What to do When the Regulators Have a Finding

What to do when the regulators have a finding


If you are or have been in the compliance arena you are familiar with this scenario; The examiners have just come to your office with a most somber countenance.   They are here to report a significant finding that has resulted from their review.  You have several options, you can:

  1. Hide under your desk and hope they go away
  2. Engage in histrionics and accuse them of picking on your bank
  3. Threaten to sue
  4. Listen closely to what they are saying and ask a series of questions that will allow you to deal with the finding in an effective manner

The fact is that findings happen!  The fact also is that there are findings and there are FINDINGS!   The way you deal with each of these will greatly impact your compliance life.    There are a number of critical steps that your institution can take that will allow your response to have the greatest impact.

Step One- What, Exactly is the Finding? 

It is critical to find out all you can from the examiner when they are presenting the finding.  In many cases, findings are the result of a miscommunication or misunderstanding of questions being asked.   For example, at one bank, an examiner asked where flood insurance policies are stored and was told they are kept in the loan file.   However, the person who gave this answer was unaware that the procedure had been changed and flood loan policies were now kept in a different place.  In this case, the examiners originally were ready to cite the bank for several violations of the flood rules because the information in the loan files was stale.  It is very important to determine form the outset the exact nature of the violation being cited.

Along these lines, it is important determine the specific regulation, guidance or rule that has been violated.  By going to the source of the regulatory requirement, you can get the clearest picture.   As part of this process, it is also useful to get an understanding of whether or not the rule in question is new or has been around for some time.  While it is generally true that the older the rule, the bigger the concern that is being cited as a finding, there are circumstances where this may not be the case.   For example, a reinterpretation of a rule has the same impact as a new rule.   There are sometimes areas that receive new or increased focus.  For example, the requirement that a flood insurance customer receive notice of being a flood area every time a loan is modified, is a requirement that has recently received greater attention, even though the requirement has been in place for many years.

The source of the finding can be a critical consideration when determining the level of enforcement action.

Even though it is understandable, we recommend that your never use the “I was never cited for this before” answer.    You drive faster than the speed limit on the freeway on a regular basis.  This doesn’t mean that it is okay and you would try that answer with a highway patrolman!

At the end of the day, make sure that you can explain the violation to someone else as a test to ensure that you understand the issue.

Step Two- Why did this Happen? 

A frequent mistake that institutions make is to simply fix the problem that is cited in the regulation – i.e., missing disclosures; we will simply start making the disclosures going forward.  The problem with this approach is that it is simply a bandage.  It doesn’t necessarily address the real concern that may have caused the finding in the first place.   The next step in managing a finding is getting to the root of the problem that caused it.

There are several questions to ask when determining the root cause of a finding.  Was it a training issue or were policies and procedures outdated and inefficient?  One the most important questions to ask is whether or not the problem is systemic or limited to an individual staff member or business line.  Is the root of the problem that we don’t understand what the regulation is asking or is it more the case that training needs to be reinforced?    Determining the root cause of a finding allows the institution to frame the magnitude of the issue and to build a response that is appropriate.

Step Three- Is this indicative of a bigger problem?

Once the root cause of a finding has been determined, it is necessary to determine if the findings are an indication of a much bigger problem.   There are as many reasons that findings occur as there are findings.  However, some reasons are indicative of a much larger problem.  For example, if the root cause of the problem is that the institutions was simply unaware of changes to the regulation, there is a fundamental flaw in the overall compliance management program.  This does not mean that your compliance staff is incompetent.  There are many regulations that are coming at financial institutions on a regular basis.  There have to be sufficient resources to ensure that the changes in regulations are communicated and necessary procedures implemented.

In the alternative, perhaps the issue is one of training.  Many institutions use online training programs.  These programs are a cost effective means to training staff and are widely accepted by regulators.   There are however, times when the on-line training may not be sufficient.  In many cases, the opportunity to receive in person training that details the history and goals of a regulation is the best most effective way to reduce findings and violations.

The compliance examination of your institution is ultimately a test of the effectiveness of the compliance management program.   The role of the program at its core should be to identify and to mitigate risks.  If the system that you have developed is not capable of performing this function effectively, findings are indicative of a much bigger problem.

Step Four – Communicating

It is important to communicate the finding(s) to senior management and the Board so that they are fully informed.   As a best practice, the root cause and the proposed solution should be communicated simultaneously.  Communicating the understanding of the finding as well as the plan for fixing the problem is an excellent way to demonstrate to the regulators that you understand the breadth and depth of the concern.  The relationship built on trust and communication will go a long way where there are severe findings. especially if the findings are servere.

Step Five – Find out as soon as you can what the regulatory implications will be

As we noted earlier, there are findings and there are FINDINGS!  In some cases, the finding can simply be a matter of a small correction.  In other cases, the examiner many find that a pattern and practice of violations exists.  In these cases, the examiner can recommend enforcement actions up to and including civil money penalties.    For example, it is critical to find out from the examiners whether or not they will consider a finding a repeat finding.  Repeat findings are an indication of general weakness in the compliance program and are always considered grave, no matter the area of the finding.  In this way, a minor or technical finding can become a matter requiring attention or even the basis for a supervisory letter.   The regulatory implications of the finding must also be communicated to senior management.

Suppose you Don’t Agree

We are aware that many financial institutions either don’t agree or that have misgivings about a finding, but go along to get along.  While this practice may seem to make life easier, it is not actually the most prudent path to take.   ASK for clarification– this is not to be argumentative, but without doing so, you can lock yourself into an untenable position.  In the event that the examiner may be asking something of the institution that is infeasible (e.g. acquiring a new software program).  This is also why it is important to understand the source of the finding- if it is an interpretation or the regulation, there is likely to be a change in the next examination; different examination teams have different interpretations of the regulation.  Ultimately, a forceful yet respectful disagreement is a good thing and is respected by the regulators.

All of the regulators have a system in place to allow for appeals of decisions in those instances where both parties may agree to disagree.

Pick Your Battles

Remember that the compliance review is ultimately an analysis of the compliance management program.  Individual findings do not necessarily indicate a fundamental weakness of the CMP.  Make sure that you keep the difference between findings and FINDINGS in mind.


No tags No Comments
Facebook Twitter LinkedIn Google+ Addthis

Add Your Comment

Your Partner in Balancing Compliance