Section 1071 of the Dodd Frank Act- A New Look at Fair Lending -  A Two-Part Series

Part One- Towards a LAR for Commercial Loans

As the dust settled form the financial meltdown of 2008 there were a large number of new significant regulations to consider.  The qualified mortgage rules, mortgage servicing rules and appraisal valuations all garnered a great deal of attention and focus.  Of course, due to the impact of these rules, this attention was well deserved.   However, as the dust settled from getting compliance programs in place, it is time to give attention to future regulatory requirements.  

One of the most significant of the future regulations is section 1071 of the Dodd Frank Act.  This section amends the Equal Credit Opportunity Act (AKA as Reg. B) to require banks to gather information about applicants for commercial loans.   The information that will be gathered is very similar to information that is currently required by the Home Mortgage Disclosure Act (HMDA).  Many believe that the future of this regulation is in doubt due to the general hostility of the current presidential administration to the Dodd Frank Act.  Regardless of whether this regulation becomes fully implemented, the information that it requires is well worth considering.

Specifics

For the time being, this section of the Dodd Frank Act has been put on hold until the implementing regulations have been written.  There are many who believe the future of the CFPB is in doubt, but merely hoping things change is not a successful strategy.  Earlier in 2017, the CFPB started taking comments on the regulation with an eye toward developing a final rule early next year. It is likely the regulation will be implemented in some form early in 2018.  

What is the type of information that is required?  So far, the list of information required is as follows: 

‘‘(1) IN GENERAL. —Each financial institution shall compile and maintain, in accordance with regulations of the Bureau, a record of the information provided by any loan applicant pursuant to a request under subsection (b).

‘‘(2) ITEMIZATION.—Information compiled and maintained under paragraph (1) shall be itemized in order to clearly and conspicuously disclose—

‘‘(A) the number of the application and the date on which the application was received;

‘‘(B) the type and purpose of the loan or other credit being applied for;

‘‘(C) the amount of the credit or credit limit applied for, and the amount of the credit transaction or the credit limit approved for such applicant;

‘‘(D) the type of action taken with respect to such application, and the date of such action;

‘‘(E) the census tract in which is located the principal place of business of the women-owned, minority-owned, or small business loan applicant;

‘‘(F) the gross annual revenue of the business in the last fiscal year of the women-owned, minority-owned, or small business loan applicant preceding the date of the application;

‘‘(G) the race, sex, and ethnicity of the principal owners of the business; and

‘‘(H) any additional data that the Bureau determines would aid in fulfilling the purposes of this section.

‘‘(3) NO PERSONALLY IDENTIFIABLE INFORMATION.—In compiling and maintaining any record of information under this section, a financial institution may not include in such record the name, specific address (other than the census tract required under paragraph (1)(E)), telephone number, electronic mail address, or any other personally identifiable information concerning any individual who is, or is connected with, the women owned, minority-owned, or small business loan applicant.

When the regulation is enacted, what will be required?  Why are the regulators doing this to us?   In reverse order, the reason given for this change to the ECOA is as follows:

“The purpose of this section is to facilitate enforcement of fair lending laws and enable communities, governmental entities, and creditors to identify business and community development needs and opportunities of women-owned, minority owned, and small businesses” [1]

Put another way, the purpose of the collection of this information will be to allow banks, economists and regulators to more completely and accurately determine the types of loans that are being requested by minority and women owned business.  Presumably, the collected data will be used to provide regulators with tools to craft legislation to help expand fair lending laws and rules to the commercial lending area.  The merits of whether these regulations should be expanded to the commercial lending will be discussed in part two of this blog.

There are some unique features to the requirements of this law.  For example, the lending staff member who is doing the underwriting is NOT ALLOWED to ask the questions required by the law;

Where feasible, no loan underwriter or other officer or employee of a financial institution, or any affiliate of a financial institution, involved in making any determination concerning an application for credit shall have access to any information provided by the applicant pursuant to a request under subsection (b) in connection with such application.[2]

The idea here is this information must not be part of any credit decision, and the bank is under an obligation to present evidence that this information has been segregated from the credit decision.  Therefore, even in cases where there are too few staff members to totally segregate the collection of the information from the loan staff, a protective wall still must be created. 

If a financial institution determines that a loan underwriter or other officer or employee of a financial institution, or any affiliate of a financial institution, involved in making any determination concerning an application for credit should have access to any information provided by the applicant pursuant to a request under subsection (b), the financial institution shall provide notice to the applicant of the access of the underwriter to such information, along with notice that the financial institution may not discriminate on the basis of such information[3]

The time is coming when this information must be collected and the Bank must make sure that once it is collected, that the information has no impact on the credit decision. 

Implications for the Future

What does this regulation mean for the future?  It is of course, difficult to predict the future with any real accuracy.    However, it is clear that the trend for regulations is that the scope and influence of fair lending and equal credit opportunity laws will increase in influence over the next decade.   It will be increasingly important for banks to determine with detail the credit needs of the communities they serve.  Moreover, there will be increased emphasis on banks’ ability to show how the credit products being offered meet the credit  needs of that same community. 

Why not start now?

The obvious question to ask is with all of the regulations that are coming into effect at this point  and the resulting requirements, why start dealing with a regulation that has not come into existence?  Why not cross that bridge when we come to it? In fact, there is a chance that this law may never get an implementing regulation. 

Delay will result in higher costs and increase the risk of noncompliance.   Whether or not Section 1071 is implemented within the next year or the next few years, information about the borrowers you serve and the products that you offer to serve them should be part of your strategic plan, fair lending plan and CRA plan.  This information will be a critical component of showing your regulators that you are a vital part of the local economy and community.  Moreover, this information should be a critical part of your institutions’ drive to reach out to the new customers who are currently among the large number of unbanked and underbanked.  This pool of potential customers is one of the keys to successful banking in the future.  In fact, whether or not the regulation is ever implemented, developing information on women and minority owned businesses will be a ket strategic advantage for the financial institutions that realize the vast potential that these business owners present. 

In Part two of this blog, we will make the case for collection of information on loans to women and minority owned businesses regardless of regulation requirements. 

Why Should Small Financial Institutions Perform Compliance Risk Assessments?   

The concept of risk assessments is often associated with large banks and financial institutions – but it shouldn’t be.  Oftentimes, the ugly truth about risk assessments is that they are prepared specifically to meet a regulatory requirement and not much more.  The common practice is to perform an annual risk assessment for BSA, get it approved and for the most part, put it away and don’t think about it again until the next year.  The completion of this risk assessment is performed to meet regulatory requirements and not much else.    Risk assessments of the overall compliance program are rare, due to many factors including lack of time and resources.

Risk assessments can, and should be, used as a tool in the overall compliance toolkit.   When a compliance risk assessment is properly completed and deployed it have many uses including audit planning, cost reduction, training development and resource allocation to name a few.   Ultimately, the risk assessment should be used as the bedrock of a strong compliance program.  

The Component Parts of a strong Compliance Risk Assessment

Past examination and audit results- It goes without saying that the past can be a prelude to the future, especially in compliance.   Prior findings are an immediate indication of problems in the compliance program.   It is important that the root cause of the finding is determined and addressed.  The compliance risk assessment must include a description of the cause of the findings and the steps being taken to mitigate the risk of a repeat.  We recommend that the action should be more than additional training.   However, without testing to determine whether the training is effective, the risk of repeat findings remains high.  It should also be noted that a lack of past findings does not necessarily mean that that the coast is clear. Each compliance area should be reviewed and rated regardless of whether there were past findings.   In some cases, there are findings that are lying in wait and have not yet been discovered.    

 Changes in staff and management- change is inevitable and along with changes comes the possibility that additional training should be implemented or that the resources available to staff should also change.  For example, suppose the head of Note Operations is brand new.  This new manager will want to process loans using her/his own system.  Loan staff who may be used to doing compliance checks at certain times during the loan origination process might become confused.  This increases the possibility of findings or mistakes.   Your compliance risk assessment should consider the risks associated with changes and how best to address them.

Changes in products, customers or branches-It is important that your risk assessment consider all the different aspects of changes that have occurred or will occur in the Bank during the year.  This will include any new products or services, new vendors and marketing campaigns that are designed to entice new types of customers.  The risk assessment should consider what resources will be required and how they should best be deployed.  Before new products are introduced, the compliance team should consider the time necessary to make sure that all of the processes are in place.  New advertising means both technical and fair lending compliance considerations.  

Changes in Regulations- Over the past five years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies.  Many of these changes do not impact small financial institutions directly, but many do.  Moreover, there are often regulations that are finalized in one year that don’t become effective until the following year.   Part of your risk assessment process must consider changes that affect your bank or will affect you bank.   As a best practice, it is advisable to review the annual report of your regulator to determine the areas of focused that are planned for the year.  Regulators are transparent with this information and their publications will indicate areas of examiner focus for the upcoming year.   

Monitoring systems in place – Finally, the systems that you use to monitor compliance should be considered.  For many small institutions, this system is comprised of word of mouth and the results of audits and examinations.   Part of your assessment should include a plan to do some basic testing of compliance on a regular basis.  After all an ounce of prevention……

The Analysis

Once you have gathered all the information necessary for completing the analysis, we suggest using analyses that doesn’t necessary assign numbers to risk, but prioritizes the potential for findings.  Remember the effectiveness of your compliance program is ultimately judged by the level and frequency of findings.   The effective risk assessment reviews those areas that are most likely to result in findings and develops a plan for reduction.   

Inherent Risk

For each regulation that applies to your institution, you must first determine the level of inherent risk. According to the Federal Reserve Bank, inherent risk can be defined this way: 

“Inherent consumer compliance risk is the risk associated with product and service offerings, practices, or other activities that could result in significant consumer harm or contribute to an institution’s noncompliance with consumer protection laws and regulations. It is the risk these activities pose absent controls or other mitigating factors.”[1]

Your compliance risk assessment should consider the inherent risk associated with each product that is offered.  For each regulation, consideration should be given to the penalties associated with a violation. As a best practice, the likelihood of review of the area by regulators should also be factored into the overall level of inherent risk.  For example, flood insurance is an area that is likely to be examined every time the examiners conduct a review and this should factor into the overall inherent risk rating of the area.  

Effectiveness of Controls  

Once the inherent risk has been established, the next step is to assess the overall effectiveness of internal controls.  Your internal controls are the policies, procedures, training and monitoring that are performed on a regular basis.   This includes audits and internal reviews that are performed by the compliance department.  

To complete the analysis, it is necessary to be self-reflective, honest and brutal!  If staff is weak in its understanding of the requirements of Regulation B, it is necessary to plan to address the weakness.   If more training is necessary, or if, heaven forbid, a consultant is needed in certain areas, it really is appropriate as part of the assessment to say so and attempt to make the case to management.  We have found that the cost of compliance goes up geometrically when faced with enforcement action.  It is much more efficient to seek the assistance when there are only potential problems as opposed to when actual problems have been found.   

Residual Risk  

Residual risk is defined as the possibility that compliance findings will occur after consideration of the effectiveness of controls.  The less effective the controls, the higher the residual risk.   Again, it is critical that the assessment in this area is one that must be brutally honest.  If overall controls, are not what they should be, the weaknesses that exist should be reflected in the risk assessment.  The goal of the assessment is to determine the areas that have the highest levels of risk and to allocate resources accordingly.  

Using the Document

The compliance risk assessment is like a Swiss army knife- it has several uses.   First, the compliance risk assessment should be used to help with the planning and scoping of audits for the year.  The highest areas of risk should receive the greatest scrutiny by the auditors.  Moreover, the highest risk areas should be scheduled for review as early in the year as possible so that remediation efforts can be commenced and tested.  

Rather than setting a basic training schedule, use the assessment to make sure that classes are focused on areas where the risk assessment has shown the potential for problems.    The risk assessment can also be used to set the priorities for which policies and procedures need to be updated and in what order.  The compliance risk assessment is a good tool for measuring the level and quality of compliance resources. As part of the risk assessment process, the level and quality of resources must be considered.   As the process is concluded, it is natural to use the results to develop specific requests for additional staff, software, training or other resources that are necessary to maintain a strong compliance program.  

Creating the Compliance Environment

Probably the greatest untapped asset for any compliance officer is the staff at your institution.  Without the support and input of the people who are contacting customers and performing day to day operations, the effectiveness of your compliance program will be greatly limited.    Of course, one of the greatest impediments to getting the “buy-in” of staff is the perception of compliance that many in the banking industry have.  There is generally dislike and disdain for anything compliance related.  Compliance rules have been developed over time in response to unfair and sometimes immoral behavior on the part of banks.  Most of the regulations have a history that is interesting and can help explain what it is that the regulation is attempting to address.  Taking the time to discuss the history of the regulations and what it is that they are trying to address can go a long way toward getting staff involvement. Making sure that senior management accepts the importance of compliance and the costs of non- compliance can help increase support. 

A comprehensive compliance risk assessment should be the key to a strong compliance program. Using the results of the compliance risk assessments to plan the compliance year and deploy resources can be a very effective tool towards reducing compliance risks.

---

[1]COMMUNITY BANK RISK-FOCUSED CONSUMER COMPLIANCE SUPERVISION PROGRAM

Getting to the Root of the Problem- An Important Step for Strong Compliance

You have just received word that the compliance examiners are coming.  So now it is time to get everything together to prepare for the onslaught, right?   Time to review every consumer loan that has been made and every account that has been opened in the last 12 months, right? Not necessarily; the compliance examination is really an evaluation of the effectiveness of your compliance management program (“CMP”).  By approaching your examinations and audits as a test of the compliance program, the news of an upcoming review becomes (almost) welcome.  

Because the examiners are ultimately making an assessment of the CMP, it is critical to understand the overall effectiveness of your program from the outset.  In particular, it is necessary to be able to detect and analyze the root cause of compliance problems at your institution. 

The Elements of the CMP

There is really no “one size fits all” way to set up a strong compliance program.  There are, however, basic components that all compliance management systems need.  These components are often called the pillars of the CMP.  The pillars are:

·        Board Oversight

·        Policies and procedures

·        Management Information systems including risk monitoring

·        Internal Controls

The relative importance of each of these pillars depends on the risk levels at individual institutions.  The compliance examination is a test of how well the institution has identified these risks and deployed resources.   For example, in a financial institution that has highly experienced and trained staff coupled with low turnover, the need for fully detailed procedures may be minimal.  On the other hand, when new products are being offered regularly, the need for training can be critical.   The central question is whether the institution has identified the risks of a compliance finding and having done so, taken steps to mitigate risks.  

Making the CMP fit Your Institution   

Making sure that your CMP is right-sized starts with an evaluation of the products that are being offered and the inherent risk in that activity.  For example, consumer lending comes with a level of risk.  Missed deadlines, improper disclosures or misinterpretations of the requirements of the regulations are risks that are inherent in a consumer portfolio.   In addition to the risks inherent in the portfolio are the risks associated with the way the institution conducts it consumer business.   Are risk assessments conducted when a product is going to be added or terminated?  Both adding and ending a product can create risk.   For example, the decision to cease HELOCs may create a fair lending issue; while the decision to start making HELOCs should consider the knowledge and abilities of the staff that will be making the loans and the staff that will be reviewing for compliance.  

As a best practice, compliance has to be a part of the overall business and strategic plan of a financial institution.  The CMP has to be flexible enough to absorb changes at the bank while remaining effective and strong.  

The True Test of the CMP

Probably the most efficient way to determine the strengths and weakness of the CMP is by reviewing the findings of internal audits and examinations.  Most important is determining what caused the problem.  Moreover, not only the findings, but the recommendations for improvement that can be found in examination and audit reports can be used to help “tell the story” of the effectiveness of the CMP.  It is very important to determine the root cause the finding.  Generally, the answer will be extremely helpful in addressing the problem.  There are times when the finding is the result of a staff member having a bad day.  On those bad days, even the secondary review may not quite catch the problem.  For the most part, these are the types of findings that should not keep you up at night.  

 The findings that cause concerns are the ones that result from lack of knowledge or lack of information about the requirements of a regulation.  These findings are systemic and tend to raise the antenna of auditors and examiners.  Unfortunately, too often the tendency is to respond to this kind of finding by agreeing with it and promising to take immediate steps to address it.  Without knowing the root cause of the problem, the fix becomes the banking version of sticking one’s finger in the dyke to avoid a flood.  

Addressing Findings  

We suggest a five-step process to truly address findings and strengthen the CMP.

 1.       Make sure that the compliance staff truly understands the nature of the finding.  This may sound obvious, but far too many times there is a great deal lost in translation between the readout and the final report.  If staff feels like what was discussed at the exit doesn’t match the final report, here is a communication concern.  We recommend fighting the urge to dismiss the auditor/examiner as a zealot!  Call the agency making the report and get clarification to make sure that the concern that is being expressed is understood by staff.   

 2.       Develop an understanding of the root cause of the finding.  Does this finding represent a problem with our training?  Perhaps we have not deployed our personnel in the most effective manner.  It is critical that management and the compliance team develop an understanding for why this finding occurred to most effectively address it.  

 3.       Assign personal responsible,  along with an action plan,  and benchmark due dates.   Developing the plan of action and setting dates develops an accountability for ensuring that the matter is addressed. 

 4.       Assign an individual to monitor progress in addressing findings.  We also recommend that this person should report directly to the Audit Committee of the Board of Directors.  This builds further accountability into the system.   

5.       Validate the response.   Before an item can be removed from the tracking list, there should be an independent validation of the response.  For example, if training was the issue; the response should not be simply that all staff have now taken the training.  The process should include a review of the training materials to ensure that they are sufficient, feedback from staff members taking the training, and finally a quality control check of the area affected.   

Not only does determining the root cause of a problem make the response more effective, but in doing so, the CMP will be strengthened.  For example, It may be easy to see a problem with disclosing right of recession disclosures.  It may be harder to see that the problem is not the people at all, but that the training they received is confusing and ineffective.  Only by diving into the root cause of the problem can the CMP be fully effective. 

Re-Imagining Compliance- A Three-Part series

Part One – Compliance is here to Stay

Every culture has its own languages and code words.  Benign words in one culture can be offensive in another.  There was a time when something that was “Phat” was really desirable and cool while there are very few people who would like being called fat!  Compliance is one of those words that, depending on the culture, may illicit varying degrees of response.  In the culture of financial institutions, the word compliance has some negative associations.   Compliance is often considered an unnecessary and crippling cost of doing business.  Many of the rules and regulations that are part of the compliance world are confusing and elusive.  For many institutions, has been the dark cloud over attempts to provide new and different services and products.  

Despite the many negative connotations that surround compliance in the financial services industry, there are many forces coming together to alter the financial services landscape.  These forces can greatly impact the overall view of compliance.  In fact, it is increasingly possible to view expenditures in compliance as an investment rather than a simple expense.   In this three-part blog, we ask that you reimagine your approach to compliance.  

Why do we have Compliance Regulations?

 Many a compliance professionals can tell you about how difficult it is to keep everybody up to date on the many regulations that apply to financial institutions.  However, if you ask why exactly do we even have an Equal Credit Opportunity Act or a Home Mortgage Disclosure Act (“HMDA”), it would difficult to get a consensus.   All of the compliance regulations share a very similar origin story.   There was bad or onerous behavior on the part of financial institutions, followed by a public outcry, legislative action to address the bad behavior and then eventually regulations.  The history of Regulation B provides a good example:

A Little History

The consumer credit market as we now know it grew up in the time period from World War II and the 1960’s.  It was during this time that the market for mortgages grew and developed and became the accepted means for acquiring property, financing businesses, developing wealth and upward mobility.  By the late 1960’s the consumer credit market was booming. 

The Equal Credit Opportunity Act (“ECOA”) and regulation B are not nearly as old as you might think. In fact, the first attempt at regulating credit access was the Consumer Credit Protection Act of 1968.  This legislation was passed to protect consumer credit rights that up to that point been largely ignored.  The 1968 regulation was passed as the result of continuing growth in consumer credit and its effects on the economy.  For example, in the year before the regulation was passed, consumers were paying fees and interest that equaled the government’s payments on the national debt!  One of the goals of the Consumer Credit Protection Act was to protect consumer rights and to preserve the consumer credit industry.  

The Civil Rights Movement was occurring at the same time as the passage of the CCPA and in 1968, the Fair Housing Act was passed by Congress.  The FHA was designed to assist communities that that had been excluded from credit markets obtain access to credit.  We will discuss the Fair Housing Act in more detail next month.  

One of the things that the CCPA did was to empanel a commission of Congress called the National Commission on Consumer Finance.  This commission was directed to hold hearings about the structure and operation of the consumer credit industry.  

Unintended Consequences

While performing the duties they were assigned, the members of the National Commission on Consumer Finance conducted several hearings about the credit approval process for consumer loans.  The stories and anecdotes from these hearings raised a tremendous public outcry about the behavior of banks and financial institutions that were in the business of granting credit.   One of the common themes of the testimonies given was that women and minorities were being left behind when it came to the growth of the consumer credit market.  Public pressure forced additional hearings on the consumer credit market, and the evidence showed that women in particular and minorities in general were being given unfair and unequal treatment by banks. 

What was Going On? 

So what were banks doing that was a cause of concern?  There were several practices that had become normal and regular for banks when the applicant for consumer credit was a woman or a member of a racial minority group.  

Women had more difficulty than men in obtaining or maintaining credit, more frequently were asked embarrassing questions when applying for credit, and more frequently were required to have cosigners or extra collateral.   When a divorced or single woman applied for credit she was immediately asked questions about her life choices, sexual habits, and various other personal information that was both irrelevant to the credit decision and not asked of men. 

Racial minorities had difficulty even obtaining credit applications let alone credit approvals.  In cases, where members of minority groups attempted to get a loan applicant, there were either told that the bank was not making consumer loans, or that the area that the person lived was outside of the lending area of the bank. 

For applicants that receive public assistance, child support of alimony, banks would not consider these as sources of income under the theory that they were temporary and might disappear.  

Despite being subjected to embarrassing or incorrect information, in the cases where women and minorities persisted and completed a credit applications, banks would drag out the process for interminable time periods and would engage in strong efforts to discourage the applicant from going forward.  

In many cases, when a person lived in a neighborhood that was predominately comprised of minorities, the borrower was told that the collateral did not have enough value without further explanation.  

The ECOA

Though these stories created a great deal of interest, the CCPA was not amended until 1974 when the first Equal Credit Opportunity Act was passed.  This Act prevented discrimination in credit based on sex and marital status. 

Why are there a Regulation B and the ECOA?

The development of the consumer credit market brought with it a series of bad behaviors that directly and negatively impacted the ability of women and minorities to obtain credit.   These behaviors included asking women to check with their husbands before getting a loan, denying a single woman credit, discouraging minorities from applying for credit and outright refusal to grant credit.  

The law and regulation are designed to open credit to all who are worthy by limiting practices that unfairly exclude groups of people and by making sure that applicants are fairly informed of the reasons for a denial.  

The regulations exist because there was bad behavior that was not being addressed by the industry alone.  Many of the compliance regulations share the same origin story. 

Compliance is not all Bad

Sometimes, we are caught up on focusing on the negative to the point that it is hard to see the overall impact of bank regulations.   One of the positive effects of compliance regulations is they go a long way toward “leveling the playing field” among banks.   RESPA (the Real Estate Settlement Procedures Act) provides a good example.  The focus of this regulation is to get financial institutions to disclose the costs of getting a mortgage in the same format throughout the country.   The real costs associated with a mortgage and any deals a bank has with third parties, the amount that is being charged for insurance taxes and professional reports that are being obtained all have to be listed in the same way for all potential lenders.  In this manner, the borrower is supposed to be able to line up the offers and compare costs.  This is ultimately good news for community banks.  The public gets a chance to see what exactly your lending program is and how it compares to your competitors.  The overall effect of this legislation is to make it harder for unscrupulous lending outfits to make outrageous claims about the costs of their mortgages.   This begins to level the playing field for all banks.  The public report requirements for the Community Reinvestment Act and the Home Mortgage Disclosure Act can result in positive information about your bank.    A strong record of lending within the assessment area and focusing on reinvigoration of neighborhoods is a certainly a positive for the bank’s reputation.  The overall effects of the regulations and should be viewed as a positive.  

Protections not just for Customers

In some cases, consumer regulations provide protection not just for consumers but also for banks.  The most recent qualifying mortgage and ability to repay rules present a good case.  These rules are designed to require additional disclosures for borrowers that have loans with high interest rates.   In addition to the disclosure requirements, the regulations establish a safe harbor for banks that make loans within the “qualifying mortgage” limits.  This part of the regulation provides strong protection for banks.  The ability to repay rules establish that when a bank makes a loan below the established loan to value and debt to income levels, then the bank will enjoy the presumption that the loan was made in good faith.  This presumption is very valuable in that It can greatly reduce the litigation costs associated with mortgage loans.  Moreover, if a bank makes only “qualifying mortgages’ the level of regulatory scrutiny will likely be lower than in the instance of banks that make high priced loans. 

Compliance regulations will no doubt be a part of doing business in the financial industry for the foreseeable future.   However, all is not Considering a strategy that embraces the regulatory structure as an overall positive will allow management to start to re-imagine compliance and consider greater investment.   In our next blog, we will discuss the forces that are converging to make the return on investment in compliance strong. 

Strategic Risk- a top Consideration in 2017

Strategic Risk- a top Consideration in 2017

For many financial institutions as January ends, the implementation phase of plans begins.  As you put the finishing touches on your plans and give it one last look, among the critical things to consider should be your assessment of strategic risk.  For the prudential regulators (the FDIC, the Federal Reserve, the OCC and the CFPB), strategic risk has become the preeminent issue, as indicated in public statements, guidance and planned supervisory focus documents.  The main issue driving strategic risk is the convergence of unbanked/underbanked people, the growth of financial technology (” fintech”) firms and shrinking demand for traditional lending.  And to paraphrase the comments of Comptroller of the Currency Thomas Curry, those who fail to innovate are doomed. 

Strategic risk is generally defined as:  

Strategic risk is a function of business decisions, the execution of those decisions, and resources deployed against strategies. It also includes responsiveness to changes in the internal and external operating environments.[1] 

The OCC’s Safety and Soundness Handbook- Corporate Guidance section discusses strategic risk as follows: 

The board and senior management, collectively, are the key decision makers that drive the strategic direction of the bank and establish governance principles. The absence of appropriate governance in the bank’s decision-making process and implementation of decisions can have wide-ranging consequences. The consequences may include missed business opportunities, losses, failure to comply with laws and regulations resulting in civil money penalties (CMP), and unsafe or unsound bank operations that could lead to enforcement actions or inadequate capital.[2]

More to the point, strategic risk today is the difference between being able to “think outside the box” and being mired in tradition.   Banking as we know it is being disrupted by technology.  There are many customers who have never had bank accounts and an equally large number of people who use banks on a limited basis.  Many fintech firms  have been founded specifically to offer products that meet the needs of these customers.  Products such as online lending, stored value and bill payments are here to stay and they are changing the places customers look to fill their banking needs.  

Both the FDIC and the OCC in their annual statements recognized the need to address strategic risk and will be looking at the institutions they regulate to determine the level of consideration of this risk.  [3]

So, what does consideration of strategic risk look like?  It means consideration of new types of products, customers and sources of income.  It also means reimagining compliance.  

Types of Products

Today a traditional financial institution offers a range of deposit products, consumer loans and commercial loans traditional loans.  Tomorrows’ bank will offer digital wallets, stored value accounts, and financing that is tailored to the needs of customers.  Loans with terms like $7,200 with a 7-month term which are not economically feasible, will be commonplace soon.  Commercial loans will come with access to business management websites that offer consultation for the active entrepreneur, savings account will be attached to the digital profile of the customer.  Banking will be done from the iPad or another digital device.   Your institution can be part of this updated version of banking or continue to suffer declines as your current customer base grows old and disappears.   Consider deciding which fintech companies will allow your bank to offer a full range of products that have not yet been offered.  No need to reinvent the wheel, simply join forces  

Types of Customers

The number of customers that are available for traditional commercial lending products is a finite pool and there is tremendous competition for these customers.  However, for financial institutions that are willing to rethink the lending process there are entrepreneurs and small businesses that are seeking funding in nontraditional places.  Fintech companies have developed alternative credit scoring that is highly accurate and predictive.  Consider partnering with these firms to allow underwriting of nontraditional loan products.      

The dreaded “MSB” word

In the early part of this decade we experienced the unfortunate effects of “operation chokepoint” a regulatory policy specifically aimed at subjecting MSB’s to strict scrutiny.  Many financial institutions ceased offering accounts to these businesses. The law of unintended consequences was invoked as many of the people who used the MSB’s were left without financial services.  Even today there are sizable communities of people are still hurt by the inability to get financial services.  More importantly, financial institutions are missing the opportunity to develop fee income, expand their customer base and reshape the business plan. 

MSB’s facilitate a huge flow of funds that flow throughout the world in one form or another and the more financial institutions are a part of that flow, the safer and more efficient it will be.  MSB’s provide an extremely important service that will be filled one way or another- why not be part of it? [4] 

Compliance as an investment

When considering overall strategic risk, an institution must balance risk levels with the systems in place to mitigate that risk.  New products and different types of customers carry with them different levels and types of risk.  Your system for risk management and compliance must be up to the task of administrating new challenges.   The traditional planning process considers the compliance program only after the products and customers have been determined.  A proactive approach to risk would consider expanding the resources and capabilities of the compliance department to an end; adding products and services that can breathe economic life into your institution.     

When the ability to monitor, and administrate new products and customers is acquired by the compliance program, your financial institution can grow and expand.  Now is the time to start thinking of compliance as an investment rather than an expense.   This of course requires an investment in compliance, but the return is well worth it. 

For a more complete discussion or reimagining compliance as an investment please contact us at ***www.VCM4you.com***

---

[1]Businessdirectory.com

[2] OCC Comptrollers Handbook-Safety & Soundness- Corporate Risk management

[3] OCC Report Discusses Risks Facing National Banks and Federal Savings Associations

WASHINGTON — The Office of the Comptroller of the Currency (OCC) reported strategic, credit, operational, and compliance risks remain top concerns in its Semiannual Risk Perspective for Fall 2016, released today.

[4] Per the world bank High-income countries are the main source of remittances. The United States is by far the largest, with an estimated $ 56.3 billion in recorded outflows in 2014. Saudi Arabia ranks as the second largest, followed by the Russia, Switzerland, Germany, United Arab Emirates, and Kuwait. The six Gulf Cooperation Council countries accounted for $98 billion in outward remittance flows in 2014.

Aligning Your Compliance Department With Risk

There are many reasons financial intuitions suffer through periods of poor compliance performance.  The causes for these problems are myriad.  One of the key contributors to compliance woes is often overlooked.  When resources in the compliance department are misaligned or inadequate, trouble is bound to follow.  Inadequate resources result from not just a small compliance staff, but also instances of “over-compliance”.   Misaligned staff occurs when your institution’s risk assessment fails to identify the highest risks or is not used as part of the compliance planning process.    

Inadequate Resources

Too few resources can result from many different sources including:

·         Training – Online training is a good first start for helping staff understand the basics of compliance.  These courses are cost effective and provide good basic information about various topics in compliance.  However, training that includes some in-person components tends to be more effective.  In-person classes allow staff to review case studies, ask in-depth questions and gain a more complete understanding of the rationale for regulations.  In addition, these types of classes significantly increase the retention for participants.   

·         Software used for monitoring – Determine whether your software provider effectively helps you monitor compliance activities.  Many compliance officers “take what they get” from their software providers and make do with the reports that get generated.  Having a discussion with your vendor can result in significant changes.  Software providers have significant resources including the ability to tailor the report you receive to meet specific needs.  If the reports that are generated create more work than they resolve questions, now is good time to have a discussion with your software provider. 

·         Compliance officer overburdened – Compliance has become a full-time occupation.  In addition to constant reporting requirements there are nuances to the position that require the full focus and attention of the compliance officer.   Despite these requirements, there are many compliance officers that serve in various capacities in addition to their compliance duties.   When a compliance officer is overburdened, the compliance program suffers.  Attention can only be addressed toward the pressing issues of the moment.  Potential problems are left for consideration at the time they have become compliance violations. 

·         Too Much Unnecessary information – In some cases, it is possible to engage in “over-compliance”, meaning developing data bases that are simply too large to effectively review and interpret.  For example, some institutions make a habit of filing Suspicious Activity Reports on all clients that have even a whiff of questionable activity.  Alternatively, some institutions include a large portion of their customer base as high risk customers.  The sentiment for taking this course of action is understandable- a conservative approach to risk.  However, the net result of taking such an approach is information overload.  Massive amounts of data are presented to compliance staff rendering them unable to keep up and the process gets overwhelmed.  

Misaligned Compliance

Compliance resources are limited in almost all institutions.   This is also true in the regulatory agencies that supervise financial institutions.  Therefore, the regulatory institutions take the risk based approach to supervision.   The goal of the risk based approach is not to necessary catch every flaw in a compliance system.  The idea is that the areas of greatest risk should receive the most attention.  The same philosophy is at the heart of the compliance rating system announced by the FFIEC.   The effectiveness of the compliance program will be reviewed and rated.  Individual findings of low importance will still be addressed, but put into an overall context of risk.   The point is that the areas with the highest risk should get the most attention. 

At your institution, one of the ways to make your compliance program most effective is to concentrate on the highest levels of risk.   You can do this be “letting go” in some cases and focusing on others.  One of the areas that is illustrative is an institution with many Suspicious Activity Reports.   For example, in this case the institution has $1 billion in assets that writes SARS on over 70 clients a month.   The SAR process requires that each of these SAR reports has a follow-up at 90 days.  The SAR reports describe activity that such as structuring and potential tax evasion.  The compliance team at this institution has determined that all potential structuring activity will result in a SAR.   The institution quickly finds out that the time that is taken by filing SARS and following up on them leaves little time to research the customer and to determine if there are business reasons for the activity that is viewed as suspicious.   The number of SARs continues to grow while the amount of time that is spent on research of individual customers continues to shrink.  Eventually SARs are filed late and compliance concerns are noted by the regulators.   

In the above instance, a re-alignment of compliance resources would focus on getting to “know your customer”.  By doing research on the customer and talking to them, the activity may not be suspicious at all.  For example, one customer deposits cash in amounts between $8,000 and $9,300 every two days.  This pattern may not be structuring at all if the customer is a small store that can prove the deposits are the actual cash receipts for the day.  The compliance team could ask the customer to report cash sales weekly, match the results with the deposits and have a level of comfort that structuring was not taking place.  Without a proper balance between KYC and SAR reporting, a compliance team can engage in a death spiral that included excessive SAR filing and inadequate research.  

Compliance programs should look for the root cause of a concern and address that root cause rather than attempt to apply “bandages” when findings are noted.    Training programs that help staff learn about the financial needs of the client base are also an effective means to aligned compliance resources.  If your institution does not offer credit cards, then course information on these products could be reduced in exchange for information on current products.

Aligning Compliance to Risk

The compliance risk assessment is the best place to start the alignment of compliance risk to resources.  Developing a comprehensive and effective compliance risk assessment will allow the institution to identify the greatest areas of risk and to direct resources to those areas.

***For More Information on aligning your Compliance Department with risk, please visit www.VCM4you.com ***