True or false: Growing compliance challenges stemming from the Consumer Financial Protection Bureau, as well as heightened expectations from other industry regulators, are challenges about which community banks need not worry.
The answer? False. There is little question that the CFPB and other regulatory agencies are taking actions that will affect community banks, perhaps significantly.
One of the questions being raised more often in the current environment by executives of financial institutions is whether their compliance management functions are strong enough, due to heightened regulatory expectations in the wake of the financial crisis, as well as a general belief that community banks will not be immune from the long reach of the CFPB. In fact, the CFPB has responsibility for promulgating and interpreting consumer regulations that will directly and indirectly impact banks and non-bank providers of consumer financial products.
Community bank executives who believe improving their compliance management function is necessary are being influenced by two interrelated factors:
1. Examiners appropriately have had a safety and soundness examination focus for the past decade (or more). As a result, the priorities of community bank executives have been asset quality, capital adequacy and revenue/earnings growth. Given these priorities, they have had difficulty convincing their boards of directors, and often themselves, that an investment in compliance management is prudent.
2. New regulations, higher regulator expectations and the attendant increased cost of compliance (and non-compliance) are forcing many organizations to take a fresh look at how they manage compliance and to look for more efficient and cost effective methods.
The elements of an effective compliance management function include the following:
There are a number of lessons that community banks can learn from some of the common issues identified in compliance examinations of larger banking organizations. These include:
1. Inadequate oversight — This may result from inadequate director/executive education, reporting and policies, or lack of executive-level support for the objectives of the compliance program.
2. Poor communication with examiners — Regardless of the regulatory agency involved, communication with the bank’s examination team is critical. If the bank does not instill confidence in, or appears to be unknowledgeable about, compliance-related matters, findings that the bank may perceive to be minor can take on much greater significance in an examination report.
3. Lack of independence or stature of the chief compliance officer — Regulators routinely criticize situations where CCOs are not sufficiently independent of the business, do not provide “credible challenge” to the business and do not have a seat at the table needed to be effective.
4. Inadequate compliance testing — Testing scoping and coverage of compliance regulations is inadequate, poorly documented, or conducted by insufficiently trained or inexperienced personnel.
5. Poor compliance risk assessment — Compliance risk assessments may not be comprehensive or may fail to consider all relevant risk factors.
6. Insufficient forward-looking perspective — Examiners have a high expectation that banks not only have adequate compliance management functions today, but also consider the impact and plan for implementation of changes on the horizon.
Carol M. Beaumier is the executive vice president, global industry programs at Protiviti. Scott E. Jones is a managing director for Protoviti in Los Angeles. Steve Lafrance is a director for Protiviti, Los Angeles.