The Federal Reserve Bank of Kansas City recently prepared a publication titled A Banker's Guide to Establishing and Maintaining an Effective Compliance Management Program (the Guide). With the Bank's permission, we are presenting the Guide in two consecutive issues of Compliance Corner.
The Guide is designed to outline some considerations to help organizations manage an effective compliance program. It includes sections on compliance risk assessment, program structure, audit coverage, compliance aids, "red flags," frequent violations, communication, and training. Since this is a generic publication, each topic should be considered within the context of an organization's size and complexity. In addition, since both regulations and the compliance environment change, some of the information contained in the Guide may become outdated at some point in time.
The topics covered in this issue include:
In the Federal Reserve's supervision of state member banks in recent years, the focus in consumer compliance, as well as safety and soundness, has been on the assessment of risk to the financial institution and the customers it serves. From a bank's perspective, risk management should focus resources on the most important regulatory requirements in a cost-effective manner. We believe that compliance risk can be broken down into two types of risk — product risk and regulation risk — which are discussed below.
Product risk refers to characteristics of a bank that are likely to affect the probability and impact of noncompliance. These characteristics are related to such factors as the bank's size, management expertise, and business orientation. To more effectively manage compliance, you may wish to consider the product risks applicable within your institution. For your information, the four product risk factors used by Federal Reserve examiners are listed and discussed below.
Product Materiality — The materiality of a product is a factor of its importance relative to other products offered by the bank. Materiality may be expressed in terms of the assets or total deposits of the bank or, in the case of off-balance-sheet products, by the number or amount of commitments or sales.
Product Stability — Product stability is measured by the product's age and complexity relative to other products offered by the bank. New and high-growth products would be expected to contain higher risk. On the other hand, a high degree of automation may mitigate other factors.
Product Management — Issues considered in this risk factor include the experience of management with new product offerings in general and with this product in particular. The quality and effectiveness of training and internal controls, the thoroughness of the internal and external audit functions, and the absence of past adverse findings should be considered when evaluating this factor.
Bank/Branch Size (Market Share) — In general, large banks/branches affect a greater number of consumers and bring a more complex array of products to the markets they serve. As such, large banks/branches have a higher level of risk than small ones. Market share qualifies this risk factor when the dominance of a bank or the absence of financial service alternatives produces a reliance on the bank by area consumers disproportionate to the bank's size. The reverse may also be true of large wholesale or special purpose banks.
Regulation risk refers to the potential consequence to the general public and the bank of noncompliance with the regulation. Factors under this risk category include financial harm to consumers; legal, reputation, and financial harm to a bank; new laws, regulations, or amendments thereof; historical industry compliance; and the burden of corrective action, including potential civil and financial liability. The risk inherent in the consumer protection laws and regulations fluctuates in relation to changes in legislation, or market and public policy considerations. In establishing or evaluating a compliance program, you may first wish to consider the regulation risks that accompany your products.
Federal Reserve examiners currently utilize the following regulation risk ratings for planning the scope of examination coverage. The risk-focused scoping process will typically require a more in-depth review of products affected by the higher-risk regulations.
| Risk | Statute or Regulation | Section for Review |
|---|---|---|
| 1 | Real Estate Settlement Procedures Act (Reg X) | Mortgage Servicing Transfer Disclosure |
| 1 | Right to Financial Privacy Act | All |
| 1 | Fair Debt Collection Practices Act | All |
| 1 | Unfair or Deceptive Acts or Practices (Reg AA) | |
| 1 | Rule of 78s | All |
| 2 | Expedited Funds Availability Act (Reg CC) | |
| 2 | Truth in Savings Act (Reg DD) | All |
| 2 | Reserve Requirements (Reg D) | All |
| 2 | Fair Credit Reporting Act (FCRA) | All |
| 2 | Consumer Leasing (Reg M) | All |
| 2 | Interest on Deposits (Reg Q) | All |
| 3 | Real Estate Settlement Procedures Act (Reg X) | All provisions except those rated 1 and 4 |
| 3 | Truth in Lending Act (Reg Z) | All provisions except those rated 4 |
| 3 | Electronic Funds Transfer Act (Reg E) | All |
| 3 | Regulation B and Fair Housing Act (FHA) | Provisions not covered by FFIEC interagency procedures |
| 4 | Truth in Lending Act (Reg Z) | APR, finance charge, HOEPA, rescission |
| 4 | National Flood Insurance Act (Reg H) | All |
| 4 | Privacy of Consumer Financial Information (Reg P) | All |
| 4 | Real Estate Settlement Procedures Act (Reg X) | Section 8 |
| 4 | HMDA and CRA | Data Verification |
The structure of a bank's compliance program depends on many factors, including management's philosophy, the past compliance performance of the institution, and the tenure and knowledge of bank employees. A less structured program may be adequate for a small organization with noncomplex products and a history of strong compliance. However, as an institution grows, adds branches, and increases its product offerings, a more structured program is typically appropriate. A structured program includes written policies and procedures that provide ongoing guidance to staff, particularly when management or staff turnover occurs. You should consider the following areas as you evaluate the appropriateness of the structure of your bank's compliance program.
Written Policies — Formal written policies that outline compliance responsibility help ensure that all employees are aware of their role in achieving compliance. Depending on the depth of these policies, key compliance personnel may use them to ensure that specific goals are met and tasks are completed.
Policy Implementation — The most thorough and encompassing written policies and plans will have no effect on compliance performance without effective implementation. Consider identifying areas of responsibility in the written policies and developing a mechanism for the regular reporting of policy implementation and compliance.
Compliance Goal-Setting — During the bank's annual planning process, management should also consider compliance goals. Appropriate strategies for meeting these goals should be determined and sufficient resources allocated during the budgeting process.
Resources — Management must assess and provide for the level of resources necessary to achieve or maintain the targeted level of compliance performance. Compliance resources include compliance personnel, line personnel, senior management involvement, staff training, and outside compliance publications.
Board and Senior Management — The institution's board of directors should maintain an appropriate level of knowledge of bank compliance efforts and performance. Their oversight may be accomplished through regular briefings on such topics as audit and review activities, problem resolution, training efforts, and staff turnover. Additionally, participation in compliance committee activities provides board members and senior management with more direct involvement in the bank's compliance efforts. When a bank experiences compliance difficulties, board and senior management attention is often found lacking.
Compliance Officer — Whether full- or part-time, the bank's designated compliance officer should be someone with sufficient time to devote to monitoring and directing the bank's compliance activities. The compliance officer and any assigned assistants should be of sufficient competency and have the requisite knowledge and authority. It is critical that the compliance officer has the authority to require and enforce correction of compliance problems. In addition, proper reporting lines are important to prevent conflicts of interest. Ideally, the compliance officer should report directly to the directorate, its compliance committee, or the bank's chief executive officer.
Compliance Committee — Many institutions with successful compliance programs have established compliance committees that meet regularly and consist of personnel from various levels and departments. Senior management's presence and/or support of such activities should be evident.
Accountability — Compliance accountability should be an identifiable part of the institution's corporate culture.
Proactive vs. Reactive — A proactive compliance program adapts itself to the needs of the particular institution and the changing regulatory environment. Proactive programs deter violations before they occur, whereas reactive programs may rely solely on outside information, such as external audits or examinations, to identify areas that need improvement. The risk-focused examination procedures established by the Board of Governors limit transaction testing when a bank has proactive internal systems.
Audits and Reviews
An audit and review plan is an integral part of an effective compliance program. Appropriately carried out, it can help management identify areas of weakness and strength. It may point to issues that require additional training or identify individuals who do not understand bank procedures or regulatory requirements. It may also uncover discrepancies between branches, departments, or individuals. Regardless of the institution's size or the structure of its compliance program, the bank should establish some level of compliance audit and review. Some considerations for audits and reviews are discussed below.
Scope and Timing — The frequency and depth of reviews and audits should be commensurate with the bank's level of risk. In addition, audits of cyclical compliance issues should be timed appropriately.
Schedules — An annual, quarterly, or monthly audit and review schedule may be a valuable compliance tool. It can serve as a tickler system for compliance personnel to ensure that all necessary audits and reviews are completed and it can be an effective monitoring tool for bank management. However, audit and review plans should remain flexible enough to allow for additional or alternate coverage when weaknesses are identified.
Workpapers — Audit worksheets should allow the reviewer to document results, draw conclusions, and evaluate the causes of noted errors. The examiner checklists for the various regulations contained in the Federal Reserve Board's Consumer Compliance Handbook may be a helpful starting point in designing audit workpapers.
Communication — Determine the appropriate people/levels of management with whom to communicate audit and review findings. The frequency and form of such communication should also be considered. If compliance problems are ongoing, a higher level of management oversight with more frequent and more formal communication may be warranted.
Follow-up — Appropriate follow-up procedures ensure that problems noted in audits and reviews are corrected in a timely manner. Actions taken to correct problems, as well as any consequences for uncorrected problems, should be communicated to the appropriate staff.
Written Procedures — Periodic reviews of written procedures help to ensure that they remain consistent with regulatory changes, operating systems, and management philosophy. If written procedures do not comply with regulatory requirements, it is also unlikely that actual transactions will comply.
Transactional Reviews — Standard transaction testing identifies problems only after they have occurred. Tools such as checklists and in-process reviews may prevent errors before they occur.
Interview/Observe Staff — Some differences between actual operating procedures and written guidelines are difficult to detect. Interviews with staff and/or observation of customer contact may reveal otherwise undetectable problem areas.
External Reviews — Some compliance consulting firms offer compliance review services. Often these reviews may be tailored to the specific needs of the institution.
Branches — One of the most common difficulties in managing compliance is ensuring consistency between branches, particularly new ones. Audits and reviews should be structured to address this compliance pitfall. Procedural reviews should ensure that all branches process transactions similarly. Consider having the same individual audit transactions of a particular type across all branches. If branch employees audit only their respective branch's transactions, differences may go undetected.
Changes (computer conversions, new forms, changes to work flow, staff turnover, etc.) — Change and compliance errors are often correlated. Consider using change events as "triggers" for audits and reviews.
Examinations — While regulatory examinations should not be used as a substitute for an audit and review program, examiner findings and recommendations should affect the audit and review process. In addition to impacting the scope and timing of internal audits and reviews, examination results and recommendations should be communicated to the appropriate staff and acted upon.
Look for the next issue of Compliance Corner, when the topics of training, communication, compliance aids, "red flags," and frequent violations will be covered.
As always, feel free to contact Connie Wallgren, Vice President and Chief Examinations Officer at (215) 574-6217 with any questions on your institution's compliance programs.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.