VCM BLOG

What Is Supposed to be in my Risk Assessment? January 10, 2017

jan-10

2017 is here! Now is the time for new resolutions, renewed plans for success and… if you’re in compliance, now is the time for new compliance risk assessments. As we have discussed in previous blogs, the risk assessment is often discussed and sometimes reviled as a meaningless regulatory requirement. When attempting to prepare a risk assessment, a frequent question is presented; what are the essential items in my risk assessment? Per regulatory guidance produced by the Federal Reserve:

“Principles of sound management should apply to the entire spectrum of risks facing an institution including, but not limited to, credit, market, liquidity, operational, compliance, and legal risk.”

This guidance applies to general principals of risk assessment preparation. The compliance risk assessment is something of a different animal because questions of market risk, credit risk and liquidity risk are relatively minor concerns when considering risks in compliance. The focus instead should be on compliance, transactional, strategic, financial and reputational risks associated with compliance activity.

Think of the risk assessment as a matrix – not the type where you get to choose a red pill or a blue pill, just a square with several blocks. There is a formula that you can use to complete an effective risk assessment. The basic formula is INHERENT RISK (minus) INTERNAL CONTROLS (equals) MITIGATED RISK.

Inherent Risk

Inherent risk is the risk associated with the products, customers and overall compliance structure at your bank.

An inherent risk is a risk category that really relates broadly to the activities and operations of a company without considering necessarily the company. For example, unsecured lending is inherently more risky than secured lending. If I were auditing an institution that was primarily involved in unsecured lending, then I would have a higher assessment of inherent risk in that organization than, let’s say, secured lending. And that’s a fairly simple example, but that type of a risk assessment is done for each critical business component1

When considering the level of inherent risk at your institution, consider all the products that you offer and the worst-case scenarios lurking in the background. For example, supposed you are considering the inherent risk associated with consumer lending. The inherent risk might look something like this:

Consumer Loans- Inherent Risk/Type of Risk Comment

Compliance Risk -The risk associated with the regulatory requirements for making consumer loans, e.g. disclosures, accurate calculations, etc.

Transactional Risks- The risks associated with the systems in place that are being used to support offering the product. Can your core support the loan types being offered?

Reputation Risks-The risk that the products will result in consumer complaints, UDAAP violations or potential fair lending concerns.

Strategic Risk -Are your products really meeting the credit needs of the community you serve?

The point of this part of the exercise should be to determine the level of risks that are part of offering the products at all. This level of risk doesn’t consider anything of your compliance program.

Internal Controls

One you have identified the risks inherent in the products you offer, the customers you serve and the overall current compliance program, the next step is to review the steps your institution has taken to address them. This is where your policies, procedures, training and independent audits come in. There is really an opportunity to self-reflect and simultaneously project your aspirations during this part of the risk assessment. It is one thing to note you have policies and procedures in place. It is a far different consideration to determine how effective they are. Are the policies and procedures written and updated on an annual basis? How much of the policies and procedures are internally developed and how much have been “borrowed” from other institutions? (Note: This is not to imply that borrowing is a bad thing, if the information truly reflects the situation at your institution). The risk assessment should contain an analysis of the current state of the internal controls. What would excellent controls look like and what would it take for the compliance department to get there? These considerations should be included.

Mitigated Risk

Your overall assessment of how well the internal controls at your institution address the possibility of problems is the mitigated risk. For the risk assessment to be a most effective tool, it is necessary for this process to truly consider potential proems with internal controls. Written policies and procedures, for example, can be comprehensive and up to the minute accurate, but totally ineffective if staff don’t use them. Training is an area often taken for granted. The online training that most institutions offer is a great start for training. However, for a full in-depth understanding, additional training that includes case-studies is a best practice.

 

For the banking industry in general regulators have put strategic risk at the forefront. For example, its semiannual risk perspective for spring 2016, the OCC noted that strategic risk is a concern:

“Banks are several years into the risk accumulation phase of the economic cycle. The banking environment continues to evolve, with growing competition among banks, nonbanks, and financial technology firms. Banks are increasingly offering innovative products and services, enabling them to better meet the needs of their customers. While doing so may heighten strategic risk if banks do not use sound risk management practices that align with their overall business strategies, failure to innovate to meet evolving needs or financial services may place a bank at a competitive disadvantage.”2

As the risk assessment process is completed this year, it is important to consider whether your institution is keeping up with trends in technology and innovation. The financial industry is being disrupted in a way that will significantly impact the relationship between customers and institutions. Without the right technology and business plan, it will be easy to be left behind. Make sure that your risk assessment considers strategic risk.

James DeFrantz is the Principal of Virtual Compliance Management Services LLC. He can be reached directly at JDeFrantz@VCM4you.com

[1] William Lewis, Price Waterhouse Coopers  Comptroller of Currency Administrator of National Banks Audit Roundtable, Part 1 Risk Assessment and Internal Controls .

[2] OCC Semiannual Risk Perspective From the National Risk Committee  Spring 2016

Planning Your Compliance Year- December 13, 2016

As the year comes to close, for most people, it is time to celebrate with family and friends and to look forward to the new year with anticipation.  For risk and compliance officers at financial institutions, the new year comes with a bit of a different perspective.  For many years now, each new year brings a different set of regulations and the challenge of keeping financial institutions in compliance.   This is not necessarily a bad thing.  New challenges can present an opportunity for new and more efficient solutions.   There are some steps that you can take that can truly help you get to the goal of getting on top of compliance.

 

Step One- Information Gathering

There are several sources for regulatory changes.  It is important to consider the fact that compliance and risk expectations can be changed by more than the implementation of new regulations.   Regulatory agencies respond to world events, the political environment, resources allocations, technology and many other factors.   One valuable source of information that is often overlooked are the annual plans or statements that are issued by the prudential regulations.  All three issue a plan that addresses the areas that they will emphasize in the upcoming year.[1]  For example, the Office of the Comptrollers’ annual report points out that strategic planning will be an emphasis of the examinations teams in 2017.   In addition, there are many organizations and agencies that list the effective dates for regulations.  At VCM, we have a form that lists regulations, effective dates and whether the regulation will apply to your organization. [2] Gathering information on the new regulations and regulatory initiatives is a key first step for planning the compliance year.

Step Two – Setting the Parameters

The next step is to complete a risk assessment.  Often, we see risk assessments that are performed specifically for meeting a regulatory requirement.  In many cases, these assessments are completed and put away until it is time to do an annual update.  We believe that the risk assessment provides an excellent opportunity to set the parameters for your own compliance program.  Your risk assessment should include:

  • The areas where there have been regulatory of? internal audit findings in the past
  • The types of products the Bank offers and the risks associated with those products
  • New products contemplated
  • The management reports currently being generated by software
  • Changes in regulations that might affect the bank
  • Changes in staff that have occurred or are planned.

The risk assessment should be designed to determine the areas where your institution has the greatest risk for violations or findings.  The assessment should be brutally honest and unflinching in its assessment of the compliance needs for your institution.

The most important part of this step is to remember to USE the document that you have prepared!  The risk assessment should be the basic document that helps you make the case to senior management for additional staff and/or resources.   The risk assessment should also be used to help set the scope of the internal audits that are performed.  It is very rare that there will be time to cover every potential issue in a year so the risk assessment should help prioritize resources.    The risk assessment should also be used to set the training calendar.

Step Three- Checking Twice  

In addition to going through the regulations, it is necessary to make sure your policies and procedures match the requirements.  For example, have you developed a solid method for making sure that you comply with the “valuations rules” of regulations B and Z?  Do you know what these are and how they affect you?

It is also a very good idea to sign up for all the “Free stuff” that the regulators publish about compliance.   These can be used as useful supplemental training tools.  There is a great deal of very helpful information made available by the Federal Reserve and the CFPB. [3]

Step Four-Call for Help!

One of the benefits of completing a comprehensive compliance risk assessment is that the results can help you determine the level of support that is needed.   Far too often compliance departments get additional resources only after the staff has been overwhelmed or has experienced a poor result from an audit or examination.  However, as the saying goes, an ounce of prevention is worth a pound of cure.  Identifying the areas that are the highest risk and asking for help in those areas before they become a problem is a best practice that will enhance your compliance program and the quality of your life!

One of the best areas to get support for compliance is through the staff at your bank.   At the end of the day, compliance is a team effort that requires the input of the whole bank to be most effective.  One of the themes that we have noticed over the years is that people tend to buy in more when they understand the how’s and whys of compliance.  While online training classes are clearly efficient and relatively inexpensive, they sometimes can lack the perspective that gives the staff members the reason why the regulation exists.   For example, we have found that taking the time to explain what it is that BSA laws and rules are trying to accomplish to the staff members who are opening accounts has dramatically improved the collection of data for CIP.  The same is true for Regulation B and a host of other areas.  By helping bank staff understand that there really are good reasons why you are so insistent on complete and accurate disclosures, you can greatly reduce the error rate in these disclosures.   The more help from staff that you get, the more efficient you can be.

 

Step Five- Execute the Plan

Once you have completed the risk assessment, prioritize the risks and asked for help, it is time to execute the plan.   Make sure that the scope of the audits that you are getting will meet your needs and give you information on how things are going.   Regulators have become increasingly critical of audit scopes that are too general or that do not cover specific areas of compliance weakness at the bank.   The internal audit is an important tool that should be used to help find areas that need attention.  It is true that the auditor is your friend.  The results of audits should be taken seriously and positively as this is your opportunity to determine levels of compliance without having regulatory problems.

Like all good coaches, as a compliance officer you know the areas where your team is the weakest.  Make sure that your compliance plan is designed to address these areas from the outset.  If training has been a concern for example, then make sure that you have addressed the root of the problem.

Step Six-Remain Flexible

There is a parable that says that if you want to prove that God has a sense of humor- then try making your own plans.  There is no question that the best-laid plans can sometimes go awry.  Therefore, it is important that you build flexibility into your plan.  For example, even though you may have wanted to do flood insurance testing in the first quarter, you might find that the more urgent area of risk is compliance with HMDA.  Even though flood insurance will always be a “hot button” issue, there are times when the greater area of risk can be somewhere else.  The point is that your plan can hit all the highest areas of risk to ensure that your program is successful.

 

Planning your compliance year cannot only keep you ahead of trouble; it can help you start making different New Year’s resolutions!

 

[1] See for example, http://www.occ.gov/news-issuances/news-releases/2015/nr-occ-2015-130.html, https://www.fdic.gov/about/strategic/performance/supervision.html

 

[2] This form can be found on our website at www.vcm4you.com

[3] http://www.philadelphiafed.org/results.cfm?sort=rel&start=0&text=compliance`1

Assessing Your Compliance Management Program- November 29, 2016

In April of 2016, the FFIEC released proposed new guidelines for rating compliance programs at financial institutions.  These guidelines have since been adopted and will commence in March of 2017. The new compliance guidelines will represent a strong departure from the current system for rating. In addition, these guidelines present a strong opportunity for financial institutions to greatly impact their own compliance destiny.  Although these new guidelines have been released with limited fanfare, the change in approach to supervision of financial institutions has been discussed for some time and is noteworthy.  The upcoming changes to the ratings for compliance programs, will put a premium on the overall effectiveness of your compliance management program.   The stronger the program for compliance, the less likely a single finding will impact the overall rating.

Determining Effectiveness

Although it is easy to assume that “effectiveness” is in the eye of the beholder, there are some metrics that can be used to make this determination.  Some of the factors that the regulators will consider when assessing effectiveness include:

·        Ability to identify compliance risks at the institution – under the new ratings systems the risk assessment your institution prepares will be a critical document. On a regular basis, it is necessary to identify all the risks associated with:

o  The products you offer

o  The customers you serve

o  The It systems you are using

o  The training program you have

o  The strength of the policies and procedures in place

o  Turnover at key positions

o  New and additional products offered

Regulators will expect the risk assessment process is comprehensive and robust and all potential problems are considered and addressed. For each risk mentioned above there should be steps designed to reduce risk to an acceptable level. In this case, the acceptable level should match with the risk appetite of the Board. All financial activity has some level of inherent risk. The risk assessment should detail how your institution has identified the risk and done all that it can to reduce the risk to the level the Board has decided they are willing to take.

·        Appropriate resources to address and mitigate risks – One of the disconnects that often occur between the completion of a risk assessment and the ongoing operation of a financial institution is consideration of the resources that are available. For example, it is one thing to develop comprehensive procedures for testing compliance with flood rules. It is another thing altogether not to have sufficient staff to complete all the steps in the procedures. Moreover, if the staff that are expected to follow the flood procedures are overburdened or under trained, your plans for mitigating risk will be thwarted. The level and quality of resources directed towards compliance will be a key consideration for the overall compliance rating under the new guidelines. Suppose your financial institution had a finding in the flood insurance area after an examination. If the finding was caused by an oversight, that is unlikely to repeat, the impact of the finding will be minimized. On the other hand, if the finding was created because there wasn’t enough time or staff to do a quality check, the issue looms large.

·        Ongoing testing of the internal controls – Much like the old saying “an ounce of prevention is worth a pound of cure” regular testing of compliance controls can greatly enhance the effectiveness of a compliance program. The testing doesn’t have to be extensive, just consistent. Take five of the most recent originated loans and make sure that the disclosures were completed timely and completely. Do the same for deposit accounts that have been recently opened. Complete a mystery shopping event to test employee’s knowledge of products and services.  By using ongoing testing, a compliance team can determine the areas of true weakness and address them.

·        Training of staff– Most financial institutions rely on on-line training to meet the obligations of keeping staff informed about the applicable regulations. On-line training is an extremely useful and cost effective manner to give staff members basic understanding. However, effective compliance programs augment this training with in-person classes that allow staff to ask real world examples. This reinforces the information and allows for a deeper understanding of the requirements of the regulations and how staff is critical for an overall strong program.

Using Findings to your advantage

Maintaining an effective program does not mean that there won’t be ANYfindings. It DOES mean that when errors occur, the compliance team can determine the root cause of the problem and develop a plan to address it.  An effective compliance program will be able to use findings to strengthen the program itself in the long run.

There are Lessons for All Financial Institutions in the Wells Fargo Case- Part Three: A Glaring Need – November 2, 2016

There are lessons for All Financial Institutions in the Wells Fargo Case

Part Three- Turning Our Eyes to a Glaring Need

We have talked about the Wells Fargo case involved violations of Unfair, Deceptive Acts or Practices Act. We noted that this is true because the practices of the bank forced extra accounts and products on customers who simply didn’t want them. In addition to unwanted accounts were significant fees and charges. In some cases, there were as many as 10 unwanted accounts for customers of Wells Fargo.

While this case continues to wind its way through various administrative hearings, news stories and the inevitable civil lawsuits, there is a strong irony in this case that can easily go unnoticed. There can be no doubt that customers of the Wells Fargo were victimized by an abusive campaign. However, while these customers can be considered OVERBANKED there are simultaneously millions of Americans are unbanked and underbanked.

A Forgotten Population

Wells and many other financial institutions continue to pursue practices that forced additional accounts on people who already had a banking relationship. In the meantime, there are millions of potential customers who have no relationship at all as the FDIC showed inn their 2015 study of Unbanked and underbanked populations.

The FDIC has defined Unbanked and underbanked as follows:

“…… many households—referred to in this report as “unbanked”—do not have an account at an insured institution. Additional households have an account, but have also obtained financial services and products from non-bank, alternative financial services (AFS) providers in the prior 12 months. These households are referred to here as “underbanked.”[1]

Per the Corporation for Enterprise Development, there are millions of unbanked and underbanked households across the country. For example, in 2010 the same organization estimated that 20% of the households in New Jersey are underbanked.[2].     The number of unbanked and underbanked people that live within the service areas of financial institutions presents both an opportunity and a level of risk. As the FDIC pointed out in there May 2016 study “Bank Efforts to serve underbanked and unbanked Communities” the whole banking community is better served when the level of trust and participation is increased[3].

Why Unbanked and Underbanked?

The FDIC asks the same sorts of questions every year the answers have been consistent. Here are some of the key observations:

  • The most commonly cited reason was “Do not have enough money to keep in an account.” An estimated 57.4 percent of unbanked households cited this as a reason and 37.8 percent cited it as the main reason.
  • Other commonly cited reasons were “Avoiding a bank gives more privacy,” “Don’t trust banks,” “Bank account fees are too high,” and “Bank account fees are unpredictable.
  • Perceptions of Banks’ Interest The 2015 survey included a new question asked of all households: “How interested are banks in serving households like yours?”
  • The survey results revealed pronounced differences across households.
  • Approximately 16 percent thought that banks were “not at all interested” in serving households like theirs, and the perceptions of the remaining 8 percent were unknown.
  • Unbanked households were substantially less likely than underbanked or fully banked households to perceive that banks were interested in serving households like theirs. More than half (55.8 percent) thought that banks were not at all interested, compared to roughly 17 percent of underbanked households and 12 percent of fully banked households.

While financial institutions are overbanking the customers they have, there are well over 50 million households in America that currently either don’t have a relationship with a bank or a minimal one.

Why serve these communities?

In many cases, misperceptions from the point of view of customers and financial institutions keep them apart. For far too long it has been an axiom that the costs of providing banking services for consumer accounts prevents an acceptable rate of return. However, through the development and use of new technologies, the costs associated with consumer accounts has significantly declined.

Without significant competition for the unbanked and underbanked households, financial needs are met by business that are predatory. The number of financial institutions offering high cost loans has proliferated and the number of unbanked and underbanked families has grown.

Advances in technology had made it possible for financial institutions to offer services to communities throughout the country and the world without needed to expand the branch system. Today’s digital wallet customer is tomorrow’s commercial loan.

Compliance as an Asset

For the financial institution that considers offering new products and services using technology, a new approach to compliance must be pursued.   Currently for most financial institutions, compliance is viewed as a necessary evil expense that is at best, the cost of doing business. However, suppose the role and function of the compliance department changed. When the compliance department becomes fully versed in the requirements for offering Fintech products, the institution can become an active participant in the burgeoning market. By putting resources into your institutions ability to assess and monitor risks, new products, partnerships and growth is possible. Start thinking of compliance as an asset- it can be the gateway to new sources of income

Towards New Markets

The fact is that there are products that are available and cost effective while the market for these products is huge; there simply must be a willing spirit. Rather than committing fraud, consider serving the unbanked and underbanked markets

 

[1] FDIC survey of unbanked and underbanked households

[2] See https://cfed.org/assets/pdfs/Most_Unb anked_Places_in_America.pdfJune 2016

[3]The FDIC recognizes that public confidence in the banking system is strengthened when banks effectively serve the broadest possible set of consumers. Accordingly, the agency is committed to helping increase the participation of unbanked and underbanked consumers in the banking system.

Why IS There a Truth in Savings Act?

dreamstime_s_56110747

As anyone in compliance can attest to, there are myriad consumer compliance regulations.  For bankers, these regulations are regarded as anything from a nuisance, to the very bane of the existence of banks.  However, in point of fact, there are no bank consumer regulations that were not earned by the misbehavior of financial institutions in the past.  Like it or not these regulations exist to prevent bad behavior and/or to encourage certain practices.   We believe that one of the keys to strengthening a compliance program is to get your staff to understand why regulations exist and what it is the regulations are designed to accomplish.  To further this cause, we have determined that we will from time to time through the year; address these questions about various banking regulations.  We call this series “Why IS there….”

Like all of its consumer brethren, the Truth in Savings Act (“TISA”) was enacted to address significant problems that consumers were experiencing with financial institutions. Moreover, the history of the regulation is a familiar one.  First, there were practices that left consumers confused and misinformed about the value, cost and benefits of deposits accounts.   Next, there was an outcry about the practices which resulted in congressional hearings.   Eventually regulation was passed that was designed to set standards in this area and TISA was born!

TISA has a history that is a bit more interesting than some of the significant consumer regulations.   The law was first passed in 1991, but the implementing regulations took close to two years to design and implement.    Once the rules were implemented, there was a still a great deal of confusion in the immediate years that followed, and amendments to the Act were added that delayed its implementation.  Since its implementation there have been some “fine-tuning” amendments such as adding the ability to make disclosures electronically, but the basic thrust of the regulation has remained.  The most significant change to the regulation occurred in 2006 which guidance was published that covered the manner in which information is disclosed to customers about overdraft fees.

Why was there a need for TISA?

In the early 1990’s the financial services industry had just gone through a tremendous upheaval as several important industries have either failed or gone through significant contraction.  The Savings and Loan industry had all but come to an end.  As the economy contracted the competition for the deposits of consumers became fierce.  Deposits are of course, the life blood of financial institutions.  Deposits generally supply the liquidity of financial institutions and are the funding source for loans.

Fierce competition for deposits meant that financial institutions began to do all they could to stand out to potential deposit clients.  Many institutions engaged in aggressive advertising of rates that they would pay on deposits and unfortunately, in many cases, the advertising did not tell the full story at all.  Consumers soon found out even though they thought they were getting a certain rate of return on their deposits, there in fact many “catches” to the interest rate    

Four Really Bad Practices

TISA was aimed at three particularly misleading practices in particular;

  • Interest Timing
  • Investible Balance
  • Low Balance
  • “Free” Checking

Interest Timing:  Was the practice of offering a rate on a deposit without clearly informing the customer that if the deposit was not made by a certain time, the rate would not apply for the month.  For example, I offer you a rate of 10% on your $1,000 deposit.   However, I neglect to mention to you that if the deposit is not made by the 10th of the month the rate for the whole month will be 2%.  In extreme cases, the borrower who missed the deposit deadline would never earn the higher rate advertised.

Investible Balance:  This is the practice of paying interest only on the portion of the deposit that that financial institution deemed “investable” after having to set aside required reserves.  In some cases, using this practice banks would actually pay interest only on 80 percent of the balance of your deposit.  As in the above example, your deposit is $1,000.  The financial institution would argue that $200 of that deposit must be set aside for capital purposes and can’t be used to make money, therefore, only the remaining $800 would receive interest.

Low Balance:  A third practice that regulators (and consumers) found vexing was the “low Balance” method of calculating interest.  Using this method, the amount of interest that was calculated was based upon the lowest balance of the account during the month.  If your account maintained its $1,000 balance for 29 of the 30 days of the month and then you made a withdrawal of $900 on the 29th day, interest would be calculated on the remaining $100 balance.

“Free” Accounts:  Many accounts that were advertised as free, would also come with strings attached based upon the collected balance in the account.  A series of charges would be applied anytime that the balance of the account went below an amount set by the financial institution.  Many of these free accounts ended up being more expensive than other accounts.

These practices and several other lessor tactics employed by financial institutions in advertising made it nearly impossible for consumers to shop to find the best deal for their deposits.

One Additional Concern- Overdrafts

After the first version of the ACT was passed, a further concern came to light, fees charged on overdrafts.  In many cases, financial institutions were allowing for the payment of items that overdraw accounts “as a courtesy”.  However, the term “courtesy” came with significant fees.  In some cases, the financial institution engaged in practices that would pay the largest check first and then charge fees for each subsequent overdraft.  For example, suppose five checks are presented to an account that had a balance of $1,000.  The checks total $1,300.   One check is for $1,200 and the other checks are for $100, $75, $50 and $25.  Financial institutions were paying the first check and then charging an overdraft fee for each of the other checks.   Under the rules of TISA, only the $1,200 check would come with an overdraft fee, because the other checks would be paid first.

The Main Point of TISA

The significant changes that TISA brought about include the creation of the Annual Percentage Yield or APY.  The requirement here is that the way an institution quotes an interest rate has to be uniform.  Financial institutions had to base their disclosures on this calculation and must calculate interest as disclosed.  In this manner a customer can compare one institution to the next and make an informed decision about where they will put their money.

TISA and UDAAP 

Although the regulations do not contain significant penalties for noncompliance, in recent years, examiners have tied the Unfair Deceptive Abusive Acts or Practices (“UDAAP”) regulations to TISA.   In cases, when disclosures did not meet the standards established by TISA, violations of UDAAP have been cited.  For example, when an account is advertised as “free” or low cost, when fees are actually charged that don’t match, a UDAAP claim can be filed.    In addition, when terms of an account are mentioned in advertising or on the website of a financial institution aren’t mentioned, there can be UDAAP claims.

***For more information on ways to reduce the potential for TISA and UDAAP violation, please contact us at www.vcm4you.com ***

Proposed New Ratings for Compliance-Is This a Brave New World?

A Two Part Series.  Part Two – Change Creates Opportunity.

dreamstime_s_51898458In April of 2016, the FFIEC released proposed new guidelines for rating compliance programs at financial institutions.    Once these new guidelines are adopted, not only will they represent a strong departure from the current system for rating, they also present a strong opportunity for financial institutions to greatly impact their own compliance destiny.   Although these new guidelines have been released with limited fanfare, the change in approach to supervision of financial institutions has been discussed for some time and is noteworthy.

The Proposed New Rating System 

The new rating system is designed to focus on the Compliance Management System (“CMS”) that an institution has established to administrate its compliance effort.  This assessment is supposed to be risk based which means that for each institution, the CMS should be unique.  The size, complexity and risk profile of an institution should dictate the structure of the CMS.

The compliance ratings will focus on three specific areas

1)      Board Oversight

2)      The Compliance Program

3)      Violations of Law and Consumer harm

The guidance notes that a part or all of the CMS can be outsourced to third party providers with the caveat that the financial institution cannot outsource the responsibility for compliance.  In other words, the financial institution will be held accountable for the failures of its third party provider.    For each of these areas, there are specific considerations that the examination team will consider.  The guidance describes the factors that should be considered by the examination team for each of the factors:

Board Oversight:

The areas that will be evaluated for Board Oversight are listed below.   A review of these factors indicates that the examiners will be asked to focus on the compliance environment.  The overall level of importance assigned to compliance will be considered as part of the consideration of the management of the institution.   This is consistent with the growing focus placed by prudential regulators on the management component of compliance.

  • Oversight of and commitment to the institution’s compliance risk management program;
  • effectiveness of the institution’s change management processes, including responding timely and satisfactorily to any variety of change, internal or external, to the institution;
  • comprehension, identification, and management of risks arising from the institution’s products, services, or activities; and
  • any corrective action undertaken as consumer compliance issues are identified.

Compliance Management System

The factors listed for the compliance management system are familiar and include the following:

  1. Whether the institution’s policies and procedures are appropriate to the risk in the products, services, and activities of the institution
  2. The degree to which compliance training is current and tailored to risk and staff responsibilities
  3. The sufficiency of the monitoring and, if applicable, audit to encompass compliance risks throughout the institution;
  4. The responsiveness and effectiveness of the consumer complaint resolution process.

These factors will allow the examination team the ability to look at a system for compliance in context of the institutions.  Since each institution is unique, the system for compliance should be reviewed in light of the overall operation of an individual financial institution.

Violations of Law and Consumer Harm

The final area of consideration is where the “rubber meets the road” for compliance programs.  Ultimately, the goal of compliance programs has to be to mitigate against the possibility of compliance violations.  As part of evaluating compliance programs the examiners have to consider the following:

  1. The root cause, or causes, of any violations of law identified during the examination
  2. The severity of any consumer harm resulting from violations
  3. The duration of time over which the violations occurred
  4. The pervasiveness of the violations.

The examiners will clearly be allowed to make distinctions between technical violations that don’t cause a great deal of consumer harm form severe and substantive violations.  For example, the failure to provide notice of property in a flood zone when a loan is modified is not likely to cause great consumer harm.  More often than not when this transaction occurs, the borrower has already purchased flood insurance and the notice is a technicality.   This is the sort of violation in the past lead to difficulties in providing a clear rating of a compliance program.

Opportunities Provided by These Changes

The new compliance rating represents significant changes in the ability of banks to alter their compliance destiny.   The emphasis on self- detection and self-policing allows financial institutions to perform self-evaluation and diagnose compliance issues internally.

In the new rating system, there is a premium placed on the idea that an institution has compliance and/or audit systems in place that are extensive enough to find problems, determine the root of the problems and make recommendations for change.  An attitude that compliance is important must permeate the organization starting from the top.  To impress the regulators that an organization is truly engaged in self-policing, there has to be evidence that senior management has taken the issue seriously and has taken steps to address whatever the concern might be.  For example, suppose during a compliance review, the compliance team discovers that commercial lenders are not consistently given a proper ECOA notification.  This finding is reported to the Compliance Committee along with a recommendation for training for commercial lending staff.   The Compliance Committee accepts the recommendation and tells the Compliance Officer to schedule Reg. B training for commercial lenders.  This may seem like a reasonable response, but it is incomplete.

This does not rise to the level of self- policing that is discussed in the CFPB memo; a further step is necessary.  What is the follow-up from senior management?   Will senior management follow up to make sure that the classes have been attended by all commercial lending staff?  Will there be consequences for those who do not attend the classes?  The answers to these questions will greatly impact the determination of whether there is self-policing that is effective.   Ultimately, the goal should be to show that the effort at self-policing for compliance is robust and taken seriously at all levels of management.  The more the regulators trust the self-policing effort, the more the risk profile decreases and the less likely enforcement action will be imposed.

Self-Reporting

At first blush self-reporting seems a lot like punching oneself in the face, but this is not the case at all!   The over-arching idea from the CFPB guidance is that the more the institution is willing to work with the regulatory agency, the more likely that there will be consideration for reduced enforcement action.  Compliance failures will eventually be discovered and the more they are self-discovered and reported, the more trust that the regulators have in the management in general and the effectiveness of the compliance program in particular.   The key here is to report at the right time.  Once the extent of the violation and the cause of it have been determined, the time to report is imminent.  While it may seem that the best time to report is when the issue is resolved, this will generally not be the case.  In point of fact, the regulators may want to be involved in the correction process.  In any event, you don’t want to wait until it seems that discovery of the problem was imminent (e.g. the regulatory examination will start next week!).

It is important to remember here that the reporting should be complete and as early as possible keeping in mind that you should know the extent and the root cause of the problem.  It is also advisable to have a strategy for remediation in place at the time of reporting.

Remediation

What will the institution do to correct the problem?  Has there been research to determine the extent of the problem and how many potential customers have been affected?      How did management make sure the problem has been stopped and won’t be repeated?  What practices, policies and procedures have been changed as a result of the discovery of the problem?  These are all questions that the regulators will consider when reviewing efforts at remediation.  So for example, if it turns out that loan staff has been improperly disclosing transfer taxes on the GFE, an example of strong mediation would include:

  • A determination if the problem was systemic or with a particular staff member
  • A “look back” on loan files that for the past 12 months
  • Reimbursement of any customers who qualify
  • Documentation of the steps that were taken to verify the problem and the reimbursements
  • Documentation of the changed policies and procedures to ensure that there is a clear understanding of the requirements of the regulation
  • Disciplinary action (if appropriate for affected employees)
  • A plan for follow-up to ensure that the problem is not re-occurring

The new compliance rating systems will place a strong premium on self-policing.  There is no time like the present to institution procedures that emphasize self-policing and embrace the overall concept of compliance as a core value.

FOR MORE INFORMATION AND BLOS, PLEASE VISIST US AT WWW.VCM4YOU.COM

Proposed new ratings for compliance- Is this a Brave New World?

Part One- Change is on the Horizon

In April of 2016, the FFIEC released proposed new guidelines for rating compliance programs at financial institutions.   Once these new guidelines are adopted, not only will they represent a strong departure from the current system for rating, they also present a strong opportunity for financial institutions to greatly impact their own compliance destiny.   Although these new guidelines have been released with limited fanfare, the change in approach to supervision of financial institutions has been discussed for some time and is noteworthy.

The Current Rating System

The current system for rating compliance at financial institutions was first adopted in 1980.   Performance of an institution under the Community Reinvestment Act is evaluated separately and is therefore not considered as part of the compliance examination. Under the current system, compliance is rated on a scale of increasing concern from one to five. An institution with a rating of one has little to no compliance concerns while a five rated institutions has severe concerns and an inoperative compliance system.

Under the current system, the ratings that examiners assign are based upon transaction testing. Examiners would sample a series of transactions and if there were violations of regulations, ratings would be affected. Over the years, several problems were noted with this approach. First, this approach does not take into account the root of the problem. For example, suppose the problem was caused by a form that was not up to date. Suppose further that the problem with the form was it had the wrong address for the regulator of the institution.   Using the transaction approach each loan file that contained this disclosure would count as a regulatory violation and the institution would appear to have huge number of violations. In this case, even if the examiners determined this was a technical violation and not serious, the possibility existed the overall rating would have to be a bad one to reflect the number of violations noted.

However, what if in this case, the compliance staff was well aware of the changed address, had performed training and endeavored to change all of the required forms. Unfortunately, one branch or division of the Bank still had old forms and was still using them. It is of course not good that the old forms were still being used, but the finding certainly does not indicate a severe risk at the institution.

A second problem with the current guidelines is that they do not clearly match the risk based approach for examinations that regulators have employed for several years. Each regulator has received the mandate that examinations should be tailored using a risk based approach. The examination should focus on the size, complexity and overall risk portfolio of a financial institution. The compliance examination is supposed to evaluate the effectiveness of overall system that has been employed at an institution.   In that regard, each financial institution is unique in the products and services that they offer. For example, a community bank that makes five HMDA reportable loans a year doesn’t have the same compliance needs as an institution that makes five hundred HMDA loans in the same time.

Yet another concern with the current rating system is that it tends to be “one size fits all” and as a result, outcomes are unpredictable.   Examiners, for some time have considered compliance systems on a contextual basis. The relative size of an institution, its activity in a given area and the resources realistically available have all been factors examiners consider when assessing a compliance program. Unfortunately, under the current system there is no mechanism to clearly reflect these considerations.   In many cases, an overall rating of “two” is assigned to a financial institution followed by a litany of criticism that leaves the reader confused about how the rating was possible.

In the last two years in particular, there has been a push from regulators to encourage “self-policing”, which is the process of self-detecting and correcting compliance problems at institutions. And while there have been supervisory directives that encourage self-policing, the current rating system does not allow this behavior to be properly recognized.

New Ratings

The proposed guidance discusses the key principals of the new ratings system:

“The proposed System is based on a set of key principles. The Agencies agreed that the proposed ratings should be:

  • Risk-based
  • Transparent
  • Actionable
  • [A]n Incentive for Compliance.

Risk Based: the principal here is that not all compliance systems are the same. They will vary based upon the size, complexity and risk profile of the bank. The examiners will be asked to evaluate the compliance system as it relates to the particular institution that is being reviewed. For example, written procedures that are very general in nature may be appropriate at an institution that has stable staff and experienced little to no turnover. On the other hand, those same procedures may be inadequate at a new and growing institution.

Transparent: The scope of the review and the categories that are being considered should be clear and published. Each institution should be able to understand the rating is based on specific considerations made during the current examination. Past examinations results may or may not be considered; the description of the rating criteria should detail the factors deemed important.

Actionable: The evaluation should include recommendations that address the overall strengths of the compliance program and specific areas that should be enhanced.   The idea here is  management’s attention should be drawn to specific steps that should be taken to enhance the overall compliance program.

Incent Compliance: The examiners should consider the level to which the institution has instituted a program that self-detects and corrects problems.   In this case, remember self-detecting and correcting includes an analysis of the root of the problem and remediation testing before the matter is considered closed.

Overall Ratings

Under the new rating system, there will still be a “one” through “five”, but the ratings will be given on three distinct components of compliance;

  1. Board & management Oversight
  2. The Compliance management program
  3. Violations of law and Harm to consumers

In part two of this series we will discuss the new ratings and the opportunities this system presents.

Please feel free to contact us at WWW.VCM4you.compicture1.jpg

Using Self-Policing to Create Better Compliance Outcomes

dreamstime_m_17568770Imagine the following scenario: you are the compliance officer and while doing a routine check on disclosures, you notice a huge error that your institution has been making for the last year.  The beads of sweat form on your forehead as you realize that this mistake may impact several hundred customers.   Real panic sets in as you start to wonder what to do about the regulators.  To tell or not to tell, that is indeed the question!

There are many different theories on what to do when your internal processes discover a problem.  Although it may seem counterintuitive, the best practice, with certain caveats, is to inform the regulators of the problem.    CFBP Bulletin 2013-06 discusses what it calls “responsible business conduct” and details the grounds for getting enforcement consideration from the CFPB.  In this case, consideration is somewhat vague and it clearly depends on the nature and extent of the violation, but the message is clear.  It is far better to self-police and self-report than it is to let the examination team discover a problem!

Why Disclose a Problem if the Regulators Didn’t Discover it?  

It is easy to make the case that financial institutions should “let sleeping dogs lay”.  After all, if your internal processes have found the issue, you can correct it without the examiners knowing, and move on. Right?  In fact, nothing could be further from the truth.   The relationship between regulators and the banks they regulate was once collegial, but that is most certainly not the case any longer.   Regulators have been pushed by legislation and by public outcry to be proactive in their efforts to regulate.  Part of the process of rehabilitating the image of financial institutions is ensuring that they are being well regulated and that misbehavior in compliance is being addressed.

Self- Policing

It is not enough to discover one’s own problems and address them.  In the current environment, there is a premium placed on the idea that an institution has compliance and/or audit systems in place that are extensive enough to find problems, determine the root of the problems and make recommendations for change.  An attitude that compliance is important must permeate the organization starting from the top.  To impress the regulators that an organization is truly engaged in self-policing, there has to be evidence that senior management has taken the issue seriously and has taken steps to address whatever the concern might be.  For example, suppose during a compliance review, the compliance team discovers that commercial lenders are not consistently given a proper ECOA notification.  This finding is reported to the Compliance Committee along with a recommendation for training for commercial lending staff.   The Compliance Committee accepts the recommendation and tells the Compliance Officer to schedule Reg. B training for commercial lenders.  This may seem like a reasonable response, but it is incomplete.

This does not rise to the level of self- policing that is discussed in the CFPB memo; a further step is necessary.  What is the follow-up from senior management?   Will senior management follow up to make sure that the classes have been attended by all commercial lending staff?  Will there be consequences for those who do not attend the classes?  The answers to these questions will greatly impact the determination of whether there is self-policing that is effective.   Ultimately, the goal should be to show that the effort at self-policing for compliance is robust and taken seriously at all levels of management.  The more the regulators trust the self-policing effort, the more the risk profile decreases and the less likely enforcement action will be imposed.

Self-Reporting

At first blush self-reporting seems a lot like punching oneself in the face, but this is not the case at all!   The over-arching idea from the CFPB guidance is that the more the institution is willing to work with the regulatory agency, the more likely that there will be consideration for reduced enforcement action.  Compliance failures will eventually be discovered and the more they are self-discovered and reported, the more trust that the regulators have in the management in general and the effectiveness of the compliance program in particular.   The key here is to report at the right time.  Once the extent of the violation and the cause of it have been determined, the time to report is imminent.  While it may seem that the best time to report is when the issue is resolved, this will generally not be the case.  In point of fact, the regulators may want to be involved in the correction process.  In any event, you don’t want to wait until it seems that discovery of the problem was imminent (e.g. the regulatory examination will start next week!).

It is important to remember here that the reporting should be complete and as early as possible keeping in mind that you should know the extent and the root cause of the problem.  It is also advisable to have a strategy for remediation in place at the time of reporting.

Remediation

What will the institution do to correct the problem?  Has there been research to determine the extent of the problem and how many potential customers have been affected?      How did management make sure that whatever the problem is has been stopped and won’t be repeated?  What practices, policies and procedures have been changed as a result of the discovery of the problem?  These are all questions that the regulators will consider when reviewing efforts at remediation.  So for example, if it turns out that loan staff has been improperly disclosing transfer taxes on the GFE, an example of strong mediation would include:

  • A determination if the problem was systemic or with a particular staff member
  • A “look back” on loan files that for the past 12 months
  • Reimbursement of any all customers who qualify
  • Documentation of the steps that were taken to verify the problem and the reimbursements
  • Documentation of the changed policies and procedures to ensure that there is a clear understanding of the requirements of the regulation
  • Disciplinary action (if appropriate for affected employees)
  • A plan for follow-up to ensure that the problem is not re-occurring

Cooperation

Despite the very best effort at self-reporting and mediation, there may still be an investigation by the regulators.  Such an instance calls for cooperation not hunkering down.  The more your institution is forthcoming with the information about its investigation, the more likely that the regulators will determine that there is nothing more for them to do.

At the end of the day, it is always better to self-detect report and remediate.  In doing so you go a long way toward controlling your destiny and reducing punishment.

Community Outreach-Why Bother?

 

Community Outreach- Why Bother? 

One of the many requirements of the Community Reinvestment Act (“CRA”) is that all financial institutions that are subject to it make an effort to do outreach to the community.  There are similar requirements in both state and federal fair lending laws.   We believe that the need to do community outreach goes far beyond the regulatory requirements of fair lending and the CRA.

Re-Visiting Your Approach to the CRA- Embracing the Needs of Your Community

Since its inception, the Community Reinvestment Act (“CRA”) has received a great deal of attention. From consumer’s advocacy groups, the reception of the CRA has been positive, while many in the banking community are either ambivalent or downright hostile towards this legislation. During the financial crisis of 2008, the CRA enjoyed a special, albeit unfair place of contempt from those who insisted that compliance with the CRA was somehow at the root of the financial meltdown. But wait, what if the CRA had nothing to do with the financial crisis? What if instead of being an administrative burden, compliance with the CRA resulted in greater marketing opportunities and greater opportunities for overall profitability? These opportunities exist if you embrace the concept of outreach to your community.

When the CRA was first enacted, it was designed to get financial institutions to take a second look at communities that had been historically overlooked for credit by financial institutions. Though these communities tended to be populated with low to moderate income borrowers, these borrowers represent significant opportunities for good credit. The CRA was a means to an end to get banks and financial institutions to “meet the credit needs of the communities in which they operate, including low- and moderate-income neighborhoods, consistent with safe and sound banking operations” [1]

Over the years, even though billions of dollars of investments have been made in communities that were being overlooked[2]http://www.blogger.com/blogger.g?blogID=3530472396892716457, the reputation of the CRA has become one of the regulation that forces banks to make “bad loans”. However, the true emphasis of the regulation has been and always will be to encourage banks to assess the credit needs of the communities they serve. In other words, one of the main goals of the regulations was to get banks to find credit “diamonds in the rough” in areas that had traditionally been written off. , the reputation of the CRA has become one of the regulations that forces banks to make “bad loans”. However, the true emphasis of the regulation is to encourage banks to assess the credit needs of the communities they serve. In other words, one of the main goals of the regulations was to get banks to find credit “diamonds in the rough” in areas that had traditionally been written off.

The strategy of serving communities that have been overlooked has been successfully and very profitably employed by none other than hall of fame basketball star Earvin “Magic” Johnson. His Magic John Enterprises has partnered with all manner of fortune 500 companies to invest over $500 million in communities that had been overlooked.  Using the approach of finding the “diamonds in the rough” Johnson’s companies continue to grow and show amazing profits by investing in low to moderate income communities.  So how does he find these opportunities? “Magic Johnson Enterprises is known for successfully staying rooted in communities because they understand those communities’ unique needs and personalities”[3]  In other words, he knows the needs of his communities and provides services that meet those needs.

Why Should a Bank Market to the Entire Community?

The obvious answer to this question is that failure to market to the whole community may result in a violation of CRA or Fair Lending.  The exclusion of one or more protected groups from marketing efforts can easily be interpreted as a form of “redlining” or discouragement, both of which would be seriously regulatory compliance problems.

The less obvious answer is that by including the entire community of your field of customers, the Bank can become a significant part of the community.  Community banks are an indispensable part of any community. Though it may not seem this way, the trend is that the regulatory agencies are beginning to recognize that community banks are an indispensable part of small communities and should be treated that way. [4] [4] The more that the bank can show that it is truly serving the needs of its community, the stronger the argument becomes that it is indispensable.  An indispensable bank is one that communities will fight for in times of trouble. Moreover, regulators are more likely to give assistance to true community banks

Product Development Anyone? 

One of the best ways to determine whether your institution is offering products that people actually want is to ask.  Getting out into the community and talking to customers allows senior management to get to know what mobile phone and computer applications people are using so that when the time comes to invest in new technology, the money can be well spent.

Can you Say KYC?  

The heart and soul of a strong BSA/AML compliance program is the ability of the staff at a financial institution to know its customers and their individual business plans.  By reaching out to the community it is possible to obtain feedback on how some of your customers are doing.  Suppose it turns out that one of your biggest customers has a terrible reputation in the community; especially one for charging high fees for cashing checks.  This could be particularly upsetting if you were unaware that they were cashing checks at all.

Untapped Resources

Community outreach allows the senior management of your institution to discover potential new and diverse staff members.  There are many small private programs that are designed to train young people for business and these programs can be a strong source of future management candidates.

Just What IS Your Entire Community?

The first step in the process is to make a determination of just who is part of the entire community that that your bank serves!  When was the last time that you performed an assessment of the communities that make up your assessment area? There is a wealth of information available about the makeup of people who live in your assessment area.  For example, the US Census Bureau publishes information about the households in the tracts in your assessment area.  The information includes statistics on the median income, age and races on the people in your area.  There is also information on minority and business ownership that is available by county and MSA.  The FFIEC website has a link to the Census Bureau. [5]  Another good source of data are reports prepared by county and state Chambers of Commerce. In addition to public sources of information, there are several services that provide economic data about the economic status of counties and communities[6]. However, it should be noted that these services tend to be expensive.

A much better source of information is personal contact with community groups in your area. Not all community organizers are anti-banks! In point of fact, many are doing all they can to get their clients actively involved in the banking community and away from the clutches of ‘’payday’’ lenders.

The goal here is to develop as much information as possible about just who your community is and how they fit into your business plan.  Oftentimes, this process results in discovering new and heretofore untapped opportunities. One of the main thrusts of CRA that often goes unmentioned is the push to get banks to find lending opportunities that would go completely unnoticed if not for requirements of the regulation.   Remember, CRA specifically states that the intention is not to get banks to make bad loans, just loans that would otherwise be overlooked.[7]

Marketing to Your Entire Community

One of the key elements in the overall commercial success of a bank is its ability to market itself to its community.  It is through marketing that the bank lets their communities know that it is around and that it is open for business.   Putting a marketing plan together can sometimes be a daunting task indeed.  This is especially true in the current cost conscious environment.  As you put you marketing plans together we suggest that there are two other areas to consider-both Fair Lending and the Community Reinvestment Act.  Your banks’ overall effort at compliance in these two areas can be either greatly enhanced or harmed by the marketing that is done.   We suggest that marketing should always be directed at the client’s entire community.  Failure to include all potential customers in marketing can result in both missed opportunities and the potential for CRA and Fair Lending issues.

How to Market

Today there are so many different venues for advertising that provide for effective low cost communication with customers that the bank opportunities are limitless. Social media has become a staple of the advertising for many banks. Good old fashion newspaper advertising works for others.  The idea is to make sure that you strive for inclusion and meet people where they are.  Do people speak different foreign languages in your assessment area? Make sure that you reach out to them in publications aimed at serving these communities.

In the end, comprehensive marketing programs serve both compliance and the bottom line.

[1] Don’t Blame Subprime Mortgage Crisis or Financial Meltdown on CRA  Stable Communities.com 2008

[2] See The Community Reinvestment Act: 30 Years of Wealth   Building and What We Must Do to Finish the Job John Taylor and Josh Silver National Community Reinvestment Coalition

[3] Magic Johnson Enterprises Helps Major Corporations Better Serve the Multicultural Consumer  Business Wire 2008

[4] See Oklahoma Bankers association update June 3, 20123; 2011 Speech by  Ben Bernanke to federal Reserve Board

[5] http://www.ffiec.gov/; http://www.econdata.net/content_datacollect.html

[6] Dun& Bradstreet provides one such service

[7] The Community Reinvestment Act of 1977 instructs federal financial supervisory agencies to encourage their regulated financial institutions to help meet credit needs of the communities in which they are chartered while also conforming to “safe and sound” lending standards.

dreamstime_m_48758812

Having the “Compliance Conversation” in the Face of Changing Expectations

dreamstime_xl_3008670.jpg
One of the constants in the world of compliance is change.   This has been especially true in the last few years, as not only have new regulations been issued; there is now an entirely different agency that regulates banks.  Right now, most are unsure just how the Consumer Financial Protection Bureau (“CFPB”) will affect the banks it does not primarily regulate.   However, it is a good bet that much of what is done by the CFPB will also be implemented in one form or another by the other prudential regulators.

One of the other constants in compliance has been skepticism about consumer laws in general, and the need for compliance specifically.  It is often easy to feel the recalcitrance of the senior management at financial institutions to the very idea of compliance.  Even institutions with good compliance records often tend to do only that which is required by the regulation.  In many cases, they do the minimum for the sole purpose of staying in compliance and not necessarily because they agree with the spirit of compliance.  Indeed, skepticism about the need for consumer regulations as well as the effectiveness of the regulations are conversations that can be heard at many an institution.

The combination of changes in the consumer regulations, changes at regulatory agencies and changes in the focus of these agencies presents both a challenge and an opportunity for compliance staff everywhere.  It is time to have “the talk” with senior management. What should be the point of the talk?  Enhancements in compliance can help your bank receive higher compliance ratings while improving the overall relationship with your primary regulator.

The Compliance Conversation

While there are many ways to try to frame the case for why compliance should be a primary concern at a bank, there are several points that may help to convince a skeptic.

1)      Compliance regulations have been earned by the financial industry.  A quick review of the history of the most well-known consumer regulations will show that each of these laws was enacted to address bad behaviors of financial institutions.  The Equal Credit Opportunity Act was passed to help open up credit markets to women and minorities who were being shut out of the credit market.  The Fair lending laws, HMDA and the Community Reinvestment Act were passed to assist in the task of the ECOA. In all of these cases, the impetus for the legislation was complaints from the public about the behavior of banks. The fact is that these regulations are there to prevent financial institutions from hurting the public.

2)      Compliance will not go away!  Even though there have been changes to the primary regulations, there has been no credible movement to do away with them. Banking is such an important part of our economy that it will always receive a great deal of attention from the public and therefore legislative bodies. In point of fact, the trend for all of the compliance regulations is that they continue to expand. The need for a compliance program is as basic to banking as the need for deposit insurance.  Since compliance is and will be, a fact of banking life, the prudent course is to embrace it.

3)      Compliance may not be a profit center, but a good compliance program cuts way down on the opportunity costs of regulatory enforcement actions.  Many financial institutions tend to be reactive when it comes to compliance.  We understand; there is cost benefit analysis that is done and often, the decision is made to “take our chances” and get by with a minimal amount of resources spent on compliance.   However, more often than not the cost benefit analysis does not take into account the cost of “getting caught”.  Findings from compliance examinations that require “look backs” into past transactions and reimbursement to customers who were harmed by a particular practice is an extremely expensive experience.  The costs for such actions include costs of staff time (or temporary staff), reputational costs and the costs associated with correcting the offending practice.  A strong compliance management system will help prevent these costs from being incurred and protect the institution’s reputation; which at the end of the day is its most important asset.

4)      Compliance is directly impacted by the strategic plan.  Far too often, compliance is not considered as institutions put together their plans for growth and profitability.  Plans for new marketing campaigns or new products being offered go through the approval process without the input of the compliance team.  Unfortunately, without this consideration, additional risk is added without being aware of how the additional risk can be mitigated.   When compliance is considered in the strategic plan, the proper level of resources can be dedicated to all levels of management and internal controls.

5)      There is nothing about being in compliance that will get in the way of the bank making money and being successful.  Many times the compliance officer gets portrayed as the person who keeps saying no; No!” to new products, “No!” to new marketing, and “No!” to being profitable.  But the truth is that this characterization is both unfair and untrue.  The compliance staff at your institution wants it to make all the money that it possibly can while staying in compliance with the laws that apply.  The compliance team is not the enemy.  In fact, the compliance team is there to solve problems.

Getting the Conversation to Address the Future.

Today there are changes in the expectations that regulators have about responding to examination findings and the overall maintenance of the compliance management program.   There are three fronts that may seem unrelated at first, but when out together make powerful arguments about how compliance can become a key component in your relationship with the regulators.

First, the prudential regulators have made it clear that they intend the review of the compliance management program to directly impact the overall “M” rating within the CAMEL ratings.   The thought behind evaluating the compliance management program as part of the management rating is that it is the responsibility of management to maintain and operate a strong compliance program.  The failure to do so is a direct reflection of management’s abilities.  Compliance is now a regulatory foundation issue.

Second, now more than ever, regulators are looking to banks to risk assess their own compliance and when problems are noted, to come forward with the information.  The CFPB for example, published guidance in 2013 (Bulletin 2013-06) that directly challenged banks to be corporate citizens by self-policing and self-reporting.  It is clear that doing so will enhance both the reputation and the relationship with regulators.  The idea here is that by showing that you take compliance seriously and are willing to self-police, the need for regulatory oversight can be reduced.

Finally, the regulators have reiterated their desire to see financial institutions address the root causes of findings in examinations.   There have been recent attempts by the Federal Reserve and the CFPB to make distinctions between recommendations and findings.  The reason for these clarifications is so that institutions can more fully address the highest areas of concern.  By “addressing”, the regulators are emphasizing that they mean dealing with the heart of the reason that the finding occurred.  For example, in a case where a bank was improperly getting flood insurance, the response cannot simply be to tell the loan staff to knock it off!  In addition to correcting mistakes, there is either a training issue of perhaps staff are improperly assigned.  What is the reason for the improper responses?  That is what the regulators want addressed.

The opportunity exists to enhance your relationship with your regulators through your compliance department.  By elevating the level of importance of compliance and using your compliance program as a means of communicating with your regulators, the compliance conversation can enhance the overall relationship between your institution and your regulator.

Your Partner in Balancing Compliance