“Lack of direction, not lack of time, is the problem. We all have twenty-four-hour days.” Zig Ziglar, Motivational Teacher and Trainer
Risk. It’s inherent in the business of lending money.
Financial institutions face risks associated with new products and services, operational failures, and procedures and practices to meet regulatory guidance. To manage risk, institutions must implement a process to identify, measure, monitor, and handle the consumer compliance risks associated with their products, services, and business lines.
One tool designed to help manage consumer compliance risk is commonly known as a Compliance Risk Assessment. A Compliance Risk Assessment generally involves identifying the current and future risks for an institution’s structure and business activities and then evaluating the institution’s procedures to control and mitigate these risks. The delta, or gap, between the identified risks and the institution’s ability to control and mitigate risk provides direction for management and the compliance professional to use resources where they are most critically needed.
We last visited Compliance Risk Assessments in October 2016; however, Compliance Risk Assessments are a pivotal tool in the compliance professional’s quiver and bear revisiting periodically.
What is it?
What are the basics? What are the elements of a Compliance Risk Assessment, and how do you conduct one? It really boils down to three questions:
- What’s the worst-case compliance scenario impact for our business today and tomorrow?
- What are we currently doing to control the impact and how well are we doing that?
- What is the delta between 1 and 2?
The Philadelphia Federal Reserve Bank provides this plain-language definition of Compliance Risk Assessment:
“A compliance risk assessment is a procedure that identifies the major inherent risks within a business line, factors in any processes and procedures that are practiced by the institution to control and/or mitigate those risks, resulting in a measurement of the residual risk the business line poses to the institution.”
- Inherent Risk is the level of risk present for products, services and activities if the institution does nothing to prevent or control it. See 1 above.
- Risk Controls are the policies, processes and procedures in place to mitigate and control the risk, and Risk Controls includes an evaluation of the effectiveness of those policies, processes and procedures. See 2 above.
- Residual Risk is the gap between Inherent Risk and Risk Controls and identifies the areas for which compliance efforts should be focused. See 3 above.
Compliance Risk Assessment components include, but may not be limited to:
- Products: Complexity, activity volume, new or seasoned, applicable recent or forecast changes
- Organization: Staff changes, size, complexity, centralization or decentralization, compliance culture, formality, automated or manual monitoring systems, recent trends in compliance results, community market
- Third-party resources: Oversight activities, due diligence
- UDAAP: Evaluation of any potentially unfair, deceptive, or abusive acts or practices
- Complaints: Responsive process, comprehensive recordkeeping, evaluation to determine organizational effect
Various industry organizations, regulatory agencies, and commercial companies offer risk assessment templates, and there is no regulatory requirement to use a specific type of rating system. CFPB has one in the CFPB Supervision and Examination Manual. The Federal Reserve System publishes a Community Bank Risk-Focused Consumer Compliance Supervision Program in which it lays out the factors of risk assessment, evaluation, and management. Similarly, the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), and National Credit Union Administration (NCUA) all publish guidance about risk assessments. The Federal Reserve System also published a bare-bones risk assessment template in its Consumer Compliance Outlook, Fourth Quarter 2014.
Why perform a Compliance Risk Assessment? Why review it periodically?
It all boils down to whether you manage the compliance risk in your institution or simply react to it. To effectively manage risk, you must first know what it is and where it resides. That will determine your next steps.
The mortgage business is volatile, and the regulatory environment in which we operate is also volatile. The products, services, and other activities of the financial institution need to be included in the Compliance Risk Assessment, as well as characteristics of the institution itself. The Compliance Risk Assessment needs to be a ‘living’ document, that is flexible to accommodate changes in the business and the regulatory environment in which the business operates.
When should a financial institution perform a Compliance Risk Assessment?
The answer to this question is multi-pronged!
If you have not implemented a Compliance Risk Assessment, begin today! There are many sources of information about how to begin and what steps to take to implement a process. One source to help an institution create and perform a risk assessment can be found at this link.
If you have implemented a Compliance Risk Assessment, the game is half-way won. Now, ensure you have:
- Procedures to identify, review, and evaluate any changes (products, people, organizational structure, etc.) that occur in your organization and external changes from regulators and other authorities as they happen. That is the right time to assess the risk for each and append the Compliance Risk Assessment program, if necessary.
- A scheduled periodic review of the entire Compliance Risk Assessment program to ensure its accuracy, completeness, and coverage.
The enhancements or changes to the Compliance Risk Assessment program should be tracked. The results of risk assessments performed should be documented to include scope, findings, management communication, and corrective action or enhancements.
The Compliance Risk Assessment is an invaluable tool to give the compliance professional the earliest warning of future compliance problems. Remember the words of Miguel de Cervantes, Spanish writer and author of Don Quixote: “Forewarned, forearmed; to be prepared is half the victory.”
Around the Industry:
Two fields have been updated in the 2017 Census Data, the FFIEC Estimated MSA/MD non-MSA/MD Median Family Income and Estimated Tract Median Family Income, and in the 2017 Census Data Products and Geocoding System.
On the Horizon:
Get the most recent HMDA reporting guide for 2017 data.
Can collecting too much information cause fair lending violations? See this.