Part One: A New System of Review
Starting in 2017, the FFIEC (the organization that is
comprised of the major financial institution regulators) changed the way
compliance programs are rated. Instead of one grade for the program, there is
now a three-prong test that makes up the final rating. The three parts
of the test are:
- The overall compliance program, including the written program, the
resources dedicated to the program compared to the overall risk profile of the
portfolio, and the experience and competency of management
- Board and management oversight: essentially the level and quality of
reporting to management, as well as the follow-up to problems noted and the
remediation implemented
- Harm to consumers: the violations that are discovered have varying degrees
of potential for harm to consumers. Some are very technical in nature and
can be remedied by a small fix. Other violations might require the dreaded
“look-back” and reimbursement.
In its press release describing the new rating system, the
FFIEC wrote extensively about the goals for using this approach for compliance
going forward. [1] Among the goals are to make the compliance examination more
risk-based and to allow each institution the opportunity to develop and
maintain a compliance program that is tailored to the risk profile of the
institution.
One of the aspects of this new rating system that is often
overlooked is the focus on the “self-policing”
Opportunities Provided by These Changes
The new compliance rating represents significant changes in
the ability of banks to alter their compliance destiny. The
emphasis on self-detection and self-policing allows financial institutions to
perform self-evaluation and diagnose compliance issues internally.
In the new rating
system, there is a premium placed on the idea that an institution has
compliance and/or audit systems in place that are extensive enough to find
problems, determine the root of the problems and make recommendations for change.
To impress upon the regulators that an organization is truly engaged in
self-policing, there must be evidence that senior management has taken the
issue seriously and has taken steps to address whatever the concern might
be. For example, suppose during a compliance review, the compliance team
discovers that commercial lenders are not consistently given a proper ECOA
notification. This finding is reported to the Compliance Committee along
with a recommendation for training for commercial lending staff. The
Compliance Committee accepts the recommendation and tells the Compliance
Officer to schedule Reg. B training for commercial lenders. This may seem
like a reasonable response, but it is incomplete.
This response does
not rise to the level of self-policing that is discussed in the FFIEC memo; a
further step is necessary. What is the follow-up from senior
management? Will senior management follow up to make sure that the
classes have been attended by all commercial lending staff? Will there be
consequences for those who do not attend the classes? The answers to
these questions will greatly impact the determination of whether there is
self-policing that is effective. Ultimately, the goal should be to
show that the effort at self-policing for compliance is robust and taken
seriously at all levels of management. The more the regulators trust the
self-policing effort, the more the risk profile decreases, and the less likely
it is that enforcement action will be imposed.
Self-Reporting
At first blush, self-reporting seems a lot like punching oneself in the face,
but this is not the case at all! The over-arching idea from the FFIEC guidance is
that the more the institution is willing to work with the regulatory agency,
the more likely that there will be consideration for reduced enforcement
action. Compliance failures will eventually be discovered,
and the more they are self-discovered and reported, the more trust the
regulators have in management in general and in the effectiveness of the
compliance program. The key here is to report at the right
time. Once the extent of the violation and the cause of it have been
determined, the time to report is imminent. While it may seem that the
best time to report is when the issue is resolved, this will generally not be
the case. The regulators may want to be involved in the correction
process. In any event, you don’t want to wait until it seems that
discovery of the problem was imminent (e.g. the regulatory examination will
start next week).
Remediation
What will your
institution do to correct the problem? Has there been research to
determine the extent of the problem and how many potential customers have been
affected? How did management make sure the
problem has been stopped and won’t be repeated? What practices, policies
and procedures have been changed as a result of the discovery of the
problem? These are all questions that the regulators will consider when
reviewing efforts at remediation. For example, if it turns out that loan
staff has been improperly disclosing transfer taxes on the Loan Estimate, an
example of strong remediation would include:
- A determination of whether the problem was systemic or limited to a
particular staff member
- A “look back” on loan files for the past 12 months
- Reimbursement of any customers who qualify
- Documentation of the steps that were taken to verify the problem and the
reimbursements
- Documentation of the changed policies and procedures to ensure that there
is a clear understanding of the requirements of the regulation
- Disciplinary action (if appropriate) for affected employees
- A plan for follow-up to ensure that the problem is not recurring
Self-policing gives an institution the ability to positively
impact its regulatory fortunes. The
goal under this new system is to document the effectiveness of the system of
controls in place. The effectiveness of
the control environment will impact all three of these ratings. Generally, more
favorable ratings will extend
the amount of time before your next examination is scheduled.
Ultimately, the new compliance ratings system highlights a
financial institution’s ability to establish its control environment.
In Part Two, we will discuss the control environment.
*** James Defrantz is Principal at
Virtual Compliance Management Services LLC***
***For more information, please feel
free to contact us at WWW.VCM4you.com***