Aligning Your Compliance Department With Risk

There are many reasons financial intuitions suffer through periods of poor compliance performance.  The causes for these problems are myriad.  One of the key contributors to compliance woes is often overlooked.  When resources in the compliance department are misaligned or inadequate, trouble is bound to follow.  Inadequate resources result from not just a small compliance staff, but also instances of “over-compliance”.   Misaligned staff occurs when your institution’s risk assessment fails to identify the highest risks or is not used as part of the compliance planning process.    

Inadequate Resources

Too few resources can result from many different sources including:

·         Training – Online training is a good first start for helping staff understand the basics of compliance.  These courses are cost effective and provide good basic information about various topics in compliance.  However, training that includes some in-person components tends to be more effective.  In-person classes allow staff to review case studies, ask in-depth questions and gain a more complete understanding of the rationale for regulations.  In addition, these types of classes significantly increase the retention for participants.   

·         Software used for monitoring – Determine whether your software provider effectively helps you monitor compliance activities.  Many compliance officers “take what they get” from their software providers and make do with the reports that get generated.  Having a discussion with your vendor can result in significant changes.  Software providers have significant resources including the ability to tailor the report you receive to meet specific needs.  If the reports that are generated create more work than they resolve questions, now is good time to have a discussion with your software provider. 

·         Compliance officer overburdened – Compliance has become a full-time occupation.  In addition to constant reporting requirements there are nuances to the position that require the full focus and attention of the compliance officer.   Despite these requirements, there are many compliance officers that serve in various capacities in addition to their compliance duties.   When a compliance officer is overburdened, the compliance program suffers.  Attention can only be addressed toward the pressing issues of the moment.  Potential problems are left for consideration at the time they have become compliance violations. 

·         Too Much Unnecessary information – In some cases, it is possible to engage in “over-compliance”, meaning developing data bases that are simply too large to effectively review and interpret.  For example, some institutions make a habit of filing Suspicious Activity Reports on all clients that have even a whiff of questionable activity.  Alternatively, some institutions include a large portion of their customer base as high risk customers.  The sentiment for taking this course of action is understandable- a conservative approach to risk.  However, the net result of taking such an approach is information overload.  Massive amounts of data are presented to compliance staff rendering them unable to keep up and the process gets overwhelmed.  

Misaligned Compliance

Compliance resources are limited in almost all institutions.   This is also true in the regulatory agencies that supervise financial institutions.  Therefore, the regulatory institutions take the risk based approach to supervision.   The goal of the risk based approach is not to necessary catch every flaw in a compliance system.  The idea is that the areas of greatest risk should receive the most attention.  The same philosophy is at the heart of the compliance rating system announced by the FFIEC.   The effectiveness of the compliance program will be reviewed and rated.  Individual findings of low importance will still be addressed, but put into an overall context of risk.   The point is that the areas with the highest risk should get the most attention. 

At your institution, one of the ways to make your compliance program most effective is to concentrate on the highest levels of risk.   You can do this be “letting go” in some cases and focusing on others.  One of the areas that is illustrative is an institution with many Suspicious Activity Reports.   For example, in this case the institution has $1 billion in assets that writes SARS on over 70 clients a month.   The SAR process requires that each of these SAR reports has a follow-up at 90 days.  The SAR reports describe activity that such as structuring and potential tax evasion.  The compliance team at this institution has determined that all potential structuring activity will result in a SAR.   The institution quickly finds out that the time that is taken by filing SARS and following up on them leaves little time to research the customer and to determine if there are business reasons for the activity that is viewed as suspicious.   The number of SARs continues to grow while the amount of time that is spent on research of individual customers continues to shrink.  Eventually SARs are filed late and compliance concerns are noted by the regulators.   

In the above instance, a re-alignment of compliance resources would focus on getting to “know your customer”.  By doing research on the customer and talking to them, the activity may not be suspicious at all.  For example, one customer deposits cash in amounts between $8,000 and $9,300 every two days.  This pattern may not be structuring at all if the customer is a small store that can prove the deposits are the actual cash receipts for the day.  The compliance team could ask the customer to report cash sales weekly, match the results with the deposits and have a level of comfort that structuring was not taking place.  Without a proper balance between KYC and SAR reporting, a compliance team can engage in a death spiral that included excessive SAR filing and inadequate research.  

Compliance programs should look for the root cause of a concern and address that root cause rather than attempt to apply “bandages” when findings are noted.    Training programs that help staff learn about the financial needs of the client base are also an effective means to aligned compliance resources.  If your institution does not offer credit cards, then course information on these products could be reduced in exchange for information on current products.

Aligning Compliance to Risk

The compliance risk assessment is the best place to start the alignment of compliance risk to resources.  Developing a comprehensive and effective compliance risk assessment will allow the institution to identify the greatest areas of risk and to direct resources to those areas.

***For More Information on aligning your Compliance Department with risk, please visit www.VCM4you.com ***