Knee Deep in Regulation

As cause and effect relationships go, it’s nearly as predictable as tossing a burning match into a pile of gasoline-soaked rags. After any major financial crisis, either the U.S. Congress or the federal banking regulatory agencies react by heaping even more regulation on a banking industry that is already heavily regulated. And sure enough, the powers that be in Washington responded to the collapse of the subprime mortgage market two years ago by issuing a dizzying array of new laws and regulations, including separate amendments to the Real Estate Settlement Procedures Act (RESPA) and the Truth in Lending Act-which mandated significant changes in how residential mortgage loans are made.

Unfortunately for the banking industry, official Washington didn’t stop there. Last year Congress also passed a new credit card law, while the Federal Reserve Bank issued new rules that will place significant restrictions on bank overdraft fees. Add it all up and you have what Rebecca Jenkins, executive vice president and manager of corporate compliance at BB&T Corp. in Winston-Salem, North Carolina, calls a “veritable tsunami of new and proposed banking regulations.”

With so much activity occurring at the same time, it’s hardly surprising that bank executives like Jenkins are drowning in all the new compliance requirements. Not only are banks required to have policies and procedures in place to comply with the new regulations, they must be able to demonstrate compliance to their state and federal regulators through ongoing monitoring and periodic audits. When a single new regulation of any significance goes into effect, it can produce a chain reaction throughout the organization as new policies are written, computer software programs are modified, and people are trained on new procedures. But when several new regulations take effect more or less at the same time, it can result in a 10-car pileup on the compliance highway.

“It’s a strain on the infrastructure and resources to keep up with all the changes going on right now,” says Mark Ross, president and chief operating officer at Bank of the Ozarks Inc., a $3 billion community bank located in Little Rock, Arkansas. “It’s just the environment that we find ourselves in now.”

Given the explosion in new laws and regulations, it’s paramount that bank and thrift CEOs and directors take a fresh look at how they are managing compliance risk in their institutions. Are they emphasizing teamwork and open communication throughout the organization? Have they made the best use of technology and considered strategies like outsourcing to help manage the sharp increase in new requirements? Although the federal banking regulatory agencies may have some sympathy for the strain that all the new regulations have placed on bank compliance departments, the word “forbearance” is simply not in their vocabulary given the heated political climate in Washington. Like it or not, financial institutions will have to rise to the occasion and meet the new compliance challenges head on.

“The regulatory scrutiny is greater now than it has ever been,” says John Soffronoff, president at ICS Compliance, a New York-based consulting firm that specializes in regulatory compliance for the bank and thrift industries. “You might think they would cut them a little more slack, but that’s not what we’re seeing at all. The head of the banking agencies don’t want to be back in front of Congress explaining why the banks aren’t complying with all the new laws, and that flows all the way down to the examiners.”

Although a large institution like BB&T-with $165 billion in assets, making it the 10th largest in the country-has far more resources than a small community bank to meet these new compliance requirements, its sheer size and complexity magnifies the challenge. Not only is BB&T a large consumer bank and a big mortgage lender, it also has a major trust operation and a securities broker/dealer subsidiary that have unique regulatory restrictions of their own.

Major regulatory changes like the new mortgage loan settlement procedures in RESPA reverberate throughout the bank, beginning on the front end with lenders and loan closers and extending to the back end with computer systems and the operations staff. Typically, when a major change like this occurs, Jenkins will form a task force made up of all the affected areas throughout the bank to map out and implement a compliance strategy. Task forces have been formed over the last year or so to prepare for the new RESPA regulations, as well as the new credit card and overdraft fee restrictions.

Since 2006, however, BB&T has adopted a centralized approach to compliance, with a relatively small corporate staff working closely with each business unit within the company. Jenkins and her team help the businesses develop all the necessary policies and procedures, and they also monitor each businesses’ compliance through ongoing testing, but the ultimate accountability belongs to the business units themselves. “The line of business or affiliate is responsible for compliance being achieved,” she says. The only exception is the bank’s compliance with the Bank Secrecy Act and various anti-money-laundering regulations, which Jenkins oversees directly.

One of the advantages of this more centralized structure, where the business units are in effect required to police themselves rather than having an embedded compliance officer constantly looking over everyone’s shoulder, is that it provides the corporate staff with greater independence and autonomy. “No compliance officer can be pressured into overlooking something because they fear for their job or their bonus,” says Jenkins.

For Suanne Mingrone, the chief corporate compliance officer and head of regulatory relations at SVB Financial Corp., a $12.2 billion bank in Santa Clara, California, most of the new consumer protection regulations have relatively little impact on her bank since it focuses primarily on corporate customers. That said, there are still plenty of regulations that SVB does have to comply with, including the privacy protection requirements in the Gramm-Leach-Bliley Act, the Bank Secrecy Act and various anti-money-laundering provisions, and the Sarbanes-Oxley Act. Like BB&T, SVB has also pursued a policy of holding its various business units accountable for their own compliance with all applicable laws.

“We work closely with our business partners,” says Mingrone. “Our goal is to have [the] compliance [process] integrated with the business units.” Compliance at SVB tends to be a collaborative effort, with Mingrone’s team working closely with the bank’s legal department to understand any new regulation or regulatory change as well as the risks of noncompliance, and then working with the business units themselves to incorporate any necessary changes in how they operate. As much as possible, the emphasis is on teamwork and partnership rather than being compliance cops or auditors. “The compliance staff literally would need to triple or quadruple in size if we took on the auditing role,” Mingrone says.

Mingrone also meets quarterly with SVB’s corporate governance committee and works hard to keep them abreast of any compliance issues with the bank that might draw attention from its primary regulators, which are the Federal Reserve Board in Washington and the California Department of Financial Institutions. “Surprises are usually not a good thing,” she quips.

Although Bank of the Ozarks is not particularly small as community institutions go, its resources have been stretched thin by all the new consumer protection measures that have come out in recent years. “Our dedicated compliance staff is very, very small,” says Mark Ross, president and chief operating officer. Working with its compliance staff, the bank’s business units are expected to play a major role in developing new policies and procedures that adhere to such changes as the new mortgage loan closing requirements under RESPA and the new overdraft protection rules that will take effect this summer. One of the ways in which Bank of the Ozarks has tried to manage its compliance costs is to outsource the necessary auditing to an outside firm.

When Ross considers the impact that all the new regulations are having on his company, he worries about more than the cost of compliance. The measures could force his people to do things differently-and not always in ways that Congress or various federal agencies anticipated or intended. Ross points to all the new regulations in the home mortgage market, including settlement procedures and interest rate disclosures. “Those are truly challenging and, in fact, do impact the way we do business,”he explains.

For example, some of the RESPA amendments were intended to make it more difficult for lenders to take advantage of borrowers by offering them high-cost mortgages when they might qualify for a less expensive loan. “[All lenders are] responding to that in a different way,” says Ross. “Some people are saying they’re not going to make high-cost loans anymore.” Bank of the Ozarks hasn’t decided what it will do going forward, Ross explains. The problem is that the bank operates in a lot of rural Arkansas markets where the loan applicants don’t always fit comfortably in the mold of a conforming home loan that later can be sold into the secondary market. “We keep those rather than sell them, so we want to get a higher rate to compensate for the risk,” he says.

One option would be for Bank of the Ozarks to no longer make high-rate home loans, which will hurt some of its rural customers by limiting their access to the mortgage market. Or it may continue making the loans, but approach the process differently. “It may force us to go to centralized pricing and less delegated authority,” Ross says. “It gets too complicated for individual lenders to decide on their own how things get done. And that pushes us down the path of doing things the way the big banks do them.”

In today’s challenging regulatory environment, it’s important that banks and thrifts adopt compliance strategies that reduce risk to the enterprise while making the most effective use of internal resources. Unfortunately, the industry’s regulatory burden is increasing at a time when its profitability is under intense pressure, so every compliance dollar needs to be spent wisely.

What follows are various strategies for managing compliance risk as effectively as possible:

Talk to your regulator. The federal banking regulators may have private sympathy for what banks are experiencing since the explosion in new regulations places a strain on their resources as well, but it’s highly doubtful they will cut institutions under their supervision any slack when it comes to compliance with the latest set of rules. Montrice Yakimov, managing director for compliance and consumer protection at the Office of Thrift Supervision in Washington, says her agency will weigh all of the steps an institution has taken in preparation for new regulation when it considers an enforcement action for noncompliance. In effect, a strong effort to meet the compliance requirements-even if it falls somewhat short-is likely to mitigate any penalty the agency might impose. “But we absolutely expect compliance on the due date,” she says.

At the same time, depository institutions should not hesitate to consult with their primary regulator when they are uncertain about some aspect of compliance, Yakimov says. “There is an opportunity for give and take,” she explains. “Thrifts have case managers assigned to them and they can act as a liaison to compliance examiners at the agency.”

Soffronoff at ICS says it’s important that institutions be proactive when dealing with their regulators on compliance issues. “They need to hear from the bank about what their challenges are in implementing a new compliance policy,” he says. “Be as transparent as possible and don’t be afraid to go back to the agency and get help with kickoff guidance on a new regulation.”

At SVB, Mingrone hosts what she calls a “kickoff” before every compliance exam in which she and senior managers in the bank do a thorough review of SVB’s compliance program with the examiners before they start poking around in the bank. “If we can demonstrate that we have a sound program, it means they don’t have to drill down and do a lot of testing,” she says. “The regulators are very strapped for resources. This allows them to pull back and take more of a risk management approach.”

Indeed, it’s important to understand that in recent years the banking regulators have changed their philosophy when it comes to compliance examinations. John Hurlock, director of risk management in the business consulting group at Sheshunoff Consulting + Solutions in Austin, Texas, says the agencies used to be very “proscriptive” in their approach. “Compliance used to be ‘Here’s what you have to do,’” he says. “Now it’s ‘Tell us what you do and if we like it, fine. If not, there’s a problem.’” Because of this new approach, there’s an opportunity for a proactive bank with a strong compliance program to lessen the scope of the examination if the regulators like what they hear.

Involve the board. Since the board of directors is ultimately accountable for everything that happens inside the bank, its members need to have a clear picture of how compliance risk is being managed. At the community bank level, governance responsibility for regulatory compliance generally resides with the audit committee, although larger institutions with standing risk committees may place responsibility with that group. Regardless of what the governance structure is, directors should be briefed at least quarterly on their institution’s compliance risk profile-and more frequently if necessary. “The board of directors should never be surprised by a negative examination report,” says Yakimov at the OTS.

Most important, boards need to be proactive in terms of understanding the risks-particularly with so many new regulations going into effect. “Be engaged and be involved,” says Yakimov. “Know what’s going on inside the institution. Ask questions. What are the new regulations? What has [the corporate] staff done to comply with the regulations?”

Other questions directors should be asking, according to Ann Jaedicke, assistant comptroller for compliance policy at the Office of the Comptroller of the Currency in Washington, include:

u2022 What products are being affected by recent changes in consumer protection laws?

u2022 Who in the bank is taking responsibility for making sure the institution complies with the new laws?

u2022 Will the bank meet the effective date of the new regulations?

u2022 What contact has the bank had with its primary regulator and what information has it provided?

u2022 Do we have sufficient staff resources to handle the new compliance requirements or is extra help required?

u2022 Are outside service providers the bank relies on aware of the new regulations, and are they making the necessary changes to maintain compliance?

Engage the bank’s business leaders. Shifting accountability for compliance to an institution’s primary business units may be a simple case of making virtue out of necessity. After all, those business units all have more resources to deal with the increased compliance burden than a small corporate staff-and they also own the risks. “Involve the business lines,” advises Soffronoff at ICS. “The [corporate] staff can’t do it all. If the businesses don’t understand the regulations, the [compliance program] won’t be successful.”

But according to Mingrone at SVB, there’s another good reason to actively engage the business units in the compliance effort. “It’s important to change the mindset around compliance,” she says. “Compliance is everyone’s responsibility.” And when the compliance staff and business units work together as partners, it creates a sense of ownership throughout the organization that actually increases the likelihood that compliance will be achieved.

Look outside for help. Compliance has become so complex and demanding that some form of outsourcing is an option that most banks give careful consideration to. Hurlock at Sheshunoff Consulting, which provides a full range of compliance services across a variety of risks and will administer an institution’s compliance program on an outsourcing basis, points to the sheer breadth of compliance requirements that most banks and thrifts face-everything from privacy under Gramm-Leach-Bliley to mortgage loan settlement procedures under RESPA and financial reporting and disclosure issues under Sarbanes-Oxley. “It’s impossible for one person in any organization to cover all the bases,” he says.

Even if an institution doesn’t want to outsource its entire compliance program, it may make sense to rely on subject matter experts outside the organization to administer a piece of it. A perfect example is the Bank Secrecy Act and various anti-money-laundering regulations that are highly demanding because of their complexity and the sheer volume of consumer transactions that most banks generate in a year. AML RightSource LLC, a Cleveland, Ohio-based firm, was formed seven years ago by a group of former partners at the accounting firm Deloitte & Touche to focus exclusively on the BSA/anti-money-laundering market. The firm provides both consulting and ongoing administrative services that include transaction monitoring, customer risk profiling, and regulatory reporting. “Banks are in the business of buying and selling money,” says Thomas Pratt, the firm’s president and also one of its founders. “They’re not in the business of monitoring their customers’ business for suspicious transactions. “That’s our business. We’re subject-matter experts in this area.”

In most outsourcing relationships, the bank is actually leveraging the infrastructure and skill set of a third party at a cheaper rate than it would cost to maintain those resources in-house. “Banks can buy into a BSA/AML department where the costs are shared with other banks,” Pratt says.

Use technology to help the bank achieve compliance. When used intelligently, technology can ease the regulatory burden and improve the effectiveness of a bank’s compliance program. At BB&T, Jenkins makes a quarterly presentation to the bank’s audit committee that includes a “compliance risk heat map” showing all the various regulatory requirements to which bank the must adhere and their severity of risk at any given point in time. But without the ability to aggregate and analyze data from all four corners of the organization, Jenkins would not be able to provide the board with this synthesized view of risk. “If you’re going to intelligently manage risk, you can’t afford to have it in silos,” she explains.

Technology can also be used to facilitate compliance by reducing errors in businesses that involve a high number of complicated transactions. Harland Financial Solutions Inc., a Lake Mary, Florida-based technology company that provides a wide variety of products and services to the financial services industry, offers a product called LaserPro that provides standardized application and closing modules for commercial, consumer, and residential mortgage loans. The three modules are federal and 50-state compliant, and the real estate module has been updated to reflect the recent amendments to RESPA and the Truth in Lending Act.

According to Mitch Lucas, who oversees Harland’s compliance activities, the real estate module can detect the kind of critical errors that might later come to the attention of a regulator during a compliance examination and issue warnings to the bank. He cites the example of a state that caps late fees on mortgage payments at 18%. If a borrower who is a resident of that state were mistakenly hit with a higher fee, the system would automatically generate a critical warning. “The system provides regulators with greater comfort because of the warning system,” Lucas says. “If a bank can’t get the small stuff right, they start worrying about the big things.”

Perhaps one of the biggest underlying challenges of regulatory compliance is that it’s widely perceived as something banks have to do rather than want to do. And for those institutions that adopt a check-the-box approach in their compliance efforts, Hurlock says most will never be better than average performers. That’s why he urges his clients to find ways of using the compliance process to improve their profitability. As an example he cites the Bank Secrecy Act, which requires banks to collect valuable data on their customers. “Figure out how to use that information in your sales process,” he says. “You’ll be more effective in collecting the data.”

And that would truly be an example of finding virtue in a regulatory necessity.