Using Self-Policing to Create Better Compliance Outcomes

dreamstime_m_17568770Imagine the following scenario: you are the compliance officer and while doing a routine check on disclosures, you notice a huge error that your institution has been making for the last year.  The beads of sweat form on your forehead as you realize that this mistake may impact several hundred customers.   Real panic sets in as you start to wonder what to do about the regulators.  To tell or not to tell, that is indeed the question!

There are many different theories on what to do when your internal processes discover a problem.  Although it may seem counterintuitive, the best practice, with certain caveats, is to inform the regulators of the problem.    CFBP Bulletin 2013-06 discusses what it calls “responsible business conduct” and details the grounds for getting enforcement consideration from the CFPB.  In this case, consideration is somewhat vague and it clearly depends on the nature and extent of the violation, but the message is clear.  It is far better to self-police and self-report than it is to let the examination team discover a problem!

Why Disclose a Problem if the Regulators Didn’t Discover it?  

It is easy to make the case that financial institutions should “let sleeping dogs lay”.  After all, if your internal processes have found the issue, you can correct it without the examiners knowing, and move on. Right?  In fact, nothing could be further from the truth.   The relationship between regulators and the banks they regulate was once collegial, but that is most certainly not the case any longer.   Regulators have been pushed by legislation and by public outcry to be proactive in their efforts to regulate.  Part of the process of rehabilitating the image of financial institutions is ensuring that they are being well regulated and that misbehavior in compliance is being addressed.

Self- Policing

It is not enough to discover one’s own problems and address them.  In the current environment, there is a premium placed on the idea that an institution has compliance and/or audit systems in place that are extensive enough to find problems, determine the root of the problems and make recommendations for change.  An attitude that compliance is important must permeate the organization starting from the top.  To impress the regulators that an organization is truly engaged in self-policing, there has to be evidence that senior management has taken the issue seriously and has taken steps to address whatever the concern might be.  For example, suppose during a compliance review, the compliance team discovers that commercial lenders are not consistently given a proper ECOA notification.  This finding is reported to the Compliance Committee along with a recommendation for training for commercial lending staff.   The Compliance Committee accepts the recommendation and tells the Compliance Officer to schedule Reg. B training for commercial lenders.  This may seem like a reasonable response, but it is incomplete.

This does not rise to the level of self- policing that is discussed in the CFPB memo; a further step is necessary.  What is the follow-up from senior management?   Will senior management follow up to make sure that the classes have been attended by all commercial lending staff?  Will there be consequences for those who do not attend the classes?  The answers to these questions will greatly impact the determination of whether there is self-policing that is effective.   Ultimately, the goal should be to show that the effort at self-policing for compliance is robust and taken seriously at all levels of management.  The more the regulators trust the self-policing effort, the more the risk profile decreases and the less likely enforcement action will be imposed.


At first blush self-reporting seems a lot like punching oneself in the face, but this is not the case at all!   The over-arching idea from the CFPB guidance is that the more the institution is willing to work with the regulatory agency, the more likely that there will be consideration for reduced enforcement action.  Compliance failures will eventually be discovered and the more they are self-discovered and reported, the more trust that the regulators have in the management in general and the effectiveness of the compliance program in particular.   The key here is to report at the right time.  Once the extent of the violation and the cause of it have been determined, the time to report is imminent.  While it may seem that the best time to report is when the issue is resolved, this will generally not be the case.  In point of fact, the regulators may want to be involved in the correction process.  In any event, you don’t want to wait until it seems that discovery of the problem was imminent (e.g. the regulatory examination will start next week!).

It is important to remember here that the reporting should be complete and as early as possible keeping in mind that you should know the extent and the root cause of the problem.  It is also advisable to have a strategy for remediation in place at the time of reporting.


What will the institution do to correct the problem?  Has there been research to determine the extent of the problem and how many potential customers have been affected?      How did management make sure that whatever the problem is has been stopped and won’t be repeated?  What practices, policies and procedures have been changed as a result of the discovery of the problem?  These are all questions that the regulators will consider when reviewing efforts at remediation.  So for example, if it turns out that loan staff has been improperly disclosing transfer taxes on the GFE, an example of strong mediation would include:

  • A determination if the problem was systemic or with a particular staff member
  • A “look back” on loan files that for the past 12 months
  • Reimbursement of any all customers who qualify
  • Documentation of the steps that were taken to verify the problem and the reimbursements
  • Documentation of the changed policies and procedures to ensure that there is a clear understanding of the requirements of the regulation
  • Disciplinary action (if appropriate for affected employees)
  • A plan for follow-up to ensure that the problem is not re-occurring


Despite the very best effort at self-reporting and mediation, there may still be an investigation by the regulators.  Such an instance calls for cooperation not hunkering down.  The more your institution is forthcoming with the information about its investigation, the more likely that the regulators will determine that there is nothing more for them to do.

At the end of the day, it is always better to self-detect report and remediate.  In doing so you go a long way toward controlling your destiny and reducing punishment.

Community Outreach-Why Bother?


Community Outreach- Why Bother? 

One of the many requirements of the Community Reinvestment Act (“CRA”) is that all financial institutions that are subject to it make an effort to do outreach to the community.  There are similar requirements in both state and federal fair lending laws.   We believe that the need to do community outreach goes far beyond the regulatory requirements of fair lending and the CRA.

Re-Visiting Your Approach to the CRA- Embracing the Needs of Your Community

Since its inception, the Community Reinvestment Act (“CRA”) has received a great deal of attention. From consumer’s advocacy groups, the reception of the CRA has been positive, while many in the banking community are either ambivalent or downright hostile towards this legislation. During the financial crisis of 2008, the CRA enjoyed a special, albeit unfair place of contempt from those who insisted that compliance with the CRA was somehow at the root of the financial meltdown. But wait, what if the CRA had nothing to do with the financial crisis? What if instead of being an administrative burden, compliance with the CRA resulted in greater marketing opportunities and greater opportunities for overall profitability? These opportunities exist if you embrace the concept of outreach to your community.

When the CRA was first enacted, it was designed to get financial institutions to take a second look at communities that had been historically overlooked for credit by financial institutions. Though these communities tended to be populated with low to moderate income borrowers, these borrowers represent significant opportunities for good credit. The CRA was a means to an end to get banks and financial institutions to “meet the credit needs of the communities in which they operate, including low- and moderate-income neighborhoods, consistent with safe and sound banking operations” [1]

Over the years, even though billions of dollars of investments have been made in communities that were being overlooked[2], the reputation of the CRA has become one of the regulation that forces banks to make “bad loans”. However, the true emphasis of the regulation has been and always will be to encourage banks to assess the credit needs of the communities they serve. In other words, one of the main goals of the regulations was to get banks to find credit “diamonds in the rough” in areas that had traditionally been written off. , the reputation of the CRA has become one of the regulations that forces banks to make “bad loans”. However, the true emphasis of the regulation is to encourage banks to assess the credit needs of the communities they serve. In other words, one of the main goals of the regulations was to get banks to find credit “diamonds in the rough” in areas that had traditionally been written off.

The strategy of serving communities that have been overlooked has been successfully and very profitably employed by none other than hall of fame basketball star Earvin “Magic” Johnson. His Magic John Enterprises has partnered with all manner of fortune 500 companies to invest over $500 million in communities that had been overlooked.  Using the approach of finding the “diamonds in the rough” Johnson’s companies continue to grow and show amazing profits by investing in low to moderate income communities.  So how does he find these opportunities? “Magic Johnson Enterprises is known for successfully staying rooted in communities because they understand those communities’ unique needs and personalities”[3]  In other words, he knows the needs of his communities and provides services that meet those needs.

Why Should a Bank Market to the Entire Community?

The obvious answer to this question is that failure to market to the whole community may result in a violation of CRA or Fair Lending.  The exclusion of one or more protected groups from marketing efforts can easily be interpreted as a form of “redlining” or discouragement, both of which would be seriously regulatory compliance problems.

The less obvious answer is that by including the entire community of your field of customers, the Bank can become a significant part of the community.  Community banks are an indispensable part of any community. Though it may not seem this way, the trend is that the regulatory agencies are beginning to recognize that community banks are an indispensable part of small communities and should be treated that way. [4] [4] The more that the bank can show that it is truly serving the needs of its community, the stronger the argument becomes that it is indispensable.  An indispensable bank is one that communities will fight for in times of trouble. Moreover, regulators are more likely to give assistance to true community banks

Product Development Anyone? 

One of the best ways to determine whether your institution is offering products that people actually want is to ask.  Getting out into the community and talking to customers allows senior management to get to know what mobile phone and computer applications people are using so that when the time comes to invest in new technology, the money can be well spent.

Can you Say KYC?  

The heart and soul of a strong BSA/AML compliance program is the ability of the staff at a financial institution to know its customers and their individual business plans.  By reaching out to the community it is possible to obtain feedback on how some of your customers are doing.  Suppose it turns out that one of your biggest customers has a terrible reputation in the community; especially one for charging high fees for cashing checks.  This could be particularly upsetting if you were unaware that they were cashing checks at all.

Untapped Resources

Community outreach allows the senior management of your institution to discover potential new and diverse staff members.  There are many small private programs that are designed to train young people for business and these programs can be a strong source of future management candidates.

Just What IS Your Entire Community?

The first step in the process is to make a determination of just who is part of the entire community that that your bank serves!  When was the last time that you performed an assessment of the communities that make up your assessment area? There is a wealth of information available about the makeup of people who live in your assessment area.  For example, the US Census Bureau publishes information about the households in the tracts in your assessment area.  The information includes statistics on the median income, age and races on the people in your area.  There is also information on minority and business ownership that is available by county and MSA.  The FFIEC website has a link to the Census Bureau. [5]  Another good source of data are reports prepared by county and state Chambers of Commerce. In addition to public sources of information, there are several services that provide economic data about the economic status of counties and communities[6]. However, it should be noted that these services tend to be expensive.

A much better source of information is personal contact with community groups in your area. Not all community organizers are anti-banks! In point of fact, many are doing all they can to get their clients actively involved in the banking community and away from the clutches of ‘’payday’’ lenders.

The goal here is to develop as much information as possible about just who your community is and how they fit into your business plan.  Oftentimes, this process results in discovering new and heretofore untapped opportunities. One of the main thrusts of CRA that often goes unmentioned is the push to get banks to find lending opportunities that would go completely unnoticed if not for requirements of the regulation.   Remember, CRA specifically states that the intention is not to get banks to make bad loans, just loans that would otherwise be overlooked.[7]

Marketing to Your Entire Community

One of the key elements in the overall commercial success of a bank is its ability to market itself to its community.  It is through marketing that the bank lets their communities know that it is around and that it is open for business.   Putting a marketing plan together can sometimes be a daunting task indeed.  This is especially true in the current cost conscious environment.  As you put you marketing plans together we suggest that there are two other areas to consider-both Fair Lending and the Community Reinvestment Act.  Your banks’ overall effort at compliance in these two areas can be either greatly enhanced or harmed by the marketing that is done.   We suggest that marketing should always be directed at the client’s entire community.  Failure to include all potential customers in marketing can result in both missed opportunities and the potential for CRA and Fair Lending issues.

How to Market

Today there are so many different venues for advertising that provide for effective low cost communication with customers that the bank opportunities are limitless. Social media has become a staple of the advertising for many banks. Good old fashion newspaper advertising works for others.  The idea is to make sure that you strive for inclusion and meet people where they are.  Do people speak different foreign languages in your assessment area? Make sure that you reach out to them in publications aimed at serving these communities.

In the end, comprehensive marketing programs serve both compliance and the bottom line.

[1] Don’t Blame Subprime Mortgage Crisis or Financial Meltdown on CRA  Stable 2008

[2] See The Community Reinvestment Act: 30 Years of Wealth   Building and What We Must Do to Finish the Job John Taylor and Josh Silver National Community Reinvestment Coalition

[3] Magic Johnson Enterprises Helps Major Corporations Better Serve the Multicultural Consumer  Business Wire 2008

[4] See Oklahoma Bankers association update June 3, 20123; 2011 Speech by  Ben Bernanke to federal Reserve Board


[6] Dun& Bradstreet provides one such service

[7] The Community Reinvestment Act of 1977 instructs federal financial supervisory agencies to encourage their regulated financial institutions to help meet credit needs of the communities in which they are chartered while also conforming to “safe and sound” lending standards.


Your Partner in Balancing Compliance