Compliance Management Systems A Blueprint for Success

Transcription

1 Compliance Management Systems A Blueprint for Success Date or subtitle May 13, Tim Tedrick, CRCM, CRP Partner ttedrick@wipfli.com 2 Page 1

2 Regulatory FDIC df/ii-3.1.pdf OCC CFPB vision-and-examination-manual-v2.pdf 3 Regulatory FRB ttachment CA_13-19 Riskfocused_Supervision_Program_Document.pdf 4 Page 2

3 Implementing a Compliance Management System Management must first decide how to structure the compliance management system. Committee Officer Team Split responsibility (Loan Compliance Officer and Deposit Compliance Officer) Develop a policy to fit the structure your institution decided on. 5 Five areas of focus Board and Management Oversight (governance) Compliance Program (Policies and Procedures) Training (continuous, based on job impact) Monitoring, Testing, and Auditing (testing for weakness) Complaint Management (listen to customers) 6 Page 3

4 Board and management oversight Set clear expectations/set policy statements Appoint a compliance leader with accountability Concurring Engagement Partner and Partner-in-Charge Partner authority Allocate resources Evaluate audit results Care Partner Percentage of Completion Engagement Manager Partner-in-Charge Manufacturing Practice Partner Interest Rate Swaps Senior Manager IT Controls Director of Business Valuation Services Business Valuation Practice Senior Manger Continuous Improvement 7 Compliance Program Documented! Such a document provides guidance to staff and establishes Board expectations Designed to prevent violations and protect customers Must be up to date Must be available to employees 8 Page 4

5 What should the Compliance Program include? Designation of a Compliance Officer or presence of a functioning Compliance Committee Has knowledge of Laws and impact to the institution Coordinates compliance efforts across the organization Manages compliance monitoring and audit findings, as well as corrections 9 What should the Compliance Program include? Policies and Procedures Policies state management s compliance goals Procedures provide detail for performing transactions They provide consistency Biggest aid to achieve compliance 10 Page 5

6 Training is also a key piece of a compliance program For everyone, including directors Cover regulations AND FI s own Policies and Procedures Have a schedule Use various methods Maintain a training file Assess knowledge retention Refresh as things change 11 Compliance Management System What is the difference between monitoring, testing, and auditing? 12 Page 6

7 Three lines of defense - Monitoring Think of monitoring as quality control testing as the production occurs. This provides more immediate results to management regarding internal production successes or failures. Should be done at regularly scheduled intervals Should be done by department staff 13 Three lines of defense - Monitoring Results should be reported Include disclosures, calculations, transactions, posted notices, marketing literature, anything recently changed 14 Page 7

8 Three lines of defense - Testing Internal Quality Control Making sure the monitoring is effective Should be done at regularly scheduled intervals Can be done by compliance staff Results should be reported Include disclosures, calculations, transactions, posted notices, marketing literature, anything recently changed 15 Three lines of defense - Auditing A formalized testing program based on a set schedule. The schedule is determined by a formalized risk assessment. Tests the effectiveness of the Compliance Program Identifies noncompliance with laws and policy gaps Assesses if Board directives are being followed Complements monitoring & testing activities 16 Page 8

9 Three lines of defense - Auditing Should be independent Results should be reported to Board or Audit Committee Risk-based scope 17 Compliance Risk Assessments The compliance risk assessment should: Cover all areas of the Bank (loans, deposits, operations, trust, nondeposit investment products). Detail areas rated. Contain an analysis of how the ratings were defined. Be presented to the Board and/or Audit Committee for approval. Be revisited at least annually or when major changes occur. 18 Page 9

10 Compliance Risk Assessments For many community institutions, a simple rating system of low, medium, or high risk from the outset is the best way to begin. Define functional areas, products, or regulations to cover. Document your risk assessment. Be able to justify your ratings. 19 Compliance Risk Assessments Prior Exceptions Potential financial reimbursement or civil money penalties Quality of written procedures and policies and implementation Complexity of regulation Regulatory priority and newness of the regulations Centralization of document preparation and standard of software used or reliance on third parties Volume of transactions impacted by regulation Asset size number of bank offices Staff stability and knowledge 20 Page 10

11 Complaint Management Establish a system to receive and manage complaints Determine if there are trends Evaluate for possible violations of law Use information to improve customer service 21 Closing CMS Comments Successful compliance management is ongoing; you don t set up a CMS and think that s it Successful compliance management involves everyone at the institution, not just the compliance officer Successful compliance management should result in a good regulatory examination Successful compliance management isn t hard if you tackle it in components (how many? 5!) 22 Page 11

12 One More Time! Board and Management Oversight (governance) Compliance Program (Policies and Procedures) Training (continuous, based on job impact) Monitoring, Testing, and Auditing (testing for weakness) Complaint Management (listen to customers) 23 Questions? 24 Page 12

13 i.com 25 Page 13

14 Area of Responsibility Develop and coordinate the Financial Institution s efforts to comply with laws and regulations. Develop compliance policies and procedures. Implement compliance policies and procedures. Revise compliance policies and procedures. Maintain current knowledge of applicable laws, regulations and issues. Monitor legislative and regulatory developments for the Financial Institution and report important compliance developments to management and other Financial Institution personnel. Research regulatory issues and respond to compliance questions from Financial Institution personnel, utilizing legal and regulatory reference manuals or contacting consultants, professional associations and organizations as appropriate. Develop training to educate Financial Institution personnel on compliance requirements and procedures in their respective areas of responsibility. Implement training to educate Financial Institution personnel on compliance requirements and procedures in their respective areas of responsibility. Conduct training to educate Financial Institution personnel on compliance requirements and procedures in their respective areas of responsibility. Monitor compliance with laws and regulations throughout the Financial Institution. Develop internal controls as well as provide for external reviews to test compliance. Coordinate responses and corrective actions to these reviews, if necessary. Assess the effectiveness of Financial Institution compliance efforts. Develop procedures to address corrective action and time frames guidelines for corrections. Assist Financial Institution management with the handling of substantive consumer complaints against the Financial Institution, working with legal counsel and regulatory agencies when appropriate. Review forms, notices, brochures and advertisements for compliance with laws and regulations. Participate in meetings to bring the compliance perspective to the development of new products and services and modification of existing ones. Assist in preparing for audits and regulatory examinations, coordinate audit and examination efforts, provide responses to examinations and audits, and provide support in the Financial Institution s regulatory relations. As time permits, coordinate analysis of proposed regulations and develop position papers and comment letters to regulatory bodies. Develop plan(s) to correct any violations reported by regulatory agencies. Record and maintain minutes of compliance related meetings. Compliance Officer Compliance Committee Department Supervisors Page 14

15 Page 15

16 Page 16

17 BOARD & MANAGEMENT OVERSIGHT (Detail) Key Actions to demonstrate commitment to maintaining an effective compliance management system and to set a positive climate for compliance include: 1) Demonstrating clear and unequivocal expectations about compliance; - The Board and senior management should discuss compliance topics during their meetings. They should include compliance matters in their communications to institution personnel and the general public. Institution management and staff should have a clear understanding that compliance is important to the Board and senior management, and that they are expected to incorporate compliance in their daily operations. 2) Adopting clear policy statements; - Policy statements on compliance topics provide a framework for the institution's procedures and provide clear communication to management and employees of the Board's intentions toward compliance. 3) Appointing a compliance officer with authority and accountability; - Board and senior management must grant a compliance officer sufficient authority and independence to cross departmental lines; have access to all areas of the institution's operations; and effect corrective action. 4) Allocating resources to compliance functions commensurate with the level and complexity of the bank's operations -- To be effective at overseeing compliance and maintaining a strong compliance posture, a compliance officer must be provided with ongoing training, as well as sufficient time and adequate resources to do the job. The compliance officer may utilize third-party service providers or consultants to help administer the compliance program or audit functions. However, the compliance officer should perform sufficient due diligence to verify that the provider is qualified, because ultimately the institution is accountable for compliance with consumer protection laws and regulations. 5) Conducting periodic compliance audits; - A compliance audit is an independent review of an institution's compliance with consumer protection laws and regulations and adherence to internal policies and procedures. The audit helps management ensure ongoing compliance and identify compliance risk conditions. It complements the institution's internal monitoring system. The Board of Directors of the institution should determine the scope of an audit, and the frequency with which audits are conducted 6) Providing for recurrent reports by the compliance officer to the Board Page 17