Why Should Small Financial Institutions Perform Compliance Risk Assessments?
The concept of risk assessments is often associated with large banks and financial institutions – but it shouldn't be. Oftentimes, the ugly truth about risk assessments is that they are prepared specifically to meet a regulatory requirement and not much more: perform an annual risk assessment for BSA (Bank Secrecy Act) purposes, get it approved and, for the most part, put it away and don't think about it again until the next year.
Risk assessments can, and should, be used as a tool in the overall compliance toolkit. A compliance risk assessment that is properly completed and deployed has many uses, including audit planning, cost reduction, training development and resource allocation, to name a few. Ultimately, the risk assessment should be the bedrock of a strong compliance program.
The Component Parts of a Strong Compliance Risk Assessment
Past examination and audit results - It goes without saying that the past can be prelude to the future, especially in the area of compliance. Prior findings are an immediate indication of problems in the compliance program. It is important that the root cause of each finding is determined and addressed. The compliance risk assessment has to include a description of the cause of the findings and the steps being taken to mitigate the risk of a repeat. We recommend that the action be more than additional training. Training tends to be the number one answer, and of course it is important. However, without testing to determine whether or not the training was effective, the risk of repeat findings remains high. It should also be noted that a lack of past findings does not necessarily mean that the coast is clear. Each compliance area should be reviewed and rated regardless of whether there were past findings. In some cases, there are findings that are lying in wait and have not yet been discovered.
Changes in staff and management - Change is inevitable, and along with change comes the possibility that additional training should be implemented or that the resources available to staff should also change. For example, suppose the head of note operations is brand new. This new manager will want to process loans using her/his own system. Loan staff who are used to doing compliance checks at certain points during the loan origination process might become confused. This increases the possibility of findings or mistakes. Your compliance risk assessment should take into account the risks associated with changes and how best to address them.
Changes in products, customers or branches - Continuing with the idea that change is going to happen, it is important that your risk assessment consider all the different aspects of changes that have occurred or will occur in the bank during the year. This will include any new products or services, new vendors, and marketing campaigns that are designed to entice new types of customers. The risk assessment should consider what resources will be required and how they should best be deployed. Before new products are introduced, the compliance team has to consider the time necessary to make sure that all of the required processes are in place. New advertising brings both technical and fair lending compliance considerations.
Changes in regulations - Over the past five years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies. Many of these changes do not impact small financial institutions directly, but many do. Moreover, regulations are often finalized in one year but do not become effective until the following year. Part of your risk assessment process has to consider changes that affect your bank now or will affect it later. As a best practice, it is advisable to review the annual report of your regulator to determine the areas of focus that are planned for the year. Most regulators are transparent with this information, and their publications will indicate areas of examiner focus for the upcoming year.
Monitoring systems in place - Finally, the systems that you use to monitor compliance should be considered. For many small institutions, this system consists of word of mouth and the results of audits and examinations. Part of your assessment should include a plan to do some basic testing of compliance on a regular basis. After all, an ounce of prevention...
The Analysis
Once you have gathered all of the information necessary for completing the analysis, we suggest an analysis that doesn't necessarily assign numbers to risk but instead prioritizes the potential for findings. Remember, the effectiveness of your compliance program is ultimately judged by the level and frequency of findings. An effective risk assessment reviews those areas that are most likely to result in findings and develops a plan for reducing them.
Inherent Risk
For each regulation that applies to your institution, you
must first determine the level of inherent risk. According to the Federal Reserve Bank,
inherent risk can be defined this way:
Inherent consumer compliance risk is the risk associated with
product and service offerings, practices, or other activities that could result
in significant consumer harm or contribute to an institution’s noncompliance
with consumer protection laws and regulations. It is the risk these activities
pose absent controls or other mitigating factors.[1]
Your compliance risk assessment should consider the inherent risk associated with each product that is offered. For each regulation, consideration should be given to the penalties associated with a violation. As a best practice, the likelihood that regulators will review the area should also be factored into the overall level of inherent risk. For example, flood insurance is an area that is likely to be examined each and every time the examiners conduct a review, and this should factor into the overall inherent risk rating of the area.
Effectiveness of Controls
Once the inherent risk has been established, the next step
is to assess the overall effectiveness of internal controls. Your internal controls are the policies, procedures,
training and monitoring that are performed on a regular basis. This includes audits and internal reviews
that are performed by the compliance department.
To complete the analysis it is necessary to be self-reflective, honest and brutal. If staff is weak in its understanding of the requirements of Regulation B, it is necessary to state that and make a plan to address the weakness. If more training is necessary or if, heaven forbid, a consultant is needed in certain areas, it really is appropriate as part of the assessment to say so and attempt to make the case to management. We have found that the cost of compliance goes up geometrically when a bank is faced with enforcement action. It is much more efficient to seek assistance when there are only potential problems as opposed to when actual problems have been found.
Residual Risk
Residual risk is the possibility that compliance findings will occur after the effectiveness of controls has been taken into account. The less effective the controls, the higher the residual risk. Again, it is critical that the assessment in this area be brutally honest. If overall controls are not what they should be, the weaknesses that exist should be reflected in the risk assessment. The goal of the assessment is to determine the areas that have the highest levels of risk and to allocate resources accordingly.
Using the Document
The compliance risk assessment is like a Swiss army knife - it has several uses. First, the compliance risk assessment should be used to help with the planning and scoping of audits for the year. The highest areas of risk should receive the greatest scrutiny by the auditors. Moreover, the highest risk areas should be scheduled for review as early in the year as possible so that remediation efforts can be commenced and tested.
Rather than setting a basic training schedule, use the assessment to make sure that classes are focused on areas where the risk assessment has shown the potential for problems. The risk assessment can also be used to set the priorities for which policies and procedures need to be updated and in what order. The compliance risk assessment is also a good tool for measuring the level and quality of compliance resources: as part of the risk assessment process, the level and quality of resources must be considered, and as the process concludes it is natural to use the results to develop specific requests for additional staff, software, training or other resources that are necessary to maintain a strong compliance program.
Creating the Compliance Environment
Probably the greatest untapped asset for any compliance officer is the staff at your institution. Without the support and input of the people who are actually in contact with customers and performing day-to-day operations, the effectiveness of your compliance program will be greatly limited. Of course, one of the greatest impediments to getting the "buy-in" of staff is the perception that many in the banking industry have of compliance. There is generally dislike and disdain for anything compliance related. Compliance rules have been developed over time in response to unfair and sometimes immoral behavior on the part of banks. Most of the regulations have a history that is interesting and can help explain what it is that the regulation is attempting to address. Taking the time to discuss the history of the regulations and what they are trying to address can go a long way toward getting staff involvement.
Making sure that senior management accepts the importance of compliance and the costs of non-compliance can also help increase support.
A comprehensive compliance risk assessment should be the key to a strong compliance program.