Most Common Audit Issues with Compliance Policies and Documentation (and Why It Happens)…
If you work in FinTech or Financial Services, you probably know that most audits start with a “please, send me your policies” request.
And most audit findings come from scenarios in which you did not follow your policy, or in which your policy did not describe something that actually happened.
So, what are the most common reasons for issues, discrepancies, or audit findings when it comes to compliance policies?
- A mismatch between internal documents, especially when they are prepared by different authors. The most common example would be a mismatch between the language in the AML Policy vs Terms and Conditions on the website vs Privacy Policy with respect to which data and documents are being collected from the clients and what happens with the data. Another common mismatch happens when FinTech startups launch a new product or feature, update their T&Cs, but forget to update their policies.
- Exceptions: you make exceptions for your clients, but forget to update the policy. Or your policy does not say whether or how exceptions can be made.
- You don’t exactly follow your policy because your tools or systems don’t allow it: maybe some processes are combined, or some assessment is done automatically, but your policy does not describe this sufficiently clearly.
- Sometimes companies make changes to their policies “under duress” (aka at the request of the auditor, banking, or financial partner) and simply copy-paste the language required by this partner or auditor into the policy, but this language may not work or may not be applicable for all of your products. Or you just want to get it over with and don’t assess longer-term implications.
- You use new tools, new team names, new titles, and new processes, but you forget to update your policy.
- A new law comes into force, and you (hopefully) update your policy accordingly, but oftentimes there is a lot of secondary legislation, circulars, and guidelines that are not repealed, and you don’t reconcile which document applies to which case (this happened a lot when AMLD5 came into force, while older national due diligence circulars remained valid as well), so you end up potentially ignoring some of the older circulars that are still valid.
- Definitions mismatch: oftentimes you can find discrepancies in definitions between EU Directives, national legislation, FATF Recommendations, EBA Guidelines, and your own policies (for example, PEP definition, high-risk country lists, risk categorization, applicable due diligence limits, etc.).
Yes, the compliance policy framework and its maintenance are not a cakewalk. What can you do about it?
You are in any case required to review and update all your policies and procedures at least annually, and it sometimes helps to assign this task to a relatively new team member – someone who joined 4-5 months ago, so that they are fresh enough to notice obvious discrepancies, but already familiar enough with your products and tools.
Another solution – you could rely on my FinTech Compliance Self-Starter Bundle with dozens of policy templates and document samples, find out and re-use what you were missing, add clarifications, discover nuances or just copy-paste things that you did not have.