Consumer Compliance Outlook: Third Quarter 2009

The Bank Director's Role in Establishing a ‘Culture of Compliance’

By Andrew Olszowy, Manager, Consumer Compliance Examinations, Federal Reserve Bank of Boston

This article provides insights into a bank director's role in fostering an effective compliance culture and provides a basic model that can be applied in a proactive compliance risk management program.


The hallmark of the Federal Reserve System's approach to consumer compliance supervision is its emphasis on ensuring that appropriate risk management controls are in place and consumers' rights are protected. As Federal Reserve Governor Elizabeth Duke recently stated before Congress:

"One objective of our consumer compliance examination program is to identify compliance risks at banks before they harm consumers and ensure that state member banks have appropriate controls in place to manage those risks. In conducting a consumer compliance examination at a state member bank, examiners review the commitment and ability of bank management to comply with consumer protection laws as well as the bank's actual compliance with such laws."[1]

One of the most important components of this approach is the board of directors' oversight of the bank's compliance risk management program. In addition to establishing expectations for the institution, the board must first understand the nature of the risks significant to the institution and sufficiently empower senior management to measure, monitor, and control these risks. The level and scope of such activities vary with the size and complexity of the organization. However, the concept is the same. Organizations with the most effective compliance management programs do not layer consumer compliance over operations, but instead imbed the concept of consumer compliance within daily operations. In other words, they have a "culture of compliance."

In a previous issue of Consumer Compliance Outlook, Phyllis Harwell from the Board of Governors of the Federal Reserve System wrote that successful compliance risk management starts at the "top of the house."[2] The board of directors sets the tone of compliance for an institution, not only in words but in actions. An environment should exist where senior management and the organization's staff are not merely comfortable but obliged to communicate compliance risks as issues are identified and help to establish controls. It is the board that must establish this culture of compliance.


Before directors can establish a positive culture to effectively oversee consumer compliance risks, they must first identify and clearly understand those risks. Examiners consider this process when they evaluate an organization's board of directors.[3] The current volatile environment, from both a regulatory and an economic perspective, makes it challenging for directors to accomplish this mission. The regulatory environment is experiencing an unprecedented period of change, while the current economic climate is also pressuring banks to become more creative in product offerings as a means to generate additional earnings. Adopting and offering more complex products and services, of course, increases the organization's compliance risk. Additionally, the supervisory or audit process may uncover areas of potential weakness within functions that were believed sound from a compliance standpoint.

The good news is that the board of directors is not alone as part of the compliance management program. Directors can, and should, turn to the organization's compliance officer or compliance function to assist in identifying such risks. Armed with appropriate information, the board can then set the risk appetite for the organization as well as the tone of its compliance management program.

Regulators are often asked how directors should approach overseeing consumer compliance in their organization. There is clearly no single correct answer to this question. However, when faced with a new regulatory concern, directors should work with their compliance management and consider asking the following questions:

These suggested questions are only a starting point and do not guarantee insulation from adverse examination findings. They can, however, provide the foundation for the types of discussion that address the root of various compliance risks and stimulate the type of interaction seen in an engaged "top down" compliance management program.


Perhaps the most effective way to demonstrate this approach is to apply these suggested discussion topics to an actual regulatory change. On July 14, 2008, the Board of Governors approved final rules amending Regulation Z (Truth in Lending) adopted under the Home Ownership and Equity Protection Act (HOEPA).[4] These new rules, most of which become effective October 1, 2009, require significant changes that affect residential lending disclosures and mortgage advertising. The following points provide an example of the type of information a board may want to obtain from a compliance function presentation on the HOEPA final rules.






This example is more of an outline, but it helps to demonstrate an important point: The most effective compliance risk management programs are proactive and driven by the board of directors. By engaging the compliance function, the board accomplishes two important tasks: 1) directors receive the information they need to be better informed on compliance issues and better equipped to set the organization's risk appetite; and 2) the board establishes the expectation that compliance is a priority, thereby establishing a "culture of compliance." Specific issues and questions should be raised with the consumer compliance contact at your Reserve Bank or with your primary regulator.