Buying a Bank? 10 Key Compliance Due Diligence Considerations

M&T Bank’s recent acquisition of Hudson City Bancorp, right on the heels of M&T’s exit from the Troubled Asset Relief Program, is a strong indication that bank consolidations and acquisitions are likely to continue in the near future.

Whether acquisitions help to shore up capital, expand markets, or serve other purposes, numerous financial institutions are pursuing these deals. But are they performing the due diligence necessary to protect themselves from the potential compliance downside of these transactions?

If you’re considering an acquisition or consolidation deal, you can’t afford to skimp on due diligence. The old adage of “one man’s trash is another man’s treasure” definitely does not apply in these situations—when you acquire an institution, its trash remains trash.

The transaction price should reflect the related risks. Higher risks and compliance issues can generate fines and penalties that should not be overlooked when negotiating, but you have to know about the risks before you can negotiate over them. And that’s where due diligence comes in.

Before acquiring or consolidating with another institution, you should consider certain questions about that institution. While the following list is not all-inclusive, answering these questions will have you headed in the right direction:

1.  Does the institution provide products to money-service business (MSB) customers (e.g. wire transfers, currency exchange)? If so, how many, and what types of controls are in place to minimize the risks associated with those customers?

2.  What are the volumes of its currency transaction reports (CTRs), suspicious activity reports (SARs), and wire transfers, both domestic and international?

3.  Does it use an automated system for transaction monitoring, and if so, has the system been validated recently? Did those validations identify any gaps?

4.  Which types of controls are in place to help confirm compliance with the Office of Foreign Assets Control (OFAC) requirements?

5.  Are the loan and deposit operations centralized or decentralized, and is any portion of its operations outsourced to a third party? The answers to these questions will determine the potential amount of risk being acquired.

6.  Which types of products does it offer its consumers? Does it offer any types of unusual products that generally are not available from other financial institutions?

7.  How many different types of loan or deposit processing systems does it currently maintain?

8.  Which types of quality control processes are in place for keeping lines of business up to date on regulatory changes? Are those changes validated once they are required and implemented?

9.  How often is compliance tested and reported to management?

10. What is the structure of the compliance management program, and how does the program define “compliance?”

You wouldn’t buy a car without looking under the hood for potential problems that could come back to bite you down the road. The same rationale should apply to bank transactions, where the potential costs stand to be much, much greater. Regulatory agencies are placing a higher emphasis on compliance. It is your responsibility to demonstrate that you did your due diligence if you acquire any potential regulatory issues. If you cannot show proof of due diligence, you could face regulatory penalties.

Focusing on What’s Important to the Audit Committee: Three Things That Should Be on Everyone’s Mind

After the passage of the Sarbanes-Oxley Act, audit committee members experienced an increase in the intensity of the spotlight the public and regulators placed on them—and the focus didn’t just affect public companies. The current financial crisis again has put a spotlight on the responsibilities that all boards and audit committee members face. Although audit committees are actively engaged with their management teams and internal and external auditors, it can be difficult to know what should be the focus of those ongoing discussions.

So what are the things that audit committees should be thinking about today? Highlighted here are three of the critical risk areas that audit committees should have on their minds.

1. Earnings and Growth Plans: Early Assessments of the Risks

The credit challenges and related complications of the financial crisis are improving for many banks. Management teams are focused on returning to sustainable profits. Lending groups are actively looking to build their portfolios, and management teams are considering new products and services and expanding existing programs.

Audit committees need to be aware of the strategies their organizations are considering and of the associated risks. Internal audit should be auditing those risks. Whether a bank is considering resurrecting an old lending strategy or launching a new product or service, early action by the audit committee and internal audit will safeguard the organization. Audit committees and internal audit should work to understand their organization’s initiatives, limits and controls, and understand the risk monitoring that exists at their institutions.

2. Compliance: Effective, Efficient, and Critical for Survival

Compliance doesn’t always seem like the most strategic topic, but a lack of compliance can have consequences that quickly become strategic. Consumer regulations have changed significantly over the past few years, and more changes are on the horizon as the regulatory focus on consumer compliance has increased noticeably.

Audit committees should understand not just the details of compliance for individual regulations, but the compliance program itself. Having a robust system in place to identify changes, assess the enterprise-wide effects, and respond effectively is the only way that ongoing compliance can be achieved. Internal audit cannot just rely on management monitoring systems; it must perform independent testing of the compliance program and of compliance risks. Audit committees should understand the risk assessment process and internal audit’s coverage approach with respect to consumer compliance, and they should be comfortable that the compliance program will produce consistent and efficient results across all regulations and lines of business.

3. Enterprise Risk Management: Present, Comprehensive, and Insightful

Enterprise risk management (ERM) has been a topic of conversation for many years, but the level of discussion within banks and regulatory examinations is greater today in light of the financial crisis. Companies need an ERM process that is designed to address all risks across an organization and that provides meaningful information to executive management and the board. In addition, in response to the Dodd-Frank Wall Street Reform and Consumer Protection Act, which requires a board-level risk committee for firms with more than $10 billion in consolidated assets, examiners sometimes are asking much smaller organizations to put programs in place that include board-level oversight.

Audit committees should understand their bank’s ERM program, and internal audit should evaluate its effectiveness. Questions to consider include: Does a program already exist, and, if so, who owns the program? Are the right people involved? Do the results prompt the right discussions (are the company’s biggest risks part of the conversation)? Do the board and executive management support the process and the outcomes?

The goal of ERM is not simply to comply with a regulatory mandate, but to establish a disciplined process whereby the most significant risks are summarized for insightful discussion and response. As it does with all critical areas of its bank, an audit committee must make sure that the ERM function exists and that it is operating as intended.

Having confidence in the quality and scope of the internal audit function should be a priority for any bank’s audit committee. Though the three critical areas discussed above are not exhaustive, they represent some of the larger issues facing banks today. Ongoing changes are inevitable. Adding specific consideration of changing risks—and potential changes to audit plans—could be a useful topic for audit committees to add to their agendas.

New regulation puts additional burdens on compliance staff

In the current economic climate, banks are rightly focusing on safety and soundness issues. Banks must ensure, however, that they also effectively manage their compliance function because banking regulators are increasingly focused on this area in response to the numerous regulatory changes that have recently occurred and are likely to occur in the near future. Even if a bank’s compliance practices have not been criticized in the past, there is no guarantee that they will be approved by regulators at the bank’s next examination. Here are some highlights from a recent report by the Financial Institutions Group of the law firm of Barack Ferrazzano Kirschbaum & Nagelberg LLP, in Chicago:

  • Banking regulators are significantly downgrading many banks’ consumer compliance ratings because they are concerned that their compliance management systems are not equipped to handle the potentially numerous regulatory changes to be implemented by the Consumer Financial Protection Bureau. Banking regulators view violations of recent regulations and/or repeat violations, even if such violations are minimal in number and the bank engages in minimal consumer banking activities, as being especially indicative of an ineffective compliance management system. Importantly, banks with weak compliance systems will likely have their management ratings downgraded as well.
  • Banking regulators are conducting in-depth reviews of lending practices and are increasingly referring cases of alleged discrimination by banks to the Department of Justice. Even long-standing lending practices have recently been criticized by examiners. Banking regulators are concerned with:
      1. the extent to which banks give their loan officers discretion regarding pricing and underwriting,
      2. whether any pricing variances in any lending activity reflect discrimination against a particular group or in favor of another group,
      3. whether lending policies or practices may have a disparate impact on a protected class,
      4. whether assessment areas are appropriate, and the extent to which banks are lending throughout their entire assessment areas,
      5. whether changes in assessment areas reflect potential redlining, and
      6. whether banks are steering certain borrowers to particular loan products.
  • Section 5 of the Federal Trade Commission Act (the “UDAP law”) prohibits unfair or deceptive trade practices, and the Dodd-Frank Wall Street Reform and Consumer Protection Act expands this area further by prohibiting “abusive” acts or practices. It is increasingly common today for banking regulators to evaluate violations of compliance regulations under the UDAP law as well, and we will now likely see banking regulators evaluate such violations under the new “abusive” standard.
  • Banking regulators are delving deeply into mortgage loan originator compensation under the Truth in Lending Act and Regulation Z. Effective for compensation earned on applications received on or after April 1, 2011, a mortgage originator’s compensation cannot, with few exceptions, be based on any factor other than the amount of the credit extended. One general prohibition is the payment of compensation based on the profitability of the branch, division or entire bank.
  • Recently, several large banks settled lawsuits with the Department of Justice for allegedly violating the Servicemembers Civil Relief Act (the “SCRA”). These banks allegedly foreclosed on service members without obtaining court orders and/or charged service members interest rates in excess of the 6 percent interest rate cap under the SCRA. These settlements will likely prompt additional service members to file lawsuits against banks, or file complaints with their military offices for improper treatment under the SCRA.


New Media Compliance Issues: Is Social Media Right for Your Institution?

At the heart of social media – blogs, social networks and other multimedia endeavors – is a real-time, open and public dialogue accessible by anyone with Internet access. By the time your legal and compliance department has vetted a 140-character tweet, the conversation has changed. The reality of instantaneous engaged marketing with your customers can excite production staff and perplex compliance personnel. It doesn’t help that many of the rules that apply to the use of social media were created long before blogs and social networking consumed our lives. Perhaps this is one reason why the banking industry has lagged behind in the social media movement. But in the new reality, to ignore the movement is to be left behind. That is why financial institutions, regulators and attorneys are starting to get on board. The landscape may be unsettled, but it’s not entirely unmanageable.

Businesses, including financial institutions, are starting to see the vast potential for social media use.  Companies are connecting with their customers almost instantaneously and are receiving the kind of immediate feedback that once would have been obtainable only via costly and time-consuming surveys. Many companies are using social media as a customer service platform to create an online community of connected customers. The bottom line is maximization of advertising dollars. Businesses can reach any number of plugged-in consumers through the click of a button. Unlike television or radio ads, an online advertisement can be accessed any time, day or night, and gives the business the ability to change the course of the marketing communication mid-stream to create a fluid message in tune with current trends.  With all of these benefits, why has the financial industry been so slow to adopt social media?  Blame it on the disconnect between static regulations and innovative technology.

Compliance Issues In Social Media

The rules of compliance haven’t directly changed due to the advent of social media. However, the facts have changed, impacting the application of the rules. The underlying risk to your institution stems from the nature of how social media impacts the delivery and retention of information in addition to the ever-present privacy concerns.

Information Delivery

Deceptive Advertisements: The Federal Trade Commission (FTC) has long been the guardian of the consumer in the advertising arena. The rules are seemingly simple – advertisements have to be truthful and not deceptive. Easy enough, right? What if I told you that an employee blog that you may or may not know about could be considered an endorsement under the FTC Act if the employee is touting one of your institution’s products or services? In this instance, the blog post in question would have to be entirely truthful, and the employee would be required to disclose his or her relationship with your institution regardless of whether your institution is aware of, or has authorized, the message. (See the FTC’s Revised Guidelines concerning the use of endorsements and testimonials in advertising.) This is just one among countless examples of these types of rules, present at the state and federal level.

Advertising Disclosures: What about microblogging ( i.e., the 140 character tweet)? If an interest rate for a consumer loan product is quoted, how can all of the accompanying disclosures required under state and federal law possibly fit? Crafting the message in light of the limitations of the medium is a critical factor in an institution’s ability to comply with the rules. 

Federal Securities Laws and Blue-Sky Laws: For publicly-traded companies, regulators have begun to address social media in the context of securities laws. Forward-looking statements regarding company performance are a delicate issue, even after thorough vetting by legal counsel. Employers will be liable for the statements of their employees, authorized or not.

Information Retention

Your institution already employs some level of technology to assist you in the collection and retention of certain types of information. This may be in the context of advertising retention rules per state law or e-discovery rules under the Federal Rules of Civil Procedure. Additional retention and reporting requirements come into play under the Sarbanes-Oxley Act, USA PATRIOT Act and other related laws. By its nature, social media is harder to capture and catalogue for later recall. However, technology providers have emerged that focus specifically on this type of media. 

Privacy and Security

Some companies use social media sites for customer support. This use requires special attention, especially in an industry as heavily regulated as banking. Institutions must ensure that any use of social media avoids conflict with existing privacy laws and internal security policies. In addition, regulators are growing increasingly concerned about information technology risks and have adopted compliance guidance.

Suggestions for Conquering Your Institution’s Social Media Fears

Demonstrating that you are cognizant of the risks associated with social media and addressing those risks with thoughtful and effective policies and procedures is just as important as the end-result. Here are a few suggestions:

Dedicate significant time and resources to developing current policies and procedures regarding social media. A number of stakeholders will be critical to this process, and they should start by analyzing known risks. The results are highly dependent on your institution’s risk profile, and the process should be thoroughly documented. Show your work. Regulators will want to know that you take these policies seriously and have acted with a sufficient amount of diligence and caution. Make sure your social media policies and procedures are effectively communicated to your employees. Address violations of social media policy swiftly and decisively.

Monitor for compliance and protect your institution’s brand. The social aspect of social media creates the possibility that some users will have less than stellar things to say about your institution. Treat those situations as a customer service teaching moment and a way to gain feedback about your institution. In addition, to the extent that you have protected trademarks or servicemarks, develop guidelines for employees with communication privileges so that they can adequately protect those marks in the public arena.

Consider using third parties to assist you. There are a number of technology companies available to assist you in message search and monitoring, access management and archival solutions. Reach out to those companies. At the very least, you may get some ideas on areas of focus for your policies and procedures. At best, you’ll find a competent vendor partner to automate what would otherwise be a laborious process.

Go slow. Total institutional immersion into social media doesn’t have to happen overnight. Take the time to create a culture that embraces the effective use of social media and the related compliance components. Consider slowly adding mediums and employees into the fold after adequate training and guidance.

Vendor Management

In a recent interview, Donald Saxinger, senior examination specialist at the FDIC, suggested that social media providers would have to be treated as vendors for purposes of the FDIC’s Guidance for Managing Third-Party Risk (FIL 44-2008). In addition, he suggested that social networking sites could be considered to be the type of vendors that banks must report to the FDIC under the Bank Service Company Act (BSCA) within 30 days after the relationship begins (12 U.S.C. § 1867(c)).

The basic premise of third-party risk management is that the board of directors and senior management are ultimately responsible for the activities conducted by third parties on behalf of the bank to the same extent that they would be if the activity were handled within the institution. The majority of the guidance from the FDIC pertains to “significant third-party relationships”; however, institutions should consider following this guidance for all social media vendors. Until there is more guidance available pertaining specifically to social media vendors, those companies should be treated as any other vendor would be. This means completing a risk assessment of the outsourced activity, performing due diligence in selecting a third party, structuring and reviewing the contract, and maintaining ongoing oversight of the relationship.

The BSCA requires institutions to use the FDIC form titled Notification of Performance of Bank Services to report all vendors performing “Bank Services” as defined in 12 U.S.C. § 1863. Institutions should consult with their legal counsel as to what social media vendors fall under this category for reporting purposes. This question could be difficult until further formal guidance is issued.

Two things are certain with social media – it’s inevitable and ever-changing. Some of these same discussions took place with the adoption of email usage. Just read the disclaimers at the bottom of your last email exchange. Caution and innovation don’t often mix, but your institution can make the best of both worlds with a little time and effort.

Role of the Audit Committee: Managing the Director of Internal Audit

Executive Summary

Managing internal audit is one of the most critical functions of the audit committee. The audit committee not only oversees the internal audit function of an organization, but often recruits and hires the director of internal audit, who reports directly to the audit committee. The committee must take care to ensure the audit function’s independence from management and make decisions about how to handle whistleblower complaints and internal investigations. A best practice is to have an executive session during every audit committee meeting to allow the director of internal audit to discuss issues privately with the committee. The audit committee chairman also should have a trusting relationship with the director of internal audit that is based on open communication.

The Importance of Independence from Management

The director of internal audit must have free and open access to the board-level audit committee in order to ensure that he/she has total independence and the freedom to take whatever steps are deemed appropriate to investigate audit matters.  Accordingly, the director of internal audit (DIA) reports directly to the audit committee, which is generally represented by the chairman. In fact, it works best when the audit committee assumes responsibility for recruiting and hiring the DIA.  While bank management (via its human resources department) might assist in such matters, it is the audit committee that oversees the process and makes the hiring decision.

Because the audit committee chairman is not on-site on a regular basis, the DIA often reports administratively (represented by a dotted line on the organizational chart) to an executive level bank manager.  This might be the chief risk officer, the chief financial officer, the president, or the chief executive officer.  The level at which the DIA reports administratively can be reflective of the organization’s tone regarding the importance of the internal audit function and of protecting its independence.  It is often therefore recommended that the DIA report administratively to the CEO unless there is strong justification for doing otherwise. This administrative oversight might include matters such as approving vacation absences and coordination of other, internal management functions.  This management-led administrative oversight does not, however, extend to the performance of internal audit duties. 

In the event bank management has an issue with or concern about the performance of the DIA, management should communicate such issues and concerns directly to the audit committee chairman.  For example, if management observes that the DIA is not effectively managing his or her staff or that the manner in which audits are being conducted is overly confrontational and/or ineffective, management would discuss such matters with the audit committee chairman (and not with the DIA directly).  The audit committee then has direct responsibility for investigating and discussing such matters with the DIA. 

Management must take care to respect the DIA’s independence and not take any actions that might impair the DIA’s independent judgment.  It is the audit committee’s duty to ensure this.

The DIA and the audit department staff work very closely with the audit committee, often functioning as the committee’s staff.  It should be noted that this role is unchanged when some or all of the internal audit functions are out-sourced to private vendors.  In such event, the DIA still reports to the audit committee and he/she supervises the vendors.  The audit committee is responsible for reviewing and approving all outsourced audit vendor engagements.

Now let’s talk about how this works in real life.

How to Handle Audit Meetings

Who is generally invited/present at audit committee meetings?  And how might the presence of senior level bank management impact the DIA’s independence or opportunity to speak freely to members of the audit committee?  How should the audit committee handle concerns raised by the DIA or by bank management?

Different boards function differently. There is no carved-in-granite rule about who should be invited to attend audit committee meetings. Often the CFO, the CEO, the chief risk officer, the chief credit officer, and/or representatives from the external audit firm are in attendance at audit committee meetings. Some banks invite management representatives from the areas that have been audited to attend the meeting when that audit is being reviewed. Who attends is not important, but it’s important to make sure that whoever is in attendance does not interfere with the DIA’s independence. To ensure that the DIA has free and open communication with the committee, the audit committee chairman should schedule an executive session at the end of each audit committee meeting. Do not wait until the end of the meeting to ask if there is anything that the DIA would like to discuss in executive session. Instead, schedule an executive session as part of the agenda for every single meeting. If there is nothing to discuss, the executive session will simply adjourn. An executive session can take place in multiple parts. First, all bank management is excused and the DIA is invited to stay with the committee. Once everyone but the DIA has been excused, the committee chairman should ask the DIA to discuss any concerns he or she has. The audit committee chairman might ask the DIA to confirm that staffing is adequate (to ensure that budgetary limitations are not resulting in inadequate staffing), or whether bank management is appropriately responding to and following up on all audit matters.

In the event that the DIA comes forward with a concern of such nature, the audit committee is then responsible for addressing those concerns and for giving direction to management.  The audit committee must do so in a constructive manner, so that it does not reflect negatively on the DIA.

For example, let’s say that the DIA does not feel that he or she has adequate staff.  The committee’s minutes might reflect that a discussion took place about the number of audit hours that are required to adequately address the bank’s internal audit schedule, and the committee concluded that the current staffing level is not adequate.  The committee, therefore, recommends either the addition of another member to the internal audit team, or that the DIA engage an external vendor to perform portions of the internal audit work.  Addressing it in that manner makes it the committee’s recommendation.

Similarly, if there are a number of open audit findings – matters that have been open for some time – and the DIA does not feel that management is taking appropriate steps to resolve them, the DIA might bring that to the committee. The committee’s minutes could reflect that a discussion took place about the large number of audit matters that appear to have been open for too long a period of time, and that the committee will discuss such concerns with the president or CEO to ensure that they are being given appropriate attention by the responsible manager. Again, addressing it in that manner makes it the committee’s recommendation.

Whistleblower Issues

Whistleblower issues are generally directed to the audit committee chairman and/or to the director of internal audit.  When the audit committee chairman receives notice of a perceived whistleblower issue, the audit committee chairman should immediately contact the director of internal audit so that the two of them can discuss and determine how best to investigate the matter.  Whistleblower matters require confidentiality and trust.  When requested, care must be taken to protect and ensure the anonymity of the reporting party.  When deemed appropriate, the DIA and audit committee chairman may engage external, third-party professionals to help investigate whistleblower matters.

Performance Problems – Performance Evaluation

The audit committee, generally via its chairman, completes the formal performance evaluation of the director of internal audit.  The audit committee chairman may solicit input from other bank management and from other committee members, as appropriate.  While the bank executive manager who supervises the DIA for administrative purposes participates in this process, it is the audit committee chairman who takes the lead.  This confirms that the DIA reports directly to the audit committee.


The relationship between the director of internal audit and the chairman of the audit committee should be one of openness and trust. These two individuals, both tasked with the independent oversight of internal audit matters, must be free to communicate with one another, and they must trust one another to protect the confidentiality of such communications at all times.

CRA Comes to Life

Executive Summary

The Community Reinvestment Act (CRA) requires that every insured depository institution meet the credit needs of its entire community. It also requires the periodic evaluation of depository institutions’ records in helping meet the credit needs of their communities. Proactively monitoring CRA performance is important for several reasons. The record is taken into account when considering an institution’s application for deposit facilities, meaning it will directly impact any contemplated acquisitions and/or branch openings. Additionally, the record will be regularly examined by the federal agencies that are responsible for supervising depository institutions, and a rating will be assigned. Since the results of the exam and the rating are available to the public—customers, competitors and community groups—an institution’s CRA performance can impact its reputation. Banks must understand the characteristics of their assessment area and regularly monitor their performance to ensure equal extension of credit throughout their entire customer base.

This paper will explain the purpose and requirements of CRA and how as a board member, you can provide oversight regarding your institution’s CRA obligation.

Compliance Burden Grows Heavier

The Grant Thornton LLP Bank Executive Survey polled nearly 400 bank CEOs and CFOs in April and May about the economy and regulatory reform’s impact. Nichole Jordan, Grant Thornton’s national banking and securities industry leader, talks about some of the highlights, and offers some insights on the new compliance burden.

What did you find particularly significant about the survey’s findings?

Thirty-nine percent of respondents indicated they thought the Dodd-Frank Act would be effective or somewhat effective in preventing or reducing the threat of a future taxpayer-funded bailout.  As we take a look at Dodd-Frank one year later, we’ve been evaluating some of the more positive benefits: having compensation linked more closely to long-term performance with a focus on reducing riskier behavior and having more data transparency with a greater focus on risk management and an emphasis on a culture of compliance.  In addition, living wills create a formal structure that will benefit both those within and outside of the systemically important institution.

What did you think of the more stringent capital requirements in Dodd-Frank?

Internally within an institution, those are heavy demands to meet and it certainly limits growth in certain aspects.  However, the perception externally and in the marketplace is that having increased capital requirements is very important in this environment, especially with what we’ve seen over the last 18 months.

It certainly would seem to put more pressure on management teams.

We are seeing management teams making a shift in focus as they look at how to increase margins and overall, how to improve profitability in the institutions. We’re seeing an emphasis on trying to increase growth, but at the same time, recognizing the challenges associated with that in the current environment. Efficiency initiatives are increasing as well in banks from the standpoint of striving to develop efficiency enhancements into various processes and ensure internal controls are properly in place.

Where do you see the greatest potential for efficiency gains?

There has been a lot of success within certain institutions as they evaluate the centralization of various processes handled in multiple locations.  One example to look at from an accounting standpoint: If there are several individuals at multiple locations handling accounting for a particular branch or the reporting structure at various branches, you could centralize that process, not to reduce headcount, but to centralize by region or even at the headquarters location.

In the survey, there was a nearly unanimous agreement that the regulatory burden is the top concern and yet, half feel it won’t be effective at all in preventing the next crisis.

How do you react to that?

It’s difficult for any law to fully reduce the risk of the failures. Dodd-Frank would likely mitigate the risk scenario that we have just experienced, so if the pattern stays the same from what we have had over the past couple of years, Dodd-Frank would have a significant impact in reducing the risk of economic failure.  The likelihood of that same pattern occurring is relatively small, but do I think it will reduce risk? Yes.

What should the banks be doing from a compliance standpoint right now to get ready for Dodd-Frank?

One best practice would be to fully evaluate the impact and develop a timeline and an action plan that will address some of the key areas.  As we have seen, in today’s climate, an enterprise risk management process, a risk management committee and a chief risk officer are the new normal.

How should management decide whether to invest internal resources to handle the increased compliance burden or engage third parties?

Because everything is so new, it lends itself more toward being outsourced and hiring individuals who live and breathe this every day and can share that knowledge gained from serving a variety of institutions.  In future years, the inside management team can then lead the maintenance and compliance effort after the complexities of the implementation phase have been addressed.

The Internal Auditor’s Role in Regulatory Compliance

The compliance audit, like other audit activities, is intended to provide feedback to management and the audit committee about the control environment, ongoing compliance and conditions for potential risk. The compliance audit should evaluate the effectiveness of the compliance management program, including policies and procedures, training, monitoring and consumer complaint response. A financial institution’s audit committee should determine the scope of an audit and the frequency with which audits are conducted.

This topic is often a key component of regulatory compliance examination feedback, particularly when specific regulatory violations have occurred. We see examiners questioning institutions about their overall compliance program management and digging into the elements of policies and procedures, training, quality control assessment and the like. Overlying compliance program management is the role of internal audit. What was internal audit’s assessment of the institution’s compliance with individual regulations, and of the program overall?

Elements of a Compliance Management Program

Regulatory guidance and best practices have helped define which elements are necessary to help an organization mitigate risks associated with compliance.

Typically, the basic elements include:

  1. Designation of a compliance officer
  2. Policies
  3. Procedures (internal processes and controls)
  4. Regulatory change management
  5. Training
  6. Quality control (monitoring)
  7. Consumer complaint response process
  8. Audit

Historically, compliance has been viewed as an organizational stepchild rather than an essential core function of an organization. Integrating the compliance function into the culture of the business empowers those responsible for compliance with a framework to fulfill their mission. Successful integration encompasses shared communication and education about compliance-related responsibilities, which helps employees at all levels to understand their responsibilities.

The two elements of assessing the overall effectiveness of a compliance program are quality control and audit. Let’s expand more on those components.

The end goal of a quality control function is to monitor how well departmental policies and procedures are being executed. Ultimately, the function should be risk-based, focusing the most resources on the areas of greatest risk. An effectively designed quality control program has an employee, such as a supervisor or another employee independent of the originator of the activity, review an ongoing risk-based sample of the work performed in an applicable area. A quality control program should be designed to assess certain areas based on the residual risk exposure of non-compliance.

Completed quality control reviews should be aggregated and reported to the compliance officer for review. The compliance officer should assess applicable areas for overall effectiveness to identify any increasing trends within departments. This oversight allows management to allocate resources on a risk-based, quantifiable basis.

Finally, the compliance officer should provide a consolidated report to the board of directors or designated compliance committee for final oversight. The consolidated report should provide a broad overview of the organization’s compliance posture so the board can continue to provide big-picture, strategic direction.
The compliance audit provides for an independent assessment of departmental policies and procedures as well as a review of compliance with rules and regulations. Like the quality control program, the compliance audit should be risk-based. Determining where to focus audit resources should be based on an initial risk assessment that considers various information, including (but not limited to) examination findings, changes to the regulatory landscape, errors or violations, problems in the past, employee turnover in the compliance department or line of business and results of the quality control reviews. The results of the risk assessment determine the scope of the coverage and testing of the compliance audit.

The compliance audit results should be provided in formal, detailed reports that outline findings and management’s action plan to resolve each finding. These audits should be conducted by an individual independent of the compliance management function and reported in the same format, manner, and protocol as the organization’s overall audit function. Audits of the compliance function should be conducted less frequently than the quality control program; the timing of the audits can be on a rotational basis and supported by the results of the risk assessment process.

It should be noted that the compliance audit scope can and should cover all of the elements of the compliance management program, including training and quality control, and not be limited to detailed testing of compliance with regulations. The resulting audit reports should be presented directly to the audit committee, and all findings should be tracked for resolution.

Compliance Across the Board

The current regulatory environment requires a new business model for compliance that stretches to all facets of an organization. The role of internal audit can enhance the success of a compliance management program by providing informative feedback that enhances the program’s effectiveness and sustainability.

Building a Better Bank Through Sound Risk Management

ICS Compliance has one mission, which is to help the banking and financial services industry manage its risk in today’s challenging and rapidly changing environment. The 14-year-old firm, which is headquartered in New York and has offices in 17 cities across the United States, employs more than 150 risk management experts whose specialties include compliance, internal audit, and credit risk management. Recently, Bank Director spoke with CEO John F. White about the importance of having a strong risk management program, and how it benefits the bank.

What are the most pressing regulatory concerns today?

Whenever you have the kinds of problems in the industry that we’ve had over the last couple of years, Washington wants to regulate with a strong hand, just like the Sarbanes-Oxley Act nine years ago. So the most pressing regulatory concern is that banks maintain a comprehensive risk management program in accordance with the CAMELS Ratings (Capital adequacy, Asset quality, Management, Earnings, Liquidity, and Sensitivity to market). Strong risk management, which includes compliance, internal audit, and credit review programs, will help banks get high ratings in these areas, which in turn will help them maintain a high level of profitability.

What should banks be doing now in terms of risk management?

Banks must implement a comprehensive risk management program, consisting of a compliance program that includes BSA/AML and manages all of the evolving regulatory rules and regulations; an internal audit program that evaluates the effectiveness of the control environment; and a credit review program that monitors asset quality and assures that all loans are being reviewed and rated properly in a timely manner. If a bank has a strong risk management program in place it’s not only less likely to be criticized, but it’s also going to achieve higher earnings and stronger capital.

As the industry’s regulatory burden increases, what’s the key to having an effective compliance program?

It’s crucial that management and the board keep themselves up to date on all the new regulatory requirements and that they allocate the necessary resources to managing compliance risk. You have to have experienced people who understand compliance and BSA/AML. You need to have the right systems and processes in place so that you’re getting all the information you need to manage the risk properly. Regulatory compliance can be especially challenging for small banks that can’t afford to build the necessary infrastructure to manage compliance risk effectively. But they can still accomplish that without making a costly investment by partnering with the support of a qualified vendor that understands the rules and regulations and knows how to establish a strong risk management program. The regulators are very comfortable with this approach. They are less concerned about how it gets done than with the fact that it is getting done.

What is the board’s role from a governance perspective when it comes to risk management?

The board is not responsible for day-to-day management of the bank, but it is responsible for oversight and protecting the interests of the shareholders. The bank has to have written compliance, internal audit, and credit review programs in place; the board has to approve them. The board also has to make sure that the bank has qualified compliance, audit, and credit review officers in place, and if the bank isn’t going to manage all facets of the program itself, the board has to ensure that a qualified vendor has been selected to work closely with the officers. Finally, the board must ensure that appropriate and timely corrective actions are being taken in response to regulatory examinations and audit findings.