If you’ve spent any time in the compliance arena, you’re likely familiar with this scenario: The examiners arrive at your office with a serious demeanor. They’ve identified a significant finding during their review and may consider imposing a consent agreement. At this point, you have several options:
A) Hide under your desk and hope they go away.
B) Overreact and accuse them of unfairly targeting your bank.
C) Threaten legal action.
D) Listen carefully, ask clarifying questions, and address the finding effectively.
The truth is, findings are part of the compliance landscape. Some findings are minor, while others are more serious. How you handle each can significantly impact your compliance journey. There are several critical steps your institution can take to ensure the most effective response.
Step One: What Exactly Is the Finding?
It’s crucial to gather all relevant information from the examiner when they present the finding. Often, findings stem from miscommunications or misunderstandings. For example, at one bank, an examiner asked where flood insurance policies were stored and was told they were kept in the loan file. However, the individual providing this information was unaware that the procedure had changed, and the policies were now stored elsewhere. The examiners were initially ready to cite the bank for several violations due to outdated information in the loan files and were prepared to recommend a consent order. Understanding the precise nature of the violation from the outset is essential.
In addition, identify the specific regulation, guidance, or rule that has been violated. By consulting the source of the regulatory requirement, you can gain the clearest picture. Determine whether the rule in question is new or longstanding. While older rules generally carry more weight when cited, reinterpretations can have the same impact as new rules. For example, enhanced due diligence for high-risk customers has become a renewed focus in AML examinations. Understanding the source of the finding is critical when assessing the potential enforcement action.
It’s important to avoid using the “I was never cited for this before” defense. Just because you’ve driven over the speed limit without getting caught doesn’t make it acceptable, and you wouldn’t try that excuse with a highway patrol officer. Ensure you fully understand the violation so you can explain it clearly to someone else.
Step Two: Why Did This Happen?
A common mistake institutions make is simply addressing the specific issue cited in the regulation—e.g., missing disclosures—and assuming the problem is resolved. This approach is merely a bandage and doesn’t address the underlying issue that led to the finding in the first place. The next step in managing a finding is identifying the root cause.
Ask yourself several questions: Was it a training issue? Are policies and procedures outdated or inefficient? Is the problem systemic, or is it isolated to an individual staff member or business line? Do we fully understand the regulation, or do we need to reinforce training? Identifying the root cause allows the institution to gauge the magnitude of the issue and craft an appropriate response.
Step Three: Is This Indicative of a Bigger Problem?
After determining the root cause, assess whether the finding signals a larger issue. There are countless reasons why findings occur, but some suggest more systemic problems. For instance, if the root cause is staff being unaware of regulatory changes, there’s a fundamental flaw in your overall compliance management program. This doesn’t necessarily mean your compliance staff is incompetent; the sheer volume of new regulations can overwhelm any institution. However, it’s essential to have sufficient resources to ensure regulatory changes are communicated and procedures updated.
Alternatively, if the issue is related to training, consider whether online training programs are sufficient. While cost-effective and widely accepted by regulators, sometimes in-person training is more effective, particularly when it comes to understanding the history and goals of a regulation.
Step Four: Communicating the Findings
It’s important to communicate findings to senior management and the Board, ensuring they are fully informed. As a best practice, present the root cause and proposed solution simultaneously. Clearly articulating your understanding of the finding and outlining a plan to address it demonstrates to regulators that you grasp the scope of the issue. Building a relationship based on trust and communication is especially valuable when dealing with severe findings.
Step Five: Understand the Regulatory Implications
As mentioned earlier, there are findings, and then there are FINDINGS. In some cases, a finding may require only a minor correction. In others, the examiner may identify a pattern or practice of violations, leading to enforcement actions, including civil money penalties. It’s crucial to determine early on whether the examiner considers the finding a repeat issue, as repeat findings indicate a general weakness in the compliance program and are always taken seriously. Even a minor or technical finding can escalate to a matter requiring attention or even a supervisory letter. The regulatory implications should also be communicated to senior management.
Suppose You Don’t Agree
It’s not uncommon for financial institutions to disagree with or have reservations about a finding but go along to get along. While this may seem to simplify matters, it’s not always the best course of action. Asking for clarification isn’t about being argumentative; it’s about avoiding an untenable position. For instance, if an examiner requests something infeasible, such as acquiring new software, understanding the source of the finding is key. Different examination teams may interpret regulations differently. A respectful yet assertive disagreement is healthy and can earn respect from regulators.