Why Should Small Financial Institutions Perform Compliance Risk Assessments?
The concept of risk assessments is often associated with large banks and financial institutions – but it shouldn’t be. Oftentimes, the ugly truth about risk assessments is that they are prepared specifically to meet a regulatory requirement and not much more. The common practice is to perform an annual risk assessment for BSA, get it approved and, for the most part, put it away and not think about it again until the next year. Risk assessments of the overall compliance program are rare, due to many factors including lack of time and resources.
Risk assessments can, and should be, used as a tool in the overall compliance toolkit. When a compliance risk assessment is properly completed and deployed it has many uses, including audit planning, cost reduction, training development and resource allocation, to name a few. Ultimately, the risk assessment should be used as the bedrock of a strong compliance program.
The Component Parts of a Strong Compliance Risk Assessment
Past examination and audit results – It goes without saying that the past can be a prelude to the future, especially in compliance. Prior findings are an immediate indication of problems in the compliance program. It is important that the root cause of the finding is determined and addressed. The compliance risk assessment must include a description of the cause of the findings and the steps being taken to mitigate the risk of a repeat. We recommend that the action should be more than additional training; even where training is provided, without testing to determine whether the training is effective, the risk of repeat findings remains high. It should also be noted that a lack of past findings does not necessarily mean that the coast is clear. Each compliance area should be reviewed and rated regardless of whether there were past findings. In some cases, there are findings that are lying in wait and have not yet been discovered.
Changes in staff and management – Change is inevitable, and along with changes comes the possibility that additional training should be implemented or that the resources available to staff should also change. For example, suppose the head of Note Operations is brand new. This new manager will want to process loans using her/his own system. Loan staff who may be used to doing compliance checks at certain times during the loan origination process might become confused. This increases the possibility of findings or mistakes. Your compliance risk assessment should consider the risks associated with changes and how best to address them.
Changes in products, customers or branches – It is important that your risk assessment consider all the different aspects of changes that have occurred or will occur in the Bank during the year. This will include any new products or services, new vendors and marketing campaigns that are designed to entice new types of customers. The risk assessment should consider what resources will be required and how they should best be deployed. Before new products are introduced, the compliance team should consider the time necessary to make sure that all of the processes are in place. New advertising raises both technical and fair lending compliance considerations.
Changes in regulations – Over the past five years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies. Many of these changes do not impact small financial institutions directly, but many do. Moreover, there are often regulations that are finalized in one year that don’t become effective until the following year. Part of your risk assessment process must consider changes that affect your bank or will affect your bank. As a best practice, it is advisable to review the annual report of your regulator to determine the areas of focus that are planned for the year. Regulators are transparent with this information, and their publications will indicate areas of examiner focus for the upcoming year.
Monitoring systems in place – Finally, the systems that you use to monitor compliance should be considered. For many small institutions, this system consists of word of mouth and the results of audits and examinations. Part of your assessment should include a plan to do some basic testing of compliance on a regular basis. After all, an ounce of prevention…
The Analysis
Once you have gathered all the information necessary for completing the analysis, we suggest using an analysis that doesn’t necessarily assign numbers to risk, but prioritizes the potential for findings. Remember, the effectiveness of your compliance program is ultimately judged by the level and frequency of findings. The effective risk assessment reviews those areas that are most likely to result in findings and develops a plan for reduction.
Inherent Risk
For each regulation that applies to your institution, you must
first determine the level of inherent risk. According to the Federal
Reserve Bank, inherent risk can be defined this way:
“Inherent consumer compliance risk is the risk associated with product and service offerings, practices, or other activities that could result in significant consumer harm or contribute to an institution’s noncompliance with consumer protection laws and regulations. It is the risk these activities pose absent controls or other mitigating factors.”[1]
Your compliance risk assessment should consider the inherent
risk associated with each product that is offered. For each
regulation, consideration should be given to the penalties associated with a
violation. As a best practice, the likelihood of review of the area by
regulators should also be factored into the overall level of inherent
risk. For example, flood insurance is an area that is likely to be
examined every time the examiners conduct a review and this should factor into
the overall inherent risk rating of the area.
Effectiveness of Controls
Once the inherent risk has been established, the next step is to
assess the overall effectiveness of internal controls. Your internal
controls are the policies, procedures, training and monitoring that are
performed on a regular basis. This includes audits and
internal reviews that are performed by the compliance department.
To complete the analysis, it is necessary to be self-reflective, honest and brutal! If staff is weak in its understanding of the requirements of Regulation B, it is necessary to plan to address the weakness. If more training is necessary, or if, heaven forbid, a consultant is needed in certain areas, it really is appropriate as part of the assessment to say so and attempt to make the case to management. We have found that the cost of compliance goes up geometrically when an institution is faced with enforcement action. It is much more efficient to seek assistance when there are only potential problems than when actual problems have been found.
Residual Risk
Residual risk is defined as the possibility that compliance findings will occur after consideration of the effectiveness of controls. The less effective the controls, the higher the residual risk. Again, the assessment in this area must be brutally honest. If overall controls are not what they should be, the weaknesses that exist should be reflected in the risk assessment. The goal of the assessment is to determine the areas that have the highest levels of risk and to allocate resources accordingly.
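The inherent risk, control effectiveness and residual risk steps above can be worked through with an ordinal ranking rather than numeric scores. The following is an added illustration, not the post's or the Federal Reserve's method: the area names, ratings and the rule that unresolved findings override the control rating are constructed assumptions.

```python
"""Qualitative compliance risk ranking (constructed illustration)."""
from dataclasses import dataclass

# Ordinal scale used for every rating; position in the tuple is the rank.
LEVELS = ("Low", "Moderate", "High")

# How many levels each control rating knocks off inherent risk (assumed values).
CONTROL_CREDIT = {"Weak": 0, "Adequate": 1, "Strong": 2}


@dataclass
class Area:
    name: str
    penalty: str          # severity of a violation: Low / Moderate / High
    exam_likelihood: str  # chance examiners review the area: Low / Moderate / High
    controls: str         # policies, procedures, training, monitoring: Weak / Adequate / Strong
    open_findings: int    # unresolved audit or examination findings


def inherent_risk(area):
    """Inherent risk absent controls: the higher of penalty severity and
    examiner attention (the post's two drivers; the max rule is assumed)."""
    return LEVELS[max(LEVELS.index(area.penalty), LEVELS.index(area.exam_likelihood))]


def residual_risk(area):
    """Inherent risk tempered by controls. Open findings are an immediate
    sign the controls are not working, so they are treated as Weak."""
    controls = "Weak" if area.open_findings else area.controls
    rank = max(0, LEVELS.index(inherent_risk(area)) - CONTROL_CREDIT[controls])
    return LEVELS[rank]


def audit_schedule(areas):
    """Order areas for the audit year: highest residual risk first, ties broken
    by inherent risk, then open findings, then name for a stable result."""
    return sorted(areas, key=lambda a: (-LEVELS.index(residual_risk(a)),
                                        -LEVELS.index(inherent_risk(a)),
                                        -a.open_findings, a.name))


# Constructed sample ratings for a small institution.
SAMPLE_AREAS = [
    Area("Flood insurance", "High", "High", "Adequate", 0),
    Area("Regulation B", "High", "Moderate", "Adequate", 1),
    Area("BSA", "High", "High", "Strong", 0),
    Area("Advertising (fair lending)", "Moderate", "Moderate", "Adequate", 0),
]

if __name__ == "__main__":
    for a in audit_schedule(SAMPLE_AREAS):
        print(f"{a.name:28s} inherent={inherent_risk(a):8s} residual={residual_risk(a)}")
```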
Using the Document
The compliance risk assessment is like a Swiss Army knife – it has several uses. First, the compliance risk assessment should be used to help with the planning and scoping of audits for the year. The highest areas of risk should receive the greatest scrutiny by the auditors. Moreover, the highest risk areas should be scheduled for review as early in the year as possible so that remediation efforts can be commenced and tested.
Rather than setting a basic training schedule, use the assessment to make sure that classes are focused on areas where the risk assessment has shown the potential for problems. The risk assessment can also be used to set the priorities for which policies and procedures need to be updated and in what order. The compliance risk assessment is also a good tool for measuring the level and quality of compliance resources, which must be considered as part of the risk assessment process. As the process is concluded, it is natural to use the results to develop specific requests for additional staff, software, training or other resources that are necessary to maintain a strong compliance program.
Creating the Compliance Environment
Probably the greatest untapped asset for any compliance officer is the staff at your institution. Without the support and input of the people who are contacting customers and performing day-to-day operations, the effectiveness of your compliance program will be greatly limited. Of course, one of the greatest impediments to getting the “buy-in” of staff is the perception of compliance that many in the banking industry have. There is a general dislike and disdain for anything compliance related. Compliance rules have been developed over time in response to unfair and sometimes immoral behavior on the part of banks. Most of the regulations have a history that is interesting and can help explain what it is that the regulation is attempting to address. Taking the time to discuss the history of the regulations and what it is that they are trying to address can go a long way toward getting staff involvement. Making sure that senior management accepts the importance of compliance and the costs of non-compliance can help increase support.
A comprehensive compliance risk assessment
should be the key to a strong compliance program. Using the
results of the compliance risk assessments to plan the compliance year and
deploy resources can be a very effective tool towards reducing compliance
risks.