As the year comes to close, for most people, it is time to celebrate with family and friends and to look forward to the new year with anticipation. For risk and compliance officers at financial institutions, the new year comes with a bit of a different perspective. For many years now, each new year brings a different set of regulations and the challenges of keeping financial institutions in compliance. This is not necessarily a bad thing. New challenges can present an opportunity for new and more efficient solutions. There are some steps that you can take that can truly help you get to the goal of “getting on top of compliance”.
Step One- Information Gathering
There are several sources for regulatory changes. It is important to consider the fact that compliance and risk expectations can be changed by more than the implementation of new regulations. Regulatory agencies respond to world events, the political environment, resources allocations, technology and many other factors. One valuable source of information that is often overlooked are the annual plans or statements that are issued by the prudential regulations. All three issue a plan that addresses the areas that they will emphasize in the upcoming year.  In addition, there are many organizations and agencies that list the effective dates for regulations. At VCM, we have a form that lists regulations, effective dates and whether or not the regulation will apply to your organization.  Gathering information on the new regulations and regulatory initiatives is a key first step for planning the compliance year.
Step Two – Setting the Parameters
We believe that the next step should always be completing a risk assessment. More often than not we come see risk assessments that are performed specifically for the purpose of meeting a regulatory requirement. In many cases, these assessments are completed and put away without being looked at until it is time to do an annual update. We believe that Instead, that the risk assessment provides an excellent opportunity to set the parameters for your own compliance program. We recommend that that risk assessment should include:
The areas where there have been regulatory of internal audit findings in the past
The types of products that the Bank offers and the risks associated with those products
New products that are being contemplated
The management reports that are currently being generated by software
Changes in regulations that might affect the bank
Changes in staff that have occurred or are planned.
The risk assessment should be designed to determine the areas where your institution has the greatest risk for violations or findings. It is critical that the assessment should be brutally honest and unflinching in its assessment of the compliance needs for your institution.
The most important part of this step is to remember to USE the document that you have prepared! The risk assessment should be the basic document that helps you make the case to senior management for additional staff and/or resources. The risk assessment should also be used to help set the scope of the internal audits that are performed. It is very rare that there will be time to cover every potential issue in a year so the risk assessment should help prioritize resources. The risk assessment should also be the document from which the training calendar should be set.
Step Three- Checking Twice
In addition to going through the regulations, it is necessary to make sure that your policies and procedures match the requirements. For example, have you developed a solid method for making sure that you comply with the “valuations rules” of regulation B and Z Do you know what these are and how they affect you?
It is also a very good idea to sign up for all of the “Free stuff” that the regulators publish about compliance. These can be used as useful supplemental training tools. There is a great deal of very helpful information made available by the Federal Reserve and the CFPB in particular. 
Step Four-Call for Help!
One of the benefits of completing a comprehensive compliance risk assessment is that the results can help you determine the level of support that is needed. Far too often compliance departments get additional resources after the staff has been overwhelmed or has experienced a poor result from an audit or examination. However, we suggest that the old saying that an ounce of prevention is worth a pound of cure applies. Identifying the areas that are the highest risk and asking for help in those areas before they become a problem is best practice that will enhance your compliance program and the quality of your life!
Of course one of the best areas to get support for compliance is through the staff at your bank. At the end of the day compliance is a team effort that requires the input of the whole bank to be most effective. One of the themes that we have noticed over the years is that people tend to buy in more when they understand the how’s and whys of compliance. While online training classes are clearly efficient and relatively inexpensive, they sometimes can lack the perspective that gives the staff members the reason why the particular regulation exists. For example, we have found that taking the time to explain what it is that BSA laws and rules are trying to accomplish to the staff members who are opening accounts has dramatically improved the collection of data for CIP. The same is true for Regulation B and a host of other areas. By helping bank staff understand that there really are good reasons why you are so insistent on complete and accurate disclosures, you can greatly reduce the error rate in these disclosures. The help from staff that you get, the more efficient you can be.
Step Five- Execute the Plan
Once you have completed the risk assessment, prioritize the risks and asked for help, it is time to execute the plan. Make sure that the scope of the audits that you are getting will actually meet your needs and give you information on how things are going. Regulators have become increasingly critical of audit scopes that are too general or that do not cover specific areas of compliance weakness at the bank. The internal audit is an important tool that should be used to help find areas that need attention. It is true that the auditor is your friend. The results of audits should be taken seriously and positively as this is your opportunity to determine levels of compliance without having regulatory problems.
Like all good coaches, as a compliance officer you know the areas where your team is the weakest. Make sure that your compliance plan is designed to address these areas from the outset. If training has been a concern for example, then make sure that you have addressed the root of the problem.
Step Six-Remain Flexible
There is a parable that says that if you want to prove that God has a sense of humor- then try making your own plans. There is no question that the best-laid plans can sometimes go awry. Therefore, it is important that you build flexibility into your plan. For example, even though you may have wanted to do flood insurance testing in the first quarter, you might find that the bigger area of risk is compliance with HMDA. Even though flood insurance will always be a “hot button” issue, there are times when the greater area of risk can be somewhere else. The point is that your plan must have the ability to hit all of the highest areas of risk to ensure that your program is successful.
Planning your compliance year cannot only keep you ahead of trouble; it can help you start making different New Year’s resolutions!
Having the “Compliance Conversation” in the Face of Changing Expectations.
One of the constants in the world of compliance is change. This will be true again in 2016 when several new significant changes to regulations will be implemented. For smaller institutions the regulatory changes won’t be as significant as for larger ones. However, in addition to changes in regulations, there will also be changes in the areas of emphasis for the regulators. For example, regulators will be looking at the financial intuitions usage of models as a tool and will expect that the governance around the usage of models will be well documented. In addition, Bank Secrecy Act/Anti Money Laundering compliance programs will be scrutinized. Changes such as these can significantly impact the outcome of examinations and audits.
One of the other constants in compliance has been skepticism about consumer laws in general and the need for compliance regulations specifically. It is often easy to feel the recalcitrance of the senior management at financial institutions to the very idea of compliance. Even institutions with a good compliance record often tend to do exactly that which is required by the regulation for the sole purpose of staying in compliance with the letter and not the spirit of compliance. Indeed, skepticism about the need for consumer regulations as well as the effectiveness of the regulations are conversations that can be heard at many an institution.
The combination of changes in the consumer regulations and changes in the focus of these agencies presents both a challenge and an opportunity for compliance staff everywhere. It is time to have “the talk” with senior management. The point of the talk? Enhancements in compliance can help your bank receive higher compliance ratings while improving the overall relationship with your primary regulator.
The Compliance Conversation
While there are many ways to try to frame the case for why compliance should be a primary concern at a bank, there are several points that we have found that help convince a skeptic. Compliance regulations have been earned by the financial industry. A quick review of the history of the most well-known consumer regulations will show that each of these laws was enacted to address bad behaviors of financial institutions. For example, the Equal Credit Opportunity Act (ECOA) was passed to help open up credit markets to women and minorities who were being shut out of the credit market. Moreover, the Fair lending laws, HMDA and the Community Reinvestment Act were all passed to assist in the task of enforcement of the ECOA. In all of these cases, the impetus for the legislation was complaints from the public about the behavior of banks. The fact is that these regulations were implemented to prevent financial institutions from hurting the public. Compliance will not go away. Even though there have been changes to the primary regulations, there has been no credible movement towards doing away with them. Banking is such an important part of our economy that it will always receive a great deal of attention from the public and therefore, legislative bodies. The trend for all of the compliance regulations is that they continue to expand. The need for a compliance program is as basic to banking as the need for deposit insurance. In addition, since compliance is and will be, a fact of banking life, the prudent course is to embrace it.
Compliance may not be a profit center, but a good compliance program reduces the opportunity costs of regulatory enforcement actions. Many financial institutions tend to be reactive when it comes to compliance. We understand that there is a cost benefit analysis that is done and often, the decision is made to “take our chances” and get by with a minimal amount of resources spent on compliance. However, more often than not the cost benefit analysis does not take into account the cost of “getting caught”. Findings from compliance examinations may require “look backs” into past transactions and reimbursement to customers who were harmed by a particular practice. The costs for such action include costs of staff time (or temporary staff), reputational costs and the costs associated with correcting the offending practice. A strong compliance management system will prevent these costs from being incurred from the outset and protect the Bank’s reputation; which at the end of the day is its most important asset.
Compliance is directly impacted by the strategic plan. Far too often, compliance is not considered as banks put together their plans for growth and profitability. Plans for new marketing campaigns or new products being offered go through the approval process without the input of the compliance team. Unfortunately, without this consideration, banks add additional risk without being aware of how the additional risk can be mitigated. When compliance is considered in the strategic plan, we find that the proper level of resources can be dedicated to all levels of management and internal controls.
There is nothing about being in compliance that will get in the way of the bank making money and being successful. Many times the compliance officer gets portrayed as the person who keeps saying no- No!” to new products, “No!” to new marketing” and “No!” to being profitable. But the truth is that this characterization is both unfair and untrue. The compliance staff at your banks wants the bank to make all the money that it possibly can while staying in compliance with the laws that apply. The compliance team is not the enemy. In fact, the compliance team is there to solve problems.
Getting the Conversation to Address the Future.
Today, we are seeing changes in the expectations that regulators have about responding to examination findings and the overall maintenance of the compliance management program. There are three fronts that may seem unrelated at first, but when put together, they make powerful arguments about how compliance can become a key component in your relationship with the regulators.
First, the regulators have determined that the overall effectiveness of the compliance programs should be a consideration of the CAMEL ratings. The Comptroller of the Currency has published remarks that make it clear that he intends to evaluate the review of the compliance management program to directly impact the overall “M” rating within the CAMEL ratings. The other prudent regulators are soon to follow. The thought behind evaluating the compliance management program is that it is in fact the responsibility of management to maintain and operate a strong compliance program. The failure to do so is a direct reflection of management’s abilities. Compliance is now a regulatory foundation issue.
Second, now more than ever, regulators are looking to financial institutions to risk assess their own compliance and when problems are noted, to come forward with the information. The CFPB for example, published guidance in 2013 (Bulletin 2013-06) that directly challenged banks to be corporate citizens by self-policing and self-reporting. It is clear that doing so will enhance both the reputation and the relationship with regulators. The idea here is that by showing that you take compliance seriously and are willing to self-police, the need for regulatory oversight can be reduced.
Finally, the regulators have reiterated their desire to see financial institutions address the root causes of findings in examinations. There have been recent attempts by the Federal Reserve and the CFPB to make distinctions between recommendations and findings. The reason for these clarifications are so that banks can more fully address the highest areas of concern. The regulators are emphasizing that they expect a financial institutions to address the heart of the reason that the finding occurred. For example, in a case where a bank was improperly completing Good Faith Estimates in violation of RESPA, the response cannot simply be to tell the loan staff to knock it off! In addition to correcting mistakes, there is either a training issue or perhaps staff are improperly assigned. What is the reason for the improper disclosures? That is what the regulators want addressed.
The opportunity exists to enhance your relationship with your regulators through your compliance department. By elevating the level of importance of compliance at your institution and using it as a topic, a relationship of trust and communication can be developed with your regulators.
Does Your Internal Audit Scope Meet Regulatory Standards?
A Two Part Series-Part TWO-Setting the Scope
As we noted in the first part of this series, the scope of the internal audit function at financial institutions has been an area of focus for regulators. In particular, regulators have focused on whether or not the scope of internal audits meets both regulatory standards and is appropriate in light of the overall risk profile of a financial institution. It is the second of these two considerations that has most recently caused findings and created concerns. It is therefore, critical that the scope of audits reflect an understanding of the risks inherent at your financial institution.
Using Risk Assessments Effectively
The Federal Financial Institutions Examination Council (FFIEC”) issued a comprehensive policy statement on the audit process in 2003. This statement is still the definitive regulatory guidance on the proper development and maintenance of the internal audit function for financial institutions. The guidance states that risk assessments are a key component of internal audits. A risk assessment is defined as follows:
A control risk assessment (or risk assessment methodology) documents the internal auditor’s understanding of the institution’s significant business activities and their associated risks. These assessments typically analyze the risks inherent in a given business line, the mitigating control processes, and the resulting residual risk exposure of the institution. They should be updated regularly to reflect changes to the system of internal control or work processes, and to incorporate new lines of business.
At smaller institutions, there generally is not a full time internal auditor on staff. This does not obviate the need for comprehensive and timely risk assessments. Unfortunately, the risk assessment process is often overlooked. The risk assessment should consider the following:
Past Examination and Audit Results–
It goes without saying that the past can be a prelude to the future. Prior findings are an immediate indication of lack of effectiveness of internal controls. It is important that the root cause of the finding or recommendations from regulators is identified and addressed. Internal audits should coordinate with the risk assessment to test the effectiveness of the remediation.
Changes in Staff and Management
Change is inevitable and along with changes comes the possibility that additional training should be implemented or that the resources available to staff should also change. For example, suppose the head of Note Operations is brand new. This new manager will want to process loans using her/his own system. Loan staff who may be used to past procedures may become confused. Change generally increases the possibility of findings or mistakes. Your risk assessment should take into account the risks associated with changes and how best to address them. In addition, this is an area that should be covered by internal audit as it presents a risk.
Changes in Products, Customers or Branches
It is also important that your risk assessment consider all of the different aspects of changes that have occurred or will occur during the year. Any new products or services, new vendors, and/or marketing campaigns that are designed to entice new types of customers are all changes that impact the overall risk profile of the institution. The resources necessary to address these changes should also be a consideration for the internal audit.
Changes in Regulations
Over the past few years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies. Many of these changes do not impact smaller institutions directly, but many do. Moreover, there are often regulations that are finalized in one year that don’t become effective until the following year. Part of your risk assessment process has to consider changes that will affect your institution. The internal audit scope should also consider whether the institution is prepared to meet changing regulatory requirements.
Monitoring systems in place
The information systems being employed to monitor the effectiveness of internal controls should be considered. For many institutions, this system is comprised of word of mouth and the results of audits and examinations. Information used by senior management and reported to the Board should be sufficient to allow credible challenges by the Board.
Using the Risk assessment to Set Audit Scopes
Once a risk assessment is completed, the results should be directly tied to the internal audit schedule. The FIIEC guidance points out the relationship between the internal audit plan and the risk assessment:
An internal audit plan is based on the control risk assessment and typically includes a summary of key internal controls within each significant business activity, the timing and frequency of planned internal audit work, and a resource budget.
The risk assessment should prioritize the potential for findings, while the audit scope should be developed to test mitigation steps made to reduce findings.
The criticism that is often raised about outsourced audit is that the scope is incomplete. This is often the case because outsourced vendors have developed their scope based upon best practices, and their experiences at various institutions. While this is obviously a best practice for the audit vendor, the problem is that it doesn’t always fit the individual institution. Information from a comprehensive risk assessment should be incorporated into the scope of an internal audit.
In this manner, the auditor can best consider the areas of risk that are the highest priority at a particular institutions. For example, when developing the scope for an independent audit of a BSA/AML program, the scope should include the most recent risk assessment. Changes in the customer base, an increase in the overall risk profile of the bank or a change in personnel are all factors that should be included in the audit scope. In addition, the auditor should consider whether current monitoring systems have the capability to properly monitor the additional level of risk. Finally, the professional abilities of the BSA staff should be considered as they relate to additional risk.
Ultimately, it is the responsibility of the Board to ensure that the internal audit is effectively testing the strength of internal controls.
 Interagency Policy Statement on the Internal Audit Function and its Outsourcing
 See for example, OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations
 Interagency Policy Statement on the Internal Audit Function and its Outsourcing
Does Your Internal Audit Scope Meet Regulatory Standards?
A Two Part Series-Part One:-The Regulatory Standards
One of the areas of focus for the regulators of financial institutions in the upcoming months will be the scope of the outsourced audits. We have recently noted a number of clients that have been criticized for audit scopes that are either inadequate based upon risk, or are simply not comprehensive.
It is well established that the safe and sound operation of a financial institution requires among other things, a well-established system of internal controls. The regulatory agencies all have a similar definition of internal controls. For example, the Office of the Comptroller of the Currency in the Management handbook as follows:
Internal control is the systems, policies, procedures, and processes effected by the board of directors, management, and other personnel to safeguard bank assets, limit or control risks, and achieve a bank’s objectives.
Once a system of internal controls has been established by a Board of Directors, it is necessary to test the effectiveness of the controls and to make sure that bank personnel are adhering to the limits established. This is the role of internal audit. As the OCC handbook points out;
Internal audit provides an objective, independent review of bank activities, internal controls, and management information systems to help the board and management monitor and evaluate internal control adequacy and effectiveness.
Regular, comprehensive auditing of the operations of a financial institution are a necessary part of a safe and sound operation. All federally insured financial institutions are expected to maintain audit departments. However, for smaller institutions that cost of employing a full time internal audit staff has proven to be prohibitive. For most institutions with assets of less than $1 billion, the audit function have been at least partially outsourced.
Outsourcing of the audit function is a well-established a practice. The Federal Financial Institutions Examination Council (FFIEC”) recognized this when it issued a comprehensive policy statement on the process in 2003. The guidance is called “Interagency Policy Statement on the Internal Audit Function and its Outsourcing”. Since its release, there has been some additional guidance that has been issued that addresses outsourcing in more general terms . However, the guidance first issued in 2003 remains the seminal guide for outsourcing audit today.
Standards for Outsourcing
The FFIEC guidance makes it clear that the responsibility for internal controls remains with the Board and senior management of the financial institution.
Furthermore, the agencies want to ensure that these arrangements with outsourcing vendors do not leave directors and senior management with the erroneous impression that they have been relieved of their responsibility for maintaining an effective system of internal control and for overseeing the internal audit function.
The guidance is divided into four parts:
The Internal Audit function
Independence of the public accountant
Guidance for Regulators
The Audit Function
The guidance notes that the audit function is the mean by which the Board can test whether or not internal controls are effective.
Accordingly, directors and senior management should have reasonable assurance that the system of internal control prevents or detects significant inaccurate, incomplete, or unauthorized transactions; deficiencies in the safeguarding of assets; unreliable financial reporting (which includes regulatory reporting); and deviations from laws, regulations, and the institution’s policies. 
The function of internal audit, then is ultimately to inform the Board, of weaknesses in internal controls and the possibility of regulatory violations. There is a great deal of discussion in this section about the reporting structure for the audit function. Ultimately, the critical point from this section is that whatever reporting structure is developed, the auditor must have the ability to report directly to the audit committee.
We note that in many smaller institutions, the results of audits are read out to business line managers and the final reports are delivered directly to the Board or to the audit committee of the Board. This process often does not allow the auditor in charge to communicate directly with the audit committee. A comprehensive scope should include a comment on the effectiveness of management to carry out their assigned duties. The guidance is specific that in small institutions, the person responsible for testing internal controls should report findings directly to the audit committee. As a best practice, a member of the audit committee should attend the exit meeting and allow the auditor to comment on any concerns that he/she feels should be directly communicated to the Board.
The guidance notes that even in the event that the audit function is completely outsourced, it is still the responsibility of the Board and management to ensure that internal controls are effective. The outsourced agreement should take into account both the current and anticipated business risks of the financial institution.
The guidance details the minimum requirements for an outsourcing agreement, including the limitation that outside auditors must not make management decisions and can only act in the capacity of informing the Board. Once again, the idea that the outside auditor should communicate directly with a representative of the Board is emphasized.
One of the areas of criticism that we are currently seeing is that the internal audit plans do not adequately consider factors that should be part of the risk assessment. Changes in staff, new regulatory requirements, software limitations, overall training and experience of management are all factors that should be considered when developing the internal audit plan. As a best practice, the scope of the audits to be performed by the outsourced auditor should reflect the fact that the Board has considered these factors and included them.
Independence of the Public Accountant
For many financial institutions, the temptation is to use the same accounting firm that prepares financial statements to perform internal audits. This issue presents itself most often with institutions that are over $500 million in assets, because there is a requirement for an independent audit on financial statements by a public accounting firm. Generally, the guidance limits the ability of public accounting firms to also be the outsourced audit firm.
For smaller institutions, there is no prohibition to use public accounting firms, however, the practice is strongly discouraged. In large part, the reason for this is that the firm that prepares the financial statement must be completely independent. The data that is used to prepare financial statements has to be independently verified. When the accounting firm performs both of these functions, the appearance is that independence is lacking. In other words, the firm that is preparing the financial statements of a bank may be auditing its own work.
There are several independent firms that specialize in auditing for financial institutions. These firms tend to provide cost effective and comprehensive alternatives to the public accounting firms.
Guidance for Regulators
The guidance specifies the goal of the examiners review of the internal audit. The examiners are directed to ensure that the audit scope reflects the risk assessment of the institution and the Board has directed the auditor to consider the areas that are the highest risk. The examiners are also directed to review the work papers of the auditor to ensure that they support the findings and conclusions in the audit report. Examiners will also review how findings are communicated to the Board and management. There is an expectation that responses to findings are tracked and monitored.
We have recently noted that the regulators are criticizing Boards for not receiving information about the overall effectiveness of the senior managers that they have employed. Examiners have often been critical when the audit report does not specifically draw a conclusion about the training, effectiveness and capabilities of the senior management in charge of the business line being audited. As we noted, it is a best practice to allow an outlet for the auditor to communicate a conclusion about senior management in the audit process.
In part two, we will discuss best practices for developing the audit scope.
 Comptroller’s Handbook-Internal Control 2001 page 1
Self- Policing- An excellent way to control your own destiny!
So you are the compliance officer and while doing a routine check on disclosures, you notice a huge error that the Bank has been making for the last year. The beads of sweat form on your forehead as you realize that this mistake may impact several hundred customers. Real panic sets in as you start to wonder what to do about the regulators. To tell or not to tell, that is indeed the question!
Many of our clients struggle with the question of what to do when your internal processes discover a problem. We have always believed that the best policy is to inform the regulators of the problem. CFBP Bulletin 2013-06 discusses what it calls “responsible business conduct” and details the grounds for receiving consideration for getting enforcement relief from the CFPB. In this case, “consideration is somewhat vague and it depends on the nature and extent of the violation, but the message is clear. It is far better to self-police and self-report than it is to let the examination team discover a problem.
Why Disclose a Problem if the Regulators Didn’t Discover it?
It is easy to make the case that financial institutions should “let sleeping dogs lay”. After all, if your internal processes have found the issue, the thing is that you can correct it without the examiners ever knowing, move on and everybody is happy. Right? In fact, nothing could be further from the truth. There was a time when the relationship between regulators and the banks they regulate was collegial, but that is most certainly not the case any longer. Part of the process of rehabilitating the image of banks is to ensure that they are being well regulated and that misbehavior in the area of compliance is being addressed.
It is not enough that a bank discovers its own problems and addresses them. In the current environment, there is a premium placed on the idea that a bank has compliance and/or audit systems in place that are extensive enough to find problems, determine the root of the problems and make recommendations for change. An attitude that compliance is important must permeate the organization starting from the top. To impress the regulators that an organization is truly engaged in self-policing, there has to be evidence that senior management has taken the issue seriously and has taken steps to address whatever the concern might be. For example, suppose during a compliance review, the compliance team discovers that commercial lenders are not consistently given a proper ECOA notification. This finding is reported to the Compliance Committee along with a recommendation for training for commercial lending staff. The Compliance Committee accepts the recommendation and tells the Compliance Officer to schedule Reg. B training for commercial lenders. This seems like a reasonable response, right?
This does not rise to the level of self- policing that is discussed in the CFPB memo; a further step is necessary. What is the follow-up from senior management? Will senior management follow up to make sure that the classes have been attended by all commercial lending staff? Will there be consequences for those who do not attend the classes? The answers to these questions will greatly impact the determination of whether there is self-policing that is effective. Ultimately, the goal of a Bank should be to show that the effort at self-policing for compliance is robust and taken seriously at all levels of management. The more the regulators trust the self-policing effort, the more the risk profile of bank decreases and the less likely enforcement action will be imposed.
While at first blush self-reporting seems a lot like punching oneself in the face, this is not the case at all. The over-arching idea from the CFPB guidance is that the more the institution is willing to work with the regulatory agency, the more likely it is that there will be consideration for reduced enforcement action. Compliance failures will eventually be discovered and the more they are self-discovered and reported, the more trust the regulators have in the management of the bank in general and the effectiveness of the compliance program in particular. The key here is to report at the right time. Once the extent of the violation and the cause of it have been determined, the time to report is imminent. While it may seem that the best time to report is when the issue is resolved, this will generally not be the case. In point of fact, the regulators may want to be involved in the correction process. In any event, you don’t want to wait until it seems that discovery of the problem was imminent (e.g. the regulatory examination will start next week!).
It is important to remember here that the reporting should be complete and as early as possible, keeping in mind that you should know the extent and the root cause of the problem. It is also advisable to have a strategy for remediation in place at the time of reporting.
What will your bank do to correct the problem? Has there been research to determine the extent of the problem and how many potential customers have been affected? How did the Bank make sure that whatever the problem is has been stopped and won’t be repeated? What practices, policies and procedures have been changed as a result of the discovery of the problem? These are all questions that the regulators will consider when reviewing efforts at remediation. For instance, if it turns out that the problem has been improperly disclosing transfer taxes, an example of strong mediation would include:
A determination if the problem was systemic or with a particular staff member
A “look back” on loan files for the past 12 months
Reimbursement of all customers who qualify
Documentation of the steps that were taken to verify the problem and the reimbursements
Documentation of the changed policies and procedures to ensure that there is a clear understanding of the requirements of the regulation.
Disciplinary action (if appropriate for affected employees)
A plan for follow-up to ensure that the problem is not re-occurring
Despite the very best effort at self-reporting and mediation, there may still be an investigation by the regulators. If the regulators start to investigate an area that you have already disclosed, such an instance calls for cooperation not hunkering down. The more the bank is forthcoming with the information about its investigation, the more likely that the regulators will determine that there is nothing more for them to do.
At the end of the day, it is always better to self-detect, report and remediate. In doing so you go a long way toward controlling your destiny and reducing punishment!
Customer Complaints are a Part of the Dodd Frank Act:
As many of us are well aware, the Dodd Frank Financial Regulation Act (“Dodd Frank” or the “Act”) introduced sweeping changes to bank regulation. Many provisions of Dodd Frank were implemented immediately and are at this point well known. However, there are several provisions that have either not yet been enacted or are less well known. Among the less well known provisions is section 1034 of the Act. This section directs the Consumer Financial Protection Bureau (“CFPB”) to develop a national complaint system. The system is designed to track both the complaints of consumers that use financial products and the responses of the institutions that offer the products. The compliant system first went live in 2011 when only complaints about credit cards were accepted. Since that time, the CFPB has taken complaints about mortgages, bank accounts and services, private student loans, other consumer loans credit reporting, money transfers, debt collection and payday loans.
Did you know that the complaints that are made against you can be made public? As of July of 2015, not only will complaints be public, but the narrative of the complaint can also be published at the customer’s request! While many of the lobbying groups for banks have found this last part abhorrent, we believe that this practice creates an opportunity for improvement.
The complaint process:
The complaint process is described in the Company Portal Manual that was released by the CFPB in 2011. The basic process is as follows:
Consumer submits a complaint by web, telephone, mail, or fax to the CFPB, or another agency forwards the complaint to the CFPB.
Consumer Response reviews the complaint for completeness and consistency with  our authority and roll out schedule.
Consumer Response forwards the complaint to the company identified by the consumer via the secure company portal (portal). The goal is to route complaints within 24-48 hours of receipt.
Company  reviews the complaint, communicates with consumer as appropriate, and determines its response and any related actions.
Company responds to Consumer Response via the portal.
Consumer Response invites the consumer to review and evaluate the company’s response by logging into the secure consumer portal or calling the CFPB’s toll-free number. 
Consumer Response prioritizes for investigation complaints where the company failed to respond within the requested timeframe or the company’s response is disputed by the consumer
For banks and financial institutions, it is very important to respond in a complete and timely manner to complaints. The CFPB’s system will track complaints and will show response times as past due in the event that a complete response is not received. Make sure that your institutions complaint response policies and procedures are up to date!
When a response is a response
The requirements for a proper response are described in the guidance that was published in June 2013. The guidance notes that is always up to the institution to decide how best to respond to the customer. However, it is clear that any response is expected to be completely documented. For example, if a complaint is about a credit card closing, the documentation that is expected includes the following:
Adverse Action notice, including the reasons for the adverse action *
Date the account was closed
Date the notice was sent to the customer
Whether notice sent by postal mail or electronically
If sent by postal mail, the address to which the statement (or notification, as applicable) was sent
It is likely that a response that does not include all of this information will result in additional inquiries from the CFPB. The more complete the document that is relied upon for the response, the better.
Your Complaint may become public
As of July 2015, the CFPB has decided that the narratives from the customer’s complaints can be made public if the customer consents. Financial institutions can also ask that their responses also be made public. Many groups, including the American Bankers Association, expressed grave concerns about the potential for reputation harm based upon the publication of complaints. Nevertheless, the CFPB determined that the public good was better served by allowing consumers the option to publish their complaints. The possibility that a complaint against your bank may be published means that your procedures for responding are of critical importance. Documentation of the reasons for the response should be complete and accurate. Remember, there will be a possibility that the whole world will see!
Turning a negative into a positive:
The good news in all of this is that one institution’s pain is another’s opportunity for growth! The results of complaints are published on both an annual and a monthly basis. This is YOUR opportunity! Find out what the complaints are and treat each one like an opportunity. If you note that complaints about debt collection are the most prominent, it will be a good idea to review your banks procedures for debt collection. Has your bank incorporated the most recent rules and guidance in this area of your practices? If you are using a vendor, have you completed due diligence of the vendor recently?
The CFPB has made it clear that they are reviewing complaints, compiling the results and directing resources to the areas that experience the highest level of complaints. The complaint system will be a good barometer for determining the areas of emphasis for examinations in the near future.
One of the more difficult tasks that our clients must accomplish is to try to meet the community development and community service tests in the Community reinvestment Act (“CRA”). For many community banks the opportunities to do community service that qualifies under the requirements of the CRA are very limited. The same is true with opportunities to conduct community development activities while staying within ones assessment area. In many cases, the service opportunities have been limited to teaching classes at organizations that serve community needs. Lending and investment opportunities are often “gobbled up” by the large banks in the assessment area, leaving the community banks to scramble to try and comply with the requirements of the regulation.
In November of 2013, the FFIEC announced changes to the Community Reinvestment Act Q & A that have the potential to greatly expand a bank’s ability to meet the tests of CRA while doing CRA activities outside of the assessment area.  In addition, the ability to perform community service has also been expanded. Just remember along with new powers come additional responsibilities and therefore additional risks!
There are actually several changes that were adopted in November, 2013. We are only discussing a few that we believe directly impact compliance with the community development tests for small and intermediate banks. Large Banks are encouraged to read the full text of the changes.
In the past there was wording that suggested that banks could do community development activities outside of the assessment area, the caveat for how these activities might qualify for credit to the bank performing them was unclear. The original Q & A stated the following:
Q&A § .12(h) – 6 stated that examiners would consider such activities if an institution, considering its performance context, had adequately addressed the community development needs of its assessment area(s).
In particular, the language created doubt that activities outside of a defined assessment area would be given credit at all. The agencies first proposed new language that indicated that as long as these activities were performed in a safe and sound manner and weren’t done in lieu of activities within the assessment area, they would be okay. However, because many comments were received  the language was changed. The adopted new language says:
.12(h) – 6 states, with respect to community development activities that are conducted in the broader statewide or regional area that includes the institution’s assessment area(s), that “examiners will consider these activities even if they will not benefit the institution’s assessment area(s), as long as the institution has been responsive to community development needs and opportunities in its assessment area(s).”
The definition of what a broader statewide or regional area was left fairly open to a common sense application. There are not specific guidelines for defining these. It is safe to say that a definition that includes contiguous counties or economic zones that cross state lines (Lake Tahoe in California and Nevada for example) would be an acceptable definition.
Another significant change is the service that can qualify as community service on the part of bank employees. The current Q & A stated that service to a community group was defined as
.12(i) – 3 stated that providing technical assistance to organizations that engage in community development activities (as defined by the regulation) is considered a community development service
For many of our clients this language has been taken to limit the things that bank employees may do to get credit for the community service. The FFIEC clearly wanted to expand that definition and in particular wanted to add that serving on the Board of community service organization can indeed count as community service
.12(i) – 3 to clarify that service on the board of directors of a community development organization is an explicit example of a technical assistance activity that could be provided to community development organizations that would receive consideration as a community development service
The idea here is that the service on the Board of these organizations must be active and not symbolic. In what looked almost like a throw away, the FFIEC also added the following:
In addition, in response to commenters’ suggestions, the Agencies are adding the following example of a technical assistance activity that might be provided to community development organizations: providing services reflecting financial institution employees’ areas of expertise at the institution, such as human resources, information technology, and legal services.
Of course this language greatly expands the sort of services that a bank may provide to community development organizations while meeting the service requirements of the CRA.
Simply put, the more work you do upfront, the more leeway you get! For example, being able to prove that there is broader region that you serve outside of your assessment area and that this region is legitimately economically connected is an important step in being able to perform community development activities out of the assessment area.
The second step is being able to show that the plan for activities allows the bank to serve the needs of the immediate assessment area while expanding.
We believe that for a plan to expand to activities beyond the assessment must be well thought out, and there must be documentation to show that the plan does not ignore low to moderate income groups within the assessment area. However, for banks that do not have these populations directly within the established assessment area, this is a significant opportunity to expand and reach new levels of community development that had heretofore been unattainable.
The key to a successful expansion is being able to document the idea that the Bank understands the credit needs of the people within the established assessment area. In conjunction with understanding those needs the bank must be able to show how their activities meet those needs
 For the full text of the changes see http://www.federalreserve.gov/newsevents/press/bcreg/20130318a.htm
 We continue to remind our clients that the agencies do read and consider comments they receive!