Compliance Risk Management Strategies
Compliance within the financial services industry impacts the entire organization and is key to the bottom line for firms currently operating in the mortgage space. Comprehensive compliance risk management strategies are required to meet compliance obligations and also protect customers, employees and shareholders.
In general, compliance means adherence to a policy, standard, specification, or law. Regulatory compliance further describes the actions of banks and lenders to comply with relevant laws and regulations. It is interesting that the term compliance has synonyms such as docility, obedience, conformity and submission. In contrast, the antonyms include defiance, resistance, and disobedience.
The recent financial crisis, the increase in size and complexity of banks, and the new legislation to protect consumers have resulted in more regulatory oversight. Banks are facing ever-increasing and evolving regulations such as the Card Act, Reg. E., Dodd-Frank, Sarbanes-Oxley, the USA Patriot Act and the Bank Secrecy Act.
Within the compliance area, a consolidated and integrated approach is needed to ensure that all necessary governance requirements are met. With a focus on operational transparency, banks and other financial services organizations are increasingly migrating from the term compliance to a more comprehensive compliance risk management, not to be confused with customer relationship management.
A recent study found that for the 100 largest banks in the United States, the annual operational cost of compliance including IT support, process support, examination and assessment expenses, and training exceeds $1 billion. And this figure does not include staffing expense for employees who are not dedicated to the compliance function or software capital expenditures.
This paper will highlight key elements of compliance risk management and also identify how the implications of compliance can dramatically impact corporate operations as well as employees.
Community Bank Impact
As you may imagine, smaller banks and financial services providers often struggle with tracking and implementing the multitude of rules and regulations. It can seem like an avalanche of new policies and procedure requirements. Many community banks benefit from an external partner to assist with the identification and interpretation of legislative and compliance changes. Peer groups and technology vendor partners can assist with solutions that address the ever-changing regulatory landscape.
The compliance expense, as a percentage of total assets, is much greater for community banks. A recent study shared that compliance cost as a percentage of bank assets is nearly double at a $5 billion U.S. community bank as compared to a $100 billion U.S. regional bank. However, before you draw the conclusion that bigger is better, be warned. The Federal Reserve System Board of Governors has issued specific requirements for large bank organizations that increase the requirements for compliance regulatory management.
Often referenced as S-R-Eight-O-Eight, in October 2008, the Federal Reserve issued this supervisory letter entitled “Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles.” This letter clearly outlined a different set of compliance expectations for larger banking organizations.
While there are exceptions, “large banking organizations” as defined by SR 08-8 are typically $50 billion or more in assets with multiple legal entities.
Companywide compliance risk management as reflected in SR 08-8 includes the processes to manage compliance risk across an entire organization’s business lines, support units, legal entities, and jurisdictions. Some areas where a companywide approach is particularly helpful include privacy, fair lending, anti-money laundering, affiliate transactions and conflicts of interest. This is particularly true where legal and regulatory requirements may apply to multiple business lines or legal entities.
The Federal Reserve also provided specific guidance on the management of a CRM program. Specifically, they suggest a formalized compliance program for “identifying, assessing, controlling, measuring, monitoring and reporting compliance risks across the organization and providing compliance training.” Compliance policies and procedures should be documented along with compliance risk management standards.
The board of directors and various executive and management committees provide companywide compliance oversight. A key component of the oversight is a corporate compliance group with responsibility for the implementation of the organization’s CRM program and managing compliance risks across all legal entities and business lines.
Common Compliance Themes
Legislative Compliance Management
To ensure a successful compliance risk management program, financial service providers must first have a comprehensive understanding of the various laws and regulations applicable to its lines of business. This will include federal regulations as well as state specific requirements.
There are firms that can assist banks and lenders with tracking this information, but having a list of laws is just the beginning. Once the laws are identified, these banks and financial service providers must create a process whereby they will weave new or changing regulations into their compliance management organization for the specific lines of business.
A key element of effective compliance management is to identify the inherent risk associated with regulatory compliance. Typically banks measure this risk by utilizing a comprehensive risk assessment methodology. The risk assessment scope and coverage should be clearly defined, as well as the parameters of the assessment categories.
The calculation of the risk assessment will be compared against the targeted risk ratings. This will help the bank to identify any required corrective actions. Ultimately, the risk assessment methodology provides a way to measure the risk; but it does not in itself alter the risk in any way. Having this process in place can assist in avoiding surprises and identify potential improvement opportunities prior to an audit or examination.
Monitoring and Testing
A rigorous compliance monitoring and testing program will ensure risk mitigation via process controls and monitoring for illegal activities. This will assist financial service providers in adherence to the compliance framework and may also lead to identifying weaknesses and gaps resulting in regulatory violations. Firms will also monitor for illegal (such as money laundering) activity related to any products or services. One regional bank created a department called Compliance Process Certification that conducts specific reviews across the various CRM units to validate compliance adherence.
Staffing and Training