Getting to the Root of the Problem- An important Step to Strong Compliance
The compliance examiners are coming! It is time to get everything together to prepare for the onslaught right? Time to review every consumer loan that has been made and every account that has been opened in the last 12 months, right? Not necessarily! The compliance examination is really an evaluation of your compliance management program (“CMP”). By approaching your examinations and audits as an evaluation of the effectiveness of your overall CMP, the response to the news of an upcoming review becomes (almost) welcome.
The Elements of the CMP
There is really no “one size fits all” way to set up a strong compliance program. There are, however, basic components that all compliance management systems need. These components are often called the pillars of the CMP. The pillars are:
- Policies and procedures
- Internal Controls
- Management Information systems
The relative importance of each of these pillars depends on the risk kevels at individual financial institutions. The compliance examination is a test of how well the institution has identified these risks and deployed resources. For example, when one has highly experienced and trained staff coupled with low turnover, the need for fully detailed procedures may be minimal. On the other hand, at an institution where new products are being offered regularly, the need for training can be critical. The central question is whether or not risks have been properly identified at your institution. Once risks have been identified have effective steps been taken to mitigate risks.
Making the CMP fit Your Bank
Making sure that your CMP is right-sized starts with an evaluation of what the institution is doing and the inherent risk in that activity. For example, consumer lending comes with a level of risk. Missed deadlines, improper disclosures or misinterpretations of the requirements of the regulations are risks that are inherent in a consumer portfolio. In addition to the risks inherent in the portfolio are the risks associated with the manner in which the institution conducts it consumer business. Are risk assessments conducted when a product is going to be added or terminated? Both decisions can create risks. For example, the decision to cease HELOC’s may create a fair lending issue; while the decision to start making HELOC’s has to be made in light of the knowledge and abilities of the staff that will be making the loans and the staff that will be reviewing for compliance.
We suggest that compliance has to be a part of the overall business and strategic plan of any financial institution. The best way to make sure that the CMP is appropriate is to include compliance in all of the business decisions. The CMP has to be flexible enough to absorb changes while remaining effective and strong.
The Test of the CMP
Probably the most efficient way to determine the strengths and weakness of the CMP is by reviewing the findings of internal audit, and examinations as well as quality control checks. When reviewing these findings what is most important is getting to the root of the problem. Both the findings and the recommendations that can be found in examination and audit reports can be used to help “tell the story” of the effectiveness of the CMP. As the institution receives its readout of findings and recommendations, it is very important to ask the examiner or auditor “In your opinion, what was the cause of this finding?” Generally, we believe that you will find that the answer you receive will be candid and extremely helpful in addressing the problem. Let’s face it, sometimes findings occur when people have bad days. On those bad days, even the secondary review may not quite catch the problem. These are generally not the types of findings that should keep you up at night.
The findings that should cause concerns are the ones that result from lack of knowledge or lack of information about the requirements of a regulation. These findings are systemic and tend to raise the antenna of auditors and examiners. Unfortunately, too often the tendency for institutions is to respond to this kind of finding by agreeing with it and promising to take immediate steps to address it. Without knowing the root cause of the problem, the fix becomes the banking version of sticking one’s finger in the dyke to avoid a flood.
We suggest a five step process to truly address findings and strengthen the CMP;
- Make sure that the compliance staff truly understands the nature of the finding. This may sound obvious, but far too many times there is a great deal loss in translation between the readout and the final report. Many of our clients have stated that they felt like what was discussed at the exit doesn’t match the final report they receive. We recommend fighting the urge to dismiss the auditor/examiner as a crank! Call the agency making the report and get clarification to make sure that concern that is being express is understood by staff.
- Develop an understanding of the root cause of the finding. Does this finding represent a problem with our training? Perhaps we have not deployed our personnel in the most effective manner. It is critical that management and the compliance team develop an understanding or why this finding occurred to most effectively address it.
- Assign a personal responsible along with an action plan and benchmark due dates. Developing the plan of action and setting dates develops an accountability for ensuring that the matter is addressed.
- Assign an individual to monitor progress in addressing findings. We also recommend that this person should report directly to the Audit Committee of the Board of Directors. This builds further accountability into the system.
- Validate the response. Before an item can be removed from the tracking list, there should be an independent validation of the response. For example, if training was the issue; the response should not be simply that all staff have now taken the training. The process should include a review of the training materials to ensure that they are sufficient, feedback from staff members taking the training. In addition, a quality control check should be performed.
Not only does determining the root cause of a problem make the response more effective, but in doing so, the CMP will be strengthened. For example, it may be easy to see that an institution has a problem with disclosing right of recession disclosures. It may be harder to see that the problem is not the people at all, but that the training they received is confusing and ineffective. Only by diving into the root cause of the problem can the CMP be fully effective.