The term “forensics compliance” came to light in 2006/07 in a letter sent by the US Securities and Exchange Commission to chief compliance officers (CCOs), with examples of how to perform forensic testing. The objective of the letter was to recommend an approach for CCOs to evaluate the effectiveness of their firms’ compliance programmes.
The letter suggested five main themes.
While the above are five basic themes, we want to help our readers understand what makes a forensics compliance programme different. Let me begin by including this quote:
A firm’s CCO is always on the lookout to detect, avert and correct potential and existing non-compliance. A CCO’s role is even more pivotal in a forensic context, as a CCO needs to understand whether the existing surveillance mechanism has the potential to address organisational risk. Surveillance programmes in some firms are outdated in terms of current thresholds and regulatory expectations. Now, more than ever, organisations are exposed to higher compliance risk and hence, CCOs need to be proactive and have an effective risk management system in place. This would involve identifying a firm’s risk appetite, efficient risk mapping, and hedging strategies. We cannot mitigate risks until we know whether they exist or not. A forensic programme assists a firm by clearly demarcating the applicability of certain risks, by detailing facts and evidence as to why a particular risk does not apply to that particular firm. This approach helps organisations tailor their strategies on an ongoing basis.
Consider a scenario where a forensic review states that a particular risk applies to your firm: in these circumstances, forensics supports you with an in-depth review of the risk limits, not just by making the firm aware of the scope and impact, but also by helping to identify whether this risk needs ongoing monitoring. Conditions relating to the review findings framework and methodologies are established to actively assess and mitigate these risks.
The term “third-party solutions” has increased in use in recent years, especially in the field of compliance, and a CCO may seek a plug-and-play solution in the market to address the risk. However, most third-party solutions are not created using the data sources available within the firm but are built based on rules that market participants have used. While this may seem like an ideal approach, it is imperative to first evaluate whether this risk applies to a firm before making an investment. Many firms have acquired third-party solutions for which they do not have a corresponding risk; a forensic analyst would have first assessed whether this risk is even applicable to the firm.
While the above tests may be conducted to address an existing risk, risk evolves on a daily basis and to capture this, we would need to look at things differently, including risk alerts issued by regulators. Regulators send out risk alerts on an ongoing basis to help firms understand what they see during their examinations or in the market. Capturing this is key, as the alerts would enable CCOs to keep abreast of risks faced in the market and help the regulators test whether that particular risk applies to the firm.
Using data to your advantage is key to a forensic review and is what makes it different from ongoing surveillance. Connecting data from different sources identifies patterns, which broadens a CCO’s view and allows data to be compared and benchmarked. While performing daily surveillance, our focus narrows to pre-checks and timely completion, which leads to tunnel vision. Such a surveillance mechanism would not make clear whether the underlying risks sit with certain employees or extend to whole departments.
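As an added illustration of the point above (this is example code written for this article, not an Acuity tool or method), the snippet below joins a surveillance exception feed to a second data source, an HR org chart, so that exceptions can be viewed per department and per head rather than as a flat list. The exception records, employee ids, rule names and departments are all constructed sample data; the 60% share threshold used to call a pattern "individual" rather than "departmental" is an assumption for the example, not a figure from the post.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample input (hypothetical, not taken from the post): exceptions raised
# by an existing daily-surveillance tool. On its own this feed only says *who* tripped
# a rule, which is the tunnel vision described in the text.
EXCEPTIONS: List[Tuple[str, str]] = [
    ("E01", "late_trade_report"), ("E01", "late_trade_report"), ("E01", "pre_clearance_missing"),
    ("E01", "late_trade_report"), ("E01", "pre_clearance_missing"), ("E03", "late_trade_report"),
    ("E04", "gift_over_limit"), ("E04", "gift_over_limit"), ("E05", "gift_over_limit"),
    ("E05", "attestation_overdue"), ("E06", "gift_over_limit"), ("E06", "attestation_overdue"),
    ("E07", "attestation_overdue"),
    ("E99", "attestation_overdue"),  # constructed: employee absent from the HR extract
]

# Constructed second data source: an HR extract mapping employee id -> department.
ORG_CHART: Dict[str, str] = {
    "E01": "Trading", "E02": "Trading", "E03": "Trading",
    "E04": "Ops", "E05": "Ops", "E06": "Ops", "E07": "Ops",
    "E08": "Research", "E09": "Research",
}


def exceptions_per_employee(exceptions: Iterable[Tuple[str, str]]) -> Counter:
    """Count exceptions per employee id."""
    return Counter(emp for emp, _rule in exceptions)


def exceptions_per_department(exceptions: Iterable[Tuple[str, str]],
                              org_chart: Dict[str, str]) -> Counter:
    """Join the exception feed to the org chart and count per department.

    Employees missing from the HR extract are bucketed as 'UNMAPPED' so the
    join itself surfaces a data-quality gap instead of silently dropping rows.
    """
    return Counter(org_chart.get(emp, "UNMAPPED") for emp, _rule in exceptions)


def classify_department(dept: str, exceptions: List[Tuple[str, str]],
                        org_chart: Dict[str, str], share_threshold: float = 0.6) -> str:
    """Decide whether a department's exceptions point at one individual or at the
    department as a whole.

    Returns 'none' (no exceptions), 'individual' (one employee accounts for at least
    share_threshold of the department's exceptions) or 'departmental' (spread out).
    The threshold is an assumed tuning value for this example.
    """
    per_emp = exceptions_per_employee(
        (emp, rule) for emp, rule in exceptions if org_chart.get(emp) == dept
    )
    total = sum(per_emp.values())
    if total == 0:
        return "none"
    _top_emp, top_count = per_emp.most_common(1)[0]
    return "individual" if top_count / total >= share_threshold else "departmental"


def exceptions_per_head(exceptions: List[Tuple[str, str]],
                        org_chart: Dict[str, str]) -> Dict[str, float]:
    """Normalise department counts by headcount so a large department is not
    flagged simply for being large. Departments with no exceptions appear as 0.0."""
    heads = Counter(org_chart.values())
    per_dept = exceptions_per_department(exceptions, org_chart)
    return {d: per_dept.get(d, 0) / heads[d] for d in heads}


def above_firm_benchmark(exceptions: List[Tuple[str, str]],
                         org_chart: Dict[str, str]) -> List[str]:
    """Departments whose per-head exception rate exceeds the firm-wide rate.

    Only exceptions that map to a known employee enter the firm-wide rate, so the
    UNMAPPED bucket cannot distort the benchmark.
    """
    mapped = [e for e in exceptions if e[0] in org_chart]
    firm_rate = len(mapped) / len(org_chart)
    rates = exceptions_per_head(exceptions, org_chart)
    return sorted(d for d, r in rates.items() if r > firm_rate)


if __name__ == "__main__":
    print("per department:", dict(exceptions_per_department(EXCEPTIONS, ORG_CHART)))
    for dept in sorted(set(ORG_CHART.values())):
        print(f"{dept}: {classify_department(dept, EXCEPTIONS, ORG_CHART)}")
    print("above firm benchmark:", above_firm_benchmark(EXCEPTIONS, ORG_CHART))
```

With the constructed data, Trading's six exceptions are almost all attributable to one employee (an individual pattern), Ops' seven are spread across four people (a departmental pattern), and Research has none; the UNMAPPED bucket shows that one exception could not be joined to the org chart at all, which is itself a finding a forensic review would chase before drawing conclusions.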
To conclude, I would like to highlight that forensic analysis does not refer to a compliance team reviewing hundreds of exceptions, but reviewing and addressing one risk at a time. As mentioned in my previous blog, a forensic review is not a one-time solution; it is an ongoing effort to help a firm meet regulatory requirements, fiduciary responsibilities, and client expectations. We factor in global risks to institutions and create local solutions for a robust and effective compliance framework. The forensic approach evolves from regulation and enforcement action to an effective suite of solutions to risks otherwise unaccounted for.
Acuity Knowledge Partners’ solution
We aim to create an approach that develops controls that are dynamic, robust and proficient, to address risk at all levels of a firm. We are experienced in identifying and reviewing gaps in compliance programmes, meeting regulatory requirements and providing unique solutions with the help of our state-of-the-art technology.
With our focused set of offerings in the areas of forensic analysis, compliance testing, monitoring programmes, risk trend analysis and risk mitigation, we customise and design reviews dedicated to your firm’s risks, keeping the latest regulatory expectations in mind. We offer a well-thought-out approach — from initial analysis to end documentation and recommendation — to provide you with a holistic view of your business’s risks and how to safeguard it.
About the Author
Manish Mohan Raj, Delivery Manager, Forensic Compliance, is the delivery manager and subject matter expert for the forensic compliance practice. He has over 8 years of experience in the financial services industry. Prior to joining Acuity Knowledge Partners he worked as an associate with Goldman Sachs — GSAM Compliance. He was part of the global forensics team and was part of the marketing and portfolio management compliance team. Manish was also part of the controls management team for the asset & wealth management team at JP Morgan and was part of the HSBC KYC remediation team for multiple lines of business.