ACAMS Today, September-November 2023 | Page 87

Compliance practitioners have long sought to implement compliance monitoring and testing functions. But what does that mean in today's data-driven world, where customer onboarding and transactions occur at the speed of a click, blurring the boundaries of what is real and what is virtual? Compliance professionals cannot fall into the proverbial trap of implementing a quality assurance or quality control function and thinking it meets what is necessary today in our rapidly evolving digital world. Rather, a new framework for compliance monitoring and testing needs to be developed. Such a framework should not just incorporate data but rather embrace data as a foundational element. The digital revolution has provided criminals with new avenues with which to exploit financial systems for illegal activities, so the framework needs to continue to evolve to answer the question, "What does my data tell me about my state of compliance and the effectiveness of my compliance risk management efforts?"

When thinking about this new framework, it is helpful to consider the three lines of defense (3LoD):
1. Line of business
2. Compliance risk management
3. Internal audit
Because internal audit has its own unique set of standards and requirements, our focus will be on the first two lines of defense.
The first line of defense (1LoD): Line of business
The 1LoD is the starting point for establishing business relationships. A great deal of data must be captured to define and support that relationship. The 1LoD needs to align the business and compliance requirements. Then the question is, "What data elements captured to support the business relationship are necessary to also support the regulatory requirements?" And if they are not sufficient to support compliance, it must be determined which additional data elements are needed, how they will be captured, and from where.
The digital revolution has also created unprecedented volumes of data, making traditional anti-money laundering (AML) compliance methods inadequate. So, the first essential part of an effective monitoring and testing program, as it relates to the 1LoD, is to understand the regulatory requirements (i.e., key risks) that pertain to the business and the key data elements (KDEs) necessary to not only define the business relationship but to also represent the compliance requirements. These are known as key risk indicators (KRIs). Effective monitoring and testing must evaluate three components: what and how KRIs are identified; what KDEs effectively capture that risk; and how those KRIs are effectively included in management reporting.
Moving on from the identification of KDEs and KRIs, the 1LoD needs to ensure that the data, and specifically the KDEs, are part of the organization's overall data governance framework. That framework should outline specific requirements around (among other things) the completeness and accuracy of both business and compliance KDEs. The 1LoD will need to establish controls to ensure the standards of completeness and accuracy are met and then monitor not only the actual completeness and accuracy of the data but also the performance of the controls designed to ensure it. This would be done through key performance indicators (KPIs) that measure the effectiveness of the internal controls.
Each KRI and KPI should have an expected value or threshold. Actual values should then be compared to expected values and actions triggered if thresholds are exceeded or expectations are not met. These KRIs and KPIs should be monitored on an ongoing basis.
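The following is an added example, not code from the ACAMS article or from any named institution, showing one way the 1LoD could compute completeness and accuracy KPIs for its KDEs and compare them to expected thresholds. The customer records, the per-field validation rules, the reference country list and the thresholds are all constructed for illustration; a real program would take them from the organization's data governance framework. The same compare-actual-to-expected loop applies unchanged to KRIs.

```python
"""KDE completeness/accuracy KPIs checked against thresholds (added example)."""
import re
from datetime import date

# Constructed onboarding extract: five hypothetical customer records.
# C002 lacks a name, C003 lacks an ID document and has a future date of
# birth, C004 has an impossible date (1990 was not a leap year) and an
# unknown country code.
RECORDS = [
    {"id": "C001", "name": "Alice Example", "dob": "1980-04-12", "country": "GB", "id_doc": "P123"},
    {"id": "C002", "name": "",              "dob": "1975-11-30", "country": "DE", "id_doc": "P456"},
    {"id": "C003", "name": "Carol Example", "dob": "2031-01-01", "country": "FR", "id_doc": ""},
    {"id": "C004", "name": "Dan Example",   "dob": "1990-02-29", "country": "XX", "id_doc": "P789"},
    {"id": "C005", "name": "Eve Example",   "dob": "1988-07-07", "country": "US", "id_doc": "P010"},
]

KNOWN_COUNTRIES = {"DE", "FR", "GB", "US"}  # constructed reference list

# Constructed expected values for the two KPIs measured per KDE.
THRESHOLDS = {"completeness": 0.95, "accuracy": 0.98}


def valid_dob(value):
    """Accuracy rule: ISO date that actually exists and is not in the future."""
    try:
        parsed = date.fromisoformat(value)
    except ValueError:
        return False
    return parsed <= date.today()


# Constructed accuracy rules, one per KDE. Completeness is the same for all:
# the field is populated.
KDE_RULES = {
    "name": lambda v: len(v.strip()) >= 2,
    "dob": valid_dob,
    "country": lambda v: v in KNOWN_COUNTRIES,
    "id_doc": lambda v: re.fullmatch(r"P\d{3}", v) is not None,
}


def compute_kpis(records, kdes=KDE_RULES):
    """Return {kde: {"completeness": share populated, "accuracy": share of
    populated values passing the KDE's rule}}."""
    kpis = {}
    for kde, rule in kdes.items():
        populated = [r.get(kde, "") for r in records if r.get(kde, "")]
        completeness = len(populated) / len(records) if records else 0.0
        accurate = sum(1 for v in populated if rule(v))
        accuracy = accurate / len(populated) if populated else 0.0
        kpis[kde] = {"completeness": completeness, "accuracy": accuracy}
    return kpis


def breaches(kpis, thresholds=THRESHOLDS):
    """Compare each actual KPI to its expected value; return the shortfalls
    as (kde, metric, actual, expected) tuples that should trigger action."""
    found = []
    for kde, values in kpis.items():
        for metric, actual in values.items():
            expected = thresholds[metric]
            if actual < expected:
                found.append((kde, metric, round(actual, 3), expected))
    return found


if __name__ == "__main__":
    kpis = compute_kpis(RECORDS)
    for kde, values in kpis.items():
        print(f"{kde:8s} completeness={values['completeness']:.2f} accuracy={values['accuracy']:.2f}")
    for kde, metric, actual, expected in breaches(kpis):
        print(f"ACTION: {kde} {metric} {actual} below expected {expected}")
```

Accuracy is measured over populated values only, so a missing field counts once (against completeness) rather than twice; with this extract every KDE breaches at least one threshold, which is the point at which the article's "actions triggered" step begins.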
The second line of defense (2LoD): Compliance risk management
Depending on the scope of responsibility, the 2LoD will have similar requirements to the 1LoD (e.g., performing certain functions such as know your customer processes, transaction monitoring or sanctions screening). They will also have additional responsibilities to evaluate the process by which the 1LoD identifies risk, establishes controls and monitors the level of risk and performance of controls. In today's world, however, the 2LoD will need to focus on the data used by the 1LoD to monitor KRIs and KPIs. A number of questions should be asked, such as the following:
• Have all the risks been identified?
• Has the best available data element(s), including KDEs, been identified to measure that risk?
• What controls are in place to ensure the completeness, accuracy, integrity, etc., of the KDEs?
• What KPIs are in place to monitor the performance of the controls?
Once these questions have been answered, the 2LoD will need to establish substantive tests of the data elements and controls assessments to ensure the controls are functioning as designed. Today, substantive tests are no longer based on a manual review