By Kathlyn L. “Lyn” Farrell
One of the worst events that can happen to a bank is the imposition of a regulatory enforcement action. Such actions are expensive, time-consuming and not quickly resolved. In 2006, the three federal banking agencies (Office of the Comptroller of the Currency, Federal Deposit Insurance Corp. and the Federal Reserve), along with the Financial Crimes Enforcement Network, issued a total of 149 formal enforcement actions against the financial institutions they regulate. These actions included formal agreements, consent actions and civil money penalties, and were the result of violations of various laws, including the Bank Secrecy Act (BSA), the Flood Disaster Protection Act (FDPA) and the Home Mortgage Disclosure Act (HMDA), among others. Some were the result of management deficiencies, such as weak credit controls. Although in itself this is a large number of actions, it is not the total number of enforcement actions. The number of informal actions (memorandums of understanding) is not made public, so their number is unknown.
Regulatory enforcement actions are always expensive for the institutions involved. Fines and penalties are often levied, consultants are sometimes mandated, and time-consuming review and remediation processes are usually required. The good news is that enforcement actions are preventable. A strong, proactive program of corrective action when problems are found or suspected is the best defense a financial institution can have. All of the violations and program deficiencies that gave rise to the enforcement actions began as smaller problems. If these problems had been identified and systematically corrected after discovery, the institution would have nothing to fear from its regulatory agency.
Following is a checklist of actions a bank or financial institution can take after identifying a deficiency to prevent the problem from becoming something worse.
Identify the deficiency with an audit: It goes without saying that a robust audit program is a necessity in every financial institution. However, based on the public disclosure of institutions that had HMDA and FDPA problems, not all institutions regularly audit all sensitive functions. You can’t fix a problem if you aren’t aware of it. Experts must periodically review high-risk banking activities, such as BSA, HMDA, FDPA and the quality of a bank’s loan portfolio. The experts can be either from within the institution or from the outside. For example, HMDA data must be accurate when filed with the federal government. Once the data is input into the final form, after the first of each year, the bank should have a sample of the data reviewed by someone other than the one responsible for the data quality, in order to verify the accuracy.
Identify the root causes: Another basic rule is: you can’t fix it if you don’t know what caused it. For example, the failure to identify and report suspicious activity could be a deficiency in the bank’s data-gathering process that requires a software solution. However, the same deficiency could result from a lack of understanding of the legal requirements by the bank’s staff. It could also be because the bank has not devoted enough staff to this function. Flood violations can result from a lack of training for commercial lenders, for example. Finding the root cause will lead to the next step.
Plan a strategy for correction: This is often the place where the process breaks down. Many times, bank management believes that because the problem has been uncovered and discussed with the appropriate departments, it will be solved. This is not necessarily true. The key to a successful correction is to make sure that someone “owns” the solution; in other words, someone must be responsible for taking the agreed-upon action to fully correct the deficiencies through the entire process. In the case of multiple problems, more than one person might be needed. Unless there is a clear delegation of responsibility, there is likely to be a glitch in this step. One suggestion is to form a committee (usually with no more than five people) to take charge of the entire process. The committee can assign tasks to responsible individuals. For example, if the bank has not been obtaining flood determinations on commercial loans and some of the portfolio might be exposed to a flood risk, the committee can decide how the missing determinations will be obtained, who will check the flood status, how borrowers will be notified if the property is in a special flood hazard area and how the bank will verify that flood insurance is obtained on appropriate loans. These steps might be delegated to one department or to several individuals, but someone who feels the responsibility to get it accomplished must own each step in the process.
Allocate sufficient resources: This step is also ripe for problems. Since correcting problems is not income producing, bank management will not want to spend any unnecessary money on the fix. However, being too frugal in the process can be a false economy. If the deficiencies are not corrected and an enforcement action is taken against the bank, the cost will be much greater. The person (or committee) responsible for the corrective action should decide what is needed, how much it will cost and then present the case to management for the necessary resources. For example, software to automate the suspicious activity process is expensive. However, it is not as costly as BSA civil money penalties, nor is it as expensive as a regulatory agency’s requirement to undertake a “look back” of previous transactions to determine if suspicious activity has occurred. In fact, some institutions that have been required to perform “look backs” report that the cost was several times greater than the penalty assessed. The bottom line is: spend what is necessary to fix the problem before a regulatory exam.
Get advice from an expert: Sometimes when a bank is undertaking a corrective action, technical regulatory questions crop up or questions come up regarding the scope of the work. The best practice when questions arise is to call an expert. In most cases, calling the examiner responsible for the bank is a good choice. The bank’s examiner-in-charge will have the bank’s best interest in mind and will be able to give advice on the regulations themselves and on the agency’s expectations and perspectives.
Get buy-in from the rest of the bank: In almost every case, more than one department in the bank is complicit when there is a failure to comply. All departments need to feel a responsibility to assist with the corrective action and be willing to comply with all new procedures necessary to prevent violations in the future. For example, if the bank’s HMDA data has errors, everyone – including the application takers who obtain monitoring information, the lenders who record the purpose of the loan and personnel who enter the data – needs to agree to new procedures or more rigorous review in order to prevent errors in the future. It goes without saying that the senior management of the bank must be supportive of the corrective action in order for it to be successful.
Implement the corrective action: Once the person or committee has determined the action necessary, the time has come to formally implement the corrective action. This may involve updating the procedures, reviewing files, correcting data entry, creating new forms, purchasing and installing software and conducting training. In short, take all the action necessary to make sure the errors are corrected and new procedures are in place to prevent them from recurring. All steps should be fully and completely documented. If an exam uncovers the same errors (those that existed prior to the corrective action), the documentation will be valuable in making the bank’s case that the errors were found and fixed. Communication is important at this phase. Bank management should send a clear message that the new procedures are important and communicate the expectation of future compliance.
Monitor the function regularly: After the corrective action is finished and new procedures are in place, a regular monitoring process should be installed to make sure the problems don’t crop up again. For example, if the deficiencies involve flood insurance, the operations area should review all loans before funding or booking to determine if flood insurance is required. Regular reviews of files should include a determination of whether flood insurance is required and, if so, that the bank has a copy of the current insurance policy.
Implement periodic audits: We have come full circle – the final step is the same as the first. Independent audits are a crucial part of making sure that procedural deficiencies and regulatory violations do not go unnoticed. Auditing for compliance requirements, including BSA, should be conducted annually. Review of internal control procedures should also be done on an annual basis. Bank management should respond in writing to all deficiencies noted in these audits. When a problem has been identified and corrective action taken, it is important to audit the function after a few months of operation to ensure the fix worked and that no residual problems remain.
Taking a proactive stance toward corrective action is the key to avoiding the nightmare of regulatory enforcement actions.
Kathlyn L. “Lyn” Farrell, CRCM, CAMS, is director of risk management for Sheshunoff Management Services (800-477-1772). She has designed and implemented procedures to help ensure regulatory compliance in all areas of banking, and has extensive experience in Internet banking issues and BSA compliance.