In the first part of this series, “Seeking compliance in wrong place?,” I suggested that bank regulatory compliance has become so complex—and carries such high risk—that it cannot be managed in the same way that it has for the past 40 years.
This week we’ll explore ways to change the model.
Shifting accountability to business units
As a refresher, historically, the compliance function has been the responsibility of the compliance department. Attempts to enforce the regulations against business and operational groups hinged chiefly on the department’s power of persuasion.
In order to be effective in the current environment, the banking world needs to adopt the practices of other industries: Insist that line of business owners take full responsibility for compliance in the same way that they would be responsible for any element of product quality.
Therefore, the job of compliance monitoring should be a quality control practice of the line of business. Compliance departments should operate as a true “second line of defense.” They should be providers of advisory services and second-tier monitoring and testing.
They should not be put in the position of being responsible for practices over which they have little or no control.
I hear this theme of “responsibility without control” theme time and time again from compliance professionals. The complaints grow loudest when a chief compliance officer gets pushed aside or fired due to some compliance enforcement action handed down by a regulatory agency.
Rarely do operations or line of business leaders receive the blame for poor compliance practices.
So, how do you give those who have the ultimate control the final responsibility for compliance?
Keys to managing compliance change
There are five keys that are essential to implementing a stronger first line of defense and transitioning the second line to a true secondary role:
1. Make a cultural shift.
Your bank’s culture must change.
In the past many leaders in the business lines have not regarded highly efforts to improve the institution’s compliance performance. Most have seen compliance requirements as a hindrance to revenue and profit goals.
Such attitudes will have to change in order to make the first line the primary defense against compliance errors. The only way to move the needle in this effort is for the CEO to firmly commit to placing the primary responsibility for compliance quality with the first line of defense—the business unit. The CEO and his team always set the tone that determines the weight and seriousness given to the bank’s compliance effort.
Ultimately, those who work in the lines of business must come to see regulatory excellence as a goal worth achieving
The commitment of executive management should manifest in specific communication to the leadership teams and general communication to the bank as a whole. Communication from the CEO and the executive team should include formal and informal messaging.
Management must also send a message to where employees live: Their wallet.
Cultural change also involves aligning compensation to include compliance performance and a willingness to follow through with action if the culture does not change quickly enough. To have a culture of compliance, the top level of bank leadership has to commit to that goal in reality—not just with lip service.
Once this commitment is made with consistent actions following, the culture will naturally shift.
2. Integration of compliance requirements into business unit organizations.
Compliance quality requirements must be fully integrated into the lines of business policies and procedures.
For example, a policy statement committing the bank to a fair-lending standard would be appropriate. However, there should not be a series of separate compliance policies—regulatory issues should be integrated into other business polices.
Nor should there be stand-alone compliance-related procedures. Regulatory requirements should be integrated into the procedures the lines of business and operational areas use to conduct their business. Only when compliance requirements and duties are seen as an integral part of the business procedures will there be true ownership of the function.
3. Integration of compliance requirements into quality control.
In the same manner, all quality control functions should include regulatory compliance checks, so that regulatory compliance monitoring is done as closely as possible to the time of transactions and operational activities.
In fact, monitoring by the compliance department should be less comprehensive than it is currently. Compliance departments should test the monitoring practices of the business lines and pull small samples of transactions to make sure the quality checks are working—“checking the checkers.”
In this way, the lines of business definitely take the wheel. Compliance becomes a true secondary control function.
4. Compensation and goals must be aligned.
Generally speaking, everyone in a bank should have the same goals, because they all have the same vested interest—i.e., the success of the institution.
Goals should include both profitability and a successful regulatory compliance performance for the organization. When goals are bifurcated—with some people having primarily revenue goals and others having primarily compliance performance or risk management goals, the bank is divided into at least two teams: those who see themselves as striving for profit and those concerned with compliance performance.
Everyone in the lines of business should identify with both.
And, again, key to that is money. Money sends a message.
A line of business executive whose unit has experienced a serious compliance problem should not receive outsized bonuses—even if they have made a lot of money for the bank.
It is obvious that if focus is not placed on making the profitable compliant, there will not be enough money to distribute in healthy bonuses or compensation increases. Both goals—compliance and profit—should be important to everyone.
5. Metrics and reporting should align compliance performance with business results.
One inequity in most institutions is the lack of compliance performance-related metrics that are reported regularly.
Financial performance of business units typically is reported at least monthly and in great detail, by contrast.
Compliance performance metrics—for example, monitoring results—should be included in the regular business line reports so that they are given the prominence they deserve.
Enforcement actions or even voluntary remediation activity should be considered in the same light as negative financial results.
Beginning of a long, tricky road
Moving from the old structure of compliance management to one where the first line of defense bears the primary responsibility will not be easy.
However it is the best way to actually achieve consistently good compliance performance.
And, in the end, that will be much less expensive, and ultimately more profitable, for everyone.