The National Monetary Council (CMN) has regulated, through CMN Resolution 4,595 of August 28, 2017, the compliance policy applicable to financial institutions authorized to operate in Brazil by the Central Bank. The resolution does not apply to consortium administrators and payment institutions.
It is worth pointing out that the CMN allowed financial institutions to hire specialists to carry out activities inherent to the compliance policy, as long as the attributions and responsibilities of the administration council and, in the absence thereof, the institution's executive board are respected. Another wise decision was to prevent the performance of the business areas from affecting the compensation of those carrying out these activities.
Thus, financial institutions can adopt a single compliance policy, by conglomerate or cooperative credit system, approved by the administration council. They must implement and maintain a policy compatible with the institution's (i) nature, (ii) size, (iii) complexity, (iv) structure, (v) risk profile and (vi) business model, in order to ensure the effective management of their compliance risk.
The context determined by the CMN for the compliance policy is interesting because, unlike what usually occurs in Brazil, the council made the issue of proportionality clear from the outset: how robust the compliance program is required to be depends on all the markers mentioned above.
The CMN also made it equally clear that the compliance policy should comprise, at a minimum:
- the objective and scope of the compliance function;
- the clear division of responsibilities of the people involved in the compliance function, in order to avoid possible conflicts of interest, mainly with the institution's business areas;
- the allocation of sufficient personnel, adequately trained and with the necessary experience to exercise the activities related to the compliance function;
- the position, in the organizational structure of the institution, of the specific unit responsible for the compliance function, when constituted;
- the necessary measures to guarantee independence and adequate authority to those responsible for activities related to the compliance function at the institution;
- the allocation of sufficient resources for the performance of the activities related to the compliance function;
- the free access of those responsible for activities related to the compliance function to the necessary information for the exercise of their attributions;
- the communication channels with the executive board, the administration council, and the audit committee, when constituted, necessary for the reporting of results arising from activities related to the compliance function and of possible identified irregularities or failures; and
- the procedures for the coordination of the activities related to the compliance function with risk management functions and the internal audit.
A very relevant point instituted by the CMN was to segregate the compliance activity from the activity carried out by the audit, thus establishing two distinct filters in the implementation of the compliance policy and the consolidation of ethical principles throughout the organization. For the professionals acting in compliance, the CMN listed the main tasks:
- test and assess the adherence of the institution to the legal framework, infra-legal regulations, recommendations of the supervisory bodies and, when applicable, to codes of ethics and conduct;
- provide support to the administration council and executive board of the institution regarding the observance and correct application of the item above, including keeping them informed of the relevant updates in relation to the item above;
- assist in the informing and training of all employees and relevant third-party service providers on matters relative to compliance;
- review and monitor the resolution of the points raised in the report on breaches of legal and regulatory provisions drafted by the independent auditor, in accordance with specific regulation;
- prepare a report, with a minimum frequency of once a year, containing the summary of the activity results related to the compliance function, its main conclusions, recommendations, and measures taken by the institution's administration; and
- report the results of activities related to the compliance function to the administration council systematically and in a timely manner.
The CMN concluded by assigning the following duties to the administration council (and, in its absence, the institution's executive board):
- ensure (i) the proper management of the compliance policy in the institution, (ii) the effectiveness and continuity of the compliance policy application, (iii) the communication of the compliance policy to all relevant employees and third-party service providers, and (iv) the dissemination of integrity and ethical conduct standards as part of the institution's culture;
- ensure that corrective measures are taken when compliance failures are identified; and
- provide the necessary means so that the activities related to the compliance function are adequately exercised.