Part One- Change is on the Horizon
In April of 2016, the FFIEC released proposed new guidelines for rating compliance programs at financial institutions. Once these new guidelines are adopted, not only will they represent a strong departure from the current system for rating, they also present a strong opportunity for financial institutions to greatly impact their own compliance destiny. Although these new guidelines have been released with limited fanfare, the change in approach to supervision of financial institutions has been discussed for some time and is noteworthy.
The Current Rating System
The current system for rating compliance at financial institutions was first adopted in 1980. Performance of an institution under the Community Reinvestment Act is evaluated separately and is therefore not considered as part of the compliance examination. Under the current system, compliance is rated on a scale of increasing concern from one to five. An institution with a rating of one has little to no compliance concerns while a five rated institutions has severe concerns and an inoperative compliance system.
Under the current system, the ratings that examiners assign are based upon transaction testing. Examiners would sample a series of transactions and if there were violations of regulations, ratings would be affected. Over the years, several problems were noted with this approach. First, this approach does not take into account the root of the problem. For example, suppose the problem was caused by a form that was not up to date. Suppose further that the problem with the form was it had the wrong address for the regulator of the institution. Using the transaction approach each loan file that contained this disclosure would count as a regulatory violation and the institution would appear to have huge number of violations. In this case, even if the examiners determined this was a technical violation and not serious, the possibility existed the overall rating would have to be a bad one to reflect the number of violations noted.
However, what if in this case, the compliance staff was well aware of the changed address, had performed training and endeavored to change all of the required forms. Unfortunately, one branch or division of the Bank still had old forms and was still using them. It is of course not good that the old forms were still being used, but the finding certainly does not indicate a severe risk at the institution.
A second problem with the current guidelines is that they do not clearly match the risk based approach for examinations that regulators have employed for several years. Each regulator has received the mandate that examinations should be tailored using a risk based approach. The examination should focus on the size, complexity and overall risk portfolio of a financial institution. The compliance examination is supposed to evaluate the effectiveness of overall system that has been employed at an institution. In that regard, each financial institution is unique in the products and services that they offer. For example, a community bank that makes five HMDA reportable loans a year doesn’t have the same compliance needs as an institution that makes five hundred HMDA loans in the same time.
Yet another concern with the current rating system is that it tends to be “one size fits all” and as a result, outcomes are unpredictable. Examiners, for some time have considered compliance systems on a contextual basis. The relative size of an institution, its activity in a given area and the resources realistically available have all been factors examiners consider when assessing a compliance program. Unfortunately, under the current system there is no mechanism to clearly reflect these considerations. In many cases, an overall rating of “two” is assigned to a financial institution followed by a litany of criticism that leaves the reader confused about how the rating was possible.
In the last two years in particular, there has been a push from regulators to encourage “self-policing”, which is the process of self-detecting and correcting compliance problems at institutions. And while there have been supervisory directives that encourage self-policing, the current rating system does not allow this behavior to be properly recognized.
The proposed guidance discusses the key principals of the new ratings system:
“The proposed System is based on a set of key principles. The Agencies agreed that the proposed ratings should be:
- [A]n Incentive for Compliance.
Risk Based: the principal here is that not all compliance systems are the same. They will vary based upon the size, complexity and risk profile of the bank. The examiners will be asked to evaluate the compliance system as it relates to the particular institution that is being reviewed. For example, written procedures that are very general in nature may be appropriate at an institution that has stable staff and experienced little to no turnover. On the other hand, those same procedures may be inadequate at a new and growing institution.
Transparent: The scope of the review and the categories that are being considered should be clear and published. Each institution should be able to understand the rating is based on specific considerations made during the current examination. Past examinations results may or may not be considered; the description of the rating criteria should detail the factors deemed important.
Actionable: The evaluation should include recommendations that address the overall strengths of the compliance program and specific areas that should be enhanced. The idea here is management’s attention should be drawn to specific steps that should be taken to enhance the overall compliance program.
Incent Compliance: The examiners should consider the level to which the institution has instituted a program that self-detects and corrects problems. In this case, remember self-detecting and correcting includes an analysis of the root of the problem and remediation testing before the matter is considered closed.
Under the new rating system, there will still be a “one” through “five”, but the ratings will be given on three distinct components of compliance;
- Board & management Oversight
- The Compliance management program
- Violations of law and Harm to consumers
In part two of this series we will discuss the new ratings and the opportunities this system presents.