Planning Your Compliance Year
As the year comes to a close, for most people, it is time to celebrate with family and friends and to look forward to the new year with anticipation. For risk and compliance officers at financial institutions, the new year comes with a bit of a different perspective. For many years now, each new year has brought a different set of regulations and the challenges of keeping financial institutions in compliance. This is not necessarily a bad thing. New challenges can present an opportunity for new and more efficient solutions. There are some steps that you can take that can truly help you get on top of compliance.
Step One - Information Gathering
There are several sources for regulatory changes. It is important to consider the fact that compliance and risk expectations can be changed by more than the implementation of new regulations. Regulatory agencies respond to world events, the political environment, resource allocations, technology and many other factors. One valuable source of information that is often overlooked is the annual plans or statements that are issued by the prudential regulators. All three issue a plan that addresses the areas that they will emphasize in the upcoming year. [1] In addition, there are many organizations and agencies that list the effective dates for regulations. At VCM, we have a form that lists regulations, effective dates and whether or not the regulation will apply to your organization. [2] Gathering information on the new regulations and regulatory initiatives is a key first step for planning the compliance year.
Step Two - Setting the Parameters
We believe that the next step should always be completing a risk assessment. More often than not, we see risk assessments that are performed specifically for the purpose of meeting a regulatory requirement. In many cases, these assessments are completed and put away without being looked at until it is time to do an annual update. We believe that the risk assessment provides an excellent opportunity to set the parameters for your own compliance program.
Your risk assessment should include:
· The areas where there have been regulatory or internal audit findings in the past
· The types of products that the Bank offers and the risks associated with those products
· New products that are being contemplated
· The management reports that are currently being generated by software
· Changes in regulations that might affect the bank
· Changes in staff that have occurred or are planned
The risk assessment should be designed to determine the areas where your institution has the greatest risk for violations or findings. It is critical that the assessment be brutally honest and unflinching in its evaluation of the compliance needs for your institution.
The most important part of this step is to remember to USE the document that you have prepared! The risk assessment should be the basic document that helps you make the case to senior management for additional staff and/or resources. The risk assessment should also be used to help set the scope of the internal audits that are performed. It is very rare that there will be time to cover every potential issue in a year, so the risk assessment should help prioritize resources. The risk assessment should also be used to set the training calendar.
Step Three - Checking Twice
In addition to going through the regulations, it is necessary to make sure that your policies and procedures match the requirements. For example, have you developed a solid method for making sure that you comply with the “valuations rules” of Regulations B and Z? Do you know what these are and how they affect you?
It is also a very good idea to sign up for all of the “Free stuff” that the regulators publish about compliance. These can be used as useful supplemental training tools. There is a great deal of very helpful information made available by the Federal Reserve and the CFPB in particular. [3]
Step Four - Call for Help!
One of the benefits of completing a comprehensive compliance risk assessment is that the results can help you determine the level of support that is needed. Far too often, compliance departments get additional resources only after the staff has been overwhelmed or has experienced a poor result from an audit or examination. However, as the saying goes, an ounce of prevention is worth a pound of cure. Identifying the areas that are the highest risk and asking for help in those areas before they become a problem is a best practice that will enhance your compliance program and the quality of your life!
One of the best areas to get support for compliance is through the staff at your bank. At the end of the day, compliance is a team effort that requires the input of the whole bank to be most effective. One of the themes that we have noticed over the years is that people tend to buy in more when they understand the hows and whys of compliance. While online training classes are clearly efficient and relatively inexpensive, they sometimes can lack the perspective that gives the staff members the reason why the particular regulation exists. For example, we have found that taking the time to explain what it is that BSA laws and rules are trying to accomplish to the staff members who are opening accounts has dramatically improved the collection of data for CIP. The same is true for Regulation B and a host of other areas. By helping bank staff understand that there really are good reasons why you are so insistent on complete and accurate disclosures, you can greatly reduce the error rate in these disclosures. The more help from staff that you get, the more efficient you can be.
Step Five - Execute the Plan
Once you have completed the risk assessment, prioritized the risks and asked for help, it is time to execute the plan. Make sure that the scope of the audits that you are getting will actually meet your needs and give you information on how things are going. Regulators have become increasingly critical of audit scopes that are too general or that do not cover specific areas of compliance weakness at the bank. The internal audit is an important tool that should be used to help find areas that need attention. It is true that the auditor is your friend. The results of audits should be taken seriously and positively, as this is your opportunity to determine levels of compliance without having regulatory problems.
Like all good coaches, as a compliance officer you know the areas where your team is the weakest. Make sure that your compliance plan is designed to address these areas from the outset. If training has been a concern, for example, then make sure that you have addressed the root of the problem.
Step Six - Remain Flexible
There is a parable that says that if you want to prove that God has a sense of humor, then try making your own plans. There is no question that the best-laid plans can sometimes go awry. Therefore, it is important that you build flexibility into your plan. For example, even though you may have wanted to do flood insurance testing in the first quarter, you might find that the bigger area of risk is compliance with HMDA. Even though flood insurance will always be a “hot button” issue, there are times when the greater area of risk can be somewhere else. The point is that your plan must have the ability to hit all of the highest areas of risk to ensure that your program is successful.
Planning your compliance year can not only keep you ahead of trouble; it can help you start making different New Year’s resolutions!
[1] See, for example, http://www.occ.gov/news-issuances/news-releases/2015/nr-occ-2015-130.html, https://www.fdic.gov/about/strategic/performance/supervision.html
[3] http://www.philadelphiafed.org/results.cfm?sort=rel&start=0&text=compliance`1