“If you don’t know where you are going, you might wind up someplace else.”
Yogi Berra, Philosopher and Baseball Great
Thanks, Yogi! We’d add to that, if you don’t know where you are currently, it is difficult to determine which direction to go to get someplace!
Some topics are worth re-visiting, and the Compliance Risk Assessment is one. The Compliance Risk Assessment is the tool to help you determine where your financial institution is currently – with respect to compliance risk – and provide insight into which direction it should go.
If you’ve been in the financial services industry for a while, you recall a few years back when consumer compliance examinations were based nearly wholly on transactional testing. In recent years, the compliance examination focus has migrated to one heavily dependent on measuring risk and the factors at the financial institution that manage, mitigate, or prevent risk. Transactional testing is still conducted, and, of course, violations are identified, communicated, and assimilated into the overall rating; however, transaction records are more a piece of the data used to indicate the level of risk and the effectiveness of risk management practices.
We last visited the Compliance Risk Assessment process in a MCM Weekly NewsLINEs in September 2015, “Risk Assessment – Establishing a Baseline for Compliance.” Your compliance risk assessment will be specific to your organizational structure, products, services, compliance policies and procedures, and management/board oversight; however, there are some common themes to cohesive risk programs.
What are the basics? What are the elements of a Compliance Risk Assessment, and how do you conduct one? It really boils down to three questions:
1) What’s the worst case compliance scenario impact for our business today and tomorrow?
2) What are we currently doing to control the impact and how well are we doing that?
3) What is the delta between 1 and 2?
What is it?
The Philadelphia Federal Reserve Bank provides this plain-language definition of Compliance Risk Assessment:
“A compliance risk assessment is a procedure that identifies the major inherent risks within a business line, factors in any processes and procedures that are practiced by the institution to control and/or mitigate those risks, resulting in a measurement of the residual risk the business line poses to the institution.”
- Inherent Risk is the level of risk present for products, services and activities if the institution does nothing to prevent or control it. See 1 above.
- Risk Controls are the policies, processes and procedures in place to mitigate and control the risk, and Risk Controls includes an evaluation of the effectiveness of those policies, processes and procedures. See 2 above.
- Residual Risk is the gap between Inherent Risk and Risk Controls and identifies the areas for which compliance efforts should be focused. See 3 above.
Compliance Risk Assessment Components
The products, services, and other activities of the institution need to be included in the Compliance Risk Assessment, as well as characteristics of the institution itself. Compliance Risk Assessment components include, but may not be limited to:
- Products: Complexity, activity volume, new or seasoned, applicable recent or forecast changes
- Organization: Staff changes, size, complexity, centralization or decentralization, compliance culture, formality, automated or manual monitoring systems, recent trends in compliance results, community market
- Third-party resources: Oversight activities, due diligence
- UDAAP: Evaluation of any potentially unfair, deceptive, or abusive acts or practices
- Complaints: Responsive process, comprehensive recordkeeping, evaluation to determine organizational effect
A number of industry organizations, regulatory agencies, and commercial companies offer risk assessment templates, and there is no regulatory requirement to use a specific type of rating system. CFPB has one in the CFPB Supervision and Examination Manual. The Federal Reserve System publishes a Community Bank Risk-Focused Consumer Compliance Supervision Program in which it lays out the factors of risk assessment, evaluation, and management. Similarly, the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), and National Credit Union Administration (NCUA) all publish guidance about risk assessments.
If you have an Excel® spreadsheet, you can create a Compliance Risk Assessment matrix. What is important is that the rating system is used consistently across the risk assessment and offers a means to describe levels of risk.
Just as employees, products, and regulatory requirements change, the Compliance Risk Assessment must also be periodically evaluated for change. It will likely be affected by many different changes or activities of your institution, and, although it may sometimes be uncomfortable, the Compliance Risk Assessment must reflect the institution’s risk posture as it is, not as it should be or management would wish it to be. The value of the Compliance Risk Assessment and this honest portrayal comes from self-identifying and resolving risk.
Around the Industry:
CFPB foregoes regulatory process and issues letter extending rights under ECOA.
On the Horizon:
Catch up on 2016 HMDA announcements before moving to 2017 and 2018.
What is redlining risk, and how are you handling it? Get insight here.