The compliance examiners are coming! It is time to get everything together to prepare for the onslaught, right? Time to review every consumer loan that has been made and every account that has been opened in the last 12 months, right? Not necessarily! The fact of the matter is that the compliance examination is really an evaluation of your bank’s compliance management program (“CMP”). By approaching your examinations and audits as an evaluation of the effectiveness of your overall CMP, the response to the news of an upcoming review becomes (almost) welcome.
The Elements of the Compliance Management Program (CMP)
There is really no “one size fits all” way to set up a strong compliance program. There are, however, basic components that all bank compliance management systems need. These components are often called the pillars of the CMP.
The pillars are
- Policies and procedures
- Internal Controls
- Management Information Systems
The relative importance of each of these pillars depends on the risk levels at individual banks. The compliance examination is a test of how well the bank has identified these risks and deployed resources. For example, in a bank that has highly experienced and trained staff coupled with low turnover, the need for fully detailed procedures may be minimal. On the other hand, at a bank where new products are being offered regularly, the need for training can be critical. The central questions are: have you properly identified the risks that exist at your bank and, having done so, have you taken the necessary steps to mitigate those risks?
Making the CMP fit Your Bank
Making sure that your CMP is right-sized starts with an evaluation of how the bank is doing and the inherent risk in that activity. For example, consumer lending comes with a level of risk. Missed deadlines, improper disclosures or misinterpretations of the requirements of the regulations are risks that are inherent in a consumer portfolio. In addition to the risks inherent in the portfolio are the risks associated with the manner in which the bank conducts its consumer business. Are risk assessments conducted when products are going to be added or terminated? In many cases both decisions can create risks. For example, the decision to cease HELOCs may create a fair lending issue, while the decision to start making HELOCs has to be made in light of the knowledge and abilities of the staff that will be making the loans and the staff that will be reviewing for compliance.
We suggest that compliance has to be a part of the overall business and strategic plan of a bank. The best way to make sure that the CMP is appropriate for the bank is to include compliance in all of the business decisions. The CMP has to be flexible enough to absorb changes at the bank while remaining effective and strong.
The Test of the Bank Compliance Management Program
Probably the most efficient way to determine the strengths and weaknesses of the CMP is by reviewing the findings of the internal audit and examinations, as well as quality control checks. When reviewing these findings, what is most important is getting to the root of the problem. Moreover, we suggest that not only the findings, but also the recommendations that can be found in examination and audit reports can be used to help “tell the story” of the effectiveness of the CMP. As the Bank receives its readout of findings and recommendations, it is very important to ask the examiner or auditor “In your opinion, what was the cause of this finding?” Generally, we believe that you will find that the answer you receive will be candid and extremely helpful in addressing the problem. Let’s face it, sometimes findings occur when people have bad days. On those bad days, even the secondary review did not quite catch the problem. For the most part, these are the types of findings that keep examiners up at night.
The findings that cause concerns are the ones that result from lack of knowledge or lack of information about the requirements of a regulation. These findings are systemic and tend to raise the antenna of auditors and examiners. Unfortunately, too often the tendency for banks is to respond to this kind of finding by agreeing with it and promising to take immediate steps to address it. Without knowing the root cause of the problem, the fix becomes the banking version of sticking one’s finger in the dyke to avoid a flood.
We suggest a five-step process to truly address findings and strengthen the CMP.
- Make sure that the compliance staff truly understands the nature of the finding. This may sound obvious, but far too many times there is a great deal lost in translation between the readout and the final report. Many of our clients have stated that they felt like what was discussed at the exit doesn’t match the final report they receive. We recommend fighting the urge to dismiss the auditor/examiner as a crank! Call the agency making the report and get clarification to make sure the concern that is being expressed is understood by bank staff.
- Develop an understanding of the root cause of the finding. Does this finding represent a problem with our training? Perhaps we have not deployed our personnel in the most effective manner. It is critical that management and the compliance team develop an understanding of why this finding occurred to most effectively address it.
- Assign a person responsible along with an action plan and benchmark due dates. Developing the plan of action and setting dates develops accountability for ensuring that the matter is addressed.
- Assign an individual to monitor progress in addressing findings. We also recommend that this person should report directly to the Audit Committee of the Board of Directors. This builds further accountability into the system.
- Validate the response. Before an item can be removed from the tracking list, there should be an independent validation of the response. For example, if training was the issue, the response should not be simply that all staff have now taken the training. The process should include a review of the training materials to ensure that they are sufficient, feedback from staff members taking the training, and finally a quality control check of the area affected.
Not only does determining the root cause of a problem make the response more effective, but in doing so, the CMP will be strengthened. It may be easy to see that a bank has a problem with disclosing right of rescission disclosures. It may be harder to see that the problem is not the people at all, but that the training they received is confusing and ineffective. Only by diving into the root cause of the problem can the CMP be fully effective.