Transcript | Protiviti Risk & Compliance Podcast – Prepping for a monitor visit or regulatory review

Hello, everybody. Good day! This is Josh Heiliczer here on the Protiviti podcast. We’re focusing on risk and compliance issues, today. I’m a managing director here in the Hong Kong office of Protiviti, and I lead the Risk & Compliance practice for Greater China, and I’m the subject-matter expert for financial crime compliance.

It’s great to have Henry Yu with us today. Henry is the head of financial crime for the APAC region at Natixis and was previously involved in managing the monitorship for HSBC here and out in Asia. He has had a number of prior roles at Credit Suisse, Goldman Sachs, with the Hong Kong police — very well distinguished. Also, I should add, he’s a professor, teaching a class at HKU. So, Henry, it’s great to have you on the podcast. How are you doing today?

I’m good. Thank you very much for your invite, Josh. Thank you very much, indeed. It’s my pleasure. It’s my honour to be with you today.

Excellent, Henry. So, we’re here to talk about preparing for a monitor visit or a regulatory exam. It’s a big topic these days. Although it seems as though our regulators are now moving to some virtual exams, they still are coming on-site as well. So, what do you need to do to prepare for an exam? You have a lot of experience with this at HSBC and now at Natixis as well, so I’m eager to hear your thoughts.

Thanks a lot, Josh. Now, before I answer your questions, if I may, I have to do a standard disclaimer. What I’m trying to share with everyone here in this podcast is from my own experience. It’s nothing confidential, so nothing related to particular incidents or particular facts that I have been working on with various banks. It does not represent any of the positions of any of the banks, including the one that I’m working on at the moment.

So, your first question, if I hear correctly, is, “How do we prepare for different types of examinations — either monitor visits or regulator visits?” Before I answer this question, we need to understand why your regulator is coming to you. To understand where they’re coming from is the first thing that is very important, and we need to know about it.

There are different scenarios. It might be just a regular visit. There might be a thematical review: You’re just one of those banks or financial institutions picked out by your local regulators. It might be because of certain incidents that have happened to your financial institution, unfortunately, that we see in different types of monitorship or inspections, per se. So, this is the first one. So, understanding what the regulators are looking for is the most important. There’s what we call the KYR — know your regulators — so this is just like a KYC. You need to understand where they’re coming from.

Then, the second thing we need to bear in mind, the fundamental thing, is to stick to the facts of what happened, because when we’re talking about different types of inspections, review or monitorship, it is a look-back exercise. It’s not about forward-looking exercises, it’s a look-back exercise. So, the rule of thumb is, stick to the facts — understanding the scope as well, understanding where they’re coming from —and understand the scope of your review or inspections or monitorship. That’s very important as well. These are the things that you need to bear in mind as well.

Third, it’s communications, early communications with the regulators or monitorship — understanding what they’re looking for. Most likely, normally, the regulator will come up with a list of questions or a list of expectations as well. So, this is the quick start on how to be first prepared for the visit, and second, internally, once you’ve got all this basic information, you need to mobilise different departments.

The regulator visit is, more likely, not only the compliance work. This is a very important concept. The visit is not just the work of compliance. You need to mobilise different stakeholders within the bank. For example, nowadays, and very importantly, all direct leaders around the world are talking about senior management oversight, so these are the key important things that you need to be aware about. You need to engage your senior management so that they are on top of that. You have the full support of your senior management both locally or regionally, or even globally, about an upcoming regulator visit or inspection. And then —

You mentioned senior management, and that’s really an important topic. Particularly, if it’s an unexpected or difficult request, how do you get their attention quickly, and do you want to prepare them through mock interviews, or how is best to get them ready to particularly, if they have to meet a regulator?

We don’t use mock interviews. This is something that we try to avoid, and, in some circumstances, it will become illegal and not allowable by certain regulators as well. If you’re doing mock interviews, the worst-case scenario would be somebody, when they’re being asked and being pushed, they say, “Well, my compliance guy told me to answer in such a way,” then we come to a very difficult situation. This is not what we want to see.

Having said that, we need to help them prepare and to understand what they are looking at. What do we have, because it’s a look-back exercise? What had happened, whether good or bad, or whether there was something that we have been missing, we were unable to perform perfectly as to what used to be. Just be open, have acceptance of this outcome. This is very important — not trying to cover anything up. That’s another key point, but, having said that, the most important thing is, if we can proactively identify any kind of shortcoming, what is the plan? Are we able to demonstrate to the regulator that this is something that we have already engaged third parties on that are working on it, for an improvement, and that’s a good story to tell — proactiveness, or sometimes you can always mitigate it in practice per se. This is the key.

Being proactive is definitely key. I mean, I’ve definitely seen it with a lot of the regulatory issues that I’ve come across, whether it be from when I joined Protiviti, or even before. I guess, in terms of being proactive, this is also an ongoing exercise. Even through the regulator might be there, it’s also some of that awareness in training. How do you generate that awareness, even before the regulator shows up, around some of the seriousness of the issues and preparing on an ongoing basis? As you’ve mentioned earlier, and rightly so, it’s very key to check what the regulatory expectations and guidelines are, particularly if you’re not able to engage in mock interviews.

That’s a very good question, indeed. At a high level, the culture is the key. If we look back to all the institutions — where they get into trouble of different kinds — they have something in common. Whoever the regulator is, it is also written in some of the regulations, if you look at how they determine the sentencings or the seriousness of the shortcoming or the offenses, it’s systematic error. People, they know it — that culture. So, when you’ve got this, that element, I would have to say that this is a big problem.

The question is, how do we try to avoid that? There are a few things: First of all, tone at the top. We always talk about it, about how we are making sure we are with the tone at the top, how we understand that. One of the very key and very important truths is what we call the risk assessment. From the AML FCC world, we have the institution of risk assessment, but even from the bigger compliance or even at-risk, we have risk assessment. The only recommended risk assessment or self-assessment is helping the financial institutions to self-identify where are the high-risk areas, where are the areas that they need to draw their attention to. And then the second truth is continuing testing, continuing reassurance, internal auditing as well. That’s a very important thing as well.

If there is an upcoming change in regulations, the basic truth for each and every compliance officer to do is to do an in-depth analysis of where your programmes needs to be improved as well. So, in a nutshell, it’s a continuous risk assessment that brings up the awareness of the whole bank, and particularly the senior management is the key. The major banks, nowadays, they are doing pretty good in engaging, but I see that that’s where there were certain incidents where this exercise of risk assessment is still in very, very extreme cases, that people still think that this is only compliance work. No, it is not. It is the most important responsibility of the bank as a whole.

It’s a really good point. Tone at the top and conduct are really going to be focuses for all regulators globally. We’ve seen that recently in some of the recent risk issues that have happened within banks, and making sure that that risk assessment is there, refreshed, and senior management know about it and are aware of all those issues and how you are mediating anything that may have come up are really keys. Henry, I really appreciate you coming on the podcast today, and this is the Protiviti podcast.

 Thank you very much, indeed. It is my pleasure.