Planning Your Compliance Year
As the year comes to a close, for most people, it is time to celebrate with family and friends and to look forward to the new year with anticipation. For risk and compliance officers at financial institutions, the new year comes with a bit of a different perspective. For many years now, each new year brings a different set of regulations and the challenges of keeping financial institutions in compliance. This is not necessarily a bad thing. New challenges can present an opportunity for new and more efficient solutions. There are some steps that you can take that can truly help you get to the goal of “getting on top of compliance”.
Step One – Information Gathering
There are several sources for regulatory changes. It is important to consider the fact that compliance and risk expectations can be changed by more than the implementation of new regulations. Regulatory agencies respond to world events, the political environment, resource allocations, technology and many other factors. One valuable source of information that is often overlooked is the annual plans or statements that are issued by the prudential regulators. All three issue a plan that addresses the areas that they will emphasize in the upcoming year. In addition, there are many organizations and agencies that list the effective dates for regulations. At VCM, we have a form that lists regulations, effective dates and whether or not the regulation will apply to your organization. Gathering information on the new regulations and regulatory initiatives is a key first step for planning the compliance year.
Step Two – Setting the Parameters
We believe that the next step should always be completing a risk assessment. More often than not, we see risk assessments that are performed specifically for the purpose of meeting a regulatory requirement. In many cases, these assessments are completed and put away without being looked at until it is time to do an annual update. We believe instead that the risk assessment provides an excellent opportunity to set the parameters for your own compliance program. We recommend that the risk assessment include:
- The areas where there have been regulatory or internal audit findings in the past
- The types of products that the Bank offers and the risks associated with those products
- New products that are being contemplated
- The management reports that are currently being generated by software
- Changes in regulations that might affect the bank
- Changes in staff that have occurred or are planned.
The risk assessment should be designed to determine the areas where your institution has the greatest risk for violations or findings. It is critical that the assessment should be brutally honest and unflinching in its assessment of the compliance needs for your institution.
The most important part of this step is to remember to USE the document that you have prepared! The risk assessment should be the basic document that helps you make the case to senior management for additional staff and/or resources. The risk assessment should also be used to help set the scope of the internal audits that are performed. It is very rare that there will be time to cover every potential issue in a year so the risk assessment should help prioritize resources. The risk assessment should also be the document from which the training calendar should be set.
Step Three – Checking Twice
In addition to going through the regulations, it is necessary to make sure that your policies and procedures match the requirements. For example, have you developed a solid method for making sure that you comply with the “valuations rules” of Regulations B and Z? Do you know what these are and how they affect you?
It is also a very good idea to sign up for all of the “Free stuff” that the regulators publish about compliance. These can be used as useful supplemental training tools. There is a great deal of very helpful information made available by the Federal Reserve and the CFPB in particular. 
Step Four – Call for Help!
One of the benefits of completing a comprehensive compliance risk assessment is that the results can help you determine the level of support that is needed. Far too often compliance departments get additional resources after the staff has been overwhelmed or has experienced a poor result from an audit or examination. However, we suggest that the old saying that an ounce of prevention is worth a pound of cure applies. Identifying the areas that are the highest risk and asking for help in those areas before they become a problem is a best practice that will enhance your compliance program and the quality of your life!
Of course, one of the best areas to get support for compliance is through the staff at your bank. At the end of the day compliance is a team effort that requires the input of the whole bank to be most effective. One of the themes that we have noticed over the years is that people tend to buy in more when they understand the hows and whys of compliance. While online training classes are clearly efficient and relatively inexpensive, they sometimes can lack the perspective that gives the staff members the reason why the particular regulation exists. For example, we have found that taking the time to explain what it is that BSA laws and rules are trying to accomplish to the staff members who are opening accounts has dramatically improved the collection of data for CIP. The same is true for Regulation B and a host of other areas. By helping bank staff understand that there really are good reasons why you are so insistent on complete and accurate disclosures, you can greatly reduce the error rate in these disclosures. The more help from staff that you get, the more efficient you can be.
Step Five – Execute the Plan
Once you have completed the risk assessment, prioritized the risks and asked for help, it is time to execute the plan. Make sure that the scope of the audits that you are getting will actually meet your needs and give you information on how things are going. Regulators have become increasingly critical of audit scopes that are too general or that do not cover specific areas of compliance weakness at the bank. The internal audit is an important tool that should be used to help find areas that need attention. It is true that the auditor is your friend. The results of audits should be taken seriously and positively as this is your opportunity to determine levels of compliance without having regulatory problems.
Like all good coaches, as a compliance officer you know the areas where your team is the weakest. Make sure that your compliance plan is designed to address these areas from the outset. If training has been a concern for example, then make sure that you have addressed the root of the problem.
Step Six – Remain Flexible
There is a parable that says that if you want to prove that God has a sense of humor, then try making your own plans. There is no question that the best-laid plans can sometimes go awry. Therefore, it is important that you build flexibility into your plan. For example, even though you may have wanted to do flood insurance testing in the first quarter, you might find that the bigger area of risk is compliance with HMDA. Even though flood insurance will always be a “hot button” issue, there are times when the greater area of risk can be somewhere else. The point is that your plan must have the ability to hit all of the highest areas of risk to ensure that your program is successful.
Planning your compliance year can not only keep you ahead of trouble; it can also help you start making different New Year’s resolutions!
 See for example, http://www.occ.gov/news-issuances/news-releases/2015/nr-occ-2015-130.html, https://www.fdic.gov/about/strategic/performance/supervision.html