Establishing a comprehensive Compliance Management System
By Mary Thorson Wright
The world seems abuzz about so-called reality television. The typical scenario from such programs places a group of participants in demanding, problematic or adversarial situations for which they must bond as a team and develop viable solutions.
Does it sound like “reality compliance”? That may not be far from the truth. The demands of managing regulatory compliance are uncontested, and depending on the disposition of the participants inside and outside of the bank, compliance management exists with varying degrees of problems and adversity.
Through guidance, each of the federal bank regulators prescribes a Compliance Management System (CMS) as the framework for an effective compliance solution. Although they vary by format, the content of the agencies’ guidance includes consistent broad-spectrum elements, which may seem largely theoretical, but their framework can be used effectively to manage regulatory requirements and changes. To make the CMS framework effective, every community bank needs to customize it in the context of its profile and performance.
According to the regulators, a CMS is how a financial institution:
- learns about its compliance responsibilities;
- ensures that employees understand these responsibilities;
- ensures that requirements are incorporated into business processes;
- reviews operations to ensure responsibilities are carried out and requirements are met;
- and takes corrective action and updates materials as necessary.
Just how can your community bank do all of those things? Well, it can do them through your compliance officer, working in concert with executive management, operational managers, business line managers and auditors.
Hands-on employees can benefit from a broader awareness of the regulatory picture.
To learn about compliance responsibilities, first understand your bank’s activities and what they mean in terms of specific regulatory requirements. Executives are likely more familiar with concepts of compliance management and the day-to-day activities that support it. Hands-on employees can often benefit from a broader awareness of the regulatory picture and its connection to what they do every day.
Here are sets of questions to ask to begin to assess your bank’s CMS, and the purpose behind asking and answering those questions:
Questions: Under what bank charter do we operate? What agency is our prudential federal regulator? Do we also have a state regulator? What is the bank’s asset size, and does that impose any special rules?
Purpose: Federal interagency policies and procedures have greatly streamlined their CMS requirements; however, some matters require adherence to agency-specific guidance or may be based on state laws or banking rules.
Questions: What products and services does our bank offer? What regulatory requirements apply to each of those products and services? Do we offer and administer products and services directly, or do we use third parties to offer or administer them?
Purpose: Your bank has the responsibility to manage compliance for any product, service or activity it offers or administers directly and for those offered or administered through third-party vendors.
Questions: If certain compliance requirements don’t apply to our bank (for instance, because we currently do not offer products or services to which they apply, or our bank currently does not meet the criteria for coverage, such as an asset-size threshold), do we have sufficient controls in place to monitor and confirm that ongoing, or to identify changes that cause us to take action?
Purpose: Compliance management changes must be evaluated for significant events, such as adding products or changing product terms, asset-size fluctuations, changing the bank’s charter to a different regulator, and opening or closing branch offices. The challenge often is to make those significant events visible.
Prepare staff to use CMS
A Compliance Management System is the method by which a bank manages its entire consumer compliance process. In a three-part series starting this month, Independent Banker discusses the foundation for establishing and using a Compliance Management System. In the September and October issues, look for articles that address how the compliance management audit function as well as the role of the board of directors and senior management in executing and overseeing a comprehensive compliance program.
To ensure employees understand compliance responsibilities and why their performance is important, a two-pronged approach is desirable: preparatory training, and feedback on actual performance for reinforcement.
Compliance is a unique discipline, and most people don’t just know compliance, like something they would learn from family members or study in public school. Training in specific requirements is necessary—due in some part to the expansive nature of compliance subjects, variable banking scenarios, and the volatile nature of compliance rules and technical requirements over time.
Aristotle believed in a “triptych” presentation method: “Tell them what you are going to tell them, tell them, then tell them what you told them.” You may count three times (or seven!) that you relate certain compliance information, but do it no fewer than two times—first, during the upfront training.
Training also may be needed as feedback after compliance shortfalls are identified, and even in the absence of problems, periodic refresher training offers reinforcement and creates a venue to field questions that may be hovering beyond detection.
To incorporate compliance into business processes, a culture of compliance that fosters open communication among compliance, operations and business lines is crucial. Compliance is frequently misunderstood. It is not a revenue generator, but rather a revenue and asset protector, and business and compliance have a symbiotic relationship.
Compliance doesn’t function effectively in a silo of solitary confinement, and the business does not produce with maximum value without the risk-management activities of compliance. Compliance execution will not be achieved, deadlines will not be met, and business will forfeit the value of so many employee hours working with customers and business partners in the absence of a strong team alliance.
Checks and balances are needed to ensure operational responsibilities are carried out and requirements are met. A good compliance management process should have you literally going in circles—train, implement, test, repeat!
Based on compliance performance, take corrective action, train and update materials as necessary. Testing and monitoring allows allocation of resources to the most urgent tasks. If compliance is running like a well-oiled machine for certain areas, you can divert some resources to other matters.
Apply real-world examples
Preparing for the upcoming Home Mortgage Disclosure Act or Military Lending Act (MLA) changes could be used as examples of assessing CMS performance. Here are sets of relevant CMS questions your community bank should ask:
- Does HMDA (or the MLA) apply to our bank? What are the criteria for coverage? Are we meeting those criteria? Is coverage imminent?
- If the law or regulation applies to us, what changes will be required? What departments, people, products, policies and procedures are affected? Have we determined how systems, processes and documents will need to be changed or what new resources are needed?
- What is the effective date for compliance? The effective date for most of the HMDA changes is Jan. 1, 2018, and although the effective date for compliance with the MLA was Oct. 1, 2015, compliance is mandatory by Oct. 3, 2016. What does the timeline need to look like to achieve compliance and complete testing by or before those dates? What training should be provided and to whom?
At this point, most HMDA-reporting banks have established a practice and brought employees under the tent for a sound HMDA compliance process. Now the industry is challenged by the addition of 25 new data points, 14 fields modified from previous requirements and nine unchanged data points, bringing the total to 48 unique data fields for which covered community banks must collect and report data. Without training, employees will not inherently understand all of those changes and how the overall HMDA recordkeeping and reporting process for the bank will work. The MLA presents its own changes that require training in its definitions, coverage and procedural requirements.
Monitor and test
Following evaluation, training and implementation, new or revised compliance procedures and documentation must be monitored and tested to verify the effectiveness of policies and procedures; assess the integrity and completeness of records and reports; and determine what steps come next.
Questions your community bank should ask in assessing its CMS framework for compliance monitoring and testing include:
- Have we built internal or external checks into our compliance program for the changes?
- What mechanisms do we have in place to monitor compliance ongoing?
HMDA, for instance, is reported annually for the previous calendar year; however, your bank’s HMDA compliance management process should operate all year long to detect and remedy issues early.
An effective CMS program demands real compliance. Begin with the broad CMS framework offered by the federal regulators and custom fit it to the characteristics, functions and performers in your bank’s compliance activities. With that foundation, build a robust plan with oversight from your board of directors and managers, details of your bank’s compliance program, and the checks and balances audit.
Upcoming Compliance Dates
Oct. 3, 2016
Mandatory implementation date for Military Lending Act.
Jan. 1, 2017
Effective date for final Home Mortgage Disclosure Act (HMDA) reporting changes, excluding low-volume depository institutions from coverage (fewer than 25 home-purchase loans, including refinancings of home-purchase loans).
Jan. 1, 2018
Effective date for final HMDA reporting changes (most requirements relate to institutional and transactional coverage, and data collection, recording, reporting and disclosure).
Jan. 1, 2019
Effective date for final HMDA reporting changes to enforcement provisions and additional amendments to reporting provisions, including use of the Consumer Financial Protection Bureau’s electronic submission process.
Jan. 1, 2020
Effective date for final HMDA Rule quarterly reporting provisions for institutions reporting at least 60,000 applications or covered loans in the preceding calendar year.
Mary Thorson Wright, a former Federal Reserve managing examiner, is a financial writer in Virginia.