In this post, we aim to take a close look at an often overlooked element of a good financial crime compliance programme - the process(es) of quality control (QC) and quality assurance (QA).
It is one thing (a very good thing!) to have thorough policies and procedures and carefully designed controls, but it is another to understand if they are actually working properly. To this end, regulated institutions need to adopt frameworks to embed appropriate QC / QA practices. These activities are critical in ensuring the integrity of fincrime compliance processes, ensuring regulatory compliance, and safeguarding against illicit activities. In this article, we look at the significance of QC and QA and highlight their key components.
Definitions
First, let’s clear up a common area of confusion and clarify the difference between QC and QA. Both are crucial elements of a comprehensive compliance programme, but each serves a distinct purpose:
Quality control
A check to confirm that a process is being applied consistently and effectively, in line with documented processes or procedures.
QC is a control mechanism that involves detecting, analysing and rectifying compliance issues in real time, to identify if analysts are adhering to policies and procedures, and to take remedial actions if not.
QC can be characterised as a reactive or corrective process. It happens in near real time, meaning errors or shortcomings can be corrected almost straightaway.
QC is traditionally owned by the first line of defence. It can be done by the same team(s) which performs the task being assessed. For instance, a senior team member may review one in every five tasks completed by a more junior team member (a ‘four-eyes review’).
Quality assurance
An objective review of the outcome of a specific process or control. QA ensures a process has been followed correctly and reviews the outcome to identify weaknesses or room for improvement in the future.
QA is a proactive measure designed to ensure controls and processes are working effectively and are compliant with regulations.
QA is more retrospective than QC, as it involves looking back over actions taken in the past, meaning it is designed to improve controls and processes in the future rather than address errors as they occur.
QA is traditionally owned by the second line of defence, i.e. compliance. This ensures it is objective, as one team reviews the work of another.
A key component of QA is sample testing, i.e. checking and validating a sample of completed activity at set intervals to confirm if appropriate standards have been met and if relevant policies and procedures have been followed.
Considerations for Success
Quality Control
Ensure you map out all the processes which require QC.
Consider proportionality. How frequently should you perform QC? What percentage of tasks are you performing QC on?
Take a risk-based approach to QC. Increase the number / percentage of tasks checked for new joiners, poor performers or higher-risk scenarios.
Ensure you have sufficient resources to perform QC.
Ensure you do something meaningful with the output, e.g. enhancing procedures or providing training.
Quality Assurance
Set out a QA monitoring programme for the year. You don’t need to do it all at once, and you may not need to cover everything in one year if you deem that appropriate.
Take a risk-based approach. Are there any areas that need an urgent deep dive? When was the last time particular controls received assurance? If you conducted QA on a process last year and the results were positive, maybe focus your time/resource somewhere else.
Be aware of regulatory changes and horizon scanning.
Ensure you do something meaningful with the output, e.g. policy updates or system enhancements. You should also feed the findings into your firm’s risk assessment to measure residual risks.
In conclusion, QC and QA are integral components of a robust financial crime compliance programme. By proactively implementing QA measures to improve processes and reacting swiftly to issues through QC practices, organisations can minimise the risk of illicit activities, safeguard their reputations, and comply with regulatory obligations.
Want to find out more about our services?