2024 compliance monitoring examination feedback
2024 compliance monitoring examination feedbackExecutive summary
Compliance monitoring is how registered and supervised persons assess their own adherence to applicable legislative and regulatory requirements and test the effectiveness of the corresponding controls in place. We set out our expectations relating to compliance monitoring in our guidance note, which is published on our website.
Overview of the thematic examination
Our compliance monitoring thematic examination evaluated adherence to key elements of Principle 3 of the sector-specific codes of practice and section 2 of the AML/CFT/CPF handbook. Specifically, we assessed how firms:
- tested compliance with internal policies, procedures, and applicable legal and regulatory requirements
- verified the effectiveness and implementation of systems and controls
- took timely and appropriate action to address identified deficiencies
Compliance monitoring was selected for review due to recurring findings in both financial crime and thematic examinations despite previous feedback issued following a similar thematic in 2019-2020.
Firms were required to submit their compliance monitoring plans and details of all testing conducted during the review period. For each firm, we selected eight tests covering both conduct and financial crime controls. We also reviewed supporting documentation, including board minutes, risk assessments, compliance policies and procedures, and records of any identified issues and remediation efforts.
All firms received direct feedback. Where deficiencies were identified, firms were required to submit formal remediation plans outlining corrective actions and timelines.
Key findings
Overall, our thematic examination showed a good level of compliance with the obligations relating to compliance monitoring with no key trends identified. Consequently, firms in the main were seen to be monitoring, managing and mitigating their risks effectively.
Areas where we identified the most findings were in relation to internal systems and controls specifically:
- ineffective testing: we identified incomplete tests or issues not being identified during testing
- inadequate policies and procedures: they lacked sufficient detail in relation to how compliance monitoring was to be developed, approved, delivered, reported and/or how remediation should be actioned
- inadequate and/or inaccurate records: mainly pertaining to board minutes and compliance monitoring reporting
When compliance monitoring is ineffective, weaknesses in a firm’s control environment may be missed or overlooked and the board may not have an accurate understanding of the level of risk present in the business. This increases the risk of non-compliance with legal and regulatory obligations and may result in a conduct risk crystalising or an increased risk that the business may be involved in facilitating financial crime.