VCM BLOG

Aligning Your Compliance Department with Risk, January 26, 2017


 

There are many reasons financial institutions suffer through periods of poor compliance performance. The causes for these problems are myriad, but one of the key contributors to compliance woes is often overlooked: when resources in the compliance department are misaligned or inadequate, trouble is bound to follow. Inadequate resources result not just from a small compliance staff, but also from instances of “over-compliance”. Misalignment occurs when your institution’s risk assessment fails to identify the highest risks or is not used as part of the compliance planning process.

Inadequate Resources

Too few resources can result from many different sources including:

  • Training – Online training is a good first start for helping staff understand the basics of compliance. These courses are cost effective and provide good basic information about various topics in compliance. However, training that includes some in-person components tends to be more effective. In-person classes allow staff to review case studies, ask in-depth questions and gain a more complete understanding of the rationale for regulations. In addition, these types of classes significantly increase the retention for participants.
  • Software used for monitoring – Determine whether your software provider effectively helps you monitor compliance activities. Many compliance officers “take what they get” from their software providers and make do with the reports that get generated. Having a discussion with your vendor can result in significant changes. Software providers have significant resources, including the ability to tailor the reports you receive to meet specific needs. If the reports that are generated create more work than the questions they resolve, now is a good time to have a discussion with your software provider.
  • Compliance officer overburdened – Compliance has become a full-time occupation. In addition to constant reporting requirements, there are nuances to the position that require the full focus and attention of the compliance officer. Despite these requirements, there are many compliance officers who serve in various capacities in addition to their compliance duties. When a compliance officer is overburdened, the compliance program suffers. Attention can only be directed toward the pressing issues of the moment. Potential problems are left for consideration until they have become compliance violations.
  • Too much unnecessary information – In some cases, it is possible to engage in “over-compliance”, meaning developing databases that are simply too large to effectively review and interpret. For example, some institutions make a habit of filing Suspicious Activity Reports on all clients that have even a whiff of questionable activity. Alternatively, some institutions classify a large portion of their customer base as high-risk customers. The sentiment behind this course of action is understandable: a conservative approach to risk. However, the net result of taking such an approach is information overload. Massive amounts of data are presented to compliance staff, rendering them unable to keep up, and the process gets overwhelmed.

 

Misaligned Compliance

Compliance resources are limited in almost all institutions. This is also true in the regulatory agencies that supervise financial institutions. Therefore, the regulatory agencies take the risk-based approach to supervision. The goal of the risk-based approach is not necessarily to catch every flaw in a compliance system. The idea is that the areas of greatest risk should receive the most attention. The same philosophy is at the heart of the compliance rating system announced by the FFIEC. The effectiveness of the compliance program will be reviewed and rated. Individual findings of low importance will still be addressed, but put into an overall context of risk. The point is that the areas with the highest risk should get the most attention.

At your institution, one of the ways to make your compliance program most effective is to concentrate on the highest levels of risk. You can do this by “letting go” in some cases and focusing on others. One of the areas that is illustrative is an institution with many Suspicious Activity Reports. For example, in this case the institution has $1 billion in assets and writes SARs on over 70 clients a month. The SAR process requires that each of these SAR reports has a follow-up at 90 days. The SAR reports describe activity such as structuring and potential tax evasion. The compliance team at this institution has determined that all potential structuring activity will result in a SAR. The institution quickly finds out that the time taken by filing SARs and following up on them leaves little time to research the customer and to determine if there are business reasons for the activity that is viewed as suspicious. The number of SARs continues to grow while the amount of time spent on research of individual customers continues to shrink. Eventually SARs are filed late and compliance concerns are noted by the regulators.

In the above instance, a re-alignment of compliance resources would focus on getting to “know your customer”. After doing research on the customer and talking to them, the activity may turn out not to be suspicious at all. For example, one customer deposits cash in amounts between $8,000 and $9,300 every two days. This pattern may not be structuring at all if the customer is a small store that can prove the deposits are the actual cash receipts for the day. The compliance team could ask the customer to report cash sales weekly, match the results with the deposits and have a level of comfort that structuring was not taking place. Without a proper balance between KYC and SAR reporting, a compliance team can engage in a death spiral that includes excessive SAR filing and inadequate research.

Compliance programs should look for the root cause of a concern and address that root cause rather than attempt to apply “bandages” when findings are noted. Training programs that help staff learn about the financial needs of the client base are also an effective means to align compliance resources. If your institution does not offer credit cards, then course information on these products could be reduced in exchange for information on current products.

Aligning Compliance to Risk

The compliance risk assessment is the best place to start the alignment of compliance risk to resources. Developing a comprehensive and effective compliance risk assessment will allow the institution to identify the greatest areas of risk and to direct resources to those areas.

 

BSA Risk Assessments-What’s the Point, December 28, 2016

 


For those of you who have experienced a BSA examination or audit, you know one of the first things you are asked for is your BSA/OFAC risk assessment. It has also likely been your experience that a risk assessment deemed complete and not in need of some sort of enhancement is something of a “unicorn”. In most cases, examinations and audits include a comment discussing the need to expand the risk assessment and to include more detail. The detail required for a complete risk assessment is elusive at best. Often, the right information for the risk assessment fits the famous Supreme Court definition of pornography: “you know it when you see it”.

The FFIEC BSA manual is not exactly helpful when it comes to developing risk assessments. The manual directs that every financial institution should develop a BSA/AML and an OFAC risk assessment. Unfortunately, the form the risk assessment should take and the minimum information required are left as open questions for the financial institution. Thus, many financial institutions end up with a very basic document which has been developed to meet a regulatory requirement, but without much other meaning or use.

As financial institutions continue to change and the number of financial products and type of institutions offering banking services grows, the risk assessment can be something entirely different. Taking the approach that the risk assessment can be used to formulate both the annual budget request and the strategic plan, can change the whole process.

The FFIEC BSA examination manual specifically mentions risk assessments in the following section:

“The same risk management principles that the bank uses in traditional operational areas should be applied to assessing and managing BSA/AML risk. A well-developed risk assessment assists in identifying the bank’s BSA/AML risk profile. Understanding the risk profile enables the bank to apply appropriate risk management processes to the BSA/AML compliance program to mitigate risk. This risk assessment process enables management to better identify and mitigate gaps in the bank’s controls. The risk assessment should provide a comprehensive analysis of the BSA/AML risks in a concise and organized presentation, and should be shared and communicated with all business lines across the bank, board of directors, management, and appropriate staff; as such, it is a sound practice that the risk assessment be reduced to writing” 1

 

This preamble has several important ideas in it. The expectation is that management of an institution can identify:

  • Who its customers are, including the predominant nature of the customer base: are you a consumer institution or a commercial one at your core? Who are the customers you primarily serve?
  • What is going on in your service area? Is it a high crime area or a high drug trafficking area, both or neither? The expectation is you will know the types of things, both good and bad, going on around you. For example, if you live in an area where real estate is extremely high cost, there might be several “bad guys” buying property for cash as a means of laundering money. The point is you need to know what is going on around you.
  • Where are the outlier customers? Do you know which types of customers require being watched more than others? There are some customers who, by the nature of what they do, require more observation and analysis than others. The question is, have you identified these high-risk customers?
  • How well are you set up to monitor the risks at your institution? Do you have systems in place that are up to the task of discovering “bad things” going on? Does the software you use really help the monitoring process? This analysis should consider whether the staff you have truly understand the business models your customers are using. For example, if your customer base includes Money Service Businesses, do you have staff in place who know how money services businesses work and what to look for? The best software in the world is ineffective if the people reading the output are not familiar with what normal activity at an MSB looks like.
  • Ties to the strategic plan: Does the BSA program have the resources to match changes in products or services planned for the institution? For example, if the institution plans to increase the number of accounts offered to money services businesses, does the BSA department have an increase in staff included in its budget?

 

Effective Risk Management 

The information and conclusions developed in the risk assessment should be used for planning the year for the BSA/AML compliance program. The areas of greatest risk should also be the areas with the greatest dedicated resources. Independent audits and reviews should be directed to areas of greatest risk. For example, if there are many electronic banking customers at the institution and almost no MSBs, then the audit scope should presumably focus on the electronic banking area and give MSBs a limited review. In addition, training should focus on the BSA/AML risks associated with electronic banking, etc.

Rethinking the Risk Assessment process 

Continued development of new products and processes in finance and technology (“fintech”) and BSA/AML has opened the possibility of a vast array of potential new products for financial institutions. Products such as digital wallets and stored value on smartphones have opened new markets for people who have been traditionally unbanked and underbanked. Financial institutions which are forward thinking should consider the possibility that some of these new products have the potential to enhance income.

The ability to safely and effectively offer new products depends heavily on the ability of the compliance department to fully handle the regulatory requirements of the products. When preparing the risk assessment, consider the resources necessary to offer new (and money-making) products.

There are no absolute prohibitions against banking high risk clients  

Per the FFIEC BSA Examination manual higher risk accounts are defined as:

“Certain products and services offered by banks may pose a higher risk of money laundering or terrorist financing depending on the nature of the specific product or service offered. Such products and services may facilitate a higher degree of anonymity, or involve the handling of high volumes of currency or currency equivalents” 2

The Manual goes on to detail several other factors which should be considered when monitoring high risk accounts.  We note the manual does not conclude high risk accounts should be avoided.

The BSA/AML examination manual (“exam manual”) establishes the standard for providing banking services to clients who may have a high risk of potential money laundering.  Financial institutions are expected to:

  1. Conduct a risk assessment on each of these clients;
  2. Consider the risks presented;
  3. Consider the strengthening of internal controls to mitigate risk;
  4. Determine whether the account(s) can be properly monitored and administrated;
  5. Determine if the risk presented fits within the risk tolerance established by the Board of Directors.

Once these steps are followed to open the account, for high risk customers, there is also an expectation there will be ongoing monitoring of the account for potential suspicious activity or account abuse.    The exam manual is also clear; once a procedure is in place to determine and properly mitigate and manage risks, there is no prohibition against having high risk customers.  The risk assessment section of the exam manual notes the following:

“The existence of BSA/AML risk within the aggregate risk profile should not be criticized as long as the bank’s BSA/AML compliance program adequately identifies, measures, monitors, and controls this risk as part of a deliberate risk strategy.” 3

Once an account has been determined to be high risk, and an efficient monitoring plan has been developed, there can be various levels of what high risk can mean. When a customer’s activity is consistent with the parameters which have been established and has not varied for some time, then the account can be high risk technically but not in practice. For example, Money Services Businesses are considered “high-risk” because they fit the definition from the FFIEC manual. However, a financial institution can establish who the customers of the MSB are and what they do. A baseline for remittance activity, check cashing, deposits and wire activity can be established. If the MSB’s activity meets the established baseline, the account remains “high risk” only in the technical meaning of the word. Knowing what the customer’s business line is and understanding what the customer is doing as they continue without much variation reduces the overall risk.

For a more complete discussion of the effective use of the BSA/AML risk assessment, please contact us at www.vcm4you.com.

Planning Your Compliance Year- December 13, 2016

As the year comes to a close, for most people, it is time to celebrate with family and friends and to look forward to the new year with anticipation. For risk and compliance officers at financial institutions, the new year comes with a bit of a different perspective. For many years now, each new year has brought a different set of regulations and the challenge of keeping financial institutions in compliance. This is not necessarily a bad thing. New challenges can present an opportunity for new and more efficient solutions. There are some steps that you can take that can truly help you get on top of compliance.

 

Step One- Information Gathering

There are several sources for regulatory changes. It is important to consider the fact that compliance and risk expectations can be changed by more than the implementation of new regulations. Regulatory agencies respond to world events, the political environment, resource allocations, technology and many other factors. One valuable source of information that is often overlooked is the annual plans or statements that are issued by the prudential regulators. All three issue a plan that addresses the areas that they will emphasize in the upcoming year.[1] For example, the Office of the Comptroller’s annual report points out that strategic planning will be an emphasis of the examination teams in 2017. In addition, there are many organizations and agencies that list the effective dates for regulations. At VCM, we have a form that lists regulations, effective dates and whether the regulation will apply to your organization.[2] Gathering information on the new regulations and regulatory initiatives is a key first step for planning the compliance year.

Step Two – Setting the Parameters

The next step is to complete a risk assessment.  Often, we see risk assessments that are performed specifically for meeting a regulatory requirement.  In many cases, these assessments are completed and put away until it is time to do an annual update.  We believe that the risk assessment provides an excellent opportunity to set the parameters for your own compliance program.  Your risk assessment should include:

  • The areas where there have been regulatory or internal audit findings in the past
  • The types of products the Bank offers and the risks associated with those products
  • New products contemplated
  • The management reports currently being generated by software
  • Changes in regulations that might affect the bank
  • Changes in staff that have occurred or are planned.

The risk assessment should be designed to determine the areas where your institution has the greatest risk for violations or findings.  The assessment should be brutally honest and unflinching in its assessment of the compliance needs for your institution.

The most important part of this step is to remember to USE the document that you have prepared!  The risk assessment should be the basic document that helps you make the case to senior management for additional staff and/or resources.   The risk assessment should also be used to help set the scope of the internal audits that are performed.  It is very rare that there will be time to cover every potential issue in a year so the risk assessment should help prioritize resources.    The risk assessment should also be used to set the training calendar.

Step Three- Checking Twice  

In addition to going through the regulations, it is necessary to make sure your policies and procedures match the requirements. For example, have you developed a solid method for making sure that you comply with the “valuations rules” of Regulations B and Z? Do you know what these are and how they affect you?

It is also a very good idea to sign up for all the “Free stuff” that the regulators publish about compliance.   These can be used as useful supplemental training tools.  There is a great deal of very helpful information made available by the Federal Reserve and the CFPB. [3]

Step Four-Call for Help!

One of the benefits of completing a comprehensive compliance risk assessment is that the results can help you determine the level of support that is needed.   Far too often compliance departments get additional resources only after the staff has been overwhelmed or has experienced a poor result from an audit or examination.  However, as the saying goes, an ounce of prevention is worth a pound of cure.  Identifying the areas that are the highest risk and asking for help in those areas before they become a problem is a best practice that will enhance your compliance program and the quality of your life!

One of the best areas to get support for compliance is through the staff at your bank.   At the end of the day, compliance is a team effort that requires the input of the whole bank to be most effective.  One of the themes that we have noticed over the years is that people tend to buy in more when they understand the how’s and whys of compliance.  While online training classes are clearly efficient and relatively inexpensive, they sometimes can lack the perspective that gives the staff members the reason why the regulation exists.   For example, we have found that taking the time to explain what it is that BSA laws and rules are trying to accomplish to the staff members who are opening accounts has dramatically improved the collection of data for CIP.  The same is true for Regulation B and a host of other areas.  By helping bank staff understand that there really are good reasons why you are so insistent on complete and accurate disclosures, you can greatly reduce the error rate in these disclosures.   The more help from staff that you get, the more efficient you can be.

 

Step Five- Execute the Plan

Once you have completed the risk assessment, prioritized the risks and asked for help, it is time to execute the plan. Make sure that the scope of the audits that you are getting will meet your needs and give you information on how things are going. Regulators have become increasingly critical of audit scopes that are too general or that do not cover specific areas of compliance weakness at the bank. The internal audit is an important tool that should be used to help find areas that need attention. It is true that the auditor is your friend. The results of audits should be taken seriously and positively, as this is your opportunity to determine levels of compliance without having regulatory problems.

Like all good coaches, as a compliance officer you know the areas where your team is the weakest.  Make sure that your compliance plan is designed to address these areas from the outset.  If training has been a concern for example, then make sure that you have addressed the root of the problem.

Step Six-Remain Flexible

There is a parable that says that if you want to prove that God has a sense of humor- then try making your own plans.  There is no question that the best-laid plans can sometimes go awry.  Therefore, it is important that you build flexibility into your plan.  For example, even though you may have wanted to do flood insurance testing in the first quarter, you might find that the more urgent area of risk is compliance with HMDA.  Even though flood insurance will always be a “hot button” issue, there are times when the greater area of risk can be somewhere else.  The point is that your plan can hit all the highest areas of risk to ensure that your program is successful.

 

Planning your compliance year can not only keep you ahead of trouble; it can help you start making different New Year’s resolutions!

 

[1] See for example, http://www.occ.gov/news-issuances/news-releases/2015/nr-occ-2015-130.html, https://www.fdic.gov/about/strategic/performance/supervision.html

 

[2] This form can be found on our website at www.vcm4you.com

[3] http://www.philadelphiafed.org/results.cfm?sort=rel&start=0&text=compliance`1

There are Lessons for All Financial Institutions in the Wells Fargo Case- Part Three: A Glaring Need – November 2, 2016

There are lessons for All Financial Institutions in the Wells Fargo Case

Part Three- Turning Our Eyes to a Glaring Need

We have talked about how the Wells Fargo case involved violations of the Unfair, Deceptive Acts or Practices Act. We noted that this is true because the practices of the bank forced extra accounts and products on customers who simply didn’t want them. In addition to the unwanted accounts, there were significant fees and charges. In some cases, there were as many as 10 unwanted accounts for customers of Wells Fargo.

While this case continues to wind its way through various administrative hearings, news stories and the inevitable civil lawsuits, there is a strong irony in this case that can easily go unnoticed. There can be no doubt that customers of Wells Fargo were victimized by an abusive campaign. However, while these customers can be considered OVERBANKED, there are simultaneously millions of Americans who are unbanked and underbanked.

A Forgotten Population

Wells and many other financial institutions continue to pursue practices that force additional accounts on people who already have a banking relationship. In the meantime, there are millions of potential customers who have no relationship at all, as the FDIC showed in its 2015 study of unbanked and underbanked populations.

The FDIC has defined Unbanked and underbanked as follows:

“…… many households—referred to in this report as “unbanked”—do not have an account at an insured institution. Additional households have an account, but have also obtained financial services and products from non-bank, alternative financial services (AFS) providers in the prior 12 months. These households are referred to here as “underbanked.”[1]

Per the Corporation for Enterprise Development, there are millions of unbanked and underbanked households across the country. For example, in 2010 the same organization estimated that 20% of the households in New Jersey are underbanked.[2] The number of unbanked and underbanked people that live within the service areas of financial institutions presents both an opportunity and a level of risk. As the FDIC pointed out in its May 2016 study “Bank Efforts to serve underbanked and unbanked Communities”, the whole banking community is better served when the level of trust and participation is increased.[3]

Why Unbanked and Underbanked?

The FDIC asks the same sorts of questions every year, and the answers have been consistent. Here are some of the key observations:

  • The most commonly cited reason was “Do not have enough money to keep in an account.” An estimated 57.4 percent of unbanked households cited this as a reason and 37.8 percent cited it as the main reason.
  • Other commonly cited reasons were “Avoiding a bank gives more privacy,” “Don’t trust banks,” “Bank account fees are too high,” and “Bank account fees are unpredictable.”
  • Perceptions of banks’ interest: The 2015 survey included a new question asked of all households: “How interested are banks in serving households like yours?”
  • The survey results revealed pronounced differences across households.
  • Approximately 16 percent thought that banks were “not at all interested” in serving households like theirs, and the perceptions of the remaining 8 percent were unknown.
  • Unbanked households were substantially less likely than underbanked or fully banked households to perceive that banks were interested in serving households like theirs. More than half (55.8 percent) thought that banks were not at all interested, compared to roughly 17 percent of underbanked households and 12 percent of fully banked households.

While financial institutions are overbanking the customers they have, there are well over 50 million households in America that currently either don’t have a relationship with a bank or have a minimal one.

Why serve these communities?

In many cases, misperceptions on the part of both customers and financial institutions keep them apart. For far too long it has been an axiom that the costs of providing banking services for consumer accounts prevent an acceptable rate of return. However, through the development and use of new technologies, the costs associated with consumer accounts have significantly declined.

Without significant competition for the unbanked and underbanked households, financial needs are met by businesses that are predatory. The number of financial institutions offering high cost loans has proliferated and the number of unbanked and underbanked families has grown.

Advances in technology have made it possible for financial institutions to offer services to communities throughout the country and the world without needing to expand the branch system. Today’s digital wallet customer is tomorrow’s commercial loan.

Compliance as an Asset

For the financial institution that considers offering new products and services using technology, a new approach to compliance must be pursued. Currently, for most financial institutions, compliance is viewed as a necessary evil, an expense that is, at best, the cost of doing business. However, suppose the role and function of the compliance department changed. When the compliance department becomes fully versed in the requirements for offering Fintech products, the institution can become an active participant in the burgeoning market. By putting resources into your institution’s ability to assess and monitor risks, new products, partnerships and growth are possible. Start thinking of compliance as an asset: it can be the gateway to new sources of income.

Towards New Markets

The fact is that there are products that are available and cost effective, and the market for these products is huge; there simply must be a willing spirit. Rather than committing fraud, consider serving the unbanked and underbanked markets.

 

[1] FDIC survey of unbanked and underbanked households

[2] See https://cfed.org/assets/pdfs/Most_Unbanked_Places_in_America.pdf, June 2016

[3] The FDIC recognizes that public confidence in the banking system is strengthened when banks effectively serve the broadest possible set of consumers. Accordingly, the agency is committed to helping increase the participation of unbanked and underbanked consumers in the banking system.
