How to make compliance management work for you

Compliance keeping is the regulatory sister to housekeeping. What are the key elements to keeping compliance, and what must community banks do to manage it effectively?

By Mary Thorson Wright

This month, we kick off a series of grassroots compliance management articles. First, we lay the groundwork, covering managing regulatory requirements, regulatory proposals and implementing changes; exploring sound sampling techniques to look for compliance errors; and explaining how to make it all jibe, from internal policies and written procedures all the way to actual practices.

Sound compliance management requires efforts to stay abreast of changes, whether these are in technical requirements and their interpretations, regulatory enforcement, your organization, its policies, or its products and services. Compliance management must be a living, changing process that allows your community bank to detect issues affecting compliance and address requirements, or make corrections or adjustments in a timely manner.

The keys to keeping up with compliance requirements include:

  • Understanding each requirement. Read announcements of proposed or final rules completely and pay attention to coverage, definitions of key terms, disclosure requirements and timing rules.
  • Staying abreast of changes to the business model of the bank, its policies, and its products and services.
  • Ask yourself: Do the requirements, or any part of them, apply to your bank and its products or services, including those performed by third-party vendors?

If yes:

  • Identify the departments, stakeholders, policies, procedures, systems and documentation that the change or requirements might affect.
  • For regulatory proposals, communicate the potential impact to key stakeholders and provide updates as the proposals evolve.
  • For interim or final rules, gain a solid understanding of the requirements, note the effective dates of changes and, working backward, estimate key benchmark dates. Communicate with key stakeholders to begin steps for the project: planning, implementing, training, testing for effectiveness and making adjustments.

If the answer is no, create a brief record of your assessment process and conclusion. If it is possible that future events might cause your bank to become subject to the requirement(s), ensure processes are in place, either through compliance monitoring procedures or those of internal audit, to periodically check for coverage.

Sampling matters
An effective compliance management system (CMS) must include methods to test the completeness, accuracy and effectiveness of compliance functions. Policies and procedures require comprehensive periodic reviews. However, using a representative sample is generally an effective method of identifying errors or omissions in transactions and records. The results of sampling can guide subsequent actions, such as training, operational changes and re-looks.

How much sampling is enough? What constitutes a representative sample will be determined by your organization’s structure, its practices and its products and services. Sampling is generally conducted for new transactions or records that have been created since the most recent review of the target area. Areas in which problems have occurred in the past generally require more frequent reviews and heavier sampling that aims to confirm that previous corrective actions have been effective.

Create a sampling plan that is based on your community bank’s products and services, and its exposure to regulatory risk. The bank’s compliance risk assessment and a review of any previous testing results are good places to start. What type(s) of loan products are listed on the risk assessment? Residential mortgage loans? Then residential mortgage loans should be included in the scope of the sampling plan.

From there, break the samples down further to closely represent the bank’s lending practices. The sample for your bank may or may not include loans originated and sold, in-house loans, junior lien loans and so on. The sample should show some of each type in the bank’s product line, and it should demonstrate a variety of loan originators and branch locations, regardless of low volume or other differentiating factors. Expand the sample to follow a lead on any potential violations or policy exceptions.

Keeping consistent
To be effective, your community bank’s CMS must demonstrate consistency. Most community bankers know that even if your compliance performance is technically correct, inconsistencies in related documentation, like written procedures, are fertile ground for regulatory criticism. After identifying and implementing regulatory requirements, the greater challenge may be to manage the upstream and downstream effects of changes to keep the CMS harmonious.

The compliance obligations of the community banking industry can be overwhelming and are compounded by the numerous ways each is exposed in the bank. Written policies and procedures, transactional records, file documentation, training records, monitoring and auditing records, and the communications of management and staff should all reflect technical requirements and applicable organizational conditions that are accurate and consistent.

Keeping up with regulatory and organizational developments, identifying and addressing compliance exceptions, and comparing compliance sources in your community bank for accuracy, appropriateness and consistency with actual practices are critical to successful compliance keeping.

Mary Thorson Wright, a former Federal Reserve examiner, is a financial writer in Virginia.