Compliance Burden Grows Heavier


The Grant Thornton LLP Bank Executive Survey polled nearly 400 bank CEOs and CFOs in April and May about the economy and regulatory reform’s impact. Nichole Jordan, Grant Thornton’s national banking and securities industry leader, talks about some of the highlights, and offers some insights on the new compliance burden.

What did you find particularly significant about the survey’s findings?

Thirty-nine percent of respondents indicated they thought the Dodd-Frank Act would be effective or somewhat effective in preventing or reducing the threat of a future taxpayer-funded bailout.  As we take a look at Dodd-Frank one year later, we’ve been evaluating some of the more positive benefits: having compensation linked more closely to long-term performance with a focus on reducing riskier behavior and having more data transparency with a greater focus on risk management and an emphasis on a culture of compliance.  In addition, living wills create a formal structure that will benefit both those within and outside of the systemically important institution.

What did you think of the more stringent capital requirements in Dodd-Frank?

Internally within an institution, those are heavy demands to meet and it certainly limits growth in certain aspects.  However, the perception externally and in the marketplace is that having increased capital requirements is very important in this environment, especially with what we’ve seen over the last 18 months.

It certainly would seem to put more pressure on management teams.

We are seeing management teams making a shift in focus as they look at how to increase margins and overall, how to improve profitability in the institutions. We’re seeing an emphasis on trying to increase growth, but at the same time, recognizing the challenges associated with that in the current environment. Efficiency initiatives are increasing as well in banks from the standpoint of striving to develop efficiency enhancements into various processes and ensure internal controls are properly in place.

Where do you see the greatest potential for efficiency gains?

There has been a lot of success within certain institutions as they evaluate the centralization of various processes handled in multiple locations. One example to look at from an accounting standpoint: If there are several individuals at multiple locations handling accounting for a particular branch or the reporting structure at various branches, you could centralize that process, not to reduce headcount, but to centralize by region or even at the headquarters location.

In the survey, there was nearly unanimous agreement that the regulatory burden is the top concern, and yet half feel it won’t be effective at all in preventing the next crisis. How do you react to that?

It’s difficult for any law to fully reduce the risk of the failures. Dodd-Frank would likely mitigate the risk scenario that we have just experienced, so if the pattern stays the same from what we have had over the past couple of years, Dodd-Frank would have a significant impact in reducing the risk of economic failure.  The likelihood of that same pattern occurring is relatively small, but do I think it will reduce risk? Yes.

What should the banks be doing from a compliance standpoint right now to get ready for Dodd-Frank?

One best practice would be to fully evaluate the impact and develop a timeline and an action plan that will address some of the key areas.  As we have seen, in today’s climate, an enterprise risk management process, a risk management committee and a chief risk officer are the new normal.

How should management decide whether to invest internal resources to handle the increased compliance burden or engage third parties?

Because everything is so new, it lends itself more toward being outsourced and hiring individuals who live and breathe this every day and can share that knowledge gained from serving a variety of institutions.  In future years, the inside management team can then lead the maintenance and compliance effort after the complexities of the implementation phase have been addressed.

The Internal Auditor’s Role in Regulatory Compliance


The compliance audit, like other audit activities, is intended to provide feedback to management and the audit committee about the control environment, ongoing compliance and conditions for potential risk. The compliance audit should evaluate the effectiveness of the compliance management program, including policies and procedures, training, monitoring and consumer complaint response. A financial institution’s audit committee should determine the scope of an audit and the frequency with which audits are conducted.

This topic is often a key component of regulatory compliance examination feedback, particularly when specific regulatory violations have occurred. We see examiners questioning institutions about their overall compliance program management and digging into the elements of policies and procedures, training, quality control assessment and the like. Overlying compliance program management is the role of internal audit. What was internal audit’s assessment of the institution’s compliance with individual regulations, and of the program overall?

Elements of a Compliance Management Program

Regulatory guidance and best practices have helped define which elements are necessary to help an organization mitigate risks associated with compliance.

Typically, the basic elements include:

  1. Designation of a compliance officer
  2. Policies
  3. Procedures (internal processes and controls)
  4. Regulatory change management
  5. Training
  6. Quality control (monitoring)
  7. Consumer complaint response process
  8. Audit

Historically, compliance has been viewed as an organizational stepchild rather than an essential core function of an organization. Integrating the compliance function into the culture of the business empowers those responsible for compliance with a framework to fulfill their mission. Successful integration encompasses shared communication and education about compliance-related responsibilities, which helps employees at all levels to understand their responsibilities.

The two elements of assessing the overall effectiveness of a compliance program are quality control and audit. Let’s expand more on those components.

1. QUALITY CONTROL

The end goal of a quality control function is to monitor how well departmental policies and procedures are being executed. Ultimately, the function should be risk-based, focusing the most resources on the areas of greatest risk. An effectively designed quality control program has an employee, such as a supervisor or other employee independent of the originator of the activity, review an ongoing risk-based sample of the work performed in an applicable area. A quality control program should be designed to assess certain areas based on the residual risk exposure of non-compliance.

Completed quality control reviews should be aggregated and reported to the compliance officer for review. The compliance officer should assess applicable areas for overall effectiveness to identify any increasing trends within departments. This oversight allows management to allocate resources on a risk-based, quantifiable basis.

Finally, the compliance officer should provide a consolidated report to the board of directors or designated compliance committee for final oversight. The consolidated report should provide a broad overview of the organization’s compliance posture so the board can continue to provide big-picture, strategic direction.

2. COMPLIANCE AUDIT

The compliance audit provides for an independent assessment of departmental policies and procedures as well as a review of compliance with rules and regulations. Like the quality control program, the compliance audit should be risk-based. Determining where to focus audit resources should be based on an initial risk assessment that considers various information, including (but not limited to) examination findings, changes to the regulatory landscape, errors or violations, problems in the past, employee turnover in the compliance department or line of business and results of the quality control reviews. The results of the risk assessment determine the scope of the coverage and testing of the compliance audit.

The compliance audit results should be provided in formal, detailed reports that outline findings and management’s action plan to resolve each finding. These audits should be conducted by an individual independent of the compliance management function and reported in the same format, manner, and protocol as the organization’s overall audit function. Audits of the compliance function should be conducted less frequently than the quality control program; timing of the audits can be on a rotational basis and supported by the results of the risk assessment process.

It should be noted that the compliance audit scope can and should cover all of the elements of the compliance management program, including training and quality control, and not be limited to detailed testing of compliance with regulations. The resulting audit reports should be presented directly to the audit committee, and all findings should be tracked for resolution.

Compliance Across the Board

The current regulatory environment requires a new business model for compliance that stretches to all facets of an organization. The role of internal audit can enhance the success of a compliance management program by providing informative feedback that enhances the program’s effectiveness and sustainability.

Building a Better Bank Through Sound Risk Management


ICS Compliance has one mission, which is to help the banking and financial services industry manage its risk in today’s challenging and rapidly changing environment. The 14-year-old firm, which is headquartered in New York and has offices in 17 cities across the United States, employs more than 150 risk management experts whose specialties include compliance, internal audit, and credit risk management. Recently, Bank Director spoke with CEO John F. White about the importance of having a strong risk management program, and how it benefits the bank.

What are the most pressing regulatory concerns today?

Whenever you have the kinds of problems in the industry that we’ve had over the last couple of years, Washington wants to regulate with a strong hand, just like the Sarbanes-Oxley Act nine years ago. So the most pressing regulatory concern is that banks maintain a comprehensive risk management program in accordance with the CAMELS Ratings (Capital adequacy, Asset quality, Management, Earnings, Liquidity, and Sensitivity to market). Strong risk management, which includes compliance, internal audit, and credit review programs, will help banks get high ratings in these areas, which in turn will help them maintain a high level of profitability.

What should banks be doing now in terms of risk management?

Banks must implement a comprehensive risk management program, consisting of a compliance program that includes BSA/AML and manages all of the evolving regulatory rules and regulations; an internal audit program that evaluates the effectiveness of the control environment; and a credit review program that monitors asset quality and assures that all loans are being reviewed and rated properly in a timely manner. If a bank has a strong risk management program in place it’s not only less likely to be criticized, but it’s also going to achieve higher earnings and stronger capital.

As the industry’s regulatory burden increases, what’s the key to having an effective compliance program?

It’s crucial that management and the board keep themselves up to date on all the new regulatory requirements and that they allocate the necessary resources to managing compliance risk. You have to have experienced people who understand compliance and BSA/AML. You need to have the right systems and processes in place so that you’re getting all the information you need to manage the risk properly. Regulatory compliance can be especially challenging for small banks that can’t afford to build the necessary infrastructure to manage compliance risk effectively. But they can still accomplish that without making a costly investment by partnering with the support of a qualified vendor that understands the rules and regulations and knows how to establish a strong risk management program. The regulators are very comfortable with this approach. They are less concerned about how it gets done than with the fact that it is getting done.

What is the board’s role from a governance perspective when it comes to risk management?

The board is not responsible for day-to-day management of the bank, but it is responsible for oversight and protecting the interests of the shareholders. The bank has to have written compliance, internal audit, and credit review programs in place; the board has to approve them. The board also has to make sure that the bank has qualified compliance, audit, and credit review officers in place, and if the bank isn’t going to manage all facets of the program itself, the board has to ensure that a qualified vendor has been selected to work closely with the officers. Finally, the board must ensure that appropriate and timely corrective actions are being taken in response to regulatory examinations and audit findings.