Despite all that has been made of Dodd-Frank, the new Consumer Financial Protection Bureau, and the increased focus on consumer compliance throughout the banking industry, we think that the fundamental formula for effective board oversight of the compliance function has not materially changed. We encourage directors to take stock to make sure their bank’s program is adequate. In this season of great contests on the gridiron, we would emphasize that blocking and tackling—and defense generally—remain the keys to success in this area. Be a good coach and make sure that these fundamentals are practiced at your bank.
Bank Regulatory Expectations
We start with the black-letter guidance and then read between the lines based on our experience and judgment. Each of the prudential bank regulators has outlined its expectations for board oversight of the compliance function. Although it’s stated in various ways, the basic recipe for the “compliance management system” is this:
- Compliance program documents and reporting
- Compliance audit
- Board and management oversight
Think of board oversight as “coaching” and the rest as blocking and tackling.
Compliance Program Documents and Reporting
A successful compliance program has and will continue to be based on an effective internal controls environment—your defense. The most important things a board can do here are to maintain effective policies and to expect excellence out of your management team. Designate a chief compliance officer like you would a starting quarterback. Every compliance examiner expects to see a body of current written policies and procedures, including a compliance program document, and strong compliance management leadership.
As is often said, policies establish “what” and procedures say “how.” It is probably not effective or appropriate for your average director to be involved in articulating how compliance gets done. On the other hand, policies should be reviewed at least annually, and the board should ensure that its committees—typically risk or audit—receive and digest reporting sufficient to describe the state of the compliance function. Are we staffed to keep up with changes in law? Is our training sufficient? What complaints do we generally receive? Do we need new or additional software or equipment? Perhaps most importantly, and the subject of our next discussion point, does evidence demonstrate that the program is working?
The regulators describe compliance audit as the means of testing the effectiveness of your compliance program. A related function is self-monitoring. The difference is generally in the level of independence and frequency of reviews. A robust compliance program will include regular self-reviews. Annual testing, either by your internal audit department or by a third party, is a required step, but it cannot take the place of ongoing review through internal monitoring and testing and a formal risk assessment process.
This conclusion has at least two justifications: first, self-monitoring (either by business units or compliance staff) generates real-time data useful to board and management oversight and is most likely to result in swift corrective action. Second, regulators typically “draft” behind compliance audit findings—that is, they make preliminary conclusions about the state of your program based on these reviews. While a genuine, independent and comprehensive compliance audit is an important aspect of a good system, it is preferable to go into these audits with confidence that your program is clean.
The Role of the Coach
While the compliance atmosphere has undoubtedly changed, a board that emphasizes the fundamentals—like a good coach—should succeed on every front. Take an active interest in your compliance management program and make sure it has what is necessary to get the job done.