Time to Revamp the Compliance Management System

Transcription

1 By William (Wylli) J. Foote, CRCM Time to Revamp the Compliance Management System Compliance professionals have long used guidance by the regulatory agencies as the starting point for building a comprehensive Compliance Management System (CMS). Regulatory agency guidance typically provides information about expected components and aspects for the program. Those become the minimum standards upon which the bank s CMS is based. Although not a wholesale departure from the guidance banks have operated under for many years, some have suggested the Supervision and Examination Manual released a year ago by the Consumer Financial Protection Bureau (CFPB) should be the basis for every bank s CMS going forward. True, the manual was developed and released by the CFPB, which has direct oversight responsibility for banks with assets of $10 billion and up. But the memorandum of understanding entered into by the federal banking regulatory agencies on May 16, 2012 lays the groundwork for effective coordination between the CFPB and the prudential regulators, and it creates potentially more aligned supervision expectations regarding compliance risk management. Although not directed at the supervision of banks under $10 billion, this agreement is already impacting regulators expectations regarding risk management. 8 ABa BANK compliance January-February 2013

2 istock So what does this mean to your bank? What should you do with this information and CFPB guidance at your community bank? You would do well to retool your institution s CMS so that it is consistent with the new guidance. The design of the CMS should have many specific functions. Your bank s program should be enhanced to make sure it addresses these functions. This may also be your chance to improve the compliance culture at your bank or at least get the attention of everyone from the board of directors on down. At the very least, the bank s CMS needs to be re-evaluated in light of the new guidance. The CFPB s Expectations Let s look at each aspect of the CFPB s view of a bank s CMS: Establishes the bank s and each employee s compliance responsibilities If you play board games with friends, you know that before you start a game there s a here are the rules discussion. This is important because there are alternative ways to play and traditional variations to the rules. Everyone needs to understand the rules. The same is true for your CMS: The board is responsible and makes necessary resources available. Management oversees day-to-day implementation and holds all staff responsible in their own areas. The compliance committee (optional, but recommended) establishes systems, processes, disclosures, and the like. The compliance officer/manager/director provides expertise and management of the CMS. Each employee complies with rules within his or her job function. Communicates employee responsibilities Written policies and procedures and supervised day-to-day practices become the standard against which employees operate. Specific job descriptions incorporate compliance-related responsibilities against which performance is evaluated. An understanding of the compliance requirements and use of measurements to gauge performance against such standards when determining salary, bonuses, and disciplinary action can be useful in promoting a compliance culture. Compliance requirements are incorporated into business processes Integrating compliance requirements into each operational process is critical. To make this step fully effective, management needs to make certain that employees are following established process requirements by ensuring comprehensive, written procedures exist to let them know the rules in their area. There are various tools to promote compliance, including checklists, automated systems and system defaults, disclosures, and controls over discretion, among other things. When these tools are firmly embedded into business processes and staff is effectively trained on their uses, employees can consistently hit the compliance mark. Reviews are completed to ensure responsibilities are carried out To reinforce and test the effectiveness of employee activities and day-to-day supervision, it is important to measure performance against compliance standards (or requirements). This performance measurement process includes periodic, documented monitoring reviews completed by a knowledgeable person in each area. It also includes independent reviews completed by competent individuals (including trusted third-party providers). Testing should be riskbased, thorough, carefully documented, and effectively reported. Effective corrective action is taken when results miss the mark When issues are identified that do not conform to compliance requirements, an action plan should identify corrective actions. Fixing the root cause should be the first priority of the action plan for any identified issues including a violation of a rule, an exception to a policy or procedure, or a weakness in a best practice the bank has adopted. Corrective actions implemented should not only address the specific issue but minimize the potential for recurrence. Once all corrective actions are implemented, the final step is to validate that actions taken have been effective. Only then should the issue be considered fully addressed. It is nearly impossible to overemphasize the importance of setting the compliance tone from the top. CMS Components The components of a comprehensive CMS have been clearly delineated by the CFPB. The alignment is slightly different than the long-standing format compliance professionals have been utilizing for decades. Even if your CMS isn t missing functions or components under the new guidance, realigning your CMS freshens the program and renews the commitment. Check to see that your realigned CMS includes the following components. January-February 2013 ABa BANK compliance 9

3 What may have been acceptable in the past may not be sufficient in today s environment. Board and Management Oversight It is nearly impossible to overemphasize the importance of setting the compliance tone from the top. If the top level doesn t clearly demonstrate an individual and collective commitment to compliance, your CMS program starts at a significant disadvantage. The top-level commitment includes effective allocation of resources (staffing, training, and technology). The board and management should insist on regular, formal reports on the status of the CMS. Formal reporting should include setting targets and reporting progress to meet them. Comprehensive Compliance Program Elusive to some, the compliance management policy (which for some institutions may be the unwritten expectations of the board of directors) establishes the blueprint and infrastructure upon which the specific program elements are built. Building the program includes: Implementing comprehensive, written procedures that carry out the direction given in the policy. This includes training staff to follow procedures. Implementing a risk-based compliance training process that includes training that s focused on regulatory requirements, as well as job-specific processes. Of course, all training must be fully documented. Establishing effective, risk-based monitoring of key processes to provide early detection (and correction) of problems. This includes reporting of the monitoring process, as well as followup to resolve identified issues. Specific aspects of the formal program vary based upon the controlling policy. Most CMS programs include the following: Comprehensive, formal, written, annual risk assessment. Whether the risk assessment is based upon specific rules or initiated by business units/functional areas, careful documentation of the process, and conclusions reached is important to the risk assessment. Testing. Driven by risk assessments, monitoring, and independent review, testing should be established with the higher-risk rules/areas being tested more frequently than lower risk rules/areas. Formal change control process. In order to appropriately implement new or revised rules, regulations, and regulatory agency guidance, or to implement new or revised products, services, or delivery channels, a process to manage compliance changes should be established. Vendor management. The use of trusted third parties as part of your bank s compliance solution is often necessary to ensure appropriate independence and adequate expertise. It also may be more financially responsible than other alternatives. Although there are many aspects to vendor management, one that is too often overlooked is the vendor s liability insurance, which should appropriately address both physical and cyber liabilities. Compliance accountability. Often incorporated into job descriptions and performance reviews, holding each person responsible for compliance in their own job duties should be carefully documented in the CMS program. This helps ensure an appropriate compliance culture throughout the organization. Resource use. Driven by the risk assessments (both annual and with each change of control event), compliance resources should be applied based upon risk levels. This includes all aspects, including the way compliance staff spends its time. Consumer Complaints Process Once thought of as an add-on to many banks CMS programs, the importance of the complaints process has been significantly raised, elevating supervisory expectations, public scrutiny, and the use of complaint data by the CFPB. Not only must banks continue to establish processes to respond to written (including ) complaints, verbal complaints should also be addressed. All complaints need to be carefully tracked and analyzed to identify inconsistencies and potential Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) and fair lending implications. Compliance professionals also should track complaints for other purposes indications of poor customer service or weaknesses in staff training, as examples. Independent Review Whether the process is called a review or an audit at your bank, there are key aspects that need to be included at a minimum such as: Sufficient independence. Different levels of independence are deemed acceptable. Some view independence as completely external to the bank, without any previously gained knowledge of the activities that are the subject of the review. Others hold a view that independence is solely a factor of whether or not the reviewer was involved in any aspect of the activity, regardless of whether the participants are internal or external to the bank. The level of independence deemed acceptable by the bank (and the regulatory agency), should be discussed and acknowledged by the board. Sufficient expertise. All compliance professionals know that compliance expertise goes far beyond completing a checklist. Unless the reviewer has appropriate expertise for the activities being reviewed, the results may be unreliable and the conclusions uncertain. Whether the reviewer is internal to the bank or a trusted external provider, their expertise needs to be understood and accepted by the board. Reporting. The results of the independent review should go to the board (or designate). The written report should identify the scope, detail the findings, and be supported by clear, complete work papers. The reviewer should present findings to the board. 10 ABa BANK compliance January-February 2013

4 DON T GO HALFWAY. GO 360. CFPB ComPlianCe, Risk & ComPlaint management. The CFPB has significantly raised the bar for examinations related to UDAAP - consumer complaints, risk management and regulatory compliance. As demand for control and transparency grows, you need proactive visibility into assessments and controls. In the Compliance 360 system, assessments are now fully automated using the compliance assessment checklists and risk assessment templates from the CFPB Supervision and Examination Manual. Consumer complaint management is automated too. Visit to view online demonstrations, learn more and get the 360 VieW. Reach this advertiser through BankComp_ _final.indd 11 C o m p l i a360 n C e GRC SOFTWARE G R C S o l u SUITE tions COMPLIANCE 12/20/12 12:19 PM

5 Six Key Takeaways Review coverage. Reviews should cover applicable and appropriate rules with a risk-based focus. The importance of careful scoping comes into play during the pre-review stages, although care must be taken to make certain the reviewer is not inappropriately influenced during the scoping process. Review structure. Reviews should be structured as appropriate given the bank s size and complexity. The review should consider the uniqueness of the bank, its activities, its products mix, its delivery channels, and other risk factors. Timely reporting. The reviewer should provide timely, accurate reporting to the supervisor/manager of the area covered and the compliance manager to permit verification of the accuracy of findings prior to delivery of the formal report to the board. Corrective action. Following verification of the accuracy of review findings, the root cause of each issue should be identified. An action plan to correct the root cause should be developed and implemented. Following correction of the root cause, the specific issue identified should be resolved. The work isn t finished at this point, however. Once the root cause and issue have been fixed, the corrective action should be validated to ensure that the issue has been fully resolved. Change on the Horizon Clearly there is a lot to consider with the bank s CMS. One thing is clear: What may have been acceptable in the past may not be sufficient in today s environment. Some programs may only need minor tweaks, and some may need to be almost completely rewritten. In either case, compliance professionals always respond to change. And savvy compliance professionals have learned to take advantage of opportunities for change and exceed the minimum standards. So strap on the tool belt. We have some work to do! You would do well to retool your institution s CMS so that it is consistent with the new guidance. This may also be your chance to improve the compliance culture at your bank. When these tools are firmly embedded into business processes and staff is effectively trained on their uses, employees can consistently hit the compliance mark. Fixing the root cause should be the first priority of the action plan for any identified issues. If the top level doesn t clearly demonstrate an individual and collective commitment to compliance, your CMS program starts at a significant disadvantage. The results of the independent review should go to the board. About the Author William (Wylli) J. Foote, CRCM, is director of Virtual Compliance Manager (VCM) Services at Chicago-based TCA. Prior to joining TCA in 2007, Foote was responsible for compliance management at First National Bank of PA, First National of Nebraska, and Illinois-based AMCORE Bank. Foote currently serves as a member of the editorial advisory board of the American Bankers Association s ABA Bank Compliance magazine and is past chair of the ABA s Institute of Certified Bankers. Foote also is past chair of the Institute s CRCM (Certified Regulatory Compliance Manager) advisory board. In addition, he has served on the planning committee of the ABA s National Compliance Conference and on the ABA s Compliance Executive Committee. Foote, who earned a BA degree in economics and management from Trinity International University, is a graduate of both the ABA s National Compliance School and the ABA s National Graduate Compliance School (where he also has been an instructor) and of the Graduate School of Banking at the University of Wisconsin. He can be reached at [email protected]. bigstock 12 ABa BANK compliance January-February 2013