How to Report Compliance Gaps and Deficiencies?

One important question just came into my mailbox: "What do we do, and how do we report instances when we know we are not compliant or did not do what we planned to do?"

Yes, this is a great question, which is why I added a new section to our workshop agenda. This workshop, Annual Compliance Reporting, is taking place on March 21st, 2023 at 1 PM.

In this newsletter, I would like to highlight why Compliance Reporting should never be weaponized or used by compliance or audit to score any "wins" against the management.

What is really sad and devastating for the FinTech industry is to see how some creators of outdated guidelines and narrow-thinking, extremely conservative professionals use the recent turbulence with Signature, Silvergate, SVB, and other incidents to argue that these incidents could have been prevented by more reporting and additional disclosures.

Compliance reporting is NOT a hedging strategy and it is NOT an insurance policy.

Compliance reporting, in my opinion, should never be used for any of the following:

  • Trying to make the Boards fearful and suspicious of possible internal and external audit discoveries, which makes audit scoping and calibration completely dysfunctional.
  • Hijacking audit processes to make audit findings look scarier, riskier, and more serious than they really are to secure additional resources, budgets, and headcount for compliance or risk functions.
  • Claiming that "the business and its first line of defense must own their risks".

All of the above leads to the complete erosion of trust in the company, makes it impossible to take reasonable risks, and slows down innovation. In a way, these ill-intended strategies are a total abuse and misuse of the Three Lines of Defense concept.

Most FinTech founders and the majority of non-banking professionals have never heard of the Three Lines of Defense principles, but once they start hearing about it, their first (and lasting) reaction is that it's one of the most useless theoretical constructs ever designed in the ivory tower by people who have never run a company (which may or may not be the case, but this is entirely beside the point).

Now, let's break it down and see what this concept is really all about.

Essentially, the Three Lines of Defense is a risk management concept that was formalized and brought into many national legislations in Europe after the financial crisis of 2008-2010. The ultimate goal of the policy-makers was to clarify the decision-making responsibilities in the banking sector with respect to risks and risk acceptance. To put it simply, the concept suggests that there are 3 levels at which organizations make decisions about risks.

  • The first level (1st line) covers decisions made by people doing their jobs: engineers writing code, customer support agents resolving customer tickets, marketing managers writing marketing campaigns, and sales managers negotiating with clients. These actors must be capable and empowered to do their jobs, but they also need to know where and how they need to involve other teams or get additional approvals. In fact, many tasks of the 1st line can be automated and performed by various tools and technology.
  • The 2nd line of defense is essentially a layer where organizational frameworks, policies, and rules are created and enforced. For example, salespeople would have rate cards stipulating how they can negotiate prices or grant discounts. Customer onboarding agents have guidelines on which countries they can accept customers from and which documents they need to request and review. Engineers would have a process around code reviews, testing, and quality assurance controls before the code is deployed into production. The procurement team must know when they need approval from finance to spend money or make purchasing commitments. Those guidelines and frameworks should normally provide clarity, speed up processes, and eliminate the need to ask for permission on a case-by-case basis.
  • The 3rd line of defense is supposed to provide assurance that teams and departments are actually doing what they are supposed to be doing, and to offer objective and independent feedback to the company, management, and the teams on where they have weaknesses or inefficiencies, but also where they are being too slow, too costly, or not competitive.

This is unfortunately not what happens on the ground in many cases.

The concept of 3 Lines (when misinterpreted and abused) has induced more organizational conflicts, delayed more decisions, and triggered the creation of more redundant jobs and needless tasks than potentially any other financial regulation on this planet.

Why? Because many representatives of the 2nd line of defense (sometimes without even realizing it) interpreted the concept of the 3 lines of defense as permission not to make any decisions and instead to push all the risk acceptance and uncertainties either down (to the individual functions) or up (to the auditors, senior management, or boards).

When you face a compliance reporting "problem" because of missing processes, tools, or commitments that you did not fulfill, it is highly likely that you first created or adopted an unrealistic plan or an unrealistic policy that you are not able to follow. Very often you adopted it because your compliance and legal team suggested that it would be better to create a policy that reflects an "ideal" compliance situation and then, if it is not followed, to document the deficiency. The compliance team may have felt that having a "perfect situation" policy protects them and protects the company; however, this is a very common misconception that creates a lot of externalities, complicates the reporting, and actually creates regulatory vulnerabilities that may not otherwise exist.

To address this very common issue, I will cover specific scenarios on how to document gaps, deficiencies, and exceptions (and also how to avoid them) during the workshop.

FULL AGENDA:

  • Annual MLRO reporting and key reportable AML metrics to help you prepare for AML audits
  • Annual Risk Assessment (template included) and Risk Acceptance Framework
  • Execution of the Compliance Plan (template included)
  • Effectiveness of the Internal Controls Framework
  • Reporting incidents and special events (Covid, Brexit, ...)
  • Reporting gaps, deficiencies, and exceptions (recently added section)

Sign up TODAY for this workshop!

Bonus Offer: Has your entity been impacted by the WaveCrest, Wirecard, Railbank, Silvergate, Signature & Co fallouts?

If you would like to attend this special training on how to select and vet your future financial partners and how to review their AML program and avoid creating duplicated AML controls over joint customers, I have a special offer for you.

If you decide to join my Compliance Collective membership, you will pay the same price of 297 EUR, and not only will you have both the Compliance Reporting and Partner Due Diligence workshops included in your membership program during the first month, but you will also be invited to join the Office Hours Coaching Call with me on April 3rd, 2023 and every first Monday of the month thereafter. Click here to learn more about the Compliance Collective!
