REQUIRED READING: Compliance within the financial services industry impacts the entire organization. Comprehensive compliance risk management strategies are required to meet compliance obligations and also protect customers, employees and shareholders.
In general, compliance means adherence to a policy, standard, specification or law. Regulatory compliance further describes the actions of banks and lenders to comply with relevant laws and regulations. It is interesting that the term ‘compliance’ has synonyms such as docility, obedience, conformity and submission. In contrast, the antonyms include defiance, resistance and disobedience.
The recent financial crisis, the increase in size and complexity of banks, and the new legislation to protect consumers have resulted in more regulatory oversight. Within the compliance area, a consolidated and integrated approach is needed to ensure that all necessary governance requirements are met. With a focus on operational transparency, financial services organizations are increasingly migrating from the term ‘compliance’ to a more comprehensive ‘compliance risk management’ (CRM) – not to be confused with customer relationship management, which is frequently referred to by the same acronym.
Smaller banks and financial services providers often struggle with tracking and implementing the multitude of rules and regulations. It can seem like an avalanche of new policies and procedure requirements. Many community banks benefit from an external partner to assist with the identification and interpretation of legislative and compliance changes. Peer groups and technology vendor partners can assist with solutions that address the ever-changing regulatory landscape.
The compliance expense, as a percentage of total assets, is much greater for community banks. However, before you draw the conclusion that bigger is better, be warned.
In October 2008, the Federal Reserve issued a supervisory letter entitled ‘Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles.’ This letter – known as SR 08-8 – clearly outlined a different set of compliance expectations for larger banking organizations. While there are exceptions, ‘large banking organizations’ as defined by SR 08-8 are typically $50 billion or more in assets with multiple legal entities.
Firm-wide CRM as reflected in SR 08-8 includes the processes to manage compliance risk across an entire organization's business lines, support units, legal entities and jurisdictions. Some areas where a firm-wide approach is particularly helpful include privacy, fair lending, anti-money laundering, affiliate transactions and conflicts of interest. This is particularly true where legal and regulatory requirements may apply to multiple business lines or legal entities.
The Federal Reserve also provided specific guidance on the management of a CRM program. Specifically, it suggested a formalized compliance program for ‘identifying, assessing, controlling, measuring, monitoring and reporting compliance risks across the organization and providing compliance training.’ Compliance policies and procedures should be documented along with CRM standards.
Oversight for firm-wide compliance is provided by the board of directors and various executive and management committees. A key component of firm-wide compliance oversight is a corporate compliance group with responsibility for the implementation of the organization's firm-wide CRM program and for managing compliance risks across all legal entities and business lines.
There are several common compliance themes that need to be considered. These include the following aspects of CRM:
Legislative compliance management. To ensure a successful CRM program, financial service providers must first have a comprehensive understanding of the various laws and regulations applicable to the companies' lines of business. This will include federal regulations and state-specific requirements.
There are firms that can assist banks and lenders with tracking this information, but having a list of laws is just the beginning. Once the laws are identified, these banks and financial service providers must create a process whereby they will weave new or changing regulations into their compliance management organization for the specific lines of business.
Risk assessments. A key element of effective compliance management is to identify the inherent risk associated with regulatory compliance. Typically, banks measure this risk by utilizing a comprehensive risk assessment methodology. The risk assessment scope and coverage should be clearly defined, as well as the parameters of the assessment categories.
The calculation of the risk assessment will be compared against the targeted risk ratings. This will help the bank identify any required corrective actions. Ultimately, the risk assessment methodology provides a way to measure the risk, but it does not in itself alter the risk in any way. Having this process in place can assist in avoiding surprises and identifying potential improvement opportunities prior to an audit or examination.
Monitoring and testing. A rigorous compliance monitoring and testing program will ensure risk mitigation via process controls and monitoring for illegal activities. This will assist financial service providers in adherence to the compliance framework and may also lead to identifying weaknesses and gaps resulting in regulatory violations.
Firms will also monitor for illegal activity related to any products or services. One regional bank created a department called Compliance Process Certification that conducts specific reviews across the various CRM units to validate compliance adherence.
Staffing and training. In recent years, the need for quality compliance staff members and leaders has grown proportionally with the influx of new regulatory requirements. Banks and other financial service providers are measured not only on their results, but also on their staff size and experience. Detailed job descriptions outlining the scope and responsibility of each area are crucial, along with succession planning.
Lenders must also be nimble with their staff and make appropriate adjustments. For example, one regional bank recently renamed its ‘Fair Lending’ team to ‘Fair and Responsible Banking.’ Moreover, this was not a simple name change, but rather a more holistic view of how to do the right thing for the customer every time.
Policies and procedures. In compliance, there is a policy or procedure for nearly everything. Most firms have a comprehensive compliance policy inventory where they keep track of the various regulations, internal requirements and the associated policies and procedures.
Changes to the policies or procedures will typically require a detailed review and approval process. Some topics require approval directly from the bank's board of directors or one of the various operating committees.
Given the ever-changing regulatory landscape, the policy manual is continually being updated. As a result, employee training and communication are crucial so that everyone is aware of the current requirements and how any changes may impact job responsibilities. Version control is also essential as banks keep detailed records of when various updates are applied and the specific approval processes and authorized sign-offs.
Issues tracking system. Effective compliance management solutions require a determined way to track all issues. This would include findings from all internal audits, regulatory examinations and self-identified opportunities for improvement. In addition to tracking the existence of a finding or issue, this tracking system must also be updated on a routine basis to reflect the forward progress on resolution of each item as well as the current status.
The systems and processes vary by organization, and there is generally a tiered sign-off process by compliance executives to validate the information. However, compliance professionals must beware, since the output from a system is only as good as the quality of the input provided. The common phrase ‘garbage in, garbage out’ may apply.
Implications of noncompliance
Compliance violations or infractions can have significant consequences. Such consequences include the inability to grow through accepting new deposits, making acquisitions or building new branches in desired locations. Additionally, a lender could face regulatory orders (e.g., cease and desist), financial penalties and criminal charges for employees, executives or directors.
Finally, an impact that is more difficult to measure – but just as powerful – is reputational risk. How will the public perceptions or media coverage of potential infractions impact the bank's business? Infractions or noncompliance can lead to the lack of confidence in an organization, resulting in lost customers and income as well as impacting future revenue opportunities.
Thus, it is essential for financial institutions to find the weaknesses within their organization before a regulator gets there first. Internal auditors and external regulators routinely examine banks and issue reports with their findings.
Waiting on the ‘report’ is too late. Proactive institutions will conduct CRM self-assessments and leverage the content from their database of applicable state and federal regulations to identify potential gaps. The analysis and remediation plans can be created and efforts begun immediately to improve compliance adherence.
As the required regulations are identified, financial service providers will benefit from the development of a comprehensive compliance policy manual. This will identify the various regulations and requirements and specify how the firm will comply across the enterprise and within the individual business units. This manual will include applicable policies, procedures, guidelines and control processes.
The approval and revision of any compliance-related topic should be carefully documented with appropriate senior management, committee or board involvement. The policy, procedure or guideline must clearly communicate the responsibilities and accountabilities necessary to mitigate compliance risk.
Financial services companies generally develop employee training to educate associates, managers and executives on applicable compliance regulations. Training may be based in a classroom or implemented as independent study, and many banks effectively leverage Web-based delivery solutions. Firms measure the pre-test and the post-test results to identify the lift received as a result of the training and to make sure a minimum threshold is achieved.
Lenders can track the applicable training courses based on each employee's roles and responsibilities. Routine reporting identifies any employees not completing training so that managers can follow up as appropriate.
A CRM assurance program will provide a coordinated and consolidated approach to findings and recommendations resulting from the internal audits and regulatory examinations across the organization. This program will monitor the lender's progress on remediation and also provide the necessary tracking and reporting to senior management, board committees and external regulators.
By having one unit focus on compliance assurance, the lender can also benefit from potential synergies or overlap among findings. Often, one remediation plan will resolve multiple findings across different business units. At the end of the day, compliance really is everybody's business.
Brian King is president of Wisemar Inc., based in Charlotte, N.C. He can be reached at (704) 503-6008.