Consumer Compliance Outlook > 2009 > Third Quarter 2009

Consumer Compliance Outlook: Third Quarter 2009

The Bank Director's Role in Establishing a ‘Culture of Compliance’

By Andrew Olszowy, Manager, Consumer Compliance Examinations, Federal Reserve Bank of Boston

This article provides insights into a bank director's role in fostering an effective compliance culture and provides a basic model that can be applied in a proactive compliance risk management program.

THE ROLE OF THE DIRECTOR IN ENSURING CONSUMER COMPLIANCE

The hallmark of the Federal Reserve System's approach to consumer compliance supervision is its emphasis on ensuring that appropriate risk management controls are in place and consumers' rights are protected. As Federal Reserve Governor Elizabeth Duke recently stated before Congress:

"One objective of our consumer compliance examination program is to identify compliance risks at banks before they harm consumers and ensure that state member banks have appropriate controls in place to manage those risks. In conducting a consumer compliance examination at a state member bank, examiners review the commitment and ability of bank management to comply with consumer protection laws as well as the bank's actual compliance with such laws."¹

One of the most important components of this approach is the board of directors' oversight of the bank's compliance risk management program. In addition to establishing expectations for the institution, the board must first understand the nature of the risks significant to the institution and sufficiently empower senior management to measure, monitor, and control these risks. The level and scope of such activities vary with the size and complexity of the organization. However, the concept is the same. Organizations with the most effective compliance management programs do not layer consumer compliance over operations, but instead imbed the concept of consumer compliance within daily operations. In other words, they have a "culture of compliance."

In a previous issue of Consumer Compliance Outlook, Phyllis Harwell from the Board of Governors of the Federal Reserve System wrote that successful compliance risk management starts at the "top of the house."² The board of directors sets the tone of compliance for an institution, not only in words but in actions. An environment should exist where senior management and the organization's staff are not merely comfortable but obliged to communicate compliance risks as issues are identified and help to establish controls. It is the board that must establish this culture of compliance.

HOW MUCH IS ENOUGH?

Before directors can establish a positive culture to effectively oversee consumer compliance risks, they must first identify and clearly understand those risks. Examiners consider this process when they evaluate an organization's board of directors.³ The current volatile environment, from both a regulatory and an economic perspective, makes it challenging for directors to accomplish this mission. The regulatory environment is experiencing an unprecedented period of change, while the current economic climate is also pressuring banks to become more creative in product offerings as a means to generate additional earnings. Adopting and offering more complex products and services, of course, increases the organization's compliance risk. Additionally, the supervisory or audit process may uncover areas of potential weakness within functions that were believed sound from a compliance standpoint.

The good news is that the board of directors is not alone as part of the compliance management program. Directors can, and should, turn to the organization's compliance officer or compliance function to assist in identifying such risks. Armed with appropriate information, the board can then set the risk appetite for the organization as well as the tone of its compliance management program.

Regulators are often asked how directors should approach overseeing consumer compliance in their organization. There is clearly no single correct answer to this question. However, when faced with a new regulatory concern, directors should work with their compliance management and consider asking the following questions:

• What? — What is this regulation/guidance? What is the change? Why was it adopted?
• Impact? — What is the impact for our institution? What products does it affect? Do we require system upgrades? What is the difficulty of this new/changed regulation? What is the risk of noncompliance?
• Cost? — What is the estimated cost of compliance? Training? Systems? Forms?
• Plan? — What is management's plan for implementing and monitoring compliance?

These suggested questions are only a starting point and do not guarantee insulation from adverse examination findings. They can, however, provide the foundation for the types of discussion that addresses the root of various compliance risks and stimulate the type of interaction seen in an engaged "top down" compliance management program.

APPLYING THE MODEL

Perhaps the most effective way to demonstrate this approach is to apply these suggested discussion topics to an actual regulatory change. On July 14, 2008, the Board of Governors approved final rules amending Regulation Z (Truth in Lending) adopted under the Home Ownership and Equity Protection Act (HOEPA).⁴ These new rules, most of which become effective October 1, 2009, require significant changes that affect residential lending disclosures and mortgage advertising. The following points provide an example of the type of information a board may want to obtain from a compliance function presentation on the HOEPA final rules.

What?

• These amendments to the regulation create a new "higher-priced mortgage" (HPM) category with new accompanying protections. They also add new protections to all closed-end loans secured by a consumer's principal dwelling. Finally, they create additional advertising restrictions on residential lending.
• The goal of the amendments is to protect consumers from abusive, unfair, or deceptive acts or practices in lending, servicing, or advertising. The changes are designed to preserve responsible lending and sustainable homeownership.

Impact?

• This is not just a subprime regulation. The HPM threshold trigger of 1.5 percent over average prime mortgage offer rates for first liens is low enough to affect some conforming loans.
• The HPM rules apply to first- and second-lien home purchase, refinance, and home equity loans secured by the consumer's principal dwelling. It does not apply to home equity lines, construction loans, or reverse mortgages.
• The HPM protections include underwriting requirements, restrictions on prepayment penalties, and requirements for escrow accounts on first-lien loans.
• The final rules also impose certain restrictions on all credit secured by a consumer's principal dwelling and requires earlier disclosures on all closed-end mortgages.
• The amendments create several new advertising standards, including additional information about rates, monthly payments, and other loan features. The final rule also bans seven deceptive or misleading advertising practices.
• These are fairly comprehensive rules requiring changes in existing procedures, additional reporting requirements with regard to the Home Mortgage Disclosure Act (HMDA), possible system modifications, and training across several business lines.
• Truth in Lending provisions are strongly enforced by regulators.

Cost?

• Training will be required across several business lines. Underwriters will need to be instructed on the new restrictions. HMDA reporting will need to capture the new HPMs. Marketing will need to be aware of the new requirements.
• System vendors will need to be contacted to determine what aspects can/should be automated.
• New internal worksheets and checklists may need to be created.

Plan?

• The compliance function will continue to become familiar with the new rules.
• A roll-out plan for full compliance will be developed with time frames in accordance with the mandatory compliance date.
• Senior management will be provided with a high-level summary of the changes.
• A survey of affected business lines and processes will be conducted.
• Affected staff will receive training on the final rules.
• The compliance function will work in conjunction with business line management to assist in the modification of procedures, checklists, and systems.
• A system vendor will be contacted to ensure that proper modifications are in place.
• A regulator will be contacted for consultation/questions.
• A final survey of the roll-out plan will be conducted prior to the mandatory effective date.

SUMMARY

This example is more of an outline, but it helps to demonstrate an important point: The most effective compliance risk management programs are proactive and driven by the board of directors. By engaging the compliance function, the board accomplishes two important tasks: 1) directors receive the information they need to be better informed on compliance issues and better equipped to set the organization's risk appetite; and 2) the board establishes the expectation that compliance is a priority, thereby establishing a "culture of compliance." Specific issues and questions should be raised with the consumer compliance contact at your Reserve Bank or with your primary regulator.

• 1 Governor Elizabeth A. Duke, "Federal and State Enforcement of Financial Consumer and Investor Protection Laws ," hearing before the House Financial Services Committee, 111th Congress, March 20, 2009.
• 2 "A successful compliance risk management program starts at the 'top of the house.' The board and senior management set the tone of compliance for the organization. They must convey a culture of compliance not only in words but also in actions. Culture is also evidenced by the organization's risk appetite, the stature of corporate compliance, the emphasis on full compliance, the compensation of compliance staff, and the penalties for noncompliance, to name a few." Phyllis Harwell, "Managing Consumer Compliance Risks in Today's Economic Environment," Consumer Compliance Outlook (First Quarter 2009).
• 3 "In order for the board and senior management to carry out their responsibilities, they need to understand the organization's current compliance risks." Governor Mark W. Olson, "What Are Examiners Looking for When They Examine Banks for Compliance?," speech at the American Bankers Association's Regulatory Compliance Conference, Orlando, FL, June 12, 2006.
• 4 The announcement and final rulemaking are available on the Board's website .