BOARD OF DIRECTORS RESPONSIBILITIES FOR COMPLIANCE MANAGEMENT SYSTEMS



Similar documents
II. Compliance Examinations - Compliance Management System. Compliance Management System. Introduction. Board of Directors and Management Oversight

COMPLIANCE MANAGEMENT SYSTEM

COMPLIANCE MANAGEMENT SYSTEM

Compliance Management Systems (CMS) Division of Depositor and Consumer Protection

Compliance Management Systems A Blueprint for Success

Time to Revamp the Compliance Management System

GUIDANCE FOR MANAGING THIRD-PARTY RISK

Any business relationship between a bank and another entity, by contract or otherwise

FEDERAL DEPOSIT INSURANCE CORPORATION WASHINGTON, D.C.

Vendor Risk Management in the New Regulatory Environment. kpmg.com

Federal Home Loan Bank Membership Version 1.0 March 2013

Validating Third Party Software Erica M. Torres, CRCM

Third Party Relationships

Are You Ready for the New Foreclosure Processing Regulations?

GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES

OCC 98-3 OCC BULLETIN

How To Manage Risk At Atb Financial

Board of Directors and Management Oversight

6/8/2016 OVERVIEW. Page 1 of 9

FEDERAL DEPOSIT INSURANCE CORPORATION WASHINGTON, D.C.

New Regulations and Mortgage Document Management: What it Means for Mortgage Servicers

Off-the-Shelf Software: A Broader Picture By Bryan Chojnowski, Reglera Director of Quality

Community Bank Risk-Focused Consumer Compliance Supervision Program

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

RISK MANAGEMENT AND COMPLIANCE

FINAL May Guideline on Security Systems for Safeguarding Customer Information

VII 4.1. VII. Unfair and Deceptive Practices Third Party Risk. Third Party Risk. Introduction. Background

Board of Directors and Senior Management 2. Audit Management 4. Internal IT Audit Staff 5. Operating Management 5. External Auditors 5.

Bank Secrecy Act Anti-Money Laundering Examination Manual

Anti-Money Laundering Policy Manual Table of Contents [Sample Client] Table of Contents

FEDERAL DEPOSIT INSURANCE CORPORATION WASHINGTON, D.C. CALIFORNIA DEPARTMENT OF FINANCIAL INSTITUTIONS SAN FRANCISCO, CALIFORNIA

DOJ Guidance on Use of the False Claims Act in Health Care Matters

John Keel, CPA State Auditor. An Audit Report on The Dam Safety Program at the Commission on Environmental Quality. May 2008 Report No.

LRES Corporation. Best Business Practices for an Appraisal Management Company

Vendor Management Compliance Top 10 Things Regulators Expect

The FDIC s Response to Bank Secrecy Act and Anti-Money Laundering Concerns Identified at FDIC-Supervised Institutions

OPERATIONAL RISK RISK ASSESSMENT

Susan Costonis, C.R.C.M. Compliance Training & Consulting for Financial Institutions

FEDERAL DEPOSIT INSURANCE CORPORATION WASHINGTON, D.C. ) CONSENT ORDER. ) FDIC b

June 2008 Report No An Audit Report on The Department of Information Resources and the Consolidation of the State s Data Centers

Risk Management of Outsourced Technology Services. November 28, 2000

Regulatory Compliance - What You Need to Know. John Zasada Principal CliftonLarsonAllen John.zasada@claconnect.com

Presented By Greg Baldwin

Sound Practices for the Management of Operational Risk

Financial and Cash Management Task Force. Strategic Business Plan

Supervisory Highlights

Significant Revisions to OMB Circular A-127. Section Revision to A-127 Purpose of Revision Section 1. Purpose

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management

Supporting Effective Compliance Programs

Dodd Frank Act Consumer Financial Protection Bureau Mortgage Lending

M-Aud. Comptroller of the Currency Administrator of National Banks. Internal and External Audits. Comptroller s Handbook. April 2003.

BANK EXAMINERS MANUAL FOR AML/CFT RBS EXAMINATION

June 2008 Report No An Audit Report on The Texas Education Agency s Oversight of Alternative Teacher Certification Programs

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

VIRGINIA ASSOCIATION OF COMMUNITY BANKS

Subject: Safety and Soundness Standards for Information

Managing Outsourcing Arrangements

QUALITY MANAGEMENT SYSTEM REQUIREMENTS General Requirements. Documentation Requirements. General. Quality Manual. Control of Documents

OECD GUIDELINES FOR PENSION FUND GOVERNANCE

National Association of Community Health Centers ISSUE BRIEF

FEDERAL DEPOSIT INSURANCE CORPORATION WASHINGTON, D.C. ) ) ) ) ) ) ) )

PART I - PRELIMINARY...1 Objective...1 Applicability...2 Legal and Regulatory Provision...2

FIRST CITIZENS BANCSHARES, INC. FIRST-CITIZENS BANK & TRUST COMPANY CHARTER OF THE JOINT AUDIT COMMITTEE

Federal Bureau of Investigation s Integrity and Compliance Program

Compliance and Operational Services for Online Lenders

Managing General Agents (MGAs) Guideline

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

VII 5.1. VII. Abusive Practices Third Party Procedures. Third Party Risk. Introduction. Background

NOT ALL COMMUNITY SERVICES BLOCK GRANT RECOVERY ACT COSTS CLAIMED

Navigating Vendor Management Issues in Today s Regulatory Environment

GENERAL MILLS, INC. AUDIT COMMITTEE CHARTER

Work Plan ongoing and planned audit and evaluation projects. Current as of June 5, 2015

Establishing An Effective Corporate Compliance Program Joan Feldman, Esq. Vincenzo Carannante, Esq. William Roberts, Esq.

EURIBOR - CODE OF OBLIGATIONS OF PANEL BANKS

Sample Financial institution Risk Management Policy 2011

Statement of Guidance

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES

Corporate Compliance and Ethics Program Effective as adopted on February 21, 2012

Table of Contents Chapter 1 Introduction Goals & Objectives Required Review Applicability...

Growing Vendor Management

Vendor Management Compliance Top 10 Things Regulators Expect

The ADT Corporation. Audit Committee Charter. December 2014

Vendor Management Best Practices

Transcription:

BOARD OF DIRECTORS RESPONSIBILITIES FOR COMPLIANCE MANAGEMENT SYSTEMS Shannon Phillips Jr. Independent Bankers Association of Texas 1700 Rio Grande Street Austin, Texas 78701 sphillips@ibat.org 512.275.2221 Dallas Area Compliance Association Crowne Plaza Dallas 14315 Midway Road Addison, Texas May 21, 2014 1

Compliance Management System The ultimate responsibility for compliance with all statutes and regulations resides with the board of directors (board). A compliance management system (CMS) is how an institution: learns about its compliance responsibilities; ensures that employees understand these responsibilities; ensures that requirements are incorporated into business processes; reviews operations to ensure responsibilities are carried out and legal requirements are met; and takes corrective action and updates tools, systems, and materials as necessary. The regulators generally agree that an effective CMS is commonly comprised of seven interdependent elements: Board and senior management oversight Compliance program structure Policies and procedures Compliance audit/reviews Internal controls Training Response to consumer complaints (CFPB addition) When these are properly developed and work together, an institution will successfully manage its compliance function. When they are not strong or don t work together, an institution will likely fail to comply with federal consumer protection laws and regulations, which may result in civil monetary penalties, litigation, and formal enforcement actions. It can even result in criminal actions. (e.g., OFAC, BSA, Reg. E, Legal Lending Limit, Reg. Y (Bank Holding Company Act)). Board and management oversight The board and senior management are responsible for: Developing and administering a CMS Periodically reviewing the effectiveness of the CMS 2

The board and management must be committed to maintaining an effective CMS and encouraging compliance. Some of things the board can do to demonstrate its commitment and encouragements are: communicating clear and unequivocal expectations about compliance; adopting clear policy statements; appointing a compliance officer with authority, independence, and accountability; allocating resources to compliance functions commensurate with the level and complexity of the institution's operations; conducting periodic compliance audits; providing for recurrent reports by the compliance officer to the board; and timely taking corrective action to address weaknesses The board and senior management set the tone. If it isn t important to the board and senior management or if they don t communicate clear and unequivocal expectations to the bank s personnel and third party providers, it is unlikely that the daily functions of the bank s employees and third party providers will reflect the necessary degree of importance. Consumer Compliance Program Structure The first action the board and senior management must take in creating a CMS, is to appoint a qualified compliance officer with the authority, independence, and accountability to do the job. In addition to or instead of appointing a compliance officer, a bank might appoint a compliance committee made up of staff from each department and at least one member of the board or senior management. A compliance committee can be a good fit for some of the smallest community banks whose size makes it impractical to have a single person responsible for compliance. Having a compliance committee can assist in communicating to staff that compliance is everyone s job. The very smallest banks might even share a compliance officer. Regardless of which approach a bank takes, responsibilities and accountability must be clearly defined. (Another suggestion to communicate the fact that the person holding the position of compliance officer isn t solely responsible for compliance at the bank is changing the title of the compliance officer to something like compliance manager. ) The size and complexity of a bank is an important element in determining the appropriate and adequate structure of the consumer compliance program. The board and senior management must give the compliance officer or compliance committee the authority and independence to: cross departmental lines; have access to all areas of the institution s operations; and effect corrective action. 3

The compliance officer must have knowledge and understanding of all consumer protection laws and regulations that apply to the bank. The compliance officer needs to have knowledge of the operations of the bank and needs to cross departmental lines to communicate with every department. Those departments must keep the compliance officer informed of any changes to products, services, business practices, personnel, etc. that might require risk management. Typically, the CMS will be formal and in writing to act as an essential source document to serve as a training and reference tool for all employees. The formality of the program will be determined by many factors, including: institution s size, number of branches, and organizational structure; business strategy of the institution (e.g., community bank versus regional; retail versus wholesale bank); types of products; location of the institution its main office and branches; and other influences, such as whether the institution is involved in interstate or international banking. A small bank may not have a written program, but it must have an effective monitoring system to assure overall compliance. Regardless of the size of the bank, a written program can be a lifesaver when the bank experiences staff turnover or expansion. Policies and procedures No bank can operate an effective CMS without policies and procedures in place. Policies contain goals and objectives of the bank, and the corresponding procedures set out how the bank will meet those goals and objectives. It is difficult to imagine a policy that wouldn t include a compliance component and many compliance laws and regulations require policies and procedures. By assuring that policies are comprehensive and fully implemented, the board and senior management simultaneously communicate their expectations and commitment to compliance. Generally speaking, the more complex the transaction, the more complex the procedures must be. Procedures provide personnel with guidance to enable them to complete transactions in accordance with law and regulations. Procedures may include regulatory cites, definitions, forms, and instructions. Having written policies and procedures is not as important as having effective policies and procedures. It would be better to have unwritten policies and procedures that were effective than to have ineffective written policies and procedures. Writing down the goals and objectives of the bank and how the bank will meet those goals and objectives does little good if they are 4

not consistently communicated and performed. Make sure that staff is using them daily. Do not write them down and forget them. In small banks, many established goals, objectives and procedures are not reduced to writing, but are instead effectively communicated and performed on a regular basis. Although this may work in some instances, the board and senior management must be aware that written policies and procedures are often required, are more likely to be followed, and are useful when a bank expands or suffers staff or management turnover. Compliance audit/reviews A compliance audit helps management and staff identify compliance risks and ensure ongoing compliance with laws and regulations. The audit can be done either in-house or by a third party. If the audit is performed in-house, it must be done by personnel who are independent of the area and transactions being audited. Small banks may opt for third party audits because they find it difficult to find employees who are both qualified to perform the audit and are truly independent. Audits cannot replace a bank s internal and continuing monitoring system. The board must determine the scope and frequency of audits. In determining the scope and frequency, the board should consider factors such as: expertise and experience of various institution personnel; organization and staffing of the compliance function; volume of transactions; complexity of products offered; number and type of consumer complaints received; number and type of branches; acquisition or opening of additional branch(es); size of the institution; organizational structure of the institution; outsourcing of functions to third party service providers; degree to which policies and procedures are defined and detailed in writing; and magnitude/frequency of changes to any of the above. If a bank chooses to use a third party auditor, it should perform the same due diligence in the selection as it would any other third party vendor. The auditor needs have current and expert knowledge and understanding federal and state laws and regulations. The board should obtain and check the auditor s references. When the auditor concludes the audit, a written audit report should be delivered to the board (or a committee of the board) and the compliance officer that includes: 5

scope of the audit (including departments, branches, and product types reviewed); deficiencies or modifications identified; number of transactions sampled by category of product type; and descriptions of, or suggestions for, corrective actions and time frames for correction. The board and senior management shouldn t delay in its response to the audit report. Management must set up procedure to follow up and verify that corrective actions were taken, effective, and lasting. Internal controls Internal controls must be an integral part of the daily operations to assist in mitigating compliance risk. An effective internal control system promotes and validates adherence to policies and procedures, establishes management and staff accountability, and ensures prompt correction of problems. All levels of bank management are responsible for maintaining internal controls. Internal controls may include: Independent reviews of specific functions or tasks Segregation of duties to create a system of checks and balances Controls over default settings associated with highly automated calculation tools Verification of data before a transaction is completed Appropriate approvals and authorizations Periodic transaction testing and reviews of forms and procedures Training To maintain an effective CMS, the board, management, and staff must receive regular training. Line management and staff must receive training in the laws and regulations and the bank s policies and procedures that affect their specific jobs. The compliance officer is responsible for compliance training and creating a training schedule for directors, management, staff, and third party service providers. The compliance officer will likely create and conduct some of the training in-house. It is unlikely that the compliance officer can create and conduct all of the necessary training. It is imperative that the compliance officer receive training. External training is available from a number of sources, including IBAT. The board and senior management must be seen as encouraging and supporting training. If instead of the compliance officer, the board and senior management communicate training requirements to line management and staff, there will be less push back and resistance to training offered by the compliance officer. 6

Compliance training programs must be updated frequently to keep up with changes to laws and regulations, policies and procedures, and business operations of the bank. In house training must contain a periodic assessment component that tests training participants knowledge and understanding after they are trained. Response to consumer complaints This is a section that was added by the Consumer Financial Protection Bureau (CFPB) 1 and must be considered important by all banks, whether or not they are regulated by the CFPB. Responding to consumer complaints is not new, but it is a new element on the regulators list of interdependent elements of a CMS. The CFPB is a complaint driven agency and the handling of consumer complaint will be considered very important. A bank s board and senior management must ensure that their bank is prepared to handle consumer complaints in a timely manner. Policies and procedures for taking and addressing complaints must be established. The procedures must identify the individuals (or positions) and departments responsible for handling different complaints. All bank personnel must know the policies and procedures in order to expeditiously refer complaints to the correct persons. Persons filing a complaint should be given the name of a single bank staff member who is responsible for their complaint and every time they communicate with the bank, they should communicate with the same person. To ensure timely and sufficient resolution, the compliance officer must receive copies of all complaints and is responsible for managing the complaint process. The board and senior management must communicate its support and encouragement of the compliant process and of the compliance officer s management of the complaint process. Once a complaint is resolved, the job isn t finished. The compliance officer and at least one staff member of the department involved should determine actions to take to avoid further similar complaints. (e.g., improve the bank s business practice; re-train personnel). 1 Although the FDIC doesn t have this as a separate interdependent element of a CMS, it is listed as a subsection of one of the interdependent elements: Compliance program structure. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information