Regulators expect to see lines of defense

Community banks often find themselves subject to unexpected regulatory criticism and potential enforcement actions because examiners contend that they lack a sufficiently robust compliance management system.

Such criticism is a shift. In the past, only banks committing significant compliance violations were likely to have their compliance management system come under regulatory fire. Now even banks that did not necessarily have significant violations identified during an examination still can end up with a written comment in the examination report (a Matter Requiring Attention or “MRA”) directing the institution to develop and implement a formal, written “CMS.”

To avoid the complications an MRA can trigger, community banks should take the lead in assessing and developing a sufficient CMS or compliance management program (CMP). In addition to meeting regulators’ expectations and spelling out compliance responsibilities, an effective CMP also can help establish a corporate culture in which compliance is properly viewed as an integral part of the bank’s business activities.

What regulators say they look for

Regulators’ interest in the sufficiency of the overall compliance management system, rather than a narrow interest in specific violations, should come as no surprise. The various regulatory agencies have published guidance that makes it clear they are looking for management to have a thoughtful, current, and effective program in place.

FDIC’s Compliance Examination Manual, for example, devotes an entire chapter to the agency’s expectations regarding compliance management systems, opening with this comment: “Financial institutions operate in a dynamic environment influenced by industry consolidation, convergence of financial services, emerging technology, and market globalization … All these forces combine to create inherent risk. To address this risk, a financial institution must develop and maintain a sound compliance management system that is integrated into the overall risk management strategy of the institution. Ultimately, compliance should be part of the daily routine of management and employees of a financial institution.”

Similarly, the Consumer Financial Protection Bureau devoted the majority of its Summer 2013 Supervisory Highlights to emphasize the major components of CMS it expects to see in the banks and nonbanks it directly supervises. In its article the agency noted, “The CFPB expects every entity it supervises to have an effective CMS adapted to its business strategy and operations.”

Although community banks are not yet subject to direct CFPB supervision, the bureau’s influence is felt at all levels of the industry. In addition, the Federal Reserve and various other regulatory agencies long have expressed similar expectations through both exams and historical guidance .

Complications and challenges

With federal financial regulatory agencies recently outlining their CMS expectations, it is prudent for banks to take a proactive approach to the issue, rather than waiting for a regulator-prescribed solution. Unfortunately, a community bank’s ability to promptly and effectively enhance its CMS often is complicated by a variety of factors that reflect today’s banking environment.

• New regulations. A number of far-reaching rule changes become effective in 2014. Financial institutions will be subject to initial compliance examinations that will evaluate banks’ implementation of various changes prescribed by the Dodd-Frank Act, including qualified mortgage rules and an increased focus on unfair, deceptive, and abusive acts and practices (UDAAP). Many institutions still face significant challenges in the development of the necessary operational processes to fully comply with these new supervisory mandates.

• New products. Technological advances and competitive pressures continue to drive banks to develop a variety of new banking products and services. Efforts to develop new products and delivery channels come with a new set of regulatory requirements and challenges that must be considered.

• Inadequate resources. In response to regulatory changes and new products and services, bank compliance departments often find themselves operating at capacity just to keep up. Identifying new regulations and developing operational practices to comply with these regulations consumes virtually all of the compliance departments’ available resources, leaving little capacity for developing a far-reaching CMP.

• Business environment. Mergers, acquisitions, and system upgrades and conversions all require a significant compliance investment and could include the redesign or restructuring of the CMS to meet the challenges created by the change in the environment.

A proactive approach: The three lines of defense

In the face of these complications, some banking executives are reluctant to voluntarily undertake the challenge of developing a comprehensive compliance management system that would meet growing regulatory expectations. The natural inclination is to wait until regulators direct the institution to do so as a result of the examination.

However, waiting may not be a desirable option anymore. In many instances, if regulators detect a CMS during an examination that does not measure up to their updated standards, they will often direct the institution to make certain enhancements that are likely to be considerably more expansive and complex than if the bank was to do so on its own using its own risk assessment and prioritization criteria.

Ultimately, the more prudent approach is to be proactive, so the institution has a robust CMS in place that is appropriately designed to meet elevated supervisory expectations.

Such a system will clearly define the various roles and responsibilities for effective execution of the compliance program. Traditionally, these responsibilities are allocated using the conventional risk management model’s “three lines of defense”: 

1. The individual lines of business. The board and senior management should establish a strong risk culture and a commitment to compliance in each of the bank’s operational areas. Each line of business should have controls to provide ongoing compliance and a process for escalating and reporting issues that exceed established thresholds.

2. The compliance management function. This department must be adequately staffed and trained and led by a qualified compliance officer with independence from the lines of business. The compliance function provides advice and guidance on compliance issues, in addition to monitoring compliance.

3. Internal audit. Fully independent, with the authority to challenge both the lines of business and compliance management functions, the internal audit group provides regularly recurring review and reports results directly to the board. Audits should be comprehensive and well-documented with sufficient process, sample sizes, and documentation to meet regulatory expectations.

The CMS should establish a satisfactory balance of responsibilities among these three lines of defense, but it is important that the entire compliance management program be subject to internal audit review.

Essential CMS principles

Published guidance from federal regulators spells out their expectations in terms of what an effective CMS comprises. In general terms the program should address board and management oversight, compliance program policies and procedures, and audit scope and frequency. Furthermore, the institution’s internal audit plan should include review of the compliance management program.

While guidance issued by U.S. regulators varies somewhat in terms of specific requirements around a CMS, it is reasonably consistent with the basic principles spelled out by the Basel Committee on Banking Supervision in its 2005 policy paper, “Compliance and the Compliance Function in Banks.”  The ten principles outlined in the Basel paper offer a framework for developing an institution’s overall CMS and are organized into four general areas of concern: 

1. Compliance-related responsibilities of the board of directors

2. Compliance-related responsibilities of senior management

3. Organizing and governing principles of the compliance function, including its independence, the adequacy and qualifications of its resources, its responsibilities for both guidance and monitoring, and its relationship with Internal Audit

4. Other matters, including cross-border or jurisdictional questions and the appropriate use of outsourcing in carrying out compliance-related functions

Change control management: a critical component

The frequency and pace of new banking regulations and the business environment create challenges for any program. In this environment, maintaining adequate change control is critical to compliance.

Adequate change control management requires very specific processes and procedures—along with discipline in the various lines of business—to make sure that compliance and other risk management functions are active participants whenever the bank is contemplating a change that will affect customers in any way. The effort involves not only establishing adequate policies and procedures to implement a change, but also testing the change to see that it was implemented as expected.

The change control process encompasses more than regulatory changes, in which the compliance department naturally takes the lead. It extends to all other types of change in which Compliance might not have an obvious role to play. Examples include new products and services, new delivery channels, new fees or charges, new forms, new rates, new systems, and the significant changes that occur with mergers and acquisitions—in short, anything that changes the way the bank interacts with customers.

Getting started

No two compliance management systems will be the same. Each CMS must reflect the institution’s particular situation, including size, number of branches, organizational structure, business strategy, consumer product lines, and other factors.

An important early step in developing an appropriate system is to perform a thorough risk assessment to identify what the system must accomplish, taking into consideration both regulatory guidance and the institution’s defined risk appetite.

Once the risks have been identified, a CMP plan would be developed. The plan should incorporate the compliance management principles discussed earlier. It should be designed to manage the particular compliance risks identified as part of the bank’s risk assessment. An effectively designed CMS achieves the appropriate balance of responsibilities among the three lines of defense, and then allocates the necessary resources—both internal and outsourced—to implement the program.

For community banks, it is critical to know whether or not your CMS will meet the evolving regulatory expectations. A CMS self-assessment can identify potential program weakness that can be addressed ahead of time. The benefit of this exercise is to avoid potential regulatory criticism and the resultant costs and pressures that come with regulatory action. Such a proactive approach offers the additional benefit of establishing clear lines of responsibility for achieving compliance in all of the bank’s operations.

About the authors

Eric Durham, CRCM, AMLP, is a director with Crowe Horwath LLP in the Grand Rapids, Mich., office. He can be reached at [email protected].

Justin Van Beek, CPA, CIA, CRMA,is with Crowe in the Los Angeles office. He can be reached at [email protected].