On February 8, the US Department of Justice (DOJ) released its latest guidance on corporate compliance programs, the first formal guidance issued by the Fraud Section since President Trump took office on January 20. This latest document includes sample questions that might be asked of compliance departments and legal staffs when an investigation is launched and the “Filip Factors” are triggered.
Several of the questions are particularly relevant to Chief Compliance Officers of financial services firms as they think about their compliance processes:
1) Funding and Resources – The DOJ is interested in knowing how resource allocations have been made in the past, and in particular, whether or not Compliance and/or relevant control functions have requested resources that have been denied due to budgetary constraints.
Our takeaway: Firms should never settle for less than, or shy away from, adequate spending on compliance and control functions. The very best solutions are required to protect the firm’s reputation, assets and clients.
2) Approval/Certification Process – The DOJ wants to know how approval/certification personnel decide what misconduct to look for, and which occurrences of misconduct they choose to escalate.
Our takeaway: A robust technology solution can help compliance staffs easily and automatically establish and monitor complex workflows. Reviews of all data inputs can then be conducted in real time against firm policies and business rules, and compliance staff can be notified proactively when potential misconduct occurs and is escalated according to the configuration of their specific dynamic workflows and priorities.
3) Information Gathering and Analysis – What metrics or information has the firm been collecting in relation to the misconduct in question? How has that information informed the firm’s compliance program?
Our takeaway: Data collection is only one part of a strong corporate information/data regime. Data integrity (breadth, depth, and accuracy) should also be a paramount concern to ensure that anything collected by the firm is accurate and complete. Only then can Compliance be confident that they are able to identify all or most possible misconduct.
4) Effectiveness of the Reporting Mechanism – How has the company collected, analyzed and used the information from its reporting mechanisms? Has the Compliance function had full access to reporting and investigative information?
Our takeaway: Too many Compliance teams still do not have full access to their data for their reporting function, creating operational inefficiencies and crippling their ability to mitigate risk. When Compliance staff are at the mercy of oft-overtasked and backlogged IT and Operations departments in order to run reports or access critical data, the Compliance team’s ability to respond to issues in real time is severely hampered.
5) Evolving Updates – How often has the company updated its risk assessments and reviewed policies, procedures and best practices? What steps have been taken to ensure suitability for particular business segments/subsidiaries?
Our takeaway: Firms should be reviewing their policies, procedures and best practices regularly. More importantly, once this review has taken place, Compliance teams must ensure that their systems are agile enough to implement changes to workflows, operational processes and firm-wide procedures. Using a dynamic technology solution makes policy changes far quicker and easier to implement and manage centrally.