Community banks should start building a risk-focused compliance program yesterday.

Getting ready for your bank’s next consumer compliance exam will require a new, different mindset. Your bank can easily trip and fall over a practice you never noticed — much less thought of as “harmful.” To bankers who have recently been through this new exam procedure, it’s a case of “Damn!  We never saw THIS coming!”

The new exam procedure focuses on two major things:

  1. how well your bank is managing the inherent product/service risks and
  2. how well you have foreseen and mitigated potential consumer harm.

Far more than in the past, the examination will include a hard look at potential Fair Lending and UDAAP issues. Why? Because they relate to legal risk, compliance risk and the real biggie, “consumer harm.” In some cases, this involves a bank practice you didn’t even know you were doing. (Yeah, I know, but it happens all the time. If you don’t believe me, go compare your excess transaction disclosure with your advertising; or, better yet, compare your interest crediting on quarterly statement accounts with your account disclosures; finally, compare your funds availability disclosure with your settlement dates.) Hopefully, you’re good. But, you’d be smart to check — before you-know-who shows up.

So, how do you re-orient the bank toward a consumer compliance risk focus? The answer is simple. The “doing” is not so much.

STEP ONE: Get up to speed. Here’s a good place to start.

In July 2014, the Federal Reserve published their Second Quarter 2014 Consumer Compliance Outlook. The lead article was “Risk-Focused Consumer Compliance Supervision Program for Community Banks.”  Every Risk Manager and Compliance Officer should carefully read the article and provide the bank’s executive officers with an annotated copy outlining the implications to the bank.

STEP TWO: Talk to your regulator in advance; get a feel for what your “risk profile” looks like to them.

Before you get the notice of your next scheduled exam, call your “relationship manager” and start a dialog about how the risk-focused exam will affect your bank. The examiners will be building a “risk profile” of your bank before they show up. Their on-site investigation will be very much governed by the profile. If you are smart, you’ll understand in advance how they feel about your bank when viewed through a “risk” lens.

STEP THREE: Start developing an across-the-board “risk assessment” outlining what you are doing to lower your “residual” risk.

In times before now, examinations were principally transaction based. Examiners looked at what your files said and made a judgment about your level of compliance. That’s still a factor, but a greater factor is how your bank is managing risk. “Managing risk” means what control features your bank has in place to reduce a product’s inherent risk to an acceptable “residual” risk.

STEP FOUR: Put on your consumer hat and take a look at what potential harm (however slight) may arise to a buyer of your products.

Warning: this will not make you popular among your peers at the bank. Frankly, for too long, too many of us have figured that as long as we disclosed the facts, even if it was in “fly-speck light face font,” we were fine. Turns out that’s wrong. Big time.

Another thing we have been wrong about is not sweating the small stuff. Recently, a $1 billion bank got hit because of a $0.50 difference in price for a credit report between married borrowers and unmarried “co-borrowers.” The total impact was less than $2K. But the examiners made a feast over it. Their position was, “Hey, this is harmful to the consumer. It doesn’t matter if it’s only fifty cents. Harm is harm.”

This probably cost the bank 200+ hours to research and make reimbursements. The lesson: it’s like the man said, there’s no “de minimis” when it comes to harming the consumer. None.

Related to this is what my favorite banking attorney calls, “Hiding the Ball.” That happens when your disclosures, in fact, are accurate, but are hard to find and buried in fine print. If you’ve got language like this (and I used to see them in “Bounce Proof” disclosures) you should re-think your policy — I mean your policy to hide unpleasant information deep in the thicket of legalese.

STEP FIVE: Write a simple, plain English procedure, supplemented with a spreadsheet-format Risk Assessment.

Detail your analysis of the inherent risk of each product and service along with what you’re doing to mitigate the risk.  Include in your assessment some hard numbers: how much, how many, how much increase/decrease over last year. Stuff like that. (I have a sample BSA Risk Assessment I can send you if you’d like to see how this can be done. It would have to be adapted for Consumer Compliance, but it’s a good place to start.)

Here’s a key component of this Risk Assessment: you must analyze the potential harmful effects on the bank and on the consumer if a third party screws up.  (For example, who’s your cash card vendor?  What due diligence have you done to assure yourself they are the poster-child for third party bank vendors?)

Second key component: analyze areas that may not be clear or fair, or are flat-out adverse to consumer interests. As mentioned above, the fact that you actually disclosed all facts may not be enough. If you are deemed to have made the disclosure hard to find, or if it was worded like a PhD dissertation, or worse (attorneys take note) if it was in tortured-but-standard legalese, you could still be cited for harming consumers. (Think about it: if you have a segment of customers you know struggle with English, much less legalese, can you really defend your disclosures as “not-deceptive”?)

STEP SIX: Show your regulator an early draft of your Risk Assessment.

The time for clarifying examiner expectations is before the exam starts. The new risk-focused exam procedure is going to force banks to make examiners a partner to the business. (Interesting note: consumer compliance exams will have a “follow up” by the examiner about half-way toward the next scheduled exam. That’s for the purpose of giving your bank a “checkup.” They’ll want to have serious answers to what’s up? What’s new? Stuff like that. In my mind, a bank’s better off proactively managing this ongoing examiner interest.)

STEP SEVEN: Publish, train and monitor your bank’s compliance with your risk mitigation procedures — and remember, that includes minimizing the risk of consumer hardship, not just “transactional” compliance.

Every time I do a deposit or loan audit, I find at least two significant instances where the bank is not doing what the policy/procedure says it does. (I’m not complaining, because it’s actually an important part of the Bank Consultant’s Full Employment Act compliance.) My point is: it is not wise to count on your employees being intensely interested in being compliance poster children. You may have a great policy and exquisitely detailed procedures that are actually exquisitely ignored. Shocking, yes. Reality, yes, as well. The solution: keep that training up. Be scrupulous about auditing or reviewing your compliance.


Need help? It’s as close as your phone.

Our goal, like yours, is to get maximum compliance for the minimum dollars. We are experienced compliance management professionals. We provide as much or as little assistance as you need. Remember, sometimes the work gets done faster, and less expensively, if you have a professional playing on your team. Ready to talk about how this can work for you?
Call me, 828-230-5802


View George Self's profile on LinkedIn