Consumer Compliance Outlook: Third Issue 2022

The Effects of Communications and Organizational Structure on Compliance Management

by Katie Ringwald, Supervisory Examiner, Federal Reserve Bank of St. Louis

How does your organization structure compliance? Who is tasked with overseeing compliance, and how are the responsibilities delineated? Are appropriate staff members receiving the information they need in a timely fashion? How does the board and senior management stay apprised of compliance issues?

As these questions suggest, an organization’s structure, including its assignment of compliance responsibilities among specific personnel, can significantly impact its compliance management system (CMS). While the appropriate structure will vary among institutions (based on their risk profile, products, asset size, and other factors), all institutions benefit from clear communications and appropriate reporting lines to mitigate risk and avoid compliance management deficiencies. It is therefore important for banks to ensure that board and senior management are appropriately informed to make decisions in their role overseeing the CMS.

This article reviews three case studies to illustrate how deficiencies in an institution’s compliance structure and communications process can adversely affect CMS. After each scenario, we explore the root cause of the identified issues and examples of proactive actions the institutions could have undertaken to prevent them from occurring. Each discussion concludes with key takeaways and sound practices to consider to facilitate compliance management.

Case 1: Managing Fair Lending Risk

During a compliance examination of a $600 million bank, examiners noted compliance weaknesses in the rapidly growing mortgage division, including management turnover; unclear staff roles, responsibilities, and expectations; and inadequate communication among the board, bank management, and mortgage division management. Examiners raised the following concerns with management:

Since the previous examination, the board hired a new compliance officer (CO) with oversight of the bank’s overall compliance and fair lending programs.
The CO reported directly to the bank’s chief risk officer (CRO), who was responsible for communicating fair lending issues with the board but was not involved in day-to-day compliance management. Additionally, the CO’s communication to the CRO was limited and high level.
Additional fair lending training was not provided to the CO because of prior loan compliance experience.
Mortgage division staff indicated to examiners that the CO performed fair lending reviews.
Discussions with the CO revealed that although the CO performed fair lending reviews for the bank, neither those reviews nor the broader fair lending program, which included fair lending policies and other internal controls, encompassed the mortgage division in their scope.

Examiners noted disparities in the bank’s mortgage lending patterns in majority‒minority census tracts when compared with a group of comparable lenders. Without the CO conducting fair lending analyses of mortgage lending patterns, bank management was unaware of these deficiencies.

Given the substantial gap in the bank’s CMS, examiners issued supervisory guidance directing the bank to develop a fair lending risk management program commensurate with its risk profile, including the increased risk from growth in its mortgage division. Sound practices that could have prevented these compliance weaknesses include accountability, training, and communication, which are discussed next.

Accountability: The board and senior management could have prevented the fair lending weaknesses by clearly identifying and communicating the individuals responsible and accountable for each component of the CMS. One effective approach is to assign an “owner” for each compliance regulation and product line specific to the scope of the bank’s activities. For example, a staff member(s) could be assigned ownership of Regulation B/Equal Credit Opportunity Act and the Fair Housing Act. The scope of ownership could be defined to include all loan products, and the owner could then assign specific duties to ensure compliance. Clarity is key in establishing roles and responsibilities, which are often outlined in a written policy. (The institution in this example had a formal compliance policy in place, but it had not been updated since the previous CO departed or since the recent growth of the mortgage division.) To ensure consistency and accountability, an effective control would be to schedule regular reviews of policies and procedures to ensure they clearly outline staff roles and responsibilities, including upon significant personnel or business-related changes.

Training: Given the CO’s limited fair lending background, the training provided for the new CO was inadequate to effectively manage and oversee the compliance and fair lending programs for the entire bank and mortgage division. It is the responsibility of the board and senior management to ensure designated compliance personnel receive the appropriate training to be able to manage their responsibilities. Specifically, compliance staff need resources, including regular, designated training time and access to reputable training sources, to capably fulfill their assigned duties and stay abreast of regulatory changes.

Communication: This institution filtered compliance information to the board through the CRO, who only provided high-level summaries to the directors. While this approach may be appropriate for some institutions, it requires the front-line compliance managers to keep the CRO apprised of compliance issues. The head of the mortgage division also reported to the board but did not focus on consumer compliance. As a result, the board was not informed of the compliance risks for its mortgage operations. Had the board and management been more involved in managing compliance risk and the changes that occurred during the review period, they may have recognized that growth in the mortgage division increased fair lending risk and taken appropriate action.

One specific challenge examiners have observed is business lines operating in siloes. As seen in this example, the mortgage division operated largely on its own, and the CO did not request or receive the information necessary to provide appropriate fair lending risk management. This type of breakdown can occur when compliance departments are isolated from specific business lines (such as a separate commercial division, mortgage division, or marketing department). An attentive and informed CRO can help prevent these breakdowns. Communications across different business lines are important to ensure compliance issues affecting multiple areas are being identified and addressed.

Case 2: An Absence of Authority

Examiners recently reviewed a $1 billion institution experiencing steady, organic growth. While this institution had a capable and experienced CO, the bank’s reporting lines limited the CO’s ability to enact change. As the review continued, examiners found:

The CO was responsible for overseeing periodic compliance reviews, including transaction testing of loan and deposit accounts. The compliance reviews effectively identified issues, and findings were assigned to business line managers and tracked on a log. Despite this system, examiners identified multiple repeat findings, indicating that management was aware of consumer compliance issues but did not consistently correct them.
The board expected business line managers to work with and support compliance management; however, resolution of issues depended on individual business line managers to work with compliance staff. Business line managers were responsible for reporting department summaries to the board. As a result, the board was often unaware of the severity of compliance issues or the status of corrective actions.
Examiners determined the bank’s reporting structure was ineffective. They subsequently downgraded the institution’s compliance rating and issued supervisory guidance to ensure compliance resources were appropriate to provide effective oversight of the CMS. Sound practices that could have prevented these oversights from occurring include establishing authority and improvements in communication.

Authority: Sound compliance programs ensure those tasked with overseeing compliance management have the authority to effect change. This can be accomplished through reporting systems that inform the board and senior leadership of compliance issues as they arise. Effective reporting systems are detailed enough to apprise the board of severe, systemic, or repeat compliance issues in a timely manner. Creating incentives for department managers to maintain compliance in their respective business lines can also help ensure issues are corrected. Even when a single employee (such as the CO) is formally delegated to oversee a bank’s compliance system, sound compliance management programs include board and management teams that value compliance throughout the organization and set the “tone at the top.”¹

Communication: Communication is critical for achieving desired compliance outcomes. In this example, more detailed reporting to the board may have resulted in quicker responses from business line leads and prompted corrective action. Sound practices that examiners have observed at strong institutions include regularly evaluating membership on compliance and audit committees to ensure a consistent flow of information across all involved departments and product lines, and regular compliance discussions and training at the board level. Compliance information provided to the board should be detailed enough to convey the bank’s risks. The method of communication may vary, depending on the complexity of the institution’s operations. For example, smaller, less complex institutions may use committee minutes as a reporting mechanism, while larger institutions may display compliance reports on sophisticated dashboards.

Case 3: Understanding Your Operations

A $350 million community bank offering a standard mix of consumer and commercial loan and deposit products had implemented a new overdraft program with minimal input from compliance staff regarding the specifics of the software setup. During the following exam, regulators made these observations:

Compliance personnel believed and informed regulators that the bank’s software assessed overdraft fees on the “available balance.”
By reviewing account histories, examiners found that for all types of transactions, the deposit platform’s software settings actually imposed overdraft fees based on the “actual/ledger balance.”
Examiners observed a weakness in the CMS related to the oversight of the overdraft program, given compliance management’s lack of understanding of the bank’s overdraft operations. A sound practice that could have prevented this oversight is collaboration.

Collaboration: Knowledgeable compliance personnel fully understand their institution’s systems and operations to identify potential consumer compliance risks. In this scenario, compliance staff were not properly informed or consulted in the setup of the new program. If compliance had been involved in reviewing the software settings, researching available options, and making intentional decisions about the program setup, the misunderstanding of how the bank’s overdraft program worked could have been avoided. As it sounds, collaboration requires the institution’s various business lines and departments to work together. In this instance, effective collaboration may have looked like having the IT department explain how the software operates to the compliance staff and seeking input. Compliance and IT may have also collaborated with the software provider for more information on their options to make informed decisions.

Communication: Bank personnel reached out to the software vendor after examiners identified the issue; the vendor advised how to change the software settings for assessing fees based on the actual balance. Solving the issue required communication between compliance, IT, and the software vendor. The board of directors was also promptly made aware of the finding so it could oversee follow up.

Conclusion

The structure and lines of communication in a bank’s compliance operations can help prevent compliance concerns and address them when they occur. Sound practices include setting up an organizational structure that ensures accountability for all compliance regulations as they relate to the institution’s business activities. Strong compliance programs provide training to compliance staff to ensure they understand their duties and make sure they have the authority to enact change. Once the structure is established, sound programs ensure appropriately detailed communication among the various internal and external parties involved, with a focus on communicating compliance information to the board and senior management. Effective communication may require different departments and business lines to collaborate and to focus on breaking down silos. No one type of organizational structure is right for all institutions, but the sound practices discussed in this article are generally applicable. Specific questions should be raised with your primary regulator.

Thank You, Katie Ringwald

Consumer Compliance Outlook (CCO) thanks Katie Ringwald, a supervisory examiner at the Federal Reserve Bank of St. Louis and a member of the CCO writers’ cohort, for her service on the cohort. The cohort is a group of supervisory staff at the Reserve Banks who frequently contribute articles to CCO. Katie is rotating off the cohort after her five-year tenure. In addition to this article in the current issue, she has written “Mortgage Servicing: Managing Change” (Consumer Compliance Outlook, Fourth Issue 2020) and “Early Observations on the TILA-RESPA Integrated Disclosure Rule” (Consumer Compliance Outlook, Fourth Issue 2019).

ENDNOTES

¹ See Robert L. Triplett II, “Understanding How Culture Drives a Bank’s Mission,” Consumer Compliance Outlook (First Issue 2018).

² For a more complete overview of the elements of effective board and management oversight, see Consumer Affairs Letter 13-21: Guidance on Managing and Outsourcing Risk (Revised February 26, 2021). Note: In 2021, the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Comptroller of the Currency issued for comment “Proposed Interagency Guidance on Third-Party Management.” See 86 Federal Register 38182 (July 19, 2021). The comment period closed, and the agencies are working on the final guidance.

³ This topic was discussed in more detail in the 2018 issue of the Federal Reserve Board’s Consumer Compliance Supervisory Bulletin.