Communication: The Oft Forgotten Component of Bank Compliance

Banks spend enormous sums of money each year to meet their federal and state regulatory compliance requirements. They hire professionals with the requisite experience to tackle things like their Bank Secrecy Act and Information Security programs; they invest significant budget dollars in today’s sophisticated compliance software tools; and they spend countless hours developing policies, processes, and procedures to stay compliant.

But despite all that time, money, and effort, the one thing that often gets overlooked when it comes to bank compliance is communicating about it often and to everyone in the organization.

A Steady Stream of Communication

Several years ago, the Financial Crimes Enforcement Network (FinCEN) issued an Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance. Although that 2014 publication was geared toward BSA programs, its logic still applies to a bank’s enterprise-wide approach to compliance. What FinCEN said then still holds today: “The culture of an organization is critical to its compliance.”

Building a culture of compliance requires a steady stream of communication.

Upstream Communication

Ever since the 2008 financial crisis, federal banking regulators have emphasized that bank boards are ultimately responsible for all business operations, including compliance. Often, board members come from a variety of industries. Even those with a background in financial services often do not have particular compliance expertise.

That’s why they rely on those within the Compliance or Risk Management Office who have the requisite expertise to keep them abreast of changes to laws and regulatory guidance, and of internal or external environmental changes that could affect the bank’s ability to comply with existing or changing regulations.

Cross-stream Communication

The Compliance Office is interdependent with almost every other area of the bank, including individual business units, corporate communications, e-commerce, finance, information technology, legal, marketing, product development, operations, risk management, and even third-party service providers. An institution’s ability to comply effectively with its regulatory requirements demands an open and healthy back-and-forth line of communication between the Compliance Office and these other areas.

For instance, if marketing is working with product development to roll out a new product and its corresponding marketing collateral, the Compliance Office should be in the loop. Conversely, if a new regulation is going into effect, such as the General Data Protection Regulation did in May, then it is incumbent upon the Compliance Office to provide timely details and periodic updates to the managers of all directly and indirectly impacted functions.

Downstream Communication

The everyday task of complying with many banking regulations falls on the shoulders of employees in either customer-facing or operations roles. They cannot be expected to do a good job at such compliance if they do not have the support and information they need.

Support comes in the form of senior management demonstrating its dedication to a culture of compliance in every word and action. Employees only buy in when they believe senior management is on board and leading the way.

Information should come from the Compliance Office on a timely and routine basis, so that employees understand their responsibilities under specific regulations, why complying with them matters to the overall health of the institution and its customers, and where to go for help if they don’t understand either.

Don’t Let a Failure to Communicate Undermine Your Compliance Efforts

Sophisticated technology has certainly helped streamline bank compliance efforts, but it shouldn’t be considered a replacement for good, old-fashioned communication. Thanks to that same technology, such communication can now be delivered in any number of ways to the people who need it, so that it is at their fingertips at all times.

And by good, old-fashioned communication, I mean exactly what your sixth grade English teacher taught you. Explain the who, what, where, when, and why of the situation as concisely and yet comprehensively as possible.

The by-product of such communication is proof to bank examiners of your commitment to building a culture of compliance.

 

The OCC’s Risk Outlook

This week the Office of the Comptroller of the Currency (OCC) published its Semiannual Risk Perspective, which gives bank compliance officers and risk managers an important glimpse into the federal banking agency’s current outlook on risk.

Here is a brief summary of the report.

The Basics of the OCC’s Semiannual Risk Perspective

Every six months, the OCC’s National Risk Committee (NRC) issues the agency’s Semiannual Risk Perspective. According to the introduction to the Perspective, the NRC is made up of senior OCC supervisory and policy officials who meet quarterly.

The NRC is responsible for monitoring “the condition of the federal banking system and identifying key risks,” as well as monitoring emerging threats.

This Spring 2018 Semiannual Risk Perspective was published on May 24, 2018, and is based on data as of March 31, 2018, except where otherwise noted.

Overall Report Card

The Perspective’s Executive Summary provides an overall status of the banking system:

  • Condition of Federal Banking System: Strong
  • Comparison of System’s Condition: 2017 and 2018 show improvement over 2016
  • Economic Environment: Supports loan growth and profitability
  • Asset Quality: Sound
  • Capital and Liquidity: Near historical highs
  • Earnings: Improving
  • Overall Risk Management Practices: Incrementally improving

On Operational Risk

The OCC reports that “Operational Risk is elevated as banks adapt business models, transform technology and operating processes, and respond to evolving cyber threats.”

Specific drivers of elevated operational risk include the following:

  • Ever increasing threat of cyber attacks
  • Growing bank reliance on third-party vendors to perform critical functions
  • Concentration of third-party risk due to the “consolidation among large technology service providers”
  • Evolving business and operating models that include new delivery channels, products, and services

On Compliance Risk

The OCC warns that Compliance Risk “remains elevated,” with particular concern in the following areas:

  • Bank Secrecy Act (BSA) Compliance Challenges: The combination of the “dynamic nature” of money laundering along with “evolving delivery channels” makes complying with the BSA difficult. The OCC warns banks that are “engaging in such offerings” to refine and update their BSA compliance programs to ensure they are adequately mitigating the associated risks.
  • BSA and Anti-Money Laundering (AML) Compliance Risk Management Systems: The OCC notes that such BSA/AML risk management systems “often do not keep pace with evolving risks, resource constraints, changes in business models, and regulatory changes.”
  • OFAC Sanctions: The OCC questions whether bank OFAC compliance programs are keeping pace with the increasing number and complexity of sanctions programs.
  • Overall Regulatory Complexity: The number of amended regulations and/or highly complex requirements continue to present challenges for banks.
  • Specific Complexity of TRID: The OCC acknowledges that banks continue to struggle to incorporate the TILA-RESPA Integrated Disclosure (TRID) forms.

On Interest Rate Risk

The OCC states that, “There is uncertainty in how bank deposits will react to increasing interest rates. Banks may experience unexpected adverse shifts in liability mix or increasing costs that may adversely affect earnings or increase liquidity risk.”

Read the OCC’s complete Semiannual Risk Perspective for Spring 2018 for an even more in-depth analysis of the current state of banking in the United States.

 

Wells Fargo Consent Orders Are Must-Reads for Bank Risk Management

It has been 10 days since news broke that the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) filed consent orders against Wells Fargo, resulting in a combined $1 billion civil money penalty (CMP). Many headlines about this story focused on the bank’s mortgage and auto lending practices. In reality, there is a more informative story here, especially for anyone involved in bank risk management or compliance.

Of course the 16-page OCC Consent Order for Civil Money Penalty, the 35-page OCC Cease and Desist Order, and the 35-page CFPB Consent Order are not as thrilling to read as a New York Times bestseller, but they are telling. And reading through the orders provides more details than the news blips about them, details that bank risk management and compliance officers can find useful in strengthening their own risk management and compliance practices.

5 Telling Facts in Consent Orders Against Wells Fargo

  1. The Financial Hit Goes Beyond $1 Billion: Most TV and print outlets announced that Wells Fargo was fined $1 billion by the two regulatory agencies. That is true in that the bank’s net CMP was $1 billion. It is worth noting, however, that the OCC fined the bank $500 million and the CFPB fined it $1 billion, for a total of $1.5 billion in CMPs, although the CFPB agreed to credit the $500 million collected by the OCC toward its own penalty. In addition, the orders call on the bank to develop remediation plans for customers it is alleged to have harmed, which will lead to additional costs for the bank.
  2. The OCC Focus Is on Risk Management: While news stories ran with the mortgage and auto lending practice allegations, likely because that was the message in the CFPB order, the OCC focuses first and foremost on risk management before addressing the other two issues. The order’s opening paragraph states that, “The OCC has identified deficiencies in the Bank’s enterprise-wide compliance risk management program that constituted reckless unsafe or unsound practices and resulted in violations of the unfair acts or practices provision of Section 5 of the Federal Trade Commission Act…”
  3. The Alleged Risk Management Deficiencies Extend in Time and Scope: The OCC claims that, “Since at least 2011, the Bank has failed to implement and maintain a compliance risk management program commensurate with the Bank’s size, complexity and risk profile.” The alleged deficiencies also touched almost every aspect of the program, including its execution, the expertise of the personnel involved, its assessment and testing, the reporting to the Board, and its overall implementation.
  4. UDAP and UDAAP Used by OCC and CFPB: As discussed before in this blog, the prohibitions on unfair, deceptive or abusive acts or practices (UDAAP) and on unfair or deceptive acts or practices (UDAP) are often handy provisions for regulatory agencies to cite because of their broad scope. In addition to the OCC’s unfairness claim outlined in point #2, the CFPB alleges unfair acts and practices in violation of the Consumer Financial Protection Act (CFPA) in regard to Wells Fargo’s mortgage and auto lending practices. On the former, the CFPB claims that the bank “unfairly failed to follow the mortgage-interest-rate-lock process it explained to some prospective borrowers.” On the latter, it claims the bank “operated its Force-Placed Insurance program in an unfair manner.”
  5. Vendor Management Comes into Play: Both the OCC and the CFPB orders indicate that the auto lending practices in question involved the bank’s vendor, reinforcing the fact that banks are ultimately responsible for the functions being performed by their vendors.

The moral of this story for banks and credit unions of all sizes: make sure that 1) your risk management practices are appropriate for your risk profile; 2) nothing you or your vendors are doing in word or deed can be deemed unfair, deceptive or abusive; and 3) you are routinely monitoring your vendors to ensure that they are fully and effectively complying with all the rules and regulations that apply to your institution and to them.

 

SEC Issues Interpretive Guidance on Cybersecurity Disclosures

By Mary Crotty, freelance writer for banks and third-party service providers

Despite our best efforts, cyber attacks continue to plague U.S. businesses, including those in the financial services industry. Even large and globally sophisticated entities fall prey, as witnessed by the Equifax breach last summer. Just as advancements in science often require new ethical standards, the latest developments in and incidents of cybercrime often result in new or updated regulatory guidance.

Although the Interpretive Guidance on cybersecurity posted in the Federal Register yesterday by the Securities and Exchange Commission (SEC) does not mention the Equifax breach, its focus on disclosure requirements and director/officer/insider ethics suggests that last summer’s extensive and embarrassing incident at one of the three major credit reporting agencies may have influenced the content and timing of this guidance.

Setting the Stage

In explaining its reason for issuing the February 26, 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures, the SEC notes that, “In a digitally connected world, cybersecurity presents ongoing risks and threats to our capital markets and to companies operating in all industries, including public companies regulated by the Commission.”

It goes on to note that, “Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.” While this reliance on data and technology spurs growth and opportunity, it also exposes organizations to the risk of harm to or theft of both. The preventive and mitigation efforts used to fight cybercrime exact a heavy cost.

Therefore, “Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber attack.”

Expansion of 2011 Guidance

This latest guidance expands upon the original SEC guidance on cybersecurity disclosures issued in October 2011. The guidance, published and effective as of February 26, 2018, discusses two topics not specifically covered in that 2011 guidance:

  1. Disclosure Policies and Procedures: “This release stresses the importance of maintaining comprehensive policies and procedures related to cybersecurity risks and incidents. Companies are required to establish and maintain appropriate and effective disclosure controls and procedures that enable them to make accurate and timely disclosures of material events, including those related to cybersecurity. Such robust disclosure controls and procedures assist companies in satisfying their disclosure obligations under the federal securities law.”
  2. Director/Officer/Insider Ethics: “We also remind companies and their directors, officers, and other corporate insiders of the applicable insider trading prohibitions under the general antifraud provisions of the federal securities laws and also of their obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents.”

More from the SEC Cybersecurity Disclosure Guidance

In addition, the guidance indicates the following:

  • The SEC understands that not all information may be initially available or that an investigation may still be in process, “However, an ongoing internal or external investigation–which often can be lengthy–would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
  • Companies bound by this guidance are required to correct previous disclosures as needed due to additional or different information coming to light.
  • There is a list of factors that can help a company evaluate its cybersecurity risk for disclosure purposes, including, but not limited to, the severity and frequency of past cyber incidents, the probability and potential magnitude of future occurrences, and the adequacy of preventive measures.
  • The financial impact of cybersecurity incidents and defense measures must be “incorporated into financial statements on a timely basis.”

Cybersecurity Should Be a Priority for All Businesses

Public companies regulated by the SEC are not the only ones at material risk from cybercrime. In today’s world, all companies are at risk, including community banks, credit unions, regional banks, and national and multinational financial institutions. The cost of defending against cybercrime may be high, but the cost of not doing so is potentially much higher.

OCC Warns Banks Against Complacency

By Mary Crotty, Freelance Writer for Banks and Third-Party Service Providers

Twice a year the Office of the Comptroller of the Currency (OCC) releases a summary of current and emerging risk trends for the banking system. The OCC’s latest “Semiannual Risk Perspective for Fall 2017” (Perspective) was published on January 18, and is based on financial data compiled and analyzed through June 30, 2017.

While noting a strong economy and continued improvement in overall bank performance, the Perspective does sound some warning bells. “The current operating environment presents strategic risk for many banks in increasingly diverse ways. Thus, this report emphasizes the need for vigilance by bank management at this point in the economic cycle.”

OCC-Noted Risk Areas

  • Credit Policy and Practices: The OCC warns that banks are slowly loosening their commercial credit underwriting practices due to increased competition. It also notes an increased concentration in Commercial Real Estate (CRE), a trend that could hurt the entire financial system if not monitored and checked.
  • Cybersecurity Programs: Cyber criminals continue to evolve their methods and tools faster than bank cybersecurity programs can keep up.
  • Vendor Management Programs: Banks’ increasing reliance on third-party service providers, especially for critical functions, continues to concern the OCC.
  • Bank Secrecy Act (BSA) Compliance: Just like cybercrime, money laundering continues to evolve into an ever more complex crime that creates significant problems for banks. The OCC warns that banks are struggling to comply with the BSA, even before the related Customer Due Diligence (CDD) Final Rule goes into effect on May 11, 2018.
  • Consumer Protection Compliance: According to the Perspective, consumer compliance risk management continues to be an issue for banks “due to the increasing complexity in consumer compliance regulations.”
  • Current Expected Credit Loss (CECL) Model: The OCC also warns that the “current expected credit losses standard for which implementation begins in 2020 may pose operational and strategic risk to some banks when measuring and assessing the collectability of financial assets.”

Avoid Complacency

The Perspective reads like a road map for determining what areas will receive the most attention during upcoming regulatory examinations. There are two things your bank can do right now to improve its performance on such examinations:

  1. Review the following policies and make sure processes and procedures reflect any updates: Credit Policy, Cybersecurity Policy, Vendor Management Policy, Bank Secrecy Act Policy, UDAAP Policy and other consumer protection policies.
  2. Reiterate your bank’s policy stances by communicating them to your employees.