Planning Your Compliance Year
As the year comes to a close, for most people, it is time to
celebrate with family and friends and to look forward to the new year with
anticipation. For risk and compliance officers at financial institutions,
the new year comes with a bit of a different perspective. For many
years now, each new year has brought a different set of regulations and the
challenge of keeping financial institutions in compliance. This is
not necessarily a bad thing. New challenges can present an opportunity for
new and more efficient solutions. There are some steps
you can take that can truly help you get on top of
compliance.
Step One - Information Gathering
There are several sources for regulatory changes. It
is important to consider the fact that compliance and risk expectations can be
changed by more than the implementation of new regulations.
Regulatory agencies respond to world events, the political environment,
resource allocations, technology and many other factors. One
valuable source of information that is often overlooked is the annual plans or
statements that are issued by the prudential regulators. All three issue
a plan that addresses the areas that they will emphasize in the upcoming year.[1] For
example, the Office of the Comptroller of the Currency’s annual report points out that
strategic planning will be an emphasis of the examination teams in 2017. In
addition, there are many organizations and agencies that list the effective
dates for regulations. At VCM, we have a form that lists regulations,
effective dates and whether the regulation will apply to your organization. [2]
Gathering information on the new regulations and regulatory initiatives is a
key first step for planning the compliance year.
Step Two - Setting the Parameters
The next step is to complete a risk assessment. Often,
we see risk assessments that are performed specifically for meeting a
regulatory requirement. In many cases, these assessments are completed
and put away until it is time to do an annual update. We believe that the
risk assessment provides an excellent opportunity to set the parameters for
your own compliance program. Your risk assessment should include:
· The areas where there have been regulatory or internal audit findings in the past
· The types of products the Bank offers and the risks associated with those products
· New products contemplated
· The management reports currently being generated by software
· Changes in regulations that might affect the bank
· Changes in staff that have occurred or are planned
The risk assessment should be designed to determine the
areas where your institution has the greatest risk for violations or
findings. The assessment should be brutally honest and unflinching in its
assessment of the compliance needs for your institution.
The most important part of this step is to remember to USE
the document that you have prepared! The risk assessment should be the
basic document that helps you make the case to senior management for additional
staff and/or resources. The risk assessment should also be used to
help set the scope of the internal audits that are performed. It is very
rare that there will be time to cover every potential issue in a year so the
risk assessment should help prioritize resources. The risk
assessment should also be used to set the training calendar.
Step Three - Checking Twice
In addition to going through the regulations, it is
necessary to make sure your policies and procedures match the
requirements. For example, have you developed a solid method for making
sure that you comply with the “valuations rules” of Regulations B and Z?
Do you know what these are and how they affect you?
It is also a very good idea to sign up for all the “free
stuff” that the regulators publish about compliance. These can be
useful supplemental training tools. There is a great deal of very
helpful information made available by the Federal Reserve and the CFPB. [3]
Step Four - Call for Help!
One of the benefits of completing a comprehensive compliance
risk assessment is that the results can help you determine the level of
support that is needed. Far too often compliance departments get
additional resources only after the staff has been overwhelmed or has
experienced a poor result from an audit or examination. However, as the
saying goes, an ounce of prevention is worth a pound of cure. Identifying
the areas that are the highest risk and asking for help in those areas before
they become a problem is a best practice that will enhance your compliance
program and the quality of your life!
One of the best areas to get support for compliance is
through the staff at your bank. At the end of the day, compliance
is a team effort that requires the input of the whole bank to be most
effective. One of the themes that we have noticed over the years is that
people tend to buy in more when they understand the hows and whys
of compliance. While online training classes are clearly efficient and
relatively inexpensive, they sometimes can lack the perspective that gives the
staff members the reason why the regulation exists. For example, we
have found that taking the time to explain what it is that BSA laws and rules
are trying to accomplish to the staff members who are opening accounts has
dramatically improved the collection of data for CIP. The same is true
for Regulation B and a host of other areas. By helping bank staff
understand that there really are good reasons why you are so insistent on
complete and accurate disclosures, you can greatly reduce the error rate in
these disclosures. The more help from staff that you get, the more
efficient you can be.
Step Five - Execute the Plan
Once you have completed the risk assessment, prioritized the
risks and asked for help, it is time to execute the plan. Make sure
that the scope of the audits that you are getting will meet your needs and give
you information on how things are going. Regulators have become
increasingly critical of audit scopes that are too general or that do not cover
specific areas of compliance weakness at the bank. The internal audit
is an important tool that should be used to help find areas that need
attention. It is true that the auditor is your friend. The results
of audits should be taken seriously and positively as this is your opportunity
to determine levels of compliance without having regulatory
problems.
Like all good coaches, as a compliance officer you know the
areas where your team is the weakest. Make sure that your compliance plan
is designed to address these areas from the outset. If training has been
a concern, for example, then make sure that you have addressed the root of the
problem.
Step Six - Remain Flexible
There is a parable that says that if you want to prove that
God has a sense of humor, then try making your own plans. There is no
question that the best-laid plans can sometimes go awry. Therefore, it is
important that you build flexibility into your plan. For example, even
though you may have wanted to do flood insurance testing in the first quarter,
you might find that the more urgent area of risk is compliance with HMDA.
Even though flood insurance will always be a “hot button” issue, there are
times when the greater area of risk can be somewhere else. The point is
that your plan can hit all the highest areas of risk to ensure that your
program is successful.
[1] See, for example, http://www.occ.gov/news-issuances/news-releases/2015/nr-occ-2015-130.html,
https://www.fdic.gov/about/strategic/performance/supervision.html
[3] http://www.philadelphiafed.org/results.cfm?sort=rel&start=0&text=compliance`1