Law Summary
Board of Directors and Senior Management Responsibilities
- The board of directors must oversee compliance policy implementation and ensure timely resolution of compliance issues.
- Senior management is tasked with establishing, enforcing, and assessing the compliance policy.
- Senior management must report at least annually to the board or its committee about compliance matters, including recommendations for changes.
- Material breaches of laws or standards must be reported promptly to the board.
Formal Status of the Compliance Function
- The compliance function must be formally established via a charter or similar document approved by the board.
- The charter defines the function's authority, standing, and independence.
- Key elements addressed include independence from business activities, defined roles and responsibilities, relationships within the organization, access to necessary information, investigative rights, and reporting lines.
- The charter must be communicated organization-wide.
Independence of the Compliance Function
- The compliance function must operate independently from the institution’s business activities.
- It must have adequate resources and the freedom to act on its own initiative across all relevant units.
- It must report irregularities directly to senior management and the board without fear of retaliation.
- Unrestricted access to operational areas, records, and files is required.
Role and Responsibilities Allocation
- The compliance function’s roles and responsibilities should be explicit.
- Duties between legal, compliance, internal audit, and risk management functions should be clearly delineated.
- Formal cooperation and information exchange arrangements shall exist among these functions.
Handling Cross-Border Compliance Issues
- Compliance structures for institutions conducting business in multiple jurisdictions should address local concerns within a unified group compliance policy.
- Compliance functions should respect significant differences in legal and regulatory frameworks between jurisdictions.
- Local legal and regulatory requirements must be integrated into the compliance function’s structure and responsibilities.
Policies on Outsourcing
- Institutions must adopt policies to manage risks from outsourcing activities.
- Outsourcing may reduce risk by delegating specialized activities to qualified third parties, but it does not absolve institutions of their ultimate responsibility.
- Compliance risk assessment and testing may be outsourced but require appropriate oversight by the compliance officer.
- Outsourcing agreements detailing duties, responsibilities, rights, and obligations must be approved by the board and submitted to the Bangko Sentral supervisory department 30 days before execution.
- Agreements must ensure clear allocation of responsibilities and address residual risks including default and operational failures.
Effectivity
- The Circular takes effect 15 days after its publication in the Official Gazette or a newspaper of general circulation.