ABA Bank Compliance Officers Survey Part 2
Compliance accountability, and how well it’s spelled out and enforced
- |
- Written by Steve Cocheo
Editor’s Note: ABA recently released the results of the 2011 ABA Bank Compliance Officers Survey, conducted by the ABA Center for Regulatory Compliance. This is the second in a series looking at report findings, with commentary from industry experts. Over 900 compliance officers from a full range of bank sizes responded to ABA’s survey. An ABA member link to the survey report is provided at the end of this article.
Most, but not all banks, spread accountability for compliance performance far beyond the banks’ compliance units nowadays. It’s not exactly a case of “the more the merrier,” but a recognition that in many institutions the challenge is bigger than the units’ ability to handle it, especially when critical errors may be made on the front lines of the bank.
But among all but the largest institutions, there is also a tendency to not be specific in setting standards for compliance performance. And there are some apparent gaps in accountability.
These are overall conclusions to draw from the latest edition of the ABA Bank Compliance Officers Survey. We discussed the survey’s findings in this area with compliance experts, including former federal regulators. Results of the survey sometimes confirmed the experts’ views of what’s going on in the industry, and on occasion surprised them, given how important compliance issues have grown.
A “philosophical” consideration before the numbers
Is this seeming mismatch between accountability and standards a matter of compliance performance being a nonquantifiable goal? Or does it stem from the ideal for compliance being zero tolerance for noncompliance?
John Soffronoff, president at ICS Risk Advisors, favors the latter argument.
“You don’t say, ‘We’ll tolerate some violations’,” Soffronoff explains. “The goal is zero tolerance.” ICS CEO John White makes the point that the cost of noncompliance, in many areas of banking regulation, becomes so expensive that it behooves bank boards to insist that management build tight controls into the organization.
But what about specifics? Soffronoff, formerly of FDIC, cites a passage from the Federal Reserve Board document SR 08-08--“Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles.” It says:
“… quantitative limits reflecting the board of directors’ risk appetite can be established for market and credit risks, allocated to the various business lines within the organization, and monitored by units independent of the business line. Compliance risk does not lend itself to similar processes for establishing and allocating overall risk tolerance, in part because organizations must comply with applicable rules and standards. Additionally, existing compliance risk metrics are often less meaningful in terms of aggregation and trend analysis as compared with more traditional market and credit risk metrics.” (Emphasis added.)
This underscores the thinking behind compliance accountability and this segment of the ABA study.
“The conversation is starting to change out in the market,” says Linnea Solem, director of data privacy and business risk management at Deluxe Corp. “It’s no longer just compliance being talked of, but a broader focus on risk management.”
Tim Burniston, vice-president and senior director, risk and compliance consulting practice at Wolters Kluwer Financial Services, says there are means of quantifying performance, even though risk tolerance is a different affair than in credit and similar fields. A board can clearly look at the types of complaints, and the number of them, in a specific area, comparing year-to-year trends.
Let’s take a closer look at the ABA data.
|
ABA Bank Compliance Officers Survey Part 1 |
|
 |
John Soffronoff, president at ICS Risk Advisors, favors the latter argument.
“You don’t say, ‘We’ll tolerate some violations’,” Soffronoff explains. “The goal is zero tolerance.” ICS CEO John White makes the point that the cost of noncompliance, in many areas of banking regulation, becomes so expensive that it behooves bank boards to insist that management build tight controls into the organization.
But what about specifics? Soffronoff, formerly of FDIC, cites a passage from the Federal Reserve Board document SR 08-08--“Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles.” It says:
“… quantitative limits reflecting the board of directors’ risk appetite can be established for market and credit risks, allocated to the various business lines within the organization, and monitored by units independent of the business line. Compliance risk does not lend itself to similar processes for establishing and allocating overall risk tolerance, in part because organizations must comply with applicable rules and standards. Additionally, existing compliance risk metrics are often less meaningful in terms of aggregation and trend analysis as compared with more traditional market and credit risk metrics.” (Emphasis added.)
This underscores the thinking behind compliance accountability and this segment of the ABA study.
“The conversation is starting to change out in the market,” says Linnea Solem, director of data privacy and business risk management at Deluxe Corp. “It’s no longer just compliance being talked of, but a broader focus on risk management.”
Tim Burniston, vice-president and senior director, risk and compliance consulting practice at Wolters Kluwer Financial Services, says there are means of quantifying performance, even though risk tolerance is a different affair than in credit and similar fields. A board can clearly look at the types of complaints, and the number of them, in a specific area, comparing year-to-year trends.
Let’s take a closer look at the ABA data.
Accountability--beyond the compliance unit
Clearly, a bank’s compliance unit leads the way in many areas of compliance, by definition. And even specialized functions like Anti-Fraud and Anti-Money Laundering have begun to either merge or cooperate where they don’t already reside in one place with all the other “fine print” areas of banking.
Respondents to the survey were asked if they are evaluated annually on the basis of the bank’s compliance performance. Nearly three out of four—74.3%—said they are. There was some variation by bank size, but the trend was strong towards accountability. Banks with less than $100 million in assets reported this least frequently—62.1%--and banks from $1 billion to $19 billion reported it the most often, at 87.5%. (Only one in five respondents overall said that the results of the evaluation had a significant impact on their salaries.)
But the idea that the compliance buck only stops in Compliance is an old notion.
“It reflects the way it was a million years ago, when the compliance officer was held responsible for all compliance,” says Tim Burniston, who came to Wolters Kluwer recently after years with federal regulatory agencies. He says the best practice nowadays is for Compliance to be the trend-setter that shows a bank’s business units how to operate in compliance.
The survey, conducted periodically since 2003, has looked at accountability and the non-compliance, non-management banker. The overall findings have been pretty steady, with the sample indicating most recently that eight out of ten institutions holds these employees responsible for performance of compliance duties in their own work. This is pretty consistent across bank sizes, too.
In some banks, this simply comes under the expectation that employees will do their jobs properly. But in 58.6% of the banks, compliance is in most employees’ job descriptions. Of the remainder, 17.8% don’t use job descriptions, and 23.6% use them, but don’t include compliance duties. (This almost matches the portion of the survey group that does not hold noncompliance employees responsible for compliance errors.)
“My gut sense is that there is greater attention being paid to compliance issues, and greater expectations of compliance in general,” says Ann Jaedicke, managing director at Promontory Financial Group, a global financial services consulting firm and a former senior official at the Comptroller’s Office. “Boards have a greater expectation now that the lines of business in the bank will be on top of what it takes to comply with the law.” (Promontory was founded by former Comptroller of the Currency Gene Ludwig.)
Clearly, a bank’s compliance unit leads the way in many areas of compliance, by definition. And even specialized functions like Anti-Fraud and Anti-Money Laundering have begun to either merge or cooperate where they don’t already reside in one place with all the other “fine print” areas of banking.
Respondents to the survey were asked if they are evaluated annually on the basis of the bank’s compliance performance. Nearly three out of four—74.3%—said they are. There was some variation by bank size, but the trend was strong towards accountability. Banks with less than $100 million in assets reported this least frequently—62.1%--and banks from $1 billion to $19 billion reported it the most often, at 87.5%. (Only one in five respondents overall said that the results of the evaluation had a significant impact on their salaries.)
But the idea that the compliance buck only stops in Compliance is an old notion.
“It reflects the way it was a million years ago, when the compliance officer was held responsible for all compliance,” says Tim Burniston, who came to Wolters Kluwer recently after years with federal regulatory agencies. He says the best practice nowadays is for Compliance to be the trend-setter that shows a bank’s business units how to operate in compliance.
The survey, conducted periodically since 2003, has looked at accountability and the non-compliance, non-management banker. The overall findings have been pretty steady, with the sample indicating most recently that eight out of ten institutions holds these employees responsible for performance of compliance duties in their own work. This is pretty consistent across bank sizes, too.
In some banks, this simply comes under the expectation that employees will do their jobs properly. But in 58.6% of the banks, compliance is in most employees’ job descriptions. Of the remainder, 17.8% don’t use job descriptions, and 23.6% use them, but don’t include compliance duties. (This almost matches the portion of the survey group that does not hold noncompliance employees responsible for compliance errors.)
“My gut sense is that there is greater attention being paid to compliance issues, and greater expectations of compliance in general,” says Ann Jaedicke, managing director at Promontory Financial Group, a global financial services consulting firm and a former senior official at the Comptroller’s Office. “Boards have a greater expectation now that the lines of business in the bank will be on top of what it takes to comply with the law.” (Promontory was founded by former Comptroller of the Currency Gene Ludwig.)
While the Dodd-Frank Act has certainly turned up the heat on that, Jaedicke says that this trend pre-dates the controversial statute. She says anti-money-laundering laws got things moving. The fines for poor compliance tended to be substantial enough--and the publicity harsh--that the risks drew more board attention. “Boards began to re-think who held the compliance reins,” she says. Increasingly, boards and top management began to recognize that, frequently, the weaknesses were in the line units.”
Over the entire survey sample, 38.7% of banks track and record employees’ compliance records. About the same percentage, overall, includes compliance performance in annual employee reviews (38.8%); 13% of the banks don’t conduct formal reviews—especially among the smallest banks—and nearly half (48.1%) don’t include compliance in reviews.
These findings would appear to imply that in many banks compliance performance is something immediate managers rely on their own memory for, and enforce more directly, such as with a reprimand close to the occurrence.
The fact that the percentage of banks holding the non-management, non-compliance employees accountable isn’t higher flabbergasts Mitch Lucas, vice-president, product management and legal compliance, at Harland Financial Solutions.
“I find it amazing that the graphs don’t show all ‘yeses’ in this survey section,” says Lucas. “Who in a financial institution today can act without regard to compliance?”
Lucas points to the creation of the Consumer Financial Protection Bureau as persuasive evidence that accountability should be pushed: “Founding the bureau says to me that Congress is pushing for bank compliance from the back office all the way to the front office.”
Missing link is the business unit itself
The middle ground between accountability at the board level and at the ground level is the business unit, and the survey indicates it’s a place where accountability isn’t as strong.
While there’s frequent accountability at the employee level and in the overall sense, there appears to be a gap in the process in many institutions, especially smaller ones. The survey asked if business line units’ departmental-level compliance records are formally tracked and recorded, and this was the case in only 38% of the banks. By bank size, here’s how respondents answered: under $100 million, 20.5%; $100 million to $499 million, 33.7%; $500 million to $999 million, 52.4%; $1 billion to $19.99 billion, 50.6%; and $20 billion and more, 69.2%.
Again, many institutions don’t build compliance performance into line unit heads’ annual reviews. The survey found that while 28.8% of the banks do weigh compliance in reviews, 45.3% don’t—and 25.9% of the total doesn’t conduct formal reviews at the relevant level. Overall, these findings seem to imply that business unit managers aren’t held accountable for compliance as often as lower-level employees.
Promontory’s Ann Jaedicke says business-unit weaknesses need to be addressed. “You have to make the business unit responsible in some way,” she insists.
“The challenge is balancing the recognition that 100% compliance is impossible with the cost of compliance,” says John Soffronoff of ICS. “It is more important to demonstrate an effective compliance program, which, if in place, should lead to a 1 or 2 compliance rating.”
The middle ground between accountability at the board level and at the ground level is the business unit, and the survey indicates it’s a place where accountability isn’t as strong.
While there’s frequent accountability at the employee level and in the overall sense, there appears to be a gap in the process in many institutions, especially smaller ones. The survey asked if business line units’ departmental-level compliance records are formally tracked and recorded, and this was the case in only 38% of the banks. By bank size, here’s how respondents answered: under $100 million, 20.5%; $100 million to $499 million, 33.7%; $500 million to $999 million, 52.4%; $1 billion to $19.99 billion, 50.6%; and $20 billion and more, 69.2%.
Again, many institutions don’t build compliance performance into line unit heads’ annual reviews. The survey found that while 28.8% of the banks do weigh compliance in reviews, 45.3% don’t—and 25.9% of the total doesn’t conduct formal reviews at the relevant level. Overall, these findings seem to imply that business unit managers aren’t held accountable for compliance as often as lower-level employees.
Promontory’s Ann Jaedicke says business-unit weaknesses need to be addressed. “You have to make the business unit responsible in some way,” she insists.
“The challenge is balancing the recognition that 100% compliance is impossible with the cost of compliance,” says John Soffronoff of ICS. “It is more important to demonstrate an effective compliance program, which, if in place, should lead to a 1 or 2 compliance rating.”
How boards set their expectations for overall compliance
The ABA survey asked three questions relating to how boards and managements, at an overall level, set expectations for compliance. One conclusion is that for many boards and management teams, accountability is something of a judgment call, not something relying on formal yardsticks.
The ABA survey asked three questions relating to how boards and managements, at an overall level, set expectations for compliance. One conclusion is that for many boards and management teams, accountability is something of a judgment call, not something relying on formal yardsticks.
• Has your board or senior management established a written objective or standard relating compliance performance expectations to supervisory criticism or exam rating tolerance?
Four out of ten banks do this. This surprises somewhat, in that this is where a compliance officer would most often seem to sink or swim, and it would seem that more banks would maintain such a standard. Criticism and exam ratings are black and white, leaving little room for argument, though the compliance officer may not be at fault.
Among the largest banks sampled, those over $20 billion in assets, 70.8% maintain such a standard, but the smaller the bank, typically, the less likely this was. Only 37.6% of banks under $100 million reported doing so.
“I was surprised in this section,” says John White, CEO at ICS Risk Management. “I thought it would have been much higher in all categories.”
White notes that poor compliance ratings can indicate the lack of a serviceable compliance program at the bank. He says this is why some institutions come out of compliance exams with orders to engage an outside firm to conduct a management study, to help the bank beef up its abilities and structure.
Four out of ten banks do this. This surprises somewhat, in that this is where a compliance officer would most often seem to sink or swim, and it would seem that more banks would maintain such a standard. Criticism and exam ratings are black and white, leaving little room for argument, though the compliance officer may not be at fault.
Among the largest banks sampled, those over $20 billion in assets, 70.8% maintain such a standard, but the smaller the bank, typically, the less likely this was. Only 37.6% of banks under $100 million reported doing so.
“I was surprised in this section,” says John White, CEO at ICS Risk Management. “I thought it would have been much higher in all categories.”
White notes that poor compliance ratings can indicate the lack of a serviceable compliance program at the bank. He says this is why some institutions come out of compliance exams with orders to engage an outside firm to conduct a management study, to help the bank beef up its abilities and structure.
• Has your board or senior management established a written objective or standard relating compliance performance expectations to financial loss tolerance?
Interestingly, even fewer banks maintained written standards here—only 23.9% of the overall sample. While 56% of the largest banks maintained such standards, among other bank-size categories the activity was less seldom seen, the highest being 28% among those under $100 million in assets.
Interestingly, even fewer banks maintained written standards here—only 23.9% of the overall sample. While 56% of the largest banks maintained such standards, among other bank-size categories the activity was less seldom seen, the highest being 28% among those under $100 million in assets.
• Has your board or senior management established a written objective or standard relating compliance performance expectations to reputation risk tolerance?
Over the entire sample, 34.4% said “yes.” Again, the largest banks did this much more frequently, with 64% saying “yes.” Among the other size classes, the trend was in the mid- to high 30%s.
Bankers were asked what factors had prompted a change in compliance systems, policies, or practices. Most often mentioned were recommendations by compliance staff (63.7%). This was followed by exam findings (62%); audit findings (50.8%); suggestions by consultants or vendors (36.4%); compliance quality assurance efforts (31.8%); suggestions by inside or outside counsel (26.4%); operating employee suggestions (15.4%); and consumer complaints (8%). Patterns differed among bank size categories.
The roles of the board and the regulators, respectively, is interesting, according to Christina Speh, director of compliance strategy and new markets, in Wolters Kluwer’s risk and compliance consulting practice. Speh, a former review examiner at the Fed, has a warning here. Regulatory agencies, she says, have long been very definite that they aren’t responsible for a bank’s compliance program. The institution is.
“They see themselves coming in as if they were external auditors,” says Speh. Ultimately, after they point out weaknesses, it is up to the bank’s board and management to figure out how to fix them.
Upcoming survey and commentary segments:
• How does compliance prevent regulatory costs?
• How well does compliance save bank reputation?
• What are the trends in bank compliance compensation?
The ABA Bank Compliance Officers Survey is a project of the ABA Center for Regulatory Compliance. Members of ABA can download the entire survey report here.
Over the entire sample, 34.4% said “yes.” Again, the largest banks did this much more frequently, with 64% saying “yes.” Among the other size classes, the trend was in the mid- to high 30%s.
Bankers were asked what factors had prompted a change in compliance systems, policies, or practices. Most often mentioned were recommendations by compliance staff (63.7%). This was followed by exam findings (62%); audit findings (50.8%); suggestions by consultants or vendors (36.4%); compliance quality assurance efforts (31.8%); suggestions by inside or outside counsel (26.4%); operating employee suggestions (15.4%); and consumer complaints (8%). Patterns differed among bank size categories.
The roles of the board and the regulators, respectively, is interesting, according to Christina Speh, director of compliance strategy and new markets, in Wolters Kluwer’s risk and compliance consulting practice. Speh, a former review examiner at the Fed, has a warning here. Regulatory agencies, she says, have long been very definite that they aren’t responsible for a bank’s compliance program. The institution is.
“They see themselves coming in as if they were external auditors,” says Speh. Ultimately, after they point out weaknesses, it is up to the bank’s board and management to figure out how to fix them.
Upcoming survey and commentary segments:
• How does compliance prevent regulatory costs?
• How well does compliance save bank reputation?
• What are the trends in bank compliance compensation?
The ABA Bank Compliance Officers Survey is a project of the ABA Center for Regulatory Compliance. Members of ABA can download the entire survey report here.
[This article was posted on March 2, 2012, on the website of Banking Exchange, www.bankingexchange.com, and is copyright 2012 by the American Bankers Association.]
Tagged under Compliance, Risk Management,
