In April of 2016, the FFIEC released proposed new guidelines for rating compliance programs at financial institutions. These guidelines have since been adopted and will commence in March of 2017. The new compliance guidelines will represent a strong departure from the current system for rating. In addition, these guidelines present a strong opportunity for financial institutions to greatly impact their own compliance destiny. Although these new guidelines have been released with limited fanfare, the change in approach to supervision of financial institutions has been discussed for some time and is noteworthy. The upcoming changes to the ratings for compliance programs, will put a premium on the overall effectiveness of your compliance management program. The stronger the program for compliance, the less likely a single finding will impact the overall rating.
Although it is easy to assume that “effectiveness” is in the eye of the beholder, there are some metrics that can be used to make this determination. Some of the factors that the regulators will consider when assessing effectiveness include:
· Ability to identify compliance risks at the institution – under the new ratings system
s the risk assessment your institution prepares will be a critical document. On a regular basis, it is necessary to identify all the risks associated with:
o The products you offer
o The customers you serve
o The It systems you are using
o The training program you have
o The strength of the policies and procedures in place
o Turnover at key positions
o New and additional products offered
Regulators will expect the risk assessment process is comprehensive and robust and all potential problems are considered and addressed. For each risk mentioned above there should be steps designed to reduce risk to an acceptable level. In this case, the acceptable level should match with the risk appetite of the Board. All financial activity has some level of inherent risk. The risk assessment should detail how your institution has identified the risk and done all that it can to reduce the risk to the level the Board has decided they are willing to take.
· Appropriate resources to address and mitigate risks – One of the disconnects that often occur between the completion of a risk assessment and the ongoing operation of a financial institution is consideration of the resources that are available. For example, it is one thing to develop comprehensive procedures for testing compliance with flood rules. It is another thing altogether not to have sufficient staff to complete all the steps in the procedures. Moreover, if the staff that are expected to follow the flood procedures are overburdened or under trained, your plans for mitigating risk will be thwarted. The level and quality of resources directed towards compliance will be a key consideration for the overall compliance rating under the new guidelines. Suppose your financial institution had a finding in the flood insurance area after an examination. If the finding was caused by an oversight, that is unlikely to repeat, the impact of the finding will be minimized. On the other hand, if the finding was created because there wasn’t enough time or staff to do a quality check, the issue looms large.
· Ongoing testing of the internal controls – Much like the old saying “an ounce of prevention is worth a pound of cure” regular testing of compliance controls can greatly enhance the effectiveness of a compliance program. The testing doesn’t have to be extensive, just consistent. Take five of the most recent originated loans and make sure that the disclosures were completed timely and completely. Do the same for deposit accounts that have been recently opened. Complete a mystery shopping event to test employee’s knowledge of products and services. By using ongoing testing, a compliance team can determine the areas of true weakness and address them.
· Training of staff– Most financial institutions rely on on-line training to meet the obligations of keeping staff informed about the applicable regulations. On-line training is an extremely useful and cost effective manner to give staff members basic understanding. However, effective compliance programs augment this training with in-person classes that allow staff to ask real world examples. This reinforces the information and allows for a deeper understanding of the requirements of the regulations and how staff is critical for an overall strong program.
Using Findings to your advantage
Maintaining an effective program does not mean that there won’t be ANYfindings. It DOES mean that when errors occur, the compliance team can determine the root cause of the problem and develop a plan to address it. An effective compliance program will be able to use findings to strengthen the program itself in the long run.