Part One: A New System of Review
The FFIEC (the Federal Financial Institutions Examination Council, the interagency body made up of the major financial institution regulators) has changed how consumer compliance programs are rated. Instead of a single grade for the program, the final rating now rests on a three-pronged test. The three parts of the test are:
- The Overall Compliance Program: This includes the written program, the resources dedicated to the program relative to the overall risk profile of the portfolio, and the experience and competency of management.
- Board and Management Oversight: This evaluates the level and quality of reporting to management, as well as the follow-up on noted problems and implemented remediation.
- Harm to Consumers: This considers the potential harm of discovered violations to consumers. Some violations are very technical and can be remedied with minor fixes, while others may require more extensive actions like a “look-back” and reimbursement.
In its press release describing the new rating system, the FFIEC outlined the goals of this approach for compliance going forward. The goals include making compliance examinations more risk-based and allowing each institution the opportunity to develop and maintain a compliance program tailored to its risk profile.
Opportunities Provided by These Changes
The new rating system significantly changes a bank's ability to influence its own compliance outcomes. The emphasis on self-detection and self-policing rewards financial institutions that perform their own evaluations and diagnose compliance issues internally before an examiner does.
The rating system places a premium on having compliance and/or audit functions capable of identifying problems, determining their root causes, and recommending changes. To satisfy regulators, institutions must show evidence that senior management takes compliance issues seriously and has taken steps to address concerns. For instance, if a compliance review reveals that commercial lenders are not consistently providing proper ECOA notifications, the finding should be reported to the Compliance Committee along with a recommendation to train the commercial lending staff. Scheduling training is a reasonable response, but it is incomplete unless senior management follows up to ensure attendance and to hold the responsible staff accountable.
Self-Reporting
At first glance, self-reporting might seem self-punitive, but it is not. According to the FFIEC guidance, the more an institution cooperates with its regulatory agency, the more likely it is to receive consideration for a reduced enforcement action. Compliance failures will eventually be discovered, and self-discovery and reporting build trust in management and in the effectiveness of the compliance program. The key is timing: report after determining the extent and cause of the violation, but before regulators are likely to discover the issue on their own.
Remediation
How will your institution correct the problem? Has there been research to determine the extent of the issue and how many customers are affected? How will management ensure the problem is resolved and won't recur? These are the critical questions regulators consider when reviewing remediation efforts. Examples of strong remediation include:
- Determining if the problem is systemic or isolated to a particular staff member
- Conducting a “look-back” on loan files for the past 12 months
- Reimbursing affected customers
- Documenting steps taken to verify the problem and reimbursements
- Changing policies and procedures to prevent recurrence
- Taking disciplinary action if appropriate
- Planning follow-up actions to ensure the issue does not reoccur
Self-policing improves regulatory outcomes. A robust control environment affects all three rating components, and favorable ratings can extend the interval between examinations.
What is a Control Environment?
The control environment consists of your institution’s ability to identify risks inherent in operations and the steps taken to mitigate those risks. Written policies and procedures, often seen as bureaucratic necessities, are central to this environment. Developing policies and procedures should follow a thorough risk assessment, which is not just a routine task but an ongoing process.
The FFIEC compliance rating system incentivizes a structured approach:
- Complete a risk assessment covering products and services.
- Develop policies and procedures to address the identified risks.
This forms the control environment, but it doesn't end there. It's crucial to distinguish between preventative and detective controls. Preventative controls aim to stop errors before a transaction is completed (for example, a required checklist or system edit that blocks the file from moving forward); detective controls identify errors that have already occurred, such as a post-closing review of completed files. A sound control environment needs both: the preventative control reduces how often errors happen, and the detective control shows whether the preventative control is actually working.
Self-Policing and Internal Audits
Self-policing means testing the effectiveness of the control environment itself. A traditional audit may test a sample of loans, find no exceptions, and produce a false sense of security: a clean sample shows only that those particular files were clean, not that the control meant to prevent the error is in place and operating. Self-policing should instead test whether the control exists, whether staff follow it, and whether it would catch the error if one occurred.
The revised CC (Consumer Compliance) Rating System emphasizes self-policing, which is an opportunity to rethink the internal audit program. By focusing on the control environment, including both preventative and detective controls, institutions can demonstrate proactive compliance management.