Compliance and Risk Management groups within Financial Services organizations are responsible for setting up and managing an effective compliance program, which covers:
Establish and adopt written policies, procedures, and standards of conduct
Establish oversight of the compliance program
Provide staff training and education
Compliance programs are set up for:
Risk Identification
Identify the different types of risk an organization may face, e.g. a fraudulent customer, or a customer engaging in activities that are not permitted.
Risk Analysis
Analyze the impact of each risk on the organization, e.g. would it result in non-compliance with laws or with generally accepted business practices? Could it result in closure of the business, censure and fines, or loss of business?
Response Planning
Based on the analysis, determine the appropriate response: flag the risk for review and approval, decline the business, or take some other action.
Risk Mitigation
If the risk is directed to review and approval, what steps may be taken to mitigate it?
Risk Monitoring
Risk is not static. If it can change over time, should it be monitored periodically, and at what frequency?
Regulatory authorities are expanding the scope of their compliance oversight.
Examples are:
GDPR – General Data Protection Regulation
PCI DSS – Payment Card Industry Data Security Standard
SOX – Sarbanes Oxley Act
GLBA – Gramm-Leach-Bliley Act
PSD2 – Revised Payment Services Directive
Basel III
NYDFS – New York Department of Financial Services Cybersecurity Regulation