By William J. Showalter, CRCM; senior consultant, Young & Associates

The financial industry recognizes compliance as a high-risk function. Failure to manage it effectively can result in high costs to an institution, as witnessed by many supervisory enforcement actions and fair lending settlements over the years.

Compliance management is an important element of an institution’s overall risk management efforts. It makes sense for line managers—those whose operations generate either compliance or noncompliance—to “own” compliance, just as they do all other elements of the institution’s overall risk. To make compliance management work effectively and efficiently, senior management must give line personnel the tools to succeed at compliance and hold them responsible for their results.

When senior management establishes accountability and all staff believe in it, and when the institution measures compliance performance in a meaningful way, the institution can achieve positive compliance results.

As with other aspects of compliance management, identifying and categorizing levels and types of compliance risks are critical to both efficient operations and effective outcomes in any system of enforcing accountability.

Noncompliance as risk

In recent years, the federal agencies have made a fundamental shift in the way they examine financial institutions for compliance within their overall examination process over a decade ago – to handling it with a risk-based methodology. Examiners design programs to focus attention on areas within financial institutions that may pose the most significant risks, including compliance.

The agencies work to promote a sound risk-management process at each regulated financial institution, one centered on the evaluation and management of risks. The agencies try to help financial institutions implement compliance programs that focus on anticipating, evaluating, managing, and communicating about key compliance risks.

“Compliance risk” means the risk to earnings or capital that arises when institutions violate or fail to conform with laws, rules, regulations, prescribed practices, or ethical standards.

The agencies’ examination procedures provide that compliance risk can damage an institution through any or all of the following consequences:

• Regulatory or judicial fines and penalties
• Payments of damages to aggrieved parties
• Voiding of contracts
• Diminished reputation
• Reduced franchise value (due to monetary and reputation losses or penalties)
• Diminished business opportunities
• Lessened expansion potential (e.g., when fair lending or Community Reinvestment Act problems delay or disallow corporate changes, mergers, or acquisitions)

The supervisory agencies recognize that an important element in avoiding these risks and their resultant costs is an effective accountability system, where institution staff feel they own their pieces of the overall program.

Establishing accountability

A solid design must form the foundation of an effective accountability system. The system needs a few key elements to succeed: management commitment, appropriate training and communication for all staff, regular and independent performance testing, and consistent enforcement of responsibility.

• Management commitment. Solid support from both the board of directors and senior management is vital to the success of any compliance (or other) management function. It should also be seen as in their best interests since the risks and penalties for noncompliance are tremendous, and the board and management are the ones ultimately responsible for the compliance (and other) performance of the institution. Management and the board need to understand the true importance of compliance – it is not a job to be relegated to one person, or a small group, and ignored by everyone else. “Everyone else” includes the ones who drive the institution’s compliance performance, and they must be given the tools to succeed at it and be held accountable for their results.
• Training and communication. Training is the foundation for effective compliance, and effective accountability, since employees cannot be expected to comply with the plethora of laws and regulations that impact banking today if they have not been given appropriate instruction as to what is required of them. In structuring a compliance training program, the first step is a needs assessment – types of products and services offered, current level of staff knowledge, problems identified in audits and examinations, and so forth. The goal of the compliance training is to provide line officers and other staff with the information they need to produce positive compliance results in their particular area or job. It is not to be an exercise in information overload. Therefore, the person in charge of training (whether classroom, online, etc.) needs to scope out the proper laws and regulations to be covered, how to tie these rules in to the institution’s functions, what media and tools to use, and so forth. Communication of compliance information on a regular basis is an important complement to the “regular” training. It helps keep staff aware of changes in the compliance rules and expectations, as well as keeping compliance issues on their “radar screens.”
• Testing. A good compliance internal review program – both periodic audits and ongoing monitoring – can serve several goals. These include giving an early warning of problems, providing a defense against litigation, and meeting regulatory expectations, in addition to furnishing measurements of department/area or individual performance.
• Enforcement. Without consistent enforcement of accountability for compliance performance, all the other elements are pretty much for naught. If individual line managers and other personnel are “let off the hook” for poor compliance performance because, for example, of high loan production volume, then the system likely will fail.

Making it work

Human nature being what it is, there need to be incentives for good compliance performance and, perhaps more importantly, disincentives for poor results. If management does not hold all staff to the same standards, then any calls for strong results and performance will ring hollow. Employees who the institution continues to hold to proper standards will begin to resist, since management expects them to meet measures that others do not. Such a “program” is unfair and cannot succeed.

Institutions should factor compliance performance elements into job descriptions, performance evaluations, and incentive pay. It needs to be clear that line managers are ultimately responsible and accountable for compliance performance in their areas, and that compliance is an explicit part of everyone’s job.

If there are line managers who cannot or will not take responsibility for their own or their area’s compliance performance and, therefore, expose the institution to risk, the institution should send them packing and replace them with managers who are positive about compliance issues and willing to take on this important obligation.

Otherwise, the institution has to pay for expensive, redundant processes to check the work of that person(s) or area and fix their errors. Running such a “fix-it” shop is not the efficient route to take in managing compliance. When management establishes and enforces accountability, it can achieve the lowest-cost compliance — compliance embedded in normal operations rather than added on after the fact — with everyone working to get it right the first time.

Management can use an accountability matrix as a tool to run an accountability system. Institutions can customize the matrix to fit their specific situation, structure, and needs. The matrix helps management ensure that someone or some area takes responsibility for each compliance rule or issue that affects its lines of business. It should spell out the rules or issues, who is responsible for them, which areas they impact, and so forth.

Conclusion

Accountability for compliance performance – good or bad – is essential for an institution’s success in effectively managing its compliance function. Properly structured and enforced, a strong accountability program helps ensure cost-effective positive compliance results.