
The Risk Based Exam In The Compliance Arena

A panel of regulators at the Maryland Bankers Association's Compliance Conference discussed how their agencies approach the compliance examination using risk and gave valuable advice on how banks should prepare for the risk-based examination.

Representatives from FDIC, OTS, and OCC each described a similar pre-examination planning process. The agencies are using information compiled before the examination to identify likely problem areas on which to focus their attention. They also use the pre-examination responses to reduce the amount of time spent in the bank.

An examiner will look first to previous examination reports to determine what problems, if any, had been identified in previous exams. An early step in the new exam will be to evaluate what has been done to resolve those problems.

Next, the examiner will look at changes in the bank that could increase compliance risk. One risk indicator will be whether the bank has introduced any new products since the last exam.

The examiners will also look at whether there have been changes in senior management that could have an impact on how the bank is run and the effort put into the compliance program.

Finally, they will review consumer complaints as an indicator of possible problems in the bank. Certain regulations and transactions are always on the high risk list. These include: private mortgage insurance disclosures, construction loans - particularly how inspection fees are treated, HMDA Loan Application Registers, and substantive discrimination problems under ECOA. Thus, Regulations Z, C, and B are always on the priority list.

Richard Pazereckas, FDIC's Regional Director, DCA, New York, observed that part-time compliance managers may be a source of risk. While he stressed that many part-time compliance managers juggle their responsibilities effectively, the examiners watch for situations where the part-time manager does not or is not able to give adequate attention to compliance. He stressed that training - including training for the compliance manager - is the key to success.

Rick Freer, OCC's Director for Compliance Operations, advised the audience not to rely on the compliance examination as a substitute for internal audit and controls. When the examiner finds it, it's too late. Freer explained that in small banks ($250 million or less) the examiners will review recent transactions for compliance accuracy. If they find problems, they will expand the scope of review. However, in small banks, they are not supposed to be looking at the bank's policies and procedures. He warned that the small bank procedures do not look at every aspect of every regulation and it is therefore dangerous to rely on the report as a complete assessment of the bank's compliance performance.

In large banks, the examiner will review the bank's compliance program - the bank's compliance management system - and closely review the bank's policies and procedures. Based on that review, the examiner will decide what regulations to include in the exam. The examiner will always look closely at compliance with flood hazard insurance, Bank Secrecy Act, fair lending, and CRA.

Freer identified three aspects of the risk based examination that apply to compliance: Compliance risk - the general level of compliance and the impact of non-compliance; Reputation risk - how the community sees the bank and the risk of negative publicity; and Transaction risk - the risk that employees will not do the right thing when doing their jobs.

Tim Burniston, Director of Compliance Policy at OTS, stressed that institutions are responsible for managing compliance. The dilemma of the regulator is that the examiner should not be responsible for finding all violations but neither should they walk out the door without identifying violations. This dilemma does not relieve the institution of its own compliance responsibility.

Burniston stressed the need for compliance to be ingrained into everyone's job responsibilities. OTS examiners will look at how well put together the bank's compliance program is. The standard priority regulations in an OTS exam are fair lending, BSA, CRA, and truth in lending.

OTS examiners will also look at the knowledge level in the institution to evaluate whether employees know what they need to know for compliance. Finally, they will look at past practices identified in exams, new products, and recent changes in laws and regulations, for example the recent changes in flood hazard insurance and RESPA.

Burniston observed that flood hazard insurance and RESPA are two areas that OTS examiners are sure to look at - and frequently find problems.

The OTS examination report includes an evaluation of the institution's compliance management program. In evaluating the compliance program, examiners would look at training for the compliance officer, the reporting relationship to the board, the authority of the compliance officer, the effectiveness of reviews, the knowledge of the compliance officer, and training for bank employees.

The regulators had different responses to the question of the part-time compliance manager. Freer explained that if the OCC finds no significant compliance problems, the number of hats worn by the compliance officer would not be a concern. Burniston, while agreeing with Freer, was less optimistic that a compliance manager wearing numerous hats could manage compliance effectively. He prefers to see compliance responsibilities shared by several persons in the bank and described a lone compliance officer as "the ant at the picnic."

The management approach to compliance examinations reduces the importance of file review and de-emphasizes sampling issues. With the exception of fair lending examinations, which follow strict sampling procedures specific to that exam, many examiners now use judgmental sampling in compliance examinations.

ACTION STEPS

  • Keep a running list of new products. Note when the product was developed and first introduced.
  • Audit each new product for compliance within several months of its introduction - and certainly before your next compliance examination. You may want to consider sharing your audit results with the examiner (especially if good) to facilitate the examination.
  • Check what the regulators check. Always include finance charge calculations, HMDA reporting, BSA, and fair lending in your compliance audits.
  • Stay up to date. Get training for yourself. Your regulator advises it!
  • Never stop training.

Copyright © 1997 Compliance Action. Originally appeared in Compliance Action, Vol. 2, No. 4, 3/97

First published on 03/01/1997
