As published in ABA Bank Compliance (now ABA Risk and Compliance), July/August 2016
New regulations and changes to existing consumer regulations have been continuous over the last few years. Banks have been working tirelessly to implement these changes and fatigue is setting in. The routine is now very familiar. Review notice of proposed rulemaking. Comment. Review final rules. Interpret. Communicate. Implement, reinforce, and repeat. The strain has been felt bank-wide from the business lines, operations and technology groups, learning and development, and most of all the compliance function. Not to mention, we are also responsible for reviewing and keeping up with consent agreements.
While regulatory changes continue to be finalized and promulgated, supervision and enforcement by prudential regulators and the CFPB continue to intensify. The industry evolution to new products and services involving new technology innovations makes compliance even more challenging. As many of the regulations have not kept up with advancing technologies, compliance review of new products and services requires careful analysis and implementation to ensure banks do not run afoul of the spirit and technical requirements of existing regulations. This is especially important with the migration toward principles-based regulation and the overarching requirements of the Unfair, Deceptive and/or Abusive Acts and Practices (UDAAP), which has been cited in many, if not most, of the enforcement actions issued in the past few years.
Benjamin Franklin is often quoted as saying, “In this world nothing can be said to be certain, except death and taxes.” In financial services, and perhaps more specifically, in a compliance officer’s world, that quote might be restated to include “regulatory change.” While the entire organization must respond to regulatory changes, the bank compliance officer is customarily regarded as the leader of regulatory compliance changes.
If regulatory change is certain, how does one stay motivated and continue on with enthusiasm? In the face of our increasing workload, we need to work smarter. Ensuring your program is well organized is a good start. Here are some suggestions on what you should include.
Robust Compliance Management System
Since the 2008 financial crisis, the focus on a strong, effective compliance management system (CMS) has been a high priority for banks and regulators alike. There is no doubt that a well-functioning system of checks and balances benefits the bank and its customers. It also engenders a compliance culture that embraces and helps facilitate change. Implementing a robust CMS requires time, effort, skills, resources, and most importantly management commitment. Don’t forget that “robust” is not only a measurement of extent, it also means dynamic. Ol’ Ben is right again!
Though stated differently in each regulator’s guidance on compliance programs, the prudential regulators and the CFPB generally agree on the following interdependent control components of an effective CMS:
- compliance program
- board and management oversight
- responses to consumer complaints
- independent compliance audit
Each component plays an integral role in establishing compliance responsibility.
The compliance program should provide the framework and detail the roles and responsibilities for each level of management and the Board of Directors in executing the program. The program must include:
- the scope of coverage, i.e., the products, services and related sales and operational support functions;
- communication of the applicable requirements;
- internal controls to manage the requirements;
- training for those responsible for execution;
- monitoring activities to ensure the procedures, controls, and processes are working effectively and efficiently toward compliance with the requirements;
- mitigation of any non-compliance; and
- reporting on compliance activities to executive management and the Board.
Understanding complaints received from customers and investigating the root cause of the complaints will help point to enhancements required for the compliance program. Finally, an independent audit of the compliance program will provide management and the Board with assurance that the CMS is operating as intended.
The following strategies will also help strengthen the compliance framework:
- Three lines of defense – Implementing a line of defense structure articulates clear accountability for compliance. The first line is comprised of the business and support functions that are responsible for execution of activities in a compliant manner. The second line is risk management, which includes the compliance function and responsibility for guiding, monitoring, and reporting on the effectiveness of compliance activities. The third and final line is internal audit, which is responsible for independent assessment of the entire program. The three should work together to ensure the bank “defends” itself and monitors and tests itself to ensure risks from control failures, fraud, or regulatory non-compliance are identified and sufficiently mitigated.
- Preventive and detective controls – While detective controls such as post-funding quality control, periodic monitoring, etc. are necessary to ensure processes are properly followed, preventive controls that catch errors or inaccuracies before they occur are invaluable and are a focus of regulators. Some simplistic and easy-to-implement preventive controls are based on adequate separation of duties. The loan originator should be separate from the underwriter, and both should be separate from loan processing, closing, cashiering, and recording of the loan in the general ledger. This separation allows for checks and balances before a loan is finalized. In addition, an effective training program, timely supervision, review, and reinforcement of compliance processes by the front lines and support functions is a preventive control, as are system fields that limit data or the format in which data is entered. Identifying compliance errors and inaccuracies prior to the customer signing on the dotted line will not only provide a better customer experience, it will help prevent potentially costly remediation projects, especially if the customer was “harmed” by the error or inaccuracy.
- Fair and Responsible Banking Committee – Some banks have instituted a fair and responsible banking committee to help ensure that products and services are managed in compliance with regulatory requirements and are structured in a fair and responsible manner. Committee membership typically includes representation from various disciplines in addition to compliance such as: business line management, legal, product development, marketing, customer service, complaint management, sales, operations, technology, and risk management. This cross-functional approach encourages communication and ensures the bank as a whole is viewing its offerings fairly and consistently. If the bank has a new product committee that reviews and evaluates new offerings, the fair and responsible banking committee may pick up where the new product committee leaves off, at the point of customer experience. Understanding the customer experience can help a bank retain existing customers and gain new ones. In addition to customer satisfaction surveys that may be conducted by the bank, customer complaints are another important source for measuring customer satisfaction. The fair and responsible banking committee may work with management to understand patterns in complaints and their root cause. This understanding will help identify potential compliance breakdowns and allow the bank to be proactive in addressing resolution and in preventing complaints from recurring. Acquiring bank customers is not easy in this highly competitive and commoditized environment. Having a process to holistically analyze customer feedback whether through surveys or complaints received will help the bank identify areas that require additional compliance and quality of service focus.
- Vendor risk management – Simply stated, your vendor’s compliance error is your compliance error, so monitoring vendor performance is critical. The bank may be able or need to outsource the mechanics of a function, but bank management retains responsibility for how the third party performs under the contract and any vendor compliance violations that arise.
Regulatory Change Management
As noted earlier, keeping up with regulatory changes has certainly not been easy and at times may even be overwhelming. A sustainable and repeatable process for addressing changes would certainly help keep things on track.
- Change management – Implement a process to scan the regulatory environment, interpret, understand, and communicate the changes. The process should include identification of the areas impacted by the change such as the business line, operations, systems, training, and communication. It should also clearly ascertain the individuals responsible for effecting the change and the timeline for implementation.
- Project teams – Having effective project management and an assigned, dedicated project manager is critical to implementing regulatory changes, especially those impacting multiple functions within the bank. A cross-functional team will ensure all aspects of the change are properly addressed. And, by the way…one can never start too early!
- Study enforcement actions – The volume and frequency of enforcement actions have increased over the last few years. These actions signal a trend on the areas of focus for the prudential regulators and the CFPB. Besides technical citations of regulations, these actions have cited violations of Unfair, Deceptive and/or Abusive Acts and Practices. Having a process to review these enforcement actions carefully to make sure you understand what went wrong at the other bank and whether it could impact your bank is imperative. Early detection and self-identification of similar issues of non-compliance or unfair, deceptive, or abusive practices will allow the bank to be proactive and thoughtful in addressing corrective actions.
Training
An effective training program is imperative in meeting your bank’s customer service goals, quality of execution, and compliance with regulatory requirements, which are all interrelated. From a regulatory standpoint, as non-compliance is uncovered and the root cause of the non-compliance is identified, the remediation process will often come back to revising the deficient process and re-training staff. A well-trained customer service representative, deposit operations manager, loan officer, or loan processor will execute within quality standards, which results in stronger customer service. Compliance officers need to leverage bank resources to be able to effectively manage compliance-related training. Consider these options:
- Learning & Development – Engage your learning and development department to assess the best approach, focus, and most effective training for the different functional areas and job levels within the bank.
- Buy and Build – Leverage “off the shelf” training modules from trade associations and training vendors. Be sure you can customize or add to the modules to address your bank’s unique processes.
- Keep Good Records – Track compliance training provided to ensure personnel are receiving the right training for their jobs and to provide evidence to the regulators of the bank’s commitment to training.
- External Training – For certain roles within the bank, internal training is not enough. For example, compliance and internal audit personnel benefit from attending training seminars, conferences, and roundtables, not only by gaining technical training but also by interacting with their peers and understanding different industry approaches to compliance issues and challenges. It is no secret that good compliance professionals are in demand. External training is one more benefit that should help you retain this expertise.
Be a Student of Your Business
To effect changes and provide value-added assistance to the business lines and support functions, the compliance team must understand the products and services offered, how they are marketed to customers, how they are secured and on-boarded to systems, how they are serviced, and the various issues that may arise along the way. In other words, to be effective a compliance officer needs to stay on top of the business issues in addition to the regulations.
- New products and services – Be involved at the start of new product development. Review changes to existing products, their impact on business line processes, and required system enhancements. Many banks have instituted new product development committees that include marketing, compliance, internal audit, legal, and information security departments, in addition to the business lines presenting changes or new offerings.
- Product lifecycle – Both new and existing products should be reviewed throughout their life cycle, i.e., inception, marketing, sales, onboarding, servicing, and closing, to ensure they are fair, responsible and compliant offerings. Understand and analyze customer concerns, especially those raised through the bank’s customer complaint process. Determine what the root cause of the concern is and make needed changes to make the customer experience better and to also mitigate any potential regulatory concerns.
Leverage Technology
More than ever, data is at the center of a compliance officer’s world. Reviewing compliance by just opening a loan file or another customer record is no longer enough. When one or two regulatory exceptions may lead to a Matter Requiring Attention (MRA) or worse, a compliance officer needs to have a better system of identifying potential issues. Data analysis is a must!
- Know your data – Employ data analytics to manage compliance. Whether it is customer overdraft data or Home Mortgage Disclosure Act (HMDA) data, make sure you understand what it is telling you about the bank’s state of compliance. Implement key performance and key risk indicators to help hone in on areas of concern. Data analytics will not only provide a more comprehensive and broader picture of activities and potential areas of concern, it will make the compliance process more efficient…assuming of course the data has integrity. The regulatory agencies are requesting many data points to help them scope their examinations. The best defense is a good offense—better that you know what they will see before they request it.
- Keep up with new innovations – Banks are adopting new financial technologies (fintech) such as Bitcoin, marketplace lending, new payment services, etc., and look to the compliance officer to provide regulatory guidance and direction on these new offerings. The compliance officer needs to stay abreast of fintech developments and understand the regulatory issues these new technologies may impose. Industry news, webinars, and trade associations provide information on the latest developments. If your bank is considering new fintech offerings, get involved! For example, there are groups mobilizing around marketplace lending and investing and other online platforms.
- Governance, risk management, and compliance (GRC) systems – Corporate governance, enterprise risk management, and compliance functions create and share valuable information amongst each other that is derived from the same systems, people, processes, and data. A GRC system can make for a more efficient compliance process by facilitating execution of risk assessments, ongoing monitoring, and targeted reviews within one system and leveraging data created by other disciplines in the process.
Other Important Considerations
In addition to having the resources and tools to implement a robust CMS and ensuring the compliance team and the bank receive the right training, here are a few more strategies that support the compliance program and make the job easier.
- Strong coordination with internal audit – A strong, collaborative relationship with internal audit will help reinforce a good compliance culture. While internal audit must preserve its independence from the first and second lines of defense, there are certain consulting activities it can perform to assist the bank in implementing compliance changes and requirements. Such activities may include participating in new product committees highlighting potential compliance control issues and reviewing procedures and processes prior to implementation ensuring proper controls are addressed. It is also helpful for internal audit and the risk management and compliance functions to use consistent language when reporting on compliance risk. Consistent definitions for the terms “high”, “moderate”, and “low” risk are a good starting point.
- Regulatory exam facilitation – As the regulatory examination process becomes more onerous and complex, it is helpful to designate an individual to coordinate the examination process. The designated individual could be a project manager or a compliance resource who is able to manage requests for information, coordination of space and technology requirements, scheduling of meetings between the examiners and the business lines, and generally making sure the examination goes smoothly from a logistical and information gathering standpoint. This coordination goes a long way with the examination teams!
- Accountability program – A program that outlines expectations for job performance including quality, customer service, and compliance with policies, procedures, and regulatory requirements reinforces management’s commitment to a strong risk and compliance culture. To be effective, the program must be specific and outline the consequences for lack of accountability.
Every compliance officer desires a working environment with a management team that understands the commitment required for a strong compliance culture and an effective compliance management program. The professional liability facing compliance officers is real and is top of mind. There is no doubt that all departments and support functions in a bank experience compliance fatigue and no one is impacted more than the compliance officer. The initiatives described above take coordination and effort. While a bank relies on the compliance officer for technical interpretations, the compliance officer contributes much more than that. To perform the job well and to add value to the organization’s strategic objectives, a compliance officer needs to be a strong communicator, a good listener, a project manager, a change agent, a trainer, a collaborator, and a facilitator.
In today’s regulatory environment, operationalizing regulatory change is a process, not an event. Embedding the process in the bank’s compliance DNA and ensuring the compliance officer has the resources and support of management helps everyone work smarter, eases the strain of implementing regulatory changes, and makes the job of managing compliance at all levels of the organization just a bit easier.