by: Stephen King, JD, AMLP

Transcription

1 Community Bank Audit Group Compliance Management Structure / Compliance Risk Assessment June 2, 2014 by: Stephen King, JD, AMLP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2010 Wolf & Company, P.C.

2 Compliance Management Structure OVERVIEW Elements of Compliance Risk Compliance Management Structure Examiner Expectations 2

3 Compliance Risks Compliance Risks include: Agency Actions Restitution Civil Money Penalties Enforcement Actions Civil Liability (RESPA, Fair Housing, Credit Protection) Reputation 3

4 Compliance Risks Increased Lending Scrutiny HMDA errors Flood Insurance coverage TILA / RESPA violations Servicing / Collections / Foreclosures UDAAP Violations Advertising Overdrafts BSA Violations 4

5 Compliance Management Structure I. Board and Management Oversight II. Compliance Program III. Compliance Audit Program 5

6 I. Board Responsibility Board Responsibility includes: Oversight of Compliance Program Leadership Participation 6

7 Board Oversight Adopt clear policy statements regarding the institution s compliance expectations; Appoint a Compliance Officer/Compliance Committee with authority, responsibility and accountability so as to be able to implement and enforce the Compliance Program throughout the institution; Allocate appropriate resources to effectuate compliance functions in both daily practices as well as monitoring and testing roles; 7

8 Board Oversight Approve policies that establish compliance procedures in all areas of the institution, reviewing such policies periodically for changes in both practice and regulatory requirements; Provide for periodic independent compliance audits and testing to ascertain institution s compliance performance; Create a reporting structure to allow the Compliance Officer/Compliance Committee access to communicate compliance concerns; 8

9 Board Oversight Review Examination reports and compliance audits including discussion of recommendations and adoption of corrective measures; and All Board members should regularly attend and actively participate in meetings. 9

10 Board Leadership Leadership on compliance by the Board and senior management sets the tone in an institution. The Board and senior management should regularly discuss compliance topics during their meetings. The Board must clearly communicate the compliance culture of the institution for all employees to respect and follow. 10

11 Board Participation Board and senior management must be active in leadership role. Board members must attend meetings and actively engage. The Board must clearly communicate the compliance culture of the institution for all employees to respect and follow. 11

12 Examination Expectations Compliance examinations start with a top-down, process-oriented, comprehensive review and analysis of an institution's compliance management system including: The Board s and Management s compliance knowledge level and attitude; and The Board s and Management's responsiveness to emerging issues and past or self-identified compliance deficiencies. The Board is responsible for ensuring that the daily operations of the institution are being run by qualified management. 12

13 Examination Expectations Examinations go beyond the mere transactional violation to determine: Has the Board and senior management worked to foster a positive climate for compliance? Has management responded appropriately to deficiencies noted and suggestions made at previous examinations and audits to implement corrective action? How do all levels of the institution keep informed of regulatory changes and developments to ensure continued compliance? 13

14 II. Compliance Program Policies and Procedures, Training, Consumer Complaint Response, Regulatory Change Management, and Monitoring. 14

15 Compliance Policies Formal policies and written procedures for each significant compliance area Policies and Procedures reflect actual processes and controls Policies and Procedures account for applicable state law as well as federal law Appropriate oversight of Policies 15

16 Compliance Training Formal compliance training program on required areas. Formal training tracking program to determine. Timely compliance training on new regulatory areas Education of an institution's Board, management, and staff commensurate with compliance responsibilities and job functions 16

17 Consumer Complaint Management Formal written Consumer Complaint Management policies and procedures detailing processes for addressing and resolving consumer complaints Education of staff commensurate with compliance responsibilities and job functions Evaluation and analysis of complaints for UDAAP and Fair Lending implications. Compliance Monitoring reviews at the transaction level during the normal, daily activities of employees in every operating unit of the institution. 17

18 Regulatory Change Management Formal process for identifying, implementing and testing regulatory changes Continued participation throughout institution Training prior to implementation Pre-Testing and Post-Implementation Monitoring 18

19 Compliance Monitoring Risk-based testing supplemental to Audit Program to focus on higher risk processes and controls Less Independence than audit, but more independence than control Documentation and Reporting 19

20 Examination Expectations Are the policies/procedures customized for the institution's specific products/services? Is the training comprehensive and revised to reflect changes / developments? Is the Consumer Complaint Program properly identifying and evaluating issues? Has Regulatory Change Mgmt flowed through all aspects of Institution? Is Monitoring Program scope substantiated by risk assessment? 20

21 III. Compliance Audit The Compliance Audit program is an independent review of an institution's compliance with consumer protection laws and regulations and adherence to internal policies and procedures. The Compliance audit is a comprehensive evaluation of the institution s activities to identify compliance risk conditions. Written compliance audit findings should be reported directly to the Board or a designated Board committee. 21

22 Examination Expectations Whether the Board reviews and approves all policies and subsequent changes Whether the institution s Compliance Audit Program is adequate based on: Audit independence Scope & frequency Auditor s expertise Institution's monitoring program Complexity of products offered Size of the institution 22

23 23

24 Compliance Risk Assessment OVERVIEW Objectives Scope Components Analysis Utilization within Audit and Monitoring Plans Maintenance Supplemental Assessments 24

25 Objectives The current regulatory compliance environment for financial institutions continues to be in flux. New and changed requirements as a result of Dodd- Frank and other laws come out at a furious pace and old requirements such as the Bank Secrecy Act and Flood continue to face heavy scrutiny. Many financial institutions are having great difficulty in allocating their resources (time, budget, staffing) properly as a result. 25

26 Objectives Performing a compliance risk assessment: Helps prioritize areas of focus within the compliance program Identifies where strong internal controls are warranted Permits appropriate dedication of resources to areas that need them most Assists in the development of the audit plan and compliance monitoring program Meets regulator expectations 26

27 Scope The compliance risk assessment should include within its scope all federal compliance laws and regulations that apply to the institution, as well as state laws and regulations, if applicable. A separate assessment of the risks and controls for each law and regulation is most beneficial. The compliance risk assessment should reflect overall risks for the industry, but more importantly should also reflect the institution s own unique risks as it pertains to the applicable regulations. 27

28 Scope The compliance risk assessment should include ALL operations of the institution. Each department should be involved in the assessment process for regulations impacting the department. Senior management and the Board should review the results of the assessment. 28

29 Components I. Quantity of Inherent Risk II. Quality of Mitigating Controls III. Residual Risk 29

30 Components The Quantity of Inherent Risk rating identifies the level of risk based on the likelihood of a loss or occurrence and the level of impact. Inherent risk should be determined under the assumption that there are no internal controls in place to mitigate the risk. The Quantity of Inherent Risk rating can be High, Moderate or Low. 30

31 Inherent Risk Rating Determination Level of Impact Low High Moderate High High Low Moderate High Low Low Moderate Low High Likelihood of Loss or Occurrence 31

32 Inherent Risk Rating Factors Factors that should be taken into consideration when determining the inherent risk include: Past issues/violations Violations or recommendations regarding the regulation cited in the most recent examination or audit, as well as any litigation that has occurred or complaints received Management/Institutional changes Changes that have occurred in the institution, relating to areas such as management, staffing, policies, vendors or other critical areas 32

33 Inherent Risk Rating Factors Factors that should be taken into consideration when determining the inherent risk include: Capacity The volume of transactions impacted by the regulation, as well as the volume of employees/departments at the institution that are impacted Complexity The degree of difficulty for understanding and complying with the regulation Outsourcing The degree to which the institution outsources compliance for the regulation to a third party outside of its control 33

34 Inherent Risk Rating Factors Factors that should be taken into consideration when determining the inherent risk include: Exposure/Penalties Whether the institution can be penalized for violations and the severity of the penalties Regulatory Environment The degree to which examiners and auditors are showing scrutiny towards the regulation Regulatory Changes Recent changes that have taken place with respect to the regulation (such as new or changed requirements or new interpretations) 34

35 Quality of Mitigating Controls Rating The existence of a strong control environment may be able to reduce the risk posed to the institution. The Quality of Mitigating Controls rating identifies the controls that have been implemented by the institution and the quality of those controls. The Quality of Mitigating Controls rating can be Weak, Adequate or Strong. Strong controls are most critical for areas where there is High inherent risk. For areas where the risk is Low, strong controls are not as critical. 35

36 Quality of Mitigating Controls Rating Factors that should be taken into consideration when determining the quality of mitigating controls include: Policies and Procedures Written policies and written procedures that have been implemented that document the institution s policies, and assist staff in understanding how to perform their tasks and comply Monitoring & Auditing Proactive independent testing performed by the institution (or a third party) that determines whether the institution is complying with the requirements and its internal policies 36

37 Quality of Mitigating Controls Rating Factors that should be taken into consideration when determining the quality of mitigating controls include: Training Steps taken to educate employees so they are aware of the regulatory requirements and how to comply with such requirements Board and Management Oversight The level to which the Board and management is involved with implementing compliance practices with respect to the regulation 37

38 Residual Risk Rating The Residual Risk Rating is the end result of the assessment on each regulation and incorporates both the Quantity of Inherent Risk rating and the Quality of Mitigating Controls rating. The Inherent Risk rating is the principal driver of this score, but strong mitigating controls can result in a Residual Risk rating that is less than the Inherent Risk rating. 38

39 Residual Risk Rating High The volume and complexity of activities related to the regulation expose the institution to significant risks such as litigation, penalties, enforcement actions and damage to reputation. There may be evidence that internal controls are ineffective and may impact operations. Moderate The volume and complexity of activities related to the regulation expose the institution to a degree of risk. There is possible risk of litigation, penalties, enforcement actions and damage to reputation, but they are either not severe, or are mitigated by the presence of strong mitigating controls. Low The volume and complexity of activities related to the regulation is low. There is possible risk of litigation, penalties, enforcement actions or damage to reputation, but it is slight, or are significantly mitigated by the presence of strong mitigating controls. 39

40 Residual Risk Rating Determination Quality of Mitigating Controls Weak Low Moderate High Adequate Low Moderate High Strong Low Low Moderate Low Moderate High Quantity of Inherent Risk 40

41 Analysis Quantity of Inherent Risks Analyzing the risk assessment categories by defining individual requirements will assist in detailing the risk associated with each area, as well as permit the usage of this information for monitoring purposes. Usage of commentary or supporting explanations will be key for discussing why certain answers or ratings were used. 41

42 Analysis Example EFT Inherent Risks 42

43 Analysis Quality of Mitigating Controls Usage of commentary or supporting explanations continues to be extremely important when documenting controls. Audits will ultimately test the effectiveness of the controls relied upon; major issues will warrant a lowering of the control ratings. 43

44 Analysis Example EFT Controls 44

45 Analysis Once the Inherent Risk and the Quality of Mitigating Controls rating has been determined for each category, determine the overall Quantity of Inherent Risk and Quality of Mitigating Controls ratings. Risk weight certain areas as necessary to reflect which areas are more critical than others. These overall ratings should then be combined to determine the Residual Risk rating. 45

46 Analysis Example - Residual Risk Regulation Inherent Risk Quality of Mitigating Controls Residual Risk Bank Secrecy Act High Adequate High Truth-in-Savings Act Moderate Adequate Moderate Right to Financial Privacy Act Low Weak Low Truth-in-Lending Act High Weak High Home Mortgage Disclosure Act High Strong Moderate Electronic Fund Transfers Act Moderate Strong Low 46

47 Results The results of the compliance risk assessment should undergo a final review from the Compliance Officer/Department, as well as senior management of the institution. Things to look out for as part of a review include: Proper understanding of assessment methodology Sufficient documentation of ratings and conclusions Consistent approach throughout entire assessment Assessment of controls in place is accurate 47

48 Results The compliance risk assessment should be presented to the Board for final approval and acceptance of the results. The results should be available throughout the institution when necessary. 48

49 Utilization Audits and Monitoring Any auditing and monitoring performed by or on behalf of the institution should be based on the risk posed. The institution should utilize the inherent risk rating from the assessment to determine the audit schedule for each regulation and monitoring schedule for each requirement. A sample schedule follows: Inherent Risk Rating High Moderate Low Audit Frequency 6 12 months months months 49

50 Utilization - Compliance Audit Plan Regulation Rating Last Audit Next Audit Bank Secrecy Act High January 2011 January 2012 Truth-in-Savings Act Moderate October 2010 April 2012 Right to Financial Privacy Act Low September 2011 September 2013 Truth-in-Lending Act High August 2011 August 2012 Home Mortgage Moderate June 2011 December 2012 Disclosure Act Electronic Fund Transfers Act Low May 2010 May

51 Utilization - Compliance Monitoring Plan Requirement Rating Monitoring Frequency Disclosures Low Annually Periodic Statements Low Annually Receipts Low Annually Pre-Authorized Transfers Low + Semi-Annually Stop Payments Moderate Quarterly Error Resolution High Monthly Overdrafts High - Bi-Monthly 51

52 Maintenance The institution should take steps to ensure that its compliance risk assessment is always up to date. Instances that may warrant updates include: Significant changes to laws and regulations Significant changes in the nature of the institution (acquisitions, major new products or services) Completion of a regulatory examination or major compliance audits At the very least, the institution should review and update its risk assessment annually. 52

53 Supplemental Assessments In addition to an overall compliance program risk assessment, there are some specific regulations or areas to consider implementing supplemental risk assessments. These are areas where there are typically regulatory requirements, examiner expectations or other concerns. 53

54 Supplemental Assessments I. Bank Secrecy Act ( BSA )/Anti-Money Laundering ( AML )/OFAC II. Identity Theft Red Flags III. Fair Lending IV. Unfair, Deceptive and Abusive Acts and Practices ( UDAAP ) 54

55 BSA/AML/OFAC The FFIEC BSA Examination Manual requires a Bank Secrecy Act/Anti-Money Laundering/OFAC risk assessment covering the institution s: Products and Services Customers and Entities Geographic Locations There is no official format for such an assessment and institutions can develop such assessments as they see fit as long as the above areas are covered. 55

56 BSA/AML/OFAC One possible approach: 1. List out all of the institution s products/services, customers/entities and geographic locations. 2. Identify the risks (ex. volume, nature of customers, etc ) and the controls in place for each item identified. 3. Based on the risks and controls described, assign a risk rating to each product/service, customer/entity and geographic location. 56

57 BSA/AML/OFAC BSA/AML/OFAC Risk Assessment highlights and best practices: This risk assessment should be amended on at least an annual basis, or as major changes occur such as: o New products and services o Mergers or acquisitions o Significant examination or audit findings The Risk Assessment should reference data as necessary to support its conclusions; back up for these figures should be maintained in some form (ex. data on volume, number of high risk customers, etc ) 57

58 BSA/AML/OFAC BSA/AML/OFAC Risk Assessment highlights and best practices: The risk assessment should contain an overall rating for the BSA/AML and OFAC programs. Overall ratings for products/services, customers/entities and geography is also a good practice. The Risk Assessment should be presented to the Board for approval. Areas where the institution accepts the risk of not having certain controls in place should be included in the risk assessment so as to receive approval of accepting such risk from the Board. 58

59 BSA/AML/OFAC Examples of areas where the institution may be accepting risk includes dollar thresholds for performing OFAC verification and logging cash activity (ex. currency exchanges or ATM deposits). The risk assessment should include appropriate documentation supporting the risk-based reasoning behind any dollar thresholds utilizes. Institutions should maintain back up documentation supporting their conclusions. 59

60 Sample BSA/AML/OFAC Assessment Section 60

61 Identity Theft Red Flags The Identity Theft Red Flag regulation requires institutions to establish a risk assessment of their covered accounts. The risk assessment must: Identify the covered accounts that apply to the institution; Identify the account opening and account access methods for these accounts; and Identify the institution s previous history with identity theft. 61

62 Identity Theft Red Flags One possible approach: 1. List out all of the account products offered by the institution. 2. List out any possible account opening method and access method that the institution permits for each specific account, then (involving business lines as applicable) ensure that the opening and access methods are accurate for each account. 3. List out previous identity theft history, either for each specific account, or in general for the institution if such incidents are rare. 62

63 Identity Theft Red Flags The Identity Theft Red Flag Risk Assessment highlights and best practices: Ensure that business lines are involved in the creation and upkeep of this document, since they will best know account opening & access methods as well as identity theft that occurs. The regulation does not require the institution to risk rate covered accounts; including ratings is optional. Likewise, identifying all red flags that apply to the covered accounts is not required, although it is a good practice. 63

64 Sample ID Theft Red Flags Assessment Account Opening Methods Account Access Methods Covered Account: Consumer Checking Account In Person Mail Online In Person Checks ATM & Debit Cards ACH & Preauthorized Transfers Online Banking Telephone Banking Remote Deposit Capture Wire Transfer Previous Identity Theft Experience Fraudulent check cashing Unauthorized electronic funds transfers Stolen cards Fraudulent account opening Unauthorized address changes Employee fraud by an employee adding their name as an authorized user on the account. 64

65 Sample ID Theft Red Flags Assessment Red Flag Identity Theft Red Flag Procedure Procedure Applies 1. Alerts, Notifications or Warnings from a Consumer Reporting Agency A fraud or active duty alert is included with a consumer report. 2. Suspicious Documents Documents provided for identification appear to have been altered or forged. 3. Suspicious Personal Identifying Information Personal identifying information provided is inconsistent when compared against external information sources used by the organization. Yes Yes Yes Covered Account: Consumer Checking Account Preventative/Mitigating Control Description Credit Reports are reviewed for all new applications. This is documented in the ID Theft Red Flags Program. CIP Policy requires the Organization to verify identity, and compare identification to the actual person and/or existing customer profile. CIP Policy requires the Organization to verify identity, and compare identification to the actual person and/or existing customer profile. The Policy also requires the Organization to verify the accuracy of other information provided. Response if the Red Flag Event Occurs Contact the customer to verify information Determine whether a new acct should be opened or an existing acct suspended. Determine whether a SAR should be filed. If deciding to proceed with the application, obtain additional verification and run additional checks to verify the identity of the applicant. Determine whether a new acct should be opened or an existing account suspended. Determine whether a SAR should be filed. If deciding to proceed with the application, obtain additional verification and run additional checks to verify the identity of the applicant. 4. Unusual Use of, or Suspicious Activity Related Shortly following the notice of a change of address for a covered account, the organization receives a request for a new, additional, or replacement card, Yes or for the addition of authorized users on the account. ID Theft Red Flags Program documents controls over changing customer details. Management reviews file maintenance change reports daily and ties back to supporting documentation. Contact the customer to verify the current information on file. Review activity on any other accounts. 5. Notice from Customers, Victims of ID Theft, Law Enforcement Authorities, or Other s Regarding Possible ID Theft in Connection With a Covered Account Held by the Organization The organization is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent Yes account for a person engaged in identity theft. 6. Other Red Flags Electronic messages are returned to mail servers of the Organization that it did not originally send, indicating that its customers/members may have been asked to provide information to a fraudulent Yes webiste that looks very similar, if not identical, to the Organization's website. Organization's existing Policies and procedures document controls over customer and information verification. Review original documentation and account history. Freeze the account and contact the customer. Determine whether a SAR should be filed. The Organization's Privacy Policy is sent to all customers/members annually, and includes a reminder that the organization will not ask for Contact customers and review account history for personal information via the website. The Organization's IT any suspicious activity. Determine whether a SAR Department employs a web monitoring service to scan for fake should be filed. websites. 65

66 UDAAP With the heightened scrutiny in the industry regarding Unfair, Deceptive and Abusive Acts and Practices ( UDAAP ), performing an assessment will assist the institution in avoiding and addressing UDAAP concerns. UDAAP requirements are vague and subject to interpretation, and as such there is no one specific UDAAP risk assessment format that it is required to be in. An approach similar to that done for Fair Lending, but more global in nature may be helpful. 66

67 UDAAP Risks and controls to consider include: Nature of products and services Product development Marketing & Advertising Initial & Subsequent Disclosures Availability of Credit Servicing & Collections Conduct of Employees & Third Parties Consumer Complaint History Supervisory/Examination History 67

68 UDAAP Risks and controls to consider include: Board and Management Involvement Authority and Accountability Compliance Program and Oversight Policies and Procedures Training Monitoring & Audits 68

69 UDAAP UDAAP Risk Assessment highlights and best practices: UDAAP risks may best be approached from a product/service standpoint. Both business line personnel and compliance personnel should be involved in assessing the product. Take into account both the inherent risk of the product and the quality of controls that are in place. Ensure periodic updates take place as nature of products or regulatory environment changes 69

70 Sample UDAAP Risk Assessment PRODUCT: Rewards Checking Accounts Risk Category Risk Rating Risk Category Risk Rating 1. Nature of Product High 9. Supervisor & Examination Moderate History 2. Product Development High 10. Board & Management Moderate Involvement 3. Marketing & Advertising High 11. Authority & Low Accountability for Compliance 4. Initial & Subsequent Disclosures High 12. Compliance Program & Oversight Moderate 5. Availability of Credit N/A 13. Policies & Procedures Low 6. Servicing & Collections N/A 14. Training Low 7. Employees & Third Parties Moderate 15. Consumer Complaint Low Management 8. Consumer Complaints Moderate Overall Risk Rating MODERATE Next Steps: Use the risk ratings as a basis to evaluate additional controls for high risk areas, and for monitoring adherence to regulations and internal policies and procedures. 70

71 Final Thoughts Expect the best. Prepare for the worst. Capitalize on what comes. - Zig Ziglar Big pay and little responsibility are circumstances seldom found together. - Napoleon Hill When you come to a fork in the road, take it. Yogi Berra 71

72 Thank You Stephen R. King, JD, AMLP Director, Regulatory Compliance Services