Compliance within the financial services industry impacts the entire organization and is key to the bottom line for firms currently operating in the mortgage space. Comprehensive compliance risk management strategies are required to meet compliance obligations and also protect customers, employees and shareholders.
In general, compliance means adherence to a policy, standard, specification, or law. Regulatory compliance further describes the actions of banks and lenders to comply with relevant laws and regulations. It is interesting that the term compliance has synonyms such as docility, obedience, conformity and submission. In contrast, the antonyms include defiance, resistance, and disobedience.
The recent financial crisis, the increase in size and complexity of banks, and the new legislation to protect consumers have resulted in more regulatory oversight. Banks are facing ever-increasing and evolving regulations such as the Card Act, Reg. E., Dodd-Frank, Sarbanes-Oxley, the USA Patriot Act and the Bank Secrecy Act.
Within the compliance area, a consolidated and integrated approach is needed to ensure that all necessary governance requirements are met. With a focus on operational transparency, banks and other financial services organizations are increasingly migrating from the term compliance to the more comprehensive compliance risk management (CRM), not to be confused with customer relationship management.
A recent study found that for the 100 largest banks in the United States, the annual operational cost of compliance including IT support, process support, examination and assessment expenses, and training exceeds $1 billion. And this figure does not include staffing expense for employees who are not dedicated to the compliance function or software capital expenditures.
This paper will highlight key elements of compliance risk management and also identify how the implications of compliance can dramatically impact corporate operations as well as employees.
Community Bank Impact
As you may imagine, smaller banks and financial services providers often struggle with tracking and implementing the multitude of rules and regulations. It can seem like an avalanche of new policies and procedure requirements. Many community banks benefit from an external partner to assist with the identification and interpretation of legislative and compliance changes. Peer groups and technology vendor partners can assist with solutions that address the ever-changing regulatory landscape.
The compliance expense, as a percentage of total assets, is much greater for community banks. A recent study shared that compliance cost as a percentage of bank assets is nearly double at a $5 billion U.S. community bank as compared to a $100 billion U.S. regional bank. However, before you draw the conclusion that bigger is better, be warned. The Federal Reserve System Board of Governors has issued specific requirements for large bank organizations that increase the requirements for compliance regulatory management.
In October 2008, the Federal Reserve issued supervisory letter SR 08-8, often referenced as “S-R-Eight-O-Eight” and entitled “Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles.” This letter clearly outlined a different set of compliance expectations for larger banking organizations.
While there are exceptions, “large banking organizations” as defined by SR 08-8 are typically $50 billion or more in assets with multiple legal entities.
Companywide compliance risk management as reflected in SR 08-8 includes the processes to manage compliance risk across an entire organization’s business lines, support units, legal entities, and jurisdictions. Some areas where a companywide approach is particularly helpful include privacy, fair lending, anti-money laundering, affiliate transactions and conflicts of interest. This is particularly true where legal and regulatory requirements may apply to multiple business lines or legal entities.
The Federal Reserve also provided specific guidance on the management of a CRM program. Specifically, they suggest a formalized compliance program for “identifying, assessing, controlling, measuring, monitoring and reporting compliance risks across the organization and providing compliance training.” Compliance policies and procedures should be documented along with compliance risk management standards.
The board of directors and various executive and management committees provide companywide compliance oversight. A key component of the oversight is a corporate compliance group with responsibility for the implementation of the organization’s CRM program and managing compliance risks across all legal entities and business lines.
Common Compliance Themes
Legislative Compliance Management
To ensure a successful compliance risk management program, financial service providers must first have a comprehensive understanding of the various laws and regulations applicable to their lines of business. This will include federal regulations as well as state-specific requirements.
There are firms that can assist banks and lenders with tracking this information, but having a list of laws is just the beginning. Once the laws are identified, these banks and financial service providers must create a process whereby they will weave new or changing regulations into their compliance management organization for the specific lines of business.
A key element of effective compliance management is to identify the inherent risk associated with regulatory compliance. Typically banks measure this risk by utilizing a comprehensive risk assessment methodology. The risk assessment scope and coverage should be clearly defined, as well as the parameters of the assessment categories.
The calculation of the risk assessment will be compared against the targeted risk ratings. This will help the bank to identify any required corrective actions. Ultimately, the risk assessment methodology provides a way to measure the risk; but it does not in itself alter the risk in any way. Having this process in place can assist in avoiding surprises and identify potential improvement opportunities prior to an audit or examination.
Monitoring and Testing
A rigorous compliance monitoring and testing program will ensure risk mitigation via process controls and monitoring for illegal activities. This will assist financial service providers in adherence to the compliance framework and may also lead to identifying weaknesses and gaps resulting in regulatory violations. Firms will also monitor for illegal activity (such as money laundering) related to any products or services. One regional bank created a department called Compliance Process Certification that conducts specific reviews across the various CRM units to validate compliance adherence.
Staffing and Training
In recent years the need for quality compliance staff members and leaders has grown proportionally with the influx of new regulatory requirements. Banks and other financial service providers are measured not only on the results, but the staff size and experience. Detailed job descriptions outlining the scope and responsibility of each area are crucial along with succession planning. Banks that have key leadership gaps must move quickly to resolve those deficiencies.
Banks must also be nimble with their staff and make appropriate adjustments. For example, one regional bank recently renamed its fair lending team to “fair and responsible banking.” Moreover, this was not a simple name change, but rather a more holistic view of how to do the right thing for the customer every time. Many banks have also begun to seek out noncompliance professionals to assist in certain key areas. They have found those with business line experience, consultants and project managers can add significant value in executing the approved compliance initiatives.
Policies and Procedures
In compliance, there is a policy or procedure for nearly everything. Most firms have a comprehensive compliance policy inventory where they keep track of the various regulations, internal requirements, and the associated policies and procedures. Changes to the policies or procedures will typically require a detailed review and approval process. Some topics require approval directly from the bank board of directors or one of the various operating committees.
Given the ever-changing regulatory landscape, the policy manual is continually being updated. As a result, employee training and communication is crucial so that everyone is aware of the current requirements and how any changes may impact their job responsibilities. Version control is also essential as banks keep detailed records of when various updates are applied and the specific approval processes and authorized sign-offs.
Issues Tracking System
Effective compliance management solutions require a determined way to track all issues. This would include findings from all internal audits, regulatory examinations, and self-identified opportunities for improvement. In addition to tracking the existence of a finding or issue, this tracking system must also be updated on a routine basis to reflect the forward progress on resolution of each item as well as the current status.
The systems and processes vary by organization and there is generally a tiered sign-off process by compliance executives to validate the information. However, compliance professionals must beware, since the output from a system is only as good as the quality of the input provided. The common phrase of “garbage in, garbage out” may apply.
Implications of Noncompliance
Compliance violations or infractions can have significant consequences. Such consequences include the inability to grow through accepting new deposits, acquisitions, or building new branches in desired locations. Additionally, a bank could face regulatory orders (e.g., cease and desist), financial penalties and criminal charges for employees, executives, or directors.
Finally, an impact that is more difficult to measure, but just as powerful, is reputational risk. How will the public perceptions or media coverage of potential infractions impact the bank’s business? Infractions or noncompliance can lead to lack of confidence in an organization and distrust, and can result in lost customers and income as well as impacting future revenue opportunities.
Compliance Best Practices
Find Your Own Weaknesses
Internal auditors and external regulators routinely examine banks and issue reports with their findings. However, waiting on the “report” is often too late. Proactive institutions will conduct CRM self-assessments and leverage the content from their databases of applicable state and federal regulations to identify potential gaps. The analysis and remediation plans can be created and efforts begun immediately to improve compliance adherence.
Comprehensive Compliance Policy Manual
As the required regulations are identified, financial service providers will benefit from the development of a comprehensive compliance policy manual. This will identify the various regulations and requirements and specify how the firm will comply across the enterprise and within the individual business units. This manual will include applicable policies, procedures, guidelines and control processes.
The approval and revision of any compliance-related topics should be carefully documented with appropriate senior management, committee, or board involvement. Also, the policy, procedure, or guideline must clearly communicate the responsibilities and accountabilities necessary to mitigate compliance risk.
Employee Communication and Training
Banks generally develop employee training to educate associates, managers and executives on applicable compliance regulations. Training may be classroom based or independent study, and many banks effectively leverage Web-based delivery solutions. Firms measure the pre-test and the post-test results to identify the lift received as a result of the training and to make sure a minimum threshold is achieved. Banks track the applicable training courses by employee based on their roles and responsibilities. Routine reporting identifies any employees not completing training so managers can follow up as appropriate.
Compliance Assurance Program
A CRM assurance program will provide a coordinated and consolidated approach to findings and recommendations resulting from the internal audits and regulatory examinations across the organization. This program will monitor the bank’s progress on remediation and also provide the necessary tracking and reporting to senior management, board committees and external regulators. By having one unit focus on compliance assurance, the bank can also benefit from potential synergies or overlap among findings. Often one remediation plan will resolve multiple findings across different business units.
By building the appropriate relationships with the regulators, auditors, business leads, and compliance staff, the compliance assurance team can also be involved earlier in the process to assist in the development of the management responses, project timelines and committed deliverables. In some cases this group may also be able to review compliance adherence in advance of the audit or examination and recommend improvements to eliminate potential findings.
At the end of the day, compliance really is everybody’s business. While some may view compliance as the “business prevention” department, in contrast they are in place to help protect the firm and assist the organization in the development and management of solutions to ensure regulatory adherence.
As you consider your organization and compliance risk management strategies you may wish to ask some of the following key questions:
• Is my compliance group appropriately staffed?
• As an organization, are we proactively looking for ways to improve compliance adherence?
• Do we have a compliance assurance program to ensure the consolidated remediation of findings and coordination across the organization?
• Do we have depth in our compliance organization to support staff succession planning?
• What investments can we make in compliance that benefit long-term bank profitability and success?
Many of these questions may be answered internally, while others generally require an external third-party perspective. Leverage consultants and contractors as appropriate to help you reach your goal, but make sure to have the knowledge transfer so your employees can provide ongoing compliance coverage going forward.
If compliance is not a top priority at your firm, are you willing to accept the consequences?
Brian King is president at Wisemar Inc., a management-consulting firm (www.wisemar.com). He can be reached at 704-503-6008.