A sound governance structure is the foundation of an effective Corporate Compliance program. It will include the Board of Directors and Senior Management setting the tone at the top, hiring a qualified CCO, and properly resourcing the three lines of defense. In an organization such as a bank or a financial institution, the Board of Directors is primarily responsible for setting a strong compliance culture and implementing the compliance program.
The “tone at the top” is a public commitment at the bank’s highest levels to comply with regulatory requirements as part of its core mission, and a recognition that this is critical to the overall risk management framework of the company.
To ensure appropriate oversight of the compliance culture, the Board of Directors forms a board-level sub-committee to periodically monitor the compliance practices and measures taken by the management.
The Board of Directors may delegate the responsibility to the Board Level Corporate Compliance Committee or BCCC. The members of BCCC periodically conduct compliance meetings, where significant compliance issues, breaches, and new regulatory requirements are reviewed and discussed.
Board-Level Corporate Compliance Sub-Committee
The Board ensures that a strong compliance culture and control environment are maintained. The Board provides oversight and guidance to the Compliance Committee and Senior Management to implement the Compliance program and policies approved by the Board. The management forms the set of processes, reporting lines, systems, and structures that provide the basis for carrying out regulatory requirements across the organization. The control environment relates to the commitment of management and employees to integrity and ethical values.
For internal controls to be effective, an appropriate control environment should demonstrate the following behaviors:
The Board reviews policies and procedures periodically and ensures their compliance;
The Board determines whether there is an audit and control system in place to periodically test and monitor compliance with internal control policies/procedures and to report to the board instances of non-compliance;
The Board ensures independence of internal and external auditors such that the internal audit directly reports to the audit committee of the Board, which is responsible to the Board, and that the external auditor interacts with the said committee and presents a management letter to the Board directly;
The Board ensures that appropriate remedial action has been taken when an instance of non-compliance is reported and that the system has been improved to avoid recurring errors or mistakes;
Management information systems provide adequate information to the Board so that the Board can have access to records if the need arises;
The Board and Management ensure communication of compliance policies down the line within the organization;
The Board forms a Board sub-committee, known as the Board Compliance Committee or BCC, to provide strong oversight to the Compliance Committee and the Management, to ensure effective and continued implementation of applicable regulatory requirements.
The BCCC ensures the management implements the board-approved Compliance Program for effective compliance. The BCCC forms a Management level Compliance Committee known as the “Central Compliance Committee” or CCC. The CCC works on behalf of the BCC, regularly reviewing and providing appropriate feedback to the management and employees regarding the organization’s overall compliance profile.
The MCC comprises all the departmental heads, who meet periodically to discuss the compliance status of their respective departments. The CCO serves as the secretary to the BCC. The CCO prepares the agenda of the BCC meeting and presents it to the BCC members before each periodic meeting.
Final Thoughts
A compliance committee, at its most basic, is a group of in-house executives at a company who can assist the company in meeting its regulatory compliance obligations. The committee attempts to ensure that the company is doing everything it is supposed to do in order to fulfill those obligations, and nothing that would violate them.