Compliance (Compliance Troubles) refers to the consistency of commercial banks' business activities with laws, rules and standards. From the Basel Committee on Banking Supervision's definition of compliance risk, bank compliance specifically refers to compliance with laws, regulations, regulatory rules or standards.

1. Compliance

In recent years, the term "compliance with laws and regulations" has been frequently used in the supervision and management of my country's commercial banks. However, many people have a superficial understanding of the concept of "compliance". Some people understand "compliance" as the business management behavior of banks and their branches must comply with the rules and regulations formulated by the bank's head office; some people simply understand "compliance" as compliance with regulations, and non-compliance with regulations is a violation of regulations. Obviously, these understandings are inconsistent with the international banking industry's understanding of "compliance". The Guidelines for Compliance Risk Management of Commercial Banks also defines the meaning of compliance as follows: "It means that the business activities of commercial banks are consistent with laws, rules and standards." Laws, rules and standards related to banking operations include regulations such as anti-money laundering and prevention of terrorist financing activities, and standards related to banking operations, including avoiding or reducing conflicts of interest, privacy, data protection, and consumer credit.
In addition, according to the different supervision and management models adopted by the regulatory authorities or the banks themselves, the above laws, rules and standards can also be extended to laws, rules and standards outside the scope of banking operations, such as labor and employment laws and tax laws. Laws, rules and guidelines may have different sources, including those set by regulatory authorities, market conventions, industry codes of conduct set by industry associations, and internal codes of conduct applicable to bank employees. They include not only those legally binding documents, but also broader codes of conduct on honesty, integrity and fair dealing.

2. Compliance Risk

According to the definition of the New Basel Accord, "compliance risk" refers to the risk that a bank may suffer legal sanctions or regulatory penalties, significant financial losses or reputational damage due to its failure to comply with laws, regulations, regulatory requirements, rules, relevant guidelines formulated by self-regulatory organizations, and codes of conduct that are applicable to the bank's own business activities. From the connotation point of view, compliance risk mainly emphasizes the economic or reputational losses that banks suffer through violations of laws, regulations and regulatory rules that they themselves cause. This type of risk is more serious and causes greater losses.

The relationship between compliance risk and the three major risks of banks

Traditional bank risks include three risks: credit risk, market risk, and operational risk. Compliance risk is a more basic risk based on the three risks. Compliance risk and the three major risks of banks are both different and closely related. The difference is that compliance risk is simply the risk or loss caused by the bank doing something it shouldn't do (illegal, unethical, etc.), and the bank's own behavior is more dominant.
The three major risks are mainly based on the risks or losses formed by internal and external environments such as customer credit, market changes, and employee operations. The external environmental factors are more accidental and irritating. The connection is that compliance risk is an important inducement for the existence and manifestation of the other three major risks, especially operational risk, and the existence of the three major risks makes compliance risk more complex and changeable and difficult to control, and their results are basically the same, that is, they will bring economic or reputational losses to the bank. In the past, commercial banks usually regarded compliance risk as operational risk and paid more attention to setting up checkpoints in business operation links and operators. However, the results were not effective. Operational risk still existed in large numbers among bank internal personnel and kept changing its methods. This shows that simply equating compliance risk with operational risk is incomplete and inaccurate. Although a large number of operational risks are mainly manifested in the operation links and operators, they are often caused by unreasonable operation links and lack of compliance awareness of operators. In most cases, bank compliance risk originates from the institutional decision-making level of the bank and managers at all levels, and often has institutional defects and upper-level colors. Therefore, in reality, even if the bank prevents the occurrence of operational risks of grassroots institutions and personnel, it may not be able to prevent the occurrence of compliance risks in the system or management. Therefore, special attention must be paid to compliance risk, because the harm and loss it causes are sometimes much greater than general operational risks. 

The necessity of establishing a compliance risk management mechanism

Compliance risk management refers to the bank's proactive avoidance of violations, proactive discovery and appropriate measures to correct violations that have occurred. Its job manual is also a cyclical process of continuous revision of relevant systems and corresponding practices. This compliance risk management process is the foundation and core of building an effective internal control mechanism for banks. According to the Basel Committee on Banking Supervision's definition of compliance risk, bank compliance specifically refers to compliance with laws, regulations, regulatory rules or standards. The three traditional types of risk, namely operational risk, credit risk and market risk, may cause losses to bank capital, but compliance risk mainly depends on whether the bank's business process is law-abiding or illegal. Some cases within banks that have been "exposed" in recent years just show that the "compliance culture" is superficial or absent in my country's banking industry, and the management concept of "compliance culture" has not yet permeated the daily management and decision-making of banks. Wang Huaqing, director of the Shanghai Regulatory Bureau of the China Banking Regulatory Commission, emphasized that the core of the current construction of the "compliance culture" of commercial banks is the construction of compliance mechanisms and the establishment of relatively independent compliance departments. It is necessary to change the long-standing extensive management routines, build a thorough "compliance culture" as soon as possible, and always adhere to the compliance judgment and decision-making in every detail and link of operation and management, so as to gradually form a new "compliance culture tradition" for the operation and management of commercial banks.
Most foreign commercial banks have compliance departments, whose responsibilities include identifying, monitoring, evaluating and reporting compliance risks, timely discovering and preventing risks and the damage caused by them; sorting out and integrating various rules and regulations of the bank, compliance training, participating in the organizational structure and business process reengineering of the bank, and providing compliance support for new products. For most domestic commercial banks, building a compliance risk management mechanism is a long and arduous task. The most obvious problem is that there is no separate compliance department, or its functions are shared by the audit department, legal affairs department or supervision department, and the specific functional positioning is limited to routine inspections in accordance with the requirements of the regulatory authorities, and there is no necessary preparation for how to establish an effective compliance system. Therefore, it is imperative for commercial banks to cultivate a "compliance culture" and establish a compliance risk management mechanism.

An effective way to build a compliance risk management mechanism

On April 29, 2005, the International Basel Committee on Banking Supervision released a high-level document entitled "Compliance and Internal Compliance Departments in Banks", which proposed 10 guiding principles for bank compliance management and the establishment of compliance departments. It can be said that this has established a standard for compliance management in the international banking industry. Compliance is a core risk management activity in the banking industry. A sound and effective compliance risk management mechanism is the basis for implementing risk-based supervision. Commercial banks can build a compliance risk management mechanism from the following five aspects.

1. Establish active compliance awareness and overcome passive compliance mentality.

Compliance is a basic internal requirement for the sound operation of the banking industry and an important part of banking culture. First, the concepts of compliance being everyone’s responsibility, proactive compliance awareness, and compliance creating value should be established among bank employees. This will remind employees of the need to review compliance risks when they come into contact with each business, and advocate proactive discovery and exposure of compliance risk hazards or problems so that timely rectification can be carried out. Second, compliance culture is supported by a set of systems, methods and tools, which requires banks to strengthen the post-evaluation of rules and regulations. Appropriate improvements should be made to business policies, behavioral manuals and operating procedures in response to the problems found, so as to avoid any similar violations and correct the violations that have occurred, and take necessary disciplinary measures against the relevant responsible persons. If compliance risks are discovered but concealed, once verified by the internal audit department or external regulators, those who concealed and failed to report must be punished more severely; and those who actively report problems or hidden dangers can be given lighter penalties, exemptions or even rewards depending on the circumstances. Third, the performance appraisal mechanism should be regarded as an important part of cultivating a compliance culture to fully reflect the value concepts of commercial banks in advocating compliant operations and punishing violations.

2. Formulate compliance policies and establish compliance departments.

The compliance department is an independent functional department that supports and assists the senior management of the bank to do a good job in compliance risk management.
The front-line business departments are directly responsible for compliance, and the senior management is ultimately responsible for the compliance operation of the bank. To build a compliance risk management mechanism for commercial banks, it is necessary to set up a full-time compliance department, and ensure that the compliance department can discover and investigate problems without interference, so that compliance personnel can participate in the reconstruction of the bank's organizational structure and business processes in a timely manner, so that the principle of legal and compliant operation can be truly implemented in every link of the business process and even every employee. At the same time, it is necessary to formulate and approve an effective compliance policy that conforms to the characteristics of commercial banks themselves. It is a programmatic document for the compliance risk management of banks; through practical experience accumulation, an effective operating mechanism for managing compliance risks and a good solution for managing operational risks can be explored. However, it must be made clear that the compliance department's work should not be used as an excuse for the bank's business departments and senior management to shirk their responsibilities. The compliance department must not become a "scapegoat" for the accountability of senior management and other departments.

3. Establish a reporting supervision mechanism.

In order to raise awareness among employees of operating in compliance with laws and regulations and controlling compliance risks, a reporting supervision mechanism must be established to provide employees with necessary channels and means to report violations and illegal acts, and to establish an effective reporting protection and incentive mechanism.

4. Establish a risk assessment mechanism.

We must establish and improve the risk identification and assessment system as soon as possible, earnestly learn from international advanced experience, actively use modern scientific and technological means, establish and improve a monitoring, assessment and early warning system covering all business risks, attach importance to early warning, and conscientiously implement the major default registration and risk warning system.

5. Establish the compliance risk management mechanism on the basis of "process bank".

We must completely break the "department bank" system that has been inherited for many years in a stable and closed market environment and during the planned economy period with a single financial product, break the departmental risk management model where each department is divided into sections and each department is responsible for a certain section, effectively avoid the phenomenon of each department acting independently and wrangling with each other, establish a unified closed process centered on customer needs, and optimize and streamline business processes based on the principle of serving customers well and controlling various risks including compliance risks.

III. Compliance Management

According to the definition in the "Trial Provisions on Compliance Management of Securities Companies", compliance management refers to the behavior of securities companies in formulating and implementing compliance management systems, establishing compliance management mechanisms, cultivating compliance culture, and preventing compliance risks. Compliance management is "a core risk management activity within the company". Compliance management departments can be divided into broad and narrow senses. In a broad sense, the compliance management department is a general term for the business lines and branches of the entire banking system that are responsible for performing compliance management duties.
In a narrow sense, the compliance management department is an independent functional department that identifies, evaluates, notifies, monitors and reports on the compliance risks of the bank. Compliance risk management is the common responsibility of the entire bank, and is not simply performed by the compliance management department itself. The role of the compliance management department is mainly to assist in the management of the bank's compliance risks. The compliance management department should actively identify and manage compliance risks in accordance with the compliance management procedures, and report in a timely manner according to the reporting route and reporting requirements of compliance risks. The compliance management department and the risk management department cooperate with each other in compliance management. The compliance management function is separated from the internal audit function, and the performance of the compliance management function is subject to regular independent evaluation by the internal audit department. The internal audit department is responsible for the compliance audit of various business activities of commercial banks. The internal audit plan includes an audit evaluation of the appropriateness and effectiveness of the compliance management function, and the risk assessment method of internal audit should include an assessment of compliance risks.

4. Compliance Culture

The compliance culture of a bank is a definition of how banks can manage compliance risks based on the compliance risks stipulated in the Basel Accord. The construction of a compliance culture is part of compliance risk management and also part of corporate culture construction. If compliance risk management is regarded as part of corporate culture construction, then compliance risk management will stagnate in the field of awareness, which is not conducive to the risk prevention of banks.
If the entire bank strictly abides by high standards of ethical behavior, then the management of compliance risks of the bank will be most effective. The board of directors and senior management should take a series of measures to promote the construction of the bank's organizational culture and encourage all employees, including senior management, to comply with laws, rules and standards when conducting banking business. When establishing an internal compliance department, the bank should follow the principles set forth in this document, and the compliance department should support the management department in promoting a vigorous and dynamic compliance culture based on professional ethics, thereby promoting the formation of an efficient corporate governance environment. Banks are typical risk management enterprises. Their risk management characteristics determine that the bank's business activities are always accompanied by risks, and its business process is the process of managing risks. This requires banks to change their extensive management routines and establish a complete set of professional behavioral norms and methods to effectively manage various risks. In addition, a strong compliance culture must be formed within the bank to ensure that everyone complies with the regulations. All employees must have sufficient professional prudence, personal integrity and integrity, as well as good risk awareness and behavioral norms. The bank must have a clear responsibility and accountability system, as well as corresponding incentive and constraint mechanisms, to form an atmosphere in which all employees are naturally responsible for their professions and positions, and gradually form a new compliance culture for the operation and management of China's banking industry. This is itself the process of building a compliance risk management mechanism for banks. The formation of such a compliance culture is crucial for the effective management of banks. 
The main characteristics of an efficient compliance culture are that employees have a good grasp of the laws, regulatory provisions, rules, and relevant departmental guidelines formulated by the Trust Industry Association applicable to trust companies, as well as the code of conduct applicable to the trust company's own business activities, and are highly sensitive to violations. It requires compliance awareness to run through the behavior of all employees of the company and become a conscious and inevitable code of conduct. The company's board of directors and senior management should show all business departments and management departments that they attach importance to compliance and sound operations and bear ultimate responsibility, and at the same time require business departments and management departments to bear direct responsibility for compliance operations. Department managers should take the initiative to ask the company's board of directors and senior management for the reasons for expanding management and investment authority. The establishment and changes of financial accounts and the use of large amounts of funds should be handled in accordance with operating procedures. Employees in compliance positions should perform their duties diligently, have sufficient experience and the courage to "dare to pull down the emperor at the cost of their lives". With the means given by the company, they should actively and independently analyze and inquire about the risks of an act, adhere to principles and report the analysis of violation risks to relevant departments and leaders, so as to deprive the risk from the act. Trust business managers and general employees of management departments should also perform their duties and "fight for land" in the process of controlling risks. Only by forming a compliance culture that integrates top-down and bottom-up operations and is fully implemented can the flag of compliant operations fly high. 
Compliance means that the activities of a trust company are consistent with applicable laws, regulatory requirements, rules, relevant department guidelines formulated by the Trust Industry Association, and the code of conduct applicable to the trust company's own business activities. Compliance risk refers to the risk that a trust company may suffer legal sanctions or regulatory penalties or major financial losses due to its failure to comply with compliance laws, rules and guidelines. Compliance risk is an important inducement for the generation or formation of other risks in trust companies. Compliance is a risk management activity within trust companies. The process of compliance risk management is the foundation and core of trust companies in building an effective internal control mechanism. Only on the basis of effective compliance risk management can trust companies manage other related risks such as operational risk, market risk, credit risk, etc. more effectively, and the highest level of compliance risk management should be to establish a compliance culture. Trust companies should advocate and cultivate their own compliance culture and regard compliance culture as an important part of the corporate culture of trust companies.

V. Responsibilities of the Compliance Department

1. Assist the leadership in building the company's compliance management system, formulate and revise the company's compliance manual and other compliance risk management rules and regulations;
2. Draft the annual compliance management plan;
3. Proactively identify, assess, monitor and report compliance risks;
4. Responsible for the formulation of specific compliance work plans to ensure the smooth implementation of compliance work;
5. Draft compliance reports;
6. Participate in the development of new products, identify and assess compliance risks, and provide compliance support;
7. Investigate and handle violations and draft decisions on handling violations;
8. Sort out the company's internal control processes and put forward relevant improvement suggestions;
9. Review the company's internal management system and business procedures, and provide compliance improvement suggestions;
10. Carry out anti-money laundering related work;
11. Organize compliance training and provide compliance consultation to company employees;
12. Follow up the changes and developments of laws, regulations, supervisory requirements and industry self-regulatory rules, and propose suggestions for the formulation or revision of the company's internal rules and regulations in accordance with their relevant requirements;
13. Other work assigned by the leader and other related assistance.