Keeping Your Head Above Water: Four Tips for Managing Flood Insurance Law Changes


Among the various areas of regulatory compliance, one area—compliance with flood insurance regulations—seems to cause an out-sized level of anxiety, and for good reason. Over the past several years, field examiners have been diligent in identifying and citing violations of the flood regulations, and many of these violations have resulted in imposition of civil money penalties (CMPs) against the violating banks. During 2013 and 2014, nearly 100 flood-related CMPs were imposed on banks, ranging in amount from $1,000 to well over $100,000. Paying penalties is never enjoyable, but is even less so in this era of tight margins and strained profitability.

Last year, President Obama signed into law the Homeowner Flood Insurance Affordability Act (HFIAA) as a way to dial back some of the increased costs associated with the 2012 Flood Insurance Reform Act. The HFIAA will bring about a number of new and modified obligations on banks, which will become effective at various times during 2015 and 2016. Changes are coming in the areas of forced placement of insurance, acceptance of private flood insurance, escrowing of premiums, and exemptions to the mandatory purchase of flood insurance.

The ultimate responsibility for ensuring compliance with consumer protection laws and regulations, including flood insurance laws and regulations, rests with the board and senior management. How do you keep your head above the changing waters?

  1. Policies and Procedures. Any change in law or regulation in a compliance area should trigger a review of the bank’s existing policies and procedures in the affected areas. The review should be done with an eye toward necessary or appropriate changes to the policies and procedures. Management also should use this review process to determine to whom the revised policies and procedures need to be communicated to ensure an effective flood insurance compliance program. Certain of the changes may affect personnel outside of the lending and compliance functions at the bank. Once identified, all appropriate personnel should be trained on the new policies and procedures.
  2. Education. The compliance officer’s and real estate loan origination staff’s knowledge and understanding of the changes in the law/regulations are critical to ensuring compliance. The board and senior management have to be willing to expend the necessary resources to educate these folks who are on the front lines of the flood insurance process. Additionally, directors and senior managers also should receive training on the basics of flood insurance regulations so that they can appropriately oversee the compliance function and manage the attendant risk. The regulatory agencies, industry trade associations, and FEMA (Federal Emergency Management Agency) are good sources of training materials.
  3. Customer Communication. Your bank already may be receiving inquiries from customers regarding the impending changes to the flood insurance rules. If not, expect that you will. The changes relating to escrowing premiums, exemptions from mandatory coverage, and private flood insurance are fertile ground for customer questions. Now is the time to review your existing customer communication procedures to be sure that appropriate personnel and/or departments are tasked with handling inquiries, and that all personnel, especially customer-facing personnel, know to whom they should direct customer inquiries regarding flood insurance.
  4. Monitoring and Audit. As previously mentioned, the board and management have ultimate responsibility for ensuring compliance with flood insurance regulations. An effective compliance monitoring/audit function is paramount in carrying out this responsibility. The coming changes in the regulations will require management and the board to revisit certain aspects, if not all, of the flood insurance compliance program. Despite your training and planning efforts to implement perfectly the changes to your flood insurance processes and procedures, mistakes will be made. The wise bank will test the new processes early and frequently to head off any systemic issues. Better you find any problems and fix them, than to have them discovered by the examiners at your next compliance exam.

Changes are coming, and it is safe to say these will not be the last. Getting out ahead of the changes and planning for them is the key to successfully navigating the changing flood waters.

There’s a New Framework for Internal Controls: What Boards Need to Know


The COSO framework, which stands for Committee of Sponsoring Organizations of the Treadway Commission, is used by most public companies when reporting on the effectiveness of their internal control over financial reporting in compliance with the Sarbanes-Oxley Act.

The organization, whose sponsoring members include the American Institute of CPAs and the Institute of Internal Auditors, released an updated version of its major guidance document in May of 2013, called Internal Control—Integrated Framework.

As a member of a bank board or audit committee, it is important to have an understanding of how these changes might impact your bank.

Banking regulators are putting more pressure on banks to diversify lending while simultaneously improving credit risk management and reporting, and they are also after banks to focus on IT security. The 2013 framework creates a more formal structure for designing and evaluating the effectiveness of internal controls by codifying the fundamental concepts associated with them. A set of 17 broad principles relating to internal controls, which were present but deeply buried in the earlier framework, now supplement the five components held over from the 1992 framework. These components and associated principles are:

  • Control environment

    • Demonstrates commitment to integrity and ethical values
    • Exercises oversight responsibility
    • Establishes structure, authority and responsibility
    • Demonstrates commitment to competence
    • Enforces accountability
  • Risk assessment

    • Specifies suitable objectives
    • Identifies and analyzes risk
    • Assesses fraud risk
    • Identifies and analyzes significant change
  • Control activities

    • Selects and develops control activities
    • Selects and develops general controls over technology
    • Deploys through policies and procedures
  • Information and communication

    • Uses relevant information
    • Communicates internally
    • Communicates externally
  • Monitoring activities

    • Conducts ongoing or separate evaluations
    • Evaluates and communicates deficiencies

Entities must demonstrate compliance with the principles associated with each component above to conclude that the component is present and functioning.

Also new to the 2013 framework are 75 points of focus that relate to external financial reporting. These specific considerations relate to each principle above, principles such as “assesses fraud risk,” and are important characteristics to consider in determining whether the corresponding principle is, in COSO’s terms, “present and functioning.” Not all points of focus need be met to conclude that a principle is present and functioning.

A key first step is determining how the 2013 framework will affect your internal controls’ design, documentation and evaluation. While many businesses have an abundance of transaction controls but gaps in other areas, banks—which operate in a regulated environment with frequent examinations—are more likely to have implemented many of the entity-level and monitoring controls that other companies lack. Still, since some of these controls may not have previously been identified as key SOX controls, additional documentation may be necessary.

Your staff should begin by matching existing documented controls with the new principles and associated points of focus. Next, they should compare each principle and point of focus to your existing controls to assess whether the controls are sufficient to conclude that each principle is present and functioning. A fair amount of judgment is involved in determining which controls address a specific principle or point of focus, and undoubtedly there will be many relationships between your existing controls and the COSO principles and points of focus.

If you can conclude that the principles are covered, no further analysis is necessary. But if it appears a principle isn’t covered, your staff should determine whether the unmet principle or point of focus is due to an entirely missing control—an activity the institution doesn’t perform—or an undocumented control. Many apparent gaps are often the result of missing documentation, not necessarily missing controls.

At this point, staff should determine whether undocumented controls should be formally documented as part of your bank’s SOX program or if new controls are necessary to mitigate the missing controls. This is an important point and should be considered carefully. Although your SOX program may be based on the 2013 framework, not all points of focus need to be covered by a key SOX control.

The process of mapping your internal control documentation to the principles and points of focus and mapping each principle and point of focus to your documented controls will help you evaluate your mix of control activities, the levels at which activities are applied, and segregation of duties. This exercise will determine how close you are to complying with the COSO 2013 framework—and put you on the path to full compliance.

Is Your Bank Ready for Basel III Compliance?


Board members have an important role to play in implementing the latest directives from the Basel Committee on Banking Supervision.

The first implementation deadlines are looming for the standards in the Third Basel Accord, commonly known as Basel III. It’s time for bank directors to make sure they’re up to speed.

Basel III comes into play at a time of worldwide economic uncertainty. Promulgated by the Basel Committee on Banking Supervision, the international forum for supervisory matters based in Basel, Switzerland, this comprehensive set of regulations seeks to instill greater stability and confidence in the banking system by dealing with deficiencies exposed by the financial crisis of the late 2000s.

The Basel III framework includes six key requirements for banks:

  • Hold more and better-quality liquidity
  • Maintain more and better-quality capital
  • Achieve enterprise risk management maturity
  • Ensure robust, comprehensive stress testing
  • Enhance capital adequacy assessments
  • Integrate comprehensive and actionable capital and strategic planning

A new risk-weighted capital framework to determine regulatory capital adequacy based on Basel III becomes effective for community banking organizations (non-complex, with assets between $500 million and $10 billion) on January 1, 2015.

Community Bank Readiness
Many managers and officers of community banks and small regional banks have told me they believe Basel III is really not an issue for them because they’re extremely well-capitalized. However, if these bankers haven’t run the Basel III calculator provided on each banking regulator’s website, their confidence may not be warranted. The risk ratings under Basel III are radically different from anything we’ve seen in the past. And you can’t determine true capital adequacy simply and solely on the basis of the new regulatory capital ratios. Those ratios are merely the ante into the game, the minimum requirement.

In today’s banking environment, the only true measure of capital adequacy is economic capital measured in a customized way for each financial institution, stress-tested to consider all risk elements across the full probability spectrum. A fresh assessment and approach are needed before you can say you’re well-capitalized in a Basel III world.

A Board Responsibility
Basel III should be a top-of-mind concern with every member of the board. Directors have a critical fiduciary role in ensuring Basel III compliance, and in capital and strategic planning in general. The board should be front and center in these areas:

  • Defining risk appetite. First and foremost, boards of directors must define the level of risk that is acceptable for their organizations. Within acceptance of that risk, they must determine what commensurate returns they expect the financial institution to earn.
  • Scenario planning. Through stress testing and scenario planning, boards of directors should look at all potential outcomes and their impact on capital, from low- to high-probability events. Directors should help frame some of these scenarios and stress tests, and thoroughly understand the results. The board must also have a firm grasp on how integrated strategic and capital plans are driving decision making—including risk assumption, resource allocation and the tactical actions of the organization.
  • Right-sizing capital. The board of directors must be instrumental in making sure that the bank’s capitalization properly aligns with the risks assumed by its banking business model. I am an advocate for the “Goldilocks School of Banking.” Like the porridge sampled by the little blonde-haired girl, capital needs to be “just right”—neither too much nor too little, and customized for the financial institution.

RAROC: The One True Metric
Risk-adjusted return on capital (RAROC) is the most all-encompassing performance indicator your organization can employ in assessing your capital position. It is the only metric that considers both full risk and potential return in a strategic business equation.

RAROC is suitable for assessing your total organization, individual business units, products, customers and customer segments. It enables you to determine your economic capital and capital adequacy, while helping optimize how you allocate capital and resources. Risk-adjusted analysis helps your organization intelligently price customer transactions, evaluate profitability, incentivize employees and right-size capital to your risk profile.

The benefits of RAROC are substantial and far-reaching. I encourage your board to insist on using this important tool.

Getting Started
Basel III awareness and compliance begin with the board asking two things of management:

  • Education. Whether it’s provided by the executive team or an outside consultant, the board should insist on a one- to two-hour overview of Basel III—not just focusing on what the regulations require, but also the implications for your banking business model and a strategy to respond.
  • Basel III status report. The board must ask if the executive team has run the pro forma calculations for Basel III capital compliance, and where the capital levels stand today in light of Basel III requirements.

This simple, two-step questioning process is absolutely essential. If it isn’t already underway at your financial institution, it should begin at your next board meeting.

For more information on capitalization and regulatory compliance, see Orlando Hanselman’s white paper, Capital Conundrum: A Call for Clarity and Action.

Weak Consumer Exams Are Holding Up M&A Deals


It has been several years since the financial crisis, and now banks seeking acquisitions know that they need to have high levels of capital, strong management teams and good asset quality if they hope to get the deal across the regulatory finish line. The key handicap these days, however, is the increased scrutiny on compliance issues at both the acquiring bank and the target bank.

After two years and two extensions of its drop dead date, the M&T Corp-Hudson City Bancorp deal remains in a highly visible state of regulatory purgatory. Others are suffering in a less visible way, and for a broader range of compliance reasons than the anti-money laundering (AML) problems that trapped M&T. Moreover, compliance-related delays can arise from problems at the target even when the acquirer has a strong rating and systems. One of the newest reasons for the delay in M&A regulatory approvals arises because of increased regulatory expectations around consumer financial protection.

For many banks, the results of consumer compliance exam reports are not quite as good as they were a few years ago. For some banks and thrifts, the increased examination standards are an unpleasant surprise, demanding increased infrastructure and investment at a time when there are many competing demands. Just as expectations and examinations gradually increased in intensity in the AML arena a few years ago, they are now increasing in the consumer protection arena, with the expectations of the Consumer Financial Protection Bureau (CFPB) informing the consumer compliance and enforcement practices of the traditional banking agencies. These agencies do not want to appear lax as compared to the CFPB. The CFPB examines banks above $10 billion in assets, but as a result of other banking agencies’ focus, consumer compliance is now a concern even for those banks that are not subject to CFPB examination and enforcement authority. This is leading to two new trends:

  1. For those banks that are subject to CFPB jurisdiction, we are increasingly seeing that the Federal Reserve will seek informal assurances from the CFPB that the most recent exam report is or will be satisfactory before approving an acquisition at the bank holding company level.
  2. A threatened but unresolved memorandum of understanding or cease and desist in the consumer compliance area, whether at the acquirer or the target, can delay approvals of an acquisition even when all other issues are resolved. This is especially the case when after the closing there is a change of primary regulator.

Whether and how long this trend will hold is unclear but, for now, it is sometimes a reason for an unexpected delay.

As a result, bank boards and managements need to think carefully about consumer compliance issues as they consider their strategic options. There is, of course, a bit of a chicken-and-egg problem here. Community and smaller regional banks may need to get larger in order to have the scale to invest in the new infrastructure that the rising standards demand and yet perceived current problems with poor consumer compliance marks can prevent or delay acquisitions that might bring about scale and scope. The art is to avoid the trap.

What You Don’t Know Can Hurt You: 10 Things to Watch When You’re on a Bank Board


The legal and regulatory climate for a bank is changing on a weekly basis. At least in part due to this, the expectations and liability risk of a bank director are not the same as a year ago, let alone five years ago. To help address this, we crafted a list of some broad themes we believe bank directors should be particularly attuned to now.

Enterprise Risk Management
Risk management is a function, not a committee. Boards need to implement a process to ensure that risks are properly identified and addressed in such a way that the board can demonstrate a “credible challenge” to management. And, beyond creating an effective corporate clearing house for risk, boards need to ensure that the bank possesses a management team capable of carrying out this function.

Third Party Risk
Vendor management has become a hot-button for all banks, as formal and tacit guidance continues to emerge. In addition to performing and memorializing due diligence around vendor selection, banks need to be in a position to understand and properly supervise the work of any vendors. This means having a properly qualified and trained management team that addresses the operational, compliance and other risks potentially resulting from reliance on third parties.

Trust Preferred Securities (TRuPS)
Many banks were forced to defer payments on TRuPS in the aftermath of the 2008-2009 crisis period. With the five-year TRuPS deferral period now coming to an end, many bank holding companies don’t possess the funds (and cannot compel a bank dividend) to bring the TRuPS current. Further, regulators have insisted that any proposed capital raise be sufficient not only to pay off the TRuPS, but also to result in a composite CAMELS 2 rating for the bank. Your board needs to understand the resulting threats and opportunities.

Deferred Tax Asset Preservation
Bank regulatory agencies have begun to take issue with rights plans that are designed to preserve deferred tax assets (DTAs), citing the safety and soundness concerns that such plans could present by complicating future capital raises. As regulatory guidance on this point appears imminent, your board needs to understand the implications for your bank and your competitors.

Director Liability
Boards should ensure that they have the benefit of up-to-date exculpation and indemnification provisions in the bank’s charter and bylaws, as well as a robust directors and officers (D&O) insurance policy that is not rendered useless by a host of exemptions. In addition, with so much of the recent banking litigation being focused on process, your board should reconsider and redefine the way that your bank makes, records and polices its deliberations and decisions.

Role of Directors in Lending Decisions
Clearly, directors should be involved in defining the scope of a bank’s lending activities, the delegation of lending authority, and the monitoring of credit concentrations and other risks. But should directors serve on loan committees, and make the actual lending decisions? It’s time to reassess this important issue. Directors making day-to-day lending decisions can blur the lines of proper governance and needlessly expose directors to additional liability risk.

Charter Conversions
Each of the banking agencies seems to be developing a different regulatory mood on key issues, such as business plans, consumer compliance and risk-based regulation. In this post-crisis environment, it is important that you consider whether your bank is appropriately chartered in light of its strategy. Put another way, the trends have changed, and you should consider how these changes affect your bank.

Growth Strategies in a Tough Lending Climate
With traditional loan growth being slow, banks continue to reach for less traditional loan products, such as asset-based lending, factoring, lease finance, reverse mortgages, premium finance, indirect auto lending, warehouse facilities, etc. As always, these products must be considered in light of concomitant compliance risks and capital requirements. Directors should ensure that management performs thorough risk assessments alongside their profit/loss projections.

The Effects of Basel III
Depending upon the size and makeup of your bank, the January 2015 Basel III changes will impact your bank’s regulatory capital position. At a minimum, directors need to understand from the bank’s CFO and auditors that there is a plan anticipating what the pro forma capital position is expected to be under Basel III.

Compliance Issues Can Sink a Strategy
Too many banks with solid strategies have seen their bank’s growth hindered by compliance failures. Bank Secrecy Act/anti-money laundering rules, consumer protection regulations, and poor oversight of third parties can result in enforcement actions and derail growth until the issues are remediated, which can take years. Boards must set a tone at the top with regard to the compliance culture of the bank.

The themes above are top of mind for us, but the environment remains dynamic. This list likely will look very different in another year.

Emerging Regulatory Risks & How to Prepare for Them


As regulators and requirements continue to evolve, today’s bank boards need to proactively prepare for the potential impact emerging risks will have on their institution. In this video, Lynn McKenzie of KPMG reviews the latest regulatory trends and outlines some simple steps for boards to effectively manage those risks.


Coverage Options for Civil Money Penalties


The Federal Deposit Insurance Corp. (FDIC) issued guidance saying banks should not offer coverage for civil money penalties under directors and officers (D&O) liability insurance policies. In this video, Dennis Gustafson of AHT Insurance advises how boards can modify their policies in order to stay in compliance and still cover defense costs.


Silver Lining for Community Banks: Using New Regulations to Your Advantage


In recent days and months, there has been much discussion about the challenges small banks face to comply with increased regulatory requirements, particularly those stemming from the Dodd-Frank Wall Street Reform and Consumer Protection Act. Though the costs of compliance have increased and can prove burdensome, especially to small banks, industry observers and participants who approach the requirements with a glass-half-empty attitude are missing an important opportunity: If community banks take a strategic approach to compliance, they can differentiate themselves from the competition.

Going Beyond the Minimum
The benefits of thoughtfully implementing new regulatory requirements have been demonstrated in the past. Consider the know-your-customer requirements that mandated that banks obtain more information about their customers’ behavior to better verify customer identities, which in turn helps identify suspected money laundering activities. When the requirements went into effect, some banks simply did the minimal amount that was required.

Other banks took a more strategic approach. Some saw the new information-gathering requirements as the chance to truly get to know their customers better and enhance the level of service they provide. For example, some institutions developed dynamic discussions with account applicants, with bank staff varying their follow-up questions based on the information new customers provided. These fluid conversations were designed to create better account-opening experiences and to yield insightful data to better serve customers and support new product and service development.

Setting a Community Bank Apart
Community banks can take steps to successfully combine compliance efforts with a focus on enhancing customer service.

  • Fully integrate new regulations for a consistent customer experience. Given the multitude of regulations being implemented during the next several years and their potential impact on bank customers, compliance efforts must be embedded into existing processes. An approach that bolts new systems or processes onto existing ones typically is inefficient and leads to inconsistency that could have a negative effect on customers’ experience with the bank and the bank’s ability to effectively comply with new regulations.
  • Spread compliance-minded professionals bank-wide. It is no longer cost effective or time efficient for a community bank to rely exclusively on its compliance department as the sole line of defense in the bank’s efforts to comply with new regulations. Regular communication with and training of existing personnel is critical to instituting a culture of compliance. When hiring new employees, community banks should seek out professionals who are operationally focused and capable of integrating new regulations and compliance activities into operations.
  • Create open lines of communication. When all those at a community bank expand their focus to include new regulatory requirements, continuous communication is necessary to prevent duplicating efforts. Consider the example of a proactive underwriting manager who invested in a fair-lending tool to boost his department’s compliance activities. Unfortunately, the manager did not inform the bank’s compliance officer, who had already implemented a different fair-lending tool. Regular meetings between lines of business and members of the compliance team will foster more effective and efficient systems of compliance.
  • Seek input from business leaders who understand customer needs. The leaders who manage a bank’s lines of business are accountable for day-to-day activities and are in the best position to recognize how regulatory changes could affect customers. Bringing business leaders into the decision-making process early and often can make the difference between a problematic compliance framework and a solid program that operates as designed and fosters growth of the business.
  • Focus on what the bank does well. Some community banks are jettisoning lines of business that are no longer profitable, especially as they analyze overall rising expenses as well as costs specifically associated with compliance. This is an opportunity to focus exclusively on areas where the community bank excels in serving clients.

    Conversely, competitors eliminating lines of business also can provide community banks with an opportunity to fill a market void and strengthen their competitive position. These types of decisions should be made in the context of market analysis that identifies opportunities and risks.

Small but Mighty
Every bank, regardless of size, will encounter challenges in meeting new regulatory requirements. Finding the silver lining in increased compliance efforts and costs can position community banks as stronger, more competitive, and more focused on their customers’ needs than ever before.

Making Outsourcing Work for Your Bank


With increased regulatory compliance demands, many financial institutions are looking to relieve the pressure by outsourcing their non-core functionality. In this video, Beth Merle of Sutherland Global Services provides insight into which services can be outsourced, how much banks can save and the best way to hold providers accountable.