Fifth Third CEO: We Have 335 People Working Full Time in Risk Management

6-18_5th3rd.pngThe $122-billion asset Fifth Third Bancorp learned the hard way that risk management is important.

“As recently as 2000, when we were a $40 billion bank, we operated with a limited degree of sophistication in enterprise risk,’’ said Kevin Kabat, Fifth Third’s CEO and vice chairman, speaking at Bank Director’s Bank Audit Committee Conference June 6 in Chicago. “I guess you could say we didn’t really even have such a function. We learned the hard way, early in the last decade, that we needed to do something about that.”

After regulators including the Federal Reserve Bank of Cleveland came down on the bank in March of 2003 and ordered a review of risk management and internal control practices, Cincinnati-based Fifth Third got to work.

“Looking now in the rear-view mirror, it was a watershed event for the bank,’’ said Kabat, who was president of the Michigan operation at the time, and was promoted to CEO in 2007.

Regulatory compliance moved into the enterprise risk function. Fifth Third started a risk and compliance committee of the board, appointed a chief risk officer who reported directly to the board and also gave each business unit its own risk officer. The bank created a full risk dashboard in 2004 that enabled senior management and the board to assess its risk profile in different areas, years before many other banks. The code of conduct was revised to build a risk culture among the bank’s more than 21,000 employees. By 2006, Internet fraud threats such as phishing were identified as emerging threats and comprehensive training for employees was developed to address them.

Fifth Third avoided exposure to subprime mortgages. It started to do stress tests of its balance sheet before the government required it for other big banks.

Although no banks walked unscathed through the financial crisis of 2007-2008, Fifth Third already had a risk team in place when the crisis hit and was able to take action early, suspending lending to homebuilders and cutting off home equity lines created by brokers. The bank cut its dividend by two-thirds, conserving $665 million of common equity, and it raised $3 billion in capital in 2008, making itself the last bank to raise trust preferred securities that year.

“To our knowledge, we were the first large institution in the United States to get in front of the crisis by announcing our internal stress test, including our expectation for 2009 losses, and a capital plan to meet it,’’ Kabat said.

The bank made it through the financial crisis well capitalized. However, it has been extremely costly to have such a huge risk management function. In 2003, maybe a dozen people worked in risk management for the bank. Now, about 335 people work full time in risk management, not counting the credit staff, or about 1.5 percent of the workforce.

For Kabat, such a function has been absolutely necessary. And it hasn’t diminished profitability.

Last year, Fifth Third had its second most profitable year in its 155-year history, with profits of $1.5 billion. Return on assets was 1.3 percent and return on average common equity was 11.6 percent.

“While deficiencies in a bank’s financial statements, or poor oversight of them, can create major problems, you are at as much risk, arguably greater, due to poor management of the enterprise risk function,’’ he said.

Meet Rising Compliance Costs with Untapped Internal Resources

5-29-13_Crowe_Post.pngAs almost everyone in the financial institution trenches knows, ever-expanding compliance requirements are taking a toll on banks of all sizes, and some banks are simply resigning themselves to the need to hire additional employees to help shoulder the burden. But many institutions might be able to avoid, or at least reduce, the associated costs by looking within for a solution.

The Federal Reserve Bank of Minneapolis has estimated the relative number of new employees that banks of different sizes might need to hire in response to the same regulatory requirement. It estimated that hiring one additional employee would reduce the return on assets by 23 basis points for the median bank in the group of smallest banks, those with total assets of $50 million or less. Such a decline could cause about 13 percent of the banks that size to go from profitable to unprofitable.

Banks with total assets between $500 million and $1 billion would have to hire three employees and would experience a decline of about 4 basis points in return on assets as a result, according to the Minneapolis Fed. Although very few banks in the larger group would go from being profitable to unprofitable as a result of the heightened regulatory burden, 4 basis points is still a significant reduction in return.

In response to complaints about the dramatic potential effect on “smaller” banks, regulators have indicated that certain new regulations might apply only to big banks or, alternatively, they might adopt a tiered approach. Even if the regulators do demonstrate some flexibility on how new regulations are applied, smaller banks still will need to meet a rising compliance burden for rules and regulations already in place.

In the past five months, for example, relatively small community banks have been hit with severe penalties for fair-lending violations. Three or four years ago, regulators wouldn’t have focused on such institutions, but fair-lending oversight has taken on a new dynamic, and now banks of every size are expected to have robust fair-lending programs. Similarly, oversight of unfair, deceptive or abusive acts or practices (UDAAP) has expanded to cover a much broader scope of activities in the past two years.

While certain sections of the recently implemented servicing amendments to the Real Estate Settlement Procedures Act (RESPA) and the Truth in Lending Act (otherwise known as Reg Z) apply only to banks that handle at least 5,000 mortgage applications a year, nearly every other aspect of these regulations treats all banks the same, regardless of size, and imposes the same fines for violations.

In short, regulators have raised their compliance expectations for every bank these days.

Look Inside First
The bottom line is that your bank, whatever its size, needs someone to be responsible for and well-versed in the regulatory requirements and also to manage the compliance program. Instead of going out and hiring an additional compliance subject-matter expert (SME) to complement your existing compliance manager, though, consider working from within your organization.

You might already have on staff individuals who are qualified to assist with tasks such as monitoring and testing, perhaps an experienced credit analyst, personal banker or loan originator who has shown a strong ability to learn and interest in a long-term career in the banking industry.

For example, you could “borrow” a credit analyst or someone else who is adept at using spreadsheet software and could spare five hours a month to run some spreadsheet sorts of loan application data—both real estate and consumer—for the compliance manager to use for a high-level fair-lending data analysis. Or a personal banker who has shown an understanding of the common deposit regulations could do occasional testing of check holds and error resolution with the appropriate testing spreadsheets.

Don’t limit your consideration to employees with college degrees in finance and accounting. After all, you would be hard-pressed to find compliance SMEs who took a Reg Z course during their college days, even if they majored in finance or accounting. That expertise accrues through real-life experience and continued education. Once you look, you’ll likely find that your front-line people harbor extensive knowledge waiting to be tapped.

Make It a Team Effort
With a strong management structure—including representation and a commitment from all lines of business and senior management—compliance can become a cost-efficient team effort built upon existing resources.

Ongoing monitoring can be conducted within each line of business, with the compliance department merely reviewing it to see that the trends aren’t of concern. Occasional loan data analyses can be conducted by someone outside the compliance department, with the compliance manager providing guidance to confirm the analyst understands the basic concepts of fair lending.

And monthly meetings can be held to recap compliance activities, be they forthcoming new rules, testing and monitoring results, new training requirements or similar topics, and those meeting minutes can be presented to the audit committee. Ultimately, compliance is a long-term commitment, and you might be able to meet your institution’s rising compliance requirements if you look for ways to leverage the talent and experience of your existing personnel.

Managing Social Media Risk: New Guidance From Regulators

2-20-13_Bryan_Cave.pngSocial media has become ubiquitous and many banks are wondering if they can survive without a trendy presence on Facebook, LinkedIn, Twitter, YouTube, and in the “blogosphere.” It is a bit of the Wild West out there though, with few rules in place to protect your message. Instead of yelling at the TV at home, a person can post a negative comment about your business for the world to see and, even if unfair and baseless, there may be little you can do about it. 

Financial institutions use social media in a variety of ways, including marketing, promotions, account applications, consumer feedback and communicating with new and existing customers. Since these communications occur in an informal and largely unsecured environment, it introduces new risks. If your bank is active in social media, or simply advertises consumer banking or other products through social media, new proposed guidance from the Federal Financial Institutions Examination Council (FFIEC) instructs your bank to adopt compliance policies and procedures governing these activities. Even if your financial institution is not active in social media, you need a process for responding to negative comments or complaints that surface through social media platforms.

This article briefly summarizes the proposed FFIEC guidance.

We encourage all interested banks to submit comments on this guidance by the deadline of March 25, 2013.

What are the compliance expectations for banks using social media?

On January 23, 2013, the FFIEC issued a request for comment on a proposed “Social Media: Consumer Compliance Risk Management Guidance.” The intent of the guidance is to help banks, thrifts and non-banks under the supervision of the Consumer Financial Protection Bureau identify, address, oversee and control risk from social media within their overall risk management program. 

What forms of social media are within the scope of the guidance?

The FFIEC considers social media to include forms of interactive online communication in which users generate and share content through the use of text, images, audio and/or video, including:

  • Micro-blogging sites (Facebook, Google Plus, MySpace and Twitter);
  • Forums, blogs, customer review web sites and bulletin boards (Yelp);
  • Photo and video sites (Flicker and YouTube);
  • Professional networking sites (LinkedIn)
  • Virtual worlds (Second Life); and
  • Social games (FarmVille and CityVille).

What should your social media compliance program include?

A financial institution should have a risk management program that allows it to identify, measure, monitor and control risks related to social media. The size of the program should relate to how active the bank is on social media. 

  • Governance structure: Should enable senior management to direct the use of social media to contribute to its strategic goals;
  • Policies and procedures: To monitor social media use and compliance within all applicable laws, including methodologies to manage risks from online activities such as postings, edits, replies and retention;
  • Due diligence process: For managing applicable third party vendor relationships;
  • Employee training: Program that incorporates policies for official, work-related use of social media, and potentially for other uses of social media, including listing prohibited activities;
  • Oversight process: For monitoring data posted to third party social media sites;
  • Audit and compliance: To ensure ongoing compliance; and
  • Reporting parameters: To evaluate the effectiveness of social media against defined goals.

What are the key areas of concern?

  • Compliance and legal risks: Banking and consumer laws must be followed, even in the social media space
    • Deposit/lending products
      1.  A lending advertisement mentioning APY or bonus has certain requirements under the Truth in Lending Act. A link to the full disclosures can be provided in social media.
      2.  A creditor must preserve prescreened solicitations made through social media, as required by the Equal Credit Opportunity Act Regulation B.
    • Bank Secrecy Act/Anti-Money Laundering
      An e-banking product offered or conducted through social media is subject to the BSA/AML policies that apply to all customers, products and services.
    • Payment systems
      If social media is used to facilitate a consumer’s payment transactions all laws, regulations and industry rules apply such as the Electronic Fund Transfer Act/Regulation E, UCC, the Expedidted Funds Availability Act Regulation CC and PCI DSS. 
    • Community Reinvestment Act (CRA
      If a depository institution is subject to the CRA and must maintain specific items in a public file, its policies and procedures should include monitoring social media sites.
    • Privacy
      1.  If social media is part of your customers’ online account opening or use experience, Title V of the Gramm-Leach Bliley Act will apply, which restricts use of personal information shared with third parties, and gives customers the option to opt out of the sharing of such information.
      2.  If a financial institution sends unsolicitied communications to consumers through social media (e.g., spam or SMS text message) the CAN-SPAM Act and the Telephone Consumer Protection Act may govern. 
  • Reputational risk
    • Fraud and brand identity
    • Privacy concerns: Policies and procedures must address risks from receipt, use and sharing of consumer information on a social media.
    • Consumer complaints and inquiries: The inherent nature of social media exposes a bank to reputation risks when users post critical or inaccurate statements.
    • Employee use of social media sites: An employee’s use of social media, even through a personal account, may appear to a customer as reflecting the bank’s official policies.
  • Operational risk
    • Use of information technology, including social media, requires identification, monitoring and management of risk of loss from inadequate or failed processes, people or systems.
    • The incident response protocol for a data breach or account takeover needs to address social media risk.

A Five-Pronged Approach to Dealing with the New Regulatory Landscape

bsns-maze.jpgWhen it comes to compliance, the first step in preparing for the year ahead is to look at the immediate past. Regulators now have higher expectations. There is very low tolerance, if any, for regulatory infractions. Banks face a high degree of pressure to keep residual risk in check while still conducting business profitably. There will likely be mistakes, but the mistakes must be kept to manageable ones that do not fundamentally affect consumer rights. Examinations are tougher. The supervisory focus is on fairness to consumers. Regulators scrutinize data for accuracy and meaning.

The consequences of noncompliance are severe.  In 2011 and 2012, we saw financial institutions reach settlements with the Consumer Financial Protection Bureau (CFPB), the Department of Justice, and the prudential bank regulators for violations of consumer protection and other laws in excess of $1 billion. Not only are the settlements larger than ever, but they include refunds to affected customers as well as penalties. Even more than in the past, the reputational damage from enforcement actions can take years to recover from.

The Year Ahead

The year 2013 will bring continued concern about the daunting challenges posed by regulatory change for U.S. financial institutions. Of the nearly 400 rules required by the Dodd-Frank Act, only about one-third have been finalized, and another third have yet to be proposed, according to Davis Polk & Wardell LLP.  The new requirements are likely to trickle out for years to come. They, along with the adjustments financial institutions must make to accommodate the newly-formed CFPB, will surely test the mettle of even the strongest companies and keep continued pressure on the bottom line. During the year ahead, this consumer-focused scrutiny will take the form of not only deeper and more probing examinations, but more expensive penalties for noncompliance. 

High Risk Areas with Increased Vulnerability

Indications are this trend of focusing on consumer risk will continue in 2013.  We will continue to see supervisory interest in a number of key areas, such as:

  • Fair and responsible products and services
  • Mortgage origination and servicing
  • Treatment of consumer complaints
  • Data integrity
  • Servicemembers Civil Relief Act issues
  • Lender compensation
  • Overdraft protection programs
  • Student lending
  • Reverse mortgage lending
  • Compliance management systems

Governance Guidance for 2013

Successfully navigating the consumer-focused scrutiny in 2013 will depend on whether your institution adopts an integrated, proactive approach to compliance risk management.  To get started, directors must set the tone. First, take responsibility and ownership of your bank’s risks. Know where your bank’s risks are. Understand what your data says about you—including consumer complaints. Wherever possible, control and prevent problems; be confident that you will know where the next problem will surface. And we can’t emphasize this point strongly enough: Manage risks on an integrated basis across the enterprise.

Five Prong Approach to Preparing for 2013

There are a number of actions institutions can take to prepare themselves for 2013 and the regulatory and supervisory deluge to come. We recommend a five-prong strategy for preparing your institution to successfully meet these challenges.

One: Compliance Culture.  Instill a culture that embraces a consumer-centric, principles-based regulatory model. 

Two: Compliance Management System.  Build an integrated system of compliance management with board oversight, a comprehensive program, complaint management, and compliance audit.  

Three: Risk Assessments. Assess risk to the institution as well as the impact of products and services on the consumer.

Four: Fair Lending Risk Assessments. Subject lending data to in-depth statistical analysis, and give products and practices intensified review.

Five: Enterprise Reporting.  Implement a system of compiling information across the risk spectrum on an integrated basis and reporting the right level of detail to the right audience.

Understanding risk is an essential component of any proactive program. When it comes to predicting what will happen in 2013, we can all reasonably expect today’s trends to continue into the foreseeable future. The best strategy is to proactively prepare.

Part III: Remediation – Compliance Lessons from the Construction Industry

tools.jpgFinding A Problem Is One Thing, Fixing It Is Another

Not long ago, I visited an institution we’ll call “Flub Financial.” Flub’s compliance team was knowledgeable and experienced. Their well-executed audit program employed savvy auditors whose comprehensive coverage allowed Flub to easily detect problems. So why did Flub find itself in a multi-million dollar enforcement action? The reason:  Flub kept applying the same practices that had created the problems in the first place.

Management did little to correct the underlying issues. Worse, Flub’s directors exercised even less oversight because they assumed management took care of problems after the board was informed of deficiencies. Simply put, Flub failed to apply our third lesson from the construction industry: Maintenance and repairs are essential to preserving value.

Just as contractors are responsible for a well-built house, directors are accountable for ensuring the compliance program’s sound foundation, and overseeing its ability to detect deficiencies. Moreover, directors must ensure corrective actions are taken when weaknesses occur. Similar to preserving a house, an institution’s success depends on whether corrective actions are taken immediately.

Examiners, much like building inspectors, want to see things working properly. Has prompt action been taken to correct weaknesses noted in routine monitoring as well as during examinations? Do records show how problems were addressed with evidence of corrections made? Good answers to these questions are crucial, because without a proven methodology,   deficiencies may turn into large cracks.

There are three main aspects to successfully implementing corrective action:

1. Specifying and assigning corrective steps,

2. Confirming the correction occurred, and

3.  Following-up at appropriate intervals to ensure the correction’s effectiveness.

Specifying the Steps

To identify and assign corrective steps, the board must determine who, what and how. Who will ensure correction happens? What oversight and work steps are needed and what is the deadline for the correction? How will the assignee apprise the board of their results and how will the board monitor whether the correction worked, or if problems still persist?

It’s essential for the board to assign correction actions to executives, who have the necessary accountability and proper authority, rather than to a department. For example, listing the lending department as responsible leaves it unclear as to who is accountable for doing the work and confirming it was completed. Avoid this mistake by listing specific job titles or individuals. The institution must be able to recreate the chain of events so the board can validate the process, and examiners can confirm that proper repairs were made.

Confirming the Correction

The responsible party should report to the board when the correction is complete. The board should have a regular and predictable interval for these reports with standard formatting. It’s a best practice to require that managers provide evidence of the correction—in other words—trust, but verify. The implementing manager should conduct preliminary validation of the correction, and demonstrate through actions and evidence that the problem is fixed. This action assures directors that management has resolved the issue, not just given it the appropriate lip service.

Follow-up Reviews

Follow-up reviews should be conducted by compliance personnel, after corrective measures are implemented, at the proper timing. Reviews shouldn’t happen too soon because the board won’t be able to tell if the fix stuck. Often, a corrective measure validated within days after its application will seem to work beautifully. This is either because it worked, or because the change is fresh in the minds of staff and they haven’t had time to backslide into old ways.

A minimum interval of 90 days before verifying corrections allows enough time to gather trend and analytical information, and to see whether corrections withstood the test of time. Beware, however, of waiting too long. Problems may persist if the fix wasn’t properly applied at the outset. Imagine waiting a year before reviewing your fix, only to find that the wrong corrective actions were taken.

To recap, avoid these red flags of poor corrective action:

  • Failure to set specific correction standards
  • Failure to designate a single party ultimately responsible
  • Failure to confirm issues are resolved
  • Failure to keep records so when examiners ask how and why certain things were done, the action can be reconstructed and proved

Bottom line, it is simply not enough to have strong policies and procedures, even with a strong audit program that detects weaknesses. It’s crucial to have an equally strong protocol for swift and precise corrective actions. Just like preventive maintenance protects your home, a strong compliance program protects your institution’s value for the long term.

Part II: The Inspection Process – Compliance Lessons from the Construction Industry

quality-guarantee.jpgIn the first article of this series I compared the optimal compliance program to a well-built house. You may recall that the construction of a house and a sound compliance program share three key elements: the blueprint, foundation and framework. In this installment, we’ll talk about two more elements that compliance and construction have in common: inspections and maintenance. For the staff involved, this work can be painful to endure, but altogether necessary.

Just like a home inspection, a banking inspection ensures the safety and soundness of the structure. An overlooked mistake can spell a failed inspection, or worse, a structural collapse—and perhaps liability. Even after a passed inspection, periodic maintenance is required. Prompt detection, and swift and thorough remediation of the problem areas, can halt concerns before they worsen, thereby protecting your institution.

So how do you know whether your institution is ready to pass inspection? How do you determine whether you’re conducting the proper periodic maintenance check-ups and routines to keep your compliance programs as effective as possible? The answer is simple: By exercising proper oversight of these programs at the board level. This oversight is carried out by reviewing the right reports with the right content at the right times. 

Boards of directors must ensure that they gather solid intelligence to carry out their fiduciary duties and make informed decisions. One way to do this is to demand high quality reports at predictable intervals. Reports that are flawed or delivered too infrequently may conceal weaknesses that should be addressed. Reports should occur at three basic intervals:  monthly, quarterly, and annually.

Monthly Report

Monthly reports should focus on tactical execution, delivering performance data and metrics. These reports, typically delivered by the compliance team, should cover frontline activity and demonstrate whether the day-to-day work of compliance is being done on time and accurately. Monthly reporting should shine a bright light where weaknesses may exist, and should state the measures being taken to remedy the deficiencies. 

Quarterly Report

Quarterly reports should focus on trends and analytics that demonstrate whether risk exposures are increasing or decreasing. The quarterly report gives insight into how the compliance program is functioning over time. This report should contain information about regulatory trends, upcoming or changing rules and should consider the environmental and operating conditions that could affect the institution’s progress and performance.

These reports should also summarize the results of compliance monitoring activities that occurred during the quarter and which activities are planned in the quarter ahead. This data allows directors to conclude what, if any, internal events or changes will influence the institution. In general, these reports show the up-to-the-minute state of preparedness for exams and audits.

Annual Report

Finally, annual activities such as audits or reviews generate reports on the program’s effectiveness. This annual look-back reflects how well the institution kept its risk exposures to acceptable levels. These types of reports often opine on the overall capabilities of the executive team and compliance management group in carrying out their responsibilities. These reports take an independent look at the program to gauge its effectiveness, efficiency and performance over a historical period.  

Indicators of Poor Reporting

Good intentions can nonetheless produce bad results if the content of reports is inadequate.  When reviewing your institution’s reports, keep in mind these signs of flawed reporting:

  • Reports that are too long or too detailed. Key points cannot be extracted when the volume of information presented obscures the meaning. 
  • Reports that state only facts but provide no evaluative statements. The board needs to understand whether the data being presented is positive or negative.
  • Reports that fail to identify the root causes of weaknesses. Failure to identify the root cause delays implementing corrections. 
  • Reports that identify the root causes of deficiencies, but do not suggest appropriate corrective action. Solutions should be offered in reports. 
  • Reports that only emphasize weaknesses and ignore strengths. Focusing only on the negatives may inappropriately exaggerate the scope or materiality of an identified problem. 
  • Reports that do not reflect the materiality or severity of an issue. Treating every issue uniformly is a sign that perspective may be lacking.

Financial institution boards have a tough assignment: Overseeing the construction of a stable structure that can withstand not only regulatory scrutiny, but the storms of changing economic and regulatory conditions. Maintaining this structure after it’s built is equally daunting. It requires vigilance toward the review and interpretation of quality data, and applying that information to managing risks in an ever-changing climate. Proper reporting ensures proper maintenance of the compliance program, and a well-maintained program that can be clearly articulated to examiners is the key to passing future inspections. 

But, what if, during the inspection process, you realize that something has gone wrong? In the next article of this series I will go over the corrective steps and actions the board should take to repair the compliance program. 

With the New Focus on the Consumer, the Buck Stops (And Starts) with the Board

stop-start.jpgForward-thinking financial institutions are future-proofing their risk and compliance programs. They are detecting tracking and understanding not only emerging issues, trends and regulatory requirements, but also the next big areas of potential vulnerability. We are hearing from our bank clients that regulatory risk is at the top of the list. While bank directors do not need to be technical compliance experts, they do need to actively oversee compliance management and have an understanding of the changes coming.

Board members can play a central role in the process of re-focusing compliance on what’s important to regulators, and a key trend is a new focus on “fairness” or “impact” to the consumer.  This concept is being led by the Consumer Financial Protection Bureau (CFPB), but quickly accepted by the other agencies. On September 25th the Federal Deposit Insurance Corp. (FDIC) released FIL-41-2012 which “reorients” the consumer examination score to be “based primarily on the impact to consumers.” During regulatory examinations, regulators will evaluate the board’s involvement (or lack thereof) in ensuring that programs are properly articulated and followed.

The Role of the CFPB

The Consumer Financial Protection Bureau has tremendous supervisory and enforcement authority and is already changing the mindset for what compliance means. The CFPB, which examines banks above $10 billion in assets, wants institutions to develop a “culture of compliance,” that focuses more on the risk to the consumer than the potential fines or violations a bank may receive if a violation is found. With the changes in the Dodd-Frank Act to the definition of Unfair, Deceptive, or Abusive Practices (UDAAP), which is now under the domain of the CFPB and applies to all banks and thrifts, it isn’t enough for financial institutions to simply meet regulatory requirements. Now, the way banks relate to customers is important. This dramatically changes the role and responsibilities of not just the compliance department, but of everyone within the bank. In addition, although CFPB is leading this effort, the new FDIC change highlights the need for institutions of all sizes to pay attention to this shift.

There is hope, however, for banks willing to be proactive in addressing the consumer-centric approach.

Culture Change

To be successful, the board needs to embrace an integrated approach to compliance risk management that reflects a consumer-centric viewpoint. This consumer centric approach should be so woven into your business that your employees do not think of it as compliance—instead they look at it as fundamental to their jobs.  This culture needs to promote proactive and forward thinking. In a culture of compliance, the consumer is not the province of a single department, but rather the responsibility of the entire organization.

Compliance Management System

Expect Change. Your compliance program needs to adjust to address the four interdependent parts of the CFPB’s compliance management system, including board and management oversight, compliance program, compliance audit and the enterprise approach to responding and analyzing consumer complaints. The complaint management system may need to be revamped to ensure that management is utilizing the consumer complaint data to understand how products and services impact consumers. In addition to the standard complaint resolution process, your institution will need to ensure they are capturing both written and verbal complaints at all consumer touch points, feeding them into a system that allows for trending analysis, and ultimately changes in processes, supports, controls, and or products.  Don’t forget that your program needs to hold your partners and vendors to the same standards that you hold your own business to.

Consumer Risk Assessments

The first thing the CFPB will do is conduct a compliance risk assessment that evaluates the risks to consumers arising from products, polices, procedures and practices. In preparation, your enterprise risk management and/or compliance risk program needs to be able to identify and respond to risks to the consumer. This risk assessment will likely illuminate risk areas not previously a focus of compliance, raise questions about activities that may currently be considered standard in the industry, and accordingly require changes in operations that staff may resist.

Your systems need to be able to identify risks to both the bank AND to the consumer.  In order to accomplish this, compliance can no longer operate in isolation. Business lines must not only be included, but also assume it is their job to understand the risks to their operations, and have accountability to make the necessary changes within their operations to reduce these risks.

Staff members in different business lines must not only be included, but also assume it is their job to understand the risks to their operations, and have accountability to make the necessary changes within their operations to reduce these risks. To support a change in culture, compliance or risk management cannot be the only areas that the board holds accountable. 

So how do you achieve a culture of compliance, where all employees are held accountable for risk?

The compliance program must change from focusing on past errors and the latest hot topics to evaluating and managing the potential risk to the organization—and to the consumer—generated by both internal and external sources. A forward-thinking organization can identify the next hot issue by proactively evaluating potential risks and adapting compliance programs to mitigate the risks to both the bank and the consumer. The proactive risk-based approach will put you ahead of the new consumer-centric examination approach and ensure the new hot issue doesn’t impact you or your customers.

Buying a Bank? 10 Key Compliance Due Diligence Considerations

discovery.jpgM&T Bank’s recent acquisition of Hudson City Bancorp, right on the heels of M&T’s exit from the Troubled Asset Relief Program, is a strong indication that bank consolidations and acquisitions are likely to continue in the near future.

Whether acquisitions help to shore up capital, expand markets, or serve other purposes, numerous financial institutions are pursuing these deals. But are they performing the due diligence necessary to protect themselves from the potential compliance downside of these transactions?

If you’re considering an acquisition or consolidation deal, you can’t afford to skimp on due diligence. The old adage of “one man’s trash is another man’s treasure” definitely does not apply in these situations—when you acquire an institution, its trash remains trash.

The transaction price should reflect the related risks. Higher risks and compliance issues can generate fines and penalties that should not be overlooked when negotiating, but you have to know about the risks before you can negotiate over them. And that’s where due diligence comes in.

Before acquiring or consolidating with another institution, you should consider certain questions about that institution. While the following list is not all-inclusive, answering these questions will have you headed in the right direction:

1.  Does the institution provide products to money-service business (MSB) customers (e.g. wire transfers, currency exchange)? If so, how many, and what types of controls are in place to minimize the risks associated with those customers?

2.  What are the volumes of its currency transaction reports (CTRs), suspicious activity reports (SARs), and wire transfers, both domestic and international?

3.  Does it use an automated system for transaction monitoring, and if so, has the system been validated recently? Did those validations identify any gaps?

4.  Which types of controls are in place to help confirm compliance with the Office of Foreign Assets Control (OFAC) requirements?

5.  Are the loan and deposit operations centralized or decentralized, and is any portion of its operations outsourced to a third party? The answers to these questions will determine the potential amount of risk being acquired.

6.  Which types of products does it offer its consumers? Does it offer any types of unusual products that generally are not available from other financial institutions?

7.  How many different types of loan or deposit processing systems does it currently maintain?

8.  Which types of quality control processes are in place for keeping lines of business up to date on regulatory changes? Are those changes validated once they are required and implemented?

9.  How often is compliance tested and reported to management?

10. What is the structure of the compliance management program, and how does the program define “compliance?”

You wouldn’t buy a car without looking under the hood for potential problems that could come back to bite you down the road. The same rationale should apply to bank transactions, where the potential costs stand to be much, much greater. Regulatory agencies are placing a higher emphasis on compliance. It is your responsibility to demonstrate that you did your due diligence if you acquire any potential regulatory issues. If you cannot show proof of due diligence, you could face regulatory penalties.

Focusing on What’s Important to the Audit Committee: Three Things That Should Be on Everyone’s Mind

magnifying.jpgAfter the passage of the Sarbanes-Oxley Act, audit committee members experienced an increase in the intensity of the spotlight the public and regulators placed on them—and the focus didn’t just affect public companies. The current financial crisis again has put a spotlight on the responsibilities that all boards and audit committee members face. Although audit committees are actively engaged with their management teams and internal and external auditors, it can be difficult to know what should be the focus of those ongoing discussions.

So what are the things that audit committees should be thinking about today? Highlighted here are three of the critical risk areas that audit committees should have on their minds.

1. Earnings and Growth Plans: Early Assessments of the Risks

The credit challenges and related complications of the financial crisis are improving for many banks. Management teams are focused on returning to sustainable profits. Lending groups are actively looking to build their portfolios, and management teams are considering new products and services and expanding existing programs.

Audit committees need to be aware of the strategies their organizations are considering and of the associated risks. Internal audit should be auditing those risks. Whether a bank is considering resurrecting an old lending strategy or launching a new product or service, early action by the audit committee and internal audit will safeguard the organization. Audit committees and internal audit should work to understand their organization’s initiatives, limits and controls, and understand the risk monitoring that exists at their institutions.

2. Compliance: Effective, Efficient, and Critical for Survival

Compliance doesn’t always seem like the most strategic topic, but a lack of compliance can have consequences that quickly become strategic. Consumer regulations have changed significantly over the past few years, and more changes are on the horizon as the regulatory focus on consumer compliance has increased noticeably.

Audit committees should understand not just the details of compliance for individual regulations, but the compliance program itself. Having a robust system in place to identify changes, assess the enterprise-wide effects, and respond effectively is the only way that ongoing compliance can be achieved. Internal audit cannot just rely on management monitoring systems; it must perform independent testing of the compliance program and of compliance risks. Audit committees should understand the risk assessment process and internal audit’s coverage approach with respect to consumer compliance, and they should be comfortable that the compliance program will produce consistent and efficient results across all regulations and lines of business.

3. Enterprise Risk Management: Present, Comprehensive, and Insightful

Enterprise risk management (ERM) has been a topic of conversation for many years, but the level of discussion within banks and regulatory examinations is greater today in light of the financial crisis. Companies need an ERM process that is designed to address all risks across an organization and that provides meaningful information to executive management and the board. In addition, in response to the Dodd-Frank Wall Street Reform and Consumer Protection Act, which requires a board-level risk committee for firms with more than $10 billion in consolidated assets, examiners sometimes are asking much smaller organizations to put programs in place that include board-level oversight.

Audit committees should understand their bank’s ERM program, and internal audit should evaluate its effectiveness. Questions to consider include: Does a program already exist, and, if so, who owns the program? Are the right people involved? Do the results prompt the right discussions (are the company’s biggest risks part of the conversation)? Do the board and executive management support the process and the outcomes?

The goal of ERM is not to simply to comply with a regulatory mandate, but to establish a disciplined process whereby the most significant risks are summarized for insightful discussion and response. As it does with all critical areas of its bank, an audit committee must make sure that the ERM function exists and that it is operating as intended.

Having confidence in the quality and scope of the internal audit function should be a priority for any bank’s audit committee. Though the three critical areas discussed above are not exhaustive, they represent some of the larger issues facing banks today. Ongoing changes are inevitable. Adding specific consideration of changing risks—and potential changes to audit plans—could be a useful topic for audit committees to add to their agendas.

New regulation puts additional burdens on compliance staff

overwhelmed.jpgIn the current economic climate, banks are rightly focusing on safety and soundness issues. Banks must ensure, however, that they also effectively manage their compliance function because banking regulators are increasingly focused on this area in response to the numerous regulatory changes that have recently occurred and are likely to occur in the near future. Even if a bank’s compliance practices have not been criticized in the past, there is no guarantee that they will be approved by regulators at the bank’s next examination. Here are some highlights from a recent report by the Financial Institutions Group of the law firm of Barack Ferrazzano Kirschbaum & Nagelberg LLP, in Chicago:

  • Banking regulators are significantly downgrading many banks’ consumer compliance ratings because they are concerned that their compliance management systems are not equipped to handle the potentially numerous regulatory changes to be implemented by the Consumer Financial Protection Bureau. Banking regulators view violations of recent regulations and/or repeat violations, even if such violations are minimal in number and the bank engages in minimal consumer banking activities, as being especially indicative of an ineffective compliance management system. Importantly, banks with weak compliance systems will likely have their management ratings downgraded as well.
  • Banking regulators are conducting in-depth reviews of lending practices and are increasingly referring cases of alleged discrimination by banks to the Department of Justice. Even long-standing lending practices have recently been criticized by examiners. Banking regulators are concerned with:  1. the extent to which banks give their loan officers discretion regarding pricing and underwriting, 2.  whether any pricing variances in any lending activity reflect discrimination against a particular group or in favor of another group, 3. if lending policies or practices may have a disparate impact on a protected class, 4. if assessment areas are appropriate, and the extent to which banks are lending throughout their entire assessment areas, 5. if changes in assessment areas reflect potential redlining, and 6. if banks are steering certain borrowers to particular loan products.
  • Section 5 of the Federal Trade Commission Act (the “UDAP law”) prohibits unfair or deceptive trade practices, and the Dodd-Frank Wall Street Reform and Consumer Protection Act expands this area further by prohibiting “abusive” acts or practices. It is increasingly common today for banking regulators to evaluate violations of compliance regulations under the UDAP law as well, and we will now likely see banking regulators evaluate such violations under the new “abusive” standard.
  • Banking regulators are delving deeply into mortgage loan originator compensation under the Truth in Lending Act and Regulation Z. Effective for compensation earned on applications received on or after April 1, 2011, a mortgage originator’s compensation cannot, with few exceptions, be based on any factor other than the amount of the credit extended. One general prohibition is the payment of compensation based on the profitability of the branch, division or entire bank.
  • Recently, several large banks settled lawsuits with the Department of Justice for allegedly violating the Servicemembers Civil Relief Act (the “SCRA”). These banks allegedly foreclosed on service members without obtaining court orders and/or charged service members interest rates in excess of the 6 percent interest rate cap under the SCRA. These settlements will likely prompt additional service members to file lawsuits against banks, or file complaints with their military offices for improper treatment under the SCRA.

Download the full report in PDF format.