If you are or have been in the compliance arena, you are familiar with this scenario: the examiners have just come to your office with a somber countenance. They are here to report a significant finding resulting from their review, and they may want to impose a consent agreement. You have several options:
A) Hide under your desk and hope they go away B) Engage in histrionics and accuse them of picking on your bank C) Threaten to sue D) Listen closely to what they are saying and ask a series of questions that will allow you to deal with the finding effectively
The fact is that findings happen! There are findings, and then there are FINDINGS! The way you deal with each will greatly impact your compliance life. There are several critical steps your institution can take to ensure your response has the greatest impact.
Step One – What Exactly is the Finding?
It is crucial to gather all the information you can from the examiner when they present the finding. In many cases, findings result from miscommunication or misunderstanding. For example, an examiner at one bank asked where flood insurance policies were stored and was told they were kept in the loan file. However, the person who gave this answer was unaware that the procedure had changed and flood loan policies were now kept elsewhere. Initially, the examiners were ready to cite the bank for several violations of the flood rules because the information in the loan files was outdated, and they were prepared to recommend a consent order. It is very important to determine the exact nature of the violation from the outset.
It is also important to identify the specific regulation, guidance, or rule that has been violated. By referring to the source of the regulatory requirement, you can get a clear picture. As part of this process, understand whether the rule in question is new or has been around for some time. While older rules may seem more serious, a reinterpretation of a rule can have the same impact as a new one. There are sometimes areas that receive new or increased focus, such as enhanced due diligence for high-risk customers as part of AML examinations.
The source of the finding is a critical consideration when determining the level of enforcement action. Even though it is understandable, we recommend that you never use the “I was never cited for this before” response. Just as you wouldn’t use the excuse “I speed regularly on the freeway” with a highway patrolman, it won’t work with regulators.
At the end of the day, ensure you can explain the violation to someone else as a test to confirm your understanding of the issue.
Step Two – Why Did This Happen?
A frequent mistake institutions make is simply fixing the cited problem, such as starting to make missing disclosures. However, this approach is merely a bandage and doesn’t necessarily address the root cause of the finding. The next step in managing a finding is identifying the root cause of the problem.
Several questions can help determine the root cause of a finding. Was it a training issue? Were policies and procedures outdated and inefficient? One of the most important questions is whether the problem is systemic or limited to an individual staff member or business line. Is the issue a lack of understanding of the regulation, or does training need reinforcement? Determining the root cause allows the institution to assess the magnitude of the issue and build an appropriate response.
Step Three – Is This Indicative of a Bigger Problem?
Once the root cause is determined, assess whether the findings indicate a larger problem. There are many reasons for findings, but some reasons suggest a bigger issue. For example, if staff were unaware of regulatory changes, there is a fundamental flaw in the compliance management program. This does not mean your compliance staff is incompetent, but rather that sufficient resources are needed to communicate regulatory changes and implement necessary procedures.
Alternatively, the issue may be one of training. While online training programs are cost-effective and widely accepted by regulators, they may not always suffice. In-person training that details the history and goals of a regulation can be more effective in reducing findings and violations.
Step Four – Communicating
It is important to communicate the findings to senior management and the Board to keep them fully informed. As a best practice, communicate the root cause and proposed solution simultaneously. Demonstrating an understanding of the finding and presenting a plan to fix the problem is an excellent way to show regulators you grasp the breadth and depth of the concern. Building a relationship based on trust and communication is crucial, especially when the findings are severe.
Step Five – Find Out the Regulatory Implications
As mentioned earlier, there are findings, and there are FINDINGS! In some cases, the finding may require a small correction. In others, the examiner may find a pattern and practice of violations, leading to enforcement actions up to and including civil money penalties. It is critical to determine from the examiners whether they will consider a finding a repeat finding, as repeat findings indicate a general weakness in the compliance program and are always considered grave.
Suppose You Don’t Agree
Many financial institutions either don’t agree with a finding or have misgivings but go along to get along. While this may seem to make life easier, it is not the most prudent path. ASK for clarification—not to be argumentative, but to avoid locking yourself into an untenable position. If the examiner asks for something infeasible (e.g., acquiring new software), understanding the source of the finding is important. If it is an interpretation or regulation, there may be a change in the next examination, as different teams have different interpretations. Ultimately, a forceful yet respectful disagreement is beneficial and respected by the regulators.