Handbook On Compliance - Compliance Institute
1. INTRODUCTION
March 2008
SECTION 2
1.2 Benefits
The establishment of an independent Compliance Function holds, inter alia,
the following benefits for the entity:
(a) Lower impact of reputational risk due to, inter alia, a specific focus on:
- maintaining the highest personal standards of integrity at all levels;
- the importance of true and fair dealing with all clients;
- the provision of qualitative and competent services;
- putting the entity's interests above those of individual employees.
(b) Lower impact of regulatory risk due to a continuous focus
and/or awareness on compliance to all applicable laws, regulations
and supervisory requirements.
1.3 Conclusion
The implementation of an independent compliance function is a requirement of
new legislation and is in line with international developments. This will
definitely have a positive effect on the impact of compliance risk on an
organisation.
1.4 The need for compliance
The reasons for establishing an independent compliance function include the
following:
(a) To comply with relevant legislation
Regulation 47 of the Banks Act No 94 of 1990 and the Financial Advisory
and Intermediary Services Act No 37 of 2002 (FAIS) stipulate that an
independent compliance function must be established in banking and
financial services organisations respectively.
(b) To provide for a formal and structured monitoring of compliance
A compliance manual provides for a specific compliance monitoring
process that should not only be formal, but also structured and therefore
more visible to all the relevant stakeholders.
(c) To facilitate the establishment and enhancement of a compliance
culture
A compliance culture can only be established effectively if staff members
perceive compliance as being more than just manuals and checklists.
Staff members must realise that an effective compliance system depends
on a continuous awareness of compliance issues, which should be one of
the Compliance Function's main responsibilities.
(d) To co-ordinate all the relevant compliance functions within the
Group
The establishment of a central and independent Compliance Function at
Group level should enhance effective co-ordination of compliance
strategies throughout the business.
(e) To give specific focus to compliance risk within a broader risk
management framework
The Compliance Function is ideally positioned to deal with compliance
risk as part of operational risk that should fall within the scope of the
bigger risk management strategies.
(f) To be in line with international developments/trends
Compliance Functions have been established at most of South Africa's
international competitors and/or trading partners. Local business must
follow suit if they intend to retain, or improve, their international
competitive edge.
(g) Benefits
The establishment of an independent Compliance Function provides, inter
alia, the following benefits:
(i) Lower impact of reputational risk due to a specific focus on:
- maintaining the highest personal standards of integrity at all levels;
- the importance of honest and fair dealing with all clients;
- the provision of qualitative and competent services;
- putting the business interests above those of individual employees.
(ii) Lower impact of regulatory risk due to a continuous focus and/or
awareness on compliance to all applicable regulatory requirements.
(h) Conclusion
The implementation of an independent compliance function is a
requirement of new legislation and is in line with international
developments. This will definitely have a positive effect on the impact of
compliance risk on the business.
1.5 Why comply
(a) Introduction
Broadly speaking, there are two reasons why a business should comply
with regulatory requirements.
Firstly, because it is the law, and secondly, because it makes good
business sense!
(b) It is the law
Business does not, from a legal standpoint, have any choice as to
whether they should or should not comply with the regulatory
requirements - they are obliged to comply. Failure to comply is likely to
result in appropriate sanctions being imposed.
(c) Good Business Practice
Compliance with regulatory requirements makes good business sense.
In the final analysis, there is a direct link between client satisfaction and
confidence and the businesses that observe the applicable regulatory
requirements. These two aspects will be considered:
2. IDENTIFICATION OF KEY ROLE-PLAYERS
Board of Directors;
Audit Committee;
Chief Executive Officer/Executive Management Committee;
Line Management and/or Boards for Divisions and Subsidiaries;
Internal Audit function;
Compliance Function;
External Audit function;
All employees; and
Regulators.
General guidelines for the roles and responsibilities of each of these role-players,
with specific reference to compliance, are briefly described in the following sections.
An additional check would be for the Internal Audit Manager, as part of their
normal audit responsibility, to review certain aspects of the work carried out
by the Compliance Officer. Due to the overlap between the Audit and
Compliance Functions, a sound and an interactive relationship between the
two must be maintained.
(f) Compliance Function
The Compliance Function is an independent function, which is associated with
all aspects of compliance, including the monitoring of the compliance risk
processes. It is imperative that the Compliance Officer has the necessary
rights and powers to fulfil this role impartially and effectively.
(i) Standard setting
Set standards for achieving compliance with the relevant regulations;
ensure that these standards and other compliance principles are
effectively communicated; secure the commitment of Executive
Management for the application of these standards and finally ensure
consistency of approach and practice.
(ii) Providing advice
Provide a central point of reference and expertise in compliance-related
matters and, in particular, advise on the policy and strategic decisions
that might have compliance implications. An example of this would be to
provide an independent view in the formulation or amendment of the
policy regarding the managing of conflict of interest.
(iii) Monitoring
The implementation of the entire compliance process and the subsequent
monitoring of the level of compliance within the business is the
responsibility of this Function — refer to Section 13 for a more detailed
description of this process.
(iv) Maintaining external relations
The Compliance Officer must strengthen the working relationship with
the Regulators appropriately by:
Being the senior point of contact with the Regulators;
Collating, co-ordinating and representing the business's views on
sector and industry-wide matters by direct representation to the
Regulators; and
Liaising with relevant internal, as well as external stakeholders.
(v) Resolving issues of non-compliance
The Compliance Officer is not only responsible for the reporting of issues
of non-compliance through to the monitoring process (refer Section 13),
but is also required to resolve issues of non-compliance efficiently and
effectively. Depending on the seriousness and impact of the specific
non-compliance, this could involve facilitating the process of ensuring that
the responsible line manager implements the necessary and appropriate
corrective measures.
(vi) Training
The Compliance Officer is also, as part of the responsibility to enhance a
compliance culture, responsible for promoting an effective compliance
system through appropriate training interventions and awareness
campaigns. These interventions will vary from brief discussions to more
detailed and comprehensive programmes with the intention to keep
2.2 King II
The King Report on Corporate Governance for South Africa (also known as King II)
was first published in March 2002. As a result of this report, a Code of Corporate
Practices and Conduct was drawn up. It is referred to as the 'King Code'.
The 'King Code' is structured under the following headings:
Boards and directors
Risk management
Internal audit
Integrated sustainability reporting
Accounting and auditing
Compliance and enforcement
2.3 Conclusion
Compliance is about more than just manuals, checklists and procedures. The
extent to which the importance of compliance is correctly perceived will depend on
the effectiveness of the interaction between the different role-players described
above. This can only be achieved if each role-player fully understands their
individual roles (mandate), as set out in this Section.
©Compliance Institute of South Africa
Handbook for Members
APPENDIX 1
External Audit Function
The external auditors are required by statute to conduct an audit on the
business on an annual basis. Auditors also provide other services.
The external auditors are required to review the risk processes as part of
their statutory audit duties imposed on them by the Companies Act, Banks
Act and other applicable legislation.
SECTION 3
The actions of rogue trader Nick Leeson, an employee of Barings Bank, which
ultimately led to the demise of the Bank, are a classic example of financial regulation
emerging in the wake of a financial scandal. The facts of the demise of Barings
Bank are as follows: Leeson, who was employed by Barings Bank, applied to
register as a trader with the Securities and Futures Authority (the U.K. regulator for
the financial services industry) in London, but his application was turned down
because he had misrepresented certain information. He then transferred to
Singapore where he applied to the local regulator for registration. Not knowing that
he had been turned down in London, Singapore registered Leeson as a trader.
Although Barings Bank had a compliance function, there was no proper separation
of duties, and controls were ineffective and inadequate.
The following extract from the conclusion of the Bank of England Report on the
Collapse of Barings (paragraph 13.13) provides an indication of the inadequate
controls in Barings Bank:
"The fact that Leeson was permitted throughout to remain in charge of both front
office and back office at BFS was a most serious failing. Witnesses whom we have
interviewed on this point agreed that the need for a separation of responsibilities
was fundamental. Tony Hawes, the Group Treasurer, had relatively early on (in
February 1994) identified this as unsatisfactory. He subsequently made his views
known to James Baker, prior to James Baker's internal audit of BFS undertaken in
July/August 1994. Although the internal audit did not unearth the existence of the
unauthorized activities, the internal audit report did make specific recommendations
as to the separation of roles. These recommendations were never implemented".
The Bank of England Report (paragraph 13.11) also provides an indication of where
the responsibility for the inadequate controls in the Bank lay:
"We consider that those with direct executive responsibility for establishing effective
controls must bear much of the blame. We identify below the ways in which, we
have concluded, they failed to discharge this responsibility; and how others at lower
levels of management were also at fault for failing to act effectively in relation to
their own responsibilities".
The collapse of the bank resulted in significant changes to the way in which the
regulatory authorities were structured and in the regulatory requirements
themselves.
"The Economic Secretary for the United Kingdom, Ms Helen Liddell, has
recently stated that she fails "to see the difference between over-trading
and theft, between trading on your own account to your client's
disadvantage and theft and between deceiving clients to profit from their
loss and theft." Page 18, Newton.
Other examples of financial scandals include the collapse of the banking systems in
many of the Southeast Asian countries. These countries suffered severe economic
To quote Gill Marcus, at the time Chairperson of the Policy Board for
Financial Services and Regulation: "The importance of designing and
maintaining an efficient and effective system to regulate financial markets,
financial institutions and financial services lies at the very core of our
nation's well being" Foreword to Financial Regulation in South Africa
The FAIS Act is an example of regulation that aims to protect consumers. The
requirements of the Act stipulate that:
o Persons who sell financial and investment products are "fit and proper";
and
o They adequately disclose certain information relevant to the transaction to
the client.
Explanation:
Definition
"Regulatory requirements" is the term that is used to collectively describe the
requirements set out in:
Acts of Parliament (e.g. the FIC Act),
Subordinate legislation (e.g. the regulations to the FIC Act), and
Supervisory requirements (e.g. guidance notes issued by regulators)
There is no doubt that, on a daily basis, there are more and more regulatory
requirements with which compliance officers must comply. Some examples are:
Although compliance with regulatory requirements represents a significant
challenge, the purpose is not to frustrate business activity. The aim is to support
the development of business while protecting investors, depositors and consumers.
In the final analysis, compliance is simply "good business". Much of what is
included in the regulatory requirements represents good business practice. For
example, FAIS contains requirements that will result in good client service, if
applied appropriately. Businesses that have effective compliance functions will
usually be seen in a positive light by stakeholders, which in turn will protect or
enhance their reputation.
All financial service providers who wish to operate a long-term sustainable business
must successfully manage compliance with regard to the applicable regulatory
requirements!
3.4 Regulators
Regulators are appointed to promote/enforce adherence to these regulatory
requirements. These regulators are created and derive their power from certain
pieces of legislation.
The South African Reserve Bank (SARB) — created in terms of the South
African Reserve Bank Act/the Banks Act; and
The Financial Services Board (FSB) — created in terms of the Financial
Services Board Act.
These Acts make it illegal to conduct a specific type of business unless the financial
service provider is authorised or licensed to conduct such business. The financial
service provider is required to undergo a process of licensing and to enter into a
relationship with the regulator in terms of which the financial services provider
undertakes to comply with the regulatory requirements.
The regulatory requirements also stipulate that any licensed financial services
provider must complete an annual compliance report for the regulator. The
purpose of this report is to enable the regulator to monitor compliance with the
legislation.
The legislation mandating a regulator will set out that regulator's powers, which
include the power to take disciplinary action. Such disciplinary action could be in
the form of:
However, not only do business owners need to concern themselves with the
perception of the regulator with regard to the manner in which the business is
conducted, but business owners must also take into account the perceptions of
clients and investors with regard to how they conduct business.
The UK and USA supervisory regimes have embraced an increasing focus on the
supervision of money laundering control requirements. This trend is also being
adopted in South Africa. (Take note: The supervisory role that is played by the
Financial Intelligence Centre, the Reserve Bank, and/or the Financial Services
Board, regarding money laundering control is beyond the scope of this Manual).
3.8 Legislation
The table below provides an overview of some of the legislation that has been put in
place with regard to the differing types of businesses.
Acts Regulator Business
3.9 Stakeholders
The following diagram graphically represents the stakeholders within the regulatory
environment.
[Diagram: Graphic representation of the regulatory environment. Labels: Government; Consumers; Regulators; Investors; Depositors; Financial Services Providers; Management; Employees; Compliance Officers.]
3.10 Conclusion
Whether as a result of international trends or pressure from stakeholders, the
intensity of regulation is increasing. Managing compliance with these regulatory
requirements will remain a significant challenge to management.
APPENDIX 2
[Diagram: regulatory structure. Labels: Minister of Finance; Policy Board for Financial Services and Regulation; Department of Trade & Industry; Office of the Registrar of Companies; Financial Services Board; Advisory Committees; South African Reserve Bank; Office of the Executive Officer and Registrar of Financial Institutions; Office of the Registrar of Banks; Financial Markets; Long term Insurers; Short-term insurers; Pensions; CIS; FAIS; Appeal Boards; JSE; BESA; STRATE; Collective Investment Schemes; Financial Services Providers; Banks; Insurers; Pension funds; Friendly societies.]
As indicated in the diagram, the South African Reserve Bank regulates banks while
other financial services institutions are regulated by the FSB.
The mandates of the above regulators are set out in the legislation that makes
provision for the establishment of each particular regulator.
In order for regulators to discharge their responsibilities they require information. This
can be obtained in a number of different ways. For example:
Routine reports received from the businesses themselves, e.g., the "DI returns"
which must be submitted by Banks to the Reserve Bank. These cover the financial
position, income statement, liquidity, capital adequacy and other risks of the bank.
On-site inspections conducted by the regulator.
Information requested by the regulator on matters that the regulator may be
investigating.
Information or complaints received from customers and investors.
They may also issue appropriate guidance notes or directives to assist in the
interpretation of regulatory requirements or to enhance the regulatory requirements.
In view of the need to promote a sound financial system, banks are regulated to
ensure they are prudently managed. The Bank Supervision Department (BSD) of the
SARB undertakes this function, the head of which is the Registrar of Banks. Although
BSD forms part of the SARB, it operates somewhat independently from the SARB.
SECTION 5
5.1 Introduction
Newton writes the following in his book, 'The Handbook on Compliance', on the role
of the regulators in the United Kingdom:
There is an ongoing requirement in this regard. At any time after obtaining the
licence/authorisation to conduct business, the regulator may withdraw the
licence/authority to conduct business if certain requirements are not being met. For
example, for any registered bank, the SARB could withdraw their banking licence if
the bank no longer complies with the relevant requirements.
For example, the FICA requires that accountable institutions "identify" and "verify"
their clients. This means that all account opening procedures must be adjusted to
ensure compliance.
Businesses that fall within the definition of "accountable institutions" are specified
in Schedule 1 of the Financial Intelligence Centre Act. Some examples include:
Banks
Attorneys
Estate agents
Any "long-term insurance business"
Members of a stock exchange, etc
The above list is by no means complete and is included for illustration purposes
only.
For example, the Financial Intelligence Centre Act (see Section 43 of the Act)
requires that a financial services provider appoint a compliance officer to be
responsible for compliance with the regulatory requirements.
Most large organisations have employed compliance officers in their head-offices, as
well as in their business units, to assist senior management in implementing
compliance risk management systems.
5.5 Reporting
In order to monitor compliance with the regulatory requirements, the Regulators
require business to report on compliance with specific regulatory requirements
within specified timeframes, for example on a monthly, quarterly or annual basis.
An example of this is the "DI Returns" that are submitted to the Bank Supervision
Department of the SARB. In these DI Returns, senior management of the financial
services providers are required to confirm by signature that, for example:
Another example is the requirement in terms of sec 17(4) of the FAIS Act that
annual compliance reports be submitted to the FSB.
This complaints resolution process requires interaction between the business and
the Regulator.
5.7 Monitoring
Regulators are tasked with monitoring compliance with regulatory requirements.
Methods to monitor compliance that are imposed on a business include:
Reporting (as discussed above).
Complaints handling (as discussed above).
Requests for information directly from the business:
The regulator has the power to request any information from the business in
respect of compliance with a regulatory requirement.
On site investigations:
o The regulator has the authority to conduct an on-site investigation in respect
of compliance with the regulatory requirements. Such on-site investigations
can take anything from a few days to a couple of weeks to complete.
5.9 Conclusion
Regulators impact on business in the following respects:
SECTION 6
6. COMPLIANCE OBJECTIVES
6.1 Introduction
This section sets out the main objectives of the Compliance Function and specifies
the role of the Compliance Officer.
6.4 Conclusion
In striving to achieve these objectives the Compliance Officer should act proactively
and constructively and assist line management in running an efficient and profitable
business, without violating statutory, regulatory and supervisory requirements.
Compliance Officers should also strive to gain the support of line management
without jeopardising their independence.
7. COMPLIANCE STRUCTURES
7.1 Introduction
This section provides the reader with a perspective on the underlying principles that
should be taken into consideration in determining an effective compliance structure.
7.2 Background
The fostering of a culture of compliance, as well as optimising relations with the
relevant Regulators requires a multidisciplinary approach that can only be effective
if all the relevant role-players actively support the compliance system and its
objectives. Therefore it is imperative that the relations and communication channels
between the different role-players are clearly set out in an appropriate structure. (A
comprehensive list of the relevant role-players that are likely to be part of this
process can be found in section 11 of this Handbook).
Although the format of the compliance system will differ from business to business,
in order to implement an effective compliance system, it must be based on the
principles as set out in Regulation 47 of the Banks Act No 94 of 1990. These
principles require that any compliance system that is implemented enables the
Compliance Officer to:
(a) Provide the Board of Directors with regular information as regards the
level of compliance to supervisory requirements;
(b) Function independently from other functions of internal control;
(c) Ensure that no conflict of interest exists with other internal control functions,
for example, the Internal Audit Function;
(d) Report issues of non-compliance to the CEO and the Board of Directors in a
timely manner;
(e) Have direct access to the Chief Executive Officer (CEO); and
(f) Have senior executive status in the business.
Large organisations may have a Compliance Officer for the holding company as well
as Compliance Officers for the different business units and/or subsidiaries.
Although the Compliance Officer for the holding company (Group Compliance Officer
(GCO)) will take overall responsibility for compliance, the Compliance Officers in the
business units and subsidiaries (Business Unit Compliance Officers (BCO)) will assist
the GCO by taking on responsibility for compliance within their specific business
units. In a smaller business that has a simpler compliance structure, the
compliance function may be the responsibility of one person.
SECTION 8
8.1 Introduction
The compliance function plays an invaluable role in any business. It is relied
on to assist the business in complying with the ever-increasing obligation of
regulatory requirements. This is driven, on the one hand, by regulatory
requirements that demand compliance and, on the other hand, by business
imperatives that recognise that compliance is simply good business practice.
Compliance risk is the risk that the procedures implemented by the business
to ensure compliance to relevant statutory, regulatory and supervisory
requirements are not adhered to and/or are inefficient and ineffective.
Compliance risk consists of both a regulatory and reputational element:
Regulatory risk is the risk that a business does not comply with regulatory
requirements or excludes provisions of relevant regulatory requirements from
its operational procedures.
Reputational risk is the risk that the business might be exposed to negative
publicity due to the contravention of applicable regulatory requirements.
The scope of the Compliance Officer function must not be defined too
narrowly, as this may result in the compliance risk being unacceptably high.
This theme is emphasised in section 60A of the Banks Act that states that:
(1) Notwithstanding anything to the contrary in any law, a bank shall
establish an independent compliance function as part of the risk
management framework of the bank.
Although the FAIS Act does not recognise the compliance "risk role" to the
same extent as the Banks Act, it specifies that each financial services provider
(with more than one key individual or representative) must appoint a
compliance officer and establish compliance procedures to be followed by it
and its representatives.
It is noted that, to a large extent, the FAIS Act's focus is on monitoring. For
instance, compliance officers are required to submit a compliance report to
the Registrar of Financial Services Providers. This report is, in essence, a
"checklist" covering key compliance matters.
The specifications contained in the likes of the King II report and certain
regulatory requirements (such as regulation 47) are considered to be in line
with international practice.
9.1 Introduction
The first step in meeting the compliance challenge lies in setting up an appropriate
compliance structure and appointing a compliance officer to assist management in
complying with the regulatory requirements.
Every employee must also be trained in respect of the regulatory requirements that
impact upon his/her job and they must assume responsibility for compliance with
such regulatory requirements. Further, it is in the interests of the employee to
ensure that he/she effectively manages compliance, as it should be included as an
important aspect of a performance assessment.
8.4.1 ensure compliance within the group or entity in line with current laws,
regulations and supervisory requirements or provisions;
8.4.2 report non-compliance to laws and regulations or supervisory
requirements to the chief executive officer, the board of directors and the
audit committee in a timely manner;
8.4.3 provide the board of directors and the audit committee with regular reports
9.4.4 information as regards the level of compliance by the entity to laws and
regulations or supervisory requirements;
The Board and CEO are accountable for ensuring that the entity complies with all
applicable laws, regulations and supervisory requirements but they will rely on the
Compliance Officer to assist them in discharging that accountability.
Responsibilities for Compliance Officers can never be prescriptive, but the
aforementioned responsibilities or at least elements thereof should be present in all
job descriptions/Key Performance Areas (KPAs) for Compliance Officers.
Definition:
Regulatory risk is the risk that the bank does not comply with the applicable
regulatory requirements.
Regulation 47(3) provides that the compliance function shall have adequate
resources and stature to ensure that non-compliance with laws and
regulations or supervisory requirements by the bank can be addressed
adequately.
Section 17(1) of the Act specifies that any authorised financial services
provider (with more than one key individual or one or more representatives)
must appoint one or more compliance officers to monitor compliance
with this Act.
Section 17(1), read in conjunction with section 19(5), specifies that if the
appointment of a compliance officer of an authorised financial services
provider is terminated, the compliance officer must submit to the Registrar
of Financial Services Providers a statement of what the compliance officer
believes to be the reasons for the termination. The requirements relating to
compliance reporting to the Registrar are also specified.
Section 17(4) specifies that a compliance officer or, in the absence of such
officer, the authorised financial services provider concerned, must submit
reports to the registrar in the specified manner.
For ease of reference the requirements of section 17 of the FAIS Act are
detailed in Section 10.
(c) Sections 42 and 43 of FICA
A further example of regulatory requirements relating to compliance officers
is contained in section 43(b) of FICA. This section requires an accountable
institution to appoint a person with the responsibility of ensuring compliance
by:
The employees of the accountable institution with the provisions of this
Act and the internal rules applicable to them; and
The accountable institution with its obligations under this Act.
Section 42 sets out the internal rules that must be formulated and
implemented to comply with the Act and requires that these rules be made
available to all employees.
These functions are in line with the recommendations that are contained in the King
II Report.
(a) Services
(i) Providing advice on regulatory requirements
One of the core functions of the compliance officer is advising
management on the regulatory requirements applicable to the business
conducted.
SECTION 9
requirements.
(ii) Oversee implementation of compliance procedures
The compliance officer should assist management in:
Identifying control measures that will ensure compliance with the
regulatory requirements; and
The implementation of these control measures.
(iii) Reporting
The compliance officer must keep the Board of Directors and
management informed of the level of compliance being achieved. This
is undertaken, for example, through compliance reports that are
submitted to the respective stakeholders on a regular basis.
(iv) Contact with regulators
The first point of contact for the Regulator is normally the compliance
officer. The compliance officer should be available to resolve any
regulatory issues that may arise. The regulators expect issues to be
dealt with promptly and thoroughly.
(b) Training
The compliance officer assists in developing a compliance culture. All
employees should be encouraged to not merely comply with the rules, but to
rather adopt a values-based system whereby they embrace the objectives
underlying the regulatory requirements. This can be achieved through
appropriate training.
The compliance officer should see to it that the compliance issues are
integrated into the training received by an employee in respect of his/her
responsibilities.
It is noted that the compliance officer need not deliver the training. This
could be done by the training department or by external training providers.
The compliance function will, however, play a key role in coordinating the
efforts to train staff members. The compliance officer is often expected to
play a "train the trainer" role in rolling out compliance training to staff
members.
(c) Monitoring
Compliance monitoring is undertaken in order to evaluate whether business
is conducted in compliance with regulatory requirements. This can be
achieved through routine/ongoing monitoring procedures, or through the
application of specific monitoring techniques, e.g. adequacy, consistency or
substantive reviews.
9.7 Conclusion
On the one hand, the compliance officer assists management to comply with
regulatory requirements, including producing solutions to compliance challenges
faced by management. On the other hand he/she must remain sufficiently
independent to be able to discharge his/her obligations.
The quote below illustrates the challenges facing the compliance officer today.
"Compliance professionals are often a focal point for the conflict and
frustration which regulation can generate. Every day they are called upon
to use their professional judgment to identify ways of achieving the
objectives behind the regulations without producing unnecessary
restriction on the activities of their employers, or incurring any undue
commitment of resources". Newton, Page xiv.
APPENDIX 3
BANKING COMPLIANCE RESPONSIBILITIES
Regulation 47
Regulation 47(4) sets out the responsibilities of the compliance officer and provides
that, as a minimum, the compliance officer of a bank shall-
Effectiveness
(a) Have senior executive status in the bank;
(b) Have direct access to and demonstrable support from the chief executive officer of
the bank;
(c) Function independently from functions such as internal audit and shall be
demonstrably independent;
(d) Report non-compliance with laws and regulations or supervisory requirements to
the chief executive officer, the board of directors and the audit committee of the
bank in a timely manner;
(e) Submit a report on the level of compliance with laws and regulations or
supervisory requirements by the bank at every meeting of the board of directors or
the audit committee of the bank and provide the Registrar with a copy of such a
report; and
(f) Ensure, as far as possible, that no conflict of interest with/between other internal
control functions exists.
Monitoring
(g) Be responsible for establishing a compliance culture in the bank that contributes
to the overall objective of prudent risk management by the bank;
(h) Establish a line of communication to line management, in order to monitor
continuously compliance with laws and regulations or supervisory requirements by
the bank;
(i) Require line management to monitor compliance with laws and regulations or
supervisory requirements as part of their normal operational duties;
(j) Require regulatory requirements to be incorporated into operational procedure
manuals when appropriate; and
(k) Make recommendations whenever necessary in order to ensure that there is
compliance with laws and regulations or supervisory requirements.
Reporting
(l) Establish prompt mechanisms for reporting and resolving non-compliance with
laws and regulations or supervisory requirements;
(m) Ensure that resolutions are signed off; and
(n) Document the compliance officer's findings including any remedial action, as
part of the compliance-monitoring programme.
Resources
(o) Recruit sufficient staff of suitable quality in order to monitor and test
continuously the bank's compliance with laws and regulations or supervisory
requirements; and
(p) Ensure that compliance staff are trained on a continuous basis to ensure
adequate technical knowledge of the regulatory framework that applies to the bank,
as well as the risks to which the bank is exposed.
Manual
(q) Compile and maintain a compliance manual that:
(i) Adequately addresses all material risks to which the bank is exposed;
(ii) Adequately addresses all material objectives and aspects of applicable
legislation;
(iii) Refers to specific legislation, rules and regulations when appropriate;
(iv) Is readily available to all relevant staff; and
(v) Is reviewed and updated at least once a year.
©Compliance Institute of South Africa
Handbook for Members
APPENDIX 4
FAIS COMPLIANCE RESPONSIBILITIES
Section 17
Section 17 of the FAIS Act sets out requirements/arrangements relating to compliance
officers.
Section 17(2) specifies that a compliance officer must be approved by the registrar in
accordance with the criteria and guidelines determined by the Advisory Committee.
Section 17(3) specifies that an authorised financial services provider must establish and
maintain procedures to be followed by the provider and any representative concerned,
in order to ensure compliance with this Act.
Section 17(4) specifies that a compliance officer or, in the absence of such officer, the
authorised financial services provider concerned, must submit reports to the registrar in
the manner and regarding the matters, as from time to time determined by the registrar
by notice in the Gazette for different categories of compliance officers, after consultation
with the Advisory Committee.
Section 17(5) specifies that the provisions of subsections (3) and (4) apply mutatis
mutandis to any authorised financial services provider who carries on a business with
only one key individual or without any representative.
APPENDIX 5
FICA COMPLIANCE RESPONSIBILITIES
Section 42
(1) An accountable institution must formulate and implement internal rules concerning-
(a) The establishment and verification of the identity of persons whom the
institution must identify in terms of Part 1 of this Chapter;
(b) The information of which record must be kept in terms of Part 2 of this
Chapter;
(c) The manner in which and place at which such records must be kept;
(d) The steps to be taken to determine when a transaction is reportable to ensure
the institution complies with its duties under this Act; and
(e) Such other matters as may be prescribed.
(2) Internal rules must comply with the prescribed requirements.
(3) An accountable institution must make its internal rules available to each of its
employees involved in transactions to which this Act applies.
(4) An accountable institution must, on request, make a copy of its internal rules
available to -
(a) The Centre; and
(b) The supervisory body that performs regulatory or supervisory functions in
respect of that accountable institution.
Section 43
An accountable institution must —
(a) Provide training to its employees to enable them to comply with the provisions of
this Act and the internal rules applicable to them;
(b) Appoint a person with the responsibility to ensure compliance by -
- The employees of the accountable institution with the provisions of this Act and
the internal rules applicable to them; and
- The accountable institution with its obligations under this Act.
SECTION 10
10.1 Introduction
This section describes the requirements for and suggested content of a
compliance manual. The various requirements in applicable legislation for the
financial service industry will provide minimum standards with which a compliance
manual must comply.
10.2 Background
The Compliance Officer should facilitate the compilation of a compliance manual
(manual) for the business in conjunction with the relevant role-players described
in Section 11 of this Handbook. The manual must be based on the standards and
norms provided by the Compliance Institute of South Africa. The manual should
not only be customised for the business and the specific environment in which it
functions, but it should also endeavor to:
(a) Address all the risks that fall within the scope of the compliance function;
(b) Address all material objectives and aspects of applicable regulatory
requirements;
(c) Refer to specific legislation, rules and regulations applicable to a specific
business and, where appropriate also focus on the "spirit of the law";
(d) Be practical and easily understood to enhance implementation;
(e) Be readily available to all staff members; and
(f) Be reviewed and updated according to applicable legislation.
Given the complexity and often-diverse activities of the different business units
within a large organisation, in most cases it will be necessary to compile separate
compliance manuals for each business unit. The compilation of a compliance
manual for a business unit is the responsibility of the Compliance Officer for the
specific business unit. Furthermore, depending on the compliance policy, the
manual must:
1. Be based on the compliance manual for the organisation; and
2. Be compiled in consultation, and in conjunction, with the Group
Compliance Officer.
The manual on its own cannot and will never ensure effective compliance, but it
serves as the basis for establishing an effective compliance culture.
10.3 Format
The manual is an area where "substance" is more important than format, because
inaccuracies and errors will most certainly cause the manual to lose credibility
with users. However, the format is important in so far as it determines the
effectiveness with which users will implement the standards and comply with the
norms contained therein. Use the following principles as guidelines when
determining the format of a compliance manual:
(a) A very theoretical and complex format should be avoided;
(b) Language should be kept simple and in cases where more complex legal
terms have to be used, explanations must be provided;
(c) The more diagrams and practical examples that are included, the easier it is
for users to understand and implement the manual;
(d) An electronic version of the manual will not only enhance the regular
updating of it, but will also make distribution more economical; and
(e) A standard format for the manual will enhance standardisation and
consistency, as well as improve the effectiveness and efficiency of training in
this regard.
10.4 Content
The format of the manual is likely to differ from business to business; however, it
must contain at least the following elements:
10.5 Conclusion
The manual should be comprehensive in the sense that it covers all matters
relating to compliance for the business. It should, however, be user-friendly and
easy to understand to ensure full implementation thereof by all staff members.
APPENDIX 6
EXAMPLE: Letter of Endorsement from the CEO
Dear Sirs/Madams
Ongoing changes to legislation, together with the introduction of new legislation, have
placed a greater emphasis on the formal and structured monitoring of compliance to
regulatory requirements.
The XYZ Group Limited recognises its accountability and responsibilities to all
stakeholders under the legal, regulatory and supervisory requirements applicable to its
business. Therefore the Board of Directors has approved the establishment of an
independent Compliance Function as part of its current Compliance Policy.
However, it must be emphasised that the primary responsibility for complying with any
regulatory requirement lies with each member of staff conducting the particular
transaction or activity to which regulation applies. All relevant staff must therefore be
conversant with appropriate legislation and subordinate regulations, conditions and rules
promulgated by Regulators as well as with the compliance manual and/or technical
guidance notes applicable to their specific area of responsibility. Your staff members
must understand that they are expected to comply both with the letter and with the spirit
of these requirements.
The Board of Directors regards compliance as a matter of high priority. All staff must
understand that failure to comply can result in exposing the Group to liabilities and/or
risk of loss of authorisation to conduct business in the financial services industry.
There is a growing need for management to have professional support from the Group
Compliance Function to identify potential problems and advise on practical solutions.
Staff need to provide a constructive service to the business and must help to protect the
reputation of the Group. This is not something that compliance officers can achieve on
their own; there must be a determined team effort together with the management and
staff of the business.
As part of this effort a compliance manual has been drafted. This manual documents
how compliance should be conducted in a specific business unit by complying with the
relevant compliance policy and standards. In addition, it documents how all the
applicable laws, regulations and supervisory requirements are being managed and
controlled. Non-adherence to the standards documented in this manual can lead to
disciplinary action and dismissal.
The importance of protecting the Group's reputation in all its operations cannot be
overemphasised. An appeal is made to all staff to acquaint themselves with the contents
of the compliance manual to enable them to meet the responsibilities in their work
environment.
Yours faithfully
11.1 Introduction
Why should a business have policies and procedures in place?
policy sets out what is expected from staff members, who are an integral
part of an effective compliance system. This will, to an extent, determine
the culture with regard to compliance.
(i) Introduction
Information should be provided regarding ownership, approval, review,
scope and implementation of the policy.
(ii) Compliance policy statement
The compliance policy statement should describe the business
commitment and approach to comply with applicable legal and
regulatory requirements. Although not always necessary, it could be
helpful to base this statement on the vision, mission and core values of
the business. An example of a compliance policy statement is as
follows:
"The business recognises its accountability to all its stakeholders under
the legal and regulatory requirements applicable to its business and is
committed to high standards of integrity and fair dealing in the conduct
of its business. It is committed to comply with both the spirit and the
letter of applicable requirements and to always act with due skill, care
and diligence."
(iii) Philosophy
The philosophy provides general background information on compliance
and usually covers aspects such as:
(1) The motivation for establishing the compliance functions;
(2) The history of the Compliance Function;
(3) The standards and norms that compliance is based on, for
example, reference to standards and norms adopted by the
Compliance Institute of South Africa (CISA); and
(4) Reference to other related philosophies in the business, e.g. the
philosophy of the sales department, human resources, etc.
(iv) Framework
The framework should provide information regarding the following
aspects:
(1) How compliance forms a part of the overall risk management
framework; and
(2) A brief overview of a methodology to be followed.
regarding compliance and should be widely distributed throughout
the business. Care should also be taken to make this a very user-
Each standard must be clearly specified. For example, the standard covering
staff training could read as follows:
12.1 Introduction
We have seen that responsibility for complying with regulatory requirements
rests with management. The compliance officer facilitates the implementation of
a compliance system to manage regulatory risk.
Phase 1
Compliance Risk Identification
The compliance officer assists management in identifying the regulatory
requirements that apply to the business.
All the regulatory requirements that have been identified together form the
regulatory universe of the business.
The compliance officer assists management in analysing the regulatory
requirements.
Phase 2
Compliance Risk Assessment
The compliance officer assists management to prioritise the
regulatory requirements by rating each according to their risk.
Phase 3
Compliance Risk Management
The compliance officer assists management to develop control measures that
will ensure compliance and facilitate the implementation thereof.
Phase 4
Compliance Risk Monitoring
The compliance officer monitors the controls that have been implemented to
determine the level of compliance and whether the controls are effective.
Phase 1
Compliance Risk Identification
Step 1
The first step in the compliance management process is to identify the
regulatory requirements that must be complied with.
Definition
Remember that "regulatory requirements" is the term that is used to
collectively describe the applicable "rules" set out in:
- Acts of Parliament
- Subordinate legislation
- Supervisory requirements
Step 2
The next step in this phase of the compliance management process
involves analysing the regulatory requirements.
(i) Seriousness
"Seriousness" indicates the potentially negative impact that non-
compliance with a regulatory requirement will have on the business
as a whole. It is made up of the following elements:
Monetary impact:
This refers to the potential monetary loss, as a result of fines
imposed or losses suffered due to non-compliance. The greater
the amount of monetary loss, the greater the "seriousness" of
the non-compliance.
Impact on image:
This refers to the extent to which non-compliance may impact
negatively on stakeholders' perceptions. Stakeholders include
regulators, investors, depositors, consumers, employees and
government. The greater the potential negative impact on the
image of the business, the greater the "seriousness" of the non-
compliance.
(ii) Probability
"Probability" indicates the likelihood that non-compliance with a
specific regulatory requirement might occur. This is determined by
the effectiveness of the control measures that have been
implemented.
The seriousness and probability considerations should be rated on a
scale of high, medium and low to determine the compliance risk.
(c) Compliance Risk Management
Phase 3
Compliance Risk Management
APPENDIX 7
EXAMPLE OF RISK MANAGEMENT PLAN
Section No and heading:
Identification and Verification
FICA Regulations 3(1) & 4(1)(a)(i)

Regulatory requirement:
3(1) An accountable institution must obtain from, or in respect of, a natural person
who is a citizen of, or resident in, the Republic, that person's-
(a) full names;
(b) date of birth;
(c) identity number;
(d) income tax registration number, if such a number has been issued to that person,
(e) residential address.
4(1) An accountable institution must verify the full names, date of birth and identity
number of a natural person referred to in regulation 3 (1) (a), (b) or (c)...by
comparing these particulars with
(a) (i) an identification document of that person; or.....

Analysis of regulatory requirement:
In respect of South African citizens and residents, regulations 3 & 4 compel an
accountable institution to obtain and verify the following particulars in respect of a
customer:
- Full names;
- Date of birth;
- Identity number;
- Residential address.
- Income tax registration number
(note - the above has been aimed at senior management. More detail would be required
at an operational level)

Risk rating:
High

Control measures:
All account opening forms must include fields where the following must be completed:
- Full names
- Date of birth
- Identity number
- Income tax registration number
- Residential address
A copy of the customer's identity document must be obtained to verify the customer's
identity. Copies of documents, which verify the correctness of the above information,
must be obtained and annotated "original sighted." The copy must be date stamped and
the name and designation of the staff member opening the account must be recorded
thereon.
The approach that is adopted in the rollout of the compliance process will
depend on the particular circumstances of the business. It is noted that some
adaptation may be required to meet the needs of each individual business.
12.3 Conclusion
The 4 phases of the compliance risk management process set out above represent an
effective structure within which to implement an effective compliance system.
APPENDIX 8
ASSESSMENT SCALE
The assessment scale could be calibrated as set out below, namely, ratings between 1
and 10 allocated for Seriousness and Probability. The table provides a guideline which
can be used to facilitate the ratings:
Seriousness                     Probability
Scale  Key                      Scale  Key
1      Insignificant impact     1      Low Risk
2                               2      (Fully effective)
3                               3
4      Minor impact             4      Medium Risk
5                               5      (Partially effective)
6                               6
7      Material impact          7
8                               8      High Risk
9                               9      (Ineffective)
10     Disastrous impact        10
(b) To achieve effective compliance
Section 12 addressed the compliance risk management, as well as the
need to design and implement control measures to ensure that regulatory
requirements are complied with.
For example: Staff should understand that all the procedures and
documents that must be completed to properly identify a customer as
required by FICA may help to identify criminals and ultimately stop crime!
In the final analysis, all staff members have a responsibility to conduct all
business in compliance with applicable regulatory requirements. However,
it is submitted that it is not appropriate to place the responsibility for
compliance on any individual, unless that individual is not satisfactorily
trained.
For instance, where staff members understand the rationale behind the
reporting of suspicious transactions, they will report such transactions
more effectively and frequently.
The above is not exhaustive and is included for illustration purposes only.
It demonstrates the increasing importance being placed on compliance
training.
(a) Introduction
Now that the objectives of compliance training are understood, it is
important to consider how compliance training could be undertaken.
Step 1:
Identify training needs
As in all other areas of compliance, training resources are not unlimited.
Accordingly, a risk-based approach in prioritising training needs should be
adopted. In phase II of the compliance process (described above)
compliance risk assessment was looked at in order to determine which
regulatory requirements should be prioritised. In determining the risk
rating of a regulatory requirement, the following two elements were
discussed:
- Seriousness (the potential negative impact of non-compliance); and
- Probability (the likelihood of non-compliance occurring).
For example, FAIS and FICA are considered high-risk and training on the
relevant requirements of both of these Acts must be prioritised.
Step 2:
Identify who requires training
The second step in developing a training programme is to determine who
must be trained and what they must be trained on. It is not practical or
economical to simply train all staff in respect of all the regulatory
requirements.
Step 3:
Design or source training material
Now that the employees who must be trained have been identified, it is
important to either design and develop or source the training material
required.
Step 4:
Methods of rollout
Before the various methods of rollout are considered, it is important to
decide who should deliver the training material — the compliance function
or management?
Step 5:
Assessment
It is important to assess employees in respect of the compliance training
undertaken. Not only is it important to know whether the training has
been effective and whether actual compliance knowledge has been
imparted, it is also essential from a legal perspective.
As discussed earlier, certain legislation makes it compulsory to train
employees. If the accountable institution does not provide the training as
required in terms of Section 43 of FICA (see p54), the accountable
institution will be held liable in the event of a breach resulting from
inadequate training.
Another example is the FAIS Act that requires that employees who provide
advice must be 'fit and proper'. If such an employee does not pass an
assessment, the employer will be forced to suspend that employee from
providing advice or otherwise it runs the risk of exposing itself to risk as a
result of using staff that are not deemed competent.
Step 6:
Record-keeping
Attendance registers must be kept of all employees who attend compliance
training. Further, following an assessment, the results of the assessment
should be kept.
SECTION 14
Definition
Monitoring in the compliance environment can be defined as:
APPENDIX 9
The Compliance Process
The text highlighted in red indicates where monitoring applies in the compliance
process. The compliance process consists of the following four phases:
3. Prioritise the identified requirements by rating each in terms of
Probability and Seriousness. (The provisions of each requirement
should also be analysed and prioritised, if applicable, on the same
basis)
4. Plot the requirements according to the ratings on a scatter diagram.
5. Classify requirements into high, medium and low risks.
7. Include Compliance Risk Management Plan in the compliance manual.
9. Report findings of the review process to the relevant role-players.
14.2 Why Monitor?
Brian Sharpe, writing in his book "Making Legal Compliance Work", makes the
following comments:
"Effective monitoring aims to check that people are doing what they ought to be
doing and that the system is operating satisfactorily. As monitoring is what
frequently identifies problems, a failure to monitor adequately is likely to be
regarded as showing a lack of real commitment."
Monitoring:
(g) Be responsible for establishing a compliance culture in the bank that
contributes to the overall objective of prudent risk management by the
bank;
(h) Establish a line of communication to line management, in order to monitor
continuously compliance with laws and regulations or supervisory
requirements by the bank;
(i) Require line management to monitor compliance with laws and regulations
or supervisory requirements as part of their normal operational duties;
(j) Require regulatory requirements to be incorporated into operational
procedure manuals when appropriate; and
(k) Make recommendations whenever necessary in order to ensure that there is
compliance with laws and regulations or supervisory requirements.
STRATE Rules
15.5 Insurers and intermediaries shall, within 6 months from the date of
coming into operation of these Rules, ensure that they provide -
(a) For monitoring systems to measure compliance with these Rules.
This section of the handbook deals with how the role players carry out their
respective functions.
Compliance is more than just manuals and procedures and the extent to which
this is correctly perceived depends totally on the effective interaction between the
various role-players in the management of compliance matters. Interaction between
the role-players will only become effective once each of the role-players fully
understands their individual roles (mandate).
The compliance function may be centralised, decentralised or a
combination of both. The structure that is put in place will clearly have
an impact on the nature of the monitoring that is conducted.
The above activities indicate the role that the compliance function
should play in supporting management. In addition to this,
compliance officers must also undertake compliance monitoring.
business is exposed. It is ultimately their responsibility to oversee that
the business complies with applicable laws, regulations and supervisory
requirements. These risk management/ control responsibilities can be
delegated to appointed individuals, committees and functions.
APPENDIX 10
MONITORING ROLE PLAYERS AND THE TYPES OF MONITORING THAT THEY UNDERTAKE
Role players (column headings): Group Compliance; Business Unit Compliance; Internal Audit; External Audit; Regulators.
This table indicates the types of monitoring typically undertaken by the respective role players.
This section covers how and when monitoring is undertaken. This is graphically illustrated in the diagram.
[Diagram: Compliance Process for Regulatory or Business Environment - Existing and Anticipated. Phase I, Identification: Understand your business; Identify all applicable legislation; Categorise. Phase II, Risk Assessment: Prioritise; Plot; Classify. Phase III, Risk Management: Risk Management Plans; Control Measures; Assign Responsibilities. Phase IV, Formalised Monitoring: Review Process; Report; Management Remedial Action.]
Although some of the control measures that will be identified in Phase III will comprise
continuous monitoring activities by management, the formal compliance monitoring
activity is the fourth phase of the compliance process.
It is typical that when a compliance function is initially introduced, monitoring will take
some time to be implemented in an effective manner.
Maturity
The table below should be read in conjunction with the Compliance Process for Regulatory
or Business Environment diagram on the previous page.
Stage 1 — Undeveloped
Stage 2 — Developing
Stage 3 — Developed
Stage 4 — Fully Effective
This table illustrates the possible relationship between the maturity level of the
compliance function and the implementation of the different phases of the
compliance process.
(b) Complaints Review
A business should have written procedures for the effective consideration
and proper handling of customer complaints. Part of the compliance
process would be the monitoring of customer complaints to establish
possible areas of non-compliance. Complaints must be impartially
considered by either the compliance officer or a member of line
management of suitable seniority.
Date of occurrence
Division/business unit
Description of the incident
Seriousness
Person/s involved
Actions taken/to be taken
Person responsible for action
Date of resolution
A section blocked out from view to all the business units, which contains
the compliance officer's comments, follow up and date of resolution.
(d) Dashboard
The dashboard is a tool or early warning device for ongoing monitoring
that alerts the compliance officer to changes in the compliance
environment that could lead to an increased probability of non-compliance
occurring.
On a business unit level, the dashboard will typically be more detailed
and focused on the business unit activities whereas a group dashboard
will tend to be more high-level; less detailed and focussed on the group
compliance risk areas.
Ideally, the dashboard should be automated and linked into the business
units' management information system.
(f) Walking Around
Line management should be actively involved with staff at all levels in
order to be able to quickly identify issues of non-compliance.
(g) Physical Checks
Line management needs to physically check that the procedures and
other controls are being carried out.
(i) Mystery Shopping
Compliance officers can identify exceptions through mystery shopping.
For example, this may entail the compliance officer or appointed person
actually opening an account at a bank branch to identify whether staff
members correctly follow the designated procedures in practice.
This compliance monitoring process requires the compliance officer to perform a series
of procedures and activities:
The methods used to obtain information to produce the aforementioned output take the
form of questionnaires, one-on-one discussion, workshops and stand-alone work, for
example, walkthrough reviews and analytical reviews.
All team members and any specialists that may be engaged on the compliance
review must be identified and documented during this phase to take the
aforementioned into account.
If we agree the minutes of the annual general meeting with the copy of the
return submitted to the Registrar of Banks (book of record to a source
document), this would be vouching and if we agree the minutes and return
to the confirmation letter received from the Registrar of Banks, this would be
a verification procedure (agreeing information to other sources of information
such as from a third party).
The test for existence involves selecting only one item from a population.
The adequacy test must be documented in a working paper, which serves as
evidence of the work done and any pertinent information gathered and
should state whether the control is adequate or inadequate.
If a control is adequate, then its consistency must be reviewed.
Substantive Review
(i) Determine Scope
For the purpose of this example, it would be assumed that the scope of
the review covers a reporting period, for example, the previous financial
year. (Also refer to Materiality discussed in paragraph 4.2.5 (d) below).
(ii) Sample Selection
If during a financial period, 100 transactions have taken place, these
100 transactions, numbered 150 to 250, make up the population. A
sample must then be selected (of say 30 items), from this population of
100 items. These 30 items will be reviewed.
(iii) Testing of Items
The items are tested and the results indicate that one item is not in line
with the controls. A further sample could be selected for every item
that is not in line with the control. The reason for the increase in the
sample size is that the compliance officer requires further evidence that
the sample is representative of the population, namely, in view of the
exception found. If further sampling reveals that all items are in order,
the conclusion that could be reached is that the controls are effective.
If any of the items in the extended sample group are not in line, the
conclusion is that the controls are ineffective.
samples and the conclusion reached must all be recorded in the working
papers.
In determining whether an item is material, the following factors can be taken into
account:
Probability and seriousness ratings could also be applied to determine the
materiality levels, where only items above a certain probability and seriousness
level will be reviewed.
(f) Sampling
Why is sampling used?
The compliance officer has to obtain sufficient and reliable evidence to express a
valid and credible opinion. It is virtually impossible to review every transaction,
due to the size and complexity of larger organisations and the cost factor involved
in a 100% review. The compliance officer therefore has to select a sample of
items within a population, which is then tested and the findings are evaluated in
order to draw a conclusion.
Sampling Terminology:
(i) Population: This is the entire set of data or items from which a sample
is selected and on which the compliance officer will draw a conclusion. For
example, a population could be all Trust Departments, or all bank
reconciliations at a branch for the 2000 financial year-end.
(ii) Sampling Risk: This is the risk that the compliance officer's conclusion,
which is based on the sample selected, may be different from the conclusion
that he would have reached if he tested the entire population.
(iii) Sampling Units: These are the items that make up the population.
(iv) Review Sampling: This involves the application of review procedures to less
than 100% of the items in a population.
(v) Tolerable Error: This is the maximum number of errors in a population that
the compliance officer is willing to accept and still conclude that the result from
the sample has achieved the stipulated objective.
(vi) Materiality: The level of materiality set by the compliance officer and
management will determine the extent of the review done.
Sampling Methods
The compliance officer has different sampling methods that can be used. The
method of sampling that is chosen depends on the nature of the population and
the objective of the test. This is illustrated in the discussions on the various
methods below. Compliance officers may outsource the selection of sample to
internal audit, for example.
The compliance officer can use a statistical or non-statistical approach to select
his/her review sample.
Statistical Sampling:
Statistical sampling has the following characteristics:
Can be randomly selected (use of computer programme) where every
item in the population has an equal chance of selection; and
Can be systematically selected (use of a computer programme) where the
first item is randomly selected and then say every 10th item is selected.
The Banks Act requires sector classification of advances from banks. Monetary
unit sampling can be applied to test whether items are classified correctly.
Selecting the largest items under each sector classification speeds up the
process.
Sampling for attributes, which calls for yes or no, right or wrong answers, is
usually used to estimate the number of errors or some other characteristic in a
population. This sampling is concerned with the number of items and not the
value of the items. For example, the number of forensic reports that are
submitted after the 7-day deadline period. The more variable the items in a
population, the larger the sample size needed - this is determined with
reference to statistical tables.
For example, if all the characteristics are either 'yes' or 'no', then there is no
great variability. A formula consisting of two parts is used in calculating the
sample.
function. The compliance officer would select their sample of items from this
period.
In principle, if the sample reveals errors or concerns, the sample size should
be expanded, taking into account the circumstances and nature of the findings.
For example, it may be appropriate to expand the sample size by one third for
each error found; however, this will depend on circumstances and is not a
general rule.
Working papers should also take the following matters into account:
Documentation — the manner in which the information is arranged should be
consistent — preformatted working papers meet this requirement.
Objective of the test, scope and regulatory requirements, section/subsection and
provision — must be clearly stated on the working papers.
Work done/comments — the manner in which the sample was drawn and the actual
work done etc.
Conclusion — the conclusion reached by the compliance officer on the work done.
Results should consist of the following:
Findings to be communicated to management (this is when non-compliance has
been identified).
Effect of this non-compliance must be explained.
Recommendation/s — the control that must be implemented to ensure
compliance to the relevant requirement/s.
Management comments - consists of the response to the above which must also
be documented.
Indexing and cross-referencing;
Supervisory review - to be completed in the review notes section of the working
paper; and
Ownership — name, signature and date on every working paper.
APPENDIX 11
EXAMPLE OF WORKING PAPERS
An example of a working paper follows:
Reference
Date
Signature and Name:
Compliance officer
Compliance Manager
Regulatory Requirement:
Section/ Subsection:
Provision:
Objective:
Scope:
Test:
Work Done:
Results:
Conclusion:
(a) Introduction
During this final phase of the compliance review process, the evidence that
was gathered and committed to working papers must be evaluated to
determine whether the evidence is sufficient and appropriate. The reported
conclusion must be based on the evaluation of the person responsible (usually
the manager) for the review.
There should be a flagging and follow-up system to ensure that the
matter/problem is resolved or dealt with properly. This system will be the
responsibility of line management. The compliance officer will facilitate and
advise on these systems.
The report should address the positive and the adverse findings of the
compliance review. The reporting of positive findings provides
management with the assurance that controls are sound and are in place.
The report of adverse findings serves as a preventative tool as it alerts
management on what action needs to be taken. The adverse report on
controls may be as a result of controls falling into misuse after
management had implemented a plan of action previously. In cases such
as these, the review report must support management so that the issue
reported is not construed as criticism.
A few examples of issues that could feature in the effect of the deficiency
aspect of the report are cost-benefit analysis, further illustrations on how
things could get worse if the control is not adhered to and setting out a
percentage or a rand value of the breach and its effect in terms of fines
and penalties.
Expressing a deficiency, its underlying causes and its effect, will give the
compliance officer a logical foundation that will assist in making
recommendation/s.
If there is more than one option available to address the non-adherence
to the control, the alternatives should be set out in the recommendations.
However, the compliance officer must beware of providing an overload of
advice in these situations.
"We strongly recommend that the...."
"It is advisable for management to implement the....."
"It is essential that management puts the ......"
(2) The Compliance Division
The compliance division should adopt the following control
procedures:
• Professional Requirements - independence, integrity,
objectivity, confidentiality and professional behaviour.
Individual Assignments
The compliance officer should implement the quality control
procedures that are the policies and procedures of the compliance
division, to the individual reviews as well. The following could be
adopted:
Direction — The compliance team to whom work is delegated
need appropriate direction on their responsibilities and the
objectives of the procedures to be performed, nature of the
business, budget constraints etc.
Supervision — This involves monitoring the progress of the
review, assisting the junior compliance officers with queries and
issues requiring professional judgment.
Review — The work performed by each assistant needs to be
reviewed by personnel of at least equal competence to consider
whether or not:
> The work has been performed in accordance with the
programme.
> The work performed and the results obtained have been
adequately documented.
> Significant matters have been resolved.
> Objectives of the review procedures have been achieved.
> Conclusions expressed are consistent with the results of the
work performed and support the compliance opinion.
APPENDIX 12
PRACTICAL EXAMPLES OF INDEPENDENT MONITORING
Practical examples to further illustrate Independent Monitoring techniques
Example 1
Assuming that the scope of this review is for the period 1 March 2000 to 28 February
2001. The secretarial department controls 100 companies that are subsidiaries,
associates or joint ventures of the holding company.
PROVISION:
The Act also prescribes that the following matters must be dealt with at the
Annual General Meeting:
- Acceptance of the Annual Financial Statements
- Appointment and Remuneration of Directors
- Appointment of Auditors
CONTROL:
(1) A preformatted agenda, which sets out the prescribed matters to be discussed
at the meeting.
(2) A checklist which the company secretary ticks at the meeting to ensure that
all prescribed matters are discussed.
(3) The company secretary documents minutes, which are preformatted with the
issues to be discussed.
TEST - Substantive Review:
(1) Inspect a sample of 30 minutes of meetings held to ensure that all prescribed
matters have been dealt with as prescribed.
APPENDIX 13
Example 2
Banks are required to submit returns to the Reserve Bank. These returns are for the Bank to
confirm that certain requirements of the Banks Act are complied with. The compliance officer
conducts adequacy, consistency or substantive review on the controls or information in place in
order to confirm to the Reserve Bank that it complies with these regulatory requirements.
PROVISION:
The DI 820 return that the Bank Compliance Function has to complete is that the
Bank is complying with the average minimum amount of liquid assets, as provided
for in section 72 of the Act?
CONTROL:
A manager in charge in the Treasury department reviews the liquid asset records
as a percentage as well as in Rand value on a daily basis and signs the liquid
asset register to confirm that the minimum amount of liquid assets held by the
Bank at the close of business on any day during the holding period did not
decrease to an amount less than an amount equal to 75% of the average daily
amount of liquid assets required to be held?
The manager in the Risk Management department monitors the balance on a weekly
basis and signs the register to confirm this amount.
TEST:
Adequacy Review:
Select any one day and inspect the register for evidence of the Treasury
Department manager's signature confirming that the daily balance complies with
the Act.
Select any week and inspect the register to confirm that the Risk Management
department manager has signed the register to confirm that the daily balance
complies with the Act.
Consistency Review:
Randomly select 10 days of a month in the current financial year and inspect the
register for evidence of the Treasury Department manager's signature confirming
that the daily balance complies with the requirements of the Act.
Randomly select 10 weeks of the current financial year and inspect the register
for evidence of the Treasury Department manager's signature confirming that the
daily balance complies with the requirements of the Act.
Substantive Review:
Calculate the average amount of the liquid assets during a holding period.
Calculate 75% of the average amount of the
Conclusion
Compliance monitoring is one of the cornerstones of the compliance function. The application
thereof will depend on the monitoring objectives and on the circumstances.
SECTION 15
15.2 Background
The program will be divided into two important subsections, i.e., the general
awareness program for the employees and a formalised intensive training
program of Compliance Officers or any employee whose job contains specific
compliance tasks or responsibilities.
15.3.1 Education
Education ensures that employees understand the relevant topic.
Education needs to be carried out by a number of means and repeated
at intervals. The methods that could be used are:
i) Circulars
ii) Manuals
iii) Booklets
iv) Presentations
v) Briefings
Compliance monitoring will indicate all the areas that the employees
do not comply with. These areas would need to be emphasised and the
education program would be adjusted accordingly to accommodate
these areas.
15.3.2 Communication
Communication reinforces the compliance system's importance to all
employees and management and ensures that they remember the
items with which they have to comply.
Communication should be brief and easily absorbed and should be
designed just to jog the memory.
The methods for communication should include:
(a) Oral presentation;
(b) Short articles or reminders in internal journals;
(c) Messages on electronic mail system; and
(d) Even occasional posters.
Communication overlaps with education and should be two-way.
Communication from the workplace back to the Compliance Officer
should be encouraged because it will:
(i) Express ideas;
(ii) Facilitate the resolution of problems;
(iii) Note difficulties in a system that needs improving; and
(iv) Assist employees to feel comfortable about seeking help.
SECTION 16
work discipline. Repeated misconduct will warrant warnings which
themselves may be created according to degrees of severity. More
SECTION 17
17.1 Introduction
Procedures and controls to accommodate customer complaints according to,
inter alia, the Code of Banking Practice, The Financial Advisory and
Intermediary Services Bill 2000 and the Policy Holder Protection Rules, are
discussed in this section.
17.2 Background
An entity must have written procedures for the effective consideration and
proper handling of customer complaints and must also ensure:
(a) that each of its employees is aware of these procedures and of the
obligation to follow them;
(b) a proper handling of the complaints from customers are relevant to its
complaints, with the principles and the rules applicable to the conduct of
that business;
(c) that any appropriate remedial action on those complaints is promptly
taken; and
(d) where the complaint is not promptly remedied, the customer is advised
of any further avenues for complaint available to him.
17.3 Procedure
The procedures are mainly concerned with "significant complaints". The term
significant complaint includes one which cannot be settled quickly and directly
and one which involves material amounts in relation to the financial
circumstances of the complainant or one which alleges:
(a) a breach of any relevant legislation;
(b) a breach of the customer mandate;
(c) bad faith, malpractice, impropriety, repetition or recurrence of any
matter about which there has been a recent complaint.
It is important that line management keep track of the complaint until it has
been completely resolved.
SECTION 18
negatively on an entity.
SECTION 19
The Board of Directors and management will rely on the compliance function to obtain
an appropriate understanding of the level of compliance with regulatory requirements.
In placing reliance on the function, they will need to know whether the compliance
officer is sufficiently independent.
(a) Introduction
There is, to some degree, a natural conflict between the interests of business
and complying with regulatory requirements. For instance, where
management's performance is primarily assessed on income/profit that is
generated, it is likely that this is where the primary focus will remain.
Compliance, on the other hand, may result in restrictions being placed on
business opportunities.
This is reflected in regulation 47(1) of the Banks Act that provides that:
For instance:
Firstly, the compliance officer is reporting the failure directly to the
person responsible for the failure; or
Secondly, the report may be squashed and never reach the Board who
is ultimately responsible for compliance.
The internal and external auditor functions have gone to great lengths to
establish standards that promote independence. The compliance function
is faced with similar challenges.
However, it is also detrimental to be too independent as the compliance
officer runs the risk of becoming an "outsider." The compliance function
must ensure that it remains part of the day-to-day business decisions
by assisting management in playing a role of being "part of the solution"
in complying with regulatory requirements. If compliance is structured
along the lines of an internal audit function, it risks being reactive rather
than pro-active.
The compliance officer should not have any conflict of interest that would
impair their independence.
19. COMPLIANCE FUNCTION REPORTING LINES
The diagram that is set out below serves to highlight compliance reporting lines that
could be put in place in a large organisation:
[Diagram: compliance reporting lines. Boxes shown: Board of Directors, Chief Executive Officer, Board Audit Committee, Compliance Officer, Management, Staff. Legend: direct reporting lines.]
SECTION 20
For example, a business has a client (of 25 years standing) who is a director in a mining
company and wishes to sell a portion of the company. Another client wishes to invest in
mining. A situation arises where these clients have opposing interests. Whose
interests come first? Can the information obtained from one client be used for the
benefit of the other client?
Clearly the business should guard against committing market fraud, breaching fiduciary
duties and committing insider trading offences. More importantly, there is the risk of
reputational damage if any of the above was found out.
The compliance function plays a valuable role in that it assists management to ensure
that control measures are in place to avoid or manage conflicts of interest adequately.
(a) Introduction
Where a business holds a particular share and wishes to sell it at the highest
possible price and a customer instructs them to purchase that particular
share on his/her behalf but at the lowest possible price, a potential conflict of
interest arises.
Does the trader act in the best interests of the business and sell at the highest
possible price to the customer, or does he give the customer a "good deal" and
prejudice the interests of the business?
How does a compliance officer assist management to ensure that such conflicts of
interest are appropriately managed?
It is acknowledged that much of the information contained in this section has been adapted from the
Financial Services Authority — United Kingdom
Appropriate management of conflicts of interest is essential to maintain
stakeholder confidence in a business.
SECTION 22
Reporting:
(c) Document the compliance officer's finding, including any remedial action,
as part of the compliance-monitoring programme.
(b) Services
In Section 7, various aspects of compliance services were considered which
included the provision of advice on regulatory requirements, overseeing the
implementation of the compliance process, contact with the regulators and
reporting.
(iii) Reporting
Compliance officers produce a number of reports in the normal course of
their day-to-day activities. These include:
Compliance reporting;
Management reporting; and
Board reporting.
Clearly copies of the reports will serve as a record of the work done by the
compliance officer/function.
Copies of any and all reports to the regulator on compliance issues should
be kept on file.
21.3 Training
It is good practice to keep records (attendance registers) of all employees who have
attended compliance training. Where assessments of staff members that are trained are
undertaken, the results of the assessment should be kept.
From a compliance perspective, this will serve as evidence of the responsibility to train
staff having been fulfilled.
These records should identify who received compliance training, as well as what they
received training on and the results of any assessment conducted. Record keeping
provides evidence of compliance with regulatory requirements.
21.4 Monitoring
Compliance monitoring activities provide an essential understanding of how well the
business is complying with the regulatory requirements.
The recording of monitoring activities is essential. The nature of the records will vary
according to the type of monitoring that takes place.
The results of monitoring that is conducted should be communicated to a number of
stakeholders. These include:
Management
Staff Members
Internal Audit
Risk or Audit Committees
Board of Directors
SECTION 21
In order to assist management and the Board, they must be adequately informed of the
status of compliance. How is this achieved? One of the key means of providing the
required information is through compliance reports.
(b) Compliance reporting
There are a number of regulatory requirements that require business to undertake
compliance reporting.
For example, Regulation 47 of the Banks Act specifies that a bank compliance
officer must submit a report on the level of compliance with laws and regulations
or supervisory requirements at every meeting of the Board of Directors or the
Audit Committee of the bank.
Regular reporting is essential from the lowest levels of the business through to the
top levels of management and ultimately to the Board. Compliance challenges,
significant events, breaches and action taken or proposed to remedy the
aforementioned should be reported.
APPENDIX 14
ROLL UP OF COMPLIANCE REPORTING
The roll-up of reporting within a large organisation is illustrated below. This is by no means the
only way in which this can be structured and the illustration is only intended to demonstrate
key aspects of the reporting.
The compliance reporting to management and the Board of Directors provides the
[Diagram: roll-up of compliance reporting. Boxes shown: Executive Committee, Board of Directors, Audit Committee, Group Compliance, Business Unit, Business Unit.]
SECTION 23
(a) Introduction
"You need their continuing permission in order to conduct business. You are
obliged to be open and co-operative with them. They can ask you for almost
any information or documentation and they can inspect your business at any
time with or without notice. If they do not like what they see, your firm can be
warned, fined, pilloried, ordered to pay compensation or have its profits
redistributed among claimants. Ultimately, they can suspend or terminate
your firm's authorization, and can prevent any individual from taking up or
remaining in employment in the financial services industry in the United
Kingdom and, practically speaking, in any major financial centre in the world.
Neither you nor your firm can afford to incite them to action."
Newton on the role of the regulator.
The regulator holds the key that allows the conduct of business. A good
relationship with the regulator is critical to the sustainability of the business in
the long term. Such a relationship is only established through effective liaison
with the regulator.
It is clearly advisable that business ensures that the relationship with the
regulator is one of open and effective communication. In playing "open cards"
with the regulator, a level of trust is developed and the business will gain a
reputation of being co-operative.
The compliance officer is also responsible for reporting compliance issues to
the regulator. For example, Regulation 47 of the Banks Act requires the
Further, the FAIS Act requires the compliance officer of a financial services
provider to submit an annual compliance report to the Registrar.
Experience has shown that the way in which business is viewed by the
regulator is, to some extent, a result of the nature of the relationship
between the business (and in particular the compliance officer) and the
regulator.
INDEX
24. ACKNOWLEDGEMENTS
Regulatory requirements
References to the regulatory requirements that are imposed are made in the body of this
course.
Other references
Specific references that have been used in the production of this course are set out below:
- King II Report on Corporate Governance for South Africa - Institute of Directors in South Africa - March 2002
- Financial Regulation in South Africa - Roy Bamber, Hans Falkena, David Llewellyn, Tim Store - SA Financial Sector Forum - 2001
- The Internal Auditing Handbook - K.H. Spencer Pickett - Published by John Wiley and Sons - 1999
- The Handbook of Compliance - Making Ethics Work in Financial Services - Newton, Andrew - 1998
- Making Legal Compliance Work - Brian Sharpe - CCH Australia Ltd - 1996