Having the “Compliance Conversation” in the Face of Changing Expectations

One of the constants in the world of compliance is change. This has been especially true in the last few years, as not only have new regulations been issued, but there is now an entirely different agency that regulates banks. Right now, most are unsure just how the Consumer Financial Protection Bureau (“CFPB”) will affect the banks it does not primarily regulate. However, it is a good bet that much of what is done by the CFPB will also be implemented in one form or another by the other prudential regulators.

One of the other constants in compliance has been skepticism about consumer laws in general, and the need for compliance specifically.  It is often easy to feel the recalcitrance of the senior management at financial institutions to the very idea of compliance.  Even institutions with good compliance records often tend to do only that which is required by the regulation.  In many cases, they do the minimum for the sole purpose of staying in compliance and not necessarily because they agree with the spirit of compliance.  Indeed, skepticism about the need for consumer regulations as well as the effectiveness of the regulations are conversations that can be heard at many an institution.

The combination of changes in the consumer regulations, changes at regulatory agencies and changes in the focus of these agencies presents both a challenge and an opportunity for compliance staff everywhere.  It is time to have “the talk” with senior management. What should be the point of the talk?  Enhancements in compliance can help your bank receive higher compliance ratings while improving the overall relationship with your primary regulator.

The Compliance Conversation

While there are many ways to try to frame the case for why compliance should be a primary concern at a bank, there are several points that may help to convince a skeptic.

1)      Compliance regulations have been earned by the financial industry. A quick review of the history of the most well-known consumer regulations will show that each of these laws was enacted to address bad behaviors of financial institutions. The Equal Credit Opportunity Act was passed to help open up credit markets to women and minorities who were being shut out of the credit market. The fair lending laws, HMDA and the Community Reinvestment Act were passed to assist in the task of the ECOA. In all of these cases, the impetus for the legislation was complaints from the public about the behavior of banks. The fact is that these regulations are there to prevent financial institutions from hurting the public.

2)      Compliance will not go away! Even though there have been changes to the primary regulations, there has been no credible movement to do away with them. Banking is such an important part of our economy that it will always receive a great deal of attention from the public and therefore legislative bodies. In point of fact, the trend for all of the compliance regulations is that they continue to expand. The need for a compliance program is as basic to banking as the need for deposit insurance. Since compliance is, and will be, a fact of banking life, the prudent course is to embrace it.

3)      Compliance may not be a profit center, but a good compliance program cuts way down on the opportunity costs of regulatory enforcement actions. Many financial institutions tend to be reactive when it comes to compliance. We understand; there is a cost-benefit analysis that is done and often the decision is made to “take our chances” and get by with a minimal amount of resources spent on compliance. However, more often than not the cost-benefit analysis does not take into account the cost of “getting caught”. Findings from compliance examinations that require “look backs” into past transactions and reimbursement to customers who were harmed by a particular practice are extremely expensive. The costs for such actions include costs of staff time (or temporary staff), reputational costs and the costs associated with correcting the offending practice. A strong compliance management system will help prevent these costs from being incurred and protect the institution’s reputation, which at the end of the day is its most important asset.

4)      Compliance is directly impacted by the strategic plan.  Far too often, compliance is not considered as institutions put together their plans for growth and profitability.  Plans for new marketing campaigns or new products being offered go through the approval process without the input of the compliance team.  Unfortunately, without this consideration, additional risk is added without being aware of how the additional risk can be mitigated.   When compliance is considered in the strategic plan, the proper level of resources can be dedicated to all levels of management and internal controls.

5)      There is nothing about being in compliance that will get in the way of the bank making money and being successful. Many times the compliance officer gets portrayed as the person who keeps saying no: “No!” to new products, “No!” to new marketing, and “No!” to being profitable. But the truth is that this characterization is both unfair and untrue. The compliance staff at your institution wants it to make all the money that it possibly can while staying in compliance with the laws that apply. The compliance team is not the enemy. In fact, the compliance team is there to solve problems.

Getting the Conversation to Address the Future.

Today there are changes in the expectations that regulators have about responding to examination findings and the overall maintenance of the compliance management program. There are three fronts that may seem unrelated at first, but when put together make powerful arguments about how compliance can become a key component in your relationship with the regulators.

First, the prudential regulators have made it clear that they intend the review of the compliance management program to directly impact the overall “M” rating within the CAMEL ratings.   The thought behind evaluating the compliance management program as part of the management rating is that it is the responsibility of management to maintain and operate a strong compliance program.  The failure to do so is a direct reflection of management’s abilities.  Compliance is now a regulatory foundation issue.

Second, now more than ever, regulators are looking to banks to risk assess their own compliance and, when problems are noted, to come forward with the information. The CFPB, for example, published guidance in 2013 (Bulletin 2013-06) that directly challenged banks to be corporate citizens by self-policing and self-reporting. It is clear that doing so will enhance both the reputation and the relationship with regulators. The idea here is that by showing that you take compliance seriously and are willing to self-police, the need for regulatory oversight can be reduced.

Finally, the regulators have reiterated their desire to see financial institutions address the root causes of findings in examinations. There have been recent attempts by the Federal Reserve and the CFPB to make distinctions between recommendations and findings. The reason for these clarifications is so that institutions can more fully address the highest areas of concern. By “addressing”, the regulators are emphasizing that they mean dealing with the heart of the reason that the finding occurred. For example, in a case where a bank was improperly getting flood insurance, the response cannot simply be to tell the loan staff to knock it off! In addition to correcting mistakes, there is either a training issue or perhaps staff are improperly assigned. What is the reason for the improper responses? That is what the regulators want addressed.

The opportunity exists to enhance your relationship with your regulators through your compliance department.  By elevating the level of importance of compliance and using your compliance program as a means of communicating with your regulators, the compliance conversation can enhance the overall relationship between your institution and your regulator.

Do You Know Your Risk Appetite?


As part of the development of a comprehensive compliance management program, there are specific roles for senior management and another set of roles for the Board of Directors. Senior management has a functional role that includes the development of written policies and procedures that are then presented to the Board for approval. On the other hand, the Board of Directors’ role includes setting limits and overall policy guidelines. Among the most important roles of the Board is to determine the overall risk appetite of the institution. Traditionally, the way that the Board fulfills this function is by developing a risk appetite statement with metrics for measuring adherence to the risk limits. For community banks and small financial institutions, the idea of a risk appetite statement and metrics may seem like a case of overkill. However, development of the risk appetite framework can be an invaluable tool for strategic planning and resource allocation.

In one way or another, all financial institutions are making a statement about their risk appetite. Some choose to consider appropriate risk levels directly and many more do so indirectly. Each product and service that is offered at an institution, vis-à-vis the resources that are dedicated to compliance, creates a statement of sorts. When an institution decides to offer products and services, compliance risks attach regardless of what those products are. The compliance culture that is developed to support products and services is a form of a risk statement. The less emphasis that is placed on compliance, the higher the risk that the institution is willing to take. In many cases, when institutions get into significant regulatory trouble, the root cause is an imbalance between risk appetite and risk management. Offering a new product without the proper systems in place to monitor compliance, and without staff that has the expertise to administer it, is the same as a statement that the risk appetite is high.

Principles Associated with the Risk Appetite Framework

The idea here is that the Board, with the assistance of senior management, should develop the “rules of the road” for your institution. If there are certain levels of risk that the institution is or isn’t willing to take, then the Board should clearly state that position. The same is true for risk that the Board may be willing to take after consideration and approval. For example, the Board may state that it does not want the financial institution to make auto loans at all. However, the best customer of the institution tells a loan officer that he wants a car loan for his son. The loan officer believes that the customer may be lost if he isn’t accommodated. The auto loan is presented to the Board for approval and an exception may be made.

The basic principles for a risk appetite should include at least four considerations:

  1. The capital level of the institution: Since capital is ultimately what keeps the institution alive, a healthy level of capital must be a consideration in the overall willingness to accept risk.
  2. Compensation of staff: The extent to which staff compensation is tied to profits is a risk management consideration. Incentives should be weighted toward the idea that profit should be achieved within the risk framework of the institution.
  3. Customer service: As mentioned above, there are times when meeting the needs of the customer base that the institution is trying to maintain may require actions that are out of the ordinary. The ability of your institution to meet those needs should be considered in the risk appetite framework. If your customer base happens to be high risk, then the products and services that you will offer are also high risk. [1]
  4. Compliance: For each consideration of risk, there should be a consideration of the resources that will be allocated to mitigate the associated potential for regulatory violations.

The risk appetite framework should be developed to balance the interplay of the four principal areas of consideration. For example, a higher level of capital should mean that the level of risk appetite is higher than when capital is low. Considerations of customer service have to be tempered by capital levels; and so it goes.

Compliance as Part of the Risk Appetite    

There are many institutions that consider themselves either low risk or no risk for compliance issues because limited retail products and services are offered. However, compliance is part of this overall process regardless of whether or not you’re in a retail institution. There are ALWAYS compliance issues. Regulations such as the Equal Credit Opportunity Act, anti-money laundering regulations and Unfair, Deceptive, or Abusive Acts or Practices regulations apply to all financial institutions.

In any financial institution, there are competing interests, and the need to achieve and maintain profitability is often the counterbalance to taking increased risk. Banking is, after all, at its essence the management of risk. When the competing interests are out of balance, the trouble starts. Today many financial institutions find themselves searching for sources of income that are different from the traditional positive net interest margins. The search for nontraditional income has led to consideration of products such as short-term loans, MSBs and mobile banking. Each of these products has a level of inherent risk as well as substantial potential for profits. However, the compliance apparatus in place at a financial institution can either significantly raise or reduce the level of inherent risk. Over the past several years, institutions have found themselves in regulatory trouble by offering products that they either do not fully understand or do not have the necessary ability to administer.

There are many examples of institutions that have allowed the push for profits to far outstrip the compliance program.  In fact, on the websites of each of the major regulatory agencies, there are examples of enforcement actions that have been taken as the result of failure to properly maintain a compliance program.

Using the risk framework to help with prioritizing  

When a risk appetite framework is developed and implemented, even by a small financial institution, the overall effect on compliance is positive. The process for developing the framework forces a level of consideration and discipline on the Board and senior management that is useful. The risk appetite process is conducted by comparing the products and services that the institution wishes to offer with its ability to safely offer those products and services.

When a new product is considered, it should receive the same level of thought and consideration. High-risk products are not in and of themselves a regulatory “no-no”. For each additional product or service, the risk appetite of the Board should be considered along with the necessary expenditure on compliance resources.

Remember the overall state of your CMP says a great deal about your risk appetite.


[1] Please note: there are no regulatory bans on high-risk customers or clients, just a requirement that the high risks are properly managed.

Why is There a Diversity Section in the Dodd Frank Act?


The Dodd–Frank Wall Street Reform and Consumer Protection Act of 2010 was one of the most sweeping banking laws that have been enacted in many years. Of course, the legislation was passed against the backdrop of one of the largest financial crises in world history. The legislation has many sections and several of the provisions have been heavily discussed. However, one section of the act, Section 342, has not received much discussion or fanfare at all. What is Section 342? It is the section that establishes the Office of Minority and Women Inclusion.

Are you Aware that the FFIEC has released Guidance Standards for Diversity in Hiring and Procurement? 

On Oct. 25, 2013, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corp., National Credit Union Administration, Consumer Financial Protection Bureau, and Securities and Exchange Commission (SEC), which are collectively known as the FFIEC, issued a proposed interagency policy statement on diversity. Section 342 of the Dodd-Frank Act requires these agencies to develop standards for regulated entities to assess diversity. The final rule was issued and took effect on June 10, 2015.

First Things First-What is this all about? 

One of the things that the Dodd-Frank Act addresses is the effort being made by financial institutions in the area of inclusion of women and minorities in the overall hiring and procurement processes.  The legislative discussion of Section 342 of the Dodd-Frank Act helps to describe what it is that this section of the law is designed to do.

The Agencies believe that a goal of Section 342 is to promote transparency and awareness of diversity policies and practices within the entities regulated by the Agencies. The establishment of standards will provide guidance to the regulated entities and the public for assessing the diversity policies and practices of regulated entities. In addition, by facilitating greater awareness and transparency of the diversity policies and practices of regulated entities, the standards will provide the public a greater ability to assess diversity policies and practices of regulated entities. The Agencies recognize that greater diversity and inclusion promotes stronger, more effective, and more innovative businesses, as well as opportunities to serve a wider range of customers.[1]

Put another way, the Dodd-Frank Act is trying to get financial institutions to get to know their entire assessment area not only as customers, but as potential employees and contractors.   We believe that this fits in with a larger direction to financial institutions that they should get to know the credit and financial needs of the communities they serve.   Much like the Community Reinvestment Act, there is nothing in the law or the guidance that directs institutions to lower standards or to set quotas.  Instead, the idea here is to make sure that the employment and procurement processes are inclusive.   The fact is that there are many “diamonds in the rough” that go overlooked and as a result, are unbanked or underemployed.

Will This Require a Whole new Reporting Process?

The guidance requires an annual statement on the diversity practices of banks and credit unions. Based upon the standards in the rule, it is not likely that a whole new data collection regime will be required. Instead, it will be the duty of the Board and senior management to include diversity considerations in the strategic plan and ongoing monitoring of performance.

According to the proposed guidance, the expectation will be that institutions will:

  • Include diversity and inclusion considerations in the strategic plan
  • Have a diversity and inclusion plan that is reviewed and approved by the Board
  • Have regular reports to the Board on progress
  • Provide training to all affected staff
  • Designate a senior officer as the person responsible for overseeing and implementing the plan

What does Diversity Mean? 

For purposes of this definition, “minority” is defined as Black Americans, Native Americans, Hispanic Americans, and Asian Americans, which is consistent with the definition of “minority” in Section 342(g)(3) of the Act.

The final Policy Statement also states that this definition of diversity “does not preclude an entity from using a broader definition with regard to these standards.” This language is intended to be sufficiently flexible to encompass other groups if an entity wants to define the term more broadly. For example, a broader definition may include the categories referenced by the Equal Employment Opportunity Commission (EEOC) in its Employer Information Report EEO-1 (EEO-1 Report), [2] as well as individuals with disabilities, veterans, and LGBT individuals.

While this may seem like a long list of new requirements, in our opinion that is not the case at all. When developing a strategic plan and assessing the credit needs of the community, the idea of diversity should be part and parcel of the basic considerations and projections. It is clear that regulators will increasingly focus on financial institutions’ ability to identify the financial needs of the communities they serve and to match how the banks’ activities meet those needs. In addition, we believe that examiners will ask financial institutions to document the reasons why they are not able to offer certain products. The same will be true in the area of hiring and procurement. Financial institutions will need to be able to document diversity efforts and to have a good explanation for the lack of diversity.

It should be emphasized that we do not believe that this guidance is leading towards hiring or procurement quotas.  Instead, the requirement will be for complete and clear documentation of the efforts made to ensure that diverse candidates are being considered.

Why is this a Good Thing? 

Diversity has been, and will always be, a strength. Of course, a diverse loan portfolio is one that can absorb fluctuations in various industries without much turmoil. Diverse ideas and experiences have always led to innovation. In point of fact, there has been a history of exclusion of several communities of potential customers by financial institutions for some time. The whole point of the Community Reinvestment Act was to get financial institutions to look at all communities for potential clients.

Earvin “Magic” Johnson has developed a multibillion-dollar business based upon the idea that diversity is strength. His companies have invested in neighborhoods that were traditionally underbanked and lacked access to funding. The success of this company is a good example of how strategic diversity creates opportunities in communities that often get overlooked.


One of the more controversial points of the regulation is that it appears to rely on self-assessments. There are no examination standards mentioned in the guidance. While some commenters decried self-policing as too vague, it appears that the expectation is that financial institutions will develop a policy, monitor compliance with that policy and make the results available to the public.

Self-assessment is both an opportunity and a curse. The opportunity exists for an institution to define itself. By setting standards that are based on a comprehensive understanding of the community vis-à-vis the capabilities of the bank, an institution has the opportunity to create a strong impression with regulators. At the end of the day this is what regulators will willingly accept and applaud.


While it is too early to tell whether the final guidance will have significant costs associated with it, it is obvious that there will be an emphasis on diversity planning and programs for financial institutions. We suggest that the approach should be part of the overall strategic planning process.

[1]  Joint Standards for Assessing Diversity Policies and Practices of Regulated Entities

[2] Ibid
