Quote: "the Compliance Department will be responsible for compliance monitoring and testing"

So, please help us out. testing is pretty clear....so what is included in monitoring?

Ask the author of the sentence. It will mean a half a dozen things to a half a dozen different individuals. I would say the word "testing" is in the same boat. They are nebulous concepts at best.

I would state that they are pretty much the same thing. I have a monitoring program whereby we pull files/transactions and verify that they were done correctly under each regulation. It is important to have a report with followup of all monitoring you do. It is very similiar to "audit" however if the compliance department does it -it doesn't need to be called auditing since that is supposed to be an independent function. We also review policies/procedures for that area when reviewing.

This smells like someone was just named "Compliance Department".

I'n my world, monitoring means that the compliance department sends a periodic statement to various areas asking them to attest that procedures are being followed. These attestations are held for when the regulators come knocking. Testing means the compliance department asks for a list of X transactions in a certain time frame, then picks a sample of these items, and verifies that each one was handled per procedures.

Who is asking this question that makes it so urgent - regulators? internal audit? the compliance officer? senior management?

I think it is nebulous. The problem is that a number of us are all putting our spin on what it means for the Compliance Department. We are starting a program in house for this. Some of us think the Compliance Department should test every facet of every reg during a 12 month period. Some say the department should cherry pick - focusing on the high risk regs/transactions and using the risk assessment as part of the reasons for the choices. Some say the examiners will want to see the "every facet of every reg approach"; others say no, depends on the risk associated with the reg/history, etc. and, on this basis, we will not be criticized that we did not test/monitor everything. We looked for some recent articles/etc on compliance's role in testing and monitoring. I couldn't find anything that addresses this area. Anyone have a link to one you thought worked, please provide it. thanks.

Sounds like your institution may want to consider bringing in a consultant to assist in setting up your program, or an experience Compliance Officer to build your program for you. Seems as if there are too many people are involved with too many differing opinions, that may or may not be best suited to lead your instiution where it needs to go in the compliance area.

Have you evaluated internal controls that are testing compliance, such as reviews of new loans booked or new deposit accounts opened with exceptions issued for errors identified, including regulatory errors? Same for monitoring of things like Reg D transaction limits, NOW account ownership, etc.

Compliance can periodically test to see that controls are working properly.

All "monitoring" does not have to be (and really should not be) by compliance but is part of the bank's overall compliance program.

possibly a frank discussion with your regulator around what they are looking for will save the "he said, she said" conversations and point you on your way.

Someone needs to look at every reg every year - either Audit or Compliance - so sayeth my regulator. Ours (FDIC) were fine with Compliance no doing so as long as the internal audit was comprehensive.

The answer to this question, IMHO, depends on the size-complexity of your organization and the resources available.

If you are a one man/woman compliance shop, looking at "every facet of every regulation", every year, is bit unreasonable. You need to make a list of your applicable regulations and then develop a scoring matrix (inherent/residual risk) to determine the audit frequency. The higher the score, the more frequent the audit and vice versa.

I don't believe that a regulator is going to expect you to cover EVERY item and each facet every year.

Do you really need to audit Management Interlocks every year in it's entirety?

In the world of manufacturing, "monitoring" means quality control or quality assurance. It is paid for and performed by the production units as part of their overall process. They own it, run it, foot the bill, dovetail it with important production goals, and report their results up the food chain.

This same model works in banking too, but significant regulatory responsibilities must be assigned outside the "compliance department." Otherwise, this central office unit with a small staff and smaller budget becomes the dumping ground for anything that looks or smells like a regulation. There should be no surprise when this specialized resource can't keep up with multiple production schedules. (I'm reminded of Lucille Ball & Vivian Vance in the classic Candy Factory skit.)

There are various choke points in the business of gathering deposits, handling payments, and making loans. These are natural points to erect controls that piggyback on the duties already performed by production and servicing staff. For example, the same employee that reviews the accuracy and completeness of new loan packages is the best person to monitor compliance with every regulation that applies to that loan. Automated controls are even better. The maximum involvement and participation by the "compliance department" staff should be to receive and review the QC schedules and results generated by the business units and their support staff.

Asking regulators' preferences for regulatory control, review, testing, monitoring, auditing, or whatever you want to call it is like asking FDIC if you should add more capital. In their minds, redundancy, unnecessary costs, and ineffectiveness are strictly your problem...until the higher and higher cost of satisfying government demands eats up capital. Then...you guessed it--more capital! Their only legitimate expectation is that your company complies with the law. How you get there should be up to you. If they've lead you to believe otherwise, it's time for higher level discussion of the relationship.

Thanks for your responses, everyone. We are getting a better understanding. We are using a consulting firm. Testing used to be done by audit as part of their responsibility. We want to start testing/monitoring processes that Compliance will be responsible for.

I am seeing one trend. Business units are doing QCs or self-tests. This is pushed up to the Compliance area for review and then, in turn, the Compliance tests a sample of the work reviewed and judged OK. This is our very general understanding of that concept. Seems to work from a resources point of view. The Compliance officer and staff simply cannot test everything.

As long as QC results are reliable, summary reports cross your desk, and the testers know that you are accessible when questions arise, your bank gets the most bang for its bucks.