Charting a Compliance Course Through an Uncertain Dodd-Frank Landscape

Since it has assets of roughly $1.2 billion, Cashmere Valley Bank in Washington State would appear to be $8.8 billion shy of the threshold for compliance with the Dodd-Frank law. But nothing's easy with Dodd-Frank, and the bank assumes it will have to follow the law, although most of the underlying rules have thus far been written in sand.

Cashmere Valley is turning to outsourcing to help make sense of the complicated legislation that after two years is still developing as provisions get delayed, clarified or rewritten. For banks with assets of less than $10 billion, it's not even clear which parts of the law apply.

For Sue Ozburn, Cashmere's chief information officer, the compliance burden is already heavy for an IT staff of about 11 people. The bank has turned to a managed compliance service including a roster of tools, content and new rules tracking. The services, provided by the ATTUS Technologies unit of Computer Services (CSVI), include self-assessment tools to review current compliance plans and updates on new rules, including topics such as mortgage regulatory updates, underwriting standards and vendor management. The compliance service will also be part of a yearly IT risk assessment, with bullet points detailing what the bank needs to work on in the coming year, along with an overall risk rating of information security. "That helps us get a quick update on the program to the board of directors," Ozburn says.

A number of community banks are turning to outside providers to help with Dodd-Frank compliance, giving ATTUS plenty of company in the space. For example, the $334 million-asset Bank of Marion in Illinois has outsourced compliance work to Continuity Controls. Since a standard set of compliance tools or tech has yet to emerge to deal with Dodd-Frank, many of these deals center on regulatory change management, to help the banks deal with the fluid rulemaking process.

"The legislation brings about many provisions that community banks have to evaluate to determine where they apply. I don't think Dodd-Frank was intended to apply to every bank, it was more aimed at the larger banks. But we believe the examiners will enforce the law on community banks," Ozburn says.

A number of Dodd-Frank provisions are expected to have an impact on community banks. According to Davenport Evans, a law firm in Sioux Falls, S.D., these provisions include revised mortgage lending requirements under the Truth in Lending Act, expanded disclosure of credit information to consumers, requirements tied to collection of data on small-business loans, and expanded examination authority for non-bank subsidiaries such as mortgage affiliates.

Ozburn says a particular concern is vendor management. The bank will use the ATTUS service to classify vendors in a tiered system of risk based on exposure of customer data to that vendor, as well as to ensure that the controls at that vendor for protecting the bank and its customers are in line with Dodd-Frank rules on third-party suppliers.

The bank is automating the vendor risk process via a digital form from ATTUS that's designed to classify a supplier's risk based on the bank's answers to questions about that vendor.

Cox says this vendor management process, if done manually, would involve the assessment of hundreds of third-party suppliers.

"It's not just IT vendors. When you take a complete download of our accounts payable system, it's hundreds of vendors. Some have no risk at all, but there are vendors that have access to customer data," she says.

The outsourcing comes at the same time as the bank attempts to shore up its continuity strategy.

"The IT department has a lot on its plate … you cannot manage the compliance issues coming at us by hand, [ATTUS] has their hands on this all of the time," Ozburn says.
