When an examiner requests a meeting during an examination to discuss some trend or pattern that’s been spotted in the bank’s numbers, it’s too late to begin thinking about getting ahead of the curve.
More than likely, the bank is already headed toward remedial work, some internal embarrassment, or even some reputational damage. And those consequences could have been anticipated and prevented had the bank been taking more of a forward-looking attitude in measuring, tracking, and evaluating its activities, and then deciding what the numbers it generated implied about the bank.
As compliance begins to blend more into risk management, banks have to look ahead and figure out not only what monitored behavior adds up to, but how it will look to regulators in the context of newer filters like UDAAP (unfair, deceptive, and abusive acts and practices), and whatever challenges await over the horizon.
“Understanding emerging risks requires a heightened awareness of changing conditions and an assessment of the risk’s impact, its connection to other risks, and implications for a bank’s strategy,” said Carol Yee, senior vice-president and chief compliance officer at People’s United Bank, during ABA’s Regulatory Compliance Conference earlier this year.
The conference session Yee and her fellow speakers gave was titled “Emerging Risk: Defining the Canary in a Coal Mine.”
Fellow speaker Andrew Steinbaugh, senior compliance manager at $16.2 billion-assets First National Bank of Omaha, pointed out that in an era in which the Consumer Financial Protection Bureau (CFPB) describes itself as a “data-driven” organization, it behooves banks to gather data about their operations. “But it’s not just that we have the data,” said Steinbaugh, “but what we do with it that matters.”
Yee said that a key point of the data is pinpointing risk issues. Without solid means of measuring and recording risks taken, the bank has no means of seeing where risk stands and setting its whole-bank risk appetite.
In Yee’s presentation, she stressed the importance of tracking and evaluating trends not only for the use of the compliance and audit functions, but for the direct feedback to executives of business units. That is how the $32.9 billion-assets bank, based in Bridgeport, Conn., attempts to stay ahead of the curve. However, what especially stood out was how the bank looks at not only end results of its policies, processes, and actions, but at interim issues.
Training—key regulator focus
One such issue is training. Traditionally, it has been seen as a staff function—important, but not directly related to bank end-products.
However, Yee said that her bank has found examiners expressing more and more interest in and concern about training. According to Yee, they have homed in on not only whether employees are being trained, but how much detail the training goes into, and whether the training, especially in regulatory matters, merely takes a general approach, or if it delves deeply into how the regulation is handled at People’s United specifically.
Regulators increasingly want to see the bank getting something out of training besides boxes checked off on an annual schedule. So the bank has been closely tracking issues such as failure rates when employees receive post-training testing; “repeat offenders” who don’t attend mandatory training sessions; and employees who do take their training, but who do so chronically late.
Data-driving your bank
While Yee stressed the importance of gathering internal data in her presentation, she explained that identifying and monitoring risks begins with an awareness and understanding of regulatory risks. This comes by informing the entire organization, as appropriate, of existing laws and regulations; proposed new laws and regulations; relevant cases and administrative rulings; and ongoing developments.
As new rules and guidance come out, the bank should be relating them to its business lines and products, according to Yee. In her presentation, she pointed to some of the CFPB’s early UDAAP actions as examples of how government actions can provide some clarity regarding expectations for all institutions.
Communication—and ensuring that communication occurs—is critical to this process. Yee explained that People’s United now maintains a database of existing and pending legal and regulatory issues, and uses the database to ensure that every part of the bank that is responsible for handling a given compliance matter is kept in the loop for that regulation or issue. This helps units be aware of requirements before they become panic projects.
“Sometimes, as compliance officers, we think that it may be easy to implement something—‘It’s just a disclosure after all,’ we may think. But we have to understand what the business unit’s requirements are,” said Yee. Producing the data required as part of a disclosure may take a good many programming changes and other measures, she pointed out.
Use feedback, don’t choke on it
Two primary sources of customer feedback are complaints and social media, said Yee.
Complaints are a valuable source of what’s on customers’ minds. A risk-minded bank, said Yee, will step up its review of certain types of complaints when there appears to be an ongoing, or increasing, problem.
Multiple aspects of complaints must be measured and evaluated. For example the source of complaints, including business lines and geographic locations, needs to be studied to determine if there are widespread problems or localized ones.
The underlying cause for a complaint also may help the bank improve a product, process, or approach. For example, analyzing complaints may indicate that the standard explanations that staffers use in describing the bank’s products and services are not clear.
On the other hand, analysis may indicate that there is a broader issue—possibly products are being offered to customers for whom they aren’t suited. Or, potentially, a fairness issue may be exposed.
The complaint analysis process continues, said Yee, by gathering data about the bank’s responses to complaints. Gathering and evaluating this data may indicate inadequate service to specific customer segments, or otherwise unequal treatment. Management and compliance would want to be the ones discovering such a pattern, rather than examiners or some outside party.
In some cases, Yee added, complaints may simply be a matter of economic developments. Even so, it is still important for management and the compliance staff to understand the reasons why customer objections are coming up.
For example, Yee pointed out that a floating-rate credit product may have the rate increased for the first time. While the customer may not be happy about that, the loan product may be operating exactly as designed and as accepted by the customer.
Social media—the topic of a feature article on page 30—is another means for the savvy bank to see how customers feel about products and their delivery. Yee said it is important for the bank to review and weigh postings on social media by customers as well as by employees.
“This concerns not just things said on our own site,” she explained, “but what’s been posted on blogs, on other accounts, and on other sites about the bank’s products and services.” At People’s United, corporate communications monitors third-party commentary about the institution.
Watching third parties
Vendor management is a major concern for regulators these days, and banks have been devoting more effort to managing many aspects of these outside relationships. Yee’s presentation, for instance, dwelt on arrangements where the bank gives the outside operator substantial control over customer relationships.
She reviewed multiple areas for evaluating third parties’ compliance performance, and said it was important to be clear how complaints involving customers served by these vendors are handled. A significant concern is how well they have been trained in handling customer data in conformance with bank policy and privacy regulations, and measurement of their performance. She suggested that debt collection services should be scrutinized, as they appear to be of growing interest to regulators.
Checker checking the checkers
Another facet of the risk management process is a bank’s audit function, covered by speaker Joanne Granata, managing vice-president, compliance internal audit, Capital One (USA) N.A. At her institution, an internal committee devoted to emerging risks is chaired by audit. At the ground level of operations, she said, “what we are looking for is to be sure that the highest risks are accounted for.”
Granata stressed the importance of interdepartmental communication. “Audit can’t do this in a silo.”
Ultimately, she said, a bank must develop a means of scoring the facets of risks for each business activity, with the highest scores receiving priority.
That process will require the bank’s staff to be flexible at times, she said. A function identified as an emerging risk may have its internal review shifted ahead of the original plan. In addition to having the timing of the review accelerated, the scope of the original audit work plan for that function may be expanded, depending on the types of risks that have been identified.
More articles from ABA's Regulatory Compliance Conference online