The regulators expect it, industry consultants recommend it, and management wants it. What is “it”? Compliance testing. What, then, should be tested? In a nutshell, everything!
Each financial institution is expected to maintain a Compliance Management System (CMS) to establish and meet its compliance responsibilities. The CFPB Supervision and Examination Manual recognizes four interdependent control components that would comprise the CMS:
- Board and management oversight;
- Compliance program, including a process to monitor and test compliance;
- Response to consumer complaints; and
- Compliance audit.
That said, how does a Compliance Officer go about defining the breadth of the scope and determining the depth to which the financial institution’s compliance with laws, regulations, rules, and guidance should be tested?
A primary goal of compliance monitoring is to test policies, procedures, and transactions to ensure compliance with laws and regulations. Compliance monitoring is a proactive process, designed to determine root causes of violations and identify procedural or training weaknesses early to preclude further regulatory violations.
When the financial institution’s primary federal regulator conducts an examination, the starting point for a compliance examination is generally the entire universe of compliance requirements for which the financial institution is responsible. Take a look at the scope of coverage in your federal regulator’s compliance examination manual. That’s a pretty big bite, even for a full-time Compliance Officer.
The federal regulators start with the full array of compliance requirements, then modify their examination scope and procedures based on certain risk factors.
- What have past examinations shown with respect to the institution’s successful implementation and management of compliance requirements?
- What compliance requirements have been added, modified, or extinguished since the most recent examination was conducted?
- What compliance issues are trending in the industry, and what does the institution’s business model say about whether it is likely facing similar issues?
- What changes has the institution experienced since the most recent examination? New products/services? New operating systems? New management? New Compliance Officer? Other changes?
- What other factors might influence the effectiveness of the CMS?
Your Mini-Examination Process
When a financial institution conducts compliance testing, it is really conducting a ‘mini-exam.’ Historically, the federal regulators’ examination manuals may have remained sealed in shrink-wrap, collecting dust on the board room bookshelf for years. Hopefully, the availability of electronic sources has increased financial institutions’ willingness to ‘crack open the books’ to look at the descriptions of examination scope and content of the examination procedures.
Institutions should take advantage of the electronic examination manuals and any published revisions of or additions to them from the CFPB, OCC, FRB, FDIC, and NCUA. The full scope should be your starting point.
You may be able to use other resources, as well, to guide your compliance testing process. The National Credit Union Administration (NCUA) has published a Consumer Compliance Assessment Guide. The guide is designed to help management and staff who are responsible for compliance identify and prioritize requirements and conduct compliance reviews. Financial institutions other than credit unions could use such a resource, allowing for any specifics that apply to credit unions only.
Got Risk Assessment?
“Financial institutions face a variety of compliance risks every day, ranging from the risks associated with new products and services to the risks of operational failures involving existing products and services. It is therefore critical that institutions identify, measure, monitor, and manage the consumer compliance risks associated with their products, services, and business lines. A consumer compliance risk assessment (risk assessment) is an excellent tool to help accomplish these tasks. It generally involves identifying the current and future risks for an institution’s structure and business activities and then evaluating the institution’s procedures to control and mitigate these risks.”
The Compliance Risk Assessment, generally documented in a matrix format, is a good place to begin to determine the breadth and depth of compliance testing, and any modifications that are warranted for your procedures. Through the risk assessment, a financial institution can identify inherent risk, evaluate risk management controls, and measure residual risk. In plain language, a financial institution can calculate its vulnerabilities:
What could happen – What we do to keep it from happening = What actually happens
The results shown in the risk assessment determine the degree of potential risk and translate into a “to do” list for compliance testing.
Be your own regulator
Establish a process to ‘be your own regulator’ to test compliance. Begin with the full scope of compliance requirements for your institution. Ask the questions that regulators ask when they are determining the scope of their risk-based examinations. Look at the results of the testing you have done since your most recent examination. Evaluate the impact of your current risk assessment on compliance risk.
The result is “What!”
Federal Reserve Consumer Compliance Outlook, Fourth Quarter 2014.