Sunday, February 22, 2015

The Case for Three Lines of Compliance Defense at Community Banks - A Two-Part Series
Part One – The Three Lines of Defense Framework
In late 2014, the Office of the Comptroller of the Currency (“OCC”) published its “Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches”. This document requires large banks to establish and implement a risk management framework. The framework must cover, at a minimum, credit, interest rate, liquidity, price, operational, compliance, reputation, and strategic risk. The guidance goes on to establish several other requirements and documents that large banks have to produce, and describes the ongoing expectations for Board members of these banks. The Federal Reserve and the CFPB have both published similar guidance. All of this guidance is ostensibly directed at larger banks.
The guidance details the components and responsibilities of risk and compliance programs, which includes three lines of defense.  All three are specifically defined in the guidance.  The three lines are:
    1. The heads of the business units. [1]
    2. Independent risk monitoring. [2]
    3. Independent auditing. [3]
While one could dismiss this guidance because it applies to large banks, it is clear that a great deal of the regulatory guidance that is first directed at large banks is eventually applied to community banks. Moreover, as one reviews the principles of the guidance, there are sound reasons for a community bank to consider implementing a program similar to the one discussed. We believe that community banks should use this guidance to rethink their approach to compliance.
 
The structure of the risk program described in the guidance is likely more extensive than a community bank might be able to implement. However, the basic principles described in this guidance point the way toward developing a compliance management system for 2015 and beyond.
 
The main theme of the guidance published by all three agencies is very similar: to develop a strong and effective compliance management system, a financial institution should develop a risk governance program that incorporates compliance into the overall operation of the bank. In other words, for large banks risk and compliance are simultaneous and seamless. There is no reason that this should not be the same for community banks. Unfortunately, for most community banks, the compliance officer has been the first, middle and last line of defense when it comes to compliance. Among the traditional tasks for a compliance officer are writing policies and procedures, attending to training and preparing compliance reports such as the HMDA LAR. In many community banks, the sheer volume of regulatory changes has made the multiple roles of the compliance officer untenable. Often the practice is to try to address the perceived highest levels of risk and to put the rest of the tasks off until later. We have seen cases of policies and procedures that are past due, compliance reviews that have been left uncompleted, or audit findings that have not been addressed. These conditions are generally the result of insufficient resources in the compliance unit.
Using the three lines of defense approach to compliance and risk management at a community bank may present the opportunity to redeploy staff to higher levels of efficiency. For example, consider the possibility that business unit heads are charged with maintaining day-to-day compliance. This would necessitate working with the compliance officer to develop procedures, checklists and quality control testing. Simultaneously, the compliance officer would be asked to work directly with business heads to monitor and measure the level of risk within the business units. These roles may be non-traditional at a community bank, but they are essential to a “state of the art” compliance management system.
The 2005 paper by the Basel Committee on Banking Supervision entitled “Compliance and the compliance function in banks” discusses ten principles that comprise a comprehensive compliance management system. These ten principles can be loosely divided into four general areas:
1. Compliance-related responsibilities of the board of directors
2. Compliance-related responsibilities of senior management
3. Organizing and governing principles of the compliance function, including its independence, the adequacy and qualifications of its resources, its responsibilities for both guidance and monitoring, and its relationship with Internal Audit
4. Other matters, including cross-border or jurisdictional questions and the appropriate use of outsourcing in carrying out compliance-related functions[4]
The risk appetite of the bank should be a function of the size and depth of the compliance management system (CMS). As risk changes, so should the routines of the compliance group. To make this work, the business lines of the Bank have to be more involved in compliance, while the compliance officer has to be more involved in the risk profile. This may be initially uncomfortable, but in the end it is the best way to get the biggest bang for the buck out of compliance.
We believe that embracing the philosophy of three lines of defense will allow community banks to gain greater engagement of overall staff in the compliance effort, which will help to attain greater efficiency and reduce the overall cost of compliance.  
 
In part two, we will discuss some of the specifics of the three lines of defense for community banks.


[1] A front line unit means, except as otherwise provided, any organizational unit or function thereof in a covered bank that is accountable for one of several enumerated risks and that either: (i) engages in activities designed to generate revenue or reduce expenses for the parent company or covered bank; (ii) provides operational support or servicing to any organizational unit or function within the covered bank in the delivery of products or services to customers; or (iii) provides technology services to any organizational unit or function covered by these Guidelines.
[2] Independent risk management should oversee the bank’s risk-taking activities and assess risks and issues independent of the CEO and front line units.
[3] Internal audit should ensure that a bank’s Framework complies with the Guidelines and is appropriate for the bank’s size, complexity, and risk profile.
[4] “Regulators expect to see lines of defense,” Eric Durham and Justin Van Beek, Crowe Horwath LLP, Banking Exchange, July 3, 2014.

Monday, February 16, 2015

Developing an Effective Compliance Risk Assessment
We come across many a risk assessment in our practice.  The ugly truth about most of the assessments that we see is that they are prepared specifically to meet a regulatory requirement and not much more.  Perform an annual risk assessment for BSA, get it approved and for the most part, put it away and don’t think about it again until the next year.  Let’s face it, this is really the rule and not the exception when it comes to preparing assessments. 
Despite the negative emotions that the thought of a risk assessment may produce, we believe that a comprehensive risk assessment is a critical component of planning your compliance year and implementing your compliance program. We believe that the compliance risk assessment should be the living, breathing basis for the way the compliance year unfolds.
The Component Parts of a Strong Compliance Risk Assessment
Past examination and audit results – It goes without saying that the past can be prelude to the future, especially in the area of compliance. Prior findings are an immediate indication of problems in the compliance program. It is important that the root cause of findings, or of regulators’ recommendations for enhancements, is determined and addressed. The compliance risk assessment has to include a description of the cause of the findings and the steps being taken to mitigate the risk of a repeat. We recommend that the action be more than additional training. Training tends to be the number one answer, and of course it is important. However, without testing to determine whether or not the training is effective, the risk of repeat findings remains high.
 
Changes in staff and management – Change is inevitable, and along with changes comes the possibility that additional training should be implemented or that the resources available to staff should also change. For example, suppose the head of note operations is brand new. This new manager will want to process loans using her/his own system. Loan staff who may be used to doing compliance checks at certain times during the loan origination process might become confused. This increases the possibility of findings or mistakes. Your compliance risk assessment should take into account the risks associated with changes and how best to address them.
Changes in products, customers or branches – Continuing with the idea that change is going to happen, it is important that your risk assessment consider all the different aspects of changes that have occurred or will occur in the Bank during the year. This will include any new products or services, new vendors, and marketing campaigns that are designed to entice new types of customers. The risk assessment should consider what resources will be required and how they should best be deployed. Before new products are introduced, the compliance team has to consider the time necessary to make sure that all of the processes are in place. New advertising means both technical and fair lending compliance considerations.
 
Changes in regulations – Over the past five years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies. Many of these changes do not impact community banks directly, but many do. Moreover, there are often regulations that are finalized in one year that don’t become effective until the following year. Part of your risk assessment process has to consider changes that affect your bank or will affect your bank. For your review, we have uploaded a list of regulatory changes to the website. We do not warrant that the list is comprehensive. It is, however, a good place to start to ensure that you have “covered the bases” for compliance.
Monitoring systems in place – Finally, the systems that you use to monitor compliance should be considered. For many community banks, this system is comprised of word of mouth and the results of audits and examinations. Part of your assessment should include a plan to do some basic testing of compliance on a regular basis. After all, an ounce of prevention…
 
The Analysis
Once you have gathered all of the information necessary for completing the analysis, we suggest using an analysis that doesn’t necessarily assign numbers to risk, but prioritizes the potential for findings. Remember, the effectiveness of your compliance program is ultimately judged by the level and frequency of findings. The effective risk assessment reviews those areas that are most likely to result in findings and develops a plan for reduction.
To complete the analysis it is necessary to be self-reflective, honest and brutal! If staff is weak in its understanding of the requirements of Regulation B, it is necessary to state that and make a plan to address the weakness. If more training is necessary or if, heaven forbid, a consultant is needed in certain areas, it really is appropriate as part of the assessment to say so and attempt to make the case to management. We have found that the cost of compliance goes up geometrically when a bank is faced with enforcement action. It is much more efficient to seek assistance when there are only potential problems, as opposed to when actual problems have been found.
 
Creating the Compliance Environment
Probably the greatest untapped asset for any compliance officer is the staff at your bank. The fact is that without the support and input of the people who are actually contacting customers and performing day-to-day operations, the effectiveness of your compliance program will be greatly limited. Of course, one of the greatest impediments to getting the “buy-in” of staff is the perception that many in the banking industry have of compliance. There is general dislike and disdain for anything compliance related. However, the fact of the matter is that the compliance rules have been developed over time in response to unfair and sometimes immoral behavior on the part of banks. Most of the regulations have a history that is interesting and can help explain what it is that the regulation is attempting to address. Taking the time to discuss the history of the regulations and what it is that they are trying to address can go a long way toward getting staff involvement.
Making sure that senior management accepts the importance of compliance and the costs of non-compliance can help increase support.
Using the document
Once the compliance assessment is complete, make sure to make use of it! The assessment can and should be used to help with planning and scoping audits that are to be performed during the year. The areas of the highest risk should be addressed early and should have the most extensive scope.
Rather than setting a basic training schedule, use the assessment to make sure that classes are focused on areas where the potential for findings and violations occur. 
As part of developing the assessment, the policies and procedures that require updating and approval should be evident.  
The assessment can also be the basis for requesting additional compliance resources, including software, professional assistance or additional certifications.
 
A comprehensive compliance risk assessment should be the key to a strong compliance program.

Sunday, February 8, 2015

What is the future state of compliance in community banks?  
Over the last year, more than 82 new regulations have taken effect! And you may have just thought that things were getting more and more intense! The fact of the matter is that compliance and risk have taken center stage in the bank regulatory universe, and that will be the case for some time to come. There are many theories about what caused the financial meltdown that began in 2008, but there is no disagreement that consumers suffered heavily during the worst of it. Foreclosures, collection actions and lawsuits between banks and consumers have ballooned and have caused a public outcry. The twin missions of the regulators have become consumer protection and the managing of risk. Whether or not you agree with this approach, the fact of the matter is that compliance is an area where costs are rising and will continue to rise.
For many years, trade groups, lobbyists and politicians have discussed the possibility that a separate set of rules and regulations should be developed for community banks to relieve them of some of the burdens of compliance that the larger banks have. Despite the best-intentioned plans, there has been little to no movement in this area. It is simply not a good or prudent plan to hope that there will be changes in regulations that will allow you to throttle back on compliance! The fact is that the standards for community banks will be similar to the ones set for larger banks with large compliance staffs.
The fact is that while the number and scope of regulations are increasing, the expectations for compliance are also increasing. This is true even for community banks that tend to characterize themselves as “non-consumer” commercial banks. Even in the event that the Bank makes the decision to offer no consumer products, there are aspects of compliance that will apply. For example, Regulation B, the Equal Credit Opportunity Act, applies to ALL lending. The same is true for the Community Reinvestment Act. One of the characteristics of the CRA that all banks must consider is how the products that are being offered meet the credit needs of the community in which they are operating. Flood insurance is required on all properties that are taken as collateral, whether the loan is for business purposes or not. It is also clear that the time is coming when a HMDA-like reporting scheme for business lending will be implemented. There are also issues that sometimes “spring to life” with commercial banks. For example, a transaction on a building can become HMDA and RESPA covered with a change of zoning or the whim of a customer who decides to live in the building.
Whether your bank is focused on consumer or commercial lending, compliance will be an important and growing area in the next few years. The expectations from regulators are clear: there should be a comprehensive compliance program that is well documented and effective. There should be Board involvement that includes, at a minimum, consistent reporting on the results of compliance monitoring and trends at the Bank. There must be an appropriate level of staff training and specialized training for the compliance officer at your bank. Other areas of emphasis include the managing of complaints and the analysis of the potential for UDAAP violations.
Developing a compliance program in 2015 and beyond includes, among other things:
· Updating policies and procedures
· Ongoing monitoring of the compliance efforts at the Bank
· Providing effective training
· Obtaining detailed, scoped audits
· Keeping abreast of changes in regulations
· Providing regular reports to the Board of Directors
Increased expectations for compliance have of course resulted in increasing costs for compliance. The number of hours dedicated to compliance is an ever-increasing number.
As the requirements for a fully implemented and effective compliance program continue to grow while costs of compliance continue to rise, the time to consider outsourcing arrangements has apparently come.  Many banks are now considering or have implemented co-sourcing components of the compliance function.  Some banks are now even considering the complete outsourcing of compliance.  
What does co-sourced or outsourced compliance look like? Well, it is different for each bank. The FDIC has pointed out in recent publications that the idea of a “one size fits all” approach is the very thing that they want to avoid.[1] The fact of the matter is that the compliance program for each bank has to fit its unique nature. There are several considerations that should factor into the development of a compliance program. These considerations include, but are not limited to:
· Current staffing levels
· Levels of consumer activity
· Turnover
· Strategic plan changes
· Results of recent examinations or audits
· Demographic changes in the assessment area
Outsourced compliance should consider each of these factors and should provide support where the Bank determines that there is a weakness or potential exposure to risk.  For one bank this might mean performing a series of compliance tests on HMDA entries and then providing training in areas where there are findings.  At another bank, outsourced compliance might mean developing and running the compliance committee. 
There can be little doubt that the current compliance environment is one where the demands on the compliance program of community banks are increasing.   An effective compliance program is one that involves collaborative effort.  One effective means of collaboration is outsourcing or co-sourcing. 


[1] See FDIC Supervisory Insights, Vol. 11, Issue 1, Summer 2014.

Sunday, February 1, 2015

Why Should a Banker be on the side of Compliance? 
Compliance, Compliance, COMPLIANCE! Sometimes just saying the word can evoke a dramatic response from Bankers. According to Jamie Dimon from Citigroup, big banks are under attack because they have to answer to several regulators and comply with several regulations.[1] Even though there has long been talk of a separate set of regulations for community banks, no such changes are in the works. For now and the immediate future, community banks will face increasing expectations in the area of compliance. Moreover, the costs of compliance can be prohibitive. This is especially true if your bank has experienced compliance problems in the past.
Despite the gloom and doom and through all of the curses there are actually reasons to support compliance regulations.    Say what?  
History as a Guide
A quick review of the history of some of the most far-reaching consumer regulations yields a familiar pattern.  In each case, banks and financial institutions engaged in unfair or unreasonable practices.  Eventually,  a public outcry was raised and legislation was passed in response.   The history of the Truth in Lending Act   (Regulation Z) provides a good example.  
Starting in the late 1950s, the United States saw a tremendous growth in the amount of credit. In fact, in a study the US House of Representatives estimated that the amount of credit in the United States grew from $5.6 billion at the end of World War II to $96 billion at the end of 1968. [2]
The growth in credit was fueled by consumer credit and, in particular, a growing middle class that created a huge demand for housing, cars and various other products that went with acquiring the American Dream. As time passed, more and more stories surfaced of consumers being misled by the use of terms like “easy payments”, “low monthly charges” or “take three years to pay”. The borrowers found out that even though they thought they were paying an interest rate of 1.25%, with add-ons, fees and interest payments that were calculated using deceptive formulas, the rate was actually as much as three times what they thought.
Congress began to investigate the growing level of consumer debt, and eventually, in 1968, the Truth in Lending Act was first passed. Congress was clear about what they were trying to do:
“The Congress finds that economic stabilization would be enhanced and the competition among the various financial institutions and other firms engaged in the extension of consumer credit would be strengthened by the informed use of credit.  The informed use of credit results from an awareness of the cost thereof by consumers. It is the purpose of this subchapter to assure a meaningful disclosure of credit terms so that the consumer will be able to compare more readily the various credit terms available to him and avoid the uninformed use of credit, and to protect the consumer against inaccurate and unfair credit billing and credit card practices.” [3]
The regulations that have been implemented as part of the Dodd-Frank law have a similar history. The most recent financial meltdown was caused in part by the lack of oversight and by financial products that far outpaced the reach of the regulations. Dodd-Frank is the most recent legislative response to the public outcry about the behavior of banks and financial institutions.
Of course, it is also clear that the behavior that caused the most recent meltdown was not being practiced at community banks. It is unfortunate that the whole industry is being painted with a broad brush. However, the fact is that the public does not make much of a distinction between large banks and community banks. The reputation of the industry suffered mightily during the meltdown. The good news is that the regulations have helped to restore the confidence of the public in the financial system. Therefore, while regulations may be bothersome, they do support the industry.
Overall Effects
Sometimes we get so caught up in focusing on the negative that it is hard to see the overall impact of bank regulations. One of the positive effects of compliance regulations is that it goes a long way toward “leveling the playing field” among banks. RESPA (the Real Estate Settlement Procedures Act) provides a good example. The focus of this regulation is to get financial institutions to disclose the costs of getting a mortgage in the same format throughout the country. The real costs associated with a mortgage, the deal that a bank has with third parties, and the amount that is being charged for insurance, taxes and professional reports that are being obtained all have to be listed in the same way for all potential lenders. In this manner, the borrower is supposed to be able to line up the offers and compare costs. This is ultimately good news for community banks. The public gets a chance to see what exactly your lending program is and how it compares to your competitors. The overall effect of this legislation is to make it harder for unscrupulous lending outfits to make outrageous claims about the costs of their mortgages. This begins to level the playing field for all banks. The public report requirements for the Community Reinvestment Act and the Home Mortgage Disclosure Act can result in positive information about your bank. A strong record of lending within the assessment area and focusing on reinvigoration of neighborhoods is certainly a positive for a bank’s reputation. The overall effects of the regulations should be viewed as a positive.
Protections not just for Customers
In some cases, consumer regulations provide protection not just for consumers but also for banks. The most recent qualifying mortgage and ability to repay rules present a good case. These rules are designed to require additional disclosures for borrowers that have loans with high interest rates. In addition to the disclosure requirements, the regulations establish a safe harbor for banks that make loans within the “qualifying mortgage” limits. This part of the regulation actually provides a strong protection for banks. The ability to repay rules establish that when a bank makes a loan that is below the established loan to value and debt to income levels, the bank will enjoy the presumption that the loan was made in good faith. This presumption is very valuable in that it can greatly reduce the litigation costs associated with mortgage loans. Moreover, as long as a bank makes only “qualifying mortgages”, the level of regulatory scrutiny will likely be lower than in the instance of banks that make high priced loans. [4]

The next time you hear a conversation about how bad consumer regulations are, we suggest that you take a step back. Consider that the regulations are generally well earned, that they provide stability, and that they can tend to level the playing field for community banks. Also, please consider the idea that in at least some cases, these regulations provide protections for banks. You may not turn out to be a consumer zealot, but we think you will give compliance regulations a different, accepting look.



[1] MarketWatch, published Jan 14, 2015.
[2]  Griffith L. Garwood, A Look at the Truth in Lending - Five Years after, 14 Santa Clara Lawyer 491 (1974). 
[3]  See Preamble to 15 U.S.C. 1601 (1970)
[4] Of course, a strong case can be made for the origination of non-qualified loans. This case will be presented in subsequent blogs.