1. Risk Assessment. All activities are systematically evaluated for compliance and risks. A process is instituted to ensure risks are regularly evaluated. Internal controls are matched to the severity of risk.
2. Identification of Responsible Parties and Roles. Roles and responsibilities for compliance risk areas are clearly defined and documented. People are adequately empowered to carry out their responsibilities.
3. Standards and Procedures. Compliance standards, practices and procedures are written, clearly established and reasonably designed to reduce the risk of non-compliant conduct. Clear standards of conduct are established and widely distributed.
4. Program Oversight. A Compliance Assistance Officer and other appropriate bodies (e.g., compliance committees) are designated and charged with the responsibility for developing, operating, and monitoring the compliance program, with authority to report directly to the Board and/or the President/CEO.
5. Awareness, Education and Training. Compliance standards and procedures are effectively communicated, and the institution ensures that responsible persons receive timely and appropriate education and training.
6. Lines of Communication. An effective method of communication is developed between the compliance function and all employees, including a "hot line" to receive complaints, as well as a mechanism to respond to questions.
7. Monitoring and Auditing. Monitoring and auditing systems are implemented to detect non-compliant conduct and identify problem areas.
8. Enforcement. Standards are consistently enforced through identification of non-compliance and appropriate consequences based upon clear and specific disciplinary policies.
9. Corrective Action. Systems effectively ensure prompt investigation of non-compliance, reporting where appropriate, and proper responses to prevent similar breakdowns in the future, including modifying the compliance program.