Tuesday, December 15, 2015


Getting to the Root of the Problem - An Important Step to Strong Compliance

The compliance examiners are coming! It is time to get everything together to prepare for the onslaught, right? Time to review every consumer loan that has been made and every account that has been opened in the last 12 months, right? Not necessarily! The compliance examination is really an evaluation of your compliance management program (“CMP”). By approaching your examinations and audits as an evaluation of the effectiveness of your overall CMP, the response to the news of an upcoming review becomes (almost) welcome.

The Elements of the CMP

There is really no “one size fits all” way to set up a strong compliance program.  There are, however, basic components that all compliance management systems need.  These components are often called the pillars of the CMP.  The pillars are:

· Policies and procedures

· Internal controls

· Management information systems

· Training

 

The relative importance of each of these pillars depends on the risk levels at individual financial institutions. The compliance examination is a test of how well the institution has identified these risks and deployed resources. For example, when one has highly experienced and trained staff coupled with low turnover, the need for fully detailed procedures may be minimal. On the other hand, at an institution where new products are being offered regularly, the need for training can be critical. The central question is whether or not risks have been properly identified at your institution. Once risks have been identified, have effective steps been taken to mitigate them?


Making the CMP Fit Your Bank

Making sure that your CMP is right-sized starts with an evaluation of what the institution is doing and the inherent risk in that activity. For example, consumer lending comes with a level of risk. Missed deadlines, improper disclosures or misinterpretations of the requirements of the regulations are risks that are inherent in a consumer portfolio. In addition to the risks inherent in the portfolio are the risks associated with the manner in which the institution conducts its consumer business. Are risk assessments conducted when a product is going to be added or terminated? Both decisions can create risks. For example, the decision to cease HELOCs may create a fair lending issue, while the decision to start making HELOCs has to be made in light of the knowledge and abilities of the staff that will be making the loans and the staff that will be reviewing for compliance.

We suggest that compliance has to be a part of the overall business and strategic plan of any financial institution.  The best way to make sure that the CMP is appropriate is to include compliance in all of the business decisions.   The CMP has to be flexible enough to absorb changes while remaining effective and strong. 


 

The Test of the CMP

Probably the most efficient way to determine the strengths and weaknesses of the CMP is by reviewing the findings of internal audits and examinations, as well as quality control checks. When reviewing these findings, what is most important is getting to the root of the problem. Both the findings and the recommendations that can be found in examination and audit reports can be used to help “tell the story” of the effectiveness of the CMP. As the institution receives its readout of findings and recommendations, it is very important to ask the examiner or auditor “In your opinion, what was the cause of this finding?” Generally, we believe that you will find that the answer you receive will be candid and extremely helpful in addressing the problem. Let’s face it, sometimes findings occur when people have bad days. On those bad days, even the secondary review may not quite catch the problem. These are generally not the types of findings that should keep you up at night.

The findings that should cause concerns are the ones that result from lack of knowledge or lack of information about the requirements of a regulation.  These findings are systemic and tend to raise the antenna of auditors and examiners.  Unfortunately, too often the tendency for institutions is to respond to this kind of finding by agreeing with it and promising to take immediate steps to address it.  Without knowing the root cause of the problem, the fix becomes the banking version of sticking one’s finger in the dyke to avoid a flood.  

Addressing Findings  

We suggest a five-step process to truly address findings and strengthen the CMP:

1. Make sure that the compliance staff truly understands the nature of the finding. This may sound obvious, but far too many times there is a great deal lost in translation between the readout and the final report. Many of our clients have stated that they felt like what was discussed at the exit doesn’t match the final report they receive. We recommend fighting the urge to dismiss the auditor/examiner as a crank! Call the agency making the report and get clarification to make sure that the concern being expressed is understood by staff.

2. Develop an understanding of the root cause of the finding. Does this finding represent a problem with our training? Perhaps we have not deployed our personnel in the most effective manner. It is critical that management and the compliance team develop an understanding of why this finding occurred to most effectively address it.

3. Assign a person responsible along with an action plan and benchmark due dates. Developing the plan of action and setting dates develops an accountability for ensuring that the matter is addressed.

4. Assign an individual to monitor progress in addressing findings. We also recommend that this person should report directly to the Audit Committee of the Board of Directors. This builds further accountability into the system.

5. Validate the response. Before an item can be removed from the tracking list, there should be an independent validation of the response. For example, if training was the issue, the response should not be simply that all staff have now taken the training. The process should include a review of the training materials to ensure that they are sufficient, and feedback from staff members taking the training. In addition, a quality control check should be performed.

 

Not only does determining the root cause of a problem make the response more effective, but in doing so, the CMP will be strengthened. For example, it may be easy to see that an institution has a problem with disclosing right of rescission disclosures. It may be harder to see that the problem is not the people at all, but that the training they received is confusing and ineffective. Only by diving into the root cause of the problem can the CMP be fully effective.

Tuesday, December 8, 2015


Planning Your Compliance Year

As the year comes to a close, for most people, it is time to celebrate with family and friends and to look forward to the new year with anticipation. For risk and compliance officers at financial institutions, the new year comes with a bit of a different perspective. For many years now, each new year brings a different set of regulations and the challenges of keeping financial institutions in compliance. This is not necessarily a bad thing. New challenges can present an opportunity for new and more efficient solutions. There are some steps that you can take that can truly help you get to the goal of getting on top of compliance.

 

Step One - Information Gathering

There are several sources for regulatory changes. It is important to consider the fact that compliance and risk expectations can be changed by more than the implementation of new regulations. Regulatory agencies respond to world events, the political environment, resource allocations, technology and many other factors. One valuable source of information that is often overlooked is the annual plans or statements that are issued by the prudential regulators. All three issue a plan that addresses the areas that they will emphasize in the upcoming year. [1] In addition, there are many organizations and agencies that list the effective dates for regulations. At VCM, we have a form that lists regulations, effective dates and whether or not the regulation will apply to your organization. [2] Gathering information on the new regulations and regulatory initiatives is a key first step for planning the compliance year.

Step Two - Setting the Parameters

We believe that the next step should always be completing a risk assessment.  More often than not we see risk assessments that are performed specifically for the purpose of meeting a regulatory requirement.  In many cases, these assessments are completed and put away without being looked at until it is time to do an annual update.  We believe that the risk assessment provides an excellent opportunity to set the parameters for your own compliance program.  Your risk assessment should include:

· The areas where there have been regulatory or internal audit findings in the past

· The types of products that the Bank offers and the risks associated with those products

· New products that are being contemplated

· The management reports that are currently being generated by software

· Changes in regulations that might affect the bank

· Changes in staff that have occurred or are planned

The risk assessment should be designed to determine the areas where your institution has the greatest risk for violations or findings.  It is critical that the assessment should be brutally honest and unflinching in its assessment of the compliance needs for your institution.  

The most important part of this step is to remember to USE the document that you have prepared!  The risk assessment should be the basic document that helps you make the case to senior management for additional staff and/or resources.   The risk assessment should also be used to help set the scope of the internal audits that are performed.  It is very rare that there will be time to cover every potential issue in a year so the risk assessment should help prioritize resources.    The risk assessment should also be used to set the training calendar.  

Step Three - Checking Twice

In addition to going through the regulations, it is necessary to make sure that your policies and procedures match the requirements. For example, have you developed a solid method for making sure that you comply with the “valuations rules” of Regulations B and Z? Do you know what these are and how they affect you?

It is also a very good idea to sign up for all of the “Free stuff” that the regulators publish about compliance.   These can be used as useful supplemental training tools.  There is a great deal of very helpful information made available by the Federal Reserve and the CFPB in particular.  [3]

Step Four - Call for Help!

One of the benefits of completing a comprehensive compliance risk assessment is that the results can help you determine the level of support that is needed. Far too often compliance departments get additional resources only after the staff has been overwhelmed or has experienced a poor result from an audit or examination. However, as the saying goes, an ounce of prevention is worth a pound of cure. Identifying the areas that are the highest risk and asking for help in those areas before they become a problem is a best practice that will enhance your compliance program and the quality of your life!

One of the best areas to get support for compliance is through the staff at your bank. At the end of the day, compliance is a team effort that requires the input of the whole bank to be most effective. One of the themes that we have noticed over the years is that people tend to buy in more when they understand the hows and whys of compliance. While online training classes are clearly efficient and relatively inexpensive, they sometimes can lack the perspective that gives the staff members the reason why the particular regulation exists. For example, we have found that taking the time to explain what it is that BSA laws and rules are trying to accomplish to the staff members who are opening accounts has dramatically improved the collection of data for CIP. The same is true for Regulation B and a host of other areas. By helping bank staff understand that there really are good reasons why you are so insistent on complete and accurate disclosures, you can greatly reduce the error rate in these disclosures. The more help from staff that you get, the more efficient you can be.

Step Five - Execute the Plan

Once you have completed the risk assessment, prioritized the risks and asked for help, it is time to execute the plan. Make sure that the scope of the audits that you are getting will actually meet your needs and give you information on how things are going. Regulators have become increasingly critical of audit scopes that are too general or that do not cover specific areas of compliance weakness at the bank. The internal audit is an important tool that should be used to help find areas that need attention. It is true that the auditor is your friend. The results of audits should be taken seriously and positively as this is your opportunity to determine levels of compliance without having regulatory problems.

Like all good coaches, as a compliance officer you know the areas where your team is the weakest.  Make sure that your compliance plan is designed to address these areas from the outset.  If training has been a concern for example, then make sure that you have addressed the root of the problem. 

Step Six - Remain Flexible

There is a parable that says that if you want to prove that God has a sense of humor- then try making your own plans.  There is no question that the best-laid plans can sometimes go awry.  Therefore, it is important that you build flexibility into your plan.  For example, even though you may have wanted to do flood insurance testing in the first quarter, you might find that the bigger area of risk is compliance with HMDA.  Even though flood insurance will always be a “hot button” issue, there are times when the greater area of risk can be somewhere else.  The point is that your plan must have the ability to hit all of the highest areas of risk to ensure that your program is successful. 

 

Planning your compliance year can not only keep you ahead of trouble; it can help you start making different New Year’s resolutions!



[1] See for example, http://www.occ.gov/news-issuances/news-releases/2015/nr-occ-2015-130.html, https://www.fdic.gov/about/strategic/performance/supervision.html
 
[2] This form can be found on our website at www.vcm4you.com
[3] http://www.philadelphiafed.org/results.cfm?sort=rel&start=0&text=compliance`1