Wishes Compliance Management System
Table of Contents

INTRODUCTION
POLICY STATEMENT
COMPLIANCE MANAGEMENT SYSTEM
GOVERNANCE AND OVERSIGHT
COMPLIANCE PROGRAM ELEMENTS
    Regulatory Risk and Control Assessment
    Regulatory Change Management
    Policies and Procedures
    Monitoring and Testing
    Reporting
    Corrective Action
    Training
    Complaint Management
VERSION CONTROL
APPENDIX A-ROLES AND RESPONSIBILITIES

INTRODUCTION

Financial platforms operate in a regulated environment where state and federal regulations require a high level of diligence. In order to remain competitive, it is critical for these firms to continuously look for opportunities to meet the needs of their clients, while also striving to improve the effectiveness of their technology and operations as well as meeting the expectations of their stakeholders, investors and regulators.

At the same time, legislation and resulting regulations, as well as the political climate and focus of regulators, create an environment of constant change. To be successful, financial institutions must balance consumer protection, regulatory burden, company growth and investor expectations. These factors all contribute to the inherent risk for all financial institutions, including Wishes.

To address this risk, Wishes has developed and maintains a sound Compliance Management System that is designed to integrate with the overall risk management strategy of the company. It is Wishes practice to incorporate compliance into our technology whenever possible. Additionally, Wishes includes compliance in strategic, operational, and resourcing decisions.

All Wishes employees have a role in ensuring compliance within the activities undertaken by the company or individuals representing the company. It is the responsibility of each member of Wishes to escalate potential compliance violations to their management.

POLICY STATEMENT

It is Wishes policy to comply with all applicable laws, regulations, guidance and industry standards. Additionally, it is Wishes policy to conduct our business activities and manage our third-party vendors in a manner that is commensurate with the level of risk they may pose to our company or our customers.

COMPLIANCE MANAGEMENT SYSTEM

To execute on our commitment to compliance, Wishes has implemented a Compliance Management System (“CMS”) to assist in identifying and managing our compliance risk. The Compliance Management System is how Wishes:

● Establishes its compliance responsibilities.
● Ensures employee awareness and understanding of applicable requirements as well as their responsibility to escalate potential compliance violations.
● Ensures business activities are inclusive of compliance requirements.
● Monitors operations to ensure technical solutions are operating as intended and meeting the requirements of the law.
● Reviews employee performance and incorporates compliance elements into evaluations; and
● Takes corrective action and updates tools, systems, processes and documentation, as necessary.

Non-compliance with regulatory requirements can result in monetary penalties, litigation, formal enforcement actions by regulators, as well as reputation damage. In some instances, employees, directors and officers may face personal liability or criminal charges for non-compliance.

GOVERNANCE AND OVERSIGHT

The success of a Compliance Program is to a large degree driven by actions taken by the firm’s board and senior management. The responsibility for ensuring that Wishes follows all regulatory requirements rests with the Board of Directors and senior leaders of the organization.

The Board will formally adopt Wishes CMS on at least an annual basis, or as significant changes are made to the firm’s strategy, product offerings, geographic reach or distribution channels.
The Board will stay informed of the effectiveness of the CMS through periodic reporting and issue escalation, should material defects be identified.

Senior Management is responsible for administering the CMS to ensure compliance with applicable state and federal laws and regulations. Senior Management will provide day-to-day oversight and strategic direction on:

● Company expectations about compliance.
● Overall direction for setting compliance policies, procedures, and business practices.
● Resource allocation to ensure adequate attention to the Compliance Program in both numbers and expertise for an effective program.
● Independence of the compliance function from business operations.
● Incorporation of compliance needs into product development, marketing, account management and other operational areas of the business.
● Adequate technical resources to assist in implementing compliance related requirements; and
● Reporting requirements for compliance risks, issues and corrective action.

COMPLIANCE PROGRAM ELEMENTS

A sound compliance program is essential to the efficient, effective and successful operation of a company providing financial products and services. Wishes Compliance Program includes the following components:

● Regulatory Risk and Control Assessment
● Regulatory Change Management Program
● Policies and Procedures
● Monitoring and Testing
● Reporting
● Corrective Action
● Training
● Complaint Management

Regulatory Risk and Control Assessment

To properly manage compliance risk, Wishes identifies and assesses the applicability of regulatory requirements and ensures proper controls are in place to mitigate the risk, relative to our products, services and business practices. Wishes has evaluated and analyzed the federal regulations affecting our business and has completed a foundational assessment of the risk to the company based on those requirements.

Annually, or as changes to our products, services or business processes necessitate, Wishes will update the risk assessment to ensure all applicable laws and regulations are identified and appropriate provisions of the law or regulation are assigned an impact and likelihood rating. Together, the impact and likelihood ratings create the inherent risk rating for the law or regulation. Inherent risk is the risk level in the absence of controls. The inherent risk rating considers penalties, potential litigation, loss of reputation, loss of income and the inability to expand the business resulting from non-compliance. The inherent risk rating is used to drive prioritization of the development and implementation of mitigating controls, including system enhancements, policies and procedures, monitoring and testing and training. The inherent risk is identified as High, Moderate or Low.

The risk assessment also includes a determination of the expected change/direction of risk, which is identified as Increasing, Decreasing or Stable. The direction of risk is determined by changes in the regulatory or political environment, entity structure, business strategy, the results of testing and monitoring or other information identified by the company to increase or decrease the potential risk of the regulatory environment.

In addition to identifying the risk universe and assessing the inherent risk and direction of risk, Wishes assesses the controls designed to prevent or detect deficiencies. The controls are assigned an effectiveness rating based on their ability to mitigate the regulatory compliance risk. The controls are rated as Strong, Adequate or Weak.

The inherent risk rating and control effectiveness rating are used to determine the residual risk of the compliance requirements. In contrast to the inherent risk, the residual risk is the risk remaining to the company given the current effectiveness of the control environment.

Regulatory Change Management

It is Wishes policy to monitor new and changing laws, guidance and industry standards. The Compliance team keeps apprised of such developments by monitoring publications and maintaining relationships with regulators, advisors and peers in the industry. Changes to law or regulation are tracked by the Compliance team to ensure appropriate ownership, implementation and validation of the implementation when a technical solution is available.

The Compliance team, in consultation with internal or external legal counsel, when appropriate, reviews and interprets new and changing legal and regulatory requirements. Compliance analyzes the relevance of the requirements and, along with business operations and technology, evaluates approaches for implementation. Changes to technology systems are built by the product and engineering teams with oversight by Compliance.

Policies and Procedures

Wishes has developed and implemented a system of policies and procedures to address compliance requirements facing our business. Compliance policies serve to document and implement controls related to the regulatory requirements that affect Wishes. Policies and procedures are modified regularly, on at least an annual basis, to remain current and to serve as a reference for employees in their day-to-day activities. Compliance policies and procedures are stored in a central repository with access available to all employees.

Wishes is subject to the following laws and regulations and maintains policies to address each (although some policies may be combined, as is the case with the Marketing and Solicitation Policy, which includes requirements from several regulations):

● Anti-Money Laundering/Terrorist Financing Laws and Regulations
    o Bank Secrecy Act/Anti-Money Laundering
    o Customer Identification Program (“CIP”) and Customer Due Diligence (“CDD”)
    o OFAC
● E-Sign Act
● Privacy
● Marketing, Advertising and Solicitation
    o CAN-SPAM
    o TSR/TCPA
    o UDAAP
● Vendor Management
● Business Continuity Planning
● Information Security

Monitoring and Testing

Monitoring and testing are proactive approaches by Wishes to identify potential weaknesses in the controls designed to mitigate compliance risk. The Monitoring and Testing Program, administered by the Compliance team, may identify errors in systems, processes, procedures or training that, if left uncorrected, could create additional risk to the company. Compliance is included in business change management discussions to ensure compliance and monitoring systems are included in the initial design of all applicable changes.

Version 1.1 Oct 2024

An effective monitoring system includes regularly scheduled reviews of:

● Disclosures and calculations, if any, for product offerings.
● Document filing and retention procedures, posted notices, marketing literature and advertisements.
● Scripts and guides for employee contact or automated responses with customers.
● Adherence to consumer protection laws and regulations; and
● Third-party service provider operations.

Changes to regulations or to Wishes products, services, or business processes may trigger a review of established compliance procedures.

Reporting

Compliance reporting is designed and implemented in such a way as to inform and drive action.
Upon completion of testing, the Compliance team provides Senior Management, as well as management of the areas tested, with documentation of the testing, including the scope of the review, the sample selection criteria, the results of testing, including any defects identified, recommendations for improvement and corrective action, including a timeline for completion, when necessary.

The Compliance team provides periodic updates to Senior Management, including a summary of the results of monitoring and testing, high profile compliance issues and any high or medium risk corrective action that has not been completed according to the agreed upon schedule. Additionally, summary information related to the overall compliance health of the organization and a summary of compliance activity is included in the board package for the Board of Directors and Senior Management on at least a semi-annual basis, or more frequently should any material issues be identified.

Corrective Action

When compliance issues or defects are identified, it is Wishes policy to address the issues expeditiously. An employee who discovers or is notified by a customer of a compliance issue will promptly report the issue internally through appropriate channels to notify management and the Compliance team. The Compliance team, in consultation with business operations and Senior Management, as appropriate, will develop a corrective action plan.
Business Operations will coordinate with compliance to (1) oversee the execution of the plan to identify the nature and the scope of the problem, including a root cause analysis, likely repercussions (past and future) and potential legal, reputation or other risks of continued non-compliance; (2) remediate the issue, notifying any customers who are affected; and (3) determine necessary changes to business practice, systems or training to prevent such an issue going forward and/or ensure the ability to identify such an issue in the future before it becomes problematic.

Training

Educating the Board, Senior Management and all Wishes employees on regulatory compliance is essential to maintaining an effective Compliance Program. It is Wishes policy that all its employees receive compliance training at onboarding as well as ongoing training to facilitate understanding of the financial services industry and the regulatory requirements to which Wishes is subject. When appropriate, teams receive additional training tailored to their respective roles and responsibilities. The Compliance team administers Wishes Compliance Training Program and ensures materials are robust, accurate and relevant to the business, ensures training logs are kept and administers any knowledge assessments as the result of the training.

Complaint Management

Wishes understands the importance of having an effective complaint management program, both in meeting regulatory requirements as well as providing a mechanism for customers to provide feedback on potential process, product or service enhancements. Wishes ensures customer complaints are handled promptly and consistently and that potential issues are escalated, reviewed and addressed by the proper parties in a timely manner. Wishes maintains a log of customer complaints and resolution and identifies the root cause of any error, when applicable, to enhance business practices. See Wishes Complaint Management Program.