Your State Association Presents

Building and Maintaining an Effective Compliance Management System

Program Materials

Use this document to follow along with the webinar presentation. Please test your system before the broadcast. Be sure to print enough copies for all listeners.

Friday, July 1, 2016

Presenters: Shawn Kirshner, Michael Holley

Technical Support (for faster service please submit inquiries via email or online): Registration & Tech Support: Email [email protected], Phone (877) 988-7526. For additional assistance please refer to our FAQs.

© 2016 Crowe Horwath LLP

Building and Maintaining an Effective Compliance Management System

July 1, 2016

Shawn Kirshner, CRCM, PMP

Michael Holley, CRCM

Today’s Agenda

• Introductions

• Overview of Compliance Management Systems (“CMS”)

• Structure, Oversight, and Governance

• Policy and Procedures

• Compliance Risk Assessment

• Monitoring and Testing

• Regulatory Change Management

• Training

• Internal Audit

• Issue Management

• CMS Metrics

CMS Overview

Compliance Management System Overview

• The CMS should be clearly established as a “Second Line of Defense” function within the organization.

• When the regulatory environment shifts or changes, an effective compliance system should not merely update policies, but rather initiate project and action plans designed to assess impact at an enterprise level as well as tactically in the business lines.

• Sound change management enhances your current Compliance System and helps ensure the success of the other areas such as: risk assessment, staffing, self-monitoring, training, policy and procedure enhancements, auditing, reporting and utilization of technology.

• These impacts may result in product and service offering revisions, executive management education, developing or amending risk assessments, audit program changes, business process changes or other changes required to remain in compliance.

• Common deficiencies identified during regulatory examinations include:

  • Deficient systems of periodic monitoring;

  • Weak independent compliance audits;

  • Compliance systems maintaining first line responsibilities.

Compliance Management System Overview (Continued)

An integral part of your compliance management system

• Regulator scrutiny increases as inherent risk exposure increases, and examiners are looking to understand whether the organization has:

  • Assessed all applicable laws and regulations across all relevant business lines and product and service offerings

  • Managed these regulatory obligations in an effective manner consistent with the intent of the law

  • Ensured regulatory requirements have been accurately interpreted and effectively implemented

  • Ensured regulatory change is managed through an effective regulatory change management process

Structure, Oversight, and Governance

Structure, Oversight, and Governance

• What does your Board expect from its Compliance Management Program? If you don’t know that answer, it’s time to ask the question or ask it a different way.

• Whether the Compliance Officer reports directly to the Board or a committee thereof, there is certain information necessary to allow the Board or designated committee to understand enough to make decisions.

• According to the CFPB, “In a depository institution, the board of directors is ultimately responsible for developing and administering a compliance management system that ensures compliance with Federal consumer financial laws and regulations and addresses and prevents associated risks of harm to consumers.”

Structure, Oversight, and Governance

Board Responsibilities:

• Establish policy and program

• Promote strong values – Tone at the top

• Ensure issues are identified, addressed and resolved

• Annual assessment of program

The key to direction: good information

Sources of good information:

• Risk assessment

• Audits and internal monitoring results

• Compliance committee reports

• Exception tracking reports

• Key trends and issues

• Compliance Officer updates

• Regulatory agencies

Structure, Oversight, and Governance

Senior management responsibilities are to:

• Establish, communicate, and enforce policy

• “The duty of senior management is to ensure that the compliance policy is observed and entails responsibility for ensuring that appropriate remedial or disciplinary action is taken if breaches are identified”

Senior management should, with the assistance of the compliance function:

• Ensure that a permanent and effective compliance function is in place

• At least once a year, identify and assess the main compliance risk issues facing the company and the plans to manage them

• At least once a year, report to the board on the organization’s management of its compliance risk

• Assist the board in making informed judgments on whether the organization is managing its compliance risk effectively

• Report promptly to the board any material compliance failures

Policies and Procedures

Policy and Procedures

Compliance policies and procedures should be documented and in sufficient detail to implement the board-approved policy documents. Overall, examiners are looking to determine whether compliance policies and procedures:

• Are consistent with board-approved policies

• Address compliance with applicable Federal consumer protection laws in a manner designed to prevent violations and to detect and prevent associated risks of harm to consumers

• Cover all product and service lifecycles

• Are maintained and modified to remain current and to serve as a reference for employees in their day-to-day activities

Risk Assessment

Compliance Risk Assessment

• Compliance identifies the relevant inherent risks to the organization’s products, services, and business strategy, based upon the institution’s operating model. Executive, senior business, and compliance management need to be in alignment regarding risk appetite.

• The enterprise compliance risk assessment should define the inherent risks relevant to the institution, and then map those risks to the appropriate business lines.

• The residual risk ratings are determined by the effectiveness of the compliance controls in place that have been validated through compliance monitoring, internal audits, and/or regulatory examinations. The business should have ownership and understanding of the relevant compliance risks and controls to sufficiently mitigate the regulatory risk to an acceptable level agreed upon by senior management and compliance.

• Business line leaders should collaborate in the mapping process and help to identify the controls in place, or the lack thereof, that will drive the residual risk ratings. This may be a learning process for the business and provide a forum for compliance to begin building first line compliance control responsibilities.

Monitoring and Testing

Monitoring and Testing

Expectations:

• Monitoring is scheduled and completed and leads to timely corrective actions where appropriate

• Monitoring confirms that transactions and other consumer contacts are handled according to the entity’s policies and procedures

• Monitoring and testing consider the results of risk assessments or other guides for prioritizing reviews

• Monitoring addresses deficiencies identified in internal or external audits and the board’s or management’s directives on resolving the deficiencies

• Findings are escalated to management and to the board of directors when appropriate

• Support of business:

  • The compliance function provides advice and guidance on compliance issues to the business as a result of the monitoring

  • Compliance provides advice on controls necessary to mitigate risk

  • Compliance provides support during contemplation of third party relationships (e.g., collections, call center assistance)

  • Designation of appropriate training needs given roles and responsibilities

Monitoring and Testing

Monitoring is a critical component of the CMS and may take various forms from different areas, such as business line self-testing and monitoring, and structured monitoring and testing conducted by the compliance department.

The compliance function should monitor and test compliance by performing sufficient and representative compliance testing. The results of the compliance testing should be reported up through the compliance function reporting line in accordance with the bank’s internal risk management procedures. Coverage should include:

• Core compliance transactions (lending, deposits, privacy, etc.)

• Content of consumer disclosures, agreements and notices (prescriptive requirements & UDAAP)

• Fair Lending and Community Reinvestment Act

• Marketing material, scripts or guides for employee contact with consumers

• Bank systems (bank website, mobile pay, automated phone systems)

• Call Centers (marketing, issue resolution, sales, new accounts)

• Vendor Relationships (Do vendor management procedures consider compliance risks?)

• Social Media and complaints

• Lending trends

Monitoring and Testing

• The monitoring program should be risk-based, approved by the Board, and in line with the annual compliance objectives approved by the Board and/or other committee(s) overseeing compliance/risk management

• The plan should be based on the results of a compliance risk assessment that considers the inherent and residual risk for each area and considers all key compliance regulations applicable to the operations

• The monitoring program should be committed to writing in a set of operating procedures addressing (at a minimum):

  • Annual plan / coverage / scope and frequency

  • Sampling methodology

  • Planning and reporting

  • Working paper documentation and quality control/technical review

  • Issue follow-up and remediation testing

  • Reporting: formalized, and considers the control environment, root cause identification, prescriptive recommendations aligned with root cause, and follow-up of management action plans

Regulatory Change Management

Change Management: Capturing and Evaluating the Relevant Regulations

• Identifying relevant proposed new regulations, or changes to existing regulatory requirements, to determine the inherent risks:

  • Depending upon the regulatory agency that supervises your institution, there are numerous ways to remain connected and receive updates

  • For example, the OCC, CFPB, and FDIC publish proposed regulatory changes with sufficient time to evaluate the implications and provide feedback on interpretation

  • The compliance function or legal may review the proposed regulatory change and evaluate and affirm its relevance to your institution

• The business is highly dependent on Compliance for understanding what new or revised regulations are applicable and what actions are necessary

• Compliance should contemplate working with the business lines in determining relevant impact and establishing an impact analysis for new laws and regulations, as applicable

Change Management: Disseminating Regulatory Impacts to the Business Lines

• Once the impact analysis is reviewed and approved by compliance, the analysis should be socialized with the key stakeholders; it will be needed to help ensure the proper changes occur in a timely and efficient manner

• Depending upon the complexity of the impacts, one or more planning meetings will need to be held with the key stakeholders to discuss the regulatory change(s) and the impacts to the current state. During these meetings, the following should result:

  • The business is informed of and understands the regulatory change along with the corresponding impacts to controls, processes, systems, and products/services.

  • Business lines provide feedback and concurrence is achieved on the impacts

Change Management: Impact Analysis

• Once the regulatory change has been identified and affirmed as an inherent risk, your institution should take the next steps:

  • Perform a timely and accurate impact analysis that identifies the following:

    • What products and services may be impacted?

    • What business lines and corporate functions may be impacted?

    • What system(s) may be impacted?

    • What processes may require change?

    • What new or modified controls may be required?

    • What training may be required and at what level?

    • What policies and procedures may be impacted?

  • The impact analysis should be documented, follow a standard process that captures all of the above points, and be completed by a compliance manager/officer with sufficient experience and knowledge of the institution

Change Management: Determine Approach

• Once the impact analysis is finalized, Compliance should then socialize the impacts with the appropriate business lines to obtain their feedback and concurrence. This is a critical step to include key business line process owners to verify assumptions and gain better clarity on process- and application-level impacts.

• Once the impact analysis is vetted and agreed upon, Compliance will be well positioned to determine the proper planning, communication, and collaboration with the business to help ensure the necessary changes occur to effectively meet the regulatory requirements.

Supporting Change Management

• Once the impact analysis is fully vetted and concurrence achieved with the business by incorporating relevant feedback into the impact analysis, Compliance needs to support the change management process.

• Compliance should have a change management process established that coordinates and, if necessary, facilitates the required changes with the business.

• This should include developing or supporting the following:

  • A project plan that identifies activities, tasks, resources, deliverables, milestones, constraints, and dependencies, and that provides for an accurate and feasible implementation timeline.

  • Guidance on the design of compliance controls, monitoring, and reporting.

  • Communications to the business announcing the changes and subsequent milestones that are achieved through the implementation.

  • Guidance and recommendations to the business on proposed process changes, compliance control design, monitoring, and reporting.

Supporting Change Management

• This should include developing or supporting the following:

  • Training of appropriate personnel and management

  • Gating criteria for each phase of the implementation

  • Agreed-upon key success factors for the implementation process

  • A walkthrough and/or test of whether the proposed new or amended processes, systems, products, and/or services will meet the regulatory requirements prior to implementation.

  • Addressing gaps identified in the walkthrough or testing prior to implementation.

• Once the change management process has been completed, hold a final meeting with the business to affirm changes are in place and ready to meet the new regulatory requirements.

Supporting Change Management

• Once the change management process is completed, the following should occur:

  • Compliance should coordinate with the business to evaluate whether the implementation succeeded, based upon the agreed-upon success criteria.

  • This post-implementation review should identify lessons learned for subsequent changes and implementations.

  • Follow-up monitoring should occur after the processes, systems, and compliance controls have processed transactions and become seasoned.

Training

Training Program

Education of an entity’s board of directors, management, and staff is essential to maintaining an effective compliance program. Board members should receive sufficient information to enable them to understand the entity’s responsibilities and the commensurate resource requirements. Management and staff should receive specific, comprehensive training that reinforces and helps implement written policies and procedures. Requirements for compliance with Federal consumer financial laws, including prohibitions against unlawful discrimination and unfair, deceptive, and abusive acts and practices, should be incorporated into training for all relevant officers and employees, including audit personnel.

Examiners are looking to determine whether:

1. Compliance training is current, complete, directed to appropriate individuals based on their roles, effective, and commensurate with the size of the entity and nature and risks to consumers presented by its activities

2. Training is consistent with policies and procedures and designed to reinforce those policies and procedures

3. Compliance professionals have access to training that is necessary to administer a compliance program

Internal Audit

Independent Testing of the Effectiveness of the CMS

• An independent, risk-based audit of compliance should be conducted

  • Audit of the adequacy and effectiveness of the program

  • Compliance with policy and program

  • Risk-based testing of controls

• The compliance function and the audit function should be separate, to ensure that the activities of the compliance function are subject to independent review

  • Clear understanding and documentation within the company as to how risk assessments and testing activities are divided between audit and compliance

  • The head of audit should keep the head of compliance informed of compliance-related findings

• Effective management of outsourcing arrangements

  • Third parties conducting testing or consulting

  • Third party training (online/in person)

  • Models used for regression, data analysis

Issues Management

Issues Management

Banks should have effective tracking and monitoring processes in place to ensure that compliance issues identified through internal audit, compliance monitoring, regulatory examinations, and consumer complaints are properly remediated.

• Use of issue tracking databases or issue tracking processes

• Sufficient and complete tracking of the key areas to provide for reasonable management of compliance risk.

• Delinquent, higher risk items should be reported to senior management and the board as appropriate.

Compliance Metrics

Reporting, KPIs, and KRIs

Compliance should develop KPIs and KRIs in order to baseline the current state and have quantitative measures in place as the CMS matures.

This would include the following:

• Reduced compliance errors for impacted business lines.

• Improved efficiency in processing transactions as a result of better controls and monitoring during the process.

• KPIs enable compliance to measure the current state against the post-implementation environment to determine if the process/system changes actually achieved the desired compliance results.

• Examples: Complaint trending by product, by line of business, by individual; Lending activity in regard to pricing and underwriting overrides, timeliness of decisioning, timeliness of approval to close;

• Training. How effective has training been in improving compliance? Do we have metrics to measure training effectiveness year over year?

Questions

In accordance with applicable professional standards, some firm services may not be available to attest clients.

This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction.

© 2016 Crowe Horwath LLP, an independent member of Crowe Horwath International crowehorwath.com/disclosure

Thank you. For more information, contact:

Shawn Kirshner, CRCM, PMP

Direct 818.325.8661

[email protected]

Michael Holley, CRCM

Direct 954.492.4419

[email protected]
