Fortifying the Three Lines of Defense to Combat Compliance Risk
Today's Presenters
- Thomas Grundy, CRCM, Senior Regulatory Consultant, Wolters Kluwer: 30 years regulatory/compliance experience (OCC and Federal Reserve Board; compliance professional and consulting background)
- Amy Downey, JD, U.S. Banking & Regulatory Compliance Expert, Wolters Kluwer: 20 years financial services experience (Consulting Practice director; bank operations VP, general counsel, compliance officer)

Topics
- Risk management expectations
- Fortifying your Compliance Management System (CMS)
- Three Lines of Defense
- Technology Platform for Success

OCC Heightens Expectations for Risk Management
The OCC proposed Guidelines expect large national banks and federal savings associations to establish and implement a risk governance framework ("framework") to manage and control risk taking by supervised institutions. The OCC's rule includes provisions for:
- Written risk governance framework
- Board oversight of the framework
- Credible challenge
- Roles and responsibilities
- Establish and communicate risk appetite
- Oversight and accountability for adherence to the framework
- Board composition

Heightened Expectations for Risk Management
Emergence of CFPB: Mortgages; Fair Lending; UDAAP; Debt Collection; Deposit Advance Products; Student Lending; Checking Account Access
Regulatory Focus: Compliance Management Systems; Change management; Vendor management; Cybersecurity; Heightened Expectations
Why should Heightened Expectations matter to you?
- Even if you are not a large bank
- Even if you are not regulated by the OCC
- The industry is moving in the direction of exceeding regulatory expectations through effective deployment of the Three Lines of Defense

Strategic Vision Across the Three Lines
- Vision: What do we have to achieve? (Strategic Objectives)
- Strategy: What level of risk are we prepared to accept to achieve our strategy? (Risk Appetite)
- Tolerance Levels: Within the day-to-day operations; measured and monitored (Operational Risk, Compliance Risk (our focus), Market Risk, Credit Risks)

Risk Appetite: Defining the Limits
[Chart: Actual Risk plotted against the Risk Appetite / Target for 2014 through 2017, with Lower Limit, Upper Limit and Risk Target lines]
- Risks change continuously; defining risk appetite cannot be a one-off exercise
- Risk appetite, tolerance, targets and limits are not static and must be updated to reflect the environment (economy, markets, regulations, technology, etc.), business strategy and performance
Three Lines of Defense / CMS
Fortifying Your CMS
Three Lines of Defense: Fortifying Your CMS
- Compliance Management
- Strategic Alignment and Communication
- Compliance Risk Assessment
- Identification and Remediation of Violations
- Complaint Management

Compliance Management
- Set risk appetite
- Set compliance culture
- Appoint qualified CCO
- Allocate resources
- Adopt policies
- Receive reports and ensure issues are being properly addressed
- Establish policies and procedures
- Training
- Identification and assessment of risks
- Monitoring and corrective action
- Capture, analyze, and report on trends and resolution progress
- Timely resolution
- Escalation process
- Adjustment to business practices
- Independent review
- Approved scope, schedule and coverage
- Meaningful reporting and follow-up

Strategic Alignment and Communications
- Board communicates strategic priorities
- Policies / procedures / practices align with risk appetite
- Evaluation of performance / accountability

Compliance Risk Assessment: Risks and Controls

Issue Identification & Remediation
- Issue identification
- Remediation effectiveness
- Issue tracking / resolution
- Coordination of remediation efforts
- Ownership
Complaint Management
Three Lines of Defense
Three Lines of Defense
[Diagram of the IIA Three Lines of Defense model: Governing Body / Board / Audit Committee and Senior Management at the top; 1st Line of Defense: Management Controls, Internal Control Measures; 2nd Line of Defense: Financial Control, Security, Risk Management, Quality, Inspection, Compliance; 3rd Line of Defense: Internal Audit; alongside External Audit and Regulator]
Source: The Institute of Internal Auditors, IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control, January 2013, page 2.
1st Line of Defense Business Units
1LD Business Units
Front-Line Business Units:
- Engage in activities designed to generate revenue or reduce expenses;
- Provide operational support or servicing to any organizational unit or function in the bank; or
- Provide technology services to any organizational unit or function.
Front-Line Business Units create risks for the bank.
Front-Line Business Units [should] own the risks associated with their activities.

1LD Business Units
Business Units ("BU") are accountable for meeting established targets within defined limits in alignment with corporate strategy. With respect to Compliance Risk:
- Develop BU compliance standards, policies, and procedures
- Monitor compliance with applicable regulations and risk limits for the BU, consistent with standards set by the Compliance Department
- Conduct/support the compliance risk assessment
- Identify and incorporate regulatory change into policies, procedures and controls (and control testing)
- Establish BU standards for responding to complaints
- Monitor compliance with applicable regulations and risk limits
- Establish standards for tracking, analyzing, and responding to complaints
- Report BU compliance metrics to Compliance periodically

1LD Business Units
An effective First Line of Defense requires:
- Operational clarity/understanding
- Risk identification and assessment documented at the process level
- Clearly identified and documented controls / control ownership associated with each risk factor

1LD Business Units
- Process and control mapping
- Internal control effectiveness monitoring/testing
- Identify, track, and communicate control deficiencies
- Establish protocols to drive timely remediation
- Periodic reporting of compliance metrics and risk updates
- Work closely with Vendor Management to oversee compliance among vendors providing support to the business
2nd Line of Defense: Independent Monitoring/Oversight

2LD Independent Monitoring / Oversight
- The Compliance Department identifies, measures, and monitors aggregate compliance risks independent of the business
- The Chief Compliance Officer is responsible for communicating material risks and significant issues
- Validation of monitoring activities conducted at the first line of defense is vital to maintaining awareness of performance

2LD Independent Monitoring / Oversight
- Independent oversight of compliance management across the organization from an enterprise perspective
- Design a comprehensive compliance management system for the institution that is consistent with the board's risk appetite
- Ensure BU compliance standards meet CD, board, and regulatory standards
- Ensure BU controls are properly designed and operating as intended to promote compliance
- Independently monitor/validate and assess compliance
- Conduct independent compliance risk assessments
- Establish protocols to identify non-compliance and inform BU, senior management, and board of violations
- Compile institution-wide compliance metrics / report to CEO and board on a regular basis
- Ensure that the business responds to complaints appropriately

3rd Line of Defense: Audit

3LD Audit
- Design/implement an audit plan that is reviewed by the Board's audit committee
- Inventory all material processes, products, services, functions
- Identify risks
- Consider prior audit results
- Changes in management, regulatory environment and/or products
- Monitor for emerging risks / update plan accordingly
- Business/functional unit audit coverage
- Validate monitoring/testing accuracy
- Test items not included in routine testing
- Validate adherence to change management protocols

Regulatory Change Example: Mortgage Servicing
First Line (QC/QA/UAT; lines of business; functional units):
- Routine Servicing: Payment processing; Escrow; Inquiries / QRM / Error resolution / Complaints; Risk assessment
- Default Servicing: Collections; Bankruptcy; Loss mitigation, FP insurance; Early intervention, SPOC; Loss mitigation procedures; Risk assessment
- Foreclosures: RESPA / Dual tracking; Foreclosures; Vendor due diligence; Risk assessment
Second Line (Monitor/Test): ERM; Compliance; Legal; VMO; HR
Third Line (Audit): Independently test/assess first and second lines
Requirements by servicing area:
- Routine Servicing: ECOA, FHA, TILA, RESPA, EFTA, FCRA, HPA, GLBA, SCRA, UDAAP, Complaints
- Default Servicing: ECOA, FHA, HAMP, FDCPA, UDAAP
- Foreclosures: Third-party law firms; State requirements; Local requirements

3LD Audit
- Internal Audit provides independent, objective identification of risks
- Regular, direct Board reporting: Audit plan status; Risk issues identified by audits and special projects; Status of open issues (past-due and at risk of becoming past-due); Emerging issue/concern identification
- Direct access to the board by the Chief Audit Executive, without a senior management filter
Technology Platform for Success
Compliance Management System
- Board and Senior Management Oversight: Set risk appetite; Set compliance culture; Risk reports
- Monitoring: Risk assessments; Regulatory change mgt.; KRIs; Control monitoring at LOB; Issues; Incidents; Survey; Compliance monitoring; Auditing; Reports on strength
- Program: Policies and Procedures; Influence initial monitoring and processes; Updated based on feedback loop; Document attestation
- Complaint Management: Capture; Analysis; Issues/Actions; KRI

Unstructured Content
- What rules are affected?
- What regulator is this from?
- What part of my business is impacted?
- Status?
- Do I need to review and retest my controls?
- What are the relevant dates?
- I need to write a summary.
- Are there classifications?
- Do I need to reassess my risks?
- I need to store this somewhere.

Three Lines of Defense - HMDA
First:
- Identify / implement system updates
- Identify / implement form updates
- Update procedures
- Procedural training
- Enhance controls
- Collect and QC data
Second:
- Distribute understanding of the requirements
- Update policy(ies)
- Compliance training
- Test and enhance controls
- Review accuracy of collected data
- Conduct analysis (HMDA, CRA, FL)
- Update data management / submission system
Third:
- Review change management process
- Review internal and third party system updates
- Ongoing testing of process

Technology Considerations
- Risk Reports: Aggregation of old data with new data; Increased fair lending scrutiny
- Risk assessments: Newly impacted lines of business; New third party risk; New controls
- Monitoring: Data quality; Analysis
- Program: Policy and Procedure updates; Training

Resources
Technology Solutions:
- OneSumX GRC for Compliance Management
- OneSumX GRC for Policy and Procedures
- CRA Wiz for data management
- Fair Lending Wiz for analysis
Consulting Services:
- Three lines diagnostic assessment
- Compliance Management System ("CMS") Review
- Regulatory Exam Preparation and Remediation
- Data integrity Review
- Policy and procedure reviews
- Regulatory training
For additional information visit www.wolterskluwerfs.com or call 800-552-9410