As published in ABA Bank Compliance (now ABA Risk and Compliance) – March/April 2018
The role of the compliance team has evolved over the decades to meet the regulatory demands of an industry with new products, advancing technology and consumer demands for ease of access and service. So, it makes sense that today’s compliance team requires more complex knowledge and skills than it did in the past. And, in order to have an effective compliance team, it is essential to have a comprehensive compliance program, called a Compliance Management System, or CMS.
A CMS is an integrated system composed of written documents, functions, processes, controls, and tools that will help your bank comply with legal requirements and minimize harm to your customers due to legal violations. The CMS should be woven into every functional area in your organization, from sales to advertising to operations and administration.
The bank regulatory agencies establish and communicate the expectations for an effective CMS. For example, the Consumer Financial Protection Bureau’s (Bureau) Supervision and Examination Manual states:
“To maintain legal compliance, an institution must develop and maintain a sound CMS that is integrated into the overall framework for product design, delivery, and administration across their entire product and service lifecycle. Ultimately, compliance should be part of the day-to-day responsibilities of management and the employees of a supervised entity; issues should be self-identified; and corrective action should be initiated by the entity. Institutions are also expected to manage relationships with service providers to ensure that service providers effectively manage compliance with federal consumer laws applicable to the product or service being provided.”
Small and large financial institutions alike must continue to evolve their compliance teams to set the culture of compliance throughout the organization, resulting in a more effective CMS. Building such a compliance team requires a blueprint specific to the organization, yet flexible enough to meet a constantly changing business and regulatory environment.
The Three Lines of Defense
For the compliance team to be effective, it must lay out the plans for the three lines of defense: first (business lines and compliance), second (risk and compliance), and third (internal audit). Defining their roles and responsibilities is a critical first step, and this effort often may be led by the corporate compliance group or the Chief Compliance Officer (CCO) in conjunction with his/her colleagues in the business lines, support functions, and internal audit. The chart below provides an illustration of how the lines of defense are generally structured.
Because the entire institution has an obligation to manage compliance activities effectively, defining who is responsible, accountable, consulted, and informed of these activities is the cornerstone of a successful CMS. While the defense lines may be blurry within a smaller institution, clarity of responsibility is still important. Depending on an institution’s business objectives and strategy, it may choose to assign certain first line responsibilities to the second line or vice versa, and hire a qualified external firm to execute the compliance internal audit activities.
The Building Blocks
Regardless of the size or structure of the institution, the compliance team plays a pivotal role in the CMS. In today’s regulatory environment, the second line compliance team is more than a ready reference for regulations and a monitoring function. If it is to foresee and prevent compliance risks and help develop the compliance culture, it requires a balance of the following competencies:
- Compliance acumen—to perform its duties effectively, the compliance team must be well-versed in the regulatory requirements, or at a minimum, know how to research and interpret the requirements applicable to the institution’s products and services.
- Operational and risk management knowledge—a keen understanding of the business and its related processes and risks is imperative. In addition, when an error or exception occurs, a proper root cause analysis is necessary to ensure the process change addresses the cause of the error, not just the symptom. Without this knowledge and analysis, it is difficult to apply the laws and regulations, or to understand where compliance risk exists. One mission of the compliance team is to be an advocate for the business and find ways to say “yes” rather than only saying “no”. A strong working knowledge of the business and operations will help compliance explore options and better fulfill that mission.
- Systems knowledge and process improvement—with the advent of financial technology (FinTech) and regulatory technology (RegTech), the compliance team must possess the skills to understand relationships between data sets and identify warning signs. However, before technology can be effective, policies and practices must translate to compliant, efficient, and repeatable processes. Automation of monitoring processes will also require individuals with process improvement and technology skills. Forming methods to perform compliance related activities better and faster will elevate the compliance team’s value to the organization.
- Change agent—the compliance team must be skilled in change management and inspire the hearts and minds of colleagues across the organization as it relates to compliance. Persuasive communication and negotiation skills are as important as, and perhaps more important than, the regulatory requirements themselves. When a regulation or a process changes, the compliance team must ensure the business lines understand and accept the change for the new process to be sustainable.
- Coach and trainer—One of the team’s main responsibilities is to advise on compliance questions and issues and to train on regulatory requirements. Excellent presentation and communication skills are required for training and presentations to everyone from business lines to senior management, the board, and regulatory agencies.
- Facilitator—Ideally, the compliance team is involved in business strategies including product and service development or changes to key operational processes. Occasionally, compliance risks may require discussion across functional areas and the compliance team may facilitate such discussion to ensure all impacted parties come together and understand the risks and how to adequately address them.
CMS criticism within enforcement or supervisory actions highlights the breadth and depth of business and regulatory knowledge expected of compliance teams. So many skills and disciplines are needed, and it can be difficult to find them all in one person, especially at smaller institutions where it is more difficult to balance the cost of compliance with other business objectives. Larger institutions may have more leeway in building the team, though constraints are also present such as limited budgets and competitive offers from other companies or business units.
When deciding the make-up and structure of the compliance team and whether to build or selectively buy compliance services, consider the following:
- Education and Experience—To date, compliance officers have evolved from various educational and working backgrounds including operations managers, risk managers, internal auditors, examiners, and attorneys, to name a few. While each discipline may approach the compliance program from a different starting point, all must do so in a risk-based fashion. For example, a risk manager may approach risk measurement from a product viewpoint and then apply the regulatory requirement, while an attorney may start with a regulation and look at the products and services to which it applies.
- Training—A good compliance officer who is also an effective trainer is not easy to find. It is often a challenge to deliver the technical content to a group and do it in an interesting way that is also conducive to visual, auditory, read/write, and kinesthetic learners. Consider leveraging training and development professionals within the human resources function to provide compliance training developed with the compliance team’s assistance. This approach not only addresses a skill gap, but it also teaches the compliance team about different learning styles, and it helps educate the training/human resources function on compliance. Keep in mind that the most memorable and successful compliance training is customized to the institution, and delivered in a way that allows a forum for questions and answers.
- Internal audit—Internal audit expertise is costly and difficult for a smaller institution to maintain. For cost/benefit considerations, many community institutions outsource the internal audit function (including compliance audits) to a firm with the requisite expertise. Larger institutions typically have internal audit functions, but they may still choose to co-source certain compliance audits (such as fair lending) that require a higher level of expertise than is resident in-house.
Where Is All the Good Compliance Talent?
Good compliance officers are still very much in demand. Through the last several years, in light of the implementation of the Dodd-Frank Consumer Protection Act, there has been an increase in the number of compliance professionals. Finding the right fit requires analysis of what is most important to the culture and existing state of compliance within an institution.
Recruiting firms have created a niche for compliance specialties and for the right position, engaging such a firm may be well worth it. Compliance talent may also be present within the ranks of the institution. For example, individuals who possess mortgage loan expertise, where most of the lending consumer compliance requirements are involved, would bring a level of operational knowledge to complement the team. Internal auditors looking to be more involved in the operations while utilizing their audit skills would also be good team members.
Required Upkeep
Once the right team is on board, what strategies will make them want to stay? Management and Board support is probably the most important job satisfaction factor to a good compliance officer. Without it, no matter how hard one tries, it will be an uphill battle that in the end will not be worth climbing, especially with the high demand for compliance talent.
Support means compliance has a seat at the management table and is informed and involved with certain management decisions. It means being able to challenge decisions that present potential compliance risk and work through solutions collaboratively. Compliance must also be able to present issues and approach business lines in a constructive and diplomatic fashion. After all, everyone is working for the same institution and has the same goals!
In a constantly changing regulatory landscape, training and education are very important for the compliance team. Training on technical regulatory content is a given. Essentially, the team operates as an internal consulting firm. They must be able to speak comfortably with all levels of bank employees, from tellers to management and even the Board of Directors. As a result, they should receive training that includes interpersonal, communication, presentation, and negotiation skills.
Communication with the regulators and facilitation of examinations also largely rest within the compliance function. A variety of technical and compliance management training options are available through industry association schools, seminars, conferences, and webinars. A program that allows different team members to participate in rotation is a great start. Hiring managers who hold professional certifications such as the ABA’s Certified Regulatory Compliance Manager (CRCM) and Certified AML and Fraud Professional (CAFP) demonstrates the institution’s commitment to compliance.
As with any profession that is in demand, a competitive compensation package and an inclusive working environment are vital to hiring and retaining effective personnel, from compliance analysts to the CCO. Institutions building their teams will want to incorporate opportunities for advancement within the team.
Working Together
For a CMS to be truly effective, the team must be seen and heard throughout the organization as advisors rather than the “compliance police.” Fostering collaborative working relationships with all lines of business and support functions will deepen the culture of compliance. It is up to compliance, with management’s support, to set that tone. Managers must also allow the compliance team, armed with organizational and regulatory knowledge, the opportunity to see, think, and interact on their own. Compliance is not just about the regulations; more importantly, it is about communication that creates an effective feedback process for the institution to operate within the spirit and boundaries of the myriad laws and regulations. The right compliance team will make all the difference in ensuring an effective CMS. It will also help an institution mitigate risks by controlling or eliminating improper or non-compliant practices, resulting in a higher level of trust with its customers, employees, business partners, and regulatory agencies.