As part of the consumer credit authorisation process the Financial Conduct Authority (FCA) will require all consumer credit firms to detail their compliance monitoring programme and attach a compliance monitoring plan as part of their application pack. This blog post highlights the key areas for consideration for consumer credit firms to contemplate when developing their monitoring plan.  

What is compliance monitoring?

Compliance monitoring is the quality assurance testing carried out over the day to day activities of the business. The compliance monitoring team usually sits as an independent function in the second line of defence and provides assurance to the board that the firm is operating within a compliant framework.    

In a traditional three lines of defence model, the FCA will expect each business line to undertake their own regular monitoring of the day to day activities as the first line of defence, with Internal Audit providing the additional third line, depending on the size of the firm.   

The design stage

A compliance monitoring plan should be proportionate to the scale and complexity of the business and driven by the firm's assessment of their compliance risks.  It will need to describe the testing to be carried out; the frequency; by whom – the role of the person responsible for the testing (for example, the Compliance Officer); and the records to be retained evidencing the testing carried out and associated findings.  

The firm's regulatory risk profile defines the scope, scale and complexity of required compliance monitoring activities. A robust assessment of the underlying regulatory risks facing a firm is therefore critical to ensure that compliance monitoring activity is appropriate.  The first stage of this process therefore is to compile the required inputs.

The inputs to any compliance monitoring plan should reflect where the business faces the greatest risks.  This will ultimately drive the content of the plan.  The plan should aim to cover the majority of risks identified in the risk map, but resource should be targeted to those where the potential risk is greatest.  The firm will need to consider risks such as areas of regulatory focus for example, CONC; previous internal audit findings; regulatory correspondence; complaints; and business performance.  The firm will also need to consider whether the monitoring team has sufficient resource, skills and experience to conduct reviews across the full spectrum of the firm's regulated activities. 

Key risks for consumer credit firms

The key risks to a consumer credit firm are likely to be specific, depending on the business model.  However, there are some risks which we believe will attract additional regulatory scrutiny, including for example:

  • Responsible lending;
  • Collection activities;
  • Outsourcing arrangements;
  • Forbearance options and arrears handling;
  • Vulnerable customers; and
  • Complaints handling.   

The approach to monitoring activities

Once the risks are identified and risk weighted, deciding how to conduct monitoring activity is the next step.  The main challenges are deciding what review methodology to use and how to effectively allocate resource to provide the desired level of assurance over each risk.  For example, a firm may want to develop a monitoring plan that will see in-depth reviews of key risks and high level reviews for those deemed more minor risks.   However, as it is important not to neglect low risks, the plan may evolve over time so that all risks receive an in-depth review at some stage.  

Monitoring activities which require specialist knowledge should be mapped against the teams' skillset to ensure appropriate resource is allocated to each review.  

A detailed testing plan will also consider whether certain risks should be combined with others to allow the production of a combined assessment; how complex the subject of the review is; and what level of assurance can be gained from Internal Audit findings (third line) or by business line monitoring (first line). 

The output

The output of second line monitoring activity will depend on the level and frequency of assurance required by the board, and specifically how this relates back to their risk appetite.  MI should be produced showing the results of compliance monitoring and how the team is progressing against plan.  MI should be adequate enough to keep the board informed of the key risks and allow for root cause analysis of any failings identified.  Together with first line monitoring, results may bring about enhancements to the control framework.  Monitoring plans should therefore contain enough flex to adapt to new requests by the board or management should they identify any emerging risks or require any additional assurance in certain areas.

Consumer credit firms will need to make sure they have a robust and documented compliance monitoring programme, which considers the issues highlighted in this blog, in preparation for their authorisation gateway.    

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.