When to Hold ‘Em and When to File ‘Em: A Two-Part Series on SAR Filings
Part Two: The Decision
In the first part of this series we noted that Suspicious Activity Reports (“SARs”) are an essential part of the world financial crimes monitoring network. There are analysts at an agency called FinCen who read all of the SARs and capture data about the various schemes that criminals employ in attempts to launder money. We also noted that the filing of SARs has become an area of stress for BSA staff at financial institutions. On one hand, there is a concern that failure to file a SAR might result in criticism by regulators. There are also concerns that filing SARs is a pointless exercise that creates more administrative work and accomplishes little. After all, a proper filing involves researching transactions, performing analysis and drawing conclusions that must be documented. Moreover, almost all SARs require a second filing 90 days later to discuss whether the suspected activity has continued.
At the end of the day, whether or not a SAR should be filed is the decision of the financial institution. It is the expectation of regulators that this decision should be part of a well-established and defined process. According to the FFIEC BSA examination manual, the process should include five component parts: identification of unusual activity, managing alerts, SAR decision making, SAR completion, and monitoring on continuing activity.
Identification or alert of unusual activity: This is the part of any BSA compliance program that combines human intelligence and software. All financial institution staff are required to receive annual training on BSA/AML. One of the main reasons for this requirement is that staff are expected to be able to identify activities that don’t fit into normal patterns or activities for their customers. For example, a longtime customer who normally receives his payroll and pays bills out of his account suddenly deposits $15,000. The expectation is that the staff members of the institution should gently but firmly find out the source of this unusual deposit. Of course, there are many reasonable answers for how the customer came across this money.
Monitoring software should perform a similar function. The whole point of using software is to aggregate the transactions of a customer so that any transactions that fall outside of the normal or expected create an alert and follow-up.
Managing Alerts: Managing alerts is important so that institutional resources are focused on the highest area of risk. Not every customer at your institution is engaged in nefarious activity. In fact, the vast majority are good people who are simply conducting banking activity. Much like the boy who cried “wolf” in the children’s fairy tale, there can be such a thing as too many BSA/AML warnings. The expectation of regulators is that you will adjust your monitoring to create warnings for activity that is truly suspicious or out of the pattern of normal activity. This is at the heart of the requirement that financial institutions perform model validation on a regular basis. There should be a formal and well-established method for reviewing alerts and resolving them in a timely and comprehensive manner.
SAR Decision Making: There has to be a clear process for making SAR decisions, and there also has to be an ultimate decision maker for whether or not the SAR will be filed. The individual decision about whether or not to file a SAR rests with the financial institution. The FFIEC BSA Manual makes this clear:
In those instances where the bank has an established SAR decision-making process, has followed existing policies, procedures, and processes, and has determined not to file a SAR, the bank should not be criticized for the failure to file a SAR unless the failure is significant or accompanied by evidence of bad faith.
SAR completion and filing: There should be a clearly defined process for who performs the research necessary to complete the SAR in a timely and complete manner. The SAR narrative should tell the story, in that it should clearly identify the who, what, where, when and why the activity is considered suspicious. The SAR should be filed within 30 days of the time the activity is determined to be suspicious.
Monitoring and SAR filing on continuing activity: Once the SAR is filed, there should be a process in place to continue to monitor the customer to determine if additional suspicious activity is continuing. At the conclusion of 90 days of monitoring, there should be a follow-up SAR that tells “the rest of the story”. Was the activity repeated, or was it just a bump in the road? 
So you have your system in place. Your staff is well trained to look for unusual activity and your software is monitoring for suspicious behavior. The question still remains: just what exactly is suspicious? Unfortunately, there simply is no one right or wrong answer to that question. Suspicious is in the eye of the beholder. This is why the “know your customer” component is critical to a strong BSA compliance program. The more that you know about your customer and what they are doing, the more obvious suspicious activity becomes.
As a best practice, if there aren’t several members of your institution’s staff who fully understand the business model of a client, it is a bad idea to continue the relationship. Regulators expect that financial institutions have the ability to know the source of funds, the customer base, and the typical transaction flow of the peers of your customer. For example, suppose you have a customer who sells fresh flowers. The expectation would be that staff members at your institution understand how a fresh flower stand works, what typical receipts there might be, who the customers of the stand are and how transactions are conducted. Does the customer sell for cash only? Why? What level of cash is normal for a flower stand? Is it likely that a flower stand would send or receive wires? The point is that the more that is known about the business, the more likely it is that unusual activity can be identified.
In addition to knowing the business, the institution must have the means to monitor activity in a transparent manner. Through a combination of software, direct conversations and onsite visitations with the client, the institution should maintain a clear picture of normal transaction activity.
In the event that a transaction seems unusual, there is absolutely nothing wrong with asking the customer directly. In many, if not most cases, there is a completely acceptable explanation. Most customers will have no trouble with providing documentation to support their activities. Small business owners are generally proud of their accomplishments and don’t mind discussing a large sale or adding a new client. Of course, when a client is unwilling or unable to provide an explanation and present documentation, there may be trouble. The decision to file or not to file is one that your institution must be able to live with and defend through documentation.
Defensive SARs: Don’t do it!
In many cases banks don’t truly know or believe that activity is suspicious, but file a SAR “defensively”. The idea here is that we can’t tell whether or not the activity is unusual, or simply don’t have the time to do the necessary research to make a determination, so filing a SAR is seen as a temporary fix. However, defensive SARs are a sign of weakness or deficiencies in a BSA compliance program. If there is not sufficient time, or not a complete understanding of the business model of the client, to properly monitor and research the activity of a customer, then as a best practice the customer should be considered for de-risking (account closure). Simply filing SARs defensively is staving off the inevitable.
There Comes a Time
After a SAR has been filed for the first time on a customer, as a best practice, it is worth considering how the filing might change the relationship between the institution and the customer. If the possibility exists that there is activity that may be considered suspicious or unusual on an ongoing basis, there are really only two clear choices. The first is to study the business plan of the customer and to gather sufficient information to document that the activity is normal and customary. The concept of suspicious activity is one of context. That is, if we return to the flower shop example above, does it make sense that wires might be going to an obscure bank in Europe? It does indeed if you find out that there is a rare flower that exists in that part of the world and the flower shop has made a marketing point of being able to deliver the rare flower in your area. Moreover, if the flower shop owner is able to show shipping details of the flower, insurance bills, bills of lading or other similar documents that prove the shipment of flowers, then the wires are ordinary and customary.
The other option is to consider the account for de-risking. Many institutions let ego, or the pursuit of fee income, get in the way of safe and sound operating. When a customer’s operations are way ahead of the capabilities and resources of the institution, it is time, as Kenny Rogers would say, to know when to walk away and know when to run.
 This should not be confused with data validation. Model validation is a test of the efficacy of the software settings.
 FFIEC BSA Manual Systems to Identify, Research, and Report Suspicious Activity
When to Hold ‘em and when to File ‘em – a Two Part Series on SAR Filings
Amongst the many ongoing tensions of running a Bank Secrecy Act (“BSA”) compliance program, the decision about whether or not to file a Suspicious Activity Report (“SAR”) often becomes a daily test. To paraphrase the lyric of Kenny Rogers, “you have to know when to hold ‘em and when to file ‘em”.
There was a period of time a few years ago when filing SARs became the remedy for all “ills” in the BSA area. Many small institutions found themselves filing as many as 60-70 SARs a month. In extreme cases, more than a quarter of all customers had either a new SAR or a follow-up SAR being processed. In those cases, an inordinate amount of time and resources were being spent on processing forms that said, essentially, that there was “no change” and the customer was still doing what had caused the initial report to be filed.
While there is no definitive answer to the ongoing questions of when to file a SAR, there are some guidelines that can be used to help with the process.
The Point of it all with SARs
Why do we even have SARs and what in the world are they used for? According to the FFIEC’s (“Federal Financial Institutions Examination Council”) BSA handbook, SARs are a critical component of the national BSA program.
Suspicious activity reporting forms the cornerstone of the BSA reporting system. It is critical to the United States’ ability to utilize financial information to combat terrorism, terrorist financing, money laundering, and other financial crimes. 
According to FinCen, the organization that reads and acts on SARs, the purpose of SARs is:
The purpose of the Suspicious Activity Report (SAR) is to report known or suspected violations of law or suspicious activity observed by financial institutions subject to the regulations of the Bank Secrecy Act (BSA). In many instances, SARs have been instrumental in enabling law enforcement to initiate or supplement major money laundering or terrorist financing investigations and other criminal cases. Information provided in SAR forms also presents the Department of the Treasury’s Financial Crimes Enforcement Network (FinCen) with a method of identifying emerging trends and patterns associated with financial crimes. The information about those trends and patterns is vital to law enforcement agencies and provides valuable feedback to financial institutions.
For the BSA Officer who sometimes feels that these reports are being prepared only so that they can disappear into the ether, take heart. Your SARs are read and they are acted upon in many instances.
In her comments to the International Bankers annual anti-money laundering seminar, FinCen Director Jennifer Calvery described the federal government’s efforts to fight the terror group commonly known as ISIS. She noted that although much of the activity of that group is in Syria and Iraq, the fact of the matter is that they have to have trading partners around the world to get the supplies that they need to wage war. There are several things that FinCen and similar agencies are trying to accomplish to stop them: disrupting revenue streams by denying funds wherever possible, limiting access to the international financial system and, finally, punishing any individual or group that helps ISIS.
Here is one example that has been cited:
… [A] Case originated in 2008 with BSA data concerning an individual who was later convicted of conspiring to provide and providing material support to the Pakistani Taliban. The defendant funneled money to Pakistan as Taliban insurgents fought for greater control in northwest Pakistan. BSA data was critical in uncovering the diverse and complex methods the individual used to send money from the United States to Pakistan, each of which was designed to conceal and support his activities. Investigators uncovered at least three methods: 1) wire transfers from the United States to Pakistan, where an associate picked up and administered the funds; 2) transfers of funds from cashier’s checks drawn on U.S. banks to a bank in Pakistan where co-conspirators could draw checks; and 3) bulk cash carried by family members and other travelers from the United States to Pakistan. 
So ultimately, regardless of the size of your institution, the SARs that you file are part of something much bigger. You are deputies in the fight against some very dark forces, including human traffickers, drug dealers and terrorists, and the information that you provide is critical in this fight.
A Balancing Act
The decision to file a SAR must be a balancing act. For the BSA Officer at most financial institutions there remains the fear that the decision not to file a SAR might result in heavy regulatory criticism. It is sometimes the case that institutions will file a SAR even when they feel that they are totally informed about the transactions and do not feel it is suspicious. Filing a SAR to avoid regulatory criticism is commonly called “defensive SAR filing”. While almost no institution will admit to doing so, a large number have actually filed defensively.
As a best practice, the SAR process should also be tied to the “de-risking” consideration process at your institution. There are many times when a customer engages in a suspicious transaction that is a one-time thing. Perhaps there is a large cash transaction and the explanation from the customer is somewhat sketchy. A SAR is filed and the account is closely monitored for the next 180 days. There is no other unusual or suspicious activity. In these cases no additional SAR needs to be filed.
However, there are cases when a customer engages in suspicious activity and continues to do so. For many institutions, the process has become a continuous string of monitoring account activity and filing SARs. However, in the event that a customer is engaging in activity that the institution finds suspicious, the prudent course is to act on that information. In the event that there are three or more SARs filed on a customer for the same type of activity, it is necessary to make one of two determinations:
The activity can be fully explained and vetted and is therefore not suspicious
The institution does not have the information necessary to properly monitor and manage the risk presented by the customer and therefore must terminate the relationship (“de-risk”)
Continuously filing SARs on a customer without considering the customer for de-risking is a red flag for regulators. This is an indication that the BSA staff of your institution does not fully understand what the customer is doing. Once activity of a customer has been determined to be suspicious, the process for gathering additional information should begin. Ultimately, if the BSA staff is unclear about a customer’s activity or business, he/she presents an unacceptable level of risk. Filing a SAR defensively can be an act of simply giving up and admitting that there is insufficient information about the customer.
The Examination Process and SARs.
Again, the BSA examination manual is helpful here. It states that what the examiners are supposed to be looking at is the SAR Decision Process.
Within this system, FinCen and the federal banking agencies recognize that, as a practical matter, it is not possible for a bank to detect and report all potentially illicit transactions that flow through the bank. Examiners should focus on evaluating a bank’s policies, procedures, and processes to identify, evaluate, and report suspicious activity. However, as part of the examination process, examiners should review individual SAR filing decisions to determine the effectiveness of the bank’s suspicious activity identification, evaluation, and reporting process
It is clear from the text of the examination manual that there is no expectation that a financial institution will be able to catch every suspicious transaction that takes place. There are simply not enough resources for that to be the reality. Instead, regulators expect financial institutions to develop systems that allow for the identification and monitoring of the highest risk areas.
There are five key components to an effective SAR monitoring system. The five components are:
Identification or alert of unusual activity (which may include: employee identification, law enforcement inquiries, other referrals, and transaction and surveillance monitoring system output).
Managing alerts.
SAR decision making.
SAR completion and filing.
Monitoring and SAR filing on continuing activity.
In part two, we will discuss what each of these components means and how to determine when to hold ‘em and when to file ‘em.
Compliance regulations have become the center of a number of discussions in the financial services industry. Starting with the financial meltdown of 2008, the number of regulations that directly impact the relationship between consumers and banks has grown exponentially. Of course, the costs associated with compliance have also grown and become a significant part of the strategic planning processes and budget for financial institutions. Quite often, compliance regulations are derided as unnecessary and burdensome while the regulatory agencies that are charged with enforcing them are considered unreasonable or unfair. Unfortunately, it is often the case that the reasons compliance regulations exist and the goals of compliance examiners are misunderstood. This misunderstanding can lead to less than effective compliance management programs, mistrust of regulatory agencies and overall inefficiencies in the compliance regulation process. Understanding the “why’s” and “what’s” of compliance can go a long way towards a stronger compliance program.
Compliance: A Brief History
Although there are several theories about why banking is such a heavily regulated industry, some common themes develop when considering this topic. Chief among the reasons that are advanced as an argument for bank regulation is the idea that banks and financial institutions must maintain stability, and the regulatory structure helps to create stability. For example, deposit insurance helps to eliminate the fear that financial institutions will run out of money for their customers. Another argument for regulation is the role that financial institutions play in the payment system. This is an area that requires stability. The ability of funds to flow freely through the financial system is one of the hallmarks of the stability of the US financial system. A third area that is often cited is the need to promote efficiency and competition among financial institutions.
In the aftermath of the stock market crash of 1929, the banking system experienced one of its greatest crises of confidence. Significant “runs” on banks caused liquidity concerns and brought the whole US financial system to a crashing stop. The result of these events was to usher in the modern age of bank regulation. From that time on, a series of regulations and regulatory agencies have been developed, all designed to promote stability and efficiency in the financial system. Generally, financial institution rules that promote the overall stability of the financial institutions are considered “safety and soundness” rules. Safety and soundness rules deal with the overall levels of risks that are inherent at individual banks. Levels of capital, limits on the loans to one borrower and the ability to identify and manage the risks presented by individual customers are all examples of safety and soundness rules.
While safety and soundness rules can generally trace their lineage back to the Great Depression, consumer regulations don’t enjoy the same clear history. For the most part, compliance regulations have been implemented following a much more indirect path. The pattern for development of consumer protection regulations is a familiar one.
1. A practice or product of a financial institution impacts a group of consumers in a negative way (e.g. women or minorities do not have equal access to credit).
2. The offending practice receives widespread attention of the public
3. The public outcry receives the attention of government
4. Legislation is passed to directly change the practice or product.
This has been the pattern time and time again in the development of all of the notable consumer protection regulations that have been enacted in the financial services industries. For example, Regulation Z (the Truth in Lending Act) was passed after public outcry about the lack of complete information detailing the costs of borrowing from banks. From the flood insurance rules and the SAFE Act to the Servicemembers Civil Relief Act, each of the significant consumer protection regulations has followed this same pattern and path. While it can be passionately argued that regulation is not always the most efficient means to prevent bad practices, waiting for market discipline to self-regulate has historically caused more harm than good.
It is important to remember that consumer compliance regulations, regardless of the design or requirements, have similar goals in common: to prevent policies or practices that have caused real people harm in the past. Moreover, it is also the case that financial institution practices that hurt people have not been prevented by consumer regulations. In fact, the reason that the Consumer Financial Protection Bureau was created was to further strengthen the protections for consumers.
“…CFPB will be the single, consumer-focused regulating authority, consolidating the existing authorities scattered throughout the Federal government under one roof. And, the Bureau’s oversight includes the large banks and credit unions that had historically been regulated by the Federal government, as well as independent and privately owned “non-bank financial institutions” that had never been regulated before.
This means that for the first time, the Federal government will be able to regulate the activities of independent payday lenders, private mortgage lenders and servicers, debt collectors, credit reporting agencies, and private student loan companies.” 
A Peek Inside Consumer Regulations
In addition to their similar origins, consumer regulations also share similar approaches to addressing problems. The institutions to which these regulations apply are required to either disclose information to customers or collect information about customers. Regardless of the actions that are required of the financial institution, the overall goal of consumer compliance regulations is to provide as much information as possible to the general public. Data that is collected is used to study the impact of financial institution practices. For example, the data from the HMDA LAR (Loan Application Register) is used to study trends in housing and the experience of women and minorities at institutions that originate mortgages. Regulatory disclosures, such as the Truth in Lending disclosures are meant to give the customer the ability to easily compare the costs of a loan from one institution to the next. The finance charges and fees are all supposed to be listed in a uniform manner to allow a customer to lay offers for a loan side by side.
Ultimately, consumer regulations are supposed to level the playing field between financial institutions who have significant resources and unsophisticated borrowers who have limited resources.
When examiners conduct a compliance examination, the ultimate goal is to determine the strength and effectiveness of the compliance management program (“CMP”). The CMP is comprised of the policies and procedures that cover compliance, the internal controls that have been established, independent reviews and training of staff. The examination team will take a step-by-step approach.
First, there will be analysis to determine that each of the critical components of the CMP has been established. Policies and procedures are reviewed to make sure that they are comprehensive and up to date. Do these documents give staff information on the expectations of the Board and senior management? Further, in the case of procedures, do they direct staff on the proper steps to take to conduct transactions? The compliance examiners will also review training programs and analyze whether they are keeping staff appropriately informed of applicable regulations. Finally, this portion of the examination will analyze independent reviews (audits) to make sure that the scope is appropriate.
Next the examiners make a determination about the overall effectiveness of the CMP. For example, the most complete written policies and procedures in the world have no impact if the results of independent reviews are ignored. The CMP must have the ability to determine the roots of noncompliance and a plan for corrective action.
As a third step, the compliance examination reviews the ability of the senior management at the financial institution to identify risks and to take action to mitigate risks. Many times, when there are regulatory concerns at financial institutions, the root cause is the inability of staff to recognize why an activity is risky or the extent of the risk. For example, an institution that serves a large number of high-risk clients must have the ability to determine what makes them high risk and precisely how to monitor activities to look for suspicious behavior. Before a bank takes on an MSB (“Money Service Business”) as a client, there should be sufficient staff knowledge of MSBs. The institution should also have the software ability to closely monitor transactions of MSBs.
Finally, the compliance examination staff will review the skill sets and knowledge of the staff who are charged with keeping the institution in compliance. A highly experienced and knowledgeable staff can serve as a strong counterbalance to limited policies and procedures, for example. On the other hand, staff who are unfamiliar with compliance regulations will be expected to have significant resources to use.
The compliance rating is based upon the overall effectiveness of the CMP at a financial institution.
Compliance regulations are the direct result of bad behaviors of financial institutions. Most of the regulations are designed to give the consuming public maximum information. Compliance will be a part of banking on an ongoing basis. Embrace your inner compliance officer.
 Megan Slack, “Consumer Financial Protection Bureau 101: Why We Need a Consumer Watchdog,” Whitehouse.gov blog, January 4, 2012, 11:13 AM ET.
As anyone in compliance can attest, there are myriad consumer compliance regulations. For financial institutions, these regulations are regarded as anything from a nuisance to the very bane of the existence of banks. However, in point of fact, there are no bank consumer regulations that were not earned by misbehavior in the past. Like it or not, these regulations exist to prevent bad behavior and/or to encourage certain practices. We believe that one of the keys to strengthening a compliance program is to encourage your staff to understand why these regulations exist and what it is the regulations are designed to accomplish. To further this cause, we have designed a series of blogs that, from time to time throughout the year, will address these questions about various banking regulations. We call this series “Why is there….”
BSA: The Early Years
Since the beginning of crime, there has been a need to hide the ill-gotten gains of criminal activity. Early bad guys held their loot in caves. Later, treasure chests provided a means of hiding criminal wealth. However, despite the form that ancient loot took, the goal was and has always been to reduce assets to currency so that it can be used in exchange for other goods and services. The need to take illicit assets or money and hide its source is known commonly as “money laundering”. Criminals of all sorts engage in money laundering and have become exceedingly sophisticated in their pursuit of hiding the sources and uses of their money.
Because the “bad guys” continue to evolve, the history of the Bank Secrecy Act (“BSA”) and Anti-Money Laundering laws (“AML”) is one of ongoing change. The laws that make money laundering illegal can be traced back to the Bank Secrecy Act of 1970. Since the time the BSA was passed, there have been seven major legislative changes to the overall legislative scheme that covers this area. These changes are:
Money Laundering Control Act (1986)
Anti-Drug Abuse Act of 1988
Annunzio-Wylie Anti-Money Laundering Act (1992)
Money Laundering Suppression Act (1994)
Money Laundering and Financial Crimes Strategy Act (1998)
Uniting and Strengthening America by Providing Appropriate Tools to Restrict, Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act)
Intelligence Reform & Terrorism Prevention Act of 2004
As technology has changed, so have the goals of many of the criminals that want to launder money. In addition to drug dealers, there are terrorists, human traffickers, politicians and embezzlers, all of whom are developing ways to hide their cash.
What exactly is money laundering? FinCen, which is the federal agency that is specifically charged with monitoring and preventing money laundering, defines it this way:
Money laundering is the process of making illegally-gained proceeds (i.e. “dirty money”) appear legal (i.e. “clean”). Typically, it involves three steps: placement, layering and integration. First, the illegitimate funds are furtively introduced into the legitimate financial system. Then, the money is moved around to create confusion, sometimes by wiring or transferring through numerous accounts. Finally, it is integrated into the financial system through additional transactions until the “dirty money” appears “clean.” Money laundering can facilitate crimes such as drug trafficking and terrorism, and can adversely impact the global economy.
Put another way, when criminals conduct their business, they almost always do so in cash, for what should be obvious reasons. As early as the 1970’s federal regulators realized that without some regulatory help, financial institutions would be used as tools for disposing of the cash received from crimes. Criminals would simply deposit their money in the bank, wait a few days and then make legitimate withdrawals. Once the cash was co-mingled with other deposits, there would be no way to tell which money came from real legitimate effort and which was the result of crime.
Some of the more popular schemes for changing criminal cash into legitimate money include:
Black Market Foreign Exchange: In this enterprise, all of the participants are breaking one law or another. On one end are importers of goods who do not want to pay the government rate for exchanging currency from US Dollars to the home currency (e.g. pesos). These importers make a deal with a broker who is willing to import goods illegally. The importer makes a deal with a criminal who has “dirty” US dollars. The importer uses the “dirty” money to buy US goods and ships them to his own country. The goods are then sold to the importers who pay the broker in local currency. The criminal gets his money back in pesos that are now “clean”.
Investing in Legitimate Businesses: Here a criminal buys all or part of a legitimate business and simply mixes his cash in with the earnings of that business. This only works for businesses that already deal extensively in cash. This is why gas stations, casinos, bars and check cashing stores are considered “high risk” for money laundering. Because many professional service providers such as doctors and lawyers often take cash for payments, they are also considered “high risk”.
Smurfing: Sometimes a criminal will get a number of people working together to break up his cash deposits into small amounts. This is called smurfing.
Structuring: This is far and away the most frequent form of attempted laundering. Most people realize these days that a cash deposit above $10,000 has to be reported to the IRS. Criminals have, for years, tried to get around this limit by making deposits of smaller amounts on subsequent days. This is called structuring.
Over the years there have been many different schemes for trying to avoid detection of money laundering. In fact, there are simply too many to list here. Suffice it to say that there are criminal groups with nothing but money and time to try to figure out new and different ways to make “dirty” money clean.
What is the Money Used For?
There are many different uses for money once it has been laundered. Some of the more onerous uses include:
Drug Dealing Activity
As you can see, money that is laundered is used to fund extreme criminal enterprises. This is why it is critically important that financial institutions do all that they can to lend a hand to legal authorities to stop money laundering.
Each of the changes in BSA/AML laws was designed to improve the overall monitoring of cash and cash equivalent transactions. For small financial institutions, the changes have been ongoing and significant. As the regulations changed, the expectations of the regulatory bodies evolved. Today, no self-respecting banker would consider operating without a full BSA/AML compliance program. Moreover, very few banks can get away with a manual system for tracking and aggregating the transactions of their customers. Today, a sound BSA/AML program includes software that helps bank staff aggregate and monitor transactions of its customers.
BSA/AML laws are really financial institutions’ way of helping to keep the world a better, safer place.
The New Year brings with it many different types of celebrations and traditions. In the world of financial institution compliance the tradition for the New Year is to await the implementation of new regulations. For the past several years, there have been a large number of new regulations that have been implemented. Fortunately, the pace of new regulations has slowed dramatically and 2016 will not see a large number. In fact, there are only two significant regulatory changes that will take place in 2016. Despite this fact, as you plan for the compliance year, remember that the supervisory emphasis of the regulatory agencies can have the same impact as new regulations.
There are several sources for regulatory changes. Regulatory agencies respond to world events, the political environment, resource allocations, technology and many other factors. One valuable source of information that is often overlooked is the annual plans or statements that are issued by the prudential regulators. All three issue a plan that addresses the areas that they will emphasize in the upcoming year. In addition, there are many organizations and agencies that list the effective dates for regulations. Gathering information on the new regulations and regulatory initiatives is a key first step for planning the compliance year.
Two (and One-Half) Significant Changes
The most significant regulatory changes that will occur in 2016 are the flood insurance rules and changes in Regulation Z that will expand the ability of small creditors to make, without fear, loans with terms that would otherwise make them non-qualified mortgages. There is also the TILA / RESPA Integrated Disclosure Rule, aka “TRID”, that went into effect in the final quarter of 2015.
The flood insurance rules are likely to impact your institution in two significant areas. First, for loans with a residence as collateral, there is now an exception for detached structures. No longer will you have to get insurance for that random tool shed on the property that you have taken as collateral. There are several considerations that go with this change.
The second change impacts the way that force-placed insurance may be charged to the customer. In some cases, the customer may be charged back to the day that the policy lapsed for flood insurance. Again, there are several considerations to make when applying this rule to your institution.
The flood rules also apply an escrow requirement for institutions that are over $1 billion in assets. We discussed these changes in detail in a three-part blog that is on our website at www.vcm4you.com. For more information, please review our blogs.
Another significant change is the expansion of the ability of small creditors to enjoy qualified mortgage protections for mortgage loans. The CFPB described the change this way:
There are a variety of provisions in the rules that affect small creditors, as well as small creditors that operate predominantly in rural or underserved areas. For instance, a provision in the Ability-to-Repay rule extends Qualified Mortgage status to loans that small creditors hold in their own portfolios, even if consumers’ debt-to-income ratio exceeds 43 percent. Small creditors that operate predominantly in rural or underserved areas can originate Qualified Mortgages with balloon payments even though balloon payments are otherwise not allowed with Qualified Mortgages. Similarly, under the Bureau’s Home Ownership and Equity Protection Act rule, such small creditors can originate high-cost mortgages with balloon payments. Also, under the Bureau’s Escrows rule, eligible small creditors that operate predominantly in rural or underserved areas are not required to establish escrow accounts for higher-priced mortgages. 
This expansion creates a great deal of opportunity for smaller financial institutions to consider mortgage lending. We will discuss this opportunity in detail in blogs to come in the near future.
The regulatory change that received the most publicity last year was the TILA / RESPA Integrated Disclosure Rule which was widely known as TRID. This rule actually was implemented in the last quarter of 2015. Since its start, several regulatory agencies have released examination procedures that indicate how they will treat financial institutions the first time new loans are reviewed for compliance with these rules. According to many publications, technical or individual violations will be de-emphasized. The main area of emphasis will be on the system for compliance that has been developed by the institution.
In addition to changes in regulations, it is important to glean as much information as is available from the regulatory agencies about the areas of focus for examinations. A change in the area of focus can have the same impact as a change in regulation. For example, in the area of flood insurance, when the focus changed from the appropriate amount of insurance to a review of flood notices, a number of institutions that previously had satisfactory reviews found themselves with findings and, in extreme cases, civil money penalties. It is the change in focus of the regulators that often has many an institution asking “why were we okay at the last examination, but not now?” Fortunately, many of the regulatory agencies publish strategic plans which indicate the areas that will be emphasized for the year. Here is a brief review:
The CFPB’s Deputy Assistant Director for origination, Calvin Hagins, recently warned mortgage lenders of the four main examination priorities for 2016—loan originator compensation plans, the ability-to-repay rule, the TILA-RESPA Integrated Disclosures (TRID) rule, and marketing service agreements.
Speaking at the California MBA Legal Issues Conference, Hagins indicated that CFPB examiners will spend a substantial amount of time evaluating loan compensation schemes at every exam at every entity.
The Office of the Comptroller of the Currency, in its 2016 strategic operating plan, released the following priorities:
Evaluating adequacy of compliance risk management and assessing banks’ effectiveness in identifying and responding to risks posed by new products, services, or terms.
Examiners will also assess compliance with the following: new requirements for integrated mortgage disclosure under the Truth in Lending Act of 1968 and the Real Estate Settlement Procedures Act of 1974.
Relevant consumer laws, regulations, and guidance for banks under $10 billion in assets.
Flood Disaster Protection Act of 1973
The Servicemembers Civil Relief Act of 2003.
In addition, the OCC pointed out that fair access to credit will also be a priority:
Assessing banks’ efforts to meet the needs of creditworthy borrowers and to monitor banks’ compliance with the Community Reinvestment Act and fair lending laws.
Examiners at banks with more than $500 million in assets will continue to use the Fair Lending Risk Assessment Tool in their fair lending assessments. 
The FDIC’s 2015 strategic plan is still in effect and it covers several years. While this plan is not as specific in the areas of emphasis as some of the other agencies, the plan does mention that there will be an emphasis placed on consumer protection, the CRA and Fair Lending laws. We have interpreted this language to mean that UDAAP, Fair Lending and the Community Reinvestment Act are all areas that should receive attention at your institution before the examiners arrive.
The Federal Reserve System, in its annual compliance hot topics presentation, indicated that areas of focus will include Regulation C (HMDA), Regulation B spousal signature rules and UDAAP.
In the area of BSA/AML, FinCEN is now taking comments about new rules for due diligence. The original proposal was controversial in that it essentially required financial institutions to perform due diligence on the beneficiaries of accounts as well as, in some cases, the customers of the financial institution’s clients. While it is evident that the proposal will be scaled back somewhat, it is also logical to assume that customer due diligence will be an area of focus for FinCEN in both the short term and the long term.
As you develop your audit plan and compliance risk assessment for the year, both new regulations and regulatory emphasis should receive strong consideration. As a best practice, it is recommended that you contact your regulator and ask for information on areas of emphasis for 2016 and plan accordingly.
 CFPB Finalizes Rule to Facilitate Access to Credit in Rural and Underserved Areas- September 21, 2015
 Deputy Assistant Director for Originations, Calvin Hagins, comments to California MBA Legal Issues Conference
 OCC Committee on Bank Supervision FY 2016 Operating Plan
Pitfalls to Avoid When Developing a Risk Assessment for Fair Lending- Part Two
In part one of this series, we made the argument that an individual risk assessment should be performed for the area of Fair Lending. When performing the risk assessment there are several pitfalls that must be avoided.
Policies and Procedures
The review of an institution’s policies and, particularly, its procedures is a basic and critical part of any risk assessment in the area of Fair Lending.
Potential Pitfall: Policies and procedures can be fully in compliance with regulatory requirements and still have the potential for Fair Lending issues. Review of the policies and procedures must consider both compliance with the requirements of regulations and the impact on customers!
First, these documents should be reviewed to determine that all of the required information is up to date and correct. In this review, it is important that regulatory requirements such as “grossing up” income in credit decisions, spousal signature rules and Fair Lending principles are included. This review should also include a review of procedures to ensure that they match policies.
The second phase of the review should be completed to ensure that policies and procedures do not present the possibility of disparate impact. In this review, the goal is to review the policies and procedures to determine the level of discretion allowed and how this discretion can be checked against Fair Lending risk. For example, do the procedures require documentation of delays in processing loans? Do policies and procedures emphasize the need for secondary review?
Credit policies are an area of particular concern in the Fair Lending assessment. The review of credit policies should also be completed in two phases.
Potential Pitfall: Credit policies should reflect the idea that the bank has made a reasoned decision about how it is meeting the credit needs of its community. Policies that are fully compliant can become outdated quickly. Review of credit policies should consider the changes in the assessment area and should reflect the business decisions of the Board.
Credit formulas and guidelines should be reviewed and validated independently to ensure that the data is valid. Though these validations don’t need to be performed annually, it is a best practice to test the guidelines vis-à-vis adverse action trends at the bank. Guidelines that yield an extremely high number of loan declines may need study and possibly adjustment.
In the second phase of the review, a comparison between the credit policies, the strategic plan of the bank and current economic data should be completed. The purpose of this review is to determine that the bank’s credit policies and procedures match the credit needs of the community. It is imperative that the Bank be able to document the business reasons for the list of products being offered. For example, a decision by a Bank not to offer home equity loans when there is strong need for such loans in an assessment area, may be called into question during a Fair Lending examination. A best practice is to have the economic data to demonstrate that these loans are not economically feasible at the bank, or that some other legitimate business reason exists for not making such loans.
Credit Decision Process
The credit decision process, from the time of application to the ultimate credit decision or withdrawal by the applicant, should be assessed with an eye towards eliminating the ability of a single bank employee to thwart the will of the Board by engaging in illegal behavior.
Potential Pitfall: When reviewing adverse actions and withdrawals for timely notices, it is possible to overlook the warning signs of Fair Lending issues.
The review of adverse actions generally includes a check to make sure that notices are given within the timeframes required by Regulation B. In addition, a good review includes a check to determine that the information given is sufficient for the applicant to understand the issues that cause an adverse decision. However, a best practice is also to review for Fair Lending “warning signs”. For example, an extremely low rate of adverse actions is a strong indicator of pre-screening. A high rate of withdrawals among protected groups is a strong indicator of discouragement.
It is a best practice to review the credit decision process to determine the ability of an individual to make credit decisions without oversight. The more autonomy loan officers have, the more the system for secondary review should be empowered.
The traditional Fair Lending analysis focuses on a review of the approvals versus declines at the Bank. A common practice is to review “matched pairs” which compares the low rated credit approvals with highly rated declines (loans that were barely declined).
Potential Pitfall: If this is the heart of the analysis, then the bank is not getting the full story! The analysis must look at the applicant’s total experience to ensure that all are getting the same considerations.
The analysis should consider:
Application-to-decision time trends for members in protected classes
Comparative analysis: close decisions to approve versus decline
  o Insufficient collateral frequently being given as a reason for decline
  o Large number of declines in a certain product area
High number of approvals versus a small number of declines
If all of the above is not part of the analysis that is being performed, then your bank may have potential Fair Lending issues that are going undetected.
Financial institutions are charged with knowing and managing the results obtained from their vendors. The regulatory agencies have made it clear that in every area from indirect auto lending to appraisals that they expect that financial institutions will monitor the results that they are getting from vendors.
Potential Pitfall: If the review of the vendor ends with a background check, your institution may not be getting the full story. Best practices require that the Bank pay attention to the results of the vendor’s efforts. There has to be a general check that results are reasonable and consistent.
The assessment must consider whether the results being produced are consistent and reliable. For example, are appraisals being reviewed and compared to complaints? Is it possible that certain appraisers consistently yield lower property values in certain income tracts? Are flood insurance determinations being updated to match changes in the flood map? The bank will be held accountable for the misbehavior of its vendors!
The risk assessment should include a review of the potential for UDAAP. This is an area that is growing in scope and influence.
Potential Pitfall: UDAAP is far reaching and can be easily overlooked.
The assessment should consider whether there is consistency in advertising and actual disclosures. The risk assessment must look at the Bank’s products/operations from the point of view of the consumer.
Customer complaints are an area of focus for regulators. Make sure that complaints are getting categorized and reported to the Board. If no complaints have been received, there should be at least a policy and procedures in place to handle these once they do appear.
Many community banks use testimonials as part of their marketing. The relationship with the community is after all, one of the strengths of being a community bank.
Potential Pitfall: A risk assessment that exclusively covers direct compliance with Reg. Z and DD may overlook Fair Lending concerns in advertising.
Risk assessment should cover the reasons for the advertising and the markets that you are attempting to reach. Has the bank considered expanding advertising to nontraditional communities? Are there communities within the Bank’s assessment area that are left out of the advertising and marketing?
Examiners expect that the Bank has direct knowledge of the credit needs of the assessment area. This should be considered as part of the risk assessment.
Potential Pitfall: Without considering the overall strategy of the Bank, it is difficult to get the full picture of how the bank is addressing Fair Lending within its community.
The strategic plan is most often not considered as part of the Fair Lending assessment. However, in many cases, the examiners will start looking at an institution’s strategy in offering products to its community as a consideration of Fair Lending effectiveness.
A Fair Lending risk assessment is a critical component of effective compliance management.
Developing a Risk Assessment for Fair Lending – Part One
Happy New Year! As the new year begins, our focus continues to be on issues that are directly related to compliance. One area that is often overlooked when assessing overall compliance performance is fair lending. Very few financial institutions actually prepare a risk assessment for the Fair Lending area. Generally, if there is a risk assessment, fair lending is included in the overall lending compliance risk assessment. However, fair lending covers a wide range of compliance laws and disciplines. A strong fair lending compliance program will include reviews of internal controls in several key risk and compliance areas. Fair lending is a separate, essential compliance discipline.
Why Fair Lending as a Separate Risk Assessment?
When we speak of this topic, we must first qualify that there is no one Fair Lending law. There are a series of laws that come together to create the umbrella that we call Fair Lending. These include:
Reg. B – Equal Credit Opportunity Act
Reg. C – Home Mortgage Disclosure Act
Reg. Z – Truth in Lending
Reg. BB – Community Reinvestment Act
Reg. Z – Advertising
UDAAP – Unfair, Deceptive, Abusive Acts or Practices Act
Reg. DD – Advertising
Logically, one could assume that since each of these areas is covered in the risk assessments of lending and/or operational compliance, there is no need to do a separate Fair Lending assessment. However, the fair lending assessment involves different considerations for compliance with the spirit of these regulations.
Fair Lending is not like any Other Area of Compliance
The Fair Lending review looks at the impact of practices at a bank to determine whether a violation has occurred. Fair Lending is, in fact, one of the areas of compliance where you may have met all of the requirements of a regulation and still have a violation! Consider a credit scoring system that requires a minimum disposable income of $1,200 per month. Suppose further that this minimum is applied equally and fairly to all applicants. In the case where the minimum disposable income in one neighborhood of a bank’s assessment area is $900, that whole section would be excluded. Suppose further that the section of the assessment area that is excluded includes the low- to moderate-income tracts. A serious Fair Lending concern has been born. This is true even though there is nothing illegal or generally wrong about the $1,200 minimum.
Moreover, when considering whether Fair Lending or UDAAP concerns exist at a Bank, examiners will consider everything from the relationship that the Bank has with its community to the development of specific products and their overall impact on protected classes. A “low cost” checking account that is being marketed to low- to moderate-income populations as an alternative to check cashing outlets can be a noble idea. However, if there are fees on the account that kick in to try to discourage certain behaviors, then what was once a noble idea can become a UDAAP concern.
Fair Lending Examinations Will Consider a Financial Institution’s Relationship with its Vendors
It has become increasingly obvious that Examiners will review a Bank’s oversight of its vendors. Regulatory expectations are that the financial institution must be aware of the reputation of its vendors and must make an effort to determine that the service provided is one that complies with all applicable laws and standards. The CFPB specifically addressed the issue of indirect auto lending and its Fair Lending implications in recent initiatives. The findings of Fair Lending problems and violations of the Equal Credit Opportunity Act will be addressed not only to the lender with the problem, but also to the financial institution that is funding the lender.
One of the areas that will continue to receive scrutiny is appraisals. Changes in Reg. Z for appraisals on high cost mortgages are a direct result of the financial crisis that we experienced and the role that fraudulent appraisals played. While inflated values of properties were a major concern, the other side of bad appraisal practices is a Fair Lending concern. When an appraiser constantly evaluates home prices at levels that are at the low end of the market, the expectation is that Banks will conduct research to ensure that these values are reasonable. There should be clearly documented reasons for the property value conclusion. Moreover, when reviewing the appraisal report, the financial institution is expected to watch out for terms that have been banned for some time (e.g. “pride of ownership”).
Financial institutions will be held accountable for the work performed for them by third party vendors. This is an area that should be considered as part of the overall risk assessment of Fair Lending.
Complaints, Social Media and Fair Lending
Another area that examiners will emphasize is the bank’s overall administration of the complaints process. Most financial institutions already have a complaints log and a policy in place that requires staff to respond to a complaint in a reasonable time. However, the expectation is also for institutions to compile and categorize complaints and to report the results of this effort to the Board. Do the complaints represent a pattern? Are your customers trying to tell you something about the level of fees being charged? Maybe there is a branch where discouragement is happening inadvertently. The point is that the complaints received should be analyzed for patterns and concerns. In addition, there should be evidence that the patterns noticed are being discussed with the Board.
As many institutions use social media these days, a completely new possible area of receiving complaints has opened up. The expectation is that someone at the bank will review social media for the possibility of serious complaints that must be answered and included in the aforementioned analysis.
Advertising and Image in the Community
For an institution that has been in existence for many years, there is a rich history. Many institutions want to use their history as a part of marketing. There is nothing wrong with doing that, as long as the institution is sensitive to the possibility that during its lifetime, the makeup of its assessment area may have changed significantly. Pictures and references to turn of the century events in which a bank was involved may have entirely different connotations depending on the person or persons viewing the material. For example, suppose an institution had an advertising campaign that made direct references to the fact that they had been in the community for over 100 years. The marketing material produced showed various scenes from the community over the years. Unfortunately, since the ad campaign focused on history, it did not include pictures from the present day. The community had significantly changed in racial and socioeconomic makeup over the years. The advertising campaign was roundly criticized by the community and the regulators, and the bank narrowly avoided enforcement action. It is clear that the intent of the program was not to insult anyone, but nevertheless great insult was taken!
Fair Lending is an Area that Requires a Separate Risk Assessment
Fair Lending has always been an examination area that is subjective. Over the past few years, this area has become increasingly complex. The regulators have made it clear that this will be an area of emphasis that has the potential for enforcement action. It is, therefore, critical for banks to perform a risk assessment in this area.
In Part Two of this Blog we will discuss a formula for developing a risk assessment for community institutions.
Don’t forget that Training is a Pillar of a Strong Compliance Program
Since regulators first embraced the risk-based approach to supervision of banks, training of staff has been recognized as one of the pillars of a strong compliance program. In its 2002 article entitled “A Banker’s Guide to Establishing and Maintaining an Effective Compliance Management Program”, the Kansas City Federal Reserve Bank discussed the importance of training to a compliance program:
“The importance of having a staff that is knowledgeable of regulatory requirements cannot be overstated. Regardless of an institution’s philosophy and policies, ultimately it is line staff who process transactions and interact with customers. If employees are not adequately trained in compliance matters, errors are certain to occur” 
Mark W Olson, Member of the Board of Governors of the US Federal Reserve System, also emphasized this point in his remarks at the American Bankers Association’s Regulatory Compliance Conference. He stated in part that:
“Training on policies, procedures, and associated controls is a component of compliance-risk management that should not be overlooked. Examiners will determine whether the banking organization’s training program ensures that compliance policies, procedures, and controls are well understood and appropriately communicated throughout the organization.”
These are just two of several statements by regulators that make it clear that training of staff is not only important, but that it is an essential component of compliance. There must be a mechanism in place to make sure that everyone associated with your institution is kept abreast of changes to regulations that directly impact its operations. In addition, when management and staff have a clear understanding of the requirements of regulations, they are more effective and efficient. While good training will not make up for unsafe and unsound practices, a well-trained staff can cover a multitude of “sins”.
The Case for “Live” Training
Most financial institutions these days use some form of internet training to fulfill their compliance training needs. Online courses are for the most part accepted as the most cost effective way to conduct training for staff. We would like to suggest that cost efficiency may not ultimately be the most important consideration. Most compliance programs at small institutions consist of online training programs that allow participants the ability to take tests multiple times until the desired score is achieved. Unfortunately, a common strategy for the participants is to eschew reading the material, go straight to the test, take it, write down the answers to the questions that they got wrong and then retake the test with answer guide in hand. While this process will help to ensure that everyone has received a passing grade on the training, it does little to increase staff knowledge of regulations. This is not meant to be an indictment of online training programs at all.
Instead, it is a suggestion that a complete compliance training program must have a great deal more. Consider the nature of compliance regulations. Whether we like to admit it or not, compliance regulations have a history of being earned! For example, Regulation B (The Equal Credit Opportunity Act) was passed to address the fact that women and minorities were being denied equal access to credit. And the Truth in Lending Act is the result of former banking practices that misled borrowers about the real costs of the loans they were getting. Consumer regulations have been designed to address areas that have been proven to cause consumer financial harm.
Because consumer regulations are designed to either prevent certain behaviors, collect information on the results of bank practices or to provide complete information through disclosures, a great deal is left open for interpretation. There are even times when regulations direct that staff must interpret information to the best of their ability (Government Monitoring Information in HMDA). Often when a regulation is misunderstood, violations result.
We have found that when management and staff alike are given the opportunity to hear a bit of the history of the regulation it makes a big difference in the overall level of compliance. Knowing WHY a regulation was enacted goes a long way toward understanding what it is that the regulation is trying to accomplish. Taking this idea one step further, giving staff information on what it is that the current regulation is trying to accomplish goes a long way toward obtaining positive participation in the compliance effort.
By helping to ensure that staff members understand the specifics of compliance regulations, you can greatly enhance the effectiveness of the program. Staff who understand what it is that the regulation is trying to accomplish can feel empowered. Whether or not staff members agree with the regulation, understanding it is key. With the basic understanding of the regulation as a tool, the number of misinterpretations and resulting errors is greatly reduced.
Courses on consumer regulations should at least annually include information about the history and the legislative intent of the regulation. Optimally, staff will be given the opportunity to work through case studies during the training session as these are very helpful in increasing understanding of the regulation.
Training Can be a Cost Saver
In the area of compliance, the most frequent violations of regulations are a direct result of either misunderstanding the requirements of regulations or ignorance of changes to regulations. Training courses that cover the requirements of consumer regulations are extremely effective in reducing these kinds of violations. While compliance violations rarely result in the closure of a bank, the fines, penalties and reimbursements that result can have a drastic impact on profitability.
Do not Give Training the Axe
Although the examination handbooks don’t specifically say it, the fact that training is listed as one of the “pillars” of the compliance program suggests that it is at least as important as the other pillars. And yet, for reasons that are lost in tradition, this area often is not treated as an important part of compliance.
Even in the toughest of economic times, training of staff and management is a necessity. Through training courses that are specifically designed to meet the needs of individual organizations, financial institutions can be prepared to meet the challenges of a changing regulatory environment. As one of the most important pillars of a strong compliance program, training should never be considered a luxury!
A Banker’s Guide to Establishing and Maintaining an Effective Compliance Management Program (the Guide). Federal Reserve Bank of Kansas City, 2002.
Remarks by Mark W Olson, Member of the Board of Governors of the US Federal Reserve System, at the American Bankers Association’s Regulatory Compliance Conference, Orlando, 12 June 2006.
Getting to the Root of the Problem- An important Step to Strong Compliance
The compliance examiners are coming! It is time to get everything together to prepare for the onslaught, right? Time to review every consumer loan that has been made and every account that has been opened in the last 12 months, right? Not necessarily! The compliance examination is really an evaluation of your compliance management program (“CMP”). By approaching your examinations and audits as an evaluation of the effectiveness of your overall CMP, the response to the news of an upcoming review becomes (almost) welcome.
The Elements of the CMP
There is really no “one size fits all” way to set up a strong compliance program. There are, however, basic components that all compliance management systems need. These components are often called the pillars of the CMP. The pillars are:
Policies and procedures
Management Information systems
The relative importance of each of these pillars depends on the risk levels at individual financial institutions. The compliance examination is a test of how well the institution has identified these risks and deployed resources. For example, when one has highly experienced and trained staff coupled with low turnover, the need for fully detailed procedures may be minimal. On the other hand, at an institution where new products are being offered regularly, the need for training can be critical. The central question is whether or not risks have been properly identified at your institution. Once risks have been identified, have effective steps been taken to mitigate them?
Making the CMP fit Your Bank
Making sure that your CMP is right-sized starts with an evaluation of what the institution is doing and the inherent risk in that activity. For example, consumer lending comes with a level of risk. Missed deadlines, improper disclosures or misinterpretations of the requirements of the regulations are risks that are inherent in a consumer portfolio. In addition to the risks inherent in the portfolio are the risks associated with the manner in which the institution conducts its consumer business. Are risk assessments conducted when a product is going to be added or terminated? Both decisions can create risks. For example, the decision to cease HELOCs may create a fair lending issue, while the decision to start making HELOCs has to be made in light of the knowledge and abilities of the staff that will be making the loans and the staff that will be reviewing for compliance.
We suggest that compliance has to be a part of the overall business and strategic plan of any financial institution. The best way to make sure that the CMP is appropriate is to include compliance in all of the business decisions. The CMP has to be flexible enough to absorb changes while remaining effective and strong.
The Test of the CMP
Probably the most efficient way to determine the strengths and weaknesses of the CMP is by reviewing the findings of internal audits and examinations, as well as quality control checks. When reviewing these findings, what is most important is getting to the root of the problem. Both the findings and the recommendations that can be found in examination and audit reports can be used to help “tell the story” of the effectiveness of the CMP. As the institution receives its readout of findings and recommendations, it is very important to ask the examiner or auditor “In your opinion, what was the cause of this finding?” Generally, we believe that you will find that the answer you receive will be candid and extremely helpful in addressing the problem. Let’s face it, sometimes findings occur when people have bad days. On those bad days, even the secondary review may not quite catch the problem. These are generally not the types of findings that should keep you up at night.
The findings that should cause concerns are the ones that result from lack of knowledge or lack of information about the requirements of a regulation. These findings are systemic and tend to raise the antenna of auditors and examiners. Unfortunately, too often the tendency for institutions is to respond to this kind of finding by agreeing with it and promising to take immediate steps to address it. Without knowing the root cause of the problem, the fix becomes the banking version of sticking one’s finger in the dyke to avoid a flood.
We suggest a five-step process to truly address findings and strengthen the CMP:
Make sure that the compliance staff truly understands the nature of the finding. This may sound obvious, but far too many times there is a great deal lost in translation between the readout and the final report. Many of our clients have stated that they felt like what was discussed at the exit doesn’t match the final report they receive. We recommend fighting the urge to dismiss the auditor/examiner as a crank! Call the agency making the report and get clarification to make sure that the concern being expressed is understood by staff.
Develop an understanding of the root cause of the finding. Does this finding represent a problem with our training? Perhaps we have not deployed our personnel in the most effective manner. It is critical that management and the compliance team develop an understanding of why this finding occurred to most effectively address it.
Assign a person responsible along with an action plan and benchmark due dates. Developing the plan of action and setting dates creates accountability for ensuring that the matter is addressed.
Assign an individual to monitor progress in addressing findings. We also recommend that this person should report directly to the Audit Committee of the Board of Directors. This builds further accountability into the system.
Validate the response. Before an item can be removed from the tracking list, there should be an independent validation of the response. For example, if training was the issue, the response should not be simply that all staff have now taken the training. The process should include a review of the training materials to ensure that they are sufficient, and feedback from staff members taking the training. In addition, a quality control check should be performed.
Not only does determining the root cause of a problem make the response more effective, but in doing so, the CMP will be strengthened. For example, it may be easy to see that an institution has a problem with providing right of rescission disclosures. It may be harder to see that the problem is not the people at all, but that the training they received is confusing and ineffective. Only by diving into the root cause of the problem can the CMP be fully effective.