Consumer Compliance Outlook: Third Issue 2020

The Benefits of a Proactive Compliance Program

By Kathleen Benson, Lead Examiner, Federal Reserve Bank of Chicago

“You can pay me now, or pay me later.”

FRAM, one of America’s leading automotive oil filter brands, debuted its well-known slogan back in 1971.¹ Almost 50 years later, this slogan continues to resonate. The small investment in regularly changing a car’s oil filter can help prevent costly repairs from engine failure. Similarly, a proactive consumer compliance management system (CMS) can be an effective tool for financial institutions to help prevent program breakdowns.

Proactive compliance systems that anticipate likely issues may cost more or require more structure in the immediate term ― the “pay me now” part of the slogan. But over the long term, they are usually less costly than programs that only respond to problems once auditors, customers, or regulators identify them. Depending on the severity of a compliance issue, a bank’s reactive program may be no better off than the seized up engine envisioned in the “pay me later” part of FRAM’s well-known advertisement.

Large-scale compliance problems can lead to redisclosure, reimbursement, or other required corrective action, which expose the institution to increased costs or may harm its reputation with its customers. In addition to avoiding these negative outcomes, a proactive CMS provides clarity to management and employees about legal and regulatory compliance requirements, as well as a risk management structure that empowers them to identify and resolve issues before they escalate, contributing to a culture of compliance. The Federal Financial Institutions Examination Council (FFIEC) Uniform Interagency Consumer Compliance Rating System (CC Rating System), released by the FFIEC on November 7, 2016, also encourages institutions to prevent, self-identify, and address compliance issues.² This article will cover the benefits of implementing a proactive CMS, define its elements, and share examples based on examiner observations.

WHAT IS PROACTIVE COMPLIANCE?

Merriam-Webster defines proactive as “acting in anticipation of future problems, needs, or changes.”³ From a CMS perspective, a proactive approach requires an institution’s board of directors (board) and management to be knowledgeable of and identify compliance risk in the organization and to implement risk mitigation strategies appropriate for their defined risk appetite.

Some of the practices we have observed in institutions with proactive compliance programs include documenting critical policies and procedures in writing, implementing robust training methods, and establishing monitoring and audit parameters based on product or compliance risk. In addition to a compliance policy and lending standards established within a bank’s loan policy, written lending-related procedures frequently include areas such as loan administration responsibilities, the breadth of required flood insurance actions, escrow and private mortgage insurance practices, and bank-specific signature practices, among other areas. Deposit processing procedures for check holds and error-resolution items and complaint procedures are also typically in writing. Employees then receive training about the regulatory requirements and the institution’s policies and procedures to ensure compliance with the regulations. Monitoring and audit practices, along with effective management reporting, should provide the business line, management, and the board with assurances that established policies and practices are being followed and conducted in a compliant manner. In summary, the board and management should implement sound compliance risk management practices appropriate to the institution’s size, complexity, and risk profile.

As Merriam-Webster’s definition indicates, a proactive CMS also anticipates change. In financial institutions, this occurs through formal or informal change management processes. These processes anticipate and monitor legal, regulatory, product, or service changes and explicitly consider the impact of these changes on institution resources. This allows the institution to engage affected business line and compliance representatives to implement appropriate solutions in advance of the change. Proactive institutions also keep their boards, marketing staff, and other public-facing employees aware of significant change management plans so they can convey critical information to customers during and after implementation. After change initiatives are implemented, especially for significant changes, proactive institutions conduct reviews to ensure the intended outcomes were effectuated.

A critical component of a proactive CMS is an institution’s culture and the incentives for compliance, or risk management more generally, that the board and management establish for their employees. The culture “influences decisions and actions taken in response to the challenges and opportunities a bank faces.”⁴ Culture and incentives can be harnessed to support a proactive compliance program. Your institution’s culture can support this accountability by communicating the importance of compliance-related business practices to all employees.

IS IT WORTH THE TIME AND MONEY TO BE PROACTIVE?

In the short run, an institution implementing a proactive CMS will incur costs, but they do not have to be excessive. Changing internal processes and reinforcing a desired culture can help support a more proactive compliance program without expending significant funds. But more important, these changes provide an excellent return on investment in the long run by helping the bank avoid potentially disruptive costs associated with corrective actions in unplanned circumstances.

A significant benefit of a proactive compliance function is identifying and preventing possible issues early, when the potential harm to consumers and the costs to rectify the issues are typically lower. This is true for both ongoing operational compliance and for change initiatives with compliance implications. In a proactive compliance function, management and employees increase their knowledge and understanding of the laws and regulations affecting their business areas; therefore, they are more likely to identify and address potential issues. If employees are encouraged to bring forward compliance issues and potential solutions, they will better understand and adhere to procedural, legal, and regulatory expectations. Additionally, having a culture that encourages staff to surface potential compliance issues helps expose management to the challenges experienced by critical business operations. In contrast, an organization that doesn’t actively promote compliance, or fails to recognize the value when compliance issues are identified, is less likely to have an employee come forward with an issue in the future ― potentially leading to otherwise avoidable or readily correctable issues being overlooked.

PROACTIVE CMS RECOGNIZED BY THE CC RATING SYSTEM

One major element in the November 2016 revisions to the FFIEC’s CC Rating System is that it rewards institutions with a proactive CMS with higher examination ratings than institutions with a reactive compliance culture.

Strong compliance programs are proactive. They promote consumer protection by preventing, self-identifying, and addressing compliance issues in a proactive manner. Accordingly, the CC Rating System provides incentives for such practices through the definitions associated with a 1 rating.⁵

The CC Rating System’s language specifically identifies corrective action and self-identification as a CMS assessment factor that limits consumer harm and prevents the recurrence of violations of laws and regulations, as shown in Table 1. The eight assessment factors for board and management oversight and the compliance program include terminology in the one (1) and two (2) rating definitions that recognize actions associated with proactive compliance. One (1) rating terminology includes terms such as commitment, empowered, accountable, anticipates, engages and prompt, among others. Two (2) rating terminology also speaks to the effectiveness of compliance program oversight and third parties, evaluation of product changes, management of identified risks, responsiveness of training to change, and actions taken following the identification of compliance deficiencies.

Table 1: FFIEC Consumer Compliance Rating Scale for Board and Management Oversight Factor

Board and Management Oversight

Board and management oversight factors should be evaluated commensurate with the institution's size, complexity, and risk profile. Compliance expectations below extend to third-party relationships.

Assessment factors to be considered	Corrective action and self-identification
1	Management proactively identifies issues and promptly responds to compliance risk management deficiencies and any violations of laws or regulations, including remediation.
2	Management proactively identifies issues and promptly responds to compliance risk management deficiencies and any violations of laws or regulations, including remediation.
3	Management does not adequately respond to compliance deficiencies and violations including those related to remediation.
4	Management response to deficiencies, violations and examination findings is seriously deficient.
5	Management is incapable, unwilling and/or falls to respond to deficiencies, violations or examination findings.

EXAMINER OBSERVATIONS OF PROACTIVE CMS

Examiners are in a unique position to review both proactive and reactive CMS and to identify their differences. Proactive programs:

receive support from the top of the organization;
focus on the compliance implications of regulatory, product, or service changes;
implement preventative and detective controls to identify compliance issues early; and
investigate compliance issues to fully identify root causes and necessary solutions.

Effective communications throughout the organization, including with the compliance function, the board, and regulatory agencies, is also evident in proactive programs. Table 2 summarizes examiner observations of specific aspects of a proactive CMS in the context of the FFIEC’s CC Rating System assessment factors. Examiners typically identify one or more CMS assessment factor concerns in more reactive institutions.

Table 2: Examiner Observations of Proactive CMS

CMS Assessment Factors

Examiner Observations of Proactive CMS

Board and Management Oversight

Oversight and Commitment
Change Management
Comprehension, Identification, and Management of Risk
Corrective Action and Self-Identification

Recognizing and formally communicating the role of employees in mitigating compliance risk, including in performance expectations.
Encouraging employees to bring issues forward, with proposed solutions.
Monitoring changes in laws/regulations are monitored to assess the impact to the institution.
Analyzing industry wide issues to determine if similar issues exist locally.
Conducting risk assessments to help mitigate risk and enhance controls by adopting sound practices.
Utilizing change management initiatives to identify compliance requirements at the beginning of projects and require sign off on changes prior to implementation.
Resolving issues promptly and considering redisclosure or restitution to address consumer harm if appropriate.
Notifying bank’s regulators when significant issues are identified to confirm remediation actions are sufficient.

Compliance Program

Policies and Procedures
Training
Monitoring and/or Audit
Consumer Complaint Response

Linking training to the regulatory/legal requirement (what) with the rationale (why) and controls (how) to build knowledge.
Automating controls used to prevent and, when possible, identify errors.
Monitoring early warning signals, such as patterns of consumer complaints, loan exception trends, and adverse action timeliness or loan tolerance cures to promptly identify and resolve issues.
Using internal/external reviews to:
- conduct post assessments of major change initiatives and to confirm the resolution of significant internal review or audit findings;
- consider if policy, procedure, or control enhancements are necessary to resolve findings;
- assess the adequacy of training provided to employees; and
- rank findings by significance, including root cause analysis, recommending resolution actions, and requiring management’s response to the findings.

CONCLUSION

A proactive CMS benefits an institution in helping it understand its compliance risk profile and identify potential issues early, when resolution is less costly, disruptive, and potentially harmful to consumers. Establishing a proactive program with support from the board and management recognizes and communicates the benefits of compliance and CMS enhancements and helps to establish a culture of compliance. Although some aspects of a proactive CMS can include explicit costs such as retaining external vendors, many actions involve relatively minor enhancements to existing processes to support a proactive approach and reduce costs in the long run. With the FFIEC’s 2016 rating system explicitly considering the extent to which an institution is proactive, it is worth evaluating if your institution’s CMS is due for a tune up. Specific questions should be addressed to your primary regulator.

Endnotes

¹ See FRAM History.

² See FFIEC Press Release, Uniform Interagency Consumer Compliance Rating System, November 7, 2016.

³ See https://www.merriam-webster.com/dictionary/proactive.

⁴ See “Understanding How Culture Drives a Bank’s Mission,” Consumer Compliance Outlook, First Issue 2018.

⁵ See 2016 Uniform Interagency Consumer Compliance Rating System, p. 23.