Rethinking the Community Banking Model


Community banks and credit unions have been a key part of the American economy since its beginning. These are the lending institutions that make loans to small sole proprietors, first-time home buyers and dreamers of all kinds. Over the years, the business model for these institutions hardly varied. The loan portfolios of community banks across the country will include three similar components:

  • CRE – Commercial real estate loans have been one of the mainstays of the community banking business. These loans provide a viable, recognizable and reliable (usually) source of income. The return on investment for these loans has been the source of a large portion of the earnings for community banks for many years. The drawback of this type of lending is that it ties up a large portion of the capital of a bank and the return on investment takes a significant amount of time to develop. A loss from one of these loans has the potential to threaten the existence of a small financial institution.
  • CNI – Commercial and Industrial loans have been the beating heart for community banks for many years.  Very much like CRE loans, the income from these loans is recognizable and except for a few notable exceptions, reliable.  Not only do these loans have the same concerns as CRE, but the competition for these loans is also fierce and smaller institutions often find themselves left with the borrowers who present the highest level of risk.
  • Consumer products–  In the past 15 years, consumer loans have also proven to be a good source of earnings.  Interest rates for consumer products have remained well above the prime rate and for a financial institution that is properly equipped, consumer products can provide a strong stream of income.   Consumer products also tend to be for smaller amounts, have higher rates of losses and are heavily regulated.

This three-pronged approach to earning income has been a steady, tried and true method for earnings at small financial institutions.  However, there are several factors that are coming together that have threatened this business model.

  • Fintech – Financial technology (“Fintech”) companies are those companies that use software to deliver financial products. Today one of the most recognizable fintech companies is PayPal. Using just a smartphone, PayPal gives its users the ability to make payments, pay bills, deliver gift cards and conduct financial transactions with people throughout the country. For community banks, the knowledge of the existence of PayPal is interesting, but what is more critical is the reason that PayPal was developed. PayPal and its fintech brethren exist to fill a specific need that banks were not meeting.
  • NBFI – The Operation Chokepoint program was a program spearheaded by the Justice Department that was aimed directly at Non-Bank Financial Institutions, aka Money Service Businesses. At the time the program was started, a decision was made that money service businesses represented an unacceptable money laundering risk. Ultimately, Operation Chokepoint fell into disrepute and was ended. Although Operation Chokepoint has ended, its legacy is still prevalent. MSBs still have significant problems getting bank accounts. Despite this fact, the amount of money moved through remittances continues to grow. MSBs continue to serve this market for a huge population of people who are unbanked and underbanked.
  • Underbanked and Unbanked– The number of unbanked and underbanked families continues to grow.  Unbanked families are those without a bank account and underbanked families are those that use minimal banking services.   The number of people in these families totaled approximately 90 million in 2016[1].   Equally as important as the sheer size of the unbanked and underbanked population is the reason that many of these potential customers remain that way.  High fees, poor customer service, and bad public image have all been contributing factors for the large population of unbanked and underbanked customers.

 

Customer Bases in the Future 

The combination of these forces will greatly impact the future of the business model for community banks. Customers will continue to change their expectations for their financial institutions. The traditional balance has changed: instead of being forced to choose from the products that financial institutions offer, customers have come to demand products from their companies.

The financial needs of customers have also changed. Electronic banking, online account opening, remote deposit capture and iPhone applications are now almost necessities. Younger customers, who make up a significant number of the unbanked and underbanked population, rarely use traditional forms of community banking such as branch visits. Fast information, fast movement of money, low-cost transactions and accessibility are most desirable to the potential clients of today’s financial institutions.

Implications for the Small Bank Business Model  

Fintech companies, NBFIs and the need for new and different services presented by the unbanked and underbanked population will all continue to put pressure on community bankers to begin to make a change. Change may be hard, but it is also inevitable and necessary. For community banks and credit unions, now is a good time to consider NBFIs as viable and important customers. They are a vehicle for consumers to meet their ongoing needs and they need bank accounts.

Fintech companies’ reason for existing is to fill the unmet needs of unbanked and underbanked.   These companies have developed applications that allow everything from alternate means of credit scoring to international transfer of funds using applications.  A community bank or credit union that creates a partnership with the right fintech company can offer products and services that will greatly distinguish them in the market and allow for continued growth and alternate means of income.   2020 is a great time to start thinking about a new business model.

 

 

 

***James DeFrantz is Principal at Virtual Compliance Management. For more information please visit our website at www.VCM4you.com ***

[1] In our most recent survey, published in October 2017, the FDIC reported that 7 percent of households were unbanked, lacking any account relationship at an insured institution. The survey also showed that an additional one-in-five (or 19.9 percent of) households were underbanked, defined as households in which a member had a bank account, but nevertheless turned to alternative financial services providers during the year to address one or more needs for transactional services such as check cashing or credit. Altogether, the survey reported that some 90 million Americans, or nearly 27 percent of households, are unbanked or underbanked.

 

The Beneficial Ownership Rule- A Two Part Series

 


Part Two – Due Diligence-the Fifth Pillar

In the first part of this series we described the new beneficial ownership rule.  We talked about the reasons that the rule was passed, and we noted that the central idea of this rule is making sure that financial institutions get complete information when an account is opened for a legal entity.   This is especially true when a legal entity has a complex ownership structure.    There is a second aspect of the rule that changes the due diligence process for legal entities to a dynamic one.   This portion of the rule is called the “fifth pillar” of BSA/AML compliance programs.

Due Diligence

Under the new Beneficial Ownership rule, the definition of due diligence is essentially changed, especially for accounts that are opened for legal entities.   The rule specifically requires institutions to obtain background information on any person that owns, or controls the legal entity.  For purposes of this rule, ownership is defined as anyone who maintains an ownership stake of 25% or more of the entity.  Control means anyone who has a significant responsibility to manage or direct the entity.  A controlling person could have zero ownership interest in an entity.

 

Currently, information about the persons who control or own legal entities is not necessarily required, although as a best practice, this information should often be considered important to the due diligence process. The Beneficial Ownership rule makes obtaining the ownership and control information a requirement of the account opening and due diligence process. The rule also requires that financial institutions write policies and procedures that reflect these requirements. The rule notes that the policies and procedures should be risk based and should detail the various steps taken based upon the risk rating of the account. The types of documentation that can be considered acceptable for meeting the requirements of the rule are described.

Due Diligence as a dynamic process

When developing your compliance program to meet the requirements of the new rule, consider that due diligence for legal entities should become a dynamic process.  It won’t be enough to obtain ownership and control information at the time the account is opened and then stop.  There must be ongoing monitoring of accounts for changes in the ownership or control and analysis of what those changes mean.

In recent years, one of the tactics that money launderers have employed is to take over legitimate long-standing businesses to hide “dirty money”. For example, in late 2014, the Los Angeles area garment industry was overrun by a scheme known as “Black Market Peso Exchanges.” Drug money was used to purchase goods and then the goods were shipped to other countries where they were resold and converted back to cash. In many cases, the reason that this scheme was able to proceed was that the person or persons that desired to launder the money became a part owner of what was once a legitimate business.

In a similar manner, when a person who has bad intentions is able to control an entity, then the possibility that suspicious activity might occur goes up exponentially.   An important part of ongoing monitoring for suspicious activity must be continuing due diligence on both the ownership and controlling persons of an entity.

Asking the second Question

Once information is obtained about the owners and/or controllers of a legal entity, there is an additional review process that should occur. Does the owner or controller of the legal entity increase the likelihood or potential for money laundering? In the alternative, does the information that you have obtained about the owner or controller leave more questions than answers? For example, suppose your corporate customer runs a small flower shop on Main Street. One day, a 30% interest in the flower shop is purchased by a man who is the owner of the local casino. Why would the owner of a casino want a flower shop business? Since a casino is a high cash, high risk business, and people do still buy flowers with cash, there is an increased risk that the new controlling person may try to move some of his money through the deposits of the flower shop. In this case, the best practice would be to find out all that you could about the new owner and why this controlling interest makes sense. Moreover, now is the time to determine whether or not your BSA department still has the capability to monitor the flower shop now that it has a new owner. Do you have the ability to determine whether suspicious activity might be occurring? Not only should due diligence be dynamic, it should also include the analysis necessary to make the most efficient use of the information obtained.

 

 

***James DeFrantz is Principal at Virtual Compliance Management. For more information please visit our website at www.VCM4you.com ***

The Beneficial Ownership Rule- A Two Part Series


Part One – What is the rule and What Does it mean to Me?

 

On May 11, 2016, the Financial Crimes Enforcement Network (“FinCEN”) announced its final rule strengthening the due diligence requirements for covered financial institutions. This rule is generally known as the “beneficial ownership rule”. This rule represents a significant change in the overall administration of Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) compliance programs. The purpose of the change was made clear in FinCEN’s announcement of the final rule:

 

“Covered financial institutions are not presently required to know the identity of the individuals who own or control their legal entity customers (also known as beneficial owners). This enables criminals, kleptocrats, and others looking to hide ill-gotten proceeds to access the financial system anonymously. The beneficial ownership requirement will address this weakness.” [1]

 

Put another way, the purpose of this rule is to address one of the biggest weaknesses in the current system for identifying suspicious activity. The fact that financial institutions have been required to obtain information about a legal entity without considering the ownership and/or control of the legal entity has allowed many a “bad guy” to effectively hide his/her illicit activity. The preamble to the rule lists several examples of how legal entities have been taken over by criminals in an effort to launder money. Some of the more interesting examples included:

 

  • A series of shell companies that were used to take over and loot a publicly traded mortgage company.
  • Using a series of small legal entities to cover a drug smuggling ring
  • Using a series of companies that were ostensibly for movie production to hide large amounts of cash that was being used for human trafficking

 

In all of the cases that were cited, the common feature was that the ownership and control of the legal entities was obscured by a complex holding structure. The beneficial ownership rule is designed to address this practice. The rule requires that a financial institution doing business with a legal entity should know who owns and controls the entity. This is the enumerated requirement. However, it should be understood that simply knowing this information is not enough. Once the due diligence information is obtained, it is critical to ensure that it makes sense in context. For example, does it really make sense that a flower shop owner also owns a casino? These businesses are entirely unrelated except for the fact that they are both often cash intensive businesses.

 

The Rule Itself 

 

The final rule creates a “fifth pillar” in the standard group of expectations for a comprehensive BSA/AML compliance program.  Ongoing and risk based due diligence for customers will now be considered an essential part of the compliance program.   The rule makes due diligence a dynamic process rather than the traditional process that essentially ended at the time the account was opened.  Financial institutions are expected to stay abreast of who the beneficial owners of a legal entity are and how their ownership might impact ongoing monitoring of the account.   As the beneficial owners change, then the manner in which the account is viewed should change accordingly.

 

Beneficial Ownership is a broad definition that includes both ownership and control.

 

Ownership – is defined as any person who directly or indirectly owns more than 25 percent of the equity of a legal entity.

 

Control – The term “beneficial owner” means a single individual with significant responsibility to control, manage, or direct the legal entity customer (e.g., a Chief Executive Officer, Vice President, or Treasurer).

 

These two prongs are critical because there are many times when a person or persons could actually have a minimal ownership stake in a firm or even no actual legal ownership, but still have the ability to control the firm.   The rule requires all covered institutions to obtain information on all people who own or control a legal entity.

 

Financial institutions are expected to design policies and procedures that detail how staff will use their best efforts to establish and maintain written procedures that are reasonably designed to identify and verify beneficial owners of a legal entity customer. The procedures must allow the financial institution to identify all beneficial owners of each legal entity customer at the time of account opening unless an exclusion or exemption applies to the customer or account.  [2]

 

Why Wait?

 

The rule requires all covered institutions to be in compliance.  Covered institutions in this case means:

 

“For purposes of the CDD Rule, covered financial institutions are federally regulated banks and federally insured credit unions, mutual funds, brokers or dealers in securities, futures commission merchants, and introducing brokers in commodities” [3]

 

Though this rule technically only applies to covered institutions, it will be prudent for all financial institutions to become familiar with the requirements of the regulations and to apply the standards enumerated therein. Financial institutions will expect that their Money Service Businesses meet the same standards because the risk of undetected suspicious activity is the same.

 

There is absolutely no reason to wait to implement the principles detailed in the rule. By developing policies and procedures that are able to determine beneficial ownership, a financial entity can have more effective risk mitigation of its customer base. At the end of the regulatory day, knowing your customers and what it is that they do is the heart of any strong AML compliance program.

 

 

 

In Part Two- we will discuss the details of a strong beneficial ownership program.

 

***James DeFrantz is Principal at Virtual Compliance Management.  For more information please visit our website at www.VCM4you.com ***

 

 

[1] www.federalregister.gov/articles/2016/05/11/2016-10567/customer-due-diligence-requirements-for-financial-institutio

[2] These excluded entities include banking organizations; entities that have their common stock listed on the New York, American, or NASDAQ stock exchanges; SEC-registered investment companies and advisers; CFTC-registered entities; state-regulated insurance companies; foreign financial institutions established in jurisdictions that have beneficial ownership reporting regimes; and legal entities with private banking accounts subject to FinCEN rules

[3] FIN-2016-G003  questions

 

 

 

Changing Your Outlook on Internal Audits

There are myriad whitepapers and scholarly articles discussing control environment theories. Many of these documents discuss in detail the components of the concept of controls. At the heart of the matter, the control environment is comprised of your institution’s ability to identify the risks inherent in ongoing operations compared to the steps you have taken to mitigate those risks. Put another way, why DO you have written policies and procedures? What are they designed to do? Policies and procedures often seem like an arcane phrase that auditors and examiners like to glibly toss out, but they really are the heart of the control environment. The process of developing policies and procedures should follow the development of a risk assessment. Risk assessments are too often performed as a matter of course and then forgotten throughout the year.

An effective risk assessment of your compliance program can be an excellent source document for various things including budgeting requests for additional resources and scoping of audits. Completing the assessment includes considering the inherent risk at your institution, the internal controls that have been established to address risk and a determination of the residual risk. The process is intended to be one of self-reflection and consideration of the areas of potential weakness. For those areas that have the potential to be a problem, the best practice is to make sure they are included in the scope of an audit. Audit firms are more than happy to work with the management of the institutions they are reviewing on developing a scope. One of the crucial goals of the audit is to uncover areas where there are weaknesses in internal controls. For example, in your risk assessment, you may have noted a large number of errors in disclosures for new accounts. This area should subsequently be a focus for the internal auditors when the compliance audit is performed.

 

In the previous blog, we talked about how the FFIEC compliance rating system gives a great deal of incentive to follow a process in this order:

  • Complete risk assessment covering products and services
    • Plus
  • Development of the policies and procedures designed to address the risk identified in the first step
    • Equals
  • Your control environment

 

Of course, that is not the end of the story. In fact, that is only the first half. Once the control environment has been established, it is critical to determine which controls are preventative and which are detective.

Preventative Controls: These controls are designed to keep errors or irregularities from occurring in the first place. They are built into internal control systems and require a major effort in the initial design and implementation stages. Put another way, preventative controls are designed to keep bad things from happening at the inception.

Detective Controls: These are internal controls intended to find problems within a company’s processes. Detective controls are designed to find problems in delivery and implementation.

The way that you test these controls depends on how they are designed to work. In the case of preventative controls, the test is to determine whether they keep a transaction from being completed based upon an error. Detective controls are designed to catch problems in the overall process such as adverse actions that have a problem trend.

Consider the implications for the internal audit process. The current process tests the results and not the control environment. Your auditor could test 50 loans and find no problem. The conclusion that is drawn is that all is well; but really, how do you know that loans 51-70 are not all problem loans? The idea here is to self-police by testing the control environment.

As we noted in the first part of this series, the scope of the internal audit function at financial institutions has been an area of focus for regulators.  Regulators have focused on whether the scope of internal audits meets both regulatory standards and is appropriate in light of the overall risk profile of a financial institution.  It is the second of these two considerations that has most often caused findings and created concerns.    It is, therefore, critical that the scope of audits reflect an understanding of the risks inherent at your financial institution.

A control risk assessment (or risk assessment methodology) documents the internal auditor’s understanding of the institution’s significant business activities and their associated risks. These assessments typically analyze the risks inherent in a given business line, the mitigating control processes, and the resulting residual risk exposure of the institution. They should be updated regularly to reflect changes to the system of internal control or work processes, and to incorporate new lines of business.[1]

At smaller institutions, there generally is not a full-time internal auditor on staff.  This does not obviate the need for comprehensive and timely risk assessments.  Unfortunately, the risk assessment process is often overlooked.   The risk assessment should consider the following:

Past Examination and Audit Results

It goes without saying that the past can be a prelude to the future.   Prior findings are an immediate indication of lack of effectiveness of internal controls.  It is important that the root cause of the finding or recommendations from regulators is identified and addressed.  Internal audits should coordinate with the risk assessment to test the effectiveness of the remediation.

Changes in Staff and Management

Change is inevitable and along with changes comes the possibility that additional training should be implemented or that the resources available to staff should also change.  For example, suppose the head of Note Operations is brand new.  This new manager will want to process loans using her/his own system.  Loan staff who may be used to past procedures may become confused.  Change generally increases the possibility of findings or mistakes.   Your risk assessment should take into account the risks associated with changes and how best to address them.  In addition, this is an area that should be covered by internal audit as it presents a risk.

Changes in Products, Customers or Branches

It is also important that your risk assessment consider all of the different aspects of changes that have occurred or will occur during the year.  Any new products or services, new vendors, and/or marketing campaigns that are designed to entice new types of customers are all changes that impact the overall risk profile of the institution.    The resources necessary to address these changes should also be a consideration for the internal audit.

Changes in Regulations

Over the past few years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies.  Many of these changes do not impact smaller institutions directly, but many do.  Moreover, there are often regulations that are finalized in one year that don’t become effective until the following year.   Part of your risk assessment process has to consider changes that will affect your institution.  The internal audit scope should also consider whether the institution is prepared to meet changing regulatory requirements.

Monitoring systems in place

The information systems being employed to monitor the effectiveness of internal controls should be considered.  For many institutions, this system is comprised of word of mouth and the results of audits and examinations.  Information used by senior management and reported to the Board should be sufficient to allow credible challenges by the Board.[2]

Using the Risk assessment to Set Audit Scopes

Once a risk assessment is completed, the results should be directly tied to the internal audit schedule. The FFIEC guidance points out the relationship between the internal audit plan and the risk assessment:

An internal audit plan is based on the control risk assessment and typically includes a summary of key internal controls within each significant business activity, the timing and frequency of planned internal audit work, and a resource budget.[3]

The risk assessment should prioritize the potential for findings, while the audit scope should be developed to test mitigation steps made to reduce findings.

The criticism that is often raised about outsourced audit is that the scope is incomplete.  This is often the case because outsourced vendors have developed their scope based upon best practices, and their experiences at various institutions.  While this is obviously a best practice for the audit vendor, the problem is that it doesn’t always fit the individual institution.   Information from a comprehensive risk assessment should be incorporated into the scope of an internal audit.

In this manner, the auditor can best consider the areas of risk that are the highest priority at a particular institution.  For example, when developing the scope for an independent audit of a BSA/AML program, the scope should include the most recent risk assessment.  Changes in the customer base, an increase in the overall risk profile of the bank or a change in personnel are all factors that should be included in the audit scope.  In addition, the auditor should consider whether current monitoring systems have the capability to properly monitor the additional level of risk.  Finally, the professional abilities of the BSA staff should be considered as they relate to additional risk.

Outsourced internal audit firms design the scopes for the audits that they conduct based upon their knowledge of auditing, regulatory trends, best practices and the overall knowledge of their staff. This practice allows the firms to bring a wealth of experience and important information from outside of the financial institutions that they are reviewing. When your audit firm presents you the scope that they propose, it is based upon completely external actors and considerations. This is not a criticism of the firm; it is a standard practice. However, setting of the scope for internal audits is really supposed to be a collaborative effort, and both the audit firm and your institution are best served by developing the scope for audits together. After all, who knows the strengths and weaknesses of your institution better than the management? To get the biggest bang for your buck, why not tie the audit scope into the results of your risk assessment?

Ultimately, it is the responsibility of the Board to ensure that the internal audit is effectively testing the strength of internal controls.

[1] Interagency Policy Statement on the Internal Audit Function and its Outsourcing

[2] See for example, OCC Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations

 

[3] Interagency Policy Statement on the Internal Audit Function and its Outsourcing

Changing Your Outlook on Internal Audits -a Two-Part Series

Part One- A New System of Review    

Starting in 2017, the FFIEC (the organization that is comprised of the major financial institution regulators) changed the way compliance programs are rated. Instead of one grade for the program, there is now actually a three-prong test that makes up the final rating. The three parts of the test are:

  1. The overall compliance program including the written program, resources dedicated to the program compared to the overall risk profile of the portfolio, experience and competency of management
  2. Board and management oversight- essentially the level and quality of reporting to management.  In addition, the follow-up to problems noted and remediation implemented
  3. Harm to consumers- The violations that are discovered have varying degrees of potential for harm to consumers.  Some are very technical in nature and can be remedied by a small fix.  Other violations might require the dreaded “look-back” and reimbursement.

In its press release describing the new rating system, the FFIEC wrote extensively about the goals for using this approach for compliance going forward. [1] Among the goals are to make the compliance examination more risk based and to allow each institution the opportunity to develop and maintain a compliance program that is tailored to the risk profile of the institution.

One of the aspects of this new rating system that is often overlooked is the focus on “self-policing.”

Opportunities Provided by These Changes

The new compliance rating represents significant changes in the ability of banks to alter their compliance destiny. The emphasis on self-detection and self-policing allows financial institutions to perform self-evaluation and diagnose compliance issues internally.

In the new rating system, there is a premium placed on the idea that an institution has compliance and/or audit systems in place that are extensive enough to find problems, determine the root of the problems and make recommendations for change.  To impress the regulators that an organization is truly engaged in self-policing, there must be evidence that senior management has taken the issue seriously and has taken steps to address whatever the concern might be.  For example, suppose during a compliance review, the compliance team discovers that commercial lenders are not consistently given a proper ECOA notification.  This finding is reported to the Compliance Committee along with a recommendation for training for commercial lending staff.   The Compliance Committee accepts the recommendation and tells the Compliance Officer to schedule Reg. B training for commercial lenders.  This may seem like a reasonable response, but it is incomplete.

This response does not rise to the level of self-policing that is discussed in the FFIEC memo; a further step is necessary.  What is the follow-up from senior management?   Will senior management follow up to make sure that the classes have been attended by all commercial lending staff?  Will there be consequences for those who do not attend the classes?  The answers to these questions will greatly impact the determination of whether there is self-policing that is effective.   Ultimately, the goal should be to show that the effort at self-policing for compliance is robust and taken seriously at all levels of management.  The more the regulators trust the self-policing effort, the more the risk profile decreases, and the less likely enforcement action will be imposed.

Self-Reporting

At first blush, self-reporting seems a lot like punching oneself in the face, but this is not the case at all! The over-arching idea from the FFIEC guidance is that the more the institution is willing to work with the regulatory agency, the more likely that there will be consideration for reduced enforcement action. Compliance failures will eventually be discovered, and the more they are self-discovered and reported, the more trust the regulators have in management in general and in the effectiveness of the compliance program. The key here is to report at the right time. Once the extent of the violation and the cause of it have been determined, the time to report is imminent. While it may seem that the best time to report is when the issue is resolved, this will generally not be the case. The regulators may want to be involved in the correction process. In any event, you don’t want to wait until it seems that discovery of the problem was imminent (e.g. the regulatory examination will start next week).

Remediation

What will your institution do to correct the problem? Has there been research to determine the extent of the problem and how many potential customers have been affected? How did management make sure the problem has been stopped and won’t be repeated? What practices, policies and procedures have been changed as a result of the discovery of the problem? These are all questions that the regulators will consider when reviewing efforts at remediation. For example, if it turns out that loan staff has been improperly disclosing transfer taxes on the Loan Estimate, an example of strong remediation would include:

  • A determination if the problem was systemic or with a particular staff member
  • A “look back” on loan files for the past 12 months
  • Reimbursement of any customers who qualify
  • Documentation of the steps that were taken to verify the problem and the reimbursements
  • Documentation of the changed policies and procedures to ensure that there is a clear understanding of the requirements of the regulation
  • Disciplinary action (if appropriate for affected employees)
  • A plan for follow-up to ensure that the problem is not re-occurring

Self-policing allows an institution the ability to positively impact its regulatory fortunes.   The goal under this new system is to document the effectiveness of the system of controls in place.  The effectiveness of the control environment will impact all three of these ratings.  Generally, more favorable ratings will extend the amount of time before your next examination is scheduled.

Ultimately, the new compliance ratings system highlights a financial institution’s ability to establish its control environment.

In Part Two we will discuss the control environment.

 

*** James Defrantz is Principal at Virtual Compliance Management Services LLC***

***For More Information Please Feel free to contact Us at WWW.VCM4you.com***

[1] The full press release can be found at http://www.ffiec.gov/press/pr110716.htm

 

 

Making the Case for MSB’s

 


For many thousands of workers in the United States, the end of the week renews a weekly ritual: payday. For those workers who are expatriates, payday renews another ritual, the trip to the local money transmitter, also known as a Money Services Business. Money services businesses are defined by FinCEN as follows:

The term “money services business” includes any person doing business, whether on a regular basis or as an organized business concern, in one or more of the following capacities:

(1) Currency dealer or exchanger.
(2) Check casher.
(3) Issuer of traveler’s checks, money orders or stored value.
(4) Seller or redeemer of traveler’s checks, money orders or stored value.
(5) Money transmitter.
(6) U.S. Postal Service.

For many years MSB’s have served the needs of the expatriate workers who are sending money home.  The remittance market is a multi-billion-dollar business serving a large population of the people who tend to be underbanked or unbanked.

 

Storm Clouds

In 2013 the US Department of Justice initiated Operation Chokepoint.  This initiative was described in a 2013;

Operation Choke Point was a 2013 initiative of the United States Department of Justice, which would investigate banks in the United States and the business they do with firearm dealers, payday lenders, and other companies believed to be at higher risk for fraud and money laundering.[1]

The Justice Department’s decision to focus on the activities of MSB’s directly impacted their treatment by banks. Soon, MSB’s became persona non grata; the major theme was that these organizations have potential for money laundering and therefore had to be given scrutiny. There was a second theme that was less prominent: the better the monitoring, the lower the risk. Eventually the regulators were forced to cease the initiative. Unfortunately, a great deal of the stigma associated with MSB’s remains.

Community Banking Transitions  

Today community banks are experiencing shrinking margins in traditional business lines. Competition for C & I and CRE has become fierce, shrinking margins and making lending in these areas more expensive. In the meantime, the main reason for community banking, serving the underserved, is still an area that has a great deal of space for growth. In 2016, the FDIC estimated that 27% of all households were unbanked or underbanked.

The Remittance Market

Remittances are a market that continues to grow. According to World Bank statistics, $138,165,000,000 in remittances was sent from the United States to other countries in 2016. In 2018, the market is expected to grow more than in the previous two years for several reasons. The average size of an individual remittance remains $200.00. There are a number of money transfer businesses that have developed systems that are familiar to the customers and efficient in their delivery. The forces created by Operation Chokepoint and the growing remittance market are creating great opportunities. Despite the huge demand and potential for fee income, many MSB’s are in search of a banking relationship.

Why Should a Community Bank Consider an MSB Relationship?

Because of the history we have already discussed, for many banks the term MSB ends the discussion. However, for those banks that are looking for ways to improve overall profitability, there are several positives to consider:

  • Fee income: Because the business model is built on small dollar transactions, there is a large volume of transactions. Each transaction has the potential to generate fees. The experience of banks that offer accounts to MSB’s has been a steady, reliable source of fee income.
  • Small expenditures of capital: The expenditure of capital that is necessary is largely dependent on the strength of your overall BSA compliance program.  At the end of the day, the financial institution must dedicate sufficient resources to monitor the activity of the MSB.
  • Extremely Low Cost: The costs of the resources mentioned above can be, and often are, covered by the client MSB.
  • Serving the underserved: As we previously noted, the vast majority of the customers using MSB’s are part of the larger underbanked and unbanked population.
  • Opportunities for new markets, projects and a whole new generation of bank customers: Today’s MSB customer can easily be tomorrow’s entrepreneur who opens a large business account at your bank.

 

 

 

 

MSB’s and Risk

For many institutions the decision has been made that the regulatory risk associated with Money Services Businesses is too great to justify offering the product. Of course, most who make this decision harken back to the strict scrutiny of Operation Chokepoint.

The fact that so many MSB’s lost their banking relationships caused the FDIC (the main “tormentor” of financial institutions in this area) to issue FIL 5-2015, which was directed at the mass “de-risking” that banks were forcing on MSB’s.

 

The FDIC is aware that some institutions may be hesitant to provide certain types of banking services due to concerns that they will be unable to comply with the associated requirements of the Bank Secrecy Act (BSA). The FDIC and the other federal banking agencies recognize that as a practical matter, it is not possible for a financial institution to detect and report all potentially illicit transactions that flow through an institution.   Isolated or technical violations, which are limited instances of noncompliance with the BSA that occur within an otherwise adequate system of policies, procedures, and processes, generally do not prompt serious regulatory concern or reflect negatively on management’s supervision or commitment to BSA compliance. When an institution follows existing guidance and establishes and maintains an appropriate risk based program, the institution will be well-positioned to appropriately manage customer accounts, while generally detecting and deterring illicit financial transactions.[2]

Put another way, the regulators were noting that, despite appearances otherwise, the principle for managing the risks of MSB’s still applied: the better the monitoring, the lower the risk. When considering whether to offer an MSB a bank account, your financial institution should be able to administer the account to keep risks low. In addition to the guidance published by the FDIC, FinCEN, the FFIEC and the other banking regulatory agencies have all published guidance making it clear that there are no absolute regulatory restrictions on banking MSB’s.

The time is now for community banking institutions to consider the possibility of a banking relationship with MSB’s.

[1] Zibel, Alan; Kendall, Brent (August 8, 2013). “Probe Turns Up Heat on Banks”. The Wall Street Journal.

[2] FIL 5-2015

 

 

RETHINKING THE BUSINESS MODEL FOR COMMUNITY BANKING


 

Community banks and credit unions have been a key part of the American economy since its beginning. These are the lending institutions that make loans to small sole proprietors, first time home buyers and dreamers of all kinds. Over the years, the business model for these institutions hardly varied. A review of the loan portfolios of community banks across the country will include three similar components:
• CRE- Commercial real estate loans have been one of the mainstays of the community banking business. These loans provide a viable, recognizable and reliable (usually) source of income. The return on investment for these loans has been the source of a large portion of the earnings for community banks for many years. The drawback for this type of lending is that it ties up a large portion of the capital of a bank and the return on investment takes a significant amount of time to develop. A loss from one of these loans has the potential to threaten the existence of a small financial institution.
• CNI – Commercial and Industrial loans have been the beating heart for community banks for many years. Very much like CRE loans, the income from these loans is recognizable and except for a few notable exceptions, reliable. Not only do these loans have the same concerns as CRE, but the competition for these loans is also fierce and smaller institutions often find themselves left with the borrowers who present the highest level of risk.
• Consumer products – In the past 15 years, consumer loans have also proven to be a good source of earnings. Interest rates for consumer products have remained well above the prime rate and for a financial institution that is properly equipped, consumer products can provide a strong stream of income. Consumer products also tend to be for smaller amounts, have higher rates of losses and are heavily regulated.
This three-pronged approach to earning income has been a steady, tried and true method for earnings at small financial institutions. However, there are several factors that are coming together that have threatened this business model.
• Fintech – Financial technology (“Fintech”) companies are those companies that use software to deliver financial products. Today one of the most recognizable fintech companies is PayPal. Using just a smart phone, PayPal gives its users the ability to make payments, pay bills, deliver gift cards and conduct financial transactions with people throughout the country. For community banks, the knowledge of the existence of PayPal is interesting, but what is more critical is the reason that PayPal was developed. PayPal and its fintech brethren exist to fill a specific need that banks were not meeting.
• NBFI – The Operation Chokepoint program was a program spearheaded by the Justice Department that was aimed directly at Non-Bank Financial Institutions, aka Money Service Businesses. At the time the program was started, a decision was made that money service businesses represented an unacceptable money laundering risk. Ultimately, Operation Chokepoint fell into disrepute and was ended. Although Operation Chokepoint has ended, its legacy is still prevalent. MSB’s still have significant problems getting bank accounts. Despite this fact, the amount of money moved through remittances continues to grow. MSB’s continue to serve this market for a huge population of people who are unbanked and underbanked.
• Underbanked and Unbanked- The number of unbanked and underbanked families continues to grow. Unbanked families are those without a bank account and underbanked families are those that use minimal banking services. The number of people in these families totaled approximately 90 million in 2016. Equally as important as the sheer size of the unbanked and underbanked population is the reason that many of these potential customers remain that way. High fees, poor customer service and bad public image have all been contributing factors for the large population of unbanked and underbanked customers.

Customer Bases in the Future

The combination of these forces will greatly impact the future of the business model for community banks. Customers will continue to change their expectations for their financial institutions. The traditional balance has changed: instead of being forced to choose among the products that financial institutions offer, customers have come to demand products from their companies.

The financial needs of customers have also changed. Electronic banking, online account opening, remote deposit capture and iPhone applications are now almost necessities. Younger customers, who make up a significant number of the unbanked and underbanked population, rarely use traditional forms of community banking such as branch visits. Fast information, fast movement of money, low-cost transactions and accessibility are most desirable to the potential clients of today’s financial institutions.

Implications for the Small Bank Business Model

Fintech companies, NBFI’s and the need for new and different services presented by the unbanked and underbanked population will all continue to put pressure on community bankers to begin to make a change. Change may be hard, but it is also inevitable and necessary. For community banks and credit unions, now is a good time to consider NBFI’s as viable and important customers. They are a vehicle for consumers to meet their ongoing needs and they need bank accounts.

Fintech companies’ reason for existing is to fill the unmet needs of the unbanked and underbanked. These companies have developed applications that allow everything from alternate means of credit scoring to international transfer of funds using applications. A community bank or credit union that creates a partnership with the right fintech company can offer products and services that will greatly distinguish them in the market and allow for continued growth and alternate means of income. 2018 is a great time to start thinking about a new business model.

 

 

Section 1071 of the Dodd Frank Act- A New Look at Fair Lending – A Two-Part Series Part One- Towards a LAR for Commercial Loans


As the dust settled from the financial meltdown of 2008, there were a large number of new significant regulations to consider. The qualified mortgage rules, mortgage servicing rules and appraisal valuations all garnered a great deal of attention and focus. Of course, due to the impact of these rules, this attention was well deserved. However, as the dust settles from getting compliance programs in place, it is time to give attention to future regulatory requirements.

One of the most significant of the future regulations is section 1071 of the Dodd Frank Act. This section amends the Equal Credit Opportunity Act (AKA Reg. B) to require banks to gather information about applicants for commercial loans. The information that will be gathered is very similar to information that is currently required by the Home Mortgage Disclosure Act (HMDA). Many believe that the future of this regulation is in doubt due to the general hostility of the current presidential administration to the Dodd Frank Act. Regardless of whether this regulation becomes fully implemented, the information that it requires is well worth considering.

 

Specifics

For the time being, this section of the Dodd Frank Act has been put on hold until the implementing regulations have been written.  There are many who believe the future of the CFPB is in doubt, but merely hoping things change is not a successful strategy.  Earlier in 2017, the CFPB started taking comments on the regulation with an eye toward developing a final rule early next year. It is likely the regulation will be implemented in some form early in 2018.

What is the type of information that is required?  So far, the list of information required is as follows:

 

(1) IN GENERAL.—Each financial institution shall compile and maintain, in accordance with regulations of the Bureau, a record of the information provided by any loan applicant pursuant to a request under subsection (b).

(2) ITEMIZATION.—Information compiled and maintained under paragraph (1) shall be itemized in order to clearly and conspicuously disclose—

(A) the number of the application and the date on which the application was received;

(B) the type and purpose of the loan or other credit being applied for;

(C) the amount of the credit or credit limit applied for, and the amount of the credit transaction or the credit limit approved for such applicant;

(D) the type of action taken with respect to such application, and the date of such action;

(E) the census tract in which is located the principal place of business of the women-owned, minority-owned, or small business loan applicant;

(F) the gross annual revenue of the business in the last fiscal year of the women-owned, minority-owned, or small business loan applicant preceding the date of the application;

(G) the race, sex, and ethnicity of the principal owners of the business; and

(H) any additional data that the Bureau determines would aid in fulfilling the purposes of this section.

(3) NO PERSONALLY IDENTIFIABLE INFORMATION.—In compiling and maintaining any record of information under this section, a financial institution may not include in such record the name, specific address (other than the census tract required under paragraph (1)(E)), telephone number, electronic mail address, or any other personally identifiable information concerning any individual who is, or is connected with, the women owned, minority-owned, or small business loan applicant.

When the regulation is enacted, what will be required?  Why are the regulators doing this to us?   In reverse order, the reason given for this change to the ECOA is as follows:

“The purpose of this section is to facilitate enforcement of fair lending laws and enable communities, governmental entities, and creditors to identify business and community development needs and opportunities of women-owned, minority owned, and small businesses” [1]

Put another way, the purpose of the collection of this information will be to allow banks, economists and regulators to more completely and accurately determine the types of loans that are being requested by minority- and women-owned businesses. Presumably, the collected data will be used to provide regulators with tools to craft legislation to help expand fair lending laws and rules to the commercial lending area. The merits of whether these regulations should be expanded to commercial lending will be discussed in part two of this blog.

There are some unique features to the requirements of this law. For example, the lending staff member who is doing the underwriting is NOT ALLOWED to ask the questions required by the law:

Where feasible, no loan underwriter or other officer or employee of a financial institution, or any affiliate of a financial institution, involved in making any determination concerning an application for credit shall have access to any information provided by the applicant pursuant to a request under subsection (b) in connection with such application.[2]
The idea here is this information must not be part of any credit decision, and the bank is under an obligation to present evidence that this information has been segregated from the credit decision.  Therefore, even in cases where there are too few staff members to totally segregate the collection of the information from the loan staff, a protective wall still must be created.

If a financial institution determines that a loan underwriter or other officer or employee of a financial institution, or any affiliate of a financial institution, involved in making any determination concerning an application for credit should have access to any information provided by the applicant pursuant to a request under subsection (b), the financial institution shall provide notice to the applicant of the access of the underwriter to such information, along with notice that the financial institution may not discriminate on the basis of such information[3]

 

The time is coming when this information must be collected, and the bank must make sure that, once it is collected, the information has no impact on the credit decision.

 

Implications for the Future

What does this regulation mean for the future? It is, of course, difficult to predict the future with any real accuracy. However, it is clear that the trend for regulations is that the scope and influence of fair lending and equal credit opportunity laws will increase over the next decade. It will be increasingly important for banks to determine with detail the credit needs of the communities they serve. Moreover, there will be increased emphasis on banks’ ability to show how the credit products being offered meet the credit needs of that same community.

Why not start now?

The obvious question to ask is with all of the regulations that are coming into effect at this point  and the resulting requirements, why start dealing with a regulation that has not come into existence?  Why not cross that bridge when we come to it? In fact, there is a chance that this law may never get an implementing regulation.

Delay will result in higher costs and increase the risk of noncompliance. Whether or not Section 1071 is implemented within the next year or the next few years, information about the borrowers you serve and the products that you offer to serve them should be part of your strategic plan, fair lending plan and CRA plan. This information will be a critical component of showing your regulators that you are a vital part of the local economy and community. Moreover, this information should be a critical part of your institution’s drive to reach out to the new customers who are currently among the large number of unbanked and underbanked. This pool of potential customers is one of the keys to successful banking in the future. In fact, whether or not the regulation is ever implemented, developing information on women- and minority-owned businesses will be a key strategic advantage for the financial institutions that realize the vast potential that these business owners present.

In Part Two of this blog, we will make the case for collection of information on loans to women- and minority-owned businesses regardless of regulation requirements.

 

Why Should Small Financial Institutions Perform Compliance Risk Assessments?   


The concept of risk assessments is often associated with large banks and financial institutions – but it shouldn’t be.  Oftentimes, the ugly truth about risk assessments is that they are prepared specifically to meet a regulatory requirement and not much more.  The common practice is to perform an annual risk assessment for BSA, get it approved and for the most part, put it away and don’t think about it again until the next year.  The completion of this risk assessment is performed to meet regulatory requirements and not much else.    Risk assessments of the overall compliance program are rare, due to many factors including lack of time and resources.

Risk assessments can, and should, be used as a tool in the overall compliance toolkit. When a compliance risk assessment is properly completed and deployed, it has many uses, including audit planning, cost reduction, training development and resource allocation, to name a few. Ultimately, the risk assessment should be used as the bedrock of a strong compliance program.

 

The Component Parts of a Strong Compliance Risk Assessment

 

Past examination and audit results– It goes without saying that the past can be a prelude to the future, especially in compliance. Prior findings are an immediate indication of problems in the compliance program. It is important that the root cause of the finding is determined and addressed. The compliance risk assessment must include a description of the cause of the findings and the steps being taken to mitigate the risk of a repeat. We recommend that the action should be more than additional training. However, without testing to determine whether the training is effective, the risk of repeat findings remains high. It should also be noted that a lack of past findings does not necessarily mean that the coast is clear. Each compliance area should be reviewed and rated regardless of whether there were past findings. In some cases, there are findings that are lying in wait and have not yet been discovered.

Changes in staff and management– Change is inevitable, and along with changes comes the possibility that additional training should be implemented or that the resources available to staff should also change. For example, suppose the head of Note Operations is brand new. This new manager will want to process loans using her/his own system. Loan staff who may be used to doing compliance checks at certain times during the loan origination process might become confused. This increases the possibility of findings or mistakes. Your compliance risk assessment should consider the risks associated with changes and how best to address them.

Changes in products, customers or branches-It is important that your risk assessment consider all the different aspects of changes that have occurred or will occur in the Bank during the year.  This will include any new products or services, new vendors and marketing campaigns that are designed to entice new types of customers.  The risk assessment should consider what resources will be required and how they should best be deployed.  Before new products are introduced, the compliance team should consider the time necessary to make sure that all of the processes are in place.  New advertising means both technical and fair lending compliance considerations.

Changes in Regulations– Over the past five years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies. Many of these changes do not impact small financial institutions directly, but many do. Moreover, there are often regulations that are finalized in one year that don’t become effective until the following year. Part of your risk assessment process must consider changes that affect your bank or will affect your bank. As a best practice, it is advisable to review the annual report of your regulator to determine the areas of focus that are planned for the year. Regulators are transparent with this information and their publications will indicate areas of examiner focus for the upcoming year.

Monitoring systems in place – Finally, the systems that you use to monitor compliance should be considered. For many small institutions, this system is comprised of word of mouth and the results of audits and examinations. Part of your assessment should include a plan to do some basic testing of compliance on a regular basis. After all, an ounce of prevention…

 

The Analysis

Once you have gathered all the information necessary for completing the analysis, we suggest using an analysis that doesn’t necessarily assign numbers to risk, but prioritizes the potential for findings. Remember, the effectiveness of your compliance program is ultimately judged by the level and frequency of findings. The effective risk assessment reviews those areas that are most likely to result in findings and develops a plan for reduction.

 

Inherent Risk

For each regulation that applies to your institution, you must first determine the level of inherent risk. According to the Federal Reserve Bank, inherent risk can be defined this way:

 

“Inherent consumer compliance risk is the risk associated with product and service offerings, practices, or other activities that could result in significant consumer harm or contribute to an institution’s noncompliance with consumer protection laws and regulations. It is the risk these activities pose absent controls or other mitigating factors.”[1]

Your compliance risk assessment should consider the inherent risk associated with each product that is offered.  For each regulation, consideration should be given to the penalties associated with a violation. As a best practice, the likelihood of review of the area by regulators should also be factored into the overall level of inherent risk.  For example, flood insurance is an area that is likely to be examined every time the examiners conduct a review and this should factor into the overall inherent risk rating of the area.

Effectiveness of Controls  

Once the inherent risk has been established, the next step is to assess the overall effectiveness of internal controls.  Your internal controls are the policies, procedures, training and monitoring that are performed on a regular basis.   This includes audits and internal reviews that are performed by the compliance department.

To complete the analysis, it is necessary to be self-reflective, honest and brutal!  If staff is weak in its understanding of the requirements of Regulation B, it is necessary to plan to address the weakness.   If more training is necessary, or if, heaven forbid, a consultant is needed in certain areas, it really is appropriate as part of the assessment to say so and attempt to make the case to management.  We have found that the cost of compliance goes up geometrically when faced with enforcement action.  It is much more efficient to seek the assistance when there are only potential problems as opposed to when actual problems have been found.

 

Residual Risk  

Residual risk is defined as the possibility that compliance findings will occur after consideration of the effectiveness of controls.  The less effective the controls, the higher the residual risk.  Again, it is critical that the assessment in this area be brutally honest.  If overall controls are not what they should be, the weaknesses that exist should be reflected in the risk assessment.  The goal of the assessment is to determine the areas that have the highest levels of risk and to allocate resources accordingly.

Using the Document

The compliance risk assessment is like a Swiss Army knife: it has several uses.  First, the compliance risk assessment should be used to help with the planning and scoping of audits for the year.  The highest areas of risk should receive the greatest scrutiny by the auditors.  Moreover, the highest risk areas should be scheduled for review as early in the year as possible so that remediation efforts can be commenced and tested.

Rather than setting a basic training schedule, use the assessment to make sure that classes are focused on areas where the risk assessment has shown the potential for problems.    The risk assessment can also be used to set the priorities for which policies and procedures need to be updated and in what order.  The compliance risk assessment is a good tool for measuring the level and quality of compliance resources. As part of the risk assessment process, the level and quality of resources must be considered.   As the process is concluded, it is natural to use the results to develop specific requests for additional staff, software, training or other resources that are necessary to maintain a strong compliance program.

Creating the Compliance Environment

Probably the greatest untapped asset for any compliance officer is the staff at your institution.  Without the support and input of the people who are contacting customers and performing day-to-day operations, the effectiveness of your compliance program will be greatly limited.  Of course, one of the greatest impediments to getting the “buy-in” of staff is the perception of compliance that many in the banking industry have.  There is generally dislike and disdain for anything compliance related.  Compliance rules have been developed over time in response to unfair and sometimes immoral behavior on the part of banks.  Most of the regulations have a history that is interesting and can help explain what it is that the regulation is attempting to address.  Taking the time to discuss the history of the regulations and what it is that they are trying to address can go a long way toward getting staff involvement.  Making sure that senior management accepts the importance of compliance and the costs of noncompliance can help increase support.

A comprehensive compliance risk assessment should be the key to a strong compliance program. Using the results of the compliance risk assessments to plan the compliance year and deploy resources can be a very effective tool towards reducing compliance risks.

[1] COMMUNITY BANK RISK-FOCUSED CONSUMER COMPLIANCE SUPERVISION PROGRAM

Getting to the Root of the Problem- An Important Step for Strong Compliance

 


You have just received word that the compliance examiners are coming.  So now it is time to get everything together to prepare for the onslaught, right?   Time to review every consumer loan that has been made and every account that has been opened in the last 12 months, right? Not necessarily; the compliance examination is really an evaluation of the effectiveness of your compliance management program (“CMP”).  By approaching your examinations and audits as a test of the compliance program, the news of an upcoming review becomes (almost) welcome.

Because the examiners are ultimately making an assessment of the CMP, it is critical to understand the overall effectiveness of your program from the outset.  In particular, it is necessary to be able to detect and analyze the root cause of compliance problems at your institution.

 

The Elements of the CMP

There is really no “one size fits all” way to set up a strong compliance program.  There are, however, basic components that all compliance management systems need.  These components are often called the pillars of the CMP.  The pillars are:

 

  • Board Oversight
  • Policies and procedures
  • Management Information systems including risk monitoring
  • Internal Controls

 

The relative importance of each of these pillars depends on the risk levels at individual institutions.  The compliance examination is a test of how well the institution has identified these risks and deployed resources.  For example, in a financial institution that has highly experienced and trained staff coupled with low turnover, the need for fully detailed procedures may be minimal.  On the other hand, when new products are being offered regularly, the need for training can be critical.  The central question is whether the institution has identified the risks of a compliance finding and, having done so, taken steps to mitigate those risks.

Making the CMP fit Your Institution

 

Making sure that your CMP is right-sized starts with an evaluation of the products that are being offered and the inherent risk in that activity.  For example, consumer lending comes with a level of risk.  Missed deadlines, improper disclosures or misinterpretations of the requirements of the regulations are risks that are inherent in a consumer portfolio.  In addition to the risks inherent in the portfolio are the risks associated with the way the institution conducts its consumer business.  Are risk assessments conducted when a product is going to be added or terminated?  Both adding and ending a product can create risk.  For example, the decision to cease HELOCs may create a fair lending issue, while the decision to start making HELOCs should consider the knowledge and abilities of the staff that will be making the loans and the staff that will be reviewing for compliance.

 

As a best practice, compliance has to be a part of the overall business and strategic plan of a financial institution.  The CMP has to be flexible enough to absorb changes at the bank while remaining effective and strong.

 

The True Test of the CMP

 

Probably the most efficient way to determine the strengths and weaknesses of the CMP is by reviewing the findings of internal audits and examinations.  Most important is determining what caused the problem.  Moreover, not only the findings, but the recommendations for improvement that can be found in examination and audit reports can be used to help “tell the story” of the effectiveness of the CMP.  It is very important to determine the root cause of the finding.  Generally, the answer will be extremely helpful in addressing the problem.  There are times when the finding is the result of a staff member having a bad day.  On those bad days, even the secondary review may not quite catch the problem.  For the most part, these are the types of findings that should not keep you up at night.

 

The findings that cause concern are the ones that result from lack of knowledge or lack of information about the requirements of a regulation.  These findings are systemic and tend to raise the antenna of auditors and examiners.  Unfortunately, too often the tendency is to respond to this kind of finding by agreeing with it and promising to take immediate steps to address it.  Without knowing the root cause of the problem, the fix becomes the banking version of sticking one’s finger in the dike to avoid a flood.

 

Addressing Findings

 

We suggest a five-step process to truly address findings and strengthen the CMP.

 

  1. Make sure that the compliance staff truly understands the nature of the finding.  This may sound obvious, but far too many times there is a great deal lost in translation between the readout and the final report.  If staff feels like what was discussed at the exit doesn’t match the final report, there is a communication concern.  We recommend fighting the urge to dismiss the auditor/examiner as a zealot!  Call the agency making the report and get clarification to make sure that the concern that is being expressed is understood by staff.

  2. Develop an understanding of the root cause of the finding.  Does this finding represent a problem with our training?  Perhaps we have not deployed our personnel in the most effective manner.  It is critical that management and the compliance team develop an understanding of why this finding occurred in order to address it most effectively.

  3. Assign personnel responsible, along with an action plan and benchmark due dates.  Developing the plan of action and setting dates builds accountability for ensuring that the matter is addressed.

  4. Assign an individual to monitor progress in addressing findings.  We also recommend that this person should report directly to the Audit Committee of the Board of Directors.  This builds further accountability into the system.

  5. Validate the response.  Before an item can be removed from the tracking list, there should be an independent validation of the response.  For example, if training was the issue, the response should not be simply that all staff have now taken the training.  The process should include a review of the training materials to ensure that they are sufficient, feedback from staff members taking the training, and finally a quality control check of the area affected.

Not only does determining the root cause of a problem make the response more effective, but in doing so, the CMP will be strengthened.  For example, it may be easy to see a problem with right of rescission disclosures.  It may be harder to see that the problem is not the people at all, but that the training they received is confusing and ineffective.  Only by diving into the root cause of the problem can the CMP be fully effective.