In recent years, various institutions and other organizations have experienced heightened regulatory scrutiny, negative media attention, reputational damage, legal liability, and other sanctions for violations of compliance obligations. This, in turn, has led regulators and the institutions they regulate to pay increased attention to the role of compliance. In addition, regulators have required these institutions to increase the amount of resources they devote to compliance risk management.
Compliance risk management has become more challenging as the number of compliance obligations has proliferated. For example, in the financial industry, regulations have expanded and increased the number of compliance obligations. Examples of proliferating regulations in the financial industry include the Anti-Money Laundering and Counter-Terrorist Financing obligations of the USA PATRIOT Act, the Bank Secrecy Act, and the Right to Financial Privacy Act. This has led a number of regulated institutions to employ staff dedicated to ensuring that the institution is compliant with regulations. Alternatively, some institutions choose to pay outside providers for assistance with compliance, incurring substantial costs in the process. For smaller institutions, such as many locally owned and operated small businesses, the time and expense necessary to employ full-time compliance personnel or hire an outside provider and keep up to date with regulations can be staggering. Even for larger businesses that may be able to afford full-time compliance personnel, the amount of work necessary to maintain compliance can be staggering without additional assistance.
Institutions need to manage their compliance obligations better and more systematically. This has proven difficult, as demonstrated by the large number of enforcement actions that have been brought in recent years against institutions and other organizations for failure to manage compliance risk. Current methods of managing compliance risk involve using questionnaires and/or databases to summarize and assess risk based on information provided by the institution. This process makes it difficult for an institution to properly assess risk and, once risk is assessed, not only to make changes to become compliant but also to ensure that the institution stays compliant and to facilitate regulator visits. Other current methods of managing compliance risk involve having onsite personnel review documents, policies, and procedures by using checklists and developing recommendation reports. Such a process is difficult for many institutions to implement, due to the expense and logistics involved in accommodating onsite personnel. These processes also suffer from a lack of communication and involvement with the institution itself.
What is missing from current approaches to compliance risk management is a method for assessing compliance risk that uses information from both publicly available sources and key employees of the institution to assess risk and also create a plan of policies and procedures for the institution to follow. Thus, a need exists for a system for assessing compliance risk using information from a publicly available source as well as information from a client questionnaire that is separated into role categories and answered by employees with areas of responsibility corresponding to the role categories.