Thursday, May 26, 2016


Having the “Compliance Conversation” in the Face of Changing Expectations


One of the constants in the world of compliance is change. This has been especially true in the last few years: not only have new regulations been issued, but there is now an entirely different agency that regulates banks. Right now, most are unsure just how the Consumer Financial Protection Bureau (“CFPB”) will affect the banks it does not primarily regulate. However, it is a good bet that much of what is done by the CFPB will also be implemented in one form or another by the other prudential regulators.

One of the other constants in compliance has been skepticism about consumer laws in general, and the need for compliance specifically.  It is often easy to feel the recalcitrance of the senior management at financial institutions to the very idea of compliance.  Even institutions with good compliance records often tend to do only that which is required by the regulation.  In many cases, they do the minimum for the sole purpose of staying in compliance and not necessarily because they agree with the spirit of compliance.  Indeed, skepticism about the need for consumer regulations as well as the effectiveness of the regulations are conversations that can be heard at many an institution. 

The combination of changes in the consumer regulations, changes at regulatory agencies and changes in the focus of these agencies presents both a challenge and an opportunity for compliance staff everywhere.  It is time to have “the talk” with senior management. What should be the point of the talk?  Enhancements in compliance can help your bank receive higher compliance ratings while improving the overall relationship with your primary regulator. 

The Compliance Conversation

While there are many ways to try to frame the case for why compliance should be a primary concern at a bank, there are several points that may help to convince a skeptic. 

1)      Compliance regulations have been earned by the financial industry. A quick review of the history of the most well-known consumer regulations will show that each of these laws was enacted to address bad behaviors of financial institutions. The Equal Credit Opportunity Act was passed to help open up credit markets to women and minorities who were being shut out of the credit market. The fair lending laws, HMDA and the Community Reinvestment Act were passed to assist in the task of the ECOA. In all of these cases, the impetus for the legislation was complaints from the public about the behavior of banks. The fact is that these regulations are there to prevent financial institutions from hurting the public.

2)      Compliance will not go away! Even though there have been changes to the primary regulations, there has been no credible movement to do away with them. Banking is such an important part of our economy that it will always receive a great deal of attention from the public and therefore legislative bodies. In point of fact, the trend for all of the compliance regulations is that they continue to expand. The need for a compliance program is as basic to banking as the need for deposit insurance. Since compliance is, and will be, a fact of banking life, the prudent course is to embrace it.

3)      Compliance may not be a profit center, but a good compliance program cuts way down on the opportunity costs of regulatory enforcement actions. Many financial institutions tend to be reactive when it comes to compliance. We understand; there is a cost-benefit analysis that is done and often, the decision is made to “take our chances” and get by with a minimal amount of resources spent on compliance. However, more often than not the cost-benefit analysis does not take into account the cost of “getting caught”. Findings from compliance examinations that require “look backs” into past transactions and reimbursement to customers who were harmed by a particular practice are an extremely expensive experience. The costs for such actions include costs of staff time (or temporary staff), reputational costs and the costs associated with correcting the offending practice. A strong compliance management system will help prevent these costs from being incurred and protect the institution’s reputation, which at the end of the day is its most important asset.

 

4)      Compliance is directly impacted by the strategic plan. Far too often, compliance is not considered as institutions put together their plans for growth and profitability. Plans for new marketing campaigns or new products being offered go through the approval process without the input of the compliance team. Unfortunately, without this consideration, additional risk is added without awareness of how that risk can be mitigated. When compliance is considered in the strategic plan, the proper level of resources can be dedicated to all levels of management and internal controls.

 

5)      There is nothing about being in compliance that will get in the way of the bank making money and being successful. Many times the compliance officer gets portrayed as the person who keeps saying no: “No!” to new products, “No!” to new marketing, and “No!” to being profitable. But the truth is that this characterization is both unfair and untrue. The compliance staff at your institution wants it to make all the money that it possibly can while staying in compliance with the laws that apply. The compliance team is not the enemy. In fact, the compliance team is there to solve problems.

 

Getting the Conversation to Address the Future

Today there are changes in the expectations that regulators have about responding to examination findings and the overall maintenance of the compliance management program. There are three fronts that may seem unrelated at first, but when put together make powerful arguments about how compliance can become a key component in your relationship with the regulators.

First, the prudential regulators have made it clear that they intend the review of the compliance management program to directly impact the overall “M” rating within the CAMEL ratings.   The thought behind evaluating the compliance management program as part of the management rating is that it is the responsibility of management to maintain and operate a strong compliance program.  The failure to do so is a direct reflection of management’s abilities.  Compliance is now a regulatory foundation issue. 

Second, now more than ever, regulators are looking to banks to risk assess their own compliance and, when problems are noted, to come forward with the information. The CFPB, for example, published guidance in 2013 (Bulletin 2013-06) that directly challenged banks to be corporate citizens by self-policing and self-reporting. It is clear that doing so will enhance both the reputation and the relationship with regulators. The idea here is that by showing that you take compliance seriously and are willing to self-police, the need for regulatory oversight can be reduced.

Finally, the regulators have reiterated their desire to see financial institutions address the root causes of findings in examinations. There have been recent attempts by the Federal Reserve and the CFPB to make distinctions between recommendations and findings. The reason for these clarifications is so that institutions can more fully address the highest areas of concern. By “addressing”, the regulators are emphasizing that they mean dealing with the heart of the reason that the finding occurred. For example, in a case where a bank was improperly getting flood insurance, the response cannot simply be to tell the loan staff to knock it off! In addition to correcting mistakes, there is either a training issue or perhaps staff are improperly assigned. What is the reason for the improper responses? That is what the regulators want addressed.
The opportunity exists to enhance your relationship with your regulators through your compliance department.  By elevating the level of importance of compliance and using your compliance program as a means of communicating with your regulators, the compliance conversation can enhance the overall relationship between your institution and your regulator.

Tuesday, May 17, 2016


Why do Examination Outcomes Seem so Different From Year to Year?

 

Many of you who have been in compliance for several years can attest to the experience; five years in a row with a satisfactory rating and then suddenly, everything is wrong.   We have heard this story countless times and in various situations, but the gist is the same.  “We haven’t changed anything that we have done” you say to yourself.  The same policies and procedures, same products, same customers and the same staff and yet, the outcome of the examination is entirely different.  What was once a “satisfactory” rating now is “needs improvement” and in the most extreme cases, enforcement action is pending.  How can this be?  If nothing has changed at your financial institution, then why should the ratings change?  Does it mean that the other examiners didn’t know what they were talking about?  Or perhaps the current examiners came in with an agenda.  

There have been some cases where a particular practice has been reviewed without comment in the past and is now listed as a finding or regulatory violation.  In the compliance world it can often seem that predicting the outcome of an examination is as difficult as predicting the weather.   There are certain steps that you can take to greatly reduce uncertainty.   

Understanding the Examination Process

There are several factors that impact the examination process for financial institutions and it is important to keep these in mind as part of your planning process.   

·         Risk Based: The examination process is risk based. Regulators have finite resources to monitor and regulate the institutions that they are charged with supervising. To address limited resources, at the beginning of each operation year, they go through a risk assessment process that is designed to consider the highest areas of risk within the pantheon of compliance regulations and rules. In addition, the regulators develop a formula for risk rating the institutions that they supervise. Institutions that had previous problems and poor examination results present the highest areas of risk while the steady performers tend to be low risk.

·         Focus Based: As part of the risk assessment process, the regulatory agency determines the areas of focus that they will pursue in the upcoming year. The focus is often based upon the results of the previous year’s examinations and trends in findings. Focus can also be on new regulations or on areas that have received public attention in the past. The good news here is that the agencies make their deliberations public and announce the areas of focus for the upcoming year.

·         Relationship Based: One factor that is often overlooked is the relationship between your regulatory agency and your management. The whole process of regulatory administration is a relationship. The more cooperative the relationship, the more information can be obtained and shared between your institution and your regulator. All of the prudential regulators have made it clear that there is a reward for “self-policing”. Self-policing involves reporting to regulators when you detect problems, determining the root cause and developing a plan for mitigating the problem.

·         Current Event Based: Another factor that is overlooked is how the regulatory agencies are impacted by current events. Most consumer regulations that have been enacted were the result of a public outcry about practices that were considered onerous. When events occur throughout the world that gain the attention of politicians and the general public, they can impact the way financial organizations are examined. For example, when stories of human trafficking receive a great deal of attention in news media, Bank Secrecy Act examinations can easily be impacted and an increased focus in this area could be the result.

 

Preparing for Your Examination

It is important to keep all of these factors in mind when preparing for your next examination.   As part of the preparation process, there are several steps that you can take to reduce anxiety and uncertainty in the examination process.   

·         Ask Questions: Once you receive the examination information request package, the time is right to strike up a conversation with the examiner in charge and the field manager responsible for your institution. Ask about the areas of focus for the examination team. Also, get a good idea of what it is that they are finding as problems in other institutions. Remember the examination process has a relational aspect to it. The more conversations you can have, the more information you can use in preparation.

·         Get to Know the Examination Team: The more that you get to know about the members of the examination team, the more you can tell where the examination will focus. Each examiner brings with them a set of skills and interests that they will naturally rely on when doing their work. For example, an examiner may consider him or herself to be an expert on flood insurance while being weak in compliance operations. With this information, you can be fairly certain which of the two topics will get the most attention from this particular examiner.

·         Be Helpful (to a Point): Make sure that you get all of the information requested to the examination team with all deliberate speed. The quicker that the information is obtained, the quicker the examination will go. Just a point of information here: you should never be afraid to say “I don’t know” in answer to a question. One of the most common mistakes made during preparation for an examination is to try to finesse an answer, which leads to mistrust, mistakes and misinformation.

·         Close all Information Gaps:   It is really important to make sure that you understand what the examiners are asking for and what the examination process will be.  It is also important to make sure that key information from your institution is communicated.  If there have been major personnel changes for example, it is important to let the examiners know that and how those changes have impacted your compliance program.   For example, if your compliance officer recently won the lottery and took an early retirement, your compliance program is likely to be dramatically impacted.    

After the Examination  

Once the examination is completed, even in cases where the outcome is very different from the past, finding out what the findings actually are is an important first step. It is critical to find out all you can from the examiner when they are presenting the finding. In many cases, findings are the result of a miscommunication or misunderstanding of questions being asked. For example, at one bank, an examiner asked where flood insurance policies are stored and was told they are kept in the loan file. However, the person who gave this answer was unaware that the procedure had been changed and flood loan policies were now kept in a different place. In this case, the examiners originally were ready to cite the bank for several violations of the flood rules because the information in the loan files was stale. It is very important to determine from the outset the exact nature of the violation being cited.

 

We are aware that many financial institutions either don’t agree with a finding or have misgivings about it, but go along to get along. While this practice may seem to make life easier, it is not actually the most prudent path to take. ASK for clarification. This is not to be argumentative, but without doing so, you can lock yourself into an untenable position in the event that the examiner is asking something of the institution that is infeasible (e.g., acquiring a new software program). This is also why it is important to understand the source of the finding: if it is an interpretation of the regulation, there is likely to be a change in the next examination, since different examination teams have different interpretations of the regulation. Ultimately, a forceful yet respectful disagreement is a good thing and is respected by the regulators.

 

“Normalizing” the Examination Process 

There is a well-known commercial for an investment fund that reminds us that “past performance is not a guarantee of future returns”.  The same can be said of the examination process.   A satisfactory rating in the past is simply not a guarantee of the same rating in the future, even if nothing has changed.  There are many factors that come together during an examination and as a best practice considering each of these factors will help to make the outcome of examinations more consistent.  

 

PLEASE JOIN US FOR OUR FREE 15-MINUTE WEBINAR “WHY ARE EXAMINATION OUTCOMES SO DIFFERENT?” THE WEBINAR WILL BE CONDUCTED THIS THURSDAY APRIL 19, 2016 AT 10 AM PST.

FOR INFORMATION PLEASE VISIT WWW.VCM4YOU.COM

Thursday, May 12, 2016


Do you Know Your Risk Appetite?

As part of the development of a comprehensive compliance management program, there are specific roles for senior management and another set of roles for the Board of Directors. Senior management has a functional role that includes the development of written policies and procedures that are then presented to the Board for approval. On the other hand, the Board of Directors’ role includes setting limits and overall policy guidelines. Among the most important roles of the Board is to determine the overall risk appetite of the institution. Traditionally, the way that the Board fulfills this function is by developing a risk appetite statement with metrics for measuring adherence to the risk limits. For Community Banks and small financial institutions, the idea of a risk appetite statement and metrics may seem like a case of overkill. However, development of the risk appetite framework can be an invaluable tool for strategic planning and resource allocation.

In one way or another, all financial institutions are making a statement about their risk appetite. Some choose to consider appropriate risk levels directly and many more do so indirectly. Each product and service that is offered at an institution, vis-a-vis the resources that are dedicated to compliance, creates a statement of sorts. When an institution decides to offer products and services, compliance risks attach regardless of what those products are. The compliance culture that is developed to support products and services is a form of risk statement. The less emphasis that is placed on compliance, the higher the risk that the institution is willing to take. In many cases, when institutions get into significant regulatory trouble, the root cause is an imbalance between risk appetite and risk management. Offering a new product without the proper systems in place to monitor compliance, and without staff that has the expertise to administer it, is the same as a statement that the risk appetite is high.

Principles Associated with the Risk Appetite Framework

The idea here is that the Board, with the assistance of Senior Management, should develop the “rules of the road” for your institution. If there are certain levels of risk that the institution is/isn’t willing to take, then the Board should clearly state that position. The same is true for risk that the Board may be willing to take after consideration and approval. For example, the Board may state that it does not want the financial institution to make auto loans at all. However, the best customer of the institution tells a loan officer that he wants a car loan for his son. The loan officer believes that the customer may be lost if he isn’t accommodated. The auto loan is presented to the Board for approval and an exception may be made.

The basic principles for a risk appetite should include at least four considerations: 

1.       The capital level of the institution; Since capital is ultimately what keeps the institution alive, a healthy level of capital must be a consideration in the overall willingness to accept risk.

2.       Compensation of staff; The extent to which staff compensation is tied to profits is a risk management consideration. Incentives should be weighted toward the idea that profit should be achieved within the risk framework of the institution.

3.       Customer Service; As mentioned above there are times when meeting the needs of the customer base that the institution is trying to maintain may require actions that are out of the ordinary.  The ability of your institution to meet those needs should be considered in the risk appetite framework.   If your customer base happens to be high risk, then the products and services that you will offer are also high risk.  [1]

4.       Compliance; For each consideration of risk, there should be a consideration of the resources that will be allocated to mitigate the associated potential for regulatory violations. 

 

The risk appetite framework should be developed to balance the interplay of the four principal areas of consideration. For example, a higher level of capital should mean that the level of risk appetite is higher than when capital is low. Considerations of customer service have to be tempered by capital levels; and so it goes.

Compliance as Part of the Risk Appetite    

There are many institutions that consider themselves either low risk or no risk for compliance issues because limited retail products and services are offered. However, compliance is part of this overall process regardless of whether or not you’re in a retail institution. There are ALWAYS compliance issues. Regulations such as the Equal Credit Opportunity Act, Anti-money laundering regulations and Unfair Deceptive Abusive Acts or Practices regulations apply to all financial institutions.

In any financial institution, there are competing interests, and the need to achieve and maintain profitability is often the counterbalance to taking increased risk. Banking is, after all, at its essence the management of risk. When the competing interests are out of balance, the trouble starts. Today many financial institutions find themselves searching for sources of income that are different from the traditional positive net interest margins. The search for nontraditional income has led to consideration of products such as short term loans, MSBs and mobile banking. Each of these products has a level of inherent risk as well as substantial potential for profits. However, the compliance apparatus in place at a financial institution can either significantly raise or reduce the level of inherent risk. Over the past several years, institutions have found themselves in regulatory trouble by offering products that they either do not fully understand or do not have the necessary ability to administer.

There are many examples of institutions that have allowed the push for profits to far outstrip the compliance program.  In fact, on the websites of each of the major regulatory agencies, there are examples of enforcement actions that have been taken as the result of failure to properly maintain a compliance program.  

Using the risk framework to help with prioritizing  

When a risk appetite framework is developed and implemented even by a small financial institution, the overall effect on compliance is positive. The process for developing the framework forces a level of consideration and discipline on the Board and senior management that is useful. The risk appetite process is conducted by comparing the products and services that the institution wishes to offer with its ability to safely offer those products and services.

When a new product is considered, it should receive the same level of thought and consideration. High risk products are not in and of themselves a regulatory “no-no”. For each additional product or service, the risk appetite of the Board should be considered along with the necessary expenditure on compliance resources.

Remember the overall state of your CMP says a great deal about your risk appetite.  

 

 
FOR MORE BLOGS, FORMS AND INFORMATION, PLEASE VISIT OUR WEBSITE AT WWW.VCM4YOU.COM


[1] Please note: there are no regulatory bans on high risk customers or clients, just a requirement that the high risks are properly managed.

Tuesday, May 3, 2016


Why is there a Diversity Section in the Dodd-Frank Act?  

The Dodd–Frank Wall Street Reform and Consumer Protection Act of 2010 was one of the most sweeping banking laws that have been enacted in many years. Of course, the legislation was passed against the backdrop of one of the largest financial crises in world history. The legislation has many sections and several of the provisions have been heavily discussed. However, one section of the act, Section 342, has not received much discussion or fanfare at all. What is Section 342? It is the section that establishes the Office of Minority and Women Inclusion.

Are you Aware that the FFIEC has released Guidance Standards for Diversity in Hiring and Procurement? 

On Oct. 25, 2013, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corp., National Credit Union Administration, Consumer Financial Protection Bureau, and Securities and Exchange Commission (SEC), which are collectively known as the FFIEC, issued a proposed interagency policy statement on diversity. Section 342 of the Dodd-Frank Act requires these agencies to develop standards for regulated entities to assess diversity. The final rule was issued and took effect on June 10, 2015.

 First Things First-What is this all about?   

One of the things that the Dodd-Frank Act addresses is the effort being made by financial institutions in the area of inclusion of women and minorities in the overall hiring and procurement processes.  The legislative discussion of Section 342 of the Dodd-Frank Act helps to describe what it is that this section of the law is designed to do.   

The Agencies believe that a goal of Section 342 is to promote transparency and awareness of diversity policies and practices within the entities regulated by the Agencies. The establishment of standards will provide guidance to the regulated entities and the public for assessing the diversity policies and practices of regulated entities. In addition, by facilitating greater awareness and transparency of the diversity policies and practices of regulated entities, the standards will provide the public a greater ability to assess diversity policies and practices of regulated entities. The Agencies recognize that greater diversity and inclusion promotes stronger, more effective, and more innovative businesses, as well as opportunities to serve a wider range of customers.[1] 

 

Put another way, the Dodd-Frank Act is trying to get financial institutions to get to know their entire assessment area not only as customers, but as potential employees and contractors.   We believe that this fits in with a larger direction to financial institutions that they should get to know the credit and financial needs of the communities they serve.   Much like the Community Reinvestment Act, there is nothing in the law or the guidance that directs institutions to lower standards or to set quotas.  Instead, the idea here is to make sure that the employment and procurement processes are inclusive.   The fact is that there are many “diamonds in the rough” that go overlooked and as a result, are unbanked or underemployed. 

 Will This Require a Whole new Reporting Process?  

The guidance requires an annual statement on the diversity practices of the Banks and credit unions.  Based upon the standards in the rule, it is not likely that a whole new data collection regime will be required.  Instead, it will be the duty of the Board and senior management to include diversity considerations in the strategic plan and ongoing monitoring of performance.  

 

 According to the proposed guidance, the expectation will be that institutions will:

  • Include diversity and inclusion considerations in the strategic plan
  • Have a diversity and inclusion plan that is reviewed and approved by the Board
  • Have regular reports to the Board on progress
  • Provide training to all affected staff
  • Designate a senior officer as the person responsible for overseeing and implementing the plan

 

 

What does Diversity Mean? 

For purposes of this definition, “minority” is defined as Black Americans, Native Americans, Hispanic Americans, and Asian Americans, which is consistent with the definition of “minority” in Section 342(g)(3) of the Act.

The final Policy Statement also states that this definition of diversity “does not preclude an entity from using a broader definition with regard to these standards.” This language is intended to be sufficiently flexible to encompass other groups if an entity wants to define the term more broadly. For example, a broader definition may include the categories referenced by the Equal Employment Opportunity Commission (EEOC) in its Employer Information Report EEO-1 (EEO-1 Report), [2] as well as individuals with disabilities, veterans, and LGBT individuals.

While this may seem like a long list of new requirements, in our opinion that is not the case at all. When developing a strategic plan and assessing the credit needs of the community, the idea of diversity should be part and parcel of the basic considerations and projections. It is clear that regulators will increasingly focus on financial institutions’ ability to identify the financial needs of the communities they serve and to match how the banks’ activities meet those needs. In addition, we believe that examiners will ask financial institutions to document the reasons why they are not able to offer certain products. The same will be true in the area of hiring and procurement. Financial institutions will need to be able to document diversity efforts and to have a good explanation for the lack of diversity.

 

It should be emphasized that we do not believe that this guidance is leading towards hiring or procurement quotas.  Instead, the requirement will be for complete and clear documentation of the efforts made to ensure that diverse candidates are being considered. 

 

Why is this a Good Thing?   

Diversity has been, and will always be, a strength. Of course a diverse loan portfolio is one that can absorb fluctuations in various industries without much turmoil. Diverse ideas and experiences have always led to innovation. In point of fact, there has been a history of exclusion of several communities of potential customers by financial institutions for some time. The whole point of the Community Reinvestment Act was to get financial institutions to look at all communities for potential clients.

Earvin “Magic” Johnson has developed a multibillion-dollar business based upon the idea that diversity is strength. His companies have invested in neighborhoods that were traditionally under banked and lacked access to funding. The success of this company is a good example of how strategic diversity creates opportunities in communities that often get overlooked.

 Self-Assessment  

One of the more controversial points of the regulation is that it appears to rely on self-assessments. There are no examination standards that are mentioned in the guidance. While some commenters decried self-policing as too vague, it appears that the expectation is that financial institutions will develop a policy, monitor compliance with that policy and make the results available to the public.

Self–assessment is both an opportunity and a curse.  The opportunity exists for an institution to self-define itself.  By setting standards that are based on a comprehensive understanding of the community vis-à-vis the capabilities of the bank, an institution has the opportunity to create a strong impression with regulators.  At the end of the day this is what regulators will willingly accept and applaud. 

 Implications
 While it is too early to tell whether the final guidance will have significant costs associated with it, it is obvious that there will be an emphasis on diversity planning and programs for financial institutions. We suggest that the approach should be part of the overall strategic planning process.


[1]  Joint Standards for Assessing Diversity Policies and Practices of Regulated Entities
 
[2] Ibid