As published in ABA Bank Compliance (now ABA Risk and Compliance), May/June 2022
A healthy compliance culture embraces a strong compliance management program that includes a regular cadence of quality assurance measures, monitoring, and testing executed by the first, second, and third lines of defense, respectively. The culture and program should also encourage employees to speak up when things are not right, so those responsible can work to make them right. Compliance issues arise through monitoring and testing or from errors that occur in the normal course of business. From time to time, however, issues may result from inattention, negligence, or malicious intent. No matter how they arise, a thorough compliance investigation may be necessary to assess the issue, identify its cause, determine how to prevent it from recurring, and demonstrate management’s commitment to ethics and compliance.
While a compliance investigation is an important component of your compliance management system (CMS), the investigation itself can present its own legal and regulatory risks. Compliance professionals must be aware that the manner and scope in which an investigation is conducted are critically important. When all is said and done, there may be hindsight evaluation tied to how the bank identified and solved a compliance issue and how the bank responded. For this reason, it is important to have a clearly defined, documented, and executable compliance investigation process. The process will range from a simple review of the issue, applicable processes, and what went wrong, to a full-scale investigation requiring support from compliance, legal, business line, operations, human resources, and project management departments. Discussed in this article are practical considerations related to the compliance investigation process. By taking a thoughtful approach to the internal compliance investigation process, you will be able not only to find the underlying cause of the issue, but also to minimize the institution’s regulatory, legal, financial, and reputational risk.
Compliance Management System and Your Investigation Process
Along with an embedded ethical culture, the right tone from the top, and the desire to do things correctly the first time, an effective CMS will foster strong compliance performance in an institution. Having the key CMS elements in place will not only help deter compliance issues but will make an investigation process easier. Including instructions for the investigation process within the CMS program document will provide guidance and create consistency. It will also ensure inclusion of important details like the:
- Description of the issue;
- Escalation;
- Root cause analysis;
- Compliance investigation requirements;
- Responsibilities;
- Documentation;
- Corrective action plan; and
- Required reporting including the possibility of regulatory self-reporting.
In a normal business day, activities and events may give rise to various compliance issues. It is critical that the first line have effective quality assurance routines to detect such issues as quickly as possible. Dealing with issues swiftly will minimize the impact on customers. Issues can also arise in other ways, including self-identified errors, exceptions detected in second-line monitoring and testing, internal audit findings, consumer complaints, third-party vendor monitoring exceptions and complaints, whistleblower reports, or regulatory examination findings. Regardless of how it originated, the nature of the issue will determine whether there is need for a full investigation. Ideally, your CMS will describe the investigation process both for an issue that is identified early or is otherwise isolated in nature, and for an issue that is found to be systemic—and has the potential for significant risk exposure.
Considerations for an Internal Compliance Investigation
A timely and methodical investigation will provide information that may help limit the institution’s regulatory and legal exposure. Below are essential activities to consider before launching a full-scope internal compliance investigation.
Stop the issue from continuing. Immediately stop the process, procedure, system glitch, etc., that is causing the issue. An effective manual or other work-around to address the issue may be necessary until the investigation team identifies the root cause and implements final corrective action.
Understand the issue. Gathering key facts will assist senior management in determining whether the standard CMS issue resolution process is sufficient or whether a full compliance investigation is necessary. Know the facts and document the issue clearly and concisely. Depending on the severity of the issue, it may be prudent to engage in data collection under the direction of bank counsel to preserve any legal privilege as to the issue and the details of what is uncovered.
- Condition – What happened, when and how did it happen, why did it happen (root cause), and who was involved?
- Criteria – Did the issue violate a consumer protection law or regulation or did it have an unfair, deceptive, or abusive impact on customers?
- Cause – What was the source of the issue? Did it happen because of a faulty process, system failure, inadequate policy or procedure, lax implementation, execution failure, poor training, deficient monitoring, negligence, malicious intent, or something else?
- Effect – What is the potential impact of the issue? Who and how many customers? Did customers suffer financial harm? What was the period of time the issue was active? What is the potential for regulatory fines?
- Recommendation – Based on the information gathered, what is the recommendation to stop the issue from occurring and to prevent it from recurring?
Escalate when appropriate. Compliance issues will vary in type and complexity, and those that pose the highest risk to the institution require thoughtful but swift action. Having a risk-rating methodology and escalation process spelled out within the CMS program will facilitate issue resolution in an organized manner. High-risk compliance issues warrant escalation to compliance, legal, and business line management for heightened and prompt attention. Issues in this category usually include patterns of regulatory exceptions resulting in customer harm, claims of discrimination or potential unfair lending, risk of class action or other litigation, repeat issues that continue to recur, whistleblower reports, violations of law, and risk of regulatory fines, to name a few.
Form an Investigation Team (Team). Before diving into the investigation, it is important to identify and engage the parties to the process. In many cases, the compliance department will take the lead in addressing compliance issues noted in the normal course of business. They will work with business line and operations management in determining corrective action and updating tools, systems, and materials, as necessary.
If the nature of the investigation may result in potential legal or regulatory risk, consider having either internal or external counsel lead the investigation depending on the nature of the issue and the expertise required. Business line, operations, technology, finance, and compliance personnel will still need to be involved. If the issue requires disciplinary action, engage the human resources department in the process.
Document the Investigation Plan. Completing the investigation in a thoughtful and thorough manner including meticulous documentation of results and conclusions is critical. The institution’s prudential and compliance regulators and other interested parties, like attorneys, will reference this information so it is important that it “tells the full story.”
How to Conduct a Compliance Investigation
Once management makes the decision to conduct a compliance investigation and identifies the Team, it is a good idea to develop a detailed workplan that addresses the following, at a minimum:
1. Determine roles and responsibilities of key management stakeholders and the Team. The Team should include personnel with compliance, legal, operational, and technology knowledge to effectively ask the right questions and review policies, procedures, and documents related to the issue. Key management stakeholders will provide guidance and direction to the Team. A project manager will pay attention to the details and make sure the investigation keeps moving.
2. Agree on the governance or the structure and processes for decision making, accountability, and behavior of the Team. Many compliance issues are addressed through the CMS issue resolution process. However, if the issue poses consumer harm, the institution may choose to conduct the investigation under attorney-client privilege. The privilege protects the Team’s communications in case of a legal discovery request, for example, as long as the Team follows required communication protocols.
3. Establish a timeline for the investigation. Do not procrastinate but be planful! The sooner the investigation process can begin, the fresher and more vivid the information. Prompt action will also limit potential consumer harm.
4. Clear guidance for documenting the investigation will ensure the Team understands the requirements and provides support for investigatory conclusions. Remember, if operating under attorney-client privilege, pay attention to the defined communication protocols!
5. For interviews, listen intently, take copious notes, and have a list of questions ready. Open-ended questions will help get to the root cause of the issue. Ask “why?” until the interviewer uncovers all possible answers and discerns the root cause of the issue.
6. When reviewing documents such as policies, procedures, transaction documents, system reports, etc., keep copies of supporting information, cross reference, and summarize observations in a way that allows an independent third party to easily understand the process reviewed.
7. Periodic status meetings for the Team are necessary to ensure the investigation remains on track and that key stakeholders and Team members have a forum for questions and can request guidance from management, legal, and others. Such meetings will also help keep all parties up to date on developments and conclusions.
8. Based on investigation results, the Team should develop a plan for corrective action. The plan should address the issue’s root cause to prevent recurrence. If the issue has resulted in consumer harm, take care in identifying the population of impacted consumers. Understand the time period for the issue, the product involved, and all possible avenues for consumer harm. Institute controls to ensure customers receive accurate and timely remediation. Check and double-check refund calculations and follow up on unclaimed refunds and returned mail.
9. The Board of Directors (Board) and applicable executive management committees (compliance committee, risk committee, audit committee, etc.) may want to receive formal updates on the investigation from the chief compliance officer and/or the general counsel (especially if under attorney-client privilege). Document the discussion within the particular committee and Board minutes.
10. At the conclusion of the investigation, the project manager, in conjunction with legal and compliance, should gather all supporting documents and reports, store them in a safe electronic and/or physical location, and retain them for the appropriate period.
A clearly documented investigation process is critical to an effective CMS and is an expectation of the prudential regulatory agencies and the Consumer Financial Protection Bureau (bureau). In a typical examination process, regulators will review monitoring and testing results and ask detailed questions about compliance issues, especially those that result in consumer harm. Doing nothing and ignoring deficiencies is not an option. Being ready with the answers will demonstrate the institution’s commitment to the CMS program and hopefully allow for a smoother examination. One more important consideration related to an internal investigation is whether management chooses to self-report the issue and results of the related investigation to its prudential regulator, and/or the bureau for institutions with assets greater than $10 billion.
On March 6, 2020, the bureau issued CFPB Bulletin 2020-1—Responsible Business Conduct: Self-Assessing, Self-Reporting, Remediating, and Cooperating. When a violation of law does occur, the bureau states, “…an entity may self-assess its compliance with Federal consumer financial law, self-report to the bureau when it identifies likely violations, remediate the harm resulting from these likely violations, and cooperate above and beyond what is required by law with any bureau review or investigation.” While there are no guarantees, the bureau states it will favorably consider such responsible conduct in supervisory and enforcement matters. The bulletin lists the questions the bureau will ask, which warrant review for incorporation into the compliance investigation process. The table below provides a summary reference.
Conclusion
Minimizing regulatory scrutiny and supervisory or enforcement action is one good reason to conduct compliance investigations. Institutions also benefit in other ways. A robust investigation process signals management’s commitment to employee accountability and to a strong compliance culture. It shows customers, employees, and others that conducting business in compliance with applicable regulations, and in accordance with the institution’s pledge to ethics and integrity, is an important value. An effective CMS, along with sound policies, procedures, controls, monitoring/testing, and management oversight, is a necessary safeguard. If something goes wrong, whether intentional or unintentional, swift action guided by a methodical, thorough process goes a long way in the effort to make things right.