In conducting a review of the effectiveness of the compliance regime, the scope of our work covers all operating activities of the organization and its subsidiaries that have obligations under the PCMLTFA and FINTRAC Guidance.
The objective of the review is to determine the effectiveness of the documented compliance program as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. The five pillars of a successful compliance program will be reviewed:
1. Appoint a compliance officer responsible for the implementation and oversight of the compliance program;
2. Develop and apply written compliance policies and procedures that are kept up to date and approved by a senior officer;
3. Apply and document a risk assessment, including mitigation measures and strategies;
4. Develop and maintain a written training program for employees, agents, and others authorized to act on your behalf; and
5. Review the compliance program (policies and procedures, risk assessment and training program) every two years for the purpose of testing its effectiveness.
The processes will include reference to the following materials:
Procedures will consist of inquiry, inspection, testing and sampling. Procedures will address all elements of the AML/ATF program. Specific procedures will include:
The Office of the Superintendent of Financial Institutions (OSFI) Guideline E-13, Regulatory Compliance Management (RCM), sets out expectations for financial institutions regarding the controls through which they manage the regulatory risk inherent in their activities. Non-compliance with regulatory requirements can have a critical impact on an institution’s reputation as well as its soundness. OSFI’s key expectation with respect to RCM is that the financial institution will establish and maintain an enterprise-wide framework of regulatory risk management controls, including oversight by functions that are independent of the activities they oversee.
The guideline was revised in November 2014 and implemented in May 2015 to align more effectively with updated OSFI guidelines and to complement OSFI’s Supervisory Framework and Assessment Criteria. The revised guideline does not create new regulatory requirements. Rather, it communicates OSFI’s key expectations regarding the need for FRFIs (federally regulated financial institutions) to establish and maintain an enterprise-wide framework of regulatory risk management controls.
Within the specific processes to review and test, the objectives of our internal audit are as follows:
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations. It governs the collection, use and disclosure of personal information by organizations. In BC, the Personal Information Protection Act (PIPA) goes beyond the federal PIPEDA in that it applies to employee as well as member information and is not limited to commercial activities. The federal legislation still applies to organizations that collect, use or disclose personal information across provincial borders in a commercial context, such as BC data backup facilities, use of a credit bureau outside BC, and any Bank subsidiary operating outside the province.
Privacy breaches can result in significant adverse publicity that damages the reputation of your organization. Privacy complaints by members, if not dealt with appropriately, may also impair reputation. The Office of the Privacy Commissioner of Canada is empowered by legislation to conduct investigations and enquiries and to impose fines of up to $100,000 (PIPEDA s28) for non-compliance. These risks are mitigated by an effective privacy compliance regime.
Our objectives are to assess corporate and branch compliance with the Personal Information Protection and Electronic Documents Act, as monitored and administered by the Office of the Privacy Commissioner of Canada, regarding the personal information of Bank customers and employees, in terms of:
We will utilize the following resources to conduct the audit: