Regulatory compliance, anti-money laundering, know your customers, reporting (FATCA and CRS) and corporate governance are strategic requirements and key focus areas for financial institutions across the world.

We provide end-to-end FRC services to institutions seeking to enhance their compliance and governance frameworks.

Our GRC solutions include:

Following the global financial crisis, regulators globally have introduced tougher regulations with enhanced monitoring. The CBB Rule-book and the Basel paper on ‘Compliance functions in banks’ set standards for banks’ compliance functions.

The CBB Rule-book is module-based and contains ‘requirements’ and ‘guidelines’ for banks. Module-specific requirements may involve multiple functions and processes. Each task has to be assigned or delegated, roles and responsibilities must be defined and a monitoring mechanism has to be established for on-going compliance.

Compliance levels must be periodically reviewed. Featuring examinations of internal policies, procedures and checklists – as well as discussions with relevant decision makers – our compliance reviews are both module- and function-based.

The process includes:

  • Reviewing the tools used to determine compliance status
  • Creating module-specific checklists of key requirements and actions
  • Determining monitoring requirements by module
  • Assessing how date-sensitive reporting requirements are monitored
  • Reviewing compliance set-up – centralised, de-centralised or hybrid
  • Assigning ownership with defined actions and target dates
  • Reviewing annual compliance plans for risk-based checks
  • Reviewing the process of reporting to boards and management
  • Assessing annual disclosures, corporate governance reporting and CBB reporting

Keypoint’s review model considers qualitative (empirical) and quantitative (specific) regulatory requirements based on criticality. In discussions with the head of the compliance function and others involved in the implementation process, our FRC team examines policies, procedures and processes.

After assessment, compliance levels are scored. Based on risk-weighted parameters, a final score indicates the level of overall compliance. Keypoint’s customised process identifies gaps and recommends steps to enhance compliance.

Compliance function reviews include:

  • Benchmarking of the compliance function against CBB regulations and leading practice
  • The roles, responsibilities and authorities of the compliance function leader
  • Compliance charters, frameworks and manuals
  • Compliance monitoring tools
  • Reporting structures and processes
  • Stakeholder communications
  • Annual checks on compliance programmes
  • Monitoring of submission of reports to the CBB and other regulators
  • Processes for handling non-compliance and issues of concern
  • New product approval processes
  • Gap assessments

A framework is a structured set of guidelines that details an organisation’s processes for maintaining compliance with regulations, specifications or legislation. Frameworks outline the regulatory compliance standards relevant to an organisation, as well as the business processes and internal controls it has in place to adhere to those standards.

Frameworks can include communication processes, risk controls and governance practices for maintaining compliance.

Compliance frameworks identify compliance process overlaps and help eliminate redundancies.

As regulations have proliferated, there is an increasing need for organisations to develop comprehensive compliance frameworks.

Our framework enhancements include:

  • Developing and deploying frameworks that are aligned with organisational setup and process flows
  • Documenting policies (such as AML, KYC, compliance, corporate governance, board charters, codes of conduct, whistle blowing and disclosures) and procedures for those policies
  • Developing a risk-based approach
  • Reviewing forms, typologies, and other enablers
  • Reviewing process flows and reporting

Compliance monitoring systems & annual compliance plans

A compliance monitoring system (CMS) helps ensure employees understand their compliance responsibilities and incorporate requirements into business processes. A CMS can be developed to ensure that responsibilities are correctly carried out and requirements are met. An effective CMS includes three interdependent elements:

  • Board and management oversight
  • Compliance programmes
  • Compliance audits

Financial institutions in Bahrain and across the GCC are expected to develop a formal, documented CMS. A CMS that is well planned, implemented, and maintained should help reduce regulatory violations and increase cost efficiencies.

Our FRC function can benchmark and assess the implementation of regulatory requirements (as set out in the CBB’s FC module). We work to understand compliance with each type of requirement, identifying gaps and assessing compliance with both regulatory provisions and leading practice.

As well as looking at board and senior management roles, we assess clients’ MLRO and AML functions and examine management reporting levels from a risk-based perspective. We investigate KYC policies and processes and customer profiles.

We examine internal policies, procedures and processes. In discussions with the MLRO and other key persons in the implementation process, we assess:

  • Transaction monitoring and suspicious activity reporting
  • Monitoring of high risk accounts and activities (including correspondent banking, electronic transfers, trade finance, money transfer services and cash couriers)
  • Policies and procedures
  • Training and awareness
  • Other measures (such as record keeping, annual reports, screening and sanctions)

We list divergences from leading practice and suggest mitigation strategies.

An AML framework must include policies, procedures and implementation processes. Consistent, risk-based control and monitoring mechanisms need to be adopted so that regulatory provisions are adequately covered.

By examining internal policies, procedures and processes, holding discussions with key persons and examining implementation and operations processes, audit reports and other related documents, Keypoint’s FRC team can:

  • Review policies, procedures and processes for all product and delivery channels to assess consistency with regulatory requirements
  • Recommend enhancements to frameworks to address gaps
  • Review risk-based transaction monitoring and customer on-boarding processes
  • Review processes to assess country risk, maintain correspondent banking relationships and monitor trade finance activity
  • Implement, review and upgrade organisations’ AML systems
  • Document alert generation rules and monitoring processes
  • Report on processes for dealing with suspicious transactions and activities

Assessing AML risk involves examining the risks associated with enterprise level structures, entities, products, customer types, delivery channels, geographic spread and other operational factors. Based on these factors, we develop a model which identifies risks, assigns risk ratings, analyses risk mitigation measures and provides an overview of AML risk at an enterprise level.

Assessing AML risk helps organisations:

  • Comply with key regulatory requirements
  • Understand their AML risk
  • Keep boards and management updated on AML risks
  • Identify areas for improvement in AML policies, procedures and processes
  • Make informed decisions about risk appetite, control efforts and the allocation of resources
  • Align business lines’ AML programmes with overall risk profiles
  • Develop internal controls to lower residual risk exposure
  • Increase awareness of key risks, control gaps and remediation efforts
  • Make strategic decisions regarding commercial exits or de-risking

Keypoint develops comprehensive, risk-based profiles of an institution’s customers, products, services, processes and geographies. The process is specific to the institution, its strategic focus and its areas of operation. Our teams typically assess:

  • Compiling of customer data and AML risk classifications
  • Products and their risks, based on defined criteria
  • Geographic distribution of activities by country
  • Services by distribution
  • Processes involved in product delivery (and their AML risks)
  • AML frameworks, policies and procedures to assess how identified risks are addressed – and the tools used to mitigate those risks
  • Risk rating models and risk registers
  • Risk appetites and de-risking options
  • Report analysis

Customer on-boarding processes and KYC management are fundamental to any financial institution and are a primary AML requirement. KYC risk classification, periodic reviews and record-keeping are major ongoing requirements.

During the KYC review process, we review the customer onboarding process (whether manual or systems-based), examine the controls for capturing data (mandatory and optional) in systems and review records (system and files). We review existing customer data for quality assurance.

Our KYC management process includes:

  • Reviews of KYC and customer onboarding policies and procedures
  • Reviews of on-boarding processes and data quality
  • Risk classifications of customers and reviews of KYC data
  • Suggestions to improve KYC management, data capture and system synchronisation
  • Establishing a risk-based process for periodic KYC reviews and monitoring
  • Reviews of ‘high risk’ and preferred customers
  • Combining FATCA and CRS requirements under KYC

FATCA is a 2013 law aimed at curbing tax evasion by US citizens and residents. It requires foreign (non-US) financial institutions (FFIs) to identify their US clients (both individuals and entities) and report on their financial activities to the US Internal Revenue Service (IRS). Non-compliance may attract a withholding tax on payments to customers and isolation from other participating financial institutions.

Bahrain adopted FATCA in 2013 using an inter-government agreement (IGA). The final IGA model 1 agreement was signed in January 2017 and was circulated by the CBB in May 2017. On-going compliance, including identifying reportable accounts, setting up and maintaining reporting processes and developing system interfaces and reporting formats, is complex and may differ for each jurisdiction.

FATCA compliance requires:

  • Policies and procedures
  • Updated KYC forms that record customers’ US status
  • Updated IT systems
  • Processes to collect required information
  • Training
  • Reviews
  • Periodic health-checks and support

The OECD, working with G20 countries and in close cooperation with the European Union (EU) and other stakeholders, developed a standard for the automatic exchange of financial account information in 2015, referred to as the common reporting standard (CRS).

About 130 countries have signed up to CRS. Bahrain adopted a ‘wider approach’ to CRS in 2017.

Similar to FATCA, CRS requires that financial institutions identify the tax resident status of all their clients (individuals and entities) and annually report financial information of ‘reportable accounts’ to the respective reportable jurisdictions through a local competent authority (in Bahrain, the CBB).

CRS compliance requires:

  • CRS policies and procedures
  • Updated KYC forms that record customers’ tax resident status
  • Updated IT systems
  • Processes to capture required information in the appropriate format
  • Training
  • Compliance reviews
  • Periodic health-checks and support

Our health-check service, offering ongoing support, helps ensure FATCA and CRS processes are kept up-to-date with regulatory changes, key tasks are performed regularly, data is clean and the reporting process is smooth. Additionally, we provide ‘on call’ support.

Our health-checks include:

  • Periodic reviews and revisions of FATCA and CRS policies and procedures
  • Clarifications on FATCA and CRS-related queries
  • Guidance on reporting documents
  • Reviews of data extraction processes and reportable data maintenance
  • The timely conduct of due diligence processes
  • Reviews of reporting processes and templates
  • Assistance with online reporting
  • Training

Corporate governance is the framework which monitors the activities and conduct of a company to protect the interests of all its stakeholders. The OECD and the Basel Committee have guided central banks on corporate governance standards, reflected in the high-level controls module of the CBB’s rule book.

Our FRC function can both review and enhance organisations’ corporate governance functions.

When reviewing corporate governance functions, our team reviews policies, board and committee charters, board committees and their functioning, codes of conduct, performance reviews, conflict of interest policies and other related documents. We interact with the board secretary, the head of the compliance function and other functionaries to:

  • Identify requirements based on the Bahrain corporate governance code, the CBB rulebook (HC module) and the Basel paper
  • Benchmark requirements and assess compliance, based on a model
  • Review or – as necessary – develop a board charter
  • Assess the roles and responsibilities of the board and its committees
  • Develop organisation and governance structures
  • Assign roles and responsibilities to senior management and the board secretary
  • Review or – as necessary – develop codes of conduct, conflict of interest policies and insider trading policies
  • Document performance evaluation and disclosure policies
  • Communicate with shareholders
  • Analyse gaps and suggest enhancements
  • Evaluate – based on a quantitative scoring model – board performance
  • Facilitate reporting to shareholders

Keypoint is proud of its reputation for developing and delivering cutting-edge, customised training which can be delivered in a variety of modes – including classrooms and e-learning portals – and at a number of different levels – from awareness sessions to advanced training programmes, including:

  • AML – from basic awareness training for staff to advanced programmes for senior management
  • KYC management
  • FATCA and CRS programmes
  • Compliance management
  • Corporate governance (for directors’ CPD)

Sindhu Balasubramanian
Senior Manager