Tuesday, April 26, 2016


Why IS there a Community Reinvestment Act?  

As anyone in compliance can attest, there are myriad consumer compliance regulations.  Bankers regard these regulations as anything from a nuisance to the very bane of a bank's existence.  In point of fact, however, there is no bank consumer regulation that was not earned by the misbehavior of banks in the past.  Like it or not, these regulations exist to prevent bad behavior and/or to encourage certain practices.   We believe that one of the keys to strengthening a compliance program is to get your staff to understand why regulations exist and what the regulations are designed to accomplish.  To further this cause, we will from time to time through the year address these questions about various banking regulations.  We call this series "Why IS there…." 

 

Introduction

The Community Reinvestment Act ("CRA") is probably one of the most misunderstood and unfairly maligned of all of the consumer protection regulations.  Since its enactment, the CRA has been characterized as the regulation that makes financial institutions make "bad loans".     It is not at all uncommon to hear financial institutions refer to their problem loans as "CRA loans".  Ironically, the preamble of the regulation makes it clear that nothing in the regulation encourages bad loans.  

The CRA is actually a part of a series of financial institution laws and regulations that were aimed directly at lack of credit availability in low to moderate income areas.   The CRA followed similar laws passed to reduce discrimination in the credit and housing markets including the Fair Housing Act of 1968, the Equal Credit Opportunity Act of 1974 and the Home Mortgage Disclosure Act of 1975 (HMDA). The Fair Housing Act and the Equal Credit Opportunity Act prohibit discrimination on the basis of race, sex, or other personal characteristics. The Home Mortgage Disclosure Act requires that financial institutions publicly disclose mortgage lending and application data. In contrast with those acts, the CRA seeks to ensure the provision of credit to all parts of a community, regardless of the relative wealth or poverty of a neighborhood.   

All of these regulations were enacted to address the ongoing concerns caused by insufficient credit in low to moderate income areas.   In 2007, Ben Bernanke, then Chairman of the Federal Reserve, described the conditions that led to the enactment of the CRA:  

Several social and economic factors help explain why credit to lower-income neighborhoods was limited at that time. First, racial discrimination in lending undoubtedly adversely affected local communities. Discriminatory lending practices have deep historical roots. The term "redlining," which refers to the practice of designating certain lower-income or minority neighborhoods as ineligible for credit, appears to have originated in 1935, when the Federal Home Loan Bank Board asked the Home Owners' Loan Corporation to create "residential security maps" for 239 cities that would indicate the level of security for real estate investments in each surveyed city.1 The resulting maps designated four categories of lending and investment risk, each with a letter and color designation. Type "D" areas, those considered to be the riskiest for lending and which included many neighborhoods with predominantly African-American populations, were color-coded red on the maps--hence the term "redlining" (Federal Home Loan Bank Board, 1937). Private lenders reportedly constructed similar maps that were used to determine credit availability and terms. The 1961 Report on Housing by the U.S. Commission on Civil Rights reported practices that included requiring high down payments and rapid amortization schedules for African-American borrowers as well as blanket refusals to lend in particular areas.[1]

In addition to the problems caused by redlining, one of the main concerns that the Community Reinvestment Act was designed to address was the problem created by deposits being taken and not being reinvested in the same communities.

Congress became concerned with the geographical mismatch of deposit-taking and lending activities for a variety of reasons.   Deposits serve as a primary source of borrowed funds that banks may use to facilitate their lending. Hence, there was concern that deposits collected from local neighborhoods were being used to fund out-of-state as well as various international lending activities at the expense of addressing the local area’s housing, agricultural, and small business credit needs.[2]

Part of what Congress recognized by passage of the CRA is the role that financial institutions play in the development (or lack thereof) of communities.     

According to some in Congress, the granting of a public bank charter should translate into a continuing obligation for that bank to serve the credit needs of the public where it was chartered.  Consequently, the CRA was enacted to “re-affirm the obligation of federally chartered or insured financial institutions to serve the convenience and needs of their service areas” and “to help meet the credit needs of the localities in which they are chartered, consistent with the prudent operation of the institution.” [3]

Despite its reputation otherwise, the Community Reinvestment Act doesn't require any specific type of lending.  It does ask financial institutions to identify the credit needs of the communities in which they are located and to do all that is possible to meet those credit needs. 

Since it was first passed there have been relatively few changes in the regulation itself.  There HAVE been changes in the way it is administered.  The most significant of these changes are:  

·         Making evaluations public – The Financial Institutions Reform, Recovery and Enforcement Act of 1989 made the results of every CRA examination available to the public for review.

·         Differentiating between small, medium and large banks – In 1995, the CRA regulations were changed so that the smaller the institution, the more streamlined the CRA examination would be.   

CRA Requirements  

Regardless of the size of the lending institution, there are three tests on which CRA performance is judged.   The three tests are: 

·         Lending Performance – At its most basic, this is a test that considers the size and resources of the financial institution.  In addition, the economic opportunities that exist in the service area of the institution are considered.  These factors are then compared to the level and distribution of loans that the institution originated.   Special attention is paid to the geographic distribution of loans.  The idea here is to make sure that certain neighborhoods are not being left out of lending.    

·         Investment Performance – This reviews the level of activity of a financial institution in overall community development.  Community development can be accomplished through lending or through investing in funds that are aimed at community development.  The definition of what does and does not qualify as community development has been a matter of controversy for several years and may be revised soon. 

·         Service – The third test for CRA performance considers the amount of services that financial institutions offer in low to moderate income ("LMI") areas.  Factors considered include the record of opening and closing retail bank branches, particularly those that serve LMI geographies and individuals; the availability and effectiveness of alternative systems for delivering retail banking services in LMI geographies and to LMI individuals; the range of retail banking services in each geography classification; the extent of community development services provided; and the innovativeness and responsiveness of community development services.

Small institutions that are under $304 million[4] in assets have the option of deciding whether or not they want their performance under the last two tests reviewed.     For each of these tests there are degrees of activity that can be rated on a scale that goes from “substantial noncompliance” to “outstanding”. 

There is nothing in any of these tests that requires a financial institution to make bad loans or even to seek out risky investments.  Instead, the directive of the CRA is that an institution should do all it can to identify opportunities for investments and services within all the communities that it serves.  Put another way, the CRA is asking financial institutions to find the “diamond in the rough” in low to moderate income communities. 

CRA in the News 

As the 2008–2010 financial crisis began to subside and experts began to look for causes, the CRA became a favorite villain for many.  Opponents of the CRA placed the blame for predatory and subprime lending on the need to meet the requirements of the CRA.  The argument goes that banks and financial institutions made risky loans to unqualified borrowers because that is what the CRA requires.  Many scholarly and journal articles have been written to address this topic, and the recent movie "The Big Short" also includes a great deal of information.  Despite the arguments, there has been little to no effort made to significantly change the regulation. 

 
The Community Reinvestment Act was passed at a time when financial institutions refused to invest in low to moderate income areas.   The main goal of this regulation is to get financial institutions to become good neighbors and to do their best to find customers who might otherwise be overlooked.


[1] Ben S. Bernanke, "The Community Reinvestment Act: Its Evolution and New Challenges," remarks at the Community Affairs Research Conference, Washington, D.C., March 30, 2007.
[2] Darryl E. Getter, "The Effectiveness of the Community Reinvestment Act," Congressional Research Service, 2015.
[3] Ibid.
[4] The figure for the smallest institutions is adjusted annually based upon the Consumer Price Index. 

Tuesday, April 19, 2016


You Need a BSA Software Model Validation!     

Since the beginning of crime, there has been a need to hide the ill-gotten gains of criminal activity.  Early bad guys held their loot in caves.  Later, treasure chests provided a means of hiding criminal wealth.   However, whatever form ancient loot took, the goal was and always has been to convert it into cash or currency so that it can be used in exchange for other goods and services.   Taking illicit assets or money and hiding their source is commonly known as "money laundering".  Criminals of all sorts engage in money laundering and have become exceedingly sophisticated in hiding the sources and uses of their money.  

Because the "bad guys" continue to evolve, the history of the Bank Secrecy Act and Anti-Money Laundering laws ("BSA") is one of ongoing change.  The laws that make money laundering illegal can be traced back to the Bank Secrecy Act of 1970.   Since the time the BSA was passed, there have been seven major legislative changes to the overall legislative scheme that covers this area.  Probably the most famous of these is the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001.  Of course, this is more popularly known as the USA PATRIOT Act.  

As technology has changed, so have the goals of many of the criminals that want to launder money.  In addition to drug dealers, there are terrorists and persons that engage in human trafficking; all of whom are developing ways to hide their cash. 

Each of the changes in BSA/AML laws was designed to improve the overall monitoring of cash and cash equivalent transactions.  As the regulations changed, the expectations of the regulatory bodies evolved.  Today, no self-respecting financial institution would consider operating without a full BSA/AML compliance program.   Moreover, it is not feasible to get by with a manual system for tracking and aggregating the transactions of customers.   A sound BSA/AML program includes software that helps staff aggregate and monitor the transactions of its customers.  

Along with the expectation that your financial institution will obtain BSA/AML monitoring software comes the requirement that a model validation be performed.  

The Source of the Data Validation Requirement 

The OCC and the Federal Reserve issued guidance in 2011 called "Supervisory Guidance on Model Risk Management"[1].  This guidance was initially read as applying only to financial models, such as those used for projecting interest rate risk or the allocation of the allowance for loan losses.   However, a more complete review of the information included in the guidance has produced increased expectations in the area of BSA/AML. 

In relevant part, the guidance states that a model is defined as follows: 

“For the purposes of this document, the term model refers to a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates. Models meeting this definition might be used for analyzing business strategies, informing business decisions, identifying and measuring risks, valuing exposures, instruments or positions, conducting stress testing, assessing adequacy of capital, managing client assets, measuring compliance with internal limits, maintaining the formal control apparatus of the bank, or meeting financial or regulatory reporting requirements and issuing public disclosures. The definition of model also covers quantitative approaches whose inputs are partially or wholly qualitative or based on expert judgment, provided that the output is quantitative in nature”[2]

When one reads this definition of a model, it is clear that BSA/AML monitoring software is included.  The guidance is directed toward the idea that modeling software cannot be a panacea when it comes to compliance.  Models can only be effective when they are part of a complete compliance program in any area.  In the area of BSA/AML compliance, this is especially true.  

The model guidance points out that there are several areas of risk that are associated with the use of models at a financial institution.  Many of these risks apply to BSA/AML monitoring software.   When the areas of risk are simplified, the two main concerns for BSA software are:

1.       The data that is being collected and loaded into the monitoring software is inaccurate; and

2.       The data that is being collected is insufficient to properly mitigate risk.  

 

Data Validation

To address the first of the above enumerated risks, all banks should perform a data validation. [3]   This process is basically what it sounds like.  The data validation is the process of making sure that the information in your monitoring software is being accurately and completely loaded from your core system.   While this portion of the guidance may be straightforward, there are a few points to remember when preparing to perform an appropriate data validation.  

Know Thy Software

It is important to know the type of software that you are using.  Generally, there are about five types of monitoring software that are currently popular and on the market.  It is important to know which type of software your institution is using so that you can determine whether the appropriate data is being pulled.  The five types of software are:

·         Risk based – These systems incorporate various factors such as NAICS codes, zip codes, volume and frequency to predict higher risk customers

·         Rule based- system that compares transactions to scenarios that mimic suspicious activity

·         Behavior based- These systems establish a base line for a customer and track activity that exceeds the baseline

·         Intelligent systems- This software is based on decision trees that follow data that has indicated suspicious activity

·         Combination- These systems incorporate two or more of the above into the software.  

Regardless of the type of system that you are using, it is important to recognize how your system works so that you know the data points that should be recognized.   For example, if you are using behavior based software, it is important to recognize what information the software needs to know to establish the baseline for a particular customer. 

Software-Know thy User

It is critical that all of the transaction codes that your bank uses are being properly loaded into, and recognized by the software that you are using.   Each bank has its own unique set of transaction codes that have been established to identify transactions that are conducted.  The software vendor cannot know all of the idiosyncrasies of your bank and it is therefore incumbent on your compliance staff to ensure that the transaction codes are being properly loaded and recognized by your monitoring software. 

Compare to the Core

Many banks we have worked with use the data validation information that is provided by the vendor.  However, it is important to remember that this validation will simply tell you what happened to the information that you gave to the vendor.  If there are other errors in logic or misunderstandings about what information should be captured, this will not appear in the vendors’ validation.  We recommend that the data validation should be completed by comparing the software information to core data information.  
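The two checks just described (are all of the bank's transaction codes known to the monitoring system, and does what the system loaded tie back to the core) are mechanical enough to script. The following is an added example, not code from the original post or from any vendor: it reconciles a core extract against what the AML system reports it loaded, record by record and by control totals per transaction code, and flags core codes the vendor's map does not know. The pipe-delimited layout, the field names, the transaction codes and the two sample extracts are all constructed for the example; the seeded defects (one record dropped, one amount truncated, one code never mapped) are the kinds of errors a vendor-supplied validation cannot see, because the vendor only sees what it was given.

```python
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed sample extracts (not real bank data). The pipe-delimited layout,
# field names and transaction codes are assumptions made for this example.
CORE_EXTRACT = """\
txn_id|account|tran_code|amount|post_date
1001|A100|CSHDEP|9500.00|2016-04-01
1002|A100|CSHDEP|9600.00|2016-04-02
1003|A200|WIREOUT|25000.00|2016-04-02
1004|A300|CHKCSH|3000.00|2016-04-03
1005|A400|ACHCR|1200.00|2016-04-03
1006|A200|WIREOUT|25000.00|2016-04-04
"""

# What the monitoring system reports it loaded: one record dropped (1005) and
# one amount truncated (1003). Both defects are seeded deliberately.
AML_EXTRACT = """\
txn_id|account|tran_code|amount|post_date
1001|A100|CSHDEP|9500.00|2016-04-01
1002|A100|CSHDEP|9600.00|2016-04-02
1003|A200|WIREOUT|2500.00|2016-04-02
1004|A300|CHKCSH|3000.00|2016-04-03
1006|A200|WIREOUT|25000.00|2016-04-04
"""

# The vendor's transaction-code map (assumed). The bank's ACH credit code
# ACHCR was never added, so those transactions are invisible to every rule.
CODE_MAP = {"CSHDEP": "CASH_IN", "CHKCSH": "CASH_OUT", "WIREOUT": "WIRE_OUT"}

KEY = "txn_id"
COMPARED_FIELDS = ("account", "tran_code", "amount", "post_date")


def parse_extract(text):
    """Parse a pipe-delimited extract into {txn_id: row_dict}."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("|")
    rows = {}
    for ln in lines[1:]:
        row = dict(zip(header, ln.split("|")))
        row["amount"] = Decimal(row["amount"])  # exact money arithmetic
        rows[row[KEY]] = row
    return rows


def control_totals(rows):
    """Count and amount total per transaction code, for tie-out to the core."""
    totals = defaultdict(lambda: [0, Decimal("0")])
    for row in rows.values():
        t = totals[row["tran_code"]]
        t[0] += 1
        t[1] += row["amount"]
    return {code: (n, s) for code, (n, s) in totals.items()}


def reconcile(core, aml, code_map):
    """Compare the core extract (source of truth) to what the AML system loaded.

    Returns a report with:
      missing_in_aml   - core transactions the monitoring system never loaded
      extra_in_aml     - monitoring-system records with no core source
      field_mismatches - (txn_id, field, core_value, aml_value) for loaded rows
      unmapped_codes   - core transaction codes the vendor map does not know
      totals_diff      - per-code (count, amount) differences, core minus AML
    """
    missing = sorted(set(core) - set(aml))
    extra = sorted(set(aml) - set(core))
    mismatches = []
    for txn_id in sorted(set(core) & set(aml)):
        for field in COMPARED_FIELDS:
            if core[txn_id][field] != aml[txn_id][field]:
                mismatches.append((txn_id, field, core[txn_id][field], aml[txn_id][field]))
    unmapped = Counter(r["tran_code"] for r in core.values() if r["tran_code"] not in code_map)
    core_t, aml_t = control_totals(core), control_totals(aml)
    totals_diff = {}
    for code in set(core_t) | set(aml_t):
        core_n, core_sum = core_t.get(code, (0, Decimal("0")))
        aml_n, aml_sum = aml_t.get(code, (0, Decimal("0")))
        if (core_n, core_sum) != (aml_n, aml_sum):
            totals_diff[code] = (core_n - aml_n, core_sum - aml_sum)
    return {
        "missing_in_aml": missing,
        "extra_in_aml": extra,
        "field_mismatches": mismatches,
        "unmapped_codes": dict(unmapped),
        "totals_diff": totals_diff,
    }


def validation_passed(report):
    """True only when every check is clean; any exception is a finding."""
    return not any(report.values())


if __name__ == "__main__":
    rep = reconcile(parse_extract(CORE_EXTRACT), parse_extract(AML_EXTRACT), CODE_MAP)
    for name, value in rep.items():
        print(f"{name}: {value}")
    print("PASS" if validation_passed(rep) else "FAIL")
```

Run against the constructed extracts, the report lists transaction 1005 as missing, the amount on 1003 as mismatched, ACHCR as an unmapped code, and a $22,500 shortfall in the WIRE OUT control total; the validation fails until all four are explained. The control totals are the part worth keeping even when record-level comparison is impractical for a full month of data, and the unmapped-code check is the one to re-run whenever operations adds a transaction code.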

 Ongoing Validation

Many banks and vendors believe that once a data validation has been done, there is little need to do another one.  If everything checks out and all data is being loaded properly, what is the problem?  Have you ever logged onto your computer and found that everything had changed, even though you did not do anything different?  BSA software is the same.  Even though you may not have consciously made changes to the software or to the processes, things change for various reasons: core conversions, vendor releases, new products and new transaction codes.  Because change is constant, it is a best practice to test data validity on a regular basis.    Consider this: if you do find a problem, it will be necessary to go back to the last data validation to determine the extent of the problem.  The longer you have waited, the bigger the problem!

The Known Knowns

Finally, a data validation would not be complete without considering what the data actually does and does not display.  For example, one weakness of many software monitoring programs is the inability to closely monitor transfer transactions.  Suppose a customer cashes a check and gives the proceeds to another customer who deposits the cash.  It is important to be able to determine how this information would be captured by the software.  In the alternative, if the information is not captured by the software, what provisions have been made to monitor such a transaction?

Model Validation

It is not enough to simply test whether or not the data in your BSA/AML software has been properly mapped.  You must also determine that the software is doing what the bank needs it to do to monitor suspicious activity.  

The OCC guidance points out that the use of models in any banking environment must fit within a risk framework.  This framework has essentially four elements:

·         Business and regulatory alignment – the model must fit the bank’s risk profile and regulatory requirements

·         Project management – a proper and appropriate implementation is an ongoing project that is as dynamic as the bank's operations

·         Enabling Technology – The use of the technology should facilitate the bank’s ability to meet its regulatory requirements

·         Supporting documentation – As a best practice, documentation of the rationale for using the model should be maintained. 

For BSA/AML monitoring software, the risk framework means that regulators expect financial institutions to know how their software works, as well as the "blind spots" for transactions that may not be completely covered by the way the software operates.   The expectation is that your staff will use monitoring software as a tool that is constantly being sharpened and improved.  The model validation process is the means to ensure that the software is improving.  

It's 11 pm – do you know what your software is doing?   

The first consideration in completing a model validation is to determine just which type of software you are using and how it works; in other words, the conceptual framework of the software.    

It is important to document that the institution is aware of which type of software it has.   Moreover, it is important to document how this software’s concept aligns with the risk profile.   The model has to be one that has the ability to discern the transactions that your BSA assessment has identified as higher risk.  Ultimately, the expectation is that you will be able to document what it is that your software is monitoring and how it is keeping track of your risky transactions.   You should be able to document just how alerts are created and what they mean.  Are you getting a report when a customer sends a wire for the first time?  How about the first time a wire goes to a foreign country?  Does the software have the ability to track and aggregate ALL transactions associated with one customer and her affiliates?   

Along the same lines, it is critical that a gap analysis is performed to determine where the system has “blind spots”.  Ultimately, the conceptual framework of the software that you are using must match the products, customers and transactions of your bank.  

Practice Makes Better (Never Perfect)

Many institutions are shocked to find that they have been criticized for keeping the default settings of the software.  We are being conservative, the logic goes, by keeping the settings of our software as wide open as possible.  However, this is most certainly not a best practice.  Models are supposed to be a tool that enhances the ability of the BSA staff to detect suspicious activity and act on that information as necessary.  Default settings do not reflect the risk profile of an individual institution and often lead to a large number of alerts.  When alerts are generated for transactions that are clearly ordinary or not at all suspicious, the output from the software becomes ineffective as the BSA staff spends hours on superfluous data.   The model has to be tuned to the risk profile of the institution so that it looks at data that is outside of that profile.  Therefore, as part of a model validation, it is necessary to review the rules or settings in place and to adjust them to optimize the software.   This process should be based upon both the experience of the BSA staff and comparative testing.  An effective means of optimization and tuning is to use several test accounts.  Using core data, a staff member can ensure that all transactions that should be considered suspect are being noticed by the software with alerts. 
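The test-account approach described above can be made repeatable: seed accounts whose activity the BSA staff know should alert, run the rule under the current settings and under the proposed ones, and check two things, that every seeded account still alerts and how many ordinary accounts alert alongside them. The following is an added example, not code from the original post or from any vendor's product. The scenario is a hypothetical "structuring" rule of the kind a rule-based system ships with (cash deposits kept under the $10,000 currency transaction reporting line that aggregate past it within a window); its parameters, the "default" and "tuned" profiles, and the sample ledger are all constructed for the example and are not any vendor's actual defaults.

```python
from collections import defaultdict
from datetime import date, timedelta

CTR_THRESHOLD = 10_000  # cash transactions at or above this are reported on a CTR anyway

# Hypothetical structuring scenario. The "default" profile is deliberately wide
# open; the "tuned" profile only counts near-threshold deposits in a short window.
# Both parameter sets are assumptions for this example, not any vendor's settings.
DEFAULT_SETTINGS = dict(window_days=30, min_single=0, min_count=2, agg_threshold=10_000)
TUNED_SETTINGS = dict(window_days=7, min_single=8_000, min_count=2, agg_threshold=10_000)


def structuring_alerts(transactions, window_days, min_single, min_count, agg_threshold):
    """Return the set of accounts whose cash deposits, each below the CTR line and
    at or above min_single, total agg_threshold or more within any window_days-day
    window containing at least min_count such deposits."""
    by_account = defaultdict(list)
    for account, day, amount in transactions:
        if min_single <= amount < CTR_THRESHOLD:
            by_account[account].append((day, amount))
    alerted = set()
    for account, deposits in by_account.items():
        deposits.sort()
        for i, (start, _) in enumerate(deposits):
            end = start + timedelta(days=window_days)
            in_window = [amt for day, amt in deposits[i:] if day < end]
            if len(in_window) >= min_count and sum(in_window) >= agg_threshold:
                alerted.add(account)
                break
    return alerted


def evaluate(transactions, settings, seeded_suspects):
    """Score a settings profile: every seeded suspect must alert (coverage), and
    every other account that alerts is analyst time spent on ordinary activity."""
    alerts = structuring_alerts(transactions, **settings)
    return {
        "alerts": sorted(alerts),
        "missed_suspects": sorted(set(seeded_suspects) - alerts),
        "false_positives": sorted(alerts - set(seeded_suspects)),
    }


def sample_transactions():
    """Constructed cash-deposit ledger: (account, post_date, amount)."""
    txns = []
    # T1, T2: seeded test accounts built from patterns the BSA staff know to be structuring.
    txns += [("T1", date(2016, 4, 1), 9_500), ("T1", date(2016, 4, 2), 9_600),
             ("T1", date(2016, 4, 4), 9_400)]
    txns += [("T2", date(2016, 4, 10), 9_900), ("T2", date(2016, 4, 11), 9_800)]
    # B1: cash-intensive business making small deposits every day for a month.
    txns += [("B1", date(2016, 4, 1) + timedelta(days=i), 2_000 + 100 * (i % 5))
             for i in range(30)]
    # C1: retail customer with two unrelated mid-size deposits three weeks apart.
    txns += [("C1", date(2016, 4, 5), 5_200), ("C1", date(2016, 4, 25), 5_100)]
    # D1: one deposit over the CTR line; that is a CTR filing, not a structuring case.
    txns += [("D1", date(2016, 4, 12), 12_000)]
    return txns


SEEDED_SUSPECTS = {"T1", "T2"}

if __name__ == "__main__":
    txns = sample_transactions()
    for name, settings in (("default", DEFAULT_SETTINGS), ("tuned", TUNED_SETTINGS)):
        print(name, evaluate(txns, settings, SEEDED_SUSPECTS))
```

On the constructed ledger the default profile alerts on all four accounts with more than one deposit, so half of the analyst's queue is the grocery store and the retail customer; the tuned profile alerts only on the two seeded accounts. The coverage check is the half that institutions skip: raising min_single a little further (to $9,700, say) silently drops T1, and only the seeded accounts reveal that the tuning went too far. Keep the seeded accounts and re-run this comparison at every validation, not just when settings change.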

Who’s Minding the Store?

The guidance from the OCC and the Federal Reserve also makes clear that a critical component of model risk management is output analysis.  The best data in the world will be ineffective in the hands of a staff member who does not know how to interpret it.  Moreover, the staff that receives and analyzes data must also have the authority to act on their conclusions.    The output of monitoring software should be reported to senior management on a regular basis along with information about the actions taken in response to the data.   It is not enough to show that the software is creating alerts that result in a Suspicious Activity Report (SAR).  The expectation is that at some point, when multiple SARs have been filed on a customer, the data will be reported to senior management and a decision will be made whether or not to continue the relationship with the customer. 

Governance (It ALWAYS Comes Down to This!)

Ultimately, model validation comes down to the overall governance being practiced at a bank.  Models are only as effective as the structure in which they are used.   The guidance notes that there has to be governance structure that surrounds the use of monitoring software.  This structure should include:

·         Senior Management and Board Involvement – through regular reporting to the Board or a committee of the Board

·         Policies and Procedures – which should be updated on an annual basis

·         Roles and Responsibilities – the staff who are responsible for reading and interpreting the data should be designated by the Board. 

·         Enterprise Risk Management and Reporting – the software must be dynamic and should change along with the risk profile of the bank.

·         Independent Audit and Testing- The overall model’s effectiveness should be reviewed and tested regularly by an independent party.

PLEASE JOIN US FOR OUR FREE 15-MINUTE WEBINAR "ARE BSA SOFTWARE INDEPENDENT REVIEWS NECESSARY?" THIS THURSDAY, APRIL 21, 2016 AT 10AM PST.  PLEASE GO TO WWW.VCM4YOU.COM TO REGISTER.



[1] See OCC 2011-12;  Federal Reserve SR 11-7
[2] Ibid 
[3] The guidance clearly applies to ALL banks. 

Wednesday, April 13, 2016


Getting to the Root of the Problem- An important Step to Strong Compliance

The compliance examiners are coming!  It is time to get everything together to prepare for the onslaught right?   Time to review every consumer loan that has been made and every account that has been opened in the last 12 months, right? Not necessarily; the compliance examination is really an evaluation of the effectiveness of your compliance management program (“CMP”).  By approaching your examinations and audits in the same manner, the response to the news of an upcoming review becomes (almost) welcome.  

The Elements of the CMP

There is really no “one size fits all” way to set up a strong compliance program.  There are, however, basic components that all compliance management systems need.  These components are often called the pillars of the CMP.  The pillars are:

·         Board Oversight

·         Policies and procedures

·         Management Information systems including risk monitoring

·         Internal Controls

The relative importance of each of these pillars depends on the risk levels at individual banks.  The compliance examination is a test of how well the bank has identified these risks and deployed resources.   For example, in a bank that has highly experienced and trained staff coupled with low turnover, the need for fully detailed procedures may be minimal.  On the other hand, at a bank where new products are being offered regularly, the need for training can be critical.   The central question is whether or not the institution has identified the risks of a compliance finding and having done so, taken steps to mitigate risks.  

Making the CMP fit Your Institution  


Making sure that your CMP is right-sized starts with an evaluation of the products that are being offered and the inherent risk in that activity.  For example, consumer lending comes with a level of risk.  Missed deadlines, improper disclosures or misinterpretations of the requirements of the regulations are risks that are inherent in a consumer portfolio.   In addition to the risks inherent in the portfolio are the risks associated with the manner in which the institution conducts its consumer business.   Are risk assessments conducted when a product is going to be added or terminated?  In many cases, either decision can create risks.  For example, the decision to cease making HELOCs may create a fair lending issue, while the decision to start making HELOCs has to be made in light of the knowledge and abilities of the staff that will be making the loans and the staff that will be reviewing for compliance.  

As a best practice, compliance has to be a part of the overall business and strategic plan of a financial institution.  The CMP has to be flexible enough to absorb changes at the bank while remaining effective and strong. 


The True Test of the CMP

Probably the most efficient way to determine the strengths and weaknesses of the CMP is by reviewing the findings of internal audits and examinations.  When reviewing these findings, what is most important is getting to the root of the problem.  Moreover, not only the findings but also the recommendations for improvement that can be found in examination and audit reports can be used to help "tell the story" of the effectiveness of the CMP.  It is very important to determine the root cause of the finding.  Generally, the answer will be extremely helpful in addressing the problem.  There are times when the finding is the result of a staff member having a bad day.  On those bad days, even the secondary review may not quite catch the problem.  For the most part, these are the types of findings that should not keep you up at night. 


The findings that cause concern are the ones that result from a lack of knowledge or a lack of information about the requirements of a regulation.  These findings are systemic and tend to raise the antennae of auditors and examiners.  Unfortunately, too often the tendency is to respond to this kind of finding by agreeing with it and promising to take immediate steps to address it.  Without knowing the root cause of the problem, the fix becomes the banking version of sticking one's finger in the dike to avoid a flood.  

Addressing Findings  

We suggest a five step process to truly address findings and strengthen the CMP.

1.       Make sure that the compliance staff truly understands the nature of the finding.  This may sound obvious, but far too many times a great deal is lost in translation between the readout and the final report.  If staff feels that what was discussed at the exit meeting doesn't match the final report, there is a communication concern.  We recommend fighting the urge to dismiss the auditor/examiner as a crank!  Call the agency making the report and get clarification to make sure that the concern being expressed is understood by staff.   

2.       Develop an understanding of the root cause of the finding.  Does this finding represent a problem with our training?  Perhaps we have not deployed our personnel in the most effective manner.  It is critical that management and the compliance team develop an understanding of why this finding occurred in order to address it most effectively.  

3.       Assign a person responsible, along with an action plan and benchmark due dates.   Developing the plan of action and setting dates creates accountability for ensuring that the matter is addressed. 

 4.       Assign an individual to monitor progress in addressing findings.  We also recommend that this person should report directly to the Audit Committee of the Board of Directors.  This builds further accountability into the system.   

5.       Validate the response.   Before an item can be removed from the tracking list, there should be an independent validation of the response.  For example, if training was the issue; the response should not be simply that all staff have now taken the training.  The process should include a review of the training materials to ensure that they are sufficient, feedback from staff members taking the training, and finally a quality control check of the area affected.   

Not only does determining the root cause of a problem make the response more effective, but in doing so, the CMP will be strengthened.  For example, it may be easy to see a problem with providing right of rescission disclosures.  It may be harder to see that the problem is not the people at all, but that the training they received is confusing and ineffective.  Only by diving into the root cause of the problem can the CMP be fully effective. 

Sunday, April 3, 2016


Why Should Small Financial Institutions Perform Compliance Risk Assessments?   

The concept of risk assessments is often associated with large banks and financial institutions – but it shouldn’t be.  Oftentimes, the ugly truth about risk assessments is that they are prepared specifically to meet a regulatory requirement and not much more.  Perform an annual risk assessment for BSA, get it approved and for the most part, put it away and don’t think about it again until the next year.    

Risk assessments can, and should be, used as a tool in the overall compliance toolkit.  When a compliance risk assessment is properly completed and deployed, it has many uses including audit planning, cost reduction, training development and resource allocation, to name a few.  Ultimately, the risk assessment should be used as the bedrock of a strong compliance program.

The Component Parts of a Strong Compliance Risk Assessment

Past examination and audit results- It goes without saying that the past can be prelude to the future, especially in the area of compliance.  Prior findings are an immediate indication of problems in the compliance program.  It is important that the root cause of the finding is determined and addressed.  The compliance risk assessment has to include a description of the cause of the findings and the steps being taken to mitigate the risk of a repeat.  We recommend that the action be more than additional training.  Training tends to be the number one answer and of course it is important.  However, without testing to determine whether or not the training is effective, the risk of repeat findings remains high.  It should also be noted that a lack of past findings does not necessarily mean that the coast is clear.  Each compliance area should be reviewed and rated regardless of whether there were past findings.  In some cases, there are findings that are lying in wait and have not yet been discovered.

Changes in staff and management- Change is inevitable, and along with change comes the possibility that additional training should be implemented or that the resources available to staff should also change.  For example, suppose the head of note operations is brand new.  This new manager will want to process loans using her/his own system.  Loan staff who may be used to doing compliance checks at certain times during the loan origination process might become confused.  This increases the possibility of findings or mistakes.  Your compliance risk assessment should take into account the risks associated with changes and how best to address them.

Changes in products, customers or branches- Continuing with the idea that change is going to happen, it is important that your risk assessment consider all the different aspects of changes that have occurred or will occur in the Bank during the year.  This will include any new products or services, new vendors, and marketing campaigns that are designed to entice new types of customers.  The risk assessment should consider what resources will be required and how they should best be deployed.  Before new products are introduced, the compliance team has to consider the time necessary to make sure that all of the processes are in place.  New advertising means both technical and fair lending compliance considerations.

Changes in Regulations- Over the past five years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies.  Many of these changes do not impact small financial institutions directly, but many do.  Moreover, there are often regulations that are finalized in one year that don’t become effective until the following year.  Part of your risk assessment process has to consider changes that affect your bank or will affect your bank.  As a best practice, it is advisable to review the annual report of your regulator to determine the areas of focus that are planned for the year.  Most regulators are transparent with this information and their publications will indicate areas of examiner focus for the upcoming year.

Monitoring systems in place- Finally, the systems that you use to monitor compliance should be considered.  For many small institutions, this system is comprised of word of mouth and the results of audits and examinations.  Part of your assessment should include a plan to do some basic testing of compliance on a regular basis.  After all, an ounce of prevention…

The Analysis

Once you have gathered all of the information necessary for completing the analysis, we suggest using an analysis that doesn’t necessarily assign numbers to risk, but prioritizes the potential for findings.  Remember, the effectiveness of your compliance program is ultimately judged by the level and frequency of findings.  The effective risk assessment reviews those areas that are most likely to result in findings and develops a plan for reduction.

Inherent Risk

For each regulation that applies to your institution, you must first determine the level of inherent risk.  According to the Federal Reserve Bank, inherent risk can be defined this way: 

Inherent consumer compliance risk is the risk associated with product and service offerings, practices, or other activities that could result in significant consumer harm or contribute to an institution’s noncompliance with consumer protection laws and regulations. It is the risk these activities pose absent controls or other mitigating factors.[1]

Your compliance risk assessment should consider the inherent risk associated with each product that is offered.  For each regulation, consideration should be given to the penalties associated with a violation.  As a best practice, the likelihood of review of the area by regulators should also be factored into the overall level of inherent risk.  For example, flood insurance is an area that is likely to be examined each and every time the examiners conduct a review and this should factor into the overall inherent risk rating of the area.  

Effectiveness of Controls  

Once the inherent risk has been established, the next step is to assess the overall effectiveness of internal controls.  Your internal controls are the policies, procedures, training and monitoring that are performed on a regular basis.   This includes audits and internal reviews that are performed by the compliance department.  

To complete the analysis it is necessary to be self-reflective, honest and brutal!  If staff is weak in its understanding of the requirements of Regulation B, it is necessary to state that and make a plan to address the weakness.  If more training is necessary or if, heaven forbid, a consultant is needed in certain areas, it really is appropriate as part of the assessment to say so and attempt to make the case to management.  We have found that the cost of compliance goes up geometrically when a bank is faced with an enforcement action.  It is much more efficient to seek assistance when there are only potential problems as opposed to when actual problems have been found.


Residual Risk  

Residual risk is defined as the possibility that compliance findings will occur after consideration of the effectiveness of controls.  The less effective the controls, the higher the residual risk.  Again, it is critical that the assessment in this area be brutally honest.  If overall controls are not what they should be, the weaknesses that exist should be reflected in the risk assessment.  The goal of the assessment is to determine the areas that have the highest levels of risk and to allocate resources accordingly.

Using the Document

The compliance risk assessment is like a Swiss army knife: it has several uses.  First, the compliance risk assessment should be used to help with the planning and scoping of audits for the year.  The highest areas of risk should receive the greatest scrutiny by the auditors.  Moreover, the highest risk areas should be scheduled for review as early in the year as possible so that remediation efforts can be commenced and tested.

Rather than setting a basic training schedule, use the assessment to make sure that classes are focused on areas where the risk assessment has shown the potential for problems.  The risk assessment can also be used to set the priorities for which policies and procedures need to be updated and in what order.  The compliance risk assessment is also a good tool for measuring the level and quality of compliance resources, which must be considered as part of the risk assessment process.  As the process is concluded, it is natural to use the results to develop specific requests for additional staff, software, training or other resources that are necessary to maintain a strong compliance program.

Creating the Compliance Environment

Probably the greatest untapped asset for any compliance officer is the staff at your institution.  Without the support and input of the people who are actually contacting customers and performing day to day operations, the effectiveness of your compliance program will be greatly limited.  Of course, one of the greatest impediments to getting the “buy-in” of staff is the perception that many in the banking industry have of compliance.  There is generally a dislike and disdain for anything compliance related.  Compliance rules have been developed over time in response to unfair and sometimes immoral behavior on the part of banks.  Most of the regulations have a history that is interesting and can help explain what it is that the regulation is attempting to address.  Taking the time to discuss the history of the regulations and what it is that they are trying to address can go a long way toward getting staff involvement.

Making sure that senior management accepts the importance of compliance and the costs of non-compliance can also help increase support.

A comprehensive compliance risk assessment should be the key to a strong compliance program.


[1] Community Bank Risk-Focused Consumer Compliance Supervision Program