Getting to the Root of the Problem- An Important Step for Strong Compliance

You have just received word that the compliance examiners are coming.  So now it is time to get everything together to prepare for the onslaught, right?   Time to review every consumer loan that has been made and every account that has been opened in the last 12 months, right? Not necessarily; the compliance examination is really an evaluation of the effectiveness of your compliance management program (“CMP”).  By approaching your examinations and audits as a test of the compliance program, the news of an upcoming review becomes (almost) welcome.  

Because the examiners are ultimately making an assessment of the CMP, it is critical to understand the overall effectiveness of your program from the outset.  In particular, it is necessary to be able to detect and analyze the root cause of compliance problems at your institution. 

The Elements of the CMP

There is really no “one size fits all” way to set up a strong compliance program.  There are, however, basic components that all compliance management systems need.  These components are often called the pillars of the CMP.  The pillars are:

·        Board Oversight

·        Policies and procedures

·        Management Information systems including risk monitoring

·        Internal Controls

The relative importance of each of these pillars depends on the risk levels at individual institutions.  The compliance examination is a test of how well the institution has identified these risks and deployed resources.   For example, in a financial institution that has highly experienced and trained staff coupled with low turnover, the need for fully detailed procedures may be minimal.  On the other hand, when new products are being offered regularly, the need for training can be critical.   The central question is whether the institution has identified the risks of a compliance finding and having done so, taken steps to mitigate risks.  

Making the CMP fit Your Institution   

Making sure that your CMP is right-sized starts with an evaluation of the products that are being offered and the inherent risk in that activity.  For example, consumer lending comes with a level of risk.  Missed deadlines, improper disclosures or misinterpretations of the requirements of the regulations are risks that are inherent in a consumer portfolio.   In addition to the risks inherent in the portfolio are the risks associated with the way the institution conducts it consumer business.   Are risk assessments conducted when a product is going to be added or terminated?  Both adding and ending a product can create risk.   For example, the decision to cease HELOCs may create a fair lending issue; while the decision to start making HELOCs should consider the knowledge and abilities of the staff that will be making the loans and the staff that will be reviewing for compliance.  

As a best practice, compliance has to be a part of the overall business and strategic plan of a financial institution.  The CMP has to be flexible enough to absorb changes at the bank while remaining effective and strong.  

The True Test of the CMP

Probably the most efficient way to determine the strengths and weakness of the CMP is by reviewing the findings of internal audits and examinations.  Most important is determining what caused the problem.  Moreover, not only the findings, but the recommendations for improvement that can be found in examination and audit reports can be used to help “tell the story” of the effectiveness of the CMP.  It is very important to determine the root cause the finding.  Generally, the answer will be extremely helpful in addressing the problem.  There are times when the finding is the result of a staff member having a bad day.  On those bad days, even the secondary review may not quite catch the problem.  For the most part, these are the types of findings that should not keep you up at night.  

 The findings that cause concerns are the ones that result from lack of knowledge or lack of information about the requirements of a regulation.  These findings are systemic and tend to raise the antenna of auditors and examiners.  Unfortunately, too often the tendency is to respond to this kind of finding by agreeing with it and promising to take immediate steps to address it.  Without knowing the root cause of the problem, the fix becomes the banking version of sticking one’s finger in the dyke to avoid a flood.  

Addressing Findings  

We suggest a five-step process to truly address findings and strengthen the CMP.

 1.       Make sure that the compliance staff truly understands the nature of the finding.  This may sound obvious, but far too many times there is a great deal lost in translation between the readout and the final report.  If staff feels like what was discussed at the exit doesn’t match the final report, here is a communication concern.  We recommend fighting the urge to dismiss the auditor/examiner as a zealot!  Call the agency making the report and get clarification to make sure that the concern that is being expressed is understood by staff.   

 2.       Develop an understanding of the root cause of the finding.  Does this finding represent a problem with our training?  Perhaps we have not deployed our personnel in the most effective manner.  It is critical that management and the compliance team develop an understanding for why this finding occurred to most effectively address it.  

 3.       Assign personal responsible,  along with an action plan,  and benchmark due dates.   Developing the plan of action and setting dates develops an accountability for ensuring that the matter is addressed. 

 4.       Assign an individual to monitor progress in addressing findings.  We also recommend that this person should report directly to the Audit Committee of the Board of Directors.  This builds further accountability into the system.   

5.       Validate the response.   Before an item can be removed from the tracking list, there should be an independent validation of the response.  For example, if training was the issue; the response should not be simply that all staff have now taken the training.  The process should include a review of the training materials to ensure that they are sufficient, feedback from staff members taking the training, and finally a quality control check of the area affected.   

Not only does determining the root cause of a problem make the response more effective, but in doing so, the CMP will be strengthened.  For example, It may be easy to see a problem with disclosing right of recession disclosures.  It may be harder to see that the problem is not the people at all, but that the training they received is confusing and ineffective.  Only by diving into the root cause of the problem can the CMP be fully effective.