4802 JAN FEB 2020 SHONI

Question 1
Governance, Risk Management and Compliance (GRC) refers to an organization’s strategy for
handling the interdependencies between these three components. Any size of organization
can use GRC. A strong GRC technology platform is critical to a successful risk management
program. Without one, it is infinitely harder to leverage common processes, share data and
gain visibility into risks across the organization.
Under King III, risk management remains important and more detailed guidance is given on
how it is to be accomplished. The board is responsible for the governance of risk and
disclosure. Management is responsible for risk management design, implementation and
monitoring of the risk management plan.
Being closely related concepts, governance, risk and compliance activities are increasingly
being integrated and aligned to some extent in order to avoid conflicts, wasteful overlaps and
gaps. GRC represents a way in which management can better accomplish their strategic
objectives. The organisation’s response to risks typically depends on their perceived gravity,
and involves controlling, avoiding, accepting or transferring them to a third party.
GRC is a discipline that aims to synchronize information and activity across governance, risk
management and compliance to create efficiency, enable more effective information sharing
and reporting and avoid wasteful overlaps.

- Governance refers to the ethical management of the organization by its leaders in
accordance with approved business plans and strategies.
- Risk management refers to an organisation’s process for identifying, categorising,
assessing and enacting strategies to minimize risk that would hinder its operations and
to control risks that enhance operations. This definition of risk means that things like
not meeting the business’s market share growth objectives are risks just as much as
exposures related to topics such as business continuity.
- Compliance refers to the level of adherence an organization has to the standards,
regulations and best practices mandated by the business and by relevant governing
bodies and laws.
These three activities traditionally functioned more or less separately. In a GRC approach, each
of the three component programs continues to interact with and support existing business
functions. However, the interaction of the three is where the benefits become apparent.
GRC achieves this by breaking down the traditional barriers between business units and
requiring them to work in a collaborative fashion to achieve the company’s strategic goals.

GRC:
• Makes risk management part of everyone’s job. (R)
• Improves oversight of corporate governance through a more effective, integrated
approach to managing the business. (G)
• Satisfies the need to ‘exhibit control’ to regulators, auditors, and stakeholders. (C)

Organisations reach a size where coordinated control over governance, risk management
and compliance (GRC) activities is required to operate effectively. Each of these three
disciplines creates information of value to the other two. Each of the three GRC
disciplines touches and affects the same technologies, people, processes, and information in
any organisation.

If properly implemented, GRC policies, practices and software offer the following benefits.
• Reduced costs.
• Improved leadership effectiveness across all aspects of governance, which contributes
directly to better business performance, viability and sustainability.
• Increased visibility into risks, threats and vulnerabilities.
• Ongoing compliance with required standards and regulations.
• Protection against unfavourable internal audits, financial penalties and litigation,
because it improves assurance reliability.
• Reductions in risk across the entire organization, including business risks, financial
risks, operational risks and security risks.
• Creates greater understanding (same team, same playing field).
• Gets rid of silos (silo views); silos influence communication negatively.
• Creates a knowledge domain and not just an information domain.

Question 2
1. A dealer commits the bank to a deal but fails to record the transaction properly and a
dispute arises some weeks later over the amount.
• Operational Risk
• The fact that the bank might lose that money
• Dealer can also deny that transaction
• Operational manager is responsible

2. A bank dealer lends money to a client within an authorized facility but the client
fails to repay.
• Credit Risk
• Liquidity problem because he didn’t pay and it will reduce capital to the bank
• Credit manager is responsible because he facilitated the loan, he should have done the
proper credit checks on the lender
• It depends on the structure of the bank, therefore it could also be all officers that authorize
loans

3. A member of staff opens an incoming e-mail and finds a virus in an attached
program.
• Operational Risk/System risk
• IT Manager is responsible because he should have had backup or detected viruses on
systems.
4. A senior dealer in a bank dealing room is dating a junior dealer.
• Operational Risk
• Human error
• Operational manager is responsible
• Ethics of bank is compromised

5. A senior dealer has a working lunch with a client and while at the lunch table takes a
call on his mobile phone. He quotes a price to the client and a deal is concluded.
• Operational Risk
• He is disclosing transaction of bank to another client
• Conflict of interest
• Human error
• Making deal on phone while there is no proper documentation/contract, could also lead to
compliance risk

6. An Australian company owns premises in Johannesburg, South Africa. The South
African Rand falls in value by over 10% in the space of a one-year accounting period.
• Operational Risk/Market Risk
• Volatility of capital
• Operations manager, the idea emanated from him and he expands the scope of operations
within the bank.
• Can also be marketing manager, because he should have considered the market volatility?
7. A local bank employs a sophisticated new value at risk programme upon the
instruction of its Head Office in Europe; losses are substantially higher than the system
predicts.
• Strategic Risk
• Coming to another country to transact when there is competition in the market
• Marketing manager is responsible, he should not rely on systems prediction, he should have
made use of his own experience based on the market and he should have considered market
volatility
8. The authorities fine a bank pension fund provider for mis-selling its products.
• Reputational Risk
• Marketing manager is responsible, because why must you mis-sell products and
what was he as manager doing about it

9. A borrower of money at a fixed rate wishes to repay the loan one year earlier.
• Market Risk
• Loses interest when loan is not paid
• Credit manager is responsible, what conditions did he state when money was borrowed
because it says fixed rate (Accredited it to be part of your revenue)

10. In 1998 the Russian government defaulted on its debt obligations, causing a flight to
credit quality.
• Credit Risk
• Whatever shakes the market?
• CEO is responsible, because he is head of everything; when government is involved, the CEO
must give approval. The CEO is responsible for dealing with stakeholders when government is
involved

Question 3

(a) A compliance officer is responsible for providing guidance and recommendations regarding
the bank’s regulatory requirements. The compliance officer must act proactively and constructively
and assist line management to operate efficiently and profitably, without violating statutory, regulatory
and supervisory requirements. He needs to gain the support of line management without
jeopardizing his independence. The following are the roles of the compliance officer:

• Setting organisation-wide policy and standards for compliance.
• Providing advice on compliance related matters.
• Compiling or updating of a compliance manual with sufficient references to relevant
operational manuals.
• Establishing and maintaining a compliance culture, in conjunction with line management,
within the company, which contributes to the overall objective of prudent risk management of
the company.
• Establishing and maintaining working relationships with relevant stakeholders.
The stakeholders of a bank include the government, regulators, consumers, investors and
depositors, financial service providers, management, employees and compliance officers. The
compliance officer will ensure, as far as possible, that each role player fully understands his or
her individual role (mandate). The effectiveness of the interaction between the different
role-players will affect the extent to which the importance of compliance is correctly perceived
within the Bank.

• The role of the compliance officer includes the provision of assistance to minimise the
damage to the company’s reputation/image.
• Promoting a compliance culture through effective training programmes and
compliance awareness campaigns. Everyone in the organisation should be aware of the
impact of non-compliance with laws, rules and regulations within the Bank.

• Continuously monitoring the level of compliance at the Bank, preferably through Compliance
Risk Management Plans approved for the different business units. Any compliance breaches
will be reported to Group EXCO and the Board as and when they occur. A target may, for
example, be set to achieve a zero threshold for compliance breaches.
• Reporting to the Board, audit committee, line management and regulators (students could add
some suggestions, for example, the development of a structured reporting procedure in terms
of the requirements prescribed by the different laws, regulations and rules).
Finally, the compliance officer must attend to the recommendations from the Board, audit
committee, line management and regulators, as and when identified.

(b) The board should be made aware of the improvement of an effective compliance function.
An organisation should have effective compliance risk management programmes.

Compliance Risk Management process

- Compliance risk identification

The compliance officer assists management in identifying the regulatory requirements that apply
to the bank. This includes analysing the regulatory requirements that have been identified together
with the regulatory universe of the bank.

- Compliance risk assessment

Once the identification and analysis of the regulatory requirements have been compiled, they
must be prioritised by rating each regulatory requirement according to the risk variables that
are used for assessment, which are:
- Seriousness – the potential negative impact of non-compliance.
- Probability – the likelihood that non-compliance with a specific regulatory requirement might
occur. It is determined by the effectiveness of the controls that were implemented.

- Compliance risk management

Control measures must be designed and implemented to ensure that the regulatory
requirements are complied with: policies and procedures, people, information and technology.
The control measures should be recorded in risk management plans.

- Compliance risk monitoring

Once control measures have been developed and implemented these measures must be
monitored to determine whether they are being complied with. Also, determine whether they
are effective. The compliance monitoring plan should be recorded in the risk
management plan. Report findings of the review process to the relevant role players.

How would you interact with the banking supervisor? (The Bank Supervision
Department of the South African Reserve Bank).
It is important to maintain a good relationship with the regulators of the Bank. The regulator
holds the key that allows the conduct of business. A good relationship with the regulator is
critical to the sustainability of the business in the long term. Such relationship is only
established through effective liaison with the regulator, in this case the Supervision
Department of the South African Reserve Bank. The relationship should be one of open and
effective communication. This helps to develop a level of trust and the bank will gain a
reputation of being co-operative and compliant.

The compliance officer is also responsible for reporting compliance issues to the Regulator.
For example, Regulation 47 of the Banks Act requires the compliance officer to submit a
copy of the compliance report submitted to the Board of Directors or the audit committee, to
the Registrar. Other regulators of the Bank have different/additional requirements.

Information requested by the banking supervisor shall be requested by the compliance officer
from all the businesses in the bank and provided through the compliance office as a central
point. Thus, the compliance officer will be the contact point for all communications with the
banking supervisor.
On a daily, weekly, monthly, quarterly and annual basis, various reports are submitted to the
Reserve Bank. These reports include, but are not limited to: daily statutory reserve reports,
reports relating to anti-money laundering, fair lending practices, reports relating to the fitness and
proper standing of the directors and the board, and corporate governance reports ensuring that
there is no conflict of interest in the directors discharging their duties. The compliance officer
will therefore be liaising with senior management within the Bank to ensure the accuracy and
timely submission of these reports and also ensuring effective communication between the
bank and the banking supervisor.

(c) Introduction - Money laundering and how it affects banks

Internationally, governments have agreed to fight organised crime and terrorism by, among
others, seizing the proceeds of crime and making money laundering a criminal offence. Since
the 1980s many countries have passed laws that demonstrate their commitment to this effort.

South Africa has adopted money-laundering laws to help it comply with its international
obligations to fight organised crime and terrorism.

Banks’ main legal obligations are contained in the following legislation:

- The Banks Act 94 of 1990
- The Prevention of Organised Crime Act 121 of 1998 (POCA)
- The Financial Intelligence Centre Act 38 of 2001 (FICA)

In terms of section 60A of the Banks Act:

(1) A bank shall establish an independent compliance function as part of the risk management
framework of the bank.
(2) The compliance function shall be headed by a compliance officer of the bank, who shall
perform his or her functions with such care and skill as can reasonably be expected from a
person responsible for such a function in a similar institution.
(3) The appointed compliance officer shall perform his or her functions subject to such
requirements and conditions as may be prescribed in the Regulations relating to Banks.

The most comprehensive legislation detailing money-laundering controls is the Financial
Intelligence Centre Act, the focus of which is on control requirements. FICA creates money
laundering control obligations for banks and other institutions and professionals such as
estate agents, brokers, attorneys and insurance companies. Customer identification is a crucial
element of any effective money laundering control system. Banks must implement reasonable
measures for them to know who their customers are and to prevent criminals from using false
or stolen identities to gain access to bank services.
• The specific duties and obligations of the compliance officer under FICA:

1. Adopt internal compliance rules and standard procedures as set out in section 42
2. Set internal rules concerning the identification of clients (KYC) as specified in Regulation
3. The internal rules concerning the keeping of records – regulation 26
4. The internal rules concerning the reporting of information to supervisory body – regulation 27
5. Adhere to the legislative obligation of Accountable Institutions (such as banks) to train
their employees in FICA compliance as per section 43 of the Act.

• Conclusion/evaluation

The compliance officer must ensure the adherence to the requirements set out above. If not,
the bank faces a combination of the following types of risks that can result from
non-compliance with FICA: criminal-liability risk, regulatory risk (including fines),
reputational risk and civil-liability risk.

(d) Westpac is one of the largest banks in Australia. In 2020, it paid the largest corporate fine
in that country’s history. It paid AU$ 1.3 million for more than 23 million violations of money
laundering and terrorism financing laws.
In its settlement, Westpac admitted to millions of failures in reporting and record keeping on
international transfers. However, the most shocking was the origin of some of those transfers.
In the wake of the scandal, Westpac’s CEO resigned but with the whole year’s salary as
severance. No one at the bank was charged with a crime.

This case is one of the biggest money laundering scandals in history, and it was not the first
and not the last. As long as banks can profit by taking money from criminals, they will
continue to do it.
This shows that fines are not enough compared to the profits from processing the suspicious
transactions. As long as they risk nothing worse than a fine, they have no incentive not to do
it again.
If regulators around the globe really want to stop money laundering, they need to get serious
about punishing it. One option is to make fines heavy enough to outweigh the profits of
money laundering. Another is to start issuing criminal penalties, breaking up the banks,
seizing their assets and sending their leaders to prison.

Question 4

a. Why did the banks close the Gupta accounts without giving reasons?

Banks are never legally obliged to provide reasons for terminating business relationships. If
the banks had kept the accounts linked to the Gupta family open in 2016, they could have
been locked out of the international payments system, with absolutely catastrophic results.
If South African banks had been banned from the international financial network, large-scale
job losses would have occurred.
If an institution picks up suspicious transactions and does not act on them, it will be removed
from the international banking system.
The banks did not disclose their reasons for cutting ties with the Guptas in 2016, citing the
confidential client-bank relationship. The banks closed the accounts fearing reputational and
business risk associated with the family’s operations.

b. Risks related to not closing the accounts


i) Due to two competing interests, banks were forced into a difficult situation. In general,
banks maintain a confidentiality agreement with their clients that prohibits them from
disclosing client information to outside parties absent the client's consent or a court order.
ii) There might have been compliance difficulties, which would have forced banks to take the
decision to disown their customers.

The following are the four primary risks that the banks may have attempted to control.

• Compliance Risk: Compliance risk is the danger that results from banks' disregard for legal
standards. Due to their significance to the growth of an economy, banks are subject to strict
regulation, and they are required by FICA to act on errant accounts. Failure to comply with
this could result in the bank being subject to several sanctions, some of which may even
involve license revocation. Although we are not aware of the specifics of what happened, the
fact that the banks cancelled the accounts of this particular consumer is sufficient to show
that they complied.
• Legal and Litigation Risks: The banks could have easily been sued for breach of contract
if they had made known to the public the reasons they cancelled the accounts. Banks are only
permitted to share client information with officers of the state or with the client's full consent.
The banks' failure to inform the public is sufficient evidence that they minimized their risk.

• Reputational Risk: Reputational danger is a risk that develops when the public loses faith
in an institution. Public opinion is divided; however, the banks acted responsibly by withholding
this information from the public in light of the reputational risk issue.

• Overarching Governance/Political and Ethical Risks: The Gupta Family had recently
emerged as a contentious political issue, placing the banks in a precarious position where
they were forced to respond despite the possibility of being accused of engaging in political
play. In such circumstances, the issues of corporate governance and ethical conduct must be
taken into consideration.

c. All registered FSPs are required by FICA to report any suspicious activity, notably cash
transactions.
Additionally, banks must keep an eye on what happens on their customers' accounts to make
sure that money-laundering concerns are not present.
The banks always have to present a professional image. Without the client's permission or
without a court order, they were not permitted to divulge private information to the public.
However, banks are required to disclose any suspicious transactions to the relevant regulatory
body; they are not required to notify the public unless specifically ordered to do so by the
courts.
In the main, the key risks associated with money laundering seem to have been addressed by
the banks.
Whether they reported to the authorities or not remains unclear but what is very clear is that
they were aware of their obligations under the Act and thus acted accordingly.
