As published in ABA Risk and Compliance, July/August 2023
Successful compliance begins (and sometimes ends) with a bank’s compliance culture. A compliance mindset must be woven into the cultural fabric of a bank to protect it against widespread compliance issues that can negatively impact its reputation and its bottom line.
The overall organizational culture is composed of the values, beliefs, and, most importantly, the behaviors of employees. A bank’s compliance culture is intertwined with its organizational culture, and you do not have to look far to find examples of both strong and poor compliance cultures. Recent enforcement actions, such as those related to misconduct involving unrealistic sales goals, unchallenged discriminatory conversations in loan committee meetings, or repeatedly assessing undisclosed fees, highlight inappropriate behaviors resulting in part from a poor compliance culture.
A strong compliance culture creates a working environment where employees understand how and why they do what they do as they assist customers with their financial needs. It also helps the bank maintain the trust of customers and stakeholders and avoid regulatory, legal, and reputational risks. A poor compliance culture can result in a host of issues, ranging from disengaged employees and turnover, poor customer service, legal and compliance issues, reputation issues, and regulatory fines to, perhaps, even bank failures.
Creating a culture of compliance starts at the top. The board and senior management must set the tone for the organization, model ethical behavior, and establish and communicate a framework to guide workplace culture and behaviors.
Management’s communication of sound core values and strategies drives good behavior throughout the bank. A bank president once said, “If we get an outstanding compliance rating from our examiner, we are spending too much money on compliance.” Obviously, management’s goal was to spend just enough time and money to receive a passing grade. That mindset influenced the compliance culture that permeated the bank. It came as no surprise that the bank received a “less than satisfactory” compliance rating at its exam. Leaders must demonstrate a commitment to compliance and make compliance a priority in their objectives, strategies, and decisions. That commitment must also provide appropriate resources, capital, and tools to empower personnel to take the compliant path.
In banking, we often refer to the bank’s compliance management system (CMS), which generally includes board and management oversight and a compliance program composed of policies and procedures, training, monitoring and/or audit, and programs to appropriately manage consumer complaints and third parties.
But compliance culture goes beyond a bank’s CMS. While establishing a robust CMS is the foundation for a compliance function, the success of the bank’s CMS is related to its compliance culture and management’s commitment to and reinforcement of following the rules and regulations applicable to the products and services it offers. Behaving ethically and with integrity at all levels of the organization is certainly key. A compliance culture where personnel are empowered to speak up and “do the right thing” facilitates continuous improvements in the bank’s delivery of compliant products and services.
To better understand and assess your bank’s compliance culture, consider these keys to success:
Customer Complaints
Customer complaints provide a wealth of information regarding a bank’s compliance culture and can influence the bank’s reputation and customer loyalty. The Consumer Financial Protection Bureau (CFPB) reported it received almost 1.3 million complaints in 2022. Banks with a strong compliance culture maintain a robust complaint management process where complaints are taken seriously, thoroughly investigated, and resolved. The root cause of the complaint is identified and addressed to ensure that similar issues do not recur. Resolving each complaint will make those customers happy, but the goal is to prevent the same issue from happening again to keep all of your customers (and examiners) happy. Underlying or root causes may require procedural or operational changes to prevent ongoing issues. Complaint data provides valuable insight into a bank’s compliance culture and should be assessed for any potential underlying issues that may indicate a larger cultural concern.
Policies and Procedures
While policies and procedures provide important guidance to execute activities in a compliant manner, it is the compliance culture that drives personnel to adhere to policies and procedures. Management communication of what is expected of employees is important to maintaining the bank’s compliance culture. Likewise, employees need to understand and internalize management’s expectations. Policies and procedures define the rules for compliance and should provide clear and detailed guidance to employees regarding their day-to-day activities. Policies and procedures are not helpful if they just sit on a shelf never to be read again…until the regulators ask for them in the next exam. Management should regularly reassess, update, and provide training on policies and procedures to ensure they remain current and relevant and provide clear direction about the behaviors and responses management expects.
Exceptions to established policies and procedures are a growing area of concern, and management should know the types of policy and procedure exceptions that occur. A formal protocol requiring prior supervisory approval of exceptions should be established. When exceptions impact higher-risk areas like compliance or fair lending (for example, exceptions to loan pricing or underwriting standards), not only should they be approved in advance, but they should also be documented, centrally tracked, and analyzed for trends. Understanding the frequency and nature of exceptions helps to determine whether changes to policies or procedures are needed, or whether additional reinforcement is needed to ensure adherence to the existing policies and procedures.
Policies and procedures are instrumental in promoting expected behaviors and are more successful when employees understand why the policies and procedures exist and why they are important. Fostering an environment where personnel understand the “why” leads to a much stronger culture than a “do as it says” environment. Banking is complex, and it is important for all employees to understand the legal and compliance risks associated with their daily tasks and the impact of non-compliance on the bank’s customers, its reputation, and the bottom line.
Management’s Response
Key to a bank’s compliance culture is how its leaders respond to issues. Management should hold itself and others accountable for compliance, and non-compliance should have consequences. Putting a band-aid on the problem or kicking the can down the road is unacceptable. The CFPB issued Bulletin 2020-01 addressing responsible business conduct and building a culture of compliance in order to prevent consumer harm and minimize compliance violations. The bulletin discusses factors of responsible conduct including self-assessing, self-reporting, remediating, and cooperating with the CFPB. These factors are fundamental to a bank’s compliance culture.
Once an issue is identified, there is nothing more telling about a bank’s compliance culture than how management responds. Management response is closely tied to its compliance culture and influences how likely personnel are to report and escalate errors. Encouraging open and frank discussions for all issues is essential and helps encourage employees to escalate concerns. To borrow a phrase from the U.S. Department of Homeland Security, management should embrace the philosophy of “if you see something, say something” and encourage employees to speak up and ask questions. Just as a bank’s CMS and Code of Conduct and Ethics should encourage employees to report concerns to management, regulators also encourage management to self-report significant issues to the bank’s regulator. As stated in CFPB Bulletin 2020-01, self-reporting issues promptly and completely will be considered favorably by the CFPB, and the same is true for other regulators.
When compliance issues are self-identified, management must take prompt corrective action focused on addressing both the issue itself and the root cause of the issue.
Corrective Action/Root Cause Analysis
Compliance culture should influence corrective action at both the transaction level and the bigger picture. When an issue is identified, successful managers assess the full impact of the issue and avoid focusing on what may only be a symptom of a larger problem. For example, reimbursing a customer who complains about an undisclosed fee is the right thing to do, but stopping there is not enough. Management should ask whether the issue is isolated or if other customers were impacted, whether controls exist to prevent this type of issue from happening and if so, why the controls failed or how they were circumvented. If no controls exist, what controls need to be implemented to prevent the issue from recurring? Comprehensive corrective action should include remediating any customer harm but must also consider whether:
- Additional or alternate operational procedures should be implemented;
- Policies and procedures require updating or need to be developed;
- Additional training of personnel is required;
- Disciplinary action should be taken; and
- Additional or more frequent monitoring/testing is needed.
Many banks have found themselves in a cycle of repeat violations due in part to management prematurely considering issues to be fixed without ensuring that corrective action was effective. Before an issue is considered closed, testing should be performed to confirm that the changes and corrective action were effective at preventing further issues. This might take several months to allow for comprehensive follow-up testing. A strong compliance culture requires taking meaningful steps to address the underlying causes of a problem and making true operational changes when appropriate.
Monitoring
Before being able to respond to an issue, management must be aware that an issue exists. Proactively self-assessing or monitoring for ongoing compliance allows management to self-identify compliance issues or provides assurance that none exist. Management should maintain its commitment to a strong compliance culture and provide appropriate resources to perform formal ongoing evaluation of the bank’s compliance efforts, including sufficient ongoing monitoring at the business transaction level. When monitoring identifies an issue, the process for reporting and escalating issues to management and remediating issues should be clearly defined, and corrective actions should be swift.
Code of Conduct and Ethics
If done correctly, establishing a Code of Conduct and Ethics will help communicate to employees the bank’s core values along with management’s expectation and commitment to doing business compliantly and responsibly. A Code of Conduct and Ethics can only have an impact if employees are aware of it and if all company personnel, especially leadership, embrace it. Regular training regarding the Code of Conduct and Ethics will help to keep it relevant and reinforce management’s commitment to maintaining a culture of compliance.
Whistleblower Hotlines
A whistleblower or fraud hotline encouraging employees to report concerns or wrongdoing helps strengthen the compliance culture. Ideally, employees would be comfortable and confident voicing concerns to their supervisors or other bank management, but hotlines provide an additional way for employees to raise issues. The Sarbanes-Oxley Act requires publicly traded companies to establish a confidential and anonymous way to report potential issues and provides strict protection for whistleblowers, ensuring they are able to report issues anonymously without fear of retaliation.
Employee Exit Interviews and Terminations
The human resources department collects information and analyzes trends from employee exit interviews and terminations that can help management understand and improve the compliance culture. An increase in terminations of employees who are unable to meet sales goals, for example, may warrant additional scrutiny of the demands for sales and the amount of emphasis and pressure that supervisors exert. The same would apply if exit interview data from resignations signaled an increased dissatisfaction with the pressure to make sales goals that seem unrealistic. Additionally, any specific concerns expressed that negatively impact the bank’s compliance performance or customers should be explored further to determine the extent of the concern.
Employee Compensation and Incentive Plans
Setting employee compensation and incentive plans that drive good, ethical behavior is also key to a strong compliance culture. After the banking crisis of 2008, regulators and industry experts debated the relationship between compensation and the risks taken by bank executives and management that contributed to the crisis. Some studies linked poorly structured compensation packages to executives and managers taking higher risks to reap the benefits of personal short-term gains rather than having the long-term goals of the bank in mind. While regulators established some compensation rules for loan originators under the Truth in Lending Act, rules prohibiting compensation agreements that encourage inappropriate risk-taking have not been finalized for Section 956 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. That means these incentive plans are at the discretion of bank management and shareholders.
Compliance culture is impacted by incentive plans at all levels of the organization. Employees focus on what they are incented to do and what personally benefits them. Management must ensure that incentives promote the desired behaviors and incentive plans should channel employees’ actions to meet the bank’s long-term goals and prevent “gaming the system” to benefit themselves to the detriment of the bank and the bank’s customers. Poorly defined incentive plans can incent inappropriate behavior and wreak havoc on the bank’s compliance culture.
Employee Training and Understanding
Many banks that have established robust training curriculums still find themselves with a compliance culture that is lacking. A common cause is that employees may not truly understand what is expected of them even though they complete all the requisite online compliance training courses assigned each year. While many banks rely on policies, procedures, and system parameters as guardrails to help employees with compliance, a true culture of compliance cannot be achieved if employees do not understand why they are doing what they are doing. First-line employees, that is, frontline and back-office operational employees (also known as the first line of defense), must have a deeper understanding of why they are supposed to do something a certain way. They need to understand what the compliance risk is, what the requirements are, how those requirements are operationalized in their day-to-day activities, and what the risks and consequences of non-compliance can be. Only when employees truly understand can a strong compliance culture exist.
In addition to overseeing the compliance program effectively, senior management and the board need to understand the latest and emerging issues. Be sure to include appropriate training for the board of directors and senior management.
Closing Remarks
Although compliance culture is a combination of several components, all the components must work together to be effective at influencing people’s values, beliefs, and behaviors. Management at all levels of the bank must clearly communicate its expectations and must model integrity and ethical behavior. It must provide the right foundation and guidance to promote a strong culture of compliance.