Compliance Risk Assessments Components and Trends FIRMA March

Compliance Risk Assessments: Components and Trends
FIRMA, March 28, 2012, 1:15 – 2:15 PM
Patricia A. Hackett, Esq., The PNC Financial Services Group, Inc.

Table of Contents
§ Framework
§ Components
§ Trends

Compliance Risk Assessments: Framework
(Cycle diagram: Identify, Assess, Monitor, Report, Track)
§ Identify: Review monitoring results and inputs from the business, Regulators, Internal Audit, etc.
§ Assess: Determine Inherent Risk; evaluate Quality of Risk Management; create recommendations and document controls. Complete annually; review periodically.
§ Monitor: Risk mitigation activities (Metrics, Issues, Training, etc.). Implement risk mitigation activities and monitor results. Re-evaluate and update periodically.
§ Report: Compliance Metrics, Issues, Risk Assessment Results. Periodically report results that assess the compliance risk component of the firm’s operational risk profile to Business Risk Committees and executives.
§ Track: Track completion of monitoring events and other identified activities. Track recommendations to be completed to monitor and/or improve the Quality of Risk Management.

Compliance Risk Assessment Components: Definition
§ Compliance Risk: The risk of legal or regulatory sanctions, material financial loss, or loss to reputation a firm may suffer as a result of its failure to comply with laws, regulations, rules, related self-regulatory organization standards, and codes of conduct applicable to its financial services activities. (Basel Committee on Banking Supervision)
§ Reminder: The business “owns” the risk.

Compliance Risk Assessment Components: Analysis
INHERENT RISK – QUALITY OF RISK MANAGEMENT = RESIDUAL RISK
§ Inherent Risk: The level of uncontrolled risk, combined with the likely impact of a compliance violation, based on the firm’s business activities, before the firm applies any controls or undertakes risk management activities.
§ Quality of Risk Management (QRM): Factors in the institution’s controls and mitigants (consider whether they are manual or automated, the complexity of the process, etc.).
§ Residual Risk: What is “left over” after QRM is applied to Inherent Risk.

Compliance Risk Assessment Components: Factors
(Diagram; no text recoverable)

Compliance Risk Assessment Components: Example Risk Categories
§ EXAMPLES OF ROLL-UP CATEGORIES: CHOICES AND COMPLEXITY ARE DEPENDENT UPON THE INSTITUTION AND ITS ACTIVITIES
§ Client: Fairness; Marketing Disclosure; Suitability; Charges and Pricing; Client Assets; Valuation; Real Estate Settlement; Client Confidentiality; Conflicts of Interest; Credit Reporting; Debt Collection; Complaints; Dispute Resolution; Business Practices
§ Trading: General Administration – B/D Activities; Insider Trading – Investment, Research; Investments and Variable; Trading and Sales; Underwriting Activities; Central Clearing and Settlement
§ Trust Administration: Personal; Pension/Retirement; Institutional
§ Administrative: Education; Regulatory Reporting; Registration and Licensing; Affiliate Transactions; Insider Lending; Conflicts of Interest; Information Security and Confidentiality; Vendor Management; Record Retention
§ AML: CIP; Transaction Monitoring; Sanctions; Other Financial Crime

Compliance Risk Assessment Components: Purpose
§ Determines the compliance risk profile for the enterprise and business units at a particular point in time, and on an ongoing basis.
§ Ensures businesses work towards, achieve and maintain a “strong” compliance risk management environment.
§ Identifies and quantifies risks applicable to an institution’s business activities, especially those that require immediate action by business unit management.
§ Assesses the effectiveness of controls designed to mitigate compliance risks.
§ Identifies emerging compliance risks on the foreseeable horizon.
§ Identifies instances where residual risks can be mitigated through strengthening of controls and identification of alternative control methods.
§ Provides effective reporting to senior management regarding significant, current, and emerging compliance risks.

Compliance Risk Assessment Components: Players
§ Compliance Personnel:
  – Define roles and responsibilities (analysis and data input, review, approval)
  – Potentially develop junior employees
§ Others to Involve Early in the Process:
  – Enterprise/Corporate Compliance: to ensure consistency across business units
  – Compliance Testing and Internal Audit: for agreement and buy-in
§ What about the business?

Compliance Risk Assessment Components: The Business
§ How involved should the business be in the process?
§ When should the business be brought into the process?
§ How to respond to push back from the business?
§ Who owns follow-up?
§ Tension and Balancing: The risk assessment should be independent, with business input and buy-in, since the business owns the risk.

Compliance Risk Assessment Components: The Business (Responsibilities)
§ Providing data, information and support.
§ Accepting responsibility for controlling compliance risks to acceptable levels.
§ Developing mitigation plans, facilitated by Compliance.
§ Ensuring timely response to compliance issues.
§ Identifying alternative control strategies that might be more effective or efficient, especially in areas where compliance risks are high or growing quickly and control processes are highly reliant on manual controls.
§ Identifying new or heightened compliance risks that are likely to emerge on the foreseeable horizon and reporting them to Compliance.

Compliance Risk Assessment Components: Summary of Process
(Diagram; no text recoverable)

Compliance Risk Assessment Components: Getting Started
§ Determine Risk Assessment Scope:
  – Inventory Business Units (complexity dependent on the size of the institution):
    § Facilitates risk-based allocation of resources for compliance control; and
    § Satisfies requirements for risk assessments by legal entity.
  – Inventory compliance obligations (e.g. laws, regulations, codes of conduct, etc.):
    § Group obligations into standard, broad categories and subcategories.
    § Leverage Operating Risk and/or other areas.

Compliance Risk Assessment Components: Getting Started (continued)
§ Gather background data:
  – Business Risk Profiles/Quarterly Risk Reports
  – Key Management Reports
  – Minutes from appropriate Board and management committees
  – Key Business Initiatives
  – Operational/Strategic Plans
  – Prior Internal Audit Reports
  – Regulatory Exam Reports
  – Consumer Complaint Reports
  – External Audit Reports
  – Industry reports/trends, economic considerations, and market developments

Compliance Risk Assessment Components: Calendar
Example Timeline:
§ Prepare Assessment: January to early March
§ Meet with Business: March to early April
§ Governance Roll-up: April to early May

Compliance Risk Assessment Trends: Frequency
§ Compliance Risk Assessments are an ongoing activity, not a static process.
§ Conduct the full Compliance Risk Assessment process annually.
§ In addition, periodically (e.g. a minimum of two times each year), Compliance consults with the Business and updates inherent risk ratings, control effectiveness ratings and the resulting residual risk ratings.
§ What would lead to an update? Changes in compliance obligations, business activities, regulatory emphasis, and other factors that cause compliance staff to reconsider their past judgments.

Compliance Risk Assessment Trends: Results
§ In light of potential business resistance to risks identified as “high”, emphasize that the Compliance Risk Assessment results are not intended to be “Scorecards.”
  – They are the primary driver for our compliance activities at the enterprise and business level.
  – They support the allocation of resources to manage compliance risk within tolerances set by the Board and senior management.
  – Encourage a collaborative approach to Compliance in order to prioritize and review the institution’s compliance risks.
  – View results as an enhancement opportunity.

Compliance Risk Assessment Trends: Reporting
§ Provide business management and governance committees a summary (audit trail) of agreed-upon findings:
  – Tailor data presentation and level of detail to the forum and audience.
  – Circulate draft reports to senior management in advance (both business-level and aggregate/roll-up reports).

Compliance Risk Assessment Trends: New Rules & Regs
§ When to include a new rule/reg in the analysis?
  – ERISA 408(b)(2)
  – Broker-Dealer Fiduciary Standard
  – Dodd-Frank Swaps Rules
  – CFPB
§ How to analyze/characterize a new/pending rule?
  – If still working on implementation elements, rate as “Needs Improvement”?
§ Coordinate the regulatory change process and the Compliance Risk Assessment:
  – At hand-off, confirm where/how the new rule is to be analyzed.

Compliance Risk Assessment Trends: QRM
§ Consider manual vs. automated solutions: systems that are not integrated across multiple businesses lead to manual processes and an increased risk of error.
§ Coordinate the Compliance Risk Assessment with Key Risk Indicators, Monitoring and Mitigation activities.
§ Consider including a “strong” rating to demonstrate areas of strength (new expectations of regulators).
§ Include more “subjective” assessment categories such as “Culture of Compliance.”

Compliance Risk Assessment Trends: Value Add
§ Identification and assessment of compliance risks are core elements of an effective, independent compliance function and a key component of effective, enterprise-wide compliance risk management.
§ The importance of compliance risk assessments was made clear by regulatory guidance:
  – New compliance obligations proliferate.
  – Regulatory and other agencies have increased their scrutiny of bank compliance.
  – “Satisfactory” is not sufficient for large, complex organizations. “Strong” compliance risk management is the minimum standard.

Questions and Answers

Contact Information:
§ Patricia A. Hackett, Esq., Vice President, Compliance Group Manager
§ The PNC Financial Services Group, Inc., Two PNC Plaza, 620 Liberty Avenue, 26th Floor, Pittsburgh, PA 15222
§ Phone (412) 768-6888, patricia.hackett@pnc.com
THANK YOU!