Banking Regulations to Watch in 2016

Regulations to Watch in 2016  

The New Year brings with it many different types of celebrations and traditions.  In the world of financial institution compliance, the tradition for the New Year is to await the implementation of new regulations.  For the past several years there have been a large number of new regulations implemented.  Fortunately, the pace of new regulations has slowed dramatically and 2016 will not see a large number; in fact, there are only two significant regulatory changes that take effect in 2016.  Despite this, as you plan for the compliance year, remember that the supervisory emphasis of the regulatory agencies can have the same impact as new regulations.

There are several sources for regulatory changes.  Regulatory agencies respond to world events, the political environment, resource allocations, technology and many other factors.  One valuable source of information that is often overlooked is the annual plan or statement issued by each of the prudential regulators.  All three (the OCC, the FDIC and the Federal Reserve) issue a plan that addresses the areas they will emphasize in the upcoming year.  In addition, many organizations and agencies publish lists of effective dates for regulations.  Gathering information on the new regulations and regulatory initiatives is a key first step in planning the compliance year.

Two (and a Half) Significant Changes

The most significant regulatory changes in 2016 are the flood insurance rules and the changes in Regulation Z that expand the ability of small creditors to make loans, with terms that would otherwise make them non-qualified mortgages, while still enjoying qualified mortgage protection.  There is also the TILA/RESPA Integrated Disclosure Rule, aka “TRID,” which went into effect in the final quarter of 2015.

Flood Insurance 

The flood insurance rules are likely to impact your institution in two significant areas.  First, for loans with a residence as collateral, there is now an exception for detached structures that are not themselves used as a residence.  No longer will you have to require flood insurance on that random tool shed on the property you have taken as collateral.  There are several considerations that go with this change.

The second change affects the way force-placed flood insurance may be charged to the customer.  In some cases, the customer may be charged back to the day that the flood insurance policy lapsed.  Again, there are several considerations to make when applying this rule at your institution.

The flood rules also impose an escrow requirement on institutions with over $1 billion in assets.  We discussed these changes in detail in a three-part blog on our website; for more information, please review those posts.

Regulation Z 

Another significant change is the expansion of the ability of small creditors to enjoy qualified mortgage protections for mortgage loans.  The CFPB described the change this way:

There are a variety of provisions in the rules that affect small creditors, as well as small creditors that operate predominantly in rural or underserved areas. For instance, a provision in the Ability-to-Repay rule extends Qualified Mortgage status to loans that small creditors hold in their own portfolios, even if consumers’ debt-to-income ratio exceeds 43 percent. Small creditors that operate predominantly in rural or underserved areas can originate Qualified Mortgages with balloon payments even though balloon payments are otherwise not allowed with Qualified Mortgages. Similarly, under the Bureau’s Home Ownership and Equity Protection Act rule, such small creditors can originate high-cost mortgages with balloon payments. Also, under the Bureau’s Escrows rule, eligible small creditors that operate predominantly in rural or underserved areas are not required to establish escrow accounts for higher-priced mortgages. [1]

This expansion creates a great deal of opportunity for smaller financial institutions to consider mortgage lending.  We will discuss this opportunity in detail in blogs to come in the near future.


The regulatory change that received the most publicity last year was the TILA/RESPA Integrated Disclosure Rule, widely known as TRID.  This rule was implemented in the last quarter of 2015.  Since then, several regulatory agencies have released examination procedures indicating how they will treat financial institutions the first time new loans are reviewed for compliance with these rules.  According to many publications, technical or individual violations will be de-emphasized; the main area of emphasis will be the system for compliance that the institution has developed.

Regulatory Emphasis

In addition to changes in regulations, it is important to glean as much information as is available from the regulatory agencies about the areas of focus for examinations.  A change in the area of focus can have the same impact as a change in regulation.  For example, in the area of flood insurance, when the focus changed from the appropriate amount of insurance to a review of flood notices, a number of institutions that previously had satisfactory reviews found themselves with findings and, in extreme cases, civil money penalties.  It is the change in focus of the regulators that often has many an institution asking “why were we okay at the last examination, but not now?”  Fortunately, many of the regulatory agencies publish strategic plans which indicate the areas that will be emphasized for the year.  Here is a brief review:


The CFPB’s Deputy Assistant Director for origination, Calvin Hagins, recently warned mortgage lenders of the four main examination priorities for 2016—loan originator compensation plans, the ability-to-repay rule, the TILA-RESPA Integrated Disclosures (TRID) rule, and marketing service agreements.

Speaking at the California MBA Legal Issues Conference, he indicated that CFPB examiners will spend a substantial amount of time evaluating loan compensation schemes at every exam at every entity. [2]


The Office of the Comptroller of the Currency, in its 2016 strategic operating plan, released the following priorities:

  • Evaluating the adequacy of compliance risk management and assessing banks’ effectiveness in identifying and responding to risks posed by new products, services, or terms.
  • Assessing compliance with the following:

o   The new requirements for integrated mortgage disclosure under the Truth in Lending Act of 1968 and the Real Estate Settlement Procedures Act of 1974.

o   Relevant consumer laws, regulations, and guidance for banks under $10 billion in assets.

o   The Flood Disaster Protection Act of 1973.

o   The Servicemembers Civil Relief Act of 2003.

In addition, the OCC pointed out that fair access to credit will also be a priority:

  • Assessing banks’ efforts to meet the needs of creditworthy borrowers and to monitor banks’ compliance with the Community Reinvestment Act and fair lending laws.
  • Examiners at banks with more than $500 million in assets will continue to use the Fair Lending Risk Assessment Tool in their fair lending assessments. [3]


The FDIC’s 2015 strategic plan is still in effect and covers several years.  While this plan is not as specific about areas of emphasis as some of the other agencies’ plans, it does mention that emphasis will be placed on consumer protection, the CRA and Fair Lending laws. [4]  We interpret this language to mean that UDAAP, Fair Lending and the Community Reinvestment Act are all areas that should receive attention at your institution before the examiners arrive.

Federal Reserve

The Federal Reserve System, in its annual compliance hot topics presentation, indicated that areas of focus will include Regulation C (HMDA), the Regulation B spousal signature rules and UDAAP. [5]


In the area of BSA/AML, FinCEN is taking comments on proposed customer due diligence rules.  The original proposal was controversial in that it essentially required financial institutions to identify and verify the beneficial owners of their legal entity customers and, in some cases, to perform due diligence on the customers of their own clients.  While it is evident that the proposal will be scaled back somewhat, it is also logical to assume that customer due diligence will be an area of focus for FinCEN in both the short term and the long term.

As you develop your audit plan and compliance risk assessment for the year, both new regulations and regulatory emphasis should receive strong consideration.  As a best practice, it is recommended that you contact your regulator and ask for information on areas of emphasis for 2016 and plan accordingly.

[1] CFPB, “CFPB Finalizes Rule to Facilitate Access to Credit in Rural and Underserved Areas,” September 21, 2015

[2] Calvin Hagins, Deputy Assistant Director for Originations, CFPB, remarks to the California MBA Legal Issues Conference

[3] OCC Committee on Bank Supervision, Fiscal Year 2016 Operating Plan

[4] FDIC 2015 Strategic Plan

[5] 2015 Strategic plan

Pitfalls to Avoid When Developing a Fair Lending Assessment-Part Two

Pitfalls to Avoid When Developing a Risk Assessment for Fair Lending- Part Two

In part one of this series, we made the argument that an individual risk assessment should be performed for the area of Fair Lending.   When performing the risk assessment there are several pitfalls that must be avoided.

Policies and Procedures

The review of an institution’s policies and, particularly, its procedures is a basic and critical part of any risk assessment in the area of Fair Lending.

Potential Pitfall:  Policies and procedures can be fully in compliance with regulatory requirements and still have the potential for Fair Lending issues.  Review of the policies and procedures must consider both compliance with the requirements of regulations and the impact on customers!

First, these documents should be reviewed to determine that all of the required information is up to date and correct.  In this review, it is important that regulatory requirements such as “grossing up” income[1] in credit decisions, spousal signature rules and Fair Lending principles are included.  This review should also include a review of procedures to ensure that they match policies.

The second phase of the review should be completed to ensure that policies and procedures do not present the possibility of disparate impact.  In this review, the goal is to review the policies and procedures to determine the level of discretion allowed and how this discretion can be checked against Fair Lending risk.  For example, do the procedures require documentation of delays in processing loans?  Do policies and procedures emphasize the need for secondary review?

Credit Policies

Credit policies are an area of particular concern in the Fair Lending assessment.  The review of credit policies should also be completed in two phases.

Potential Pitfall: Credit policies should reflect the idea that the bank has made a reasoned decision about how it is meeting the credit needs of its community.  Policies that are fully compliant can become outdated quickly.  Review of credit policies should consider the changes in the assessment area and should reflect the business decisions of the Board.

Credit formulas and guidelines should be reviewed and independently validated to ensure that the data and assumptions behind them are sound.  Though these validations need not be performed annually, it is a best practice to test the guidelines against adverse action trends at the bank.  Guidelines that yield an extremely high number of loan declines may need study and possibly adjustment.

In the second phase of the review, a comparison between the credit policies, the strategic plan of the bank and current economic data should be completed.  The purpose of this review is to determine that the bank’s credit policies and procedures match the credit needs of the community.   It is imperative that the Bank be able to document the business reasons for the list of products being offered.  For example, a decision by a Bank not to offer home equity loans when there is strong need for such loans in an assessment area, may be called into question during a Fair Lending examination.  A best practice is to have the economic data to demonstrate that these loans are not economically feasible at the bank, or that some other legitimate business reason exists for not making such loans.

Credit Decision Process

The credit decision process, from the time of application to the ultimate credit decision or withdrawal by the applicant, should be assessed with an eye toward eliminating the ability of a single bank employee to thwart the will of the Board by engaging in illegal behavior.

Potential Pitfall:  When reviewing adverse actions and withdrawals for timely notices, it is possible to overlook the warning signs of Fair Lending issues.

The review of adverse actions generally includes a check to make sure that notices are given within the timeframes required by Regulation B.  In addition, a good review includes a check to determine that the information given is sufficient for the applicant to understand the issues that caused the adverse decision.  However, a best practice is also to review for Fair Lending “warning signs.”  For example, an extremely low rate of adverse actions is a strong indicator of pre-screening.  A high rate of withdrawals among protected groups is a strong indicator of discouragement.

It is a best practice to review the credit decision process to determine the ability of an individual to make credit decisions without oversight.  The more autonomy loan officers have, the more the system for secondary review should be empowered.

Lending Decisions

The traditional Fair Lending analysis focuses on a review of the approvals versus declines at the Bank.  A common practice is to review “matched pairs” which compares the low rated credit approvals with highly rated declines (loans that were barely declined).

Potential Pitfall:  If this is the heart of the analysis, then the bank is not getting the full story!  The analysis must look at the applicant’s total experience to ensure that all are getting the same considerations.

The analysis should consider:

  • Application-to-decision time trends for members of protected classes
  • Comparative analysis- close decisions to approve versus decline
  • Pricing Analysis
  • Special considerations

o   Insufficient collateral frequently being given as a reason for decline

o   Large number of declines in a certain product area

  • High number of approvals versus a small number of declines

If all of the above is not part of the analysis that is being performed, then your bank may have potential Fair Lending issues that are going undetected.
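As an added example (not part of the original post), the following Python script screens a small set of constructed application records for the warning signs listed above: decline and withdrawal rate disparities between a protected and a control group, median application-to-decision time by group, and a simplified matched-pair comparison that pairs each protected-group decline with the control-group approvals of equal or lower credit score.  The record layout, the group labels, the scores and decision times, and the thresholds in warning_signs are all assumptions for illustration; a real comparative file review weighs every underwriting factor, not credit score alone, and the regression and statistical testing used by examiners are out of scope here.

```python
"""Fair Lending screening indicators over a constructed set of application records.

Each record is (group, outcome, credit_score, days_to_decision). "protected" is
the prohibited-basis group being tested and "control" the comparison group.
All values below are invented for illustration (assumption, not real data).
"""
from collections import defaultdict
from statistics import median

APPLICATIONS = [
    ("control",   "approved",  700, 12),
    ("control",   "approved",  645, 14),
    ("control",   "approved",  630, 15),
    ("control",   "declined",  610, 20),
    ("control",   "withdrawn", 655, 30),
    ("control",   "approved",  690, 10),
    ("protected", "approved",  720, 25),
    ("protected", "declined",  650, 41),
    ("protected", "declined",  640, 38),
    ("protected", "withdrawn", 680, 52),
    ("protected", "withdrawn", 660, 47),
    ("protected", "approved",  700, 33),
]


def rate_by_group(apps, outcome):
    """Fraction of each group's applications that ended in `outcome`."""
    counts = defaultdict(lambda: [0, 0])          # group -> [matches, total]
    for group, result, _score, _days in apps:
        counts[group][1] += 1
        if result == outcome:
            counts[group][0] += 1
    return {g: hits / total for g, (hits, total) in counts.items()}


def disparity_ratio(apps, outcome, protected="protected", control="control"):
    """Protected-group rate divided by control-group rate for `outcome`.
    Returns None when the control rate is zero (the ratio is undefined)."""
    rates = rate_by_group(apps, outcome)
    if not rates.get(control):
        return None
    return rates.get(protected, 0.0) / rates[control]


def median_days_by_group(apps):
    """Median days from application to decision (or withdrawal) per group."""
    days = defaultdict(list)
    for group, _result, _score, d in apps:
        days[group].append(d)
    return {g: median(v) for g, v in days.items()}


def matched_pairs(apps, protected="protected", control="control"):
    """Simplified comparative file review: pair every protected-group decline
    with each control-group approval whose credit score was equal or lower,
    i.e. a weaker applicant who nonetheless received credit."""
    declines = [s for g, r, s, _ in apps if g == protected and r == "declined"]
    approvals = [s for g, r, s, _ in apps if g == control and r == "approved"]
    return [(d, a) for d in declines for a in approvals if a <= d]


def warning_signs(apps, ratio_threshold=1.5, time_factor=1.5):
    """Collect indicators a reviewer should investigate. The thresholds are
    assumed starting points for follow-up, not legal tests."""
    signs = []
    for outcome in ("declined", "withdrawn"):
        ratio = disparity_ratio(apps, outcome)
        if ratio is not None and ratio >= ratio_threshold:
            signs.append(f"{outcome} rate disparity ratio {ratio:.2f}")
    days = median_days_by_group(apps)
    if "protected" in days and "control" in days:
        if days["protected"] >= time_factor * days["control"]:
            signs.append(f"median decision time {days['protected']} vs "
                         f"{days['control']} days")
    pairs = matched_pairs(apps)
    if pairs:
        signs.append(f"{len(pairs)} matched pairs where a weaker control "
                     f"applicant was approved")
    return signs


if __name__ == "__main__":
    for sign in warning_signs(APPLICATIONS):
        print("WARNING:", sign)
```

Run it with python3; every indicator over its threshold prints a WARNING line.  A ratio of 2.0 means the protected group’s decline (or withdrawal) rate is twice the control group’s.  The thresholds are prompts for a file-level review, not a determination of disparate impact, and the matched-pair list is where that review starts.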

Vendor Management

Financial institutions are charged with knowing and managing the results obtained from their vendors.  The regulatory agencies have made it clear that in every area from indirect auto lending to appraisals that they expect that financial institutions will monitor the results that they are getting from vendors.

Potential Pitfall:  If the review of the vendor ends with a background check, your institution may not be getting the full story.  Best practice requires that the Bank pay attention to the results of the vendor’s efforts.  There has to be a general check that results are reasonable and consistent.

The assessment must consider whether the results being produced are consistent and reliable.  For example, are appraisals being reviewed and compared to complaints?   Is it possible that certain appraisers consistently yield lower property values in certain income tracts?  Are flood insurance determinations being updated to match changes in the flood map?  The bank will be held accountable for the misbehavior of its vendors!
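One way to implement the appraiser check in the paragraph above, as an added example that is not the original author’s code: the script groups constructed appraisal records by appraiser and tract type, computes each appraiser’s mean ratio of appraised value to contract price, and flags any appraiser whose ratio in low-to-moderate income (LMI) tracts trails both his own non-LMI ratio and the other appraisers’ LMI ratio by more than a chosen gap.  The appraiser IDs, the tract classification, the values and the 5-point gap are assumptions for illustration.

```python
"""Appraiser consistency check across income tracts, over constructed data."""
from collections import defaultdict
from statistics import mean

# Constructed records: (appraiser_id, tract_type, appraised_value, contract_price).
# tract_type is "LMI" (low-to-moderate income tract) or "other". All values are
# invented for illustration (assumption, not real appraisal data).
APPRAISALS = [
    ("A1", "LMI",   190_000, 200_000),
    ("A1", "LMI",   185_000, 200_000),
    ("A1", "other", 305_000, 300_000),
    ("A1", "other", 298_000, 300_000),
    ("A2", "LMI",   150_000, 200_000),   # A2 comes in well under contract in LMI tracts
    ("A2", "LMI",   160_000, 200_000),
    ("A2", "other", 300_000, 300_000),
    ("A2", "other", 310_000, 300_000),
    ("A3", "LMI",   198_000, 200_000),
    ("A3", "other", 295_000, 300_000),
]


def value_ratios(records):
    """Mean appraised-value / contract-price ratio per (appraiser, tract_type)."""
    buckets = defaultdict(list)
    for appraiser, tract, value, price in records:
        buckets[(appraiser, tract)].append(value / price)
    return {key: mean(ratios) for key, ratios in buckets.items()}


def flag_appraisers(records, gap=0.05):
    """Return {appraiser: LMI ratio} for appraisers whose LMI-tract ratio trails
    both their own non-LMI ratio and the other appraisers' LMI ratio by more
    than `gap` (an assumed tolerance). Appraisers with no non-LMI work, or no
    peers to compare against, cannot be assessed this way and are skipped."""
    ratios = value_ratios(records)
    lmi = {a: r for (a, t), r in ratios.items() if t == "LMI"}
    flagged = {}
    for appraiser, own_lmi in lmi.items():
        peers = [r for a, r in lmi.items() if a != appraiser]
        own_other = ratios.get((appraiser, "other"))
        if own_other is None or not peers:
            continue
        if own_other - own_lmi > gap and mean(peers) - own_lmi > gap:
            flagged[appraiser] = round(own_lmi, 3)
    return flagged


if __name__ == "__main__":
    for appraiser, ratio in flag_appraisers(APPRAISALS).items():
        print(f"review appraiser {appraiser}: LMI value/contract ratio {ratio:.3f}")
```

A flag is a reason to pull the appraiser’s LMI files and compare the comparables used, not a conclusion; an appraiser can legitimately come in low in a tract where contract prices are running ahead of the market.  The same bucketing approach works for flood determinations, where the comparison would be each vendor’s determinations against the current flood map rather than value against price.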

UDAAP Review

The risk assessment should include a review of the potential for UDAAP.  This is an area that is growing in scope and influence.

Potential Pitfall:  UDAAP is far reaching and can be easily overlooked.

The assessment should consider whether there is consistency in advertising and actual disclosures.  The risk assessment must look at the Bank’s products/operations from the point of view of the consumer.

Customer complaints are an area of focus for regulators.  Make sure that complaints are getting categorized and reported to the Board.  If no complaints have been received, there should be at least a policy and procedures in place to handle these once they do appear.


Many community banks use testimonials as part of their marketing.  The relationship with the community is after all, one of the strengths of being a community bank.

Potential Pitfall:   A risk assessment that exclusively covers direct compliance with Reg. Z and Reg. DD may overlook Fair Lending concerns in advertising.

Risk assessment should cover the reasons for the advertising and the markets that you are attempting to reach.  Has the bank considered expanding advertising to nontraditional communities?   Are there communities within the Bank’s assessment area that are left out of the advertising and marketing?

Strategic Plan

Examiners expect that the Bank has direct knowledge of the credit needs of its assessment area.  This should be considered as part of the risk assessment.

Potential Pitfall:  Without considering the overall strategy of the Bank, it is difficult to get the full picture of how the bank is addressing Fair Lending within its community.

The strategic plan is most often not considered as part of the Fair Lending assessment.  However, in many cases examiners will consider an institution’s strategy in offering products to its community as a measure of Fair Lending effectiveness.

A Fair Lending risk assessment is a critical component of effective compliance management.

[1] See Reg. B, 12 CFR 202.6(b)(5)

Developing a Fair Lending Risk Assessment

Developing a Risk Assessment for Fair Lending – Part One

Happy New Year!   As the new year begins, our focus continues to be on issues that are directly related to compliance.  One area that is often overlooked when assessing overall compliance performance is fair lending.  Very few financial institutions actually prepare a risk assessment for the Fair Lending area.  Generally, if there is a risk assessment, fair lending is included in the overall lending compliance risk assessment.  However, fair lending covers a wide range of compliance laws and disciplines.  A strong fair lending compliance program will include reviews of internal controls in several key risk and compliance areas.  Fair lending is a separate, essential compliance discipline.

Why Fair Lending as a Separate Risk Assessment?

When we speak of this topic, we must first qualify that there is no one Fair Lending law.  There are a series of laws that come together to create the umbrella that we call Fair Lending.  These include:

  • Reg. B – Equal Credit Opportunity Act
  • Reg. C – Home Mortgage Disclosure Act
  • Reg. Z – Truth in Lending
  • Reg. BB – Community Reinvestment Act
  • Reg. Z -Advertising
  • UDAAP – Unfair, Deceptive, or Abusive Acts or Practices
  • Reg. DD – Advertising
  • State Laws

Logically, one could assume that since each of these areas is covered in the risk assessments of lending and/or operational compliance, there is no need to do a separate Fair Lending assessment.   However, the fair lending assessment involves different considerations: compliance with the spirit of these regulations.

Fair Lending is not like any Other Area of Compliance

The Fair Lending review looks at the impact of practices at a bank to determine whether a violation has occurred.  Fair Lending is in fact, one of the areas of compliance where you may have met all of the requirements of a regulation and still have a violation!  Consider a credit scoring system that requires a minimum disposable income of $1,200 per month.  Suppose further that this minimum is applied equally and fairly to all applicants.  In the case where the minimum disposable income in one neighborhood of a bank’s assessment area is $900, that whole section would be excluded.  Suppose further that the section of the assessment area that is excluded includes the low-to moderate income tracts.  A serious Fair Lending concern has been born.   This is true even though there is nothing illegal or generally wrong about the $1,200 minimum.

Moreover, when considering whether Fair Lending or UDAAP concerns exist at a Bank, examiners will consider everything from the relationship that the Bank has with its community to the development of specific products and their overall impact on protected classes.   A “low cost” checking account that is being marketed to low-to-moderate income populations as an alternative to check cashing outlets can be a noble idea.  However, if there are fees on the account that kick in to try to discourage certain behaviors, then what was once a noble idea can become a UDAAP concern.

Fair Lending Examinations Will Consider a Financial Institutions’ Relationship with its Vendors

It has become increasingly obvious that Examiners will review a Bank’s oversight of its vendors [1].  Regulatory expectations are that the financial institution must be aware of the reputation of its vendors and must make an effort to determine that the service provided is one that complies with all applicable laws and standards.  The CFPB specifically addressed the issue of indirect auto lending and its Fair Lending implications in recent initiatives [2].    The findings of Fair Lending problems and violations of the Equal Credit Opportunity Act will be addressed not only to the lender with the problem, but also to the financial institution, that is funding the lender.

One of the areas that will continue to receive scrutiny is appraisals.  The changes in Reg. Z requiring appraisals for higher-priced mortgage loans are a direct result of the financial crisis and the role that fraudulent appraisals played in it.   While inflated property values were a major concern, the other side of bad appraisal practice is a Fair Lending concern.  When an appraiser consistently values homes at the low end of the market, the expectation is that the Bank will conduct research to ensure that these values are reasonable.   There should be clearly documented reasons for the property value conclusion.   Moreover, when reviewing the appraisal report, the financial institution is expected to watch out for terms that have been banned for some time (e.g., “pride of ownership”).

Financial institutions will be held accountable for the work performed for them by third party vendors.  This is an area that should be considered as part of the overall risk assessment of Fair Lending.

Complaints, Social Media and Fair Lending

Another area that examiners will emphasize is the bank’s overall administration of the complaints process.   Most financial institutions already have a complaints log and a policy in place that requires staff to respond to a complaint in a reasonable time.  However, the expectation is also that institutions compile and categorize complaints and report the results of this effort to the Board.  Do the complaints represent a pattern?  Are your customers trying to tell you something about the level of fees being charged?  Maybe there is a branch where discouragement is happening inadvertently.   The point is that the complaints received should be analyzed for patterns and concerns, and there should be evidence that the patterns noticed are being discussed with the Board.

As many institutions use social media these days, a completely new possible area of receiving complaints has opened up.  The expectation is that someone at the bank will review social media for the possibility of serious complaints that must be answered and included in the aforementioned analysis.

Advertising and Image in the Community

For an institution that has been in existence for many years, there is a rich history.  Many institutions want to use their history as a part of marketing.   There is nothing wrong with doing that, as long as the institution is sensitive to the possibility that during its lifetime the make-up of its assessment area may have changed significantly.  Pictures and references to turn-of-the-century events in which a bank was involved may have entirely different connotations depending on the person or persons viewing the material.  For example, suppose an institution had an advertising campaign that made direct references to the fact that it had been in the community for over 100 years.   The marketing material showed various scenes from the community over the years.  Unfortunately, since the ad campaign focused on history, it did not include pictures from the present day.  The community had changed significantly in racial and socioeconomic make-up over the years.  The advertising campaign was roundly criticized by the community and the regulators, and the bank narrowly avoided enforcement action.  It is clear that the intent of the program was not to insult anyone, but nevertheless great insult was taken!

Fair Lending is an Area that Requires a Separate Risk Assessment

Fair Lending has always been an examination area that is subjective.  Over the past few years, this area has become increasingly complex. The regulators have made it clear that this will be an area of emphasis that has the potential for enforcement action.   It is therefore, critical for banks to perform a risk assessment in this area.

In Part Two of this Blog we will discuss a formula for developing a risk assessment for community institutions.

Don’t Forget That Training is a Pillar of a Strong Compliance Program

Don’t forget that Training is a Pillar of a Strong Compliance Program   

Since regulators first embraced the risk-based approach to supervision of banks, training of staff has been recognized as one of the pillars of a strong compliance program. In its 2002 article entitled “A Banker’s Guide to Establishing and Maintaining an Effective Compliance Management Program”, the Kansas City Federal Reserve Bank discussed the importance of training to a compliance program:

“The importance of having a staff that is knowledgeable of regulatory requirements cannot be overstated. Regardless of an institution’s philosophy and policies, ultimately it is line staff who process transactions and interact with customers. If employees are not adequately trained in compliance matters, errors are certain to occur” [1]

Mark W Olson, Member of the Board of Governors of the US Federal Reserve System, also emphasized this point in his remarks at the American Bankers Association’s Regulatory Compliance Conference.  He stated in part that:

“Training on policies, procedures, and associated controls is a component of compliance-risk management that should not be overlooked. Examiners will determine whether the banking organization’s training program ensures that compliance policies, procedures, and controls are well understood and appropriately communicated throughout the organization.” [2]

These are just two of several statements by regulators that make it clear that training of staff is not only important, but that it is an essential component of compliance. There must be a mechanism in place to make sure that everyone associated with your institution is kept abreast of changes to regulations that directly impact its operations. In addition, when management and staff have a clear understanding of the requirements of regulations, they are more effective and efficient. While good training will not make up for unsafe and unsound practices, a well-trained staff can cover a multitude of “sins.”

The Case for “Live” Training

Most financial institutions these days use some form of internet training to fulfill their compliance training needs.   Online courses are for the most part accepted as the most cost effective way to conduct training for staff.  We would like to suggest that cost efficiency may not ultimately be the most important consideration.  Most compliance programs at small institutions consist of online training programs that allow participants the ability to take tests multiple times until the desired score is achieved.  Unfortunately, a common strategy for the participants is to eschew reading the material, go straight to the test, take it, write down the answers to the questions that they got wrong and then retake the test with answer guide in hand. While this process will help to ensure that everyone has received a passing grade on the training, it does little to increase staff knowledge of regulations. This is not meant to be an indictment of online training programs at all.

Instead, it is a suggestion that a complete compliance training program must include a great deal more.  Consider the nature of compliance regulations. Whether we like to admit it or not, compliance regulations have a history of being earned!  For example, Regulation B (the Equal Credit Opportunity Act) was passed to address the fact that women and minorities were being denied equal access to credit, and the Truth in Lending Act is the result of former banking practices that misled borrowers about the real costs of the loans they were getting.   Consumer regulations have been designed to address areas that have been proven to cause consumer financial harm.

Because consumer regulations are designed to either prevent certain behaviors, collect information on the results of bank practices or to provide complete information through disclosures, a great deal is left open for interpretation.  There are even times when regulations direct that staff must interpret information to the best of their ability (Government Monitoring Information in HMDA).  Often when a regulation is misunderstood, violations result.

We have found that when management and staff alike are given the opportunity to hear a bit of the history of the regulation it makes a big difference in the overall level of compliance.  Knowing WHY a regulation was enacted goes a long way toward understanding what it is that the regulation is trying to accomplish.  Taking this idea one step further, giving staff information on what it is that the current regulation is trying to accomplish goes a long way toward obtaining positive participation in the compliance effort.

By helping to ensure that staff members understand the specifics of compliance regulations, you can greatly enhance the effectiveness of the program.  Staff who understand what it is that the regulation is trying to accomplish can feel empowered.  Whether or not staff members agree with the regulation, understanding it is key.  With the basic understanding of the regulation as a tool, the number of misinterpretations and resulting errors are greatly reduced.

Courses on consumer regulations should at least annually include information about the history and the legislative intent of the regulation.   Optimally, staff will be given the opportunity to work through case studies during the training session as these are very helpful in increasing understanding of the regulation.

Training Can be a Cost Saver

In the area of compliance, the most frequent violations of regulations are a direct result of either misunderstanding the requirements of regulations or ignorance of changes to regulations. Training courses that cover the requirements of consumer regulations are extremely effective in reducing these kinds of violations. While compliance violations rarely result in the closure of a bank, the fines, penalties and reimbursements that result can have a drastic impact on profitability.

Do not Give Training the Axe

Although the examination handbooks don’t specifically say it, the fact that training is listed as one of the “pillars” of the compliance program suggests that it is at least as important as the other pillars.  And yet, for reasons that are lost in tradition, this area often is not treated as an important part of compliance.

Even in the toughest of economic times, training of staff and management is a necessity. Through training courses that are specifically designed to meet the needs of individual organizations, financial institutions can be prepared to meet the challenges of a changing regulatory environment. As one of the most important pillars of a strong compliance program, training should never be considered a luxury!

[1] A Banker’s Guide to Establishing and Maintaining an Effective Compliance Management Program (the Guide). Federal Reserve Bank of Kansas City, 2002.

[2] Remarks by Mark W. Olson, Member of the Board of Governors of the US Federal Reserve System, at the American Bankers Association’s Regulatory Compliance Conference, Orlando, 12 June 2006.


Strengthening Your Compliance Program-Getting to the Root of the Problem

Getting to the Root of the Problem- An Important Step to Strong Compliance

The compliance examiners are coming!  It is time to get everything together to prepare for the onslaught, right?   Time to review every consumer loan that has been made and every account that has been opened in the last 12 months, right?  Not necessarily!  The compliance examination is really an evaluation of your compliance management program (“CMP”).  By approaching your examinations and audits as an evaluation of the effectiveness of your overall CMP, the response to the news of an upcoming review becomes (almost) welcome.

The Elements of the CMP

There is really no “one size fits all” way to set up a strong compliance program.  There are, however, basic components that all compliance management systems need.  These components are often called the pillars of the CMP.  The pillars are:

  • Policies and procedures
  • Internal Controls
  • Management Information Systems
  • Training

The relative importance of each of these pillars depends on the risk levels at individual financial institutions.  The compliance examination is a test of how well the institution has identified these risks and deployed resources.   For example, when one has highly experienced and trained staff coupled with low turnover, the need for fully detailed procedures may be minimal.  On the other hand, at an institution where new products are being offered regularly, the need for training can be critical.   The central question is whether or not risks have been properly identified at your institution.  Once risks have been identified, have effective steps been taken to mitigate them?

Making the CMP fit Your Bank 

Making sure that your CMP is right-sized starts with an evaluation of what the institution is doing and the inherent risk in that activity.  For example, consumer lending comes with a level of risk.  Missed deadlines, improper disclosures or misinterpretations of the requirements of the regulations are risks that are inherent in a consumer portfolio.   In addition to the risks inherent in the portfolio are the risks associated with the manner in which the institution conducts its consumer business.   Are risk assessments conducted when a product is going to be added or terminated?  Both decisions can create risks.  For example, the decision to cease making HELOCs may create a fair lending issue, while the decision to start making HELOCs has to be made in light of the knowledge and abilities of the staff that will be making the loans and the staff that will be reviewing for compliance.

We suggest that compliance has to be a part of the overall business and strategic plan of any financial institution.  The best way to make sure that the CMP is appropriate is to include compliance in all of the business decisions.   The CMP has to be flexible enough to absorb changes while remaining effective and strong.

The Test of the CMP

Probably the most efficient way to determine the strengths and weaknesses of the CMP is by reviewing the findings of internal audits and examinations, as well as quality control checks.  When reviewing these findings, what is most important is getting to the root of the problem.    Both the findings and the recommendations that can be found in examination and audit reports can be used to help “tell the story” of the effectiveness of the CMP.  As the institution receives its readout of findings and recommendations, it is very important to ask the examiner or auditor, “In your opinion, what was the cause of this finding?”  Generally, we believe that you will find that the answer you receive will be candid and extremely helpful in addressing the problem.  Let’s face it, sometimes findings occur when people have bad days.  On those bad days, even the secondary review may not quite catch the problem.  These are generally not the types of findings that should keep you up at night.

The findings that should cause concern are the ones that result from a lack of knowledge or a lack of information about the requirements of a regulation.  These findings are systemic and tend to raise the antennae of auditors and examiners.  Unfortunately, too often the tendency for institutions is to respond to this kind of finding by agreeing with it and promising to take immediate steps to address it.  Without knowing the root cause of the problem, the fix becomes the banking version of sticking one’s finger in the dike to avoid a flood.

Addressing Findings  

We suggest a five-step process to truly address findings and strengthen the CMP:

  1. Make sure that the compliance staff truly understands the nature of the finding.  This may sound obvious, but far too many times a great deal is lost in translation between the readout and the final report.  Many of our clients have stated that they felt like what was discussed at the exit doesn’t match the final report they received.  We recommend fighting the urge to dismiss the auditor/examiner as a crank!  Call the agency making the report and get clarification to make sure that the concern that is being expressed is understood by staff.
  2. Develop an understanding of the root cause of the finding.  Does this finding represent a problem with our training?  Perhaps we have not deployed our personnel in the most effective manner.  It is critical that management and the compliance team develop an understanding of why this finding occurred in order to address it most effectively.
  3. Assign a person responsible, along with an action plan and benchmark due dates.   Developing the plan of action and setting dates creates accountability for ensuring that the matter is addressed.
  4. Assign an individual to monitor progress in addressing findings.  We also recommend that this person report directly to the Audit Committee of the Board of Directors.  This builds further accountability into the system.
  5. Validate the response.   Before an item can be removed from the tracking list, there should be an independent validation of the response.  For example, if training was the issue, the response should not be simply that all staff have now taken the training.  The process should include a review of the training materials to ensure that they are sufficient and feedback from staff members taking the training.  In addition, a quality control check should be performed.

Not only does determining the root cause of a problem make the response more effective, but in doing so, the CMP will be strengthened.  For example, it may be easy to see that an institution has a problem with providing right of rescission disclosures.  It may be harder to see that the problem is not the people at all, but that the training they received is confusing and ineffective.  Only by diving into the root cause of the problem can the CMP be fully effective.

Please Join us For a Free 15-Minute Webinar

Preparing for the Next Compliance Year
Are You Ready for 2016 ?

We’d Love to Have You Join Us for Another Regulatory Briefing

Day: Thursday, December 17, 2015
Time: 10 am Pacific / 9 am Mountain / 12 pm Central / 1 pm Eastern
Duration: 15 minutes, plus Q&A
Who Will Benefit: Compliance Staff, BSA Staff, Lending Operations, Deposit Operations, Compliance Officers, Chief Risk Officers, Chief Credit Officers, Auditors

To register, please go to and click on the “Regulatory Briefings” tab.

Planning Your Compliance Year

As the year comes to a close, for most people, it is time to celebrate with family and friends and to look forward to the new year with anticipation.  For risk and compliance officers at financial institutions, the new year comes with a bit of a different perspective.  For many years now, each new year has brought a different set of regulations and the challenge of keeping financial institutions in compliance.   This is not necessarily a bad thing.  New challenges can present an opportunity for new and more efficient solutions.   There are some steps that you can take that can truly help you get to the goal of “getting on top of compliance”.

Step One- Information Gathering

There are several sources for regulatory changes.  It is important to consider the fact that compliance and risk expectations can be changed by more than the implementation of new regulations.   Regulatory agencies respond to world events, the political environment, resource allocations, technology and many other factors.   One valuable source of information that is often overlooked is the annual plans or statements that are issued by the prudential regulators.  All three issue a plan that addresses the areas that they will emphasize in the upcoming year. [1]  In addition, there are many organizations and agencies that list the effective dates for regulations.  At VCM, we have a form that lists regulations, effective dates and whether or not the regulation will apply to your organization. [2]  Gathering information on the new regulations and regulatory initiatives is a key first step for planning the compliance year.

Step Two – Setting the Parameters

We believe that the next step should always be completing a risk assessment.  More often than not, we see risk assessments that are performed specifically for the purpose of meeting a regulatory requirement.  In many cases, these assessments are completed and put away without being looked at until it is time to do an annual update.  We believe instead that the risk assessment provides an excellent opportunity to set the parameters for your own compliance program.  We recommend that the risk assessment should include:

  • The areas where there have been regulatory or internal audit findings in the past
  • The types of products that the Bank offers and the risks associated with those products
  • New products that are being contemplated
  • The management reports that are currently being generated by software
  • Changes in regulations that might affect the bank
  • Changes in staff that have occurred or are planned.

The risk assessment should be designed to determine the areas where your institution has the greatest risk for violations or findings.  It is critical that the assessment should be brutally honest and unflinching in its assessment of the compliance needs for your institution.

The most important part of this step is to remember to USE the document that you have prepared!  The risk assessment should be the basic document that helps you make the case to senior management for additional staff and/or resources.   The risk assessment should also be used to help set the scope of the internal audits that are performed.  It is very rare that there will be time to cover every potential issue in a year so the risk assessment should help prioritize resources.    The risk assessment should also be the document from which the training calendar should be set.

Step Three- Checking Twice  

In addition to going through the regulations, it is necessary to make sure that your policies and procedures match the requirements.  For example, have you developed a solid method for making sure that you comply with the “valuations rules” of Regulations B and Z?  Do you know what these are and how they affect you?

It is also a very good idea to sign up for all of the “Free stuff” that the regulators publish about compliance.   These can be used as useful supplemental training tools.  There is a great deal of very helpful information made available by the Federal Reserve and the CFPB in particular.  [3]

Step Four-Call for Help!

One of the benefits of completing a comprehensive compliance risk assessment is that the results can help you determine the level of support that is needed.   Far too often compliance departments get additional resources only after the staff has been overwhelmed or has experienced a poor result from an audit or examination.  However, we suggest that the old saying that an ounce of prevention is worth a pound of cure applies.  Identifying the areas that are the highest risk and asking for help in those areas before they become a problem is a best practice that will enhance your compliance program and the quality of your life!

Of course, one of the best areas to get support for compliance is through the staff at your bank.   At the end of the day, compliance is a team effort that requires the input of the whole bank to be most effective.  One of the themes that we have noticed over the years is that people tend to buy in more when they understand the hows and whys of compliance.  While online training classes are clearly efficient and relatively inexpensive, they sometimes can lack the perspective that gives the staff members the reason why the particular regulation exists.   For example, we have found that taking the time to explain what it is that BSA laws and rules are trying to accomplish to the staff members who are opening accounts has dramatically improved the collection of data for CIP.  The same is true for Regulation B and a host of other areas.  By helping bank staff understand that there really are good reasons why you are so insistent on complete and accurate disclosures, you can greatly reduce the error rate in these disclosures.   The more help from staff that you get, the more efficient you can be.

Step Five- Execute the Plan

Once you have completed the risk assessment, prioritized the risks and asked for help, it is time to execute the plan.   Make sure that the scope of the audits that you are getting will actually meet your needs and give you information on how things are going.   Regulators have become increasingly critical of audit scopes that are too general or that do not cover specific areas of compliance weakness at the bank.   The internal audit is an important tool that should be used to help find areas that need attention.  It is true that the auditor is your friend.  The results of audits should be taken seriously and positively, as this is your opportunity to determine levels of compliance without having regulatory problems.

Like all good coaches, as a compliance officer you know the areas where your team is the weakest.  Make sure that your compliance plan is designed to address these areas from the outset.  If training has been a concern for example, then make sure that you have addressed the root of the problem.

Step Six-Remain Flexible

There is a parable that says that if you want to prove that God has a sense of humor- then try making your own plans.  There is no question that the best-laid plans can sometimes go awry.  Therefore, it is important that you build flexibility into your plan.  For example, even though you may have wanted to do flood insurance testing in the first quarter, you might find that the bigger area of risk is compliance with HMDA.  Even though flood insurance will always be a “hot button” issue, there are times when the greater area of risk can be somewhere else.  The point is that your plan must have the ability to hit all of the highest areas of risk to ensure that your program is successful.

Planning your compliance year can not only keep you ahead of trouble; it can help you start making different New Year’s resolutions!

[1] See for example,

[2] This form can be found on our website at


Having the “Compliance” Conversation

Having the “Compliance Conversation” in the Face of Changing Expectations.
One of the constants in the world of compliance is change.    This will be true again in 2016, when several significant changes to regulations will be implemented.   For smaller institutions the regulatory changes won’t be as significant as for larger ones.  However, in addition to changes in regulations, there will also be changes in the areas of emphasis for the regulators.   For example, regulators will be looking at financial institutions’ usage of models as a tool and will expect that the governance around the usage of models will be well documented.  In addition, Bank Secrecy Act/Anti-Money Laundering compliance programs will be scrutinized.  Changes such as these can significantly impact the outcome of examinations and audits.

One of the other constants in compliance has been skepticism about consumer laws in general and the need for compliance regulations specifically.  It is often easy to feel the recalcitrance of the senior management at financial institutions to the very idea of compliance.  Even institutions with a good compliance record often tend to do exactly that which is required by the regulation for the sole purpose of staying in compliance with the letter and not the spirit of compliance.  Indeed, skepticism about the need for consumer regulations as well as the effectiveness of the regulations are conversations that can be heard at many an institution.

The combination of changes in the consumer regulations and changes in the focus of these agencies presents both a challenge and an opportunity for compliance staff everywhere.  It is time to have “the talk” with senior management.    The point of the talk?  Enhancements in compliance can help your bank receive higher compliance ratings while improving the overall relationship with your primary regulator.

The Compliance Conversation

While there are many ways to try to frame the case for why compliance should be a primary concern at a bank, there are several points that we have found that help convince a skeptic.
Compliance regulations have been earned by the financial industry.  A quick review of the history of the most well-known consumer regulations will show that each of these laws was enacted to address bad behaviors of financial institutions.  For example, the Equal Credit Opportunity Act (ECOA) was passed to help open up credit markets to women and minorities who were being shut out of the credit market.  Moreover, the fair lending laws, HMDA and the Community Reinvestment Act were all passed to assist in the task of enforcement of the ECOA.  In all of these cases, the impetus for the legislation was complaints from the public about the behavior of banks.  The fact is that these regulations were implemented to prevent financial institutions from hurting the public.

Compliance will not go away.   Even though there have been changes to the primary regulations, there has been no credible movement towards doing away with them.   Banking is such an important part of our economy that it will always receive a great deal of attention from the public and, therefore, legislative bodies.   The trend for all of the compliance regulations is that they continue to expand.  The need for a compliance program is as basic to banking as the need for deposit insurance.  In addition, since compliance is, and will be, a fact of banking life, the prudent course is to embrace it.

Compliance may not be a profit center, but a good compliance program reduces the opportunity costs of regulatory enforcement actions.  Many financial institutions tend to be reactive when it comes to compliance.  We understand that there is a cost benefit analysis that is done and often, the decision is made to “take our chances” and get by with a minimal amount of resources spent on compliance.   However, more often than not the cost benefit analysis does not take into account the cost of “getting caught”.  Findings from compliance examinations may require “look backs” into past transactions and reimbursement to customers who were harmed by a particular practice.  The costs for such action include costs of staff time (or temporary staff), reputational costs and the costs associated with correcting the offending practice.  A strong compliance management system will prevent these costs from being incurred from the outset and protect the Bank’s reputation; which at the end of the day is its most important asset.

Compliance is directly impacted by the strategic plan. Far too often, compliance is not considered as banks put together their plans for growth and profitability.   Plans for new marketing campaigns or new products being offered go through the approval process without the input of the compliance team.  Unfortunately, without this consideration, banks add additional risk without being aware of how the additional risk can be mitigated.    When compliance is considered in the strategic plan, we find that the proper level of resources can be dedicated to all levels of management and internal controls.

There is nothing about being in compliance that will get in the way of the bank making money and being successful.  Many times the compliance officer gets portrayed as the person who keeps saying “No!” to new products, “No!” to new marketing and “No!” to being profitable.  But the truth is that this characterization is both unfair and untrue.  The compliance staff at your bank wants the bank to make all the money that it possibly can while staying in compliance with the laws that apply.  The compliance team is not the enemy.  In fact, the compliance team is there to solve problems.

Getting the Conversation to Address the Future.

Today, we are seeing changes in the expectations that regulators have about responding to examination findings and the overall maintenance of the compliance management program.   There are three fronts that may seem unrelated at first, but when put together, they make powerful arguments about how compliance can become a key component in your relationship with the regulators.

First, the regulators have determined that the overall effectiveness of the compliance program should be a consideration in the CAMEL ratings.   The Comptroller of the Currency has published remarks that make it clear that he intends for the review of the compliance management program to directly impact the overall “M” rating within the CAMEL ratings.   The other prudential regulators are soon to follow.  The thought behind evaluating the compliance management program is that it is in fact the responsibility of management to maintain and operate a strong compliance program.  The failure to do so is a direct reflection of management’s abilities.  Compliance is now a regulatory foundation issue.

Second, now more than ever, regulators are looking to financial institutions to risk assess their own compliance and, when problems are noted, to come forward with the information.  The CFPB, for example, published guidance in 2013 (Bulletin 2013-06) that directly challenged banks to be good corporate citizens by self-policing and self-reporting.  It is clear that doing so will enhance both the bank’s reputation and its relationship with regulators.  The idea here is that by showing that you take compliance seriously and are willing to self-police, the need for regulatory oversight can be reduced.

Finally, the regulators have reiterated their desire to see financial institutions address the root causes of findings in examinations.   There have been recent attempts by the Federal Reserve and the CFPB to make distinctions between recommendations and findings.  The reason for these clarifications is so that banks can more fully address the highest areas of concern.  The regulators are emphasizing that they expect financial institutions to address the heart of the reason that the finding occurred.  For example, in a case where a bank was improperly completing Good Faith Estimates in violation of RESPA, the response cannot simply be to tell the loan staff to knock it off!  In addition to correcting mistakes, there is either a training issue or perhaps staff are improperly assigned.  What is the reason for the improper disclosures?  That is what the regulators want addressed.

The opportunity exists to enhance your relationship with your regulators through your compliance department.  By elevating the level of importance of compliance at your institution and using it as a topic, a relationship of trust and communication can be developed with your regulators.

Does Your Outsourced Audit Meet Regulatory Standards? Part Two

Does Your Internal Audit Scope Meet Regulatory Standards? 

A Two Part Series-Part Two-Setting the Scope

As we noted in the first part of this series, the scope of the internal audit function at financial institutions has been an area of focus for regulators.  In particular, regulators have focused on whether the scope of internal audits both meets regulatory standards and is appropriate in light of the overall risk profile of a financial institution.  It is the second of these two considerations that has most recently caused findings and created concerns.    It is, therefore, critical that the scope of audits reflect an understanding of the risks inherent at your financial institution.

Using Risk Assessments Effectively

The Federal Financial Institutions Examination Council (“FFIEC”) issued a comprehensive policy statement on the audit process in 2003.  This statement is still the definitive regulatory guidance on the proper development and maintenance of the internal audit function for financial institutions.   The guidance states that risk assessments are a key component of internal audits.  A risk assessment is defined as follows:

A control risk assessment (or risk assessment methodology) documents the internal auditor’s understanding of the institution’s significant business activities and their associated risks. These assessments typically analyze the risks inherent in a given business line, the mitigating control processes, and the resulting residual risk exposure of the institution. They should be updated regularly to reflect changes to the system of internal control or work processes, and to incorporate new lines of business.[1]

At smaller institutions, there generally is not a full time internal auditor on staff.  This does not obviate the need for comprehensive and timely risk assessments.  Unfortunately, the risk assessment process is often overlooked.   The risk assessment should consider the following:

Past Examination and Audit Results

It goes without saying that the past can be a prelude to the future.   Prior findings are an immediate indication of a lack of effectiveness of internal controls.  It is important that the root cause of the findings or recommendations from regulators is identified and addressed.  Internal audits should coordinate with the risk assessment to test the effectiveness of the remediation.

Changes in Staff and Management

Change is inevitable and along with changes comes the possibility that additional training should be implemented or that the resources available to staff should also change.  For example, suppose the head of Note Operations is brand new.  This new manager will want to process loans using her/his own system.  Loan staff who may be used to past procedures may become confused.  Change generally increases the possibility of findings or mistakes.   Your risk assessment should take into account the risks associated with changes and how best to address them.  In addition, this is an area that should be covered by internal audit as it presents a risk.

Changes in Products, Customers or Branches

It is also important that your risk assessment consider all of the different aspects of changes that have occurred or will occur during the year.  Any new products or services, new vendors, and/or marketing campaigns that are designed to entice new types of customers are all changes that impact the overall risk profile of the institution.    The resources necessary to address these changes should also be a consideration for the internal audit.

Changes in Regulations

Over the past few years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies.  Many of these changes do not impact smaller institutions directly, but many do.  Moreover, there are often regulations that are finalized in one year that don’t become effective until the following year.   Part of your risk assessment process has to consider changes that will affect your institution.  The internal audit scope should also consider whether the institution is prepared to meet changing regulatory requirements.

Monitoring Systems in Place

The information systems being employed to monitor the effectiveness of internal controls should be considered.  For many institutions, this system is comprised of word of mouth and the results of audits and examinations.  Information used by senior management and reported to the Board should be sufficient to allow credible challenges by the Board.[2]

Using the Risk Assessment to Set Audit Scopes

Once a risk assessment is completed, the results should be directly tied to the internal audit schedule.   The FFIEC guidance points out the relationship between the internal audit plan and the risk assessment:

An internal audit plan is based on the control risk assessment and typically includes a summary of key internal controls within each significant business activity, the timing and frequency of planned internal audit work, and a resource budget.[3]

The risk assessment should prioritize the potential for findings, while the audit scope should be developed to test mitigation steps made to reduce findings.

The criticism that is often raised about outsourced audit is that the scope is incomplete.  This is often the case because outsourced vendors have developed their scope based upon best practices, and their experiences at various institutions.  While this is obviously a best practice for the audit vendor, the problem is that it doesn’t always fit the individual institution.   Information from a comprehensive risk assessment should be incorporated into the scope of an internal audit.

In this manner, the auditor can best consider the areas of risk that are the highest priority at a particular institution.  For example, when developing the scope for an independent audit of a BSA/AML program, the scope should include the most recent risk assessment.  Changes in the customer base, an increase in the overall risk profile of the bank or a change in personnel are all factors that should be included in the audit scope.  In addition, the auditor should consider whether current monitoring systems have the capability to properly monitor the additional level of risk.  Finally, the professional abilities of the BSA staff should be considered as they relate to additional risk.

Ultimately, it is the responsibility of the Board to ensure that the internal audit is effectively testing the strength of internal controls.

[1] Interagency Policy Statement on the Internal Audit Function and its Outsourcing

[2] See for example, OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations

[3] Interagency Policy Statement on the Internal Audit Function and its Outsourcing

Does Your Outsourced Audit meet Regulatory Standards?

Does Your Internal Audit Scope Meet Regulatory Standards? 

A Two Part Series-Part One-The Regulatory Standards

One of the areas of focus for the regulators of financial institutions in the upcoming months will be the scope of the outsourced audits.   We have recently noted a number of clients that have been criticized for audit scopes that are either inadequate based upon risk, or are simply not comprehensive.

It is well established that the safe and sound operation of a financial institution requires, among other things, a well-established system of internal controls.  The regulatory agencies all have a similar definition of internal controls.  For example, the Office of the Comptroller of the Currency defines internal control in the Management handbook as follows:

Internal control is the systems, policies, procedures, and processes effected by the board of directors, management, and other personnel to safeguard bank assets, limit or control risks, and achieve a bank’s objectives.[1]

Once a system of internal controls has been established by a Board of Directors, it is necessary to test the effectiveness of the controls and to make sure that bank personnel are adhering to the limits established.  This is the role of internal audit.   As the OCC handbook points out:

Internal audit provides an objective, independent review of bank activities, internal controls, and management information systems to help the board and management monitor and evaluate internal control adequacy and effectiveness.[2]

Regular, comprehensive auditing of the operations of a financial institution is a necessary part of a safe and sound operation.  All federally insured financial institutions are expected to maintain audit departments.   However, for smaller institutions the cost of employing a full time internal audit staff has proven to be prohibitive.    For most institutions with assets of less than $1 billion, the audit function has been at least partially outsourced.

Outsourcing of the audit function is a well-established practice.  The Federal Financial Institutions Examination Council (“FFIEC”) recognized this when it issued a comprehensive policy statement on the process in 2003.   The guidance is called “Interagency Policy Statement on the Internal Audit Function and its Outsourcing”.  Since its release, there has been some additional guidance issued that addresses outsourcing in more general terms[3].  However, the guidance first issued in 2003 remains the seminal guide for outsourcing audit today.

Standards for Outsourcing

The FFIEC guidance makes it clear that the responsibility for internal controls remains with the Board and senior management of the financial institution.

Furthermore, the agencies want to ensure that these arrangements with outsourcing vendors do not leave directors and senior management with the erroneous impression that they have been relieved of their responsibility for maintaining an effective system of internal control and for overseeing the internal audit function.[4]

The guidance is divided into four parts:

  1. The Internal Audit function
  2. Outsourcing Arrangements
  3. Independence of the public accountant
  4. Guidance for Regulators

The Audit Function

The guidance notes that the audit function is the means by which the Board can test whether or not internal controls are effective.

Accordingly, directors and senior management should have reasonable assurance that the system of internal control prevents or detects significant inaccurate, incomplete, or unauthorized transactions; deficiencies in the safeguarding of assets; unreliable financial reporting (which includes regulatory reporting); and deviations from laws, regulations, and the institution’s policies. [5]

The function of internal audit, then, is ultimately to inform the Board of weaknesses in internal controls and the possibility of regulatory violations.    There is a great deal of discussion in this section about the reporting structure for the audit function.  Ultimately, the critical point from this section is that whatever reporting structure is developed, the auditor must have the ability to report directly to the audit committee.

We note that in many smaller institutions, the results of audits are read out to business line managers and the final reports are delivered directly to the Board or to the audit committee of the Board.  This process often does not allow the auditor in charge to communicate directly with the audit committee.  A comprehensive scope should include a comment on the effectiveness of management to carry out their assigned duties. The guidance is specific that in small institutions, the person responsible for testing internal controls should report findings directly to the audit committee.   As a best practice, a member of the audit committee should attend the exit meeting and allow the auditor to comment on any concerns that he/she feels should be directly communicated to the Board.

Outsourcing Arrangements

The guidance notes that even in the event that the audit function is completely outsourced, it is still the responsibility of the Board and management to ensure that internal controls are effective.    The outsourced agreement should take into account both the current and anticipated business risks of the financial institution.

The guidance details the minimum requirements for an outsourcing agreement, including the limitation that outside auditors must not make management decisions and can only act in the capacity of informing the Board.  Once again, the idea that the outside auditor should communicate directly with a representative of the Board is emphasized.

One of the areas of criticism that we are currently seeing is that the internal audit plans do not adequately consider factors that should be part of the risk assessment.  Changes in staff, new regulatory requirements, software limitations, overall training and experience of management are all factors that should be considered when developing the internal audit plan.   As a best practice, the scope of the audits to be performed by the outsourced auditor should reflect the fact that the Board has considered these factors and included them.

Independence of the Public Accountant

For many financial institutions, the temptation is to use the same accounting firm that prepares financial statements to perform internal audits.  This issue presents itself most often with institutions that are over $500 million in assets, because there is a requirement for an independent audit on financial statements by a public accounting firm.  Generally, the guidance limits the ability of public accounting firms to also be the outsourced audit firm.

For smaller institutions, there is no prohibition on using public accounting firms; however, the practice is strongly discouraged.   In large part, the reason for this is that the firm that prepares the financial statements must be completely independent.  The data that is used to prepare financial statements has to be independently verified.  When the accounting firm performs both of these functions, the appearance is that independence is lacking.  In other words, the firm that is preparing the financial statements of a bank may be auditing its own work.

There are several independent firms that specialize in auditing for financial institutions.  These firms tend to provide cost effective and comprehensive alternatives to the public accounting firms.

Guidance for Regulators

The guidance specifies the goal of the examiners’ review of the internal audit.  The examiners are directed to ensure that the audit scope reflects the risk assessment of the institution and that the Board has directed the auditor to consider the areas that are the highest risk.  The examiners are also directed to review the work papers of the auditor to ensure that they support the findings and conclusions in the audit report.   Examiners will also review how findings are communicated to the Board and management.  There is an expectation that responses to findings are tracked and monitored.

We have recently noted that the regulators are criticizing Boards for not receiving information about the overall effectiveness of the senior managers that they have employed.   Examiners have often been critical when the audit report does not specifically draw a conclusion about the training, effectiveness and capabilities of the senior management in charge of the business line being audited.  As we noted, it is a best practice to allow an outlet for the auditor to communicate a conclusion about senior management in the audit process.

In part two, we will discuss best practices for developing the audit scope.

[1] Comptroller’s Handbook, Internal Control, 2001, page 1

[2] Ibid., page 1

[3] See for example, Supervision and Regulation (SR) letter 13-19/CA letter 13-21, “Guidance on Managing Outsourcing Risk.”

[4] Interagency Policy Statement on the Internal Audit Function and its Outsourcing

[5] Ibid.
