How to get the best from your Compliance Monitoring Plan
- Adempi
- Apr 24
As a regulated firm you’ll be well aware of the FCA’s gargantuan handbook which sets out the rules that govern how you conduct your business. If printed out in paper form you’re apparently looking at 10,000 pages with multiple rules on each of those! Thankfully, for most firms, the scope is a magnitude less than this.
One of those rules, tucked away in the Systems and Controls 6 sourcebook, requires that a firm should monitor and, on a regular basis, assess the adequacy of its risk mitigation measures, policies and procedures, and the actions taken to address deficiencies in the firm’s compliance with its obligations. This is effectively facilitated via a compliance monitoring plan, or CMP for short.
Monitoring challenges

There can be a number of challenges when implementing a robust CMP for the coming 12 months. For smaller, less complex organisations the plan should aim to review every regulatory policy area at least once, with perhaps ‘live’ areas receiving more frequent scrutiny. An example of this would be the various registers that have to be maintained, including the risk register, conflicts of interest register and gifts and hospitality register which would all warrant perhaps quarterly review. The purpose of this is to pick up early on any recording or policy adherence issues and not have these accumulate across a year if otherwise left, leading to potential breaches.
For larger, multi-departmental, jurisdictional or product-focused firms, compliance resources may preclude review of every single regulatory element within the business over the 12 months. On this basis the challenge is to determine what to look at and when. This can be achieved by taking a risk or theme-based approach to business activities, informed by metrics based, for example, on previously assessed risks, reported breaches and errors, complaints, departmental requests, new product lines, regulatory changes, and audit findings, to name but a few.
In all cases, a firm’s Board should ordinarily approve the approach of the CMP and be made aware on a periodic basis of progress, and for risk and thematic-focused plans, any changes that are required during the year.
Carrying out the CMP
Underlying the areas marked for review in the CMP will be specific tests to determine if the regulatory obligations for that area are being complied with by the firm, or to flesh out suspected issues. The tricky part here for a lot of firms is ensuring that the testing gets to the heart of what the firm actually does versus what the firm should be doing in accordance with the rules. More often than not, especially for smaller firms without dedicated compliance resources, the testing is light touch and is not framed to really understand whether any issues exist; where they do, they may ultimately manifest as material breaches, leading to client detriment and the attention of the FCA.
It is therefore quite common to see firms outsource the task of this monitoring to specialist third-party compliance consultancies, much as they would for, say, fund administration duties, albeit the ultimate responsibility for compliance remains with the firm’s authorised compliance officer (SMF16). Even where a compliance function exists, the assurance provided from expert overview means that the directors have one less thing to worry about in the long run.
To maintain a good audit trail, a subsequent report outlining the testing should be prepared, including the findings and proportionate actions to address any issues. The timescales for completing these actions should be realistic, and this is where it is key for Board involvement to ensure items are not missed, forgotten, or inadequately fixed.
Prior to beginning any new CMP period, it shouldn’t just be assumed that the existing CMP will be fit for purpose, and so it must always be reviewed to remove, add, and adjust areas and tests as appropriate based on the position of the business at that point in time.
How we can help
Adempi is an FCA compliance consultancy and provides support with compliance monitoring. Our work ranges from undertaking the monitoring on your behalf so your firm easily stays up to date with its obligations, to reviewing the robustness of the tests you have in place. To help build confidence that you are meeting FCA expectations, we can also train your team on how to undertake compliance monitoring or provide feedback on the outcome of your internal testing.
To speak to one of the team about compliance monitoring, you can reach us at contact@adempi.co.uk or on 0203 925 4761.