regulated organizations. Examples of regulations that banks all over the world have to comply with include anti-money-laundering regulations, risk-management regulations, customer relationship management regulations, internet banking regulations, and data-protection regulations. The bank’s management bears overall responsibility for compliance with all of these regulations.
Another example relates to organizations that carry out e-commerce business activities. These organizations are commonly required to ensure compliance with regulations such as data-protection regulations, AML regulations, and various other types of regulations.
In summary, to continuously improve and tighten the internal control system, management performs activities that aim to identify the current and newly applicable laws and regulations, which is the core of the ‘Compliance Requirements’ elaborated on in this article.