Changing Your Outlook on Internal Audits - A Two-Part Series


Part One - A New System of Review

Starting in 2017, the FFIEC (the organization comprised of the major financial institution regulators) changed the way compliance programs are rated. Instead of a single grade for the program, there is now a three-prong test that makes up the final rating. The three parts of the test are:

  1. The overall compliance program, including the written program, the resources dedicated to the program compared to the overall risk profile of the portfolio, and the experience and competency of management.
  2. Board and management oversight - essentially the level and quality of reporting to management, along with the follow-up to problems noted and the remediation implemented.
  3. Harm to consumers - the violations that are discovered have varying degrees of potential for harm to consumers. Some are very technical in nature and can be remedied by a small fix. Other violations might require the dreaded “look-back” and reimbursement.

In its press release describing the new rating system, the FFIEC wrote extensively about the goals for using this approach for compliance going forward. [1] Among the goals are to make the compliance examination more risk-based and to allow each institution the opportunity to develop and maintain a compliance program that is tailored to the risk profile of the institution.

One of the aspects of this new rating system that is often overlooked is the focus on “self-policing.”

Opportunities Provided by These Changes

The new compliance rating represents a significant change in the ability of banks to alter their compliance destiny. The emphasis on self-detection and self-policing allows financial institutions to perform self-evaluation and diagnose compliance issues internally.

In the new rating system, there is a premium placed on the idea that an institution has compliance and/or audit systems in place that are extensive enough to find problems, determine the root of the problems and make recommendations for change. To convince the regulators that an organization is truly engaged in self-policing, there must be evidence that senior management has taken the issue seriously and has taken steps to address whatever the concern might be. For example, suppose that during a compliance review the compliance team discovers that commercial lenders are not consistently giving a proper ECOA notification. This finding is reported to the Compliance Committee along with a recommendation for training for commercial lending staff. The Compliance Committee accepts the recommendation and tells the Compliance Officer to schedule Reg. B training for commercial lenders. This may seem like a reasonable response, but it is incomplete.

This response does not rise to the level of self-policing that is discussed in the FFIEC memo; a further step is necessary. What is the follow-up from senior management? Will senior management follow up to make sure that the classes have been attended by all commercial lending staff? Will there be consequences for those who do not attend the classes? The answers to these questions will greatly impact the determination of whether the self-policing is effective. Ultimately, the goal should be to show that the effort at self-policing for compliance is robust and taken seriously at all levels of management. The more the regulators trust the self-policing effort, the more the risk profile decreases, and the less likely it is that an enforcement action will be imposed.


At first blush, self-reporting seems a lot like punching oneself in the face, but this is not the case at all! The over-arching idea from the FFIEC guidance is that the more the institution is willing to work with the regulatory agency, the more likely it is that there will be consideration for reduced enforcement action. Compliance failures will eventually be discovered, and the more they are self-discovered and reported, the more trust the regulators have in management in general and in the effectiveness of the compliance program. The key here is to report at the right time. Once the extent of the violation and its cause have been determined, the time to report is imminent. While it may seem that the best time to report is when the issue is resolved, this will generally not be the case. The regulators may want to be involved in the correction process. In any event, you don’t want to wait until it seems that discovery of the problem was imminent (e.g. the regulatory examination will start next week).


What will your institution do to correct the problem? Has there been research to determine the extent of the problem and how many potential customers have been affected? How did management make sure the problem has been stopped and won’t be repeated? What practices, policies and procedures have been changed as a result of the discovery of the problem? These are all questions that the regulators will consider when reviewing efforts at remediation. For example, if it turns out that loan staff have been improperly disclosing transfer taxes on the Loan Estimate, an example of strong remediation would include:

  • A determination of whether the problem was systemic or limited to a particular staff member
  • A “look back” on loan files for the past 12 months
  • Reimbursement of any customers who qualify
  • Documentation of the steps that were taken to verify the problem and the reimbursements
  • Documentation of the changed policies and procedures to ensure that there is a clear understanding of the requirements of the regulation
  • Disciplinary action for affected employees (if appropriate)
  • A plan for follow-up to ensure that the problem is not recurring

Self-policing gives an institution the ability to positively impact its regulatory fortunes. The goal under this new system is to document the effectiveness of the system of controls in place. The effectiveness of the control environment will impact all three of these ratings. Generally, more favorable ratings will extend the amount of time before your next examination is scheduled.

Ultimately, the new compliance ratings system highlights a financial institution's ability to establish its control environment.

In Part Two we will discuss the control environment.


*** James Defrantz is Principal at Virtual Compliance Management Services LLC***

***For more information, please feel free to contact us at***

[1] The full press release can be found at
