Don’t Forget That Training is a Pillar of a Strong Compliance Program

Since regulators first embraced the risk-based approach to supervision of banks, training of staff has been recognized as one of the pillars of a strong compliance program. In its 2002 article entitled “A Banker’s Guide to Establishing and Maintaining an Effective Compliance Management Program”, the Kansas City Federal Reserve Bank discussed the importance of training to a compliance program:

“The importance of having a staff that is knowledgeable of regulatory requirements cannot be overstated. Regardless of an institution’s philosophy and policies, ultimately it is line staff who process transactions and interact with customers. If employees are not adequately trained in compliance matters, errors are certain to occur” [1]

Mark W Olson, Member of the Board of Governors of the US Federal Reserve System, also emphasized this point in his remarks at the American Bankers Association’s Regulatory Compliance Conference.  He stated in part that:

“Training on policies, procedures, and associated controls is a component of compliance-risk management that should not be overlooked. Examiners will determine whether the banking organization’s training program ensures that compliance policies, procedures, and controls are well understood and appropriately communicated throughout the organization.” [2]

These are just two of several statements by regulators that make it clear that training of staff is not only important, but that it is an essential component of compliance. There must be a mechanism in place to make sure that everyone associated with your institution is kept abreast of changes to regulations that directly impact its operations. In addition, when management and staff have a clear understanding of the requirements of regulations, they are more effective and efficient. While good training will not make up for unsafe and unsound practices, a well-trained staff can cover a multitude of “sins”.

The Case for “Live” Training

Most financial institutions these days use some form of internet training to fulfill their compliance training needs. Online courses are for the most part accepted as the most cost-effective way to conduct training for staff. We would like to suggest that cost efficiency may not ultimately be the most important consideration. Most compliance programs at small institutions consist of online training programs that allow participants to take tests multiple times until the desired score is achieved. Unfortunately, a common strategy for the participants is to eschew reading the material, go straight to the test, take it, write down the answers to the questions that they got wrong and then retake the test with the answer guide in hand. While this process will help to ensure that everyone has received a passing grade on the training, it does little to increase staff knowledge of regulations. This is not meant to be an indictment of online training programs at all.

Instead, it is a suggestion that a complete compliance training program must have a great deal more. Consider the nature of compliance regulations. Whether we like to admit it or not, compliance regulations have a history of being earned! For example, Regulation B (The Equal Credit Opportunity Act) was passed to address the fact that women and minorities were being denied equal access to credit. And the Truth in Lending Act is the result of former banking practices that misled borrowers about the real costs of the loans they were getting. Consumer regulations have been designed to address areas that have been proven to cause consumer financial harm.

Because consumer regulations are designed to either prevent certain behaviors, collect information on the results of bank practices or to provide complete information through disclosures, a great deal is left open for interpretation.  There are even times when regulations direct that staff must interpret information to the best of their ability (Government Monitoring Information in HMDA).  Often when a regulation is misunderstood, violations result.

We have found that when management and staff alike are given the opportunity to hear a bit of the history of the regulation it makes a big difference in the overall level of compliance.  Knowing WHY a regulation was enacted goes a long way toward understanding what it is that the regulation is trying to accomplish.  Taking this idea one step further, giving staff information on what it is that the current regulation is trying to accomplish goes a long way toward obtaining positive participation in the compliance effort.

By helping to ensure that staff members understand the specifics of compliance regulations, you can greatly enhance the effectiveness of the program. Staff who understand what it is that the regulation is trying to accomplish can feel empowered. Whether or not staff members agree with the regulation, understanding it is key. With the basic understanding of the regulation as a tool, the number of misinterpretations and resulting errors is greatly reduced.

Courses on consumer regulations should at least annually include information about the history and the legislative intent of the regulation.   Optimally, staff will be given the opportunity to work through case studies during the training session as these are very helpful in increasing understanding of the regulation.

Training Can be a Cost Saver
In the area of compliance, the most frequent violations of regulations are a direct result of either misunderstanding the requirements of regulations or ignorance of changes to regulations. Training courses that cover the requirements of consumer regulations are extremely effective in reducing these kinds of violations. While compliance violations rarely result in the closure of a bank, the fines, penalties and reimbursements that result can have a drastic impact on profitability.

Do not Give Training the Axe

Although the examination handbooks don’t specifically say it, the fact that training is listed as one of the “pillars” of the compliance program suggests that it is at least as important as the other pillars.  And yet, for reasons that are lost in tradition, this area often is not treated as an important part of compliance.

Even in the toughest of economic times, training of staff and management is a necessity. Through training courses that are specifically designed to meet the needs of individual organizations, financial institutions can be prepared to meet the challenges of a changing regulatory environment. As one of the most important pillars of a strong compliance program, training should never be considered a luxury!

[1] A Banker’s Guide to Establishing and Maintaining an Effective Compliance Management Program (the Guide). Federal Reserve Bank of Kansas City, 2002.

[2] Remarks by Mark W Olson, Member of the Board of Governors of the US Federal Reserve System, at the American Bankers Association’s Regulatory Compliance Conference, Orlando, 12 June 2006.


Strengthening Your Compliance Program-Getting to the Root of the Problem

Getting to the Root of the Problem- An important Step to Strong Compliance

The compliance examiners are coming! It is time to get everything together to prepare for the onslaught, right? Time to review every consumer loan that has been made and every account that has been opened in the last 12 months, right? Not necessarily! The compliance examination is really an evaluation of your compliance management program (“CMP”). By approaching your examinations and audits as an evaluation of the effectiveness of your overall CMP, the response to the news of an upcoming review becomes (almost) welcome.

The Elements of the CMP

There is really no “one size fits all” way to set up a strong compliance program.  There are, however, basic components that all compliance management systems need.  These components are often called the pillars of the CMP.  The pillars are:

  • Policies and procedures
  • Internal Controls
  • Management Information systems
  • Training

The relative importance of each of these pillars depends on the risk levels at individual financial institutions. The compliance examination is a test of how well the institution has identified these risks and deployed resources. For example, when one has highly experienced and trained staff coupled with low turnover, the need for fully detailed procedures may be minimal. On the other hand, at an institution where new products are being offered regularly, the need for training can be critical. The central question is whether or not risks have been properly identified at your institution. Once risks have been identified, have effective steps been taken to mitigate them?

Making the CMP fit Your Bank 

Making sure that your CMP is right-sized starts with an evaluation of what the institution is doing and the inherent risk in that activity. For example, consumer lending comes with a level of risk. Missed deadlines, improper disclosures or misinterpretations of the requirements of the regulations are risks that are inherent in a consumer portfolio. In addition to the risks inherent in the portfolio, there are the risks associated with the manner in which the institution conducts its consumer business. Are risk assessments conducted when a product is going to be added or terminated? Both decisions can create risks. For example, the decision to cease HELOCs may create a fair lending issue, while the decision to start making HELOCs has to be made in light of the knowledge and abilities of the staff that will be making the loans and the staff that will be reviewing for compliance.

We suggest that compliance has to be a part of the overall business and strategic plan of any financial institution.  The best way to make sure that the CMP is appropriate is to include compliance in all of the business decisions.   The CMP has to be flexible enough to absorb changes while remaining effective and strong.

The Test of the CMP

Probably the most efficient way to determine the strengths and weaknesses of the CMP is by reviewing the findings of internal audits and examinations, as well as quality control checks. When reviewing these findings, what is most important is getting to the root of the problem. Both the findings and the recommendations that can be found in examination and audit reports can be used to help “tell the story” of the effectiveness of the CMP. As the institution receives its readout of findings and recommendations, it is very important to ask the examiner or auditor “In your opinion, what was the cause of this finding?” Generally, we believe that you will find that the answer you receive will be candid and extremely helpful in addressing the problem. Let’s face it, sometimes findings occur when people have bad days. On those bad days, even the secondary review may not quite catch the problem. These are generally not the types of findings that should keep you up at night.

The findings that should cause concerns are the ones that result from lack of knowledge or lack of information about the requirements of a regulation.  These findings are systemic and tend to raise the antenna of auditors and examiners.  Unfortunately, too often the tendency for institutions is to respond to this kind of finding by agreeing with it and promising to take immediate steps to address it.  Without knowing the root cause of the problem, the fix becomes the banking version of sticking one’s finger in the dyke to avoid a flood.

Addressing Findings  

We suggest a five-step process to truly address findings and strengthen the CMP:

  1. Make sure that the compliance staff truly understands the nature of the finding. This may sound obvious, but far too many times there is a great deal lost in translation between the readout and the final report. Many of our clients have stated that they felt like what was discussed at the exit doesn’t match the final report they receive. We recommend fighting the urge to dismiss the auditor/examiner as a crank! Call the agency making the report and get clarification to make sure that the concern that is being expressed is understood by staff.
  2. Develop an understanding of the root cause of the finding. Does this finding represent a problem with our training? Perhaps we have not deployed our personnel in the most effective manner. It is critical that management and the compliance team develop an understanding of why this finding occurred to most effectively address it.
  3. Assign a person responsible along with an action plan and benchmark due dates. Developing the plan of action and setting dates creates accountability for ensuring that the matter is addressed.
  4. Assign an individual to monitor progress in addressing findings. We also recommend that this person should report directly to the Audit Committee of the Board of Directors. This builds further accountability into the system.
  5. Validate the response. Before an item can be removed from the tracking list, there should be an independent validation of the response. For example, if training was the issue, the response should not be simply that all staff have now taken the training. The process should include a review of the training materials to ensure that they are sufficient and feedback from staff members taking the training. In addition, a quality control check should be performed.

Not only does determining the root cause of a problem make the response more effective, but in doing so, the CMP will be strengthened. For example, it may be easy to see that an institution has a problem with right of rescission disclosures. It may be harder to see that the problem is not the people at all, but that the training they received is confusing and ineffective. Only by diving into the root cause of the problem can the CMP be fully effective.


Planning Your Compliance Year

As the year comes to a close, for most people, it is time to celebrate with family and friends and to look forward to the new year with anticipation. For risk and compliance officers at financial institutions, the new year comes with a bit of a different perspective. For many years now, each new year has brought a different set of regulations and the challenges of keeping financial institutions in compliance. This is not necessarily a bad thing. New challenges can present an opportunity for new and more efficient solutions. There are some steps that you can take that can truly help you get to the goal of “getting on top of compliance”.

Step One- Information Gathering

There are several sources for regulatory changes. It is important to consider the fact that compliance and risk expectations can be changed by more than the implementation of new regulations. Regulatory agencies respond to world events, the political environment, resource allocations, technology and many other factors. One valuable source of information that is often overlooked is the annual plans or statements that are issued by the prudential regulators. All three issue a plan that addresses the areas that they will emphasize in the upcoming year. [1] In addition, there are many organizations and agencies that list the effective dates for regulations. At VCM, we have a form that lists regulations, effective dates and whether or not the regulation will apply to your organization. [2] Gathering information on the new regulations and regulatory initiatives is a key first step for planning the compliance year.

Step Two – Setting the Parameters

We believe that the next step should always be completing a risk assessment. More often than not, we see risk assessments that are performed specifically for the purpose of meeting a regulatory requirement. In many cases, these assessments are completed and put away without being looked at until it is time to do an annual update. We believe instead that the risk assessment provides an excellent opportunity to set the parameters for your own compliance program. We recommend that the risk assessment should include:

  • The areas where there have been regulatory or internal audit findings in the past
  • The types of products that the Bank offers and the risks associated with those products
  • New products that are being contemplated
  • The management reports that are currently being generated by software
  • Changes in regulations that might affect the bank
  • Changes in staff that have occurred or are planned.

The risk assessment should be designed to determine the areas where your institution has the greatest risk for violations or findings.  It is critical that the assessment should be brutally honest and unflinching in its assessment of the compliance needs for your institution.

The most important part of this step is to remember to USE the document that you have prepared!  The risk assessment should be the basic document that helps you make the case to senior management for additional staff and/or resources.   The risk assessment should also be used to help set the scope of the internal audits that are performed.  It is very rare that there will be time to cover every potential issue in a year so the risk assessment should help prioritize resources.    The risk assessment should also be the document from which the training calendar should be set.

Step Three- Checking Twice  

In addition to going through the regulations, it is necessary to make sure that your policies and procedures match the requirements. For example, have you developed a solid method for making sure that you comply with the “valuations rules” of Regulations B and Z? Do you know what these are and how they affect you?

It is also a very good idea to sign up for all of the “Free stuff” that the regulators publish about compliance.   These can be used as useful supplemental training tools.  There is a great deal of very helpful information made available by the Federal Reserve and the CFPB in particular.  [3]

Step Four-Call for Help!

One of the benefits of completing a comprehensive compliance risk assessment is that the results can help you determine the level of support that is needed. Far too often, compliance departments get additional resources only after the staff has been overwhelmed or has experienced a poor result from an audit or examination. However, we suggest that the old saying that an ounce of prevention is worth a pound of cure applies. Identifying the areas that are the highest risk and asking for help in those areas before they become a problem is a best practice that will enhance your compliance program and the quality of your life!

Of course, one of the best areas to get support for compliance is through the staff at your bank. At the end of the day, compliance is a team effort that requires the input of the whole bank to be most effective. One of the themes that we have noticed over the years is that people tend to buy in more when they understand the hows and whys of compliance. While online training classes are clearly efficient and relatively inexpensive, they sometimes can lack the perspective that gives the staff members the reason why the particular regulation exists. For example, we have found that taking the time to explain what it is that BSA laws and rules are trying to accomplish to the staff members who are opening accounts has dramatically improved the collection of data for CIP. The same is true for Regulation B and a host of other areas. By helping bank staff understand that there really are good reasons why you are so insistent on complete and accurate disclosures, you can greatly reduce the error rate in these disclosures. The more help from staff that you get, the more efficient you can be.

Step Five- Execute the Plan

Once you have completed the risk assessment, prioritized the risks and asked for help, it is time to execute the plan. Make sure that the scope of the audits that you are getting will actually meet your needs and give you information on how things are going. Regulators have become increasingly critical of audit scopes that are too general or that do not cover specific areas of compliance weakness at the bank. The internal audit is an important tool that should be used to help find areas that need attention. It is true that the auditor is your friend. The results of audits should be taken seriously and positively, as this is your opportunity to determine levels of compliance without having regulatory problems.

Like all good coaches, as a compliance officer you know the areas where your team is the weakest.  Make sure that your compliance plan is designed to address these areas from the outset.  If training has been a concern for example, then make sure that you have addressed the root of the problem.

Step Six-Remain Flexible

There is a parable that says that if you want to prove that God has a sense of humor- then try making your own plans.  There is no question that the best-laid plans can sometimes go awry.  Therefore, it is important that you build flexibility into your plan.  For example, even though you may have wanted to do flood insurance testing in the first quarter, you might find that the bigger area of risk is compliance with HMDA.  Even though flood insurance will always be a “hot button” issue, there are times when the greater area of risk can be somewhere else.  The point is that your plan must have the ability to hit all of the highest areas of risk to ensure that your program is successful.

Planning your compliance year can not only keep you ahead of trouble; it can also help you start making different New Year’s resolutions!

[1] See for example,,

[2] This form can be found on our website at