Revised Compliance Framework for Philippine Banks

Business risk refers to internal and external conditions detrimental to a bank's business model, its operational returns, and franchise value.
It encompasses reputational risks from decisions affecting market standing and public trust.
Risks include actions contrary to regulations, best practices, codes of conduct, and legal risks from regulatory changes affecting the business model.
Business risk combined with financial risks constitutes total corporate risk.

The compliance function must be formally established by a Board-approved charter defining its authority, independence, and standing.
The charter addresses:
- Independence from business activities
- Organizational structure and responsibilities
- Relationships with other units
- Access to necessary information
- Investigation rights for compliance breaches
- Formal reporting to senior management, Board, and relevant committees
- Direct access to the Board and committees
This formal status must be effectively communicated across the organization.

The compliance program must be documented in a written Compliance Manual approved by the Board.
It is distinct from risk management and internal audit programs, focusing specifically on business risk mitigation.
The program must reflect the bank's size, complexity, and identify specific business risk avenues.
A suitable organizational structure with full-time dedicated personnel must administer the compliance function.
Duties of the CCO and compliance staff must be explicitly defined.
Failure to ensure integrity and accuracy in documentary submissions is an unsafe banking practice.
The President and the CCO must affirm under oath that the compliance system is Board-approved and accurately documented.
The program must be updated at least annually.
The compliance function fosters constructive communication with BSP and other regulatory agencies.
Bank staff and affiliated parties must receive regular training to inculcate compliance culture.

The CCO oversees the compliance program's design, implementation, and breach management.
Responsible for ensuring integrity and accuracy of documentary submissions to BSP.
Appointment of a full-time CCO requires Monetary Board approval.
The CCO must meet fit and proper qualifications including integrity, competence, education, diligence, and experience.
A CCO may be appointed for a banking group if compliance is conducted group-wide.
Banks with a "simple" business model may, subject to approval, designate a non-executive director as CCO concurrently.
Classification of banks as "simple" or "complex" affects CCO qualifications and appointment rules.

The Board ensures the establishment and oversight of a defined compliance program.
A board-level Committee, chaired by a non-executive Director, oversees compliance.
Senior management, led by the CCO, ensures adherence to compliance standards and expedites issue resolution.
The CCO periodically reports compliance matters to the Board or designated Committee.
Amendments to the compliance program require Board approval.
Material breaches and inadequacies are to be promptly reported and addressed.
Material inadequacies in compliance are deemed unsafe and unsound banking practices.

Banks may outsource review, assessment, and testing of their compliance programs to qualified third parties.
Such outsourcing arrangements must comply with relevant MORB rules and BSP Circular provisions.

All provisions of the Circular must be fully complied with on or before July 1, 2012.