Outsourcing Compliance-A Frank Discussion

VCM is a company that specializes in outsourcing compliance.  We understand that this concept can, quite frankly be confusing and in the case of the incumbent compliance officer, frightening!    We would like the opportunity to address some of the misconceptions and concerns associated with this field. 

 

1.       What is outsourcing? 

a.       The truth is that outsourcing is different things to different companies.  In our view outsourcing means reducing stress!  Our firm is designed to support banks existing compliance function.  Many of our banks consider themselves “business banks” that do very limited consumer lending.  As a result, the compliance program gets little attention and few resources.   That is where VCM comes in.  We have a staff of compliance experts who have the training, experience and knowledge of the laws and regulations that apply to your bank.   We work directly with lending and operations staff at our banks to make sure their BSA and compliance programs are up to date.

2.       Won’t VCM help the Bank get rid of my job?

a.       We do exactly the opposite.  Our goal is to use our resources to augment the resources at our banks.  We take pride in making our clients CMP and BSA programs strong.

3.       What if we only need occasional help with compliance issues?

a.       In our opinion, it is extremely rare that only occasional help is needed.  The issues that lead to our clients contacting us almost always are part of a larger concern with at least one portion of the overall compliance program.  We find that the more inexpensive and most efficient route is to allow for a complete outsourcing program to review all areas of the compliance program and to implement changes to strengthen compliance. 

4.       Wouldn’t it be cheaper to hire a compliance officer?

a.       Not at all!  Really good compliance officers are really hard to come by!  To be an excellent compliance officer, one most have hours and hours of experience, training and certifications.  In addition, with the myriad changes in laws and regulations, a good compliance officer must receive hours of training on an annual basis.  With outsourcing, the Bank can leverage the skill and experience of the incumbent officer with the additional training and experience that we provide.  

5.       Specifically what comes with the VCM outsourcing package?   

·        Risk Assessment: The way that we support our clients is multifaceted.  We provide an annual risk assessment that is designed to identify overall risk at the Bank and the manner in which compliance risk is a factor in overall risk.   We the design our approach to fit the unique needs of our client.  

·        Policies and Procedures:  we review all relevant policies and procedures to make sure they are up to date, comprehensive and relevant to overall risk and level of operations at the Bank.  

·        Forms and Checklists:  using the experience of staff, we develop, as necessary forms and checklist that assist bank staff in maintaining compliance.  

·        Ongoing Assistance:  Through of ‘hotline” we are available to answer questions as they arise on an ongoing basis.    All questions receive a 48 turnaround for answers.  

·        Quarterly Quality Control Review: We conduct transaction testing of a sample of accounts to determine the level of compliance with applicable regulations and Bank policies and procedures   

6.       Once we have a good compliance program in place, why would we need to keep VCM?  

a.       A strong compliance program relies on several factors.  These factors are known as the pillars.  The components of a strong program include

                                                               i.      Policies and procedures;

                                                             ii.      Training;

                                                            iii.      Management Information;

                                                           iv.      Independent audit;

VCM assist with each of these.  We review the policies that are in place and make sure that they are up to date and are approved by the Board on a timely annual basis.  We do the same with the procedures that have been designed to implement the policies.  We provide training on an on-going basis.  Through our quarterly quality control checks, we provide management with information on the level of compliance with policies and procedures. 

7.       How can I find out more? 

a.       This is the easiest question of all!  Please feel free to contact us at www.VCM4you.com  or at 510-583-0124. 

Risk Assessments at Small Community Banks

The enterprise wide risk assessment has become an important tool at large complex banks.  Every year risk managers are tasked with developing a wide ranging assessment of the overall risk at the bank and the mitigation in place to address this risk. They us sophisticated modeling tools and expensive software to help with the development of these behemoths.   But what about a small bank?  Isn’t the overall level of risk evident? Why should a small $300 million bank take the time?  In our opinion, no Bank is too small to need a complete risk assessment  

What is a Bank Risk Assessment? 

In large part, the question of whether or not to perform a risk assessment becomes more pressing depending on how one defines a risk assessment.  A risk assessment is defined in Investopedia as “ 

“The process of identification, analysis and either acceptance or mitigation of uncertainty in investment decision-making. Essentially, risk management occurs anytime an investor or fund manager analyzes and attempts to quantify the potential for losses in an investment and then takes the appropriate action (or inaction) given their investment objectives and risk tolerance. Inadequate risk management can result in severe consequences for companies as well as individuals. For example, the recession that began in 2008 was largely caused by the loose credit risk management of financial firms.”  

We believe that this definition means that risk assessments should be performed by all financial institutions.  The risk assessment is the Bank’s opportunity to establish the level of appetite for risk.  In doing so the Board establishes the limits of how must risk it is willing to take to reach its overall strategic goals.   Put another way a risk assessment at a small bank is an excellent opportunity for the bank to take stock of what it is doing and where it is going! In completing an effective risk assessment the Bank has the opportunity to look at the skill and experience level of staff, the training available, the current IT systems in place and to weigh all these against the lending opportunities at the Bank.   

 Risk Assessment versus Strategic Planning

A risk assessment is different from a strategic plan in that the strategic plan looks to find opportunities available to a financial institution and how best to exploit those opportunities.  The risk assessments looks at the opportunities juxtaposed the inherent risk at the financial institution.  Put another way, there may a great number of opportunities available in auto lending, but these opportunities can only result in profits, if the Bank has the proper infrastructure to exploit the opportunity.   The risk assessment allows the bank to take complete and honest stock of its abilities, capabilities and limitations.  Does the bank have the software, the knowledge and the staff that are capable of making all of the required disclosures?  Without these, the opportunity that seemed like such a good idea can become nightmare of regulatory enforcement actions!  

Finding Hidden Risk

For smaller banks, the greatest areas of risk are often unrecognized.  With smaller levels of capital and limited assets, the smaller bank has a thin margin for error.  One or two big loans that become nonperforming can create capital and other operating concerns.   There have been myriad changes in the regulations that apply to banks in the areas of consumer lending, BSA/AML and Fair Lending to name a few.  For those banks that consider themselves business lenders, the fact that many of these regulations blend over into commercial lending can come as quite a shock.  By performing a risk assessment that considers which regulations apply to the Bank and the staff’s overall familiarity with necessary steps for compliance can save  the institution a great deal of embarrassment and money!  

The risk assessment gives the Bank an opportunity to research the ways to disburse risk, take full advantage of opportunities that exist in the assessment area and to establish a framework to make the strategic plan, one that will help the Bank grow safely and within its own capabilities.  

Each Risk Assessment is Unique.

Jon Danielsson, the director of the Systemic Risk Centre at the London School of Economics notes that: 

“If the authorities pick one modeling approach over another, they may just as easily be backing the wrong horse, a model that is less accurate, affording financial institutions and the financial system less protection in the future. For this reason, it is generally better for financial institutions to develop their own models internally”

Source:  Inconsistent Risk Assessment by Banks Isn't That Bad- John Carney CNBC

Each Bank has its own characteristics that make it unique.  Everything from the make-up of the Board, the experience and skill of the staff, the relationship with the local community must be consider in its proper place as part of a complete and effective risk assessment.    We believe that in considering all aspects of a Bank’s operation, the Bank can truly “know itself”.  

Combining Compliance with Overall Governance-Just being a “commercial bank” won’t get you off the Hook!  

Like many credit officers around the country, you have been reading with some amusement about the Consumer Financial Protection Bureau (“CFPB”) and how it has begun imposing regulations on those poor banks that make consumer loans.  You chuckle as you say to yourself that at your bank we don’t plan on doing any of “those” types of loans.  You know, “those” consumer loans!  Too much trouble, too many regulations and not enough return.  So, you conclude, we won’t do any consumer loans and therefore, we don’t have to worry about this stuff…right?  Well, that may not be the case at all!    

There are areas where compliance and commercial lending do intersect.   Although commercial loans are generally not covered by consumer compliance regulations, there are certain points where these regulations and commercial lending do intersect.  Included in these areas is the Equal Credit Opportunity Act (Reg. B), Fair Lending Laws & Regulations and the Unfair, Deceptive or Abusive Acts or Practices (“UDAAP”) regulations.  Violations of any these regulations can lead to enforcement action ranging from memorandums of understanding up to and including civil money penalties if the regulators determine that a pattern or practice of violations exists. 

Remember that Reg. B applies its ECOA notification and 30 day limits for credit notices to all loans.  The commercial lending process can and often does cross into the area of fair lending when properties have residential units attached.  The Community Reinvestment Act is still in effect along with its requirements for lending to small business and within assessment areas.  There is always RESPA and HMDA to consider.  The point is that there is no such thing as a bank that has NO connection with compliance laws & regulations.  

Incorporating Compliance

It is understandable that the first reaction to new regulations is something akin to “why not pick on the big banks and leave us alone!” And while that is an excellent point, the fact of the matter is that the age of the CFPB is here, like it or not.  The real question is what is the best way to respond?  There are a few steps that you can take to make life easier:  

1.       Accept that the fact that changes are coming and will be a part of your lending life.  The CFPB is not going away and their influence on the regulatory agencies will continue to grow. Some of the changes will be mild while other will be onerous. Regardless, your bank will be expected to comply.  There are definitely times to stand and fight, but you must pick your battles wisely.  Rather than resist, look for ways to build compliance into the overall lending and credit process as your first instinct.  For example, requiring CRA information or tracking compliance with Reg. B can often times be built in to the credit approval process.   

2.       Read up on those changes.  There is a great deal of information available on the internet that does  an excellent job of summarizing what changes are being contemplated and what changes are imminent.  One good free site to subscribe to is http://regreformtracker.aba.com. 

3.       Comment and be a part of the changes that are actually implemented.  Almost all regulations and rule changes announce a public comment period where the general public is asked for thoughtful commentary on the rules being contemplated.  Very often these calls go unanswered or receive limited answers.  However, the regulators actually do read these comments and do a good job of considering the arguments they advance.  These comments really do help to shape the scope and application of the regulations.  A really good example of this can be found in the 2011 Interagency Questions and Answers on Flood Insurance. [1] One of the more vexing questions on how to determine the insurance value of commercial property has been directly impacted by public comments.   

4.       Start planning early.  Once you become aware that changes are coming, planning should take place immediately.  Many banks get caught attempting to come into compliance at the last minute when it is clear that changes will impact the overall loan process.  There is no time like the present to get ready! 

5.       Prepare your staff for the changes.  Find out as much as you can about why the regulation is being imposed and what it hopes to accomplish- the more people understand about WHY, they will remember to do!   Incorporate the “why are we doing this” question into the training that is provided to staff.

6.       Incorporate compliance into all that you do. No need to fight it!  Embrace it!  

Compliance is a part of banking and will be a part of banking.  So embrace your inner compliance officer! 

---

[1] http://www.fema.gov/library/viewRecord