Regulatory Compliance: Anti-Money Laundering, Regulatory Compliance Management System, and Privacy Compliance.
In conducting a review of the effectiveness of the compliance regime, the scope of our work covers all operating activities of the organization and its subsidiaries that have obligations under the PCMLTFA and FINTRAC Guidance.
The objective of the review is to determine the effectiveness of the documented compliance program as required by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. The five pillars of a successful compliance program will be reviewed:
1. Appoint a compliance officer responsible for the implementation and oversight of the compliance program;
2. Develop and apply written compliance policies and procedures that are kept up to date and approved by a senior officer;
3. Apply and document a risk assessment, including mitigation measures and strategies;
4. Develop and maintain a written training program for employees, agents, and others authorized to act on your behalf; and
5. Review the compliance program (policies and procedures, risk assessment and training program) every two years for the purpose of testing its effectiveness.
The processes will include reference to the following materials:
- Proceeds of Crime (Money Laundering) and Terrorist Financing Act and the Regulations made under the PCMLTFA
- FINTRAC Guidance, and other FINTRAC summaries, interpretations and publications
- FINTRAC’s Risk-based approach workbook for Credit Unions
- OSFI B-8 Guideline
Procedures will consist of inquiry, inspection, tests and sampling. Procedures will address all elements of the AML/ATF program. Specific procedures will include:
- Interviews with the Chief Anti-Money Laundering Officer (CAMLO)
- Interviews with a sample of staff to determine their knowledge of the legislative requirements, policies and procedures, and to confirm ongoing training
- A review of the design of the AML training program
- A review of AML Policies and Procedures
- A review of the criteria and process for identifying and reporting reportable transactions
- A review of reports submitted to FINTRAC
- A test of the monitoring system in place for capturing reportable transactions
- A review of ongoing monitoring procedures
- A test of the record keeping system for compliance with the legislation
- A review of the risk assessment and risk mitigation procedures
- A review of the AML monitoring software
- A review of the remediation of deficiencies identified in prior biennial reviews and FINTRAC examinations
Regulatory Compliance Management System:
The Office of the Superintendent of Financial Institutions (OSFI) Guideline E-13 Regulatory Compliance Management (RCM) sets out expectations for Financial Institutions regarding the controls through which they manage the regulatory risk inherent in their activities. Non-compliance with regulatory requirements can have a critical impact on an institution’s reputation as well as its soundness. OSFI’s key expectation with respect to RCM is that the Financial Institution will establish and maintain an enterprise-wide framework of regulatory risk management controls, including oversight by functions that are independent of the activities they oversee.
The guideline was revised in November 2014 and implemented in May 2015 to align more effectively with updated OSFI Guidelines and to complement OSFI’s Supervisory Framework and Assessment Criteria. The revised Guideline does not create new regulatory requirements. Rather, it communicates OSFI’s key expectations in respect of the need for FRFIs to establish and maintain an enterprise-wide framework of regulatory risk management controls.
Within the specific processes to review and test, the objectives of our internal audit were as follows:
- Assess corporate compliance with governing statutes, regulations, and OSFI guidelines;
- Identify any internal control weaknesses that would expose your organization to regulatory risk;
- Assess the adequacy of the controls in place to ensure regulatory compliance and adherence to the 9 key controls of the framework:
  - Role of the CCO
  - Procedures for identifying, risk assessing, communicating, effectively managing and mitigating regulatory compliance risk, and for maintaining knowledge of applicable regulatory requirements
  - Day-to-day compliance procedures
  - Independent monitoring and testing procedures
  - Internal reporting
  - Role of Internal Audit or other independent review function
  - Adequate documentation
  - Role of Senior Management
  - Role of the Board
- Validate the effectiveness of the Regulatory Compliance Management Function. Specifically, to verify, on a sample basis, management’s assertions on compliance.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations. It governs the collection, use and disclosure of personal information by organizations. In BC, the Personal Information Protection Act (PIPA) goes beyond the federal PIPEDA in that it applies to employee as well as member information and is not limited to commercial activities. The federal legislation still applies to organizations in the collection, use and disclosure of personal information across provincial borders in a commercial context, such as BC data backup facilities, use of a credit bureau outside BC, and any Bank subsidiary operating outside the province.
Privacy breaches can result in significant adverse publicity that damages the reputation of your organization. Privacy complaints by members, if not dealt with appropriately, may also impair reputation. The Office of the Privacy Commissioner of Canada is empowered by legislation to conduct investigations and enquiries and to impose fines of up to $100,000 (PIPEDA s. 28) for non-compliance. These risks are mitigated by an effective privacy compliance regime.
Our objectives are to assess corporate and branch compliance with the Personal Information Protection and Electronic Documents Act, as monitored and administered by the Office of the Privacy Commissioner of Canada, regarding the personal information of Bank customers and employees, in terms of:
- Privacy Management (Accountability, Purpose and Monitoring)
- Privacy Officer
- Policies and Practices
- Information Collection
- Information Use and Disclosure
- Information Access and Recourse
- Accuracy and Security
We will utilize the following resources to conduct the audit:
- Personal Information Protection and Electronic Documents Act, current to March 5, 2018
- Privacy Toolkit for Businesses (December 2015), Getting Accountability Right with a Privacy Management Program, PIPEDA interpretation bulletins and Key Steps for Organizations in Responding to Privacy Breaches (August 2007)