
Compliance risk rises to top of board agenda

In wake of Wells affair, directors must reconsider what “risk appetite” really means

Bank boards must close up the gaps to oversee compliance appropriately.

We’ve asked several Banking Exchange bloggers and other contributors to examine the Wells Fargo affair from the vantage of their areas of specialty. With this entry in our series, compliance expert Richard Riese considers the impact of the situation on board compliance oversight.—Steve Cocheo, executive editor and digital content manager

Repercussions from the Wells Fargo cross-selling incentives case are still being felt. Congressional hearings, regulatory follow-up, public debate, and capital market fallout make the common corporate shibboleth for settling government enforcement actions “in order to put it behind us and move forward” ring more hollow than usual.

Obviously, there were failures in the operation of the Wells cross-selling incentive program. Opening accounts without consent and creating accounts without customer knowledge, let alone approval, were surely not activities authorized by Wells Fargo’s policies and procedures.

Nonetheless, even the best compliance programs don’t operate instantaneously. Sales call recording reviews, customer complaints, and other red flags all go through stages of audit and investigation before root causes can be identified and corrected.

Some form of this process did take place at Wells, but whatever controls were in place to identify such aberrant activity apparently did not rise to the task in an acceptable timeframe.

Still, in a case where injured account holders incurred an average of less than $2.50 per account in damages, what can bank directors—and, indeed, all bankers in a supervisory capacity—learn? What lessons can be taken from what has turned into such an outsized, record-setting, and reputation-smashing embarrassment to the nation’s largest bank and its highly regarded CEO?

From a board of directors oversight perspective, two early lessons emerge:

• Enable early board engagement when control failures implicate compromised ethics.

• Reframe “materiality” for the board’s consideration of compliance risk matters.

Let’s review these points in detail, and then consider their implications for boardroom behavior.

Enabling early board engagement

One lesson for directors to learn is the need to incorporate options in compliance program oversight for early engagement at the board level when control failures implicate ethical dimensions. Such matters can’t wait for the monthly, or even quarterly, presentation by Compliance or Risk Management.

When staffers violate policies by devising ways to game the system, compliance failure has gone beyond typical human error, insufficient training, or lax monitoring. The bank’s core value of customer trust is compromised. The board must be put on early alert.

Board members are the ultimate guardians of the institution’s cultural and ethical standards. Placing any such threat on the board’s agenda at an early stage accelerates the chances of it being resolved. No board wants to have a control failure of an ethical nature linger as an agenda item.

In addition to an early alert, board policies should also provide for early escalation of management reviews to board committees and the option for early intervention by board-level authorities.

The path is there. Audit or Risk Committees are well suited to serve as readily available board-level structures to handle early escalation. They are normally responsible for evaluating management reviews of control performance on a regular schedule. But such committees are just as capable of accelerating that process when circumstances demand.

Early intervention is a further stage of accelerated board-level engagement.

For example, in an incentive plan control failure situation, early intervention may take the form of suspending the incentive compensation program while audits or investigations are being carefully conducted. Such a suspension of the suspect program creates a significant imperative for the compliance or audit staff to prioritize their work and for the business line to cooperate with that sense of priority.

Of course, not every regulatory violation warrants early board engagement. Compliance management programs are designed to prevent, detect, and correct compliance deficiencies, including rule violations, at a business line or senior management level. Directors’ time and expertise are scarce resources that are not to be consumed by normal management functions.

So distinctions must be made about what type of issues trigger early engagement.

Focusing the trigger for early board engagement around ethical standards and core values will help make those often intangible concepts more concrete pillars of your corporate culture.

Reframe “materiality” for compliance risk matters

A second lesson that bank directors should learn is that the normal frame of reference for evaluating risk tolerance is not appropriate for consumer compliance risk decisions.

The Securities and Exchange Commission has a concept of “materiality.” That concept dominates public corporation boardrooms as the yardstick for risk assessment. However, it has the effect of underestimating the exposure a bank faces for compliance failures.

In fact, that concept leads to an overestimate of the board’s risk appetite for such failures.

Directors accustomed to the large numbers associated with credit default and interest rate risk in multibillion-dollar portfolios can easily lose perspective when the losses incurred for remedying compliance miscues are orders of magnitude smaller. A $1 trillion-asset company’s materiality threshold is far above a seven-figure compensatory damage claim.

In addition, where the consumer harm to be remedied is fundamentally the refund of bank fees, executive management and the board may further discount the materiality of the loss, from a risk tolerance perspective.

After all, banks forgive fees every day. In most large banks employees at customer representative levels are empowered to resolve customer complaints or encourage customer loyalty by forgiving or refunding fees within policy limits.

However, more is at stake in defining compliance risk tolerance than the monetization of any consumer harm.

Applying the standard notion of “risk tolerance” to regulatory violations is difficult to conceive of as other than an oxymoron. Setting out to accept regulatory error has both an ethical and a legal component that makes many directors uncomfortable, as it should.

It is like saying that disregarding consumer rights is an acceptable cost of business—when it surely is not. This is why directors do not “tolerate” the risk of illegality as much as they concede a degree of organizational fallibility to be accompanied by controls to minimize and correct unauthorized conduct.

In the highly regulated and closely supervised banking industry, regulatory risk is an additional factor to be considered in determining one’s consumer compliance risk appetite. This risk introduces multiple sources of uncertainty: lack of regulatory clarity, varied examiner judgment over official guidance, and absence of publicly available legal precedents, among others.

Regulatory risk also encompasses the risk of straining the supervisory relationship in ways that can erect barriers on fronts unrelated to the original compliance issue.

Every bank knows that unresolved enforcement or supervisory matters can jeopardize application activity that can in turn disrupt long-term business plans.

Considering “proportionality” and prioritization

Furthermore, the current political atmosphere has also exacerbated the public’s sensitivity to banking industry issues. As a residual effect of the Great Recession, members of the banking industry—and especially its largest members—work under heightened public scrutiny that exacerbates each institution’s regulatory risk.

It is this accumulation of uncertainty and political sensitivity affecting regulatory risk that translates to an undermining of the concept of proportionality that normally provides a common foundation for agency and industry risk dialogue.

The fundamental principle for risk-based supervision and risk management is that risk drives priorities and proportionality contributes to the rank ordering of those priorities.

In other words, things that cause the most harm should get the highest priority attention and should be remedied in proportion to the relative harm inflicted.

However, proportionality has been undermined by the uncertainty of regulatory risk as reflected in the willingness of regulatory agencies to impose disproportionate civil money penalties more as a matter of governmental leverage than any established legal precedent.

Neither incentive compensation nor cross-selling is an illegal activity. A program to reward employees for cross-selling of accounts—with a real value proposition for customers and after obtaining their consent—can be adopted. Compliance procedures can be devised to address the risk that a small percentage of staff may deviate from approved policy, to assure that customers who are actually harmed are compensated, and to assure that offending bank staff are disciplined.

However, it seems unlikely that a bank’s directors could have anticipated that despite compensating any injured consumers and disciplining offending employees, the bank would still be assessed a record-setting CFPB penalty and pay redundant penalties to the OCC and the City of Los Angeles totaling 36 times the amount customers were financially damaged and had been repaid.

In fact, it seems unlikely that any compliance officer could have projected such an astronomical multiplier to represent the regulatory risk incurred, or recommended board approval for such a level of risk tolerance.

This gap between risk expectations and risk experience demonstrates a key conclusion. That is, that the lack of proportionality affecting regulatory risk and the inappropriateness of applying the standard definition of materiality to compliance risk assessments compel a reframing of all boards’ consideration of compliance risk tolerance under current circumstances.

Management should connect the dots for directors

Of course, an institution the size of Wells—and in reality every bank over the $10 billion threshold for CFPB jurisdiction—incorporates compliance risk assessments into the board reporting function.

However, sophisticated risk rankings and colorful heat maps are not substitutes for clear prose.

Risk ratings invite a degree of reliance on the projected precision of their numbers that is not merited and contributes to mis-framing the risk appetite decision. After all, what shade of red would one paint the Wells incentive plan heat map to convey the likelihood of a record-setting penalty?

More explanatory prose conveys by operational segment:

• Associated potential harm to consumers.

• Regulatory risk and reputational exposure to the bank.

• Expected efficacy of program controls to deliver performance within the tolerance of organizational leadership for the expected residual risk.

• Consequences when someone does not work by the rules—and simple ethics.

Such prose cannot remove the uncertainty or restore proportionality. However, it can describe the nature and consequences of that uncertainty in terms that are more actionable for directors.

Boards must find their direction now

Other banks’ directors must now deal with the spillover of this record-setting settlement. Cross-selling incentive plans will get increased scrutiny by all regulators.

Going forward, it falls to directors to focus their efforts on assuring that in a SMAART* compliance program the components of Assessment and Accountability are strengthened by reframing the process to define their risk appetite and by refining their role in an early engagement process.

Making these improvements will help banks and their boards determine what viable options exist between the untenable horns of the dilemma about whether to fight or fold in the face of disproportionate government leverage.

* SMAART stands for Systems, Monitoring, Assessment, Accountability, Response, and Training.

Richard Riese

Richard Riese is a former banking regulator and retired industry advocate who provides practical insights on developing policy and managing regulatory risks in the delivery of consumer financial services and products as Principal of SMAART.COnsulting.
