2014 Financial Services Industry Compliance Benchmark Study

Transcription

1 2014 Financial Services Industry Compliance Benchmark Study Presented By: and

2 Executive Summary Beginning in early December 2013, SAI Global Compliance conducted a survey among compliance professionals in the Financial Services industry, over a six week period. Respondents were asked questions relating to budget and priority areas for their compliance departments in Approximately 275 compliance professionals responded to the survey, representing a variety of financial services organizations from across the U.S., ranging in size from organizations with less than $2 billion in assets all the way up to organizations with assets greater than $100 billion. Demographics The majority of survey participants were individuals in compliance roles, primarily Chief Compliance Officers (24%), Vice Presidents/Directors of Compliance (19%), and Compliance Managers (). 5% 7% 5% 4% 11% 4% 3% 3% Survey Participants Title 24% 19% Chief Compliance Officer VP/Director of Compliance Compliance Manager Compliance Analyst Chief Risk Officer Attorney/General Counsel VP/Director of Audit VP of Risk CEO/CFO/COO Internal Auditor Other Survey participants were comprised largely of general banking and lending organizations (41%) with $2 billion or less in assets (37%). The Other organizations included Auto Finance, Consumer Finance and Lending, Non-Bank Lenders and Student Loan Servicers.

3 Survey participants represented organizations largely regulated by the Securities Exchange Commission (53%), the Consumer Financial Protection Bureau (44%), and the Financial Industry Regulatory Authority (). Regulatory Agencies SEC (Securities Exchange Commission) CFPB (Consumer Financial Protection Bureau) FINRA (Financial Industry Regulatory Authority) FRB (Fed Reserve Board) FDIC (Fed Deposit Insurance Commission) OCC (Office of the Comptroller of the Currency) FTC (Fed Trade Commission) NCUA (National Credit Union Administration) OTS (Office of Thrift Supervision) 8% 5% 18% 31% 30% 44% 53% Survey participants represented nearly every state with a slightly higher concentration in the South. 18% 24% 25% 33% Benchmark Findings 2014 Compliance Program Budget Expectations The regulatory landscape for Financial Services has been in a constant state of flux since the Dodd-Frank Act was signed into law. We have seen the creation of a new regulatory agency (The Consumer Financial Protection Bureau), updates to many existing laws, and the creation of new laws and regulations; as well as stricter enforcement and greater oversight. In fact, we have already seen new mortgage rules go into effect on January 10, In spite of all this change, we are seeing a slight reduction in expected budget increases with a smaller percentage of organizations expecting their compliance budget to increase in 2014 over 2013.

4 That said, over half of organizations surveyed indicated they would be increasing their budgets somewhat () or significantly (20%) in Increasing significantly Increasing slightly Staying about the same Decreasing slightly Decreasing significantly Compliance Program Budget 20% 24% 22% 26% 6% 7% 4% 0% 4% 0% % 37% More than 61% of the organizations expecting an increase in their compliance budget are planning to put a portion of that towards additional headcount, with governance, risk and compliance (GRC) software next in line at 49%. Additional Headcount GRC Software / Technology Consulting / Legal Services elearning & Education Allocation of Additional Budget 49% 61% 2014 Compliance Program Priorities and Motives We asked survey participants to rate a list of compliance program areas based on their priority level for each. A ranking of Top Priority would indicate significant dedication of time and compliance resources towards addressing this issue; High Priority would indicate that the issue is among the main areas of focus and will receive adequate resources to address; Medium Priority would indicate that an organization is aware of the issue and has dedicated limited resources to address the issue; and Low Priority would indicate that an organization is aware of the issue but has dedicated very little, if any, resources to address the issue.

5 Ensuring compliance of vendors or business partners Foreign Corrupt Practices Act / Anti-Money Laundering Documenting and investigating consumer complaints Employee compliance training Managing and revising policies and procedures Conducting internal audits Compliance & Ethics training Governance and BOD reporting Management and Containment of Privacy Breaches Building stronger culture of ethics Tracking and reporting conflicts of interest Documenting and investigating incidents Tracking and reporting payments to public officials Tracking and reporting gifts and entertainments Compliance Program Priorities Increased oversight from the CFPB Increased Dodd-Frank legislation Compliance self-assessments/demonstrating compliance 25% 23% 22% 22% 21% 16% 14% 12% 11% 5% 16% 3% 24% 31% 33% 38% 32% 32% 36% 38% 42% 41% 21% 34% 34% 28% 27% A Top Priority High Priority Medium Priority Low Priority N/A 17% 14% 5% 17% 10% 3% 13% 3% 20% 19% 14% 14% 5% 5% 10% 24% 13% 9% 27% 3% 9% 21% 3% 18% 28% 8% 6% 28% 11% 3% 29% 13% 2% 37% 12% 2% 34% 14% 3% 32% 1% 42% 11% 2% 43% 8% 33% 22% The Consumer Financial Protection Bureau (CFPB) has been keeping financial services organizations on their toes as it amends existing regulations and creates new ones. These organizations are working to align their compliance programs with the guidance they have received. As noted in the chart above, increased oversight from the CFPB was a high or top priority for the majority (63%) of survey participants. Respondents also noted increased Dodd- Frank legislation, compliance self-assessments and the ability to demonstrate compliance effectiveness and ensuring vendor and business partner compliance as top compliance program priorities in Through recent enforcement actions and guidance, it has become very clear that regulators expect financial service organizations to have strong and robust compliance programs, as well as the ability to demonstrate compliance effectiveness. We believe this is the driving force behind many organizations conducting compliance self-assessments to help identify potential gaps in compliance. Gaps or areas of risk can then be addressed, helping financial services organizations create stronger compliance programs and, ultimately, helping them to demonstrate the effectiveness of their compliance programs.

6 We also asked survey participants what was driving those priorities in 2014: Primary Drivers of Compliance Priorities Protection of reputation and brand Increasing pressure from other regulators Increasing pressure from the CFPB Increasing focus & audits from the SEC/others related to Dodd-Frank Other regulatory pressures or external auditors Pressure from the CEO or Board of Directors Pressure /expectations from shareholders Reduction in severity of civil enforcement actions 51% 38% 37% 26% 12% 5% 64% 66% Two thirds of respondents (66%) noted protection of reputation and brand was their primary compliance driver for the coming year. This is closely followed by increasing pressure from regulators (64%) and from the CFPB (51%). The same three drivers topped the 2013 list, just in a slightly different order. Additional detail on Compliance Program Effectiveness will be provided in the next section. With increasing pressure from regulators clearly driving compliance priorities for respondents, we also asked survey participants from which regulator they are seeing the greatest increase in regulatory activity. Greatest Increase in Regulatory Activity CFPB (Consumer Financial Protection Bureau) SEC (Securities Exchange Commission) OCC (Office of the Comptroller of the Currency) FINRA (Financial Industry Regulatory Authority) FRB (Fed Reserve Board) FDIC (Fed Deposit Insurance Commission) NCUA (National Credit Union Administration) FTC (Fed Trade Commission) 6% 3% 2% 10% 8% 8% 47% Predictably, almost half of respondents (47%) saw the greatest increase in regulatory activity from the CFPB. Most likely, this is due to the fact that they are a new regulator and are establishing their regulatory domain. Demonstrating Compliance Effectiveness The Consumer Financial Protection Bureau (CFPB) has truly changed how Financial Service organizations need to think about and approach compliance. With their ever growing consumer

7 complaint database, updates to UDAAP (Unfair, Deceptive, or Abusive Acts or Practices) and mortgage rules, guidance regarding responsible conduct, and various new and updated regulations, the CFPB has entered the regulatory environment with a bang. Between the oversight and enforcement under the CFPB and existing regulators, it is vital that Financial Service organizations assess their compliance programs for potential gaps and work to correct any that are uncovered. Creating a strong compliance program that allows an organization to demonstrate their compliance effectiveness is necessary in today s regulatory environment. Effective consumer complaint management is also vital to any organization offering a consumer financial product or service, as these products/services fall under the CFPB s UDAAP purview. UDAAP enforcement has been an area of focus for the CFPB and they have used their consumer complaint database to mine for potential violations. In the 2014 survey we asked respondents who in their organization would lead the process to determine compliance and ethics program effectiveness. The majority (64%) of survey participants indicated that the Chief Compliance and/or Ethics Officer in their organization are responsible for demonstrating compliance program effectiveness. The remaining respondents were equally split between General Counsel (12%), Internal Audit (12%), and Other (12%) which was primarily Chief Risk Officer or CEO. Responsible for Demonstrating Compliance Effectiveness 12% Chief Compliance or Chief Ethics Officer 12% General Counsel 12% 64% Other Individual responsible for compliance and ethics program Internal Audit We asked survey participants a series of questions relating to the methods used to document and demonstrate compliance program effectiveness, their overall confidence in those methods, and for which elements of their compliance program they can currently demonstrate effectiveness. We have seen a shift in the results compared to past years, with 82% of 2014

8 respondents indicating they use Internal Audits and/or Self-Assessment Results compared to 74% in Method used to Demonstrate Compliance Program Effectiveness Internal audit and/or assessment results 82% 74% External audit results 50% 58% Ad hoc or qualitative measures 41% 38% Quantitative measures 37% 45% Manual scorecard 36% Attestation survey results 14% 29% Automated scorecard or software system 17% Frequency or quantity of fines and sanctions We saw a small drop in the use of External audit results this year (50%) versus 2013 (58%). The use of Ad hoc or qualitative measures rose from 38% in 2013 to 41% in While only 17% indicated they are using an Automated scorecard or software system in 2014, up slightly from in Additionally, we asked the 2014 survey participants to indicate the process they use for conducting compliance self-assessments. Thirteen percent indicated they were using a packaged software system to conduct compliance self-assessments compared to 10% in 2013, 8% indicated they were using internally developed tools compared to 16% in 2013, 26% are using adhoc processes compared to 20% in 2013, and 53% are using a manual, but well-defined process for conducting compliance self-assessments which is unchanged from We also asked survey participants to indicate their level of confidence in the methods they are using to document and demonstrate compliance program effectiveness. Confidence in Methods used to Document and Demonstrate Compliance Program Effectiveness Already proven in successful external audits and reviews Already proven in successful internal audits Highly confident although not yet proven Moderately confident Not very confident 5% 6% 7% 1% % 23% 20% 27% 43% 46%

9 The majority of survey participants indicated that their method is already proven successful in external (43%) or internal (21%) audits, compared to 46% proven successful in external audits and 27% in internal audits in Only 5% of survey participants indicated they were highly confident in their method, virtually unchanged from Twenty-two percent of 2014 respondents were moderately confident compared with 20% in It is of note that more than 80% of survey participants who indicated they were using an automated scorecard or software to document and demonstrate compliance program effectiveness had already had this method prove successful in an audit. This compares to 34% of survey participants who indicated they were using a combination of manual and other processes. Along these lines, we asked survey participants to identify the elements of their corporate compliance program for which they can currently demonstrate effectiveness. For which elements of your corporate compliance program can you demonstrate effectiveness today? Policies, procedures and controls Education of employees on compliance and ethics programs Compliance oversight Code of conduct Monitoring and auditing compliance and ethics programs Appropriate response and corrective action plans Ethics oversight Consistent enforcement and discipline of violations Due diligence to avoid delegation of authority to unethical individuals 45% 42% 54% 64% 62% 76% 75% 81% 78% The majority of compliance professionals indicated a high degree of confidence in their overall ability to demonstrate compliance program effectiveness, as well as in their compliance and ethics education program. Respondents also noted that, on average, 66% of organizations are providing compliance training annually by risk area. While there is high confidence in some areas, the chart above suggests that there are certain areas which still present a challenge. Less than half of respondents indicated that they are able to demonstrate compliance program effectiveness in the areas of Consistent Enforcement and Discipline of Violations and Due Diligence to Avoid Delegation of Authority to Unethical Individuals.

10 Finally, as it is an area of increasing concern among providers of consumer financial products, we asked survey participants to tell us if they have had to demonstrate their UDAAP program effectiveness. Have you had to demonstrate your UDAAP program effectiveness? No, not at this time NA / don t know Yes, to internal auditors Yes, to a regulator Yes, to our Board of Directors Yes, to external auditors 13% 13% 17% 24% 22% 46% With stricter enforcement of UDAAP via the CFPB, this is a growing area of focus for many financial service organizations. Conclusion SAI Global Compliance would like to thank all of the compliance professionals from financial services organizations who provided their valuable input to this benchmark study. We recommend that financial services organizations consider using software applications specifically designed for Risk Management, Regulatory Compliance, and Audit Management to automate and streamline their governance, risk, and compliance efforts. By leveraging proven applications as many are already doing, financial services organizations will have the visibility necessary to identify gaps, remediate issues and ultimately demonstrate the effectiveness of their compliance programs. For more information, please visit