BRIEFING PAPER FOR HEAD OF COMPLIANCE AND THE BOARD OF GLOBO Subject: The importance of Monitoring Compliance and the adoption of Risk Based Approach (RBA) in the implementation of a robust monitoring programme. Summary This paper is mentioning the importance of monitoring compliance with the firm’s operational procedures and regulatory requirements as well as the consequences if the monitoring is not carried out.
Furthermore, this paper also discusses the approach and practical steps as a Compliance Monitoring Manager to develop and implement a robust monitoring programme which able to bring a meaningful report to the senior management team. (a) The importance of monitoring compliance with Globo’s operational procedures and regulatory requirements The importance of monitoring compliance with Globo’s operational procedures and regulatory requirements is to mitigate the potential risks like risks of fraud, terrorist financing, money laundering and cyber and security risk. Those risks indirect bring the risk of operation risk, legal risk, reputation risk and could make a bad impact to Globo as well as jeopardise the return and customers confident towards Globo in short and long term. Steffen Ruigrok (2017) argues the importance to meet the KYC requirements in order to identify potential fraud, terrorist financing and money laundering.
Failure to comply with the KYC requirements will bring a bad damage to the reputation of the bank, fines and disallowed from providing certain services and products. A robust KYC mechanism including crossing check customer against the internal and external database to identify subject is falls under blacklisted listing, sanctions listing, local and foreign PEP/RCA, materials adverse news and other high risk factors such as geography with deficiency on AML/CFT control and high risks business like money changing business. It is vital to continue monitor and update the KYC requirements according to the latest development and apply with the bank’s risk appetite and ensure the KYC on-boarding and KYC on-going review are constantly meet with local and international regulatory requirements. Julie Knudson (2017) also argues that cyber and security risk are the main risk in the bank and may cause financial loss and operation risk to the bank. Most of the bank is relying on third party vendor on the technology infrastructure such as upgrading and maintenance of the system. However, the bank shall have an experience and expertise team to oversee and surveillance the vendors as well as the technology infrastructure in the bank in order to ensure the bank is complying with the regulatory requirements and avoid any operation issue due to the failure of the technology infrastructure such as failure of the internet banking services and ATM.
The bank shall ensure the vendors are complying with the code of conduct of the bank and conduct at least once in a year to assess the competency of the vendors. Furthermore, Wanna Cry ransom is a new threat to the bank. Thomson Reuters (2017) claimed WannaCry ransom has spread internationally with the main purpose of extortion and especially Russia was badly impacted by the attack. The virus causes the banking system in Russian paralysed. Russell Brandom (2017), Ransomware attack and spread worldwide in 2017 has affected several industries such as banking and airlines industry and cause a bad damage to it such as failure in baking operation such as infection of ATMs.
The virus is spread via emails. Hence bank staffs shall be educated to be vigilant by not attending to the unknown email and attachments to avoid any unknown cyber viruses spread in the banking system. Furthermore, the bank shall conduct annual refresher on IT security training to all the staffs to educate the staffs. In the event the banking systems are infected by the virus, the bank will face the issue of breaching the PDPDA and leaking or exposure confidential information of the customers. The bank shall ensure the data of the customer information is keep and encrypted with high security in order to avoid leakage of customers’ personal information and breach of PDPDA It is vital to have strong corporate governance in the bank. The compliance strategy for Globo is to ensure the adequacy of the policies and procedures to meet the development of Malaysia and international regulatory requirements.
The governance of the compliance framework shall ensure the role of the 3 lines of defence (first, second and third) are in place. Business Units are the first lines of defence, Compliance is in the second line of defence and internal auditors are the third lines of defence. Brian Tayan (2016) stated the case of Wells Fargo is one of failure of corporate governance illustrations and the cross-selling scandal caused around 5,300 workers has been terminated within 5 years, huge financial fines, loss of the confidence towards the bank’s product and services by customers as well as damage of the bank reputation. The Star (2015) claimed RM53.7 mil fined on Ambank Group by Bank Negara Malaysia for the breaching of S.234 of Financial Services Act 2013 and S.245 of Islamic Financial Services Act.
The bank required to allocate RM25 million per year for consecutive of the 4 years in staff training mainly on AML as well as restructure and enhance the corporate governance. MAS (2016) demonstrated the violation of regulatory requirements would cause a financial penalty as well as revoke of the license. For instance, BIS Bank forced to close down and the Boards and Senior Management are personally liable for the violation of MAS
