HSBC's excellent service has been widely recognized, and its awards include: Financial Asia, the best foreign bank in China, Assets, the best fund management bank in China, Global Finance, the best private bank, Banker, the best bank in Asia and Western Europe, Eurocurrency, as the "best foreign bank in China" (for four consecutive years), and the compliance risk management experience of foreign commercial banks.
(1) Senior management attaches importance to compliance.
The consequences of compliance risk are not only legal sanctions or regulatory penalties, but also significant financial losses, and more seriously, reputation damage. For commercial banks operating funds, reputation loss will seriously harm their development. Therefore, many foreign banks attach great importance to compliance risk, set up full-time compliance risk managers, and regard compliance management as an important defense line. At the same time, they realize that compliance risk management must meet two conditions: first, corporate culture emphasizes honesty and integrity. Second, the board of directors and senior management must set an example. For example, Citibank and Standard Chartered Bank have established the primary responsibility of the board of directors and senior management, and made it clear that compliance risk management is the main line of defense of the whole bank.
(2) Constantly adjust and improve the organizational structure of compliance risk management to ensure the relative independence of the compliance department.
In practice, there are two main organizational structures for compliance risk management of foreign-funded commercial banks, one is centralized and the other is decentralized. In the reporting route of branches, there are matrix and linear reporting routes in both organizational structures.
1. Centralized organizational structure
The main feature is that the head office and all branches (or regional headquarters) have compliance departments, and the compliance department of the head office is the direct leader of the compliance departments of all branches. The Compliance Department of the Head Office reports directly to the bank's senior management (president or chairman) and has the right to report directly to the board of directors or its subordinate committees. There are two organizational structures: one is to set up a single independent compliance department. The other is to combine legal and risk management functions to form a legal compliance department or a risk management and compliance department.
Take ABN Bank of America, Deutsche Bank and Standard Chartered Bank as examples. ABN Amro is an independent compliance department and a matrix reporting route. Deutsche Bank's independent compliance department has added a straight-line reporting route. The compliance function and legal function of Standard Chartered Bank are integrated together, forming the matrix reporting route of the Legal Compliance Department.
(1)ABN Amro- independent compliance department plus matrix reporting channel. Matrix reporting route, that is, while reporting to the superior compliance supervisor, it must also report to the administrative supervisor of the branch where the compliance department is located. ABN amro Compliance Department was separated from the Legal Affairs Department in 2004 and established an independent Compliance Department. On the reporting route, the head of the Compliance Department of the Head Office reports directly to the Chairman, and the compliance director of the branch adopts the matrix reporting route. For example, the Compliance Director in China should report to the counterpart department of the Head Office and also to the Chief Operating Officer in China.
(2) Deutsche Bank, an independent compliance department, added a straight reporting route. Linear reporting route, that is, the lower-level compliance department reports directly to the higher-level compliance department. If the starting point of the reporting route is China, the manager of the Compliance Department of Deutsche Bank China directly reports to the Compliance Director of North Asia, who directly reports to the Compliance Director of Asia Pacific (excluding Japan), and then reports to the senior management through the head of the Compliance Department of the Head Office. Deutsche Bank pays attention to the participation of compliance department in business management. For example, China Compliance Manager is also a member of China Business Management Committee and Branch Management Committee.
(3) Standard Chartered Bank-integrating compliance function and legal function to form a matrix reporting route of the Legal Compliance Department.
The Legal Compliance Department of Standard Chartered Bank in China is responsible for all compliance matters, including the Director of Compliance Department, the Compliance Manager of Corporate Banking Department, the Compliance Manager of Personal Banking Department, the Compliance Manager of Global Marketing Department, the Compliance Manager of Guangzhou Branch, the Compliance Manager of Shanghai Branch, the Compliance Manager of Beijing Branch and several legal managers. The reporting path of branches adopts matrix.
2. Decentralized organizational structure
The main feature is to set up a compliance department in the head office, but it is not necessary to set up an independent compliance department at the branch level, but to set up compliance officers in all branches and business lines to undertake the compliance responsibilities of their respective departments. Compliance departments will also be established according to the needs of management in different countries or regions, such as China or Asia-Pacific Compliance Department. If HSBC adopts a decentralized organizational structure and matrix reporting route, every employee of HSBC should be responsible for compliance management within the scope of his authorization. For example, the president of the branch is responsible for the compliance work in the area under the jurisdiction of the branch and reports to the superior business director in the area. Citigroup adopts a decentralized organizational structure with a straight reporting line.
(3) Clarify the responsibilities of the compliance department and handle the relationship between compliance and internal audit.
Both the Compliance Department and the Internal Audit Department aim at preventing risks. The internal audit department pays attention to the "after-the-fact" audit, and the internal audit department cannot control the occurrence of risks in the business process. The Compliance Department pays attention to "before" and "during" risk control, and optimizes the business operation process and internal system of commercial banks by studying laws and regulations, so as to prompt and find risk points at any time during the operation and achieve the purpose of risk management. The compliance departments of many foreign-funded commercial banks are relatively independent and have established a compliance risk system of "the first line of defense for business departments, the second line of defense for compliance departments and the third line of defense for audit departments". The Compliance Department and the Internal Audit Department are clearly defined, supporting, coordinating and supervising each other.
1. the relationship between ABN amro compliance and internal audit under centralized organizational structure
The front-line business departments are directly responsible for compliance, and the senior management is ultimately responsible for the compliance operation of the bank. The Compliance Department has independent reporting channels, investigation power and performance appraisal system. These ensure that the compliance department has considerable independence. At the same time, the responsibilities of the Compliance Department and the Internal Audit Department are clearly defined. ABN Amro has defined clear responsibilities and authorities. "The compliance department shall timely judge, evaluate and monitor the compliance risks of the Bank, and provide advice and reports to the senior management and the board of directors when violations are found; Minimize the possibility of violation by implementing systematic compliance measures or procedures. The internal audit department is separated from a large number of compliance risk management affairs and undertakes the re-control function of the internal control system to ensure the effectiveness of the internal control system. However, the bank also stipulates that the internal audit function department should regularly review the business of the compliance function department and conduct on-site compliance inspection of the bank. " In addition, the relationship of mutual support, coordination and supervision between the compliance department and the internal audit department is also determined. The compliance department provides the inspection direction and focus for the internal audit department, and the compliance inspection results of the internal audit department become an important source for the compliance department to collect compliance risk information and risk points, forming a mutually supportive relationship between compliance and internal audit; In the whole risk prevention system, the compliance management department is the "middle desk" of the bank, which reviews and supervises the compliance of the business handled by the "front desk", while the internal audit department performs the re-supervision function in the "background".
2. The relationship between compliance and internal audit of Citigroup with decentralized organizational structure
Citigroup has two layers of protection measures to prevent compliance risks, and the internal audit department is the last layer. Those who really manage business operations should be responsible for compliance risks, which is the first layer of preventive measures. Secondly, the functional departments responsible for identifying, evaluating or monitoring compliance risks, such as legal affairs, finance, independent risk management, human resources, operation technology department and compliance department, are the second-tier preventive measures. The internal audit function department is the third layer of preventive measures.
(4) Establishing a compliance risk management framework on the basis of an effective organizational structure.
In risk management, it is very important to establish a complete risk management system including risk identification, risk early warning, risk monitoring and risk decision. As an important part of risk management, it is very important to establish an effective compliance risk management framework. This first requires ensuring that the compliance risk management department has clear responsibilities and relative independence in the organizational structure. In addition, cooperate with other business departments and internal audit departments to continuously find risks, control risks and optimize processes; Select high-quality personnel familiar with business, laws and regulations to engage in compliance management.
Take Citigroup's compliance risk management framework as an example. Three layers of preventive measures have been set up in the organizational structure, and compliance risk management has penetrated into front-line business personnel, forming a good compliance culture and compliance risk management framework, ensuring the effective implementation of compliance risks. Citigroup's compliance risk management framework consists of seven parts. 1. The board of directors and senior management personnel bear the main supervisory responsibilities. The board of directors and senior management supervise compliance through independent committees, forming an atmosphere in which senior management and front-line employees attach great importance to compliance. 2. The organizational structure and staffing model are reasonable. Reporting channels can ensure the independence of compliance work, equip with sufficient resources and qualified employees, and ensure the good career development of qualified managers. 3. Formulate clear compliance policies and procedures. The evaluation and approval process ensures consistency and risk control in the operation process. The evaluation of global compliance policies is completed through internal self-evaluation and testing as well as internal and external evaluation. 4. Independent monitoring and evaluation. There are various monitoring methods, compliance schemes and supervision systems at the operational level. The Compliance Department understands and consults the business situation and improves the monitoring and supervision level. 5. Regularly report the regulatory issues covered by the process, the follow-up of rectification measures and the formulation of key risk indicators. 6. Pay attention to training. Citigroup adapts to the ever-changing regulation through continuous training. The training content includes: formal training for compliance managers and mandatory training for important policies and procedures. The training method is mainly online training to ensure the timeliness of the world, supplemented by face-to-face real-time training. 7. The compliance department interacts with the internal audit department. Internal audit regularly evaluates compliance work. In the process of internal audit, in addition to the internal audit department, other functional departments, such as human resources department, finance department, risk management department, operation technology department, especially legal functional departments, actively participate.
(V) Combining compliance risk management with business process optimization to reduce risks.
A good system is the premise of compliance management. Taking the Bank of East Asia as an example, in view of the business scope and product types in China, the headquarters in China District has formulated a unified business operation manual, which permeates the requirements of laws and regulations and describes the operation processes of various businesses in detail. The business operation manual is revised regularly in combination with the development of laws and regulations, the change of business varieties and the opinions of the internal audit department. When the business changes significantly, the operation manual will be updated in time. By establishing operational norms that meet the requirements of laws and regulations, compliance is no longer an empty concept but every process and step. Handling banking business in strict accordance with the operation manual ensures the standardization and consistency of banking business.
(6) Cultivate a good compliance culture.
Cultivating a good bank compliance culture is not only the work of the compliance department, but also the need to cultivate the compliance awareness of employees within the bank. On the one hand, the bank's business manuals, operating procedures and work instructions should fully reflect the requirements of compliance management, and there should be rules and laws to follow in the system; On the other hand, it is necessary to instill compliance requirements and spirit into employees and colleagues through regular and timely training, and establish a general awareness of compliance, so as to make it a part of the corporate culture of banks.
From the experience of Standard Chartered Bank, we should pay attention to the following points in cultivating compliance culture: 1. Start training from the position of employees and establish the concept of compliance culture. 2. Establish a credit mechanism. Actively encourage employees to report all kinds of illegal acts found in the scope of work and violations of Standard Chartered Bank's code of conduct or internal rules. 3. Combination of compliance and performance appraisal. Compliance risk management, as an important evaluation index, enters the performance evaluation system and is directly linked to performance bonus.
Second, the enlightenment to the compliance risk management of commercial banks in China
(1) Improve corporate governance and enhance the management responsibility of the board of directors and senior management for compliance risks.
Chinese banks emphasize "operating according to law", but compliance risk management is not really linked to the responsibilities of the board of directors and senior management, and there are no effective measures to ensure the implementation of compliance risk management. Only when commercial banks, especially state-owned commercial banks, have serious compliance risk cases, managers realize the backwardness of the "risk control" system. Some Chinese commercial banks, such as China Merchants Bank, have proposed to change from "risk control" to "risk management", which shows that the risk management level of Chinese banks in China is gradually developing. From the experience of foreign commercial banks, compliance risk management must start from the top to be the most effective. As Liu, chairman of China Banking Regulatory Commission, pointed out in his speech at the first annual meeting of Shanghai banking industry in 2006: "The CEO is the CEO and chief ethics officer of the bank, responsible for effectively managing the compliance risk of the bank." Therefore, Chinese banks should improve the management responsibility of the board of directors and senior management for compliance risks. The Board of Directors and senior management are directly responsible for compliance risk management. Starting from the top, they should promote the business philosophy of honesty and integrity, cultivate a compliance culture, make every employee pay attention to compliance, consciously realize compliance in the business process, find risks, improve processes, and make compliance risk management the most effective.
(B) to establish a clear strategic positioning and a reasonable organizational structure
Most foreign commercial banks have clear strategic positioning, such as the retail business of Citibank and HSBC, the SME banking business of Standard Chartered Bank and the investment banking business of Deutsche Bank, which are gradually formed through long-term investment and accumulation according to the established strategic positioning.
At present, Chinese-funded commercial banks in China are in the process of changing from homogeneous competition to differentiated competition, from low-level competition focusing on price and scale to competition focusing on risk, cost, efficiency and customer experience. Some banks have begun to establish unique business advantages, such as ICBC's asset custody business, CCB's provident fund loans, BOC's international trade financing business, China Merchants Bank's credit card and online banking business, personal loans and trade financing issued by Shenzhen, and Huaxia Bank's cash management products. However, few Chinese banks have a clear strategic positioning at the company level. Organizationally, some Chinese-funded commercial banks have gradually started to establish a "front, middle and back office separation" structure, and gradually began to implement vertical management in functional lines such as risk control, financial management and internal audit. Many Chinese-funded banks have begun to implement vertical management in credit card business. Compliance risk management can only be greatly improved after the strategic positioning of banks and the standardized operation of business lines. Therefore, Chinese banks should determine their own advantages and core competitiveness as soon as possible, and make strategic positioning in combination with market conditions. On the basis of standardized management of business lines, we will reform the operating system, promote compliance risk management, and choose an appropriate organizational structure for compliance management to ensure the orderly implementation of compliance management.
(C) Pay attention to the relationship between compliance and process, and realize the change of compliance scheme from "task-centered" to "process-centered".
Process is the lifeline of commercial banks' operation, and it is the operational process of banks or the working way of employees. Compared with other industrial and commercial enterprises, process is more core for commercial banks, because commercial banks operate according to various processes, and their business, efficiency and performance of the whole industry are affected by processes.
The process of commercial banks determines the functions of various departments and business lines and determines the organizational structure. Whether the division and efficiency of processes are conducive to customer needs, whether it is conducive to reducing costs and controlling risks has become the key determinant of organizational structure change and departmental function change.
Excellent foreign commercial banks have established customer-oriented process banks. For example, many branches such as Citibank and Standard Chartered Bank have passed ISO900 1 (the core standard of quality management system), ISO2700 1 (the standard of information security management) and BS25999 (the standard of business continuity management). Compliance scheme is changing from "task-centered" to "process-centered". A process-centric compliance plan requires that compliance be based on continuous testing and verification. In addition, local and repetitive compliance management activities are being replaced by those that can make the whole organization fully understand compliance.
Therefore, in the process of compliance management, Chinese banks must make it clear that compliance management is not only the management responsibility of the compliance department, but also the basic responsibility of all business lines and departments. Infiltrate compliance management into the process, promote process optimization through compliance management and promote comprehensive compliance risk management of commercial banks.