Professional Documents
Culture Documents
Compliance Risk
Compliance Risk
Kelsey
and Michael Matossian, CPA, CMA, CRP
R
ISK MANAGEMENT IS A PREREQUISITE FOR DIRECTING VIRTUALLY ALL ASPECTS OF COMPLIANCE.
Compliance officers conduct risk assessments, prepare risk profiles, implement risk-
based procedures, perform risk-based monitoring, and manage risk-based regulatory
examinations. Is there an equation a compliance officer can use to understand exactly what
these risks are? Perhaps something like the number of branches, plus asset size, multiplied
by percentage of loans secured by property in a flood zone, divided by the number of cus-
tomers located in Financial Action Task Force (FATF) countries equals the amount of training
to be recommended to the board of directors?
ing controls must be developed and implemented as needed after identified risks have been compre-
hensively assessed, potential impact to the bank has been evaluated, and the effectiveness of existing
controls has been determined. In developing and implementing regulatory compliance programs,
financial institutions are wise to utilize a risk-based versus rule-based approach, focusing compliance
resources on minimizing the greatest risks to ensure that the risk taken is the risk intended.
Included in an effective compliance risk management damage, regulatory sanctions, and, in severe cases, loss of
program are a governance structure appropriate for the franchise or rejected mergers and acquisitions.
bank’s activities that demonstrates a management com- Effective management of compliance
mitment to sound compliance risk management practices;
compliance resources reasonable for the business activities risk can also possess the following positive
performed; policies and procedures that are maintained business benefits:
to ensure consistent application of laws; and compliance ■ A strong compliance program speaks to
training, reporting, and communication processes. These
elements, along with others supported by senior leadership, organizational integrity, a building block of
compliance officers, business lines, and corporate partners ethical corporate culture.
serve to identify key compliance risks and develop and ■ An ethical corporate culture helps build
implement controls to mitigate them.
At the outset, it is important to address two common a strong reputation with customers, share-
misconceptions about compliance risk management. First, holders, employees, and communities.
short of deciding to go out of business, no bank will ever
eliminate compliance risk. Second, there is no such thing as Consequences of Noncompliance
“taking the risk” and intentionally disregarding regulatory Financial loss—whether in the form of civil damages in
requirements. Compliance with regulations is expected, and a class action lawsuit for truth-in-lending finance charge
while not all regulations are zero-tolerance, intentional or errors, fines for missing OFAC-prohibited wire transfers,
willful disregard of any regulations, even if the ramifica- costs associated with privacy violations, or the expense
tions of violations seem insignificant, can result in extensive incurred due to refilling inaccurate Home Mortgage Dis-
detrimental consequences. closure Act (HMDA) data, just to mention a few—warrants
With these two general misconceptions covered, the first mention in defining compliance risk. In many banks,
following aims to define compliance risks, discuss identifica- consumer-lending compliance may incur the greatest costs
tion of risks within a bank, and offer some specific sugges- due to complicated truth-in-lending regulations, where
tions on how a bank can assess its specific risks. reimbursements to customers are likely should something
go wrong. Anti-money laundering (AML) compliance is
Defining Compliance Risk another area where financial implications are obvious, with
While there may be slight variances depending upon on a several multimillion-dollar fines recently assessed for defi-
bank’s circumstances, consider the following as a possible cient programs. In addition to lawsuits and fines, financial
overall definition of compliance risk: ramifications in compliance matters include associated costs
The adverse consequences that can arise from systemic, such as the implementation of new systems, hiring consul-
unforeseen, or isolated violations of applicable laws and reg- tants and lawyers, and printing correct disclosures.
ulations, internal standards and policies, and expectations Of course, the risk does not end with the potential costs
of key stakeholders including customers, employees, and the for violations and the expenses sustained in fixing them.
community, which can result in financial losses, reputation Due to the nature of the financial services business, which
relatively quickly. Compliance risks associated with major according to a scale, with the low end representing a pro-
business initiatives must therefore be part of the planning gram that needs improvement and the high end indicating
and implementation process. If a bank has a formal proj- that a strong program is in place. In completing the QSA,
ect-planning infrastructure, compliance risk identification a compliance officer may identify the program’s efficiencies
assessments should be part of the process. This can be and weaknesses as well as help assess the bank’s overall risk
included as a documented component of the business ini- exposure.
tiative, preferably identifying both the compliance risks and While there is no hard and fast formula for calculating
the management processes employed, if applicable, for any compliance and assessing risk, there are a variety of key
new or increased risks triggered by the initiative. The busi- risk indicators. In light of today’s regulatory environment
ness risk profile should also be changed if the initiative has a and increased scrutiny, it is important that we utilize a risk-
material impact on the overall compliance risk. While many based approach in managing compliance. Moreover, it is
initiatives raise the degree of risk, others—such as a major important that we elevate compliance beyond adherence
upgrade to a loan documentation system that automates a to regulation through basic functions, to be incorporated
manual APR calculation process—may reduce it. as an essential element in risk management culture. Only
The business risk profiles should roll up to a bank-level through careful evaluation and regular assessment of risks
compliance risk profile. As with business risk profiles or can we manage compliance and be assured that the risk
assessments, this can be a component of an integrated risk taken is the risk intended. BC