Regulatory Compliance Consultants
Financial service institutions, increasingly burdened with state and federal regulatory requirements, often find themselves in need of outside consultants; this is happening even as both large and smaller banks add in-house compliance officers. We asked some compliance consultants the following two questions to get their view of the key issues that banks are dealing with and the best way to stay on top of them – outside compliance consultant, inside compliance officer, or both?
1) In your experience, what are the three hot-button compliance issues banks are dealing with today?
2) With more and more smaller banks being inundated with regulatory issues, at what point should a bank seek the help of a compliance consultant or add an in-house compliance officer to its staff?
Susan N. LeDuc, Certified Regulatory Compliance Manager (CRCM), Gallagher, Callahan & Gartrell P.A., Concord, N.H.
Three of the hottest bank compliance issues today are:
Data Security: Data security is an enterprise-wide, top-to-bottom issue that involves everything from where customer files are kept to what form of encryption is being used in online banking applications. Banks are being asked to determine what risks may be out there and mitigate for them. It puts banks in the position of trying to stay one step ahead of the fraudsters.
Vendor Management: Banks must proactively manage their vendor relationships because of the risks associated with providing customer information to a vendor. This spills into vendor contract negotiation, tracking and monitoring. Just as banks use a monitoring process to confirm regulatory compliance, each bank should be using a similar process to ensure contractual compliance by and with its vendors.
Bank Secrecy Act: Although we are not seeing many banks with regulatory citations for BSA, we know that banks are spending significant resources to ensure compliance with the Bank Secrecy Act and USA PATRIOT Act. This includes customer identification procedures, review of higher risk-rated customers for unusual or non-customary transactions, filing of Suspicious Activity Reports, and other forms of reporting to regulatory and law enforcement officials.
All banks are subject to increasing regulatory pressures; however, smaller institutions have the distinct disadvantage of a diseconomy of scale. Although a smaller bank has fewer resources (money, expert staff, etc.), it is required to comply with almost as many regulatory requirements as a much larger institution. Additionally, the regulatory tone has shifted away from a check-all-the-boxes form of compliance to a risk management focus. Banks are required to assess the risks inherent in their business, including regulatory risk. Generally, the function of determining the risk rating for each identified risk serves to gauge how intense the mitigation, training, monitoring and testing functions should be for that issue. It does not mean that a low-rated risk deserves no mitigation, etc. Especially at the audit level, every risk will be expected to be mitigated to some degree. My answer to the question is that a bank will need a compliance consultant or new/additional in-house staff whenever risks are not being appropriately identified or mitigated. If a bank doesn’t know what its risks are or whether its risks are being properly mitigated, it should get assistance immediately.
Pamela C. Buckley, CRCM, Integrated Compliance Solutions LLC, Wellesley
Regulation DD Final Rule: Financial institutions have been busy revising their periodic statement disclosures to reflect fees associated with overdraft protection programs. The good news, for some, is that only institutions that actively promote these programs are required to modify periodic statement disclosures. However, the final rule requires that all banks modify their Truth in Savings disclosures to state when an overdraft may occur.
Another important point is that providing information about the payment of overdrafts in response to a balance inquiry made through a telephone response machine, ATM or the bank’s Web site is not considered a response to a consumer-initiated inquiry requiring additional advertising disclosures.
Fair Credit Reporting/FACT Act: The FFIEC published FCRA/FACTA Examination Procedures in February 2006 and the examiners are using them. So, now would be a good time to make certain that you are complying with the various FACTA requirements such as the negative information and credit score notices. Also, be sure to expand your FCRA policy to include all FACT Act requirements.
BSA/AML/OFAC: The FFIEC BSA/AML Examination Manual published in June 2005 requires financial institutions to perform BSA/AML/OFAC risk assessments. The manual also requires banks to identify high-risk customers and accounts. Another critical step is to create a transaction profile for each high-risk account, documenting the expected daily cash activity, wire transfer activity, loan activity, etc. Banks must then develop a process to centrally monitor daily activity and to report unusual or suspicious activity. Don’t forget to establish a system for updating the profiles annually based upon a review of 30-60 days of activity.
Deciding when to seek outside help or hire a compliance officer is a question that bankers seem to be facing more often than ever these days. For starters, there are more consumer protection laws and regulations on the books than ever. Second to none is the overwhelming current focus on Bank Secrecy and Anti-Money Laundering compliance. The net result is that it has become crucial for bankers to assess the level of internal compliance knowledge and if it is lacking, to do something about it. But before deciding whether to hire an in-house compliance officer or engage an outside consultant, there are several key questions that must be considered:
• Do the department managers have a clear understanding of the regulatory compliance laws and regulations affecting their department?
• Do department managers know about and communicate regulatory amendments and new legislation to others? If so, are they proactively recommending revisions to internal policies, procedures and disclosures to ensure ongoing compliance?
• Has the institution adopted a risk-based approach to managing compliance? Are compliance audits and monitoring reviews being conducted on a regular basis? If so, have the regulators been pleased with the audit and monitoring reports as presented? How are managers and staff being trained on regulatory compliance laws and regulations, both when hired and throughout their career with the institution?
• Do managers and staff have a reliable resource to turn to when they are faced with challenging compliance issues?
The answers to these and other key questions should help in determining whether outside expertise is necessary and appropriate.
Dana Briggs, BankPro Advisers, Sandwich
For my client banks, the primary focus of regulators recently has been the Bank Secrecy Act and its related components: anti-money laundering, SARs reporting, and Customer Identification Program.
Other important compliance areas include verifying disclosure notices for a variety of regulations, including new account opening, Regulation E, Regulation CC, and Privacy.
Information security, vendor management, and business continuity planning appear to be areas that are receiving stronger attention. We are currently working with several banks to develop and implement new business continuity programs that respond comprehensively to more recent regulatory requirements than previous disaster recovery plans.
The increasing compliance requirements are resulting in banks having to dedicate more resources to this area. Most banks of $500 million in assets now have at least one dedicated employee for compliance, and this threshold has been lowered in recent years. Smaller institutions may have part of a person’s time devoted to this function and/or rely on each department to maintain compliance in its area of expertise.
Consultants can be valuable for smaller institutions as they can bring specialized knowledge and tools to establish and maintain effective compliance programs. Even in larger organizations, depending upon the background and expertise of the compliance officer, a consultant can provide value in specific areas of need. Consultants can be especially helpful when a new or significantly revised regulatory requirement is introduced, mandating a new compliance program for which no one in the bank will have experience.
Jay Friedland, CEO, M&M Consulting LLC, Brunswick, Maine
The honest answer is probably BSA, BSA and BSA. We’ll also add Fair Lending and Flood. BSA violations (and recommendations) now probably equal all other compliance-related violations combined. Whether called violations or recommendations, whenever I see a thick examination report, my first thought is not that it is thick because it is filled with compliments.
Frequent BSA deficiencies include no BSA/AML risk assessment, inadequate customer due diligence and lack of an effective, documented SAR identification, due diligence and decision-making process.
Of the non-BSA matters, key fair lending issues include spousal signatures and indirect lending. Spousal signature concerns relate to improperly obtaining spouses’ signatures on commercial loans. The indirect lending issue is that dealer discretion in setting specific customer rates has potential for sex and age discrimination. Banks are expected to be proactive in managing this risk.
Flood has been a significant issue for many years, and with the hurricane-related flood damage in the South and recent flooding in New England, I expect continued emphasis.
When does a bank need an in-house compliance officer and when should a bank seek the help of a compliance consultant? We have seen banks over $500 million do consistently well on compliance exams without a full-time compliance officer, while some smaller banks with full-time personnel have not. This reflects many factors such as bank culture, extent of compliance ownership by line management and extent and nature of bank activities. If pushed for a number, most $250 million-plus banks should strongly consider having a dedicated compliance officer.
Banks are increasingly turning to compliance consultants for a variety of reasons, even if they have a dedicated compliance officer. Compliance used to be more about the technical compliance with regulations. Violations now often relate to unpublished interpretations or “compliance management” concerns. Banks often first learn about these issues on an exam. As new interpretations and issues arise, we provide guidance to help ensure that banks are not blindsided. It is very difficult for in-house compliance officers to otherwise get this perspective. Moreover, compliance has become considerably more complicated over the years and outside firms bring specialized expertise. M&M has nine full-time professionals in our compliance unit allowing us to thoroughly “dig in” to regulatory changes and provide clients easy-to-use guidance. Lastly, there is very little that we have not seen before, so that we can cost-effectively help banks address issues by performing independent reviews, providing training and developing procedures.
For banks without full-time compliance officers, we additionally perform the resource-person role that would typically be handled by the compliance officer and also help develop compliance programs and ensure that the programs are effective.