
Chief Compliance Officer:[1] Role and Responsibility Assessment Tool[2]
Part of IFC’s Advanced Methodology for Financial Institutions

[1] Depending on the institution, some functions of the Chief Compliance Officer (CCO) may be allocated to the chief risk officer (CRO), chief financial officer (CFO), and others. The main responsibility of the CCO is to focus on mechanisms and processes to implement the policies of the bank and ensure that the institution complies with all the relevant laws and regulations. In all cases, functions should be coordinated so that there are no gaps.
[2] Prepared by Sinclair Capital, a G3 affiliate.
[3] “Same” in a column means that the recommendation with the same number in the column immediately to the left is carried over into that column. Where the recommendation is the same but with additions, the additions are in italics.
[4] Generally, in smaller financial institutions, CCOs have, at a minimum, two to five years’ related experience. At larger, more complex financial institutions, functioning in multiple jurisdictions and having multiple business lines, the minimum is six years’ experience.

Levels, in ascending order: ACCEPTABLE, BETTER, DESIRABLE, BEST PRACTICE

I. Personal Qualifications

ACCEPTABLE
1. Integrity and understanding of duties of loyalty and care.
2. Communication skills.
3. Honesty and ethical behavior.

BETTER
1-3. Same.[3]

DESIRABLE
1-3. Same.

BEST PRACTICE
1-3. Same.

II. Professional Qualifications and Skills

ACCEPTABLE
1. General familiarity with laws and regulations governing financial institutions.
2. General familiarity with laws and regulations governing companies (and, if the bank is publicly listed, regulations and laws covering public companies).
3. Basic knowledge of and general familiarity with prevention of money laundering and financing terrorism (AML/CFT). Ensures that qualified staff and adequate systems are in place for compliance with AML/CFT.

BETTER
1. Same, and minimum two years’ experience in a financial institution in the compliance area, with proficient knowledge of laws and regulations in the jurisdiction.[4]
2. Same.
3. Same, but with in-depth knowledge of AML/CFT requirements.

DESIRABLE
1. Same, and ability to provide technical guidance and direction in banking operations and lending compliance.
2. Same.
3. Same.
4. Technical proficiency in financial crime prevention and detection.

BEST PRACTICE
1-4. Same.
5. Knowledge of compliance law and regulation in leading jurisdictions.

III. Appointment

ACCEPTABLE
1. Appointed by the CEO, CFO, CRO, or general counsel.

BETTER
1. Same.
2. The board is informed of the appointment.

DESIRABLE
1-2. Same.

BEST PRACTICE
1-2. Same.

IV. Reporting Line and Accountability

ACCEPTABLE
1. Independent of any business line (to avoid conflicts of interest).
2. Reports to senior-level official (maximum two steps removed from the CEO).

BETTER
1. Same.
2. Same, and has unrestricted access to CEO and CFO.

DESIRABLE
1. Same.
2. Same, or to committee or executive committee.

BEST PRACTICE
1-2. Same.

V. Reporting

ACCEPTABLE
1. Reports to CEO and board on all instances of whistle-blowing.
2. Reports findings of ongoing monitoring of activities and operations with regard to compliance to the board.
3. Provides summary data on compliance issues to board, as needed but at least annually.

BETTER
1-3. Same.

DESIRABLE
1. Same.
2. Same.
3. Same, and assists senior management and the board in drafting compliance reports for inclusion in the bank’s annual report.
4. Ability to raise concerns to the board or appropriate board committees.

BEST PRACTICE
1-4. Same.

VI. Resources

ACCEPTABLE
1. Adequate time to fulfill CCO role (if not the individual’s only role within the bank).
2. Adequate expertise and resources to fulfill the compliance function.
3. Ability to engage appropriate external assistance.
4. Adequate resources to be able to meet regulatory requirements.

BETTER
1. The CCO role is the individual’s only role within the bank.
2. Same.
3. Same.
4. Same.
5. Appropriate access to necessary infrastructure support, such as IT.
6. Ongoing training is provided to all relevant staff.

DESIRABLE
1-6. Same.

BEST PRACTICE
1-5. Same.
6. Same, as well as appropriate training broadly throughout the bank.

VII. Responsibility - Policy

ACCEPTABLE
1. Developing compliance (and security) programs for the bank and subsidiaries, consistent with laws and regulations.

BETTER
1. Same.
2. Recommending enhancements to the bank’s security controls based on periodic assessments.

DESIRABLE
1. Same.
2. Same.
3. Assessing the bank’s compliance culture and designing training programs to address gaps.

BEST PRACTICE
1. Same.

VIII. Responsibility - Implementation

ACCEPTABLE
1. Ensuring compliance with applicable domestic law and regulations.
2. Ensuring compliance with AML/CFT requirements; in particular, account activity reviews and investigations to identify unusual and suspicious patterns (increasingly involves detection software).
3. Ensuring compliance with the bank’s internal policies, including adequate knowledge of them and documenting compliance.
4. Ensuring compliance with ethics policy and implementation of whistle-blowing procedures.
5. Responding to regulatory findings, deficiencies and violations, in conjunction with the chief of internal audit.
6. Monitoring resolution of consumer complaints.
7. Overseeing fraud investigations involving customer accounts and recovery of funds, and coordinating investigations with appropriate internal resources and external investigation and enforcement officials.
8. Conducting internal investigations of employee activities where there are violations of bank policy or regulation.
9. Maintaining effective documented compliance and security programs.
10. Overseeing the records retention program, with appropriate attention to safeguarding customer privacy.[5]

BETTER
1-8. Same.
9. Same, and ensuring that those policies are disseminated, as needed, throughout the bank.
10. Same.
11. Reviewing new products and services (and marketing materials) to ensure compliance with applicable rules, regulations and regulatory policies.
12. Ensuring the adequacy and effectiveness of the compliance and security training programs, including employee and officer training on AML/CFT policies.
13. Maintaining a comprehensive list of related parties, as required by law.

DESIRABLE
3-15. Same.
16. Establishing a close working relationship with the chief information officer (CIO) to leverage technology for compliance monitoring and initiatives and for managing records.
17. Monitoring pending regulatory changes and preparing for compliance with them.
18. Ensuring dissemination of updates to regulations and compliance procedures to business units, control units, the CEO and the board.
19. Ensuring that a documented code of ethics is periodically disseminated to and acknowledged by employees.

BEST PRACTICE
1-19. Same.
20. Together with risk management and internal audit, contributing to establishing an enterprise-wide risk management framework, for all companies in the group and at all levels, consistent with requirements of COSO II.
21. Monitoring and testing new compliance technologies and procedures, such as intelligent transaction monitoring systems.

Acceptable: Minimum acceptable practices in corporate governance and compliance. Elementary. Meets the basic regulatory and legal requirements. Reflexive.

Better: Taking further steps to strengthen corporate governance and compliance. More established. Beginning to form a system. Meeting some internal and external regulatory/legal requirements.

Desirable: Major contributor to improving corporate governance and compliance nationally. Established. A system is in place. Meets all internal and external requirements. Proactive and forward-looking. Working toward best practices.

Best Practice: Conforms with international best practices in the industry. Well-established system. Compliance is integrated into the corporate governance framework of the organization. Forward-looking and focused on continuous improvement.

[5] May be the responsibility of the .
