The financial safety of U.S. consumers is protected by a broad array of laws that govern the provision of banking services and products. These laws typically have one or more purposes: (1) to protect consumers from harm or abuse; (2) to provide consumers with information that helps them understand a banking transaction; and (3) to ensure fair access to the credit markets for all consumers. In addition to its fundamental mission of contributing to public confidence in the financial system, one of the FDIC's primary goals is to ensure that state nonmember banks comply with consumer protection laws and regulations. The agency does this through the compliance examination process as well as through the processing of consumer complaints.
During the past decade, the FDIC's approach to compliance examinations has evolved. Its original approach was relatively simple and was based almost exclusively on reviewing actual banking transactions for adherence to regulatory and statutory requirements. This approach worked well when consumer laws and regulations were few in number. However, as banks expanded product and service offerings and Congress continued to pass or revise consumer protection laws, the resource demands of implementing an extremely detailed, transaction-oriented approach grew considerably. It became harder to complete examination schedules and write meaningful examination reports. The FDIC recognized that it was impossible, and in many cases unnecessary, to rely so heavily on transaction analysis to evaluate a bank's compliance posture.
An Evolutionary Process
In 1996, the FDIC reengineered and streamlined its compliance examination procedures and incorporated the important step of risk-scoping. Under the risk-focused approach to examinations, the extent of transaction testing depends on assessing a bank's risk of noncompliance in a particular area. Compliance examiners were instructed to focus on regulatory areas that posed the greatest risk to the bank and the greatest potential harm to consumers.
In July 2003, the Corporation built on that progress by initiating top-down, risk-focused compliance examinations. Although the 1996 reengineering effort introduced needed adjustments, additional changes in the marketplace needed to be addressed. In response, the FDIC combined the risk-based examination process with an in-depth evaluation of a bank's compliance management system.
A bank's "system" is the confluence of directorate and management oversight, internal controls, and compliance audits. The examination approach assesses how well a bank identifies emerging risks, remains current on changes to laws and regulations, ensures that employees understand compliance responsibilities, incorporates compliance into business operations, reviews operations to ensure compliance, and takes effective corrective action to address violations of law or regulation and weaknesses in the compliance program. Based on an assessment of the quality of the compliance management system, compliance examiners use transaction testing to pinpoint regulatory areas for further evaluation. The intensity and extent of transaction testing depend on a bank's risk profile.
For example, consider a bank that has a solid history of compliance with the flood insurance regulations, administers a well-constructed training program, conducts periodic reviews to ascertain flood insurance compliance, reports any exceptions to the board of directors, and addresses them promptly and thoroughly. In such a bank, the intensity and extent of transaction testing can certainly be tempered: the examiner can weigh these positive indicators and reduce the intensity of any transaction review deemed necessary to confirm that the bank's system is working properly. In fact, depending on the strength of the bank's overall corporate compliance program, the breadth of the bank's own testing, and the degree of reliance the examiner can place on the results, the examiner has the discretion to forgo transaction testing for this subject area. Under the old approach, the examiner likely would have delved into the bank's files without considering these positive indicators.
New Realities, New Challenges
What prompted the FDIC to modify its compliance examination program in 2003? A careful look at the marketplace showed that much had happened in the financial and regulatory communities since 1996, as indicated by the following developments:
- The number and complexity of federal consumer protection laws had significantly increased. Congress had enacted new laws pertaining to privacy, fair credit reporting, identity theft, and securities sales, to name a few.
- Attention to corporate governance compelled banks to review and strengthen internal controls, policies, and practices.
- Agency examination resources were taxed every time a new law was enacted, as were bank resources.
- The industry raised concerns about regulatory burden that prompted regulators to review their practices and consider alternative ways to fulfill examination mandates.
Such factors prompted the FDIC to ask a number of questions about its approach to compliance examinations:
- Was the compliance examination program positioned to absorb and adapt to these and future industry and legislative changes?
- How could we break the cycle of incrementally adding more examination resources every time a new law was passed or an old one was substantially revised?
- Did our examination reports include information that could help bank management design and implement more effective compliance programs?
- Could we modify our internal processes to reduce the resource demands associated with on-site examinations?
- Had we provided our compliance examiners with clear expectations about our examination process?
Upon consideration of these questions, the FDIC concluded that additional regulatory responsibilities were certainly adding to the length of our examinations, placing stress on our examiners and the industry. Our examination reports could add more value if we explained the significance of violations in the context of a bank's operational weaknesses.
In addition, the FDIC had long impressed on bank boards of directors and senior management that they are ultimately responsible for compliance, and that they need to include compliance as a core risk management function. Examination experience told us that the industry was listening, and larger banks in particular were migrating toward a top-down risk management orientation. However, our examination process appeared to be a step behind.
Finally, looking to the presence or absence of violations as the chief determinant of a bank's compliance performance presented an incomplete picture of its overall compliance risk management structure. For example, evaluating a bank's overall compliance posture on violations alone ignores whether new products can be successfully implemented from a compliance standpoint, whether the bank is positioned to absorb future regulatory changes, or whether a staff training program is sufficient to facilitate ongoing compliance.
The business case for change was clearly there. A strategy emerged that was based on three components—reorienting the process, changing on-site examination workflow, and revamping examination reports.
Reorienting the process toward a top-down, risk-focused approach to examinations that focuses on a bank's compliance management system was a natural first step. This approach places emphasis on the directorate's and senior management's administration of the bank, which includes identifying, monitoring, and managing risk and ensuring that the bank complies with consumer protection, fair lending, and community reinvestment laws and regulations.
Although the details of a particular bank's system will vary depending on its history and business plan, effective compliance management systems share common characteristics. Senior management sets the tone by supporting compliance and providing resources that will ensure a strong system. The compliance officer has sufficient knowledge and authority and keeps current on regulatory changes, and the compliance officer reviews new products before roll-out to avoid potential problems. The bank has in place, and follows, policies and procedures appropriate to its product lines. Staff is trained commensurate with its responsibilities, and internal monitoring identifies and remedies problems before they multiply. Consumer complaints are treated as an early warning system for potential problems, and the bank's audit program helps management understand the causes of problems so future occurrences can be prevented.
Small banks without a wide variety of products may not have a single dedicated compliance officer or an independent audit function. However, they will have sufficient resources devoted to compliance to enable staff to understand and carry out its responsibilities. Small banks also will have a functioning internal monitoring system.
Changing examination workflow fosters efficiencies and new ways of thinking about how compliance fits into a bank's overall corporate risk management plan. Starting each compliance examination by looking for violations of federal consumer laws and regulations and then drawing conclusions about how a bank manages its compliance responsibilities did little to address operational weaknesses or prevent future violations. Under the new approach, examiners first establish a compliance risk profile that reflects the quality of the bank's compliance management system. Succeeding examination staff will use the risk profile as part of the process of establishing the scope of the examination. This approach can increase efficiency by focusing the examiner's attention on substantive changes to the bank's operations and compliance infrastructure since the previous examination and enabling examiners to direct finite examination staff resources toward areas that present the greatest risks.
Revamping the compliance report of examination to specifically relate violations to what they mean in the context of the bank's compliance management system helps foster meaningful corrective actions. Writing the report in a way that helps management understand where its system works well and where it needs to tighten controls and procedures puts violations in context.
The revised examination report format places comments and conclusions about board and management oversight, the compliance program, and the internal review program on the first page, along with recommendations for corrective action. Separate subsections for each compliance management system element include summary statements that characterize each element as strong, adequate, or weak. Moreover, the examiner discusses the positive and negative aspects of each element to support the summary, and the recommendations are tied to these comments.
Expected Outcomes of the Top-Down, Risk-Focused Approach
The FDIC's intent is that the new approach will result in a smoother, more efficient examination process as compliance risk profiles are established for each supervised bank. In addition, rather than simply enumerating a list of violations, examination reports will become more meaningful as they will address the quality of the bank's compliance management system and make recommendations for correcting weaknesses.
Any time saved through this new approach will permit examiners to concentrate on the problems of banks with weak compliance management systems and those that require more than a normal level of supervisory attention. Of critical importance, this approach will help move compliance from the back room to the boardroom by establishing a tone and climate that support the incorporation of compliance risk management into the way employees do business, all the way down the line.
Effective compliance program management at a bank starts at the top—with the board of directors and senior management, who are responsible for the bank's management and control. The top-down, risk-focused approach to compliance examinations complements the importance of directorate and senior management accountability for a bank's compliance risk management system. In addition, the new approach helps to ensure that the FDIC's compliance examination program continues to be effective in a dynamic environment. As the industry paradigm has shifted to enterprise-wide compliance risk management, so has the FDIC's approach to supervision.
John M. Jackwood
Senior Policy Analyst