Click Cover to Read Digital Edition



Shared Servicing & Outsourcing
Feb. 23-24
San Francisco
ABA Mutual Community Bank Conference
March 1-5
Gaylord Palms Resort
ABA Mutual Community Bank Conference
March 22 & 23
Marriott Marquis
Washington, D.C.
Card Forum & Expo
April 8-10
More events >  

<- Back

Share |

Print Friendly and PDF

For a Clear Compliance Solution, Think Cloudy

By: Dan W. Holt

Community banks are investing significant capital and operating budget for compliance and risk management, and the end is not in sight. There is more to come. IT complexity continues to increase, security risk is expanding as more potential entry points from new online and mobile channels emerge, and compliance is becoming more challenging as the wave of new regulations continues to swell as a result of the financial crisis.

Bankers are operating in a “perfect storm” of legislation, compliance and risk. Combined, these developments will drive compliance costs higher, creating a strain on margins for community banks that may even threaten their survival. For community banks to survive, they must get their compliance and risk management houses in order now, so they can be prepared to endure the coming wave of regulations.

Joe Carnevali, senior vice president, information technology officer of Paso Robles, Calif.-based Heritage Oaks Bank with almost $1 billion in assets and 15 branches, said, “With the challenge to increase revenue, banks are spending increased time and resources in risk assessment and compliance rather than meeting the community banking needs and generating profit.”

What is needed is not more resources and investment, but rather a rethinking of the way compliance and risk is managed. Survival will require community banks to innovate and adopt a new outsourcing approach, similar to the way they have tackled comparable technology, security and core processing operations.

This outsourcing approach must also transition community banks from a project-based to an examination-ready mentality. This can be accomplished through a cloud-delivered platform that ensures compliance policies, data and processes are always up-to-date.

What Is an “Examination-Ready” State?

An examination-ready state means an institution is in a constant ready state for examiners, will automatically be alerted on a timely basis to make needed process changes and can instantly generate up-to-date reports. Data is captured at the point of origin then re-purposed for each compliance program. A single data repository reduces data integrity issues and resource requirements, while improving reporting accuracy. If information changes, it is captured once and reflected throughout all of your compliance areas.

Being examination-ready also requires that compliance experts constantly and diligently integrate new compliance rules and changes to ensure a dependable and up-to-date risk and compliance program that can deliver all these benefits.

So, how can a comprehensive compliance and risk management program be delivered in real time at an affordable cost? The answer is a cloud-delivered outsourcing approach.

What Is a Cloud-Delivered Approach?

Cloud-delivered compliance is an outsourced software-as-a-service delivery model that provides a more cost effective solution that frees the community bank’s internal resources to focus on deposit acquisition, revenue generation and customer-facing activities. This outsourcing approach also offers a new strategy of compliance and risk management that drives down costs, simplifies compliance and risk management operations, and expands community institutions’ risk management intelligence.

When asked about Heritage Oaks Bank’s decision to outsource compliance, Carnevali said, “Regulatory requirements in recent years have also increased the need for improved board reporting and increased documentation. The need for qualified and credentialed support to compile and manage the information as well as prepare and present this information to the board in a manner deemed appropriate by regulatory agencies is what drove us to consider and implement a managed service approach to compliance.”

Plumas Bank, a Quincy, Calif.-based bank with operations in northeastern California and northern Nevada, was concerned about strict compliance and the resources it requires and also made a corporate decision to adopt an outsourced, cloud-based compliance program. The transition to the managed compliance service was headed by Rose Dembosz, executive vice president/manager of operations, and Elizabeth L. Steffen, assistant vice president/administrative services manager of technology resources.

In response to why the bank made this decision, Dembosz, provided the following perspective: “Compliance must always be maintained and it is virtually impossible to do with limited staff. It is ever changing and can become outdated very quickly. A major concern of Plumas Bank is to make sure that all 2,300 pages of federal regulations have been addressed. This is a very time-intensive process, and with the many projects that the bank is currently managing, this would require resources to be pulled from other assignments that need full attention.”

“Plumas Bank has reaped great benefits from the expertise and intelligence of compliance experts from our outsourced compliance services provider,” said Steffen. “There has been tangible time savings in the area of research, particularly with regards to FFIEC compliance and business continuity planning. Having such knowledgeable resources that respond extremely quickly has been a great benefit to Plumas Bank.”

Advantages of Cloud-Delivered Services

1. Economies of scale. Most community banks do not have the budget to hire more staff to handle all of the new areas of regulation. An outsourced compliance service provides economies of scale that can be treated as a monthly operational expense. Banks can outsource compliance tasks to a team of experts instead of hiring additional in-house resources or expecting existing personnel to keep up to date on every compliance area.

The same is true of compliance and risk management processes. Community banks are required to regularly conduct audits and self-assessments, creating and maintaining a host of compliance documents mandated by examiners and the board. Traditional methods, involving the compilation of disparate data entered in multiple places and used in different ways, are manually intensive, difficult to manage and become quickly outdated.

A common cloud-delivered compliance platform, with intelligent content predefined and development costs shared by multiple institutions, yields significant savings. Instead of building programs from the ground up, the bank leverages a hosted platform being paid for by peer institutions and maintained by the outsource provider.

2. Cost-effectively expand your pool of compliance expertise and intelligence. A managed compliance service provides community institutions a deep bench of compliance and risk experts who are tapped into Capitol Hill and new industry developments, trends and best practices instead of relying on a few resources to be up to date with every area of regulation. A centralized compliance service increases the institution’s access to risk management knowledge while removing the task of maintenance.

3. Automate and streamline repetitive processes. Most compliance programs are created and executed in a silo. When compiling and collecting all of the information for an IT risk assessment about servers, printers, computers, customer data, software and networks, the data is typically stored and managed independently from other audit or compliance tasks. With an examination-ready platform, data is shared and re-purposed on an as-needed basis.

4. Eliminate redundancy and keep risk data relevant (and examination-ready). An examination-ready compliance program does not wait for an annual review of an institution’s risk posture to incorporate changes. Changes to programs and controls are made as assets and threats change. The traditional compliance strategy is to execute a program audit or review at a point in time each year. The bank does a compliance review, creates a report and puts it on the shelf. As soon as it is complete, it is out of date.

With an examination-ready compliance service, a bank will be able to report its status at any time, and be prompted to update controls and programs throughout the year as changes occur. If it adds a new network or server or engages a new vendor, these actions create new risk to the bank, and the compliance program will alert the bank to make modifications to the plans now, as they occur — putting the bank into a constant examination-ready state.

5. Expand support for all CAMELS areas. An examination-ready compliance and risk management program provides a solution for the entire bank’s regulatory environment and eliminates silo solutions. An integrated solution addresses all of the CAMELS, consumer, AML/BSA and other compliance areas that consume recurring and redundant resources.

To survive the perfect storm of IT complexity, risk and regulatory compliance, community banks will need to adopt a new model for managing risk. Adopting a managed compliance service will reduce costs, simplify compliance operations, improve risk management and put your institution into an examination-ready state.

For a clear solution, it is time to think cloudy.

Dan W. Holt is CEO and co-founder of Heit Inc., based in Fort Collins, Colo., and a leader in leveraging cloud technology for community banks. For more information, visit

Copyright © February 2011 BankNews Media