Performing a Risk Assessment of Your Compliance Program
Many of our clients have heard of enterprise-wide risk assessments and the need to develop risk assessments for various areas of operations of their respective banks. However, one of the areas that we find often gets overlooked is the Compliance Management program itself. It is our opinion that right now is the time for our clients to perform a risk assessment of Compliance Management. Moreover, in doing so, we suggest that the risk assessment take an entirely different approach than in the past.
Traditional Approach
The tried and true approach to assessing the effectiveness of a Compliance Management program is to review the traditional pillars:
a. Policies and procedures – policies established by the Board and procedures written by senior management to implement the policies.
b. Management information systems and reporting – a system or series of reports that adequately detail the operations of the Bank and allow staff to accurately report to the Board.
c. Audit – this includes both internal controls and an independent review of the performance of the bank's staff vis-à-vis the requirements of the applicable regulations and bank policies.
d. Training – ongoing training of the Board, management and staff.
The traditional risk assessment would determine that policies and procedures are in place, that reports are accurate and sufficient, that audits are performed by independent firms, and that training is generally done by a combination of online classes and the occasional conference or outside training class.
While it is tried and true to look at these areas when doing a risk assessment, we submit to our clients that assessing risk in your compliance program is a whole new ball of wax! This will be particularly true in 2014 and beyond, as a number of new regulations will begin to affect the banking industry.
New regulations and new approaches from the regulators
The development of the CFPB means that there are new ways that regulators are looking at the vast body of regulations that cover banking. For example, UDAAP claims can be brought in areas ranging from advertising to flood insurance. [1] In addition, it is clear that the regulators are also looking to ensure that financial institutions are watching their vendors and consultants. For example, the CFPB has issued direct guidance about indirect auto financing and its impact on Fair Lending examinations.
Another area that will receive close and direct scrutiny is the area of customer complaints. It is clear that the regulators now expect that banks will do more than simply resolve complaints and keep track of them on a log. The expectation is that the types of complaints being received will be compiled and sorted and then reported to the Board. The manner in which complaints are resolved and reported to the Board is being considered by examiners. As many banks participate in social media, complaints can now come from various and sometimes unexpected places.
Overall, there is a whole new universe of expectations in the compliance area, even for community banks. While the CFPB deals directly with the large mega banks, it is clear that it will provide the template for regulators at all financial institutions.
Exempt Today does not mean Exempt Tomorrow
While many of the CFPB regulations have carve-outs and safe harbors for smaller banks, they also have triggers that kick in, and these triggers must be monitored. A prime example of a regulation with triggers is the ability-to-repay rule. Generally these rules allow a safe harbor for qualified mortgages that are not higher-priced. However, in the current environment, it is easily conceivable that higher-priced mortgages [2] will creep into your bank's portfolio. It is not enough to look at the regulation, decide that your bank is exempt, and move on until the next audit. Today's Compliance Program has to be nimble and dynamic. There must be a process to determine whether or not regulatory requirements have been triggered and whether new procedures should be implemented.
Dynamic Risk Assessment
For community banks, not only does the possibility of new regulatory requirements exist, but also new takes on established regulations. UDAAP and the Fair Lending regulations have become an area of emphasis for regulators. While both of these areas have been a part of the compliance world for some time, there is a new and different take on how these rules apply. Fair Lending has been expanded to include the activity of vendors. This is clear both from the CFPB guidance on debt collection previously mentioned and from a renewed emphasis on vendor management generally in examinations. Do you test the results that you are getting on appraisals to ensure that the results don't present a fair lending issue? Are there prohibited phrases buried in appraisals? You will be held responsible if there are, even if you are unaware! UDAAP can be raised in a number of different ways, from advertising inconsistency to debt collection practices.
The application of regulations to community banks is dynamic, and so the risk assessment of compliance must be dynamic as well.
Some Light at the End of the Tunnel
The CFPB has released guidance that states that the more you self-identify and correct, the better for you! [3] This is clearly not a carte blanche to reveal all violations and expect that there will be no enforcement actions. It does indicate that the more you can show that your Compliance Program has the ability to sniff out trouble, coupled with the ability to effect change, the less likely it is that the examiners will recommend enforcement action. Put another way, the more that you can find problems, determine the source of the problem and fix the problem, the longer it might be between examinations. The implication of this guidance is that your compliance program has to be ready to take on changes in the regulations, changes in the bank's overall operations and changes in the banking universe in real time, and to address any problems found.
Does your program have the ability to assess risk and determine mitigation?
Do you have the ability and "bandwidth" to perform a risk assessment of your Compliance Program? Even for a small community bank, the risk assessment should be updated at a minimum semi-annually.
A review of regulations that potentially impact the bank, and what to look out for, should be included in the risk assessment. It is critical that the Compliance role at banks become proactive and be involved in all areas of operations at the bank. For example, the compliance department should be part of the vendor management program as well as the product development process.
The Compliance program has to begin to do more than look at what the current compliance situation is; it also has to be able to project future concerns or questions that must be answered. Therefore, the Compliance program should also consider the strategic plan and trends within the bank's assessment area.
Why not perform a Compliance Risk Assessment?
[1] The CFPB issued guidance on the collection of debts and UDAAP in July 2013.
[2] Higher-priced. Qualified Mortgages under the General and Temporary definitions are considered higher-priced if they have an APR that exceeds the APOR by 1.5 percentage points or more for first-lien loans and 3.5 percentage points or more for subordinate-lien loans.
[3] CFPB Bulletin 2013-06.