Compliance Risk Assessment

We touched upon the obligation of the Compliance Function to conduct a risk assessment in our write up concerning the Compliance Monitoring Program, highlighting that such program should be grounded on the assessment of the relevant major risk factors which are more likely to disrupt compliance with applicable laws and regulations.

The obligation of the Compliance Function to conduct a risk assessment to ensure that compliance risks are identified and comprehensively monitored constitutes one of the pillars of the role of the Compliance Function. Its purpose is to determine the priorities and the focus areas in terms of monitoring, advisory, and assistance activities.

During our hands-on experience, we often come across regulated entities the Compliance Function of which, through several compliance processes, do effectively carry out the process of risk assessment. Such entities assess compliance risks within areas of the internal processes and policies while reviewing and updating the internal policies and while monitoring for any new rules, regulations, or legislation issued. Moreover, the Compliance Function becomes aware of the compliance risks emanating from the activities and services of the Company through its involvement within internal committees, such as the Product Governance Committee, the Risk Management Committee etc. Yet, it is very common that the Compliance Function fails to record the compliance risks assessment exercises conducted, including inter alia, the manner in which the assessment of new compliance risks has been conducted, any new compliance risks identified, and any controls put in place as a countermeasure to new compliance risks identified.

Considering these findings, we would like to emphasise the importance of documenting in writing the risk assessment conducted by the Compliance Function of the regulated entity. The compliance risk assessment may enable the Compliance Function to identify the priorities and the focus of the monitoring, advisory, and assistance activities only if the manner in which the compliance risk assessment is conducted, its results, and any controls and measures adopted thereunder are duly documented. It will also allow the Compliance Function to allocate the necessary resources in a manner which reflects the risks considered, enhancing the effectiveness of the Compliance Function itself (For further information on the Effectiveness of the Compliance Function please refer to https://www.zerafa.com.mt/the-effectiveness-of-the-compliance-function/).

On a related note, we would like to point out that even the reviewing process of the internal policies and procedures per se, should be based on a risk-based approach, i.e. on the outcome of the compliance risk assessment, where the frequency of the review process of a particular policy or procedures should be determined based on the compliance risk assessment.

When conducting the compliance risk assessment, the Compliance Function should consider the compliance risks which might emerge from all the areas of the services, activities, and ancillary services provided by the regulated entity. In addition, the Compliance Function should assess the complexity of activities carried out, the financial products traded and distributed, the categories of clients serviced, the distribution channels and the internal organisation of the regulated entity.

The compliance risk assessment should also consider the results of any monitoring activities and of any relevant internal or external audit findings. In this regard, the Compliance Officer shall take into account reports presented by the internal audit function, the risk management function, and any other internal or external audit functions. In order to conduct a proper assessment, the Compliance Function should avail itself of risk matrix templates or risk assessment tools prepared in line with the principles set out in the internal policies.

Furthermore, the compliance risk assessment should consider the applicable obligations under European directives and regulations, national implementing rules and policies, procedures, systems, and controls implemented within the regulated entity in the area of the services and activities it undertakes. We recommend that for such purpose, the Compliance Officer monitors on a regular basis any new rules, regulations, or legislation issued which are relevant to the activities of the regulated entity to ensure that it updates its internal processes in line with such legislative updates ensuring that the regulated entity remains compliant with all the applicable rules and regulations at all times.

Once again, our suggestion in this regard is that the Compliance Officer documents any new compliance risks emanating from legislative updates identified through such exercise by conducting a compliance risk assessment on such newly identified risk scenarios and updating the records documenting the compliance risk assessment conducted accordingly. Moreover, the process followed by the Compliance Officer in monitoring on a regular basis any new rules, regulations, or legislation issued which are relevant to the activities of the Company should be documented. This may be achieved by including in the compliance reports presented to the Board a section on regulatory updates containing a summary of the main points of the updates made to the applicable regulations and rules, and any relevant circulars, notices, and updates issued by competent authorities (Find hereto more info on the contents of the Compliance Report https://www.zerafa.com.mt/compliance-report-what-to-report-on/ ).

Lastly, we would like to remind the Compliance Function of regulated entities that “The compliance risk assessment should be reviewed on a regular basis, and, when necessary, updated to ensure that the objectives, focus and the scope of compliance monitoring and advisory activities remain valid”. Therefore, we suggest that the Compliance Function conducts a compliance risk assessment on a periodic basis and each time new compliance risk scenarios are identified ensuring that the compliance risk assessment is duly updated documenting such newly identified compliance risk scenarios.

The information contained in this write up is provided for general informational purposes only. It does not, and is not intended to, constitute legal advice on any subject matter. You should not act or refrain from acting on the basis of any content included in this write up without seeking legal or other professional advice for your individual situation.