Detailed Notes on Compliance

Payment and Income

  • Commercial portions of customer payments eventually balance out.
  • This balance is monitored by prudential regulators like FDIC, OCC, and the Fed.
  • States are also increasingly involved by enacting their own rules.

State Regulations

  • State laws are becoming increasingly important to monitor.
  • New York is setting trends in areas like debt, junk fees, and cybersecurity, influencing other states.

Compliance Responsibilities

  • Compliance is the duty of every employee, not just a single person.
  • Lenders, whether consumer or commercial, play a key role in the compliance journey from application to servicing.

What it Means to Be Compliant

  • Compliance means adhering to all applicable laws, rules, and regulations at the federal, state, local, and tribal levels.
  • Flood insurance is a key local regulation. Its applicability depends on whether a structure is permanently affixed according to local rules (e.g., manufactured homes).
  • Compliance involves taking an independent stance and understanding how one's actions affect the overall regulatory requirements.

Compliance Officer's Role

  • Compliance officers define regulatory requirements and offer guidance, but shouldn't dictate the precise steps to compliance.
  • The method of achieving compliance lies with the individual, provided it's legitimate and legal.

Evolution of Examinations

  • Examinations have evolved from simple conversations about fair lending programs.
  • Examiners now require documented policies and procedures, even if not explicitly mandated by the rules, to aid new examiners and ensure consistency.
  • If it's not documented, it didn't happen.

Compliance Risk Management Program

  • Unlike BSA programs, there's no specific regulation for a compliance risk management program, but it is expected by regulators.
  • Financial institutions "must develop and maintain a sound compliance management system (CMS)."
  • CMS is already laid out in exam manuals.
  • Examiners follow the exam manual, and institutions should prepare accordingly.
  • It's preferable for institutions to identify their own mistakes before an examiner does.
  • Since February, the CFPB has been tasked with approaching for all exams as the banks.

Examiner Variations

  • Each examiner does things differently. OCC examiners, for example, are keen on veteran-related initiatives.

Key Elements of a Compliance Management System

  • CMS, compliance program, and compliance risk management all emphasize risk assessment.
  • Risk assessment is the most critical CMS component: If you don't know where the risk is, you cannot manage it.
  • Engage the "doers" in identifying risks. They have better insights than compliance officers.
  • Risk assessments should consider diverse areas like deposit operations (account openings, deposits, wires, transfers, Reg E, checks).

Scope of Risk Assessment

  • Risk assessments aren't limited to deposit and loan departments; finance and servicing areas should be included.
  • They should encompass the entire enterprise.

Board and Management Oversight

  • Effective compliance starts with board and management oversight (tone from the top).
  • A culture of compliance is essential, where everyone accepts responsibility as part of their role.

Program Components

  • Key program components include policies, procedures, training, monitoring, and auditing.
  • Monitoring and auditing overlap; both involve self-policing to identify and rectify mistakes proactively.

Self-Policing

  • Self-policing means identifying and rectifying mistakes proactively.

Board's Responsibility

  • The board is ultimately responsible for compliance.
  • Compliance applies to both commercial customers and individual (consumer) customers, though not all rules apply equally.

Risk Assessments and Change Management

  • Risk assessments should be ongoing, not a one-time event.
  • Change management is crucial, especially when employees leave or retire.
  • Job sharing and backups can mitigate risks associated with personnel changes.

Regulatory Perspective

  • The regulatory goal is to ensure operations align with laws, rules, and regulations.
  • Guidance documents clarify rules, but shouldn't create new requirements.
  • The focus of the current administration is on consumer harm prevention.

Root Cause Analysis

  • Significant complaints indicate potential consumer harm, prompting a root cause analysis.
  • Reputational risk should always be considered.

Communication and Expectations

  • Communicating compliance responsibilities is essential.
  • Examiners focus on detecting, preventing, and correcting issues.
  • Consent orders often stem from a lack of an effective compliance risk management program.

Addressing New Products and Services

  • The need for policies on new products depends on whether they will be pursued in the future or are a one-time event.
  • All exceptions to a new product must be documented.

Tone from the Top

  • Leadership sets the tone: Compliance is important and incorporated into daily operations.

Meaningful Communication and Quantification

  • Examiners expect meaningful conversations about compliance, not just regurgitation of rules.
  • This highlights the importance of using metrics, losses, dollar amounts, and actual cases to quantify risk impacts.

Important Roles

  • A board-appointed compliance officer is essential, as is a collaborative committee including diverse groups.
  • At least one board member should serve on the compliance committee.

Capital and Earnings

  • Compliance impacts both capital and earnings; it's not just overhead.
  • Noncompliance can lead to significant costs like consent orders and audits.

Staff Involvement

  • Staff should communicate concerns and ideas to management.
  • Risks include credit, interest rate, liquidity, price, operational, strategic, and reputational factors.

Managing Compliance Risk

  • Effective compliance risk management involves identifying, measuring, monitoring, and controlling risks.
  • Programs should be tailored to an institution's risk level, products, services, and geography.

Key Expectations

  • Key expectations are board oversight, clear directions, clear responsibilities, and accountability.
  • Policies should address common exceptions.
  • The compliance officer should receive copies of all exceptions for tracking purposes.

BSA and Compliance Exceptions

  • BSA exceptions require BSA officer approval and potentially board approval.

Risk Assessment Does Not Identify Rule Violations

  • What it is: it tells you what to look for (threats, vulnerabilities, controls).

Risk-Based Focus

  • While focusing on higher risks, you still need to comply with everything.
  • One must be ready to touch it all to make sure it is still good.

Collaboration

  • The takeaway: talk to each other to identify weaknesses and risks.

Risk Assessment Components

  • It's a living, breathing thing: the identification, evaluation, and estimation of risks involved within an organization in terms of products, services, people, processes, and much more.

Geography Component

  • Depending on how good or bad it is, one must continue monitoring that risk.

Interest Rate, Market, Cyber Risk and More…

  • Many of these can have a large impact on a company's operations!