Best Compliance Practices

On-the-ground expert insights on common pitfalls and examination expectations

By Karen Epper Hoffman

The more regulations change, the more compliance burdens stay the same. For community banks, this is particularly true.

Community banks are facing down emerging regulations and guidelines, particularly those surrounding the new qualified mortgages and other consumer protections. They are also looking at potentially heightened scrutiny on their compliance with existing regulations. What this means is an increased demand to be more scrupulous than ever about managing regulatory activities, whether related to safety and soundness or consumer protection. “It’s all about the risk and risk management,” says Jeff Rigsby, president and CEO of CB Resource Inc. in San Juan Capistrano, Calif. “Regulators across the board are looking for more rigor and management here.”

Finally pulling out of the economic downturn that followed on Wall Street’s financial crash, Rigsby believes that “regulators don’t want history to repeat itself.” While community banks have long held a reputation for knowing their customers well, regulators in some cases may have concerns that a difficult lending market and earnings pressure may be nudging some banks to venture into new territories that carry unanticipated risks, he adds.

Stephanie Kalahurka, an attorney with Spencer Fane Britt & Browne LLP in Kansas City, Mo., says that while most new Consumer Financial Protection Bureau regulations go into effect next year (and several do not specifically affect community banks), regulators are already looking to see whether community banks are implementing new rules or considering them in their planning processes.

Jennifer C. Kelly, senior deputy comptroller for midsize and community bank supervision in the Office of the Comptroller of the Currency, says there has been a “lot of interest and … a lot of concerns on the new qualified mortgage rule”—which are being adjusted in response—as well as requests for more clarity on the CFPB’s consumer protection rules.

“There is a lot of concern from community bankers about what might be coming,” Kelly says. At the same time, the OCC and other regulators are “keeping a close eye” on long-time-held regulations like the Bank Secrecy Act and shifting more focus to safety and soundness, where, she admits, “We’ve seen some deficiencies.”

According to Jeffrey Tisdale, managing partner of Tisdale & Nicholson LLP of Los Angeles, Calif., this is all part of a “back-to-basics approach from the bank regulatory agencies.” He says they are now refocusing on issues like BSA, anti-money laundering regulations and safety and soundness issues on the corporate side. New regulations affecting mortgage loans will also be scrutinized closely.

At the same time, Kelly stresses that community banks have historically done very well managing their risks—with more than three-quarters maintaining a satisfactory regulatory rating during the tumultuous economic downturn. “Community banks do a great job in providing products and services to retail customers and small businesses,” she says. “We want to apply rules in a way that does not create undue burden on the banks, but also be smart in the way we apply the regulations.”

With so much on their compliance plate, community banks need to start somewhere if they want to be prepared for the new demands of today’s regulatory environment. The following suggestions from consultants and agency officials address how to get started.

Formulate a plan. “My advice for bankers is always to formulate a written action plan, since there’s so much to capture,” Lucas says. She suggests that bankers take a “multi-layered approach” to putting their plans to paper, often doing something as simple as taking the CFPB’s readiness guide and turning its suggestions into a “checklist.”

Community banks should start putting together their action plans as soon as possible, she adds, suggesting they set an internal deadline of mid-December to “tie up loose ends” and be ready for examination.

Review results from the last exam. If there is one thing for certain, it’s that regulatory examiners will pay added attention to any areas of concern that were pointed out in previous exams. Angela Lucas, vice president for compliance with Brode Consulting Services Inc. in Ravenna, Ohio, suggests carefully combing through the last exam report as well as any internal audit reports to see which (if any) items were cited, what recommendations were made and (perhaps most important) what follow-up has been done.

“If there’s something not yet completed,” she says, “it may help to show you’re progressing on it.”

Keep asset quality high. With the capital rules changing and so many banks competing for the same pool of customers, be careful about risk and capital planning. “Banks are looking for returns anywhere they can get them,” says Kelly, adding that as they build in more risk, they just need to do so mindfully.

A potential renewed focus on safety and soundness and the added demands of Basel III have also put strategic risk and what banks are doing to create capital in the cross hairs, says Rigsby. “Asset quality is a hot button and always will be,” Lucas says.

Know your bank’s risk appetite. Boards of directors and senior management are instrumental in establishing and articulating a bank’s particular risk profile, which should align with the bank’s overall goals and culture, Rigsby says. “You can even have a high-risk appetite,” he adds—as long as the bank’s managers and compliance executives are aware of it and can show that it’s being properly managed.

“If you can identify the risk, measure it, monitor it and control it, if you have a program to say ‘this is how we do these four things,’ then you will be out in front of what the regulators are looking for,” he adds.

Document, document, document. Community bankers are, by nature, good risk managers. But the current regulatory environment puts a higher premium on being able to document risk management and communicate methodology, Rigsby says. “There is now a higher standard of documentation.”

An example Tisdale points out: When it comes to emerging consumer protection regulations in specific, be meticulous in proving that your bank has appropriately prequalified borrowers.

Involve the board and C-suite. One of the areas where community banks have been succeeding, according to Tisdale, is that they are “not fighting regulatory initiatives, in fact they have integrated that compliance focus and moved compliance issues to a higher point on the agenda, from the corporate suite to bank tellers.” Indeed, more top executives and board members are taking more of an interest in compliance, if for no other reason than not wanting to run afoul of examiners.

But experts say the heightened attention to compliance can also help from a strategic risk standpoint. Indeed, the title “chief risk officer” is popping up more frequently, says Elizabeth Fast, partner with Spencer Fane Britt & Browne LLP in Kansas City, Mo.

Work together across lines of business. Community banks have made headway in moving away from the siloes of business that used to create dissonance in regulatory exams, says Lucas, who used to work as an OCC examiner. Lately, she says, she has seen a shift, as more community bankers are crossing departmental lines to work together more closely on compliance issues. That is likely to increase, she says, as more regulatory examiners and bank boards of directors hold bank staff accountable for maintaining consistent compliance throughout the institution.

Put together a compliance committee. One way for upper management and varied lines of business to all come together to focus on compliance directives is to task a cross-departmental committee to handle the oversight. A compliance council should include the bank’s chief compliance officer, any bank officers involved in compliance for individual departments or representatives from bank departments, such as those for lending and deposits and loan processing, and sometimes an internal auditor, Lucas says.

“If banks haven’t already put together a compliance committee with staff and senior executives to oversee safety and soundness and CFPB issues [among other issues], they should,” Tisdale adds. “This will have a lot of impact on the bottom line of companies and could also cost them in terms of lost opportunities and [potential] violations.”

Let the compliance officer focus on compliance. The compliance officer, if a bank had one, often “used to wear several hats,” says Lucas. Now, as regulatory compliance has risen as a priority, she adds, “I’m seeing more compliance officers now who are solely responsible for compliance.” The shift, she believes, began nearly a decade ago as regulators began focusing on the BSA compliance. Now, with new regulations coming down the pipe, consultants underscore that it’s critical to have a point person for whom compliance is the central focus.

Work with vendors. Outside vendors may be tripping up some of their bank customers. According to Kelly, technology advancements and increased reliance on third parties to provide services has meant that some banks are skimping on the proper due diligence upfront and the ongoing monitoring during the relationship. So, if that vendor is responsible for unfair or deceptive practices or is taking on undue risk, it is the bank that will be most effected.

“The banks retain the ultimate responsibility for what a vendor does on their behalf,” Kelly says.

Also, work more closely with vendors to affect the changes necessary to meet new regulatory demands. Case in point: Fast points out that new regulations forced a couple of her community bank customers to extend the cutoff time on loan payments to later in the day, even though that was not within the boundaries of the loan processor for the banks. The banks had to work with their vendors to make sure they could extend their payment processing hours to meet the regulatory need.

Investigate cyber-risks. As banks depend more on Internet-based systems for internal and customer-facing functions, their cyber-risks increase. Lucas has seen community banks falter in not properly controlling and monitoring their social media presence—another online area where they could run afoul of regulatory compliance.


Karen Epper Hoffman is a financial writer currently living in Europe.

Top