What’s your “compliance mindset”?
Upgraded federal compliance ratings process requires fresh approach
- |
- Written by Pam Perdue, Continuity
Attitude may play a role in how well your bank scores in new federal compliance ratings, suggests consultant Pam Perdue.
At a recent technology event, a motivational speaker set forth his developmental program based on the work of Stanford University psychologist Dr. Carol Dweck.
Dweck's landmark work, Mindset: The New Psychology of Success, distinguishes levels of human achievement based on "fixed" versus "growth" mindsets. A grossly oversimplified synopsis of this groundbreaking book is as follows:
• In a "fixed" mindset, people believe they are born with a finite amount of capacity and capability, whether physical, intellectual, or relative to resources.
• Those with a "growth" mindset believe they can expand, learn, and grow in any area and every direction.
More than mere optimism, a "growth" mindset allows the individual to pursue success more vigorously and explore a wider range of options for achieving it. "Fixed" mindset folks, on the other hand, tend to stay within their comfort zones, believing that venturing outside of their pre-defined personal limits will result in danger and/or failure.
Which describes you and your bank?
No doubt you are thinking: How do psychological paradigms apply to compliance ratings?
Very directly it seems, if our real-time interactions with bankers are any indication.
Since April 1, federal examiners have been using new interagency assessment criteria to establish consumer compliance examination ratings for banks.
What we’ve seen during the past few months is that the bankers with a "growth" mindset readily and quickly adapted their compliance programs to meet the new standards. They viewed the new procedures as an opportunity to leverage modern technology to get compliance work done more efficiently, and document it more effectively.
Meanwhile, those with a "fixed" mindset are still trapped by a predictable pattern.
First, they whine and complain about how onerous and troublesome the new requirements are. Then spend months agonizing over just how to update the same spreadsheet they've been constantly doing upkeep on for the last 30 years. Then complain some more about how no one in their bank is going to like cooperating with their antiquated approaches.
In other words, the bankers with a growth mindset got ready faster, and were prepared to drive better outcomes—with less effort—than their fixed-mindset counterparts.
Looking at the new ratings
Moving forward, let’s examine the ratings as revised.
The sections below identify each of the new ratings criteria by category and the assessment factors under each. As you digest these new inquiries, be mindful of how your institution is performing, documenting, and creating an evidence trail that each of these criteria are being met.
Chances are, if you haven’t started using technology more intelligently in your risk and compliance functions, you may be missing opportunities to streamline this tracking and reporting process.
Assessment Category 1: Board and Management Oversight
Are the board and management sufficiently engaged in the institution’s compliance management system?
Assessment Criteria:
• Oversight and Commitment
The board’s level of oversight and commitment is demonstrated by making appropriate resource allocation for the size and complexity of the institution; hiring and retaining competent and knowledgeable staff; developing and enforcing a suitable governance structure; and assuring proper third-party due diligence and oversight.
• Change Management
Examiners will consider the speed and adequacy of response to change; consideration of regulatory impacts when making product or service changes; and monitoring of performance after the change.
• Risk Management
An institution’s ability to identify, measure, monitor and control risk exposures, including emerging risks, will be evaluated.
• Self-identification and Correction
Examiners must evaluate how quickly and accurately institutions can identify errors or weaknesses and fix the problems noted.
Assessment Category 2: Compliance Program
Is program design sound? Is its execution effective?
Assessment Criteria:
• Policies and Procedures
An assessment of whether policies and procedures are sufficient, providing adequate guidance to personnel on how to manage and mitigate compliance risk, must be made.
• Training
Examiners will inspect whether training is timely, comprehensive, and tailored to job responsibilities. Other areas of inquiry will include whether training is: periodically reviewed to confirm attendance and testing results; and whether it is updated proactively when products or regulations change.
• Auditing and Monitoring
Examiners must decide whether the institution maintains effective, timely, comprehensive, and up-to-date programs which allow for identification of changing risk exposures and any organizational or process deficiencies.
• Consumer Complaint Response
Processes for intake, investigation, and response will be analyzed to determine whether they are executed accurately and timely and include periodic analysis of complaint results for identifying and responding to any noted patterns or trends.
Assessment Category 3: Violations/Consumer Harm
Was the law broken? To what extent were consumers harmed?
Assessment Criteria:
• Root cause
Examiners must determine whether the cause of weaknesses was major or minor and how easily correctable are the issues.
• Severity
The type and extent of impact to consumers as a result of the issue(s) will influence examiner ratings of violations/consumer harm.
• Duration
When assessing ratings, examiners must consider the time period over which violation or harm persisted.
• Pervasiveness
Whether violations or harm was widespread or isolated is a factor in deciding examination ratings.
Inside the ratings process and bank response
Within each criteria, examiners are asked to decide whether the institution’s programs are strong, adequate, inadequate, seriously deficient, or critically absent.
Along this continuum, there is quite a bit of room for subjective interpretation of the terminology, leaving opportunity for discussion as well as disagreement on how performance is viewed and rated by examination teams.
Given the level of precision now articulated for these criteria, bankers have to be prepared to demonstrate compliance differently than they did in the past.
Previous methods of inspection called for risk-based approaches to transactional testing and sampling. So long as you were generating compliant outcomes at the end of a transaction, the methods by which you got there received little scrutiny.
Imagine now, that's flipped on its head, and the method by which you get there is now what's being scrutinized. The quality and effectiveness of your compliance management system is now what’s under review.
A solid, stable, and well-built system can withstand intense and frequent change and still deliver compliant outcomes. A reliable CMS is what examiners expect to see, and they’ve laid out the recipe for creating one with their new examination protocols.
To achieve success, your compliance management systems must also have a “growth”-based approach. Like the humans who oversee them, they must flexible and adaptable to any set of circumstances.
Whether regulation volumes grow or shrink, whether products and services are added or taken away, whether specific employees join or depart ... your CMS has to roll with the changes.
To best prepare your organization for the new examination criteria, a few minutes spent confirming that you’ve modernized your mindset as well as your methods will be time well spent.
About the author
Pam Perdue, a former compliance officer and Federal Reserve senior examiner, is EVP & Chief Regulatory Officer at Continuity, a regtech firm.
Tagged under Compliance, Risk Management, Compliance Management, Compliance/Regulatory, Feature, Feature3,
