
Compliance Management Program

Here’s What the Examiners are Looking For

A sound compliance program is essential to the efficient and successful operation of the institution. Below is an excerpt, copied from the FDIC's examination manual, describing what examiners expect to find. (If you want to see what the CFPB says a compliance program looks like, go here: http://files.consumerfinance.gov/f/201210_cfpb_supervision-and-examination-manual-v2.pdf.) And, by the way, there are rules and regulations in force that have their roots in AMLA 2020, and more are on the way.

Basic Parts of Compliance Management

A compliance program includes the following components:

  • Policies and procedures
  • Training
  • Monitoring
  • Consumer complaint response

A financial institution should generally establish a formal, written compliance program. In addition to being a planned and organized effort to guide the institution's compliance activities, a written program is an essential source document that serves as a training and reference tool for all employees. A well-planned, implemented, and maintained compliance program will prevent or reduce regulatory violations, provide cost efficiencies, and is a sound business practice.

It is expected that no two compliance programs will be the same and that the formality of a program will be dictated by numerous considerations, including:

  • size of the institution;
  • number of offices;
  • how the institution is organized;
  • business strategy;
  • types of products;
  • location of each office; and
  • international or internet-based business.

Effectiveness is Paramount

The formality of the compliance program is not as important as its effectiveness. This is especially true for small institutions, where the program may not be in writing but an effective monitoring system has been established that ensures overall compliance. However, during periods of expansion or staff turnover, a written compliance program becomes more important, because individuals with the particular knowledge or experience may no longer be with the institution or available for contact. Regardless of the degree of formality, all financial institutions are expected to manage their compliance programs proactively to ensure continuing compliance. Compliance efforts require an ongoing commitment from all levels of management and should be part of the institution's daily business operations.

Policies and Procedures

Compliance policies and procedures generally should be described in a document and reviewed and updated as the financial institution’s business and regulatory environment changes. Policies should be established that include goals and objectives and appropriate procedures for meeting those goals and objectives.

Generally, the degree of detail or specificity of procedures will vary with the complexity of the issue or transactions addressed. An institution's policies and procedures should provide personnel with all the information needed to perform a business transaction. This may include applicable regulatory citations and definitions, sample forms with instructions, institution policy, and, where appropriate, directions for routing, reviewing, retaining, and destroying transaction documents.

For example, loan application procedures should be established so that institution personnel consistently treat all applicants equitably and fairly. These procedures should clearly convey to staff the regulatory requirements and the institution’s lending policy, including the institution’s nondiscriminatory lending criteria.

Similarly, contracts with third parties should set clear expectations for adherence to relevant laws and regulations. Compliance policies and procedures are the means to ensure consistent operating guidelines that support the institution in complying with applicable federal consumer protection laws and regulations, both directly and through the use of third-party providers. Also, these criteria will provide standards by which compliance officers and line managers may review business operations.

Training

Education of a financial institution’s Board of Directors, management, and staff is essential to maintaining an effective compliance program. Line management and staff should receive specific, comprehensive training in laws and regulations, and internal policies and procedures that directly affect their jobs.

The compliance officer should be responsible for compliance training and establish a regular training schedule for Directors, management, and staff, as well as for third-party service providers, where appropriate.

Training can be conducted in-house or through external training programs or seminars. Once personnel have been trained on a particular subject, the compliance officer should periodically assess employees on their knowledge and comprehension of the subject matter.

An effective compliance training program is frequently updated with current, complete, and accurate information on products and services and business operations of the institution, consumer protection laws and regulations, internal policies and procedures, and emerging issues in the public domain. For example, loan officers, as well as other front-line personnel regularly interacting with loan applicants, should be fully informed about the loan products and services offered by the institution and thoroughly knowledgeable about all aspects of the consumer credit protection laws and regulations that apply.

Monitoring

Monitoring is a proactive approach by the institution to identify procedural or training weaknesses in order to preclude regulatory violations. Institutions that include the compliance officer in the planning, development, and implementation of business propositions increase the likelihood that their compliance monitoring function will succeed.

An effective monitoring system includes regularly scheduled reviews of:

  • disclosures and calculations for various product offerings;
  • document filing and retention procedures;
  • posted notices, marketing literature and advertising;
  • various state usury and consumer protection laws and regulations;
  • third-party service provider operations; and
  • internal compliance communication systems that provide updates and revisions of the applicable laws and regulations to management and staff.

Changes to regulations or changes in an institution’s business operations, products, or services should trigger a review of established compliance procedures. Modifications that are necessary should be made expeditiously to minimize compliance risk, and applicable personnel in all affected operating units should be advised of the changes.

Monitoring also includes reviews at the transaction level during the normal, daily activities of employees in every operating unit of the institution. This might include, for example, verification of an annual percentage rate, or a second review of a loan application, before the transaction is completed. Monitoring at this level helps establish management and staff accountability and identifies potential problems in a timely manner.

Compliance officers should monitor employee performance to ensure that employees are following the institution's established internal compliance policies and procedures. The frequency and volume of employee turnover at the institution should be factored into the schedule for reviews. Such reviews are especially critical after problems have been noted during past audits or examinations, after regulation changes, when new products are introduced, when mergers occur, or when additional branch locations are opened.

Consumer Complaint Response

An institution should be prepared to handle consumer complaints promptly. Procedures should be established for addressing complaints, and the individuals or departments responsible for handling them should be designated and known to all institution personnel to expedite responses. Complaints may indicate a compliance weakness in a particular function or department. Therefore, the institution's Board and senior management should be aware of the complaints received and act to ensure timely resolution. A senior officer of the institution should determine the cause of each complaint and take action to improve the institution's business practices, as appropriate. An institution should also monitor complaints to and/or about third parties that provide services on its behalf.

Compliance Audit

A compliance audit is an independent review of an institution's compliance with consumer protection laws and regulations and of its adherence to internal policies and procedures. The audit helps management ensure ongoing compliance and identify compliance risk conditions. It complements the institution's internal monitoring system.

The Board of Directors of the institution should determine the scope of an audit and the frequency with which audits are conducted. The scope and frequency of an audit should consider factors such as those that shape the program itself (the institution's size, offices, organization, business strategy, and products). An audit may be conducted once a year, or may be ongoing, with all products and services, all applicable operations, and all departments and branches addressed on a staggered basis.

An audit may be performed in-house or may be contracted to an outside firm or individual, such as a consultant or accountant. A financial institution that outsources the audit should make certain that the auditor is well versed in compliance, and that the audit program is based on current law and regulation and is comprehensive in scope. Generally, a strong compliance audit will incorporate vigorous transaction testing. Regardless of whether audits are conducted by institution personnel or by a contractor, the audit findings should be reported directly to the Board of Directors or a committee of the Board. A written compliance audit report should include:

  • scope of the audit (including departments, branches, product types and third-party relationships reviewed);
  • deficiencies or modifications identified;
  • number of transactions sampled by category of product type; and
  • descriptions of or suggestions for, corrective actions and time frames for correction.

The Board and senior management should respond promptly to the audit report. The compliance officer should receive a copy of all compliance audit reports and act to address the noted deficiencies and required changes to ensure full compliance with consumer protection laws and regulations. Management should also establish follow-up procedures to verify, at a later date, that the corrective actions were lasting and effective.

Wow. This is pretty complicated. If you'd like to talk this over and see about improving your BSA/AML compliance program, reach out to us. Call, or click the button at the top right of the screen.

If you'd like to talk this over, reach out to us at 828-230-5802

Remember, there's never a cost to spit-ball a compliance issue.