Forward-thinking financial institutions are future-proofing their risk and compliance programs. They are detecting tracking and understanding not only emerging issues, trends and regulatory requirements, but also the next big areas of potential vulnerability. We are hearing from our bank clients that regulatory risk is at the top of the list. While bank directors do not need to be technical compliance experts, they do need to actively oversee compliance management and have an understanding of the changes coming.
Board members can play a central role in the process of re-focusing compliance on what’s important to regulators, and a key trend is a new focus on “fairness” or “impact” to the consumer. This concept is being led by the Consumer Financial Protection Bureau (CFPB), but quickly accepted by the other agencies. On September 25th the Federal Deposit Insurance Corp. (FDIC) released FIL-41-2012 which “reorients” the consumer examination score to be “based primarily on the impact to consumers.” During regulatory examinations, regulators will evaluate the board’s involvement (or lack thereof) in ensuring that programs are properly articulated and followed.
The Role of the CFPB
The Consumer Financial Protection Bureau has tremendous supervisory and enforcement authority and is already changing the mindset for what compliance means. The CFPB, which examines banks above $10 billion in assets, wants institutions to develop a “culture of compliance,” that focuses more on the risk to the consumer than the potential fines or violations a bank may receive if a violation is found. With the changes in the Dodd-Frank Act to the definition of Unfair, Deceptive, or Abusive Practices (UDAAP), which is now under the domain of the CFPB and applies to all banks and thrifts, it isn’t enough for financial institutions to simply meet regulatory requirements. Now, the way banks relate to customers is important. This dramatically changes the role and responsibilities of not just the compliance department, but of everyone within the bank. In addition, although CFPB is leading this effort, the new FDIC change highlights the need for institutions of all sizes to pay attention to this shift.
There is hope, however, for banks willing to be proactive in addressing the consumer-centric approach.
To be successful, the board needs to embrace an integrated approach to compliance risk management that reflects a consumer-centric viewpoint. This consumer centric approach should be so woven into your business that your employees do not think of it as compliance—instead they look at it as fundamental to their jobs. This culture needs to promote proactive and forward thinking. In a culture of compliance, the consumer is not the province of a single department, but rather the responsibility of the entire organization.
Compliance Management System
Expect Change. Your compliance program needs to adjust to address the four interdependent parts of the CFPB’s compliance management system, including board and management oversight, compliance program, compliance audit and the enterprise approach to responding and analyzing consumer complaints. The complaint management system may need to be revamped to ensure that management is utilizing the consumer complaint data to understand how products and services impact consumers. In addition to the standard complaint resolution process, your institution will need to ensure they are capturing both written and verbal complaints at all consumer touch points, feeding them into a system that allows for trending analysis, and ultimately changes in processes, supports, controls, and or products. Don’t forget that your program needs to hold your partners and vendors to the same standards that you hold your own business to.
Consumer Risk Assessments
The first thing the CFPB will do is conduct a compliance risk assessment that evaluates the risks to consumers arising from products, polices, procedures and practices. In preparation, your enterprise risk management and/or compliance risk program needs to be able to identify and respond to risks to the consumer. This risk assessment will likely illuminate risk areas not previously a focus of compliance, raise questions about activities that may currently be considered standard in the industry, and accordingly require changes in operations that staff may resist.
Your systems need to be able to identify risks to both the bank AND to the consumer. In order to accomplish this, compliance can no longer operate in isolation. Business lines must not only be included, but also assume it is their job to understand the risks to their operations, and have accountability to make the necessary changes within their operations to reduce these risks.
Staff members in different business lines must not only be included, but also assume it is their job to understand the risks to their operations, and have accountability to make the necessary changes within their operations to reduce these risks. To support a change in culture, compliance or risk management cannot be the only areas that the board holds accountable.
So how do you achieve a culture of compliance, where all employees are held accountable for risk?
The compliance program must change from focusing on past errors and the latest hot topics to evaluating and managing the potential risk to the organization—and to the consumer—generated by both internal and external sources. A forward-thinking organization can identify the next hot issue by proactively evaluating potential risks and adapting compliance programs to mitigate the risks to both the bank and the consumer. The proactive risk-based approach will put you ahead of the new consumer-centric examination approach and ensure the new hot issue doesn’t impact you or your customers.