For Bank Chief Risk Officers, No Room for Error in Compliance

By definition, risk-taking means a bank will suffer defeats, whether it's a hit to the securities book when the market tanks, or a mortgage souring when the customer loses a job.

But for chief risk officers, "win some, lose some" isn't good enough anymore when managing regulatory risk.

Limiting the damage may equal success in managing other risk categories, such as credit. But a 100% success rate is now viewed by many as the only way to victory in compliance. Even if an error does not indicate a bank-wide compliance problem, banks don't want to deal with the regulatory headaches such slip-ups could create in today's charged environment: big fines, embarrassing headlines, costly administrative hassles.

"Compliance is not the same thing as running a credit score on a new loan or a stress test on a derivatives book. This is different," said former Federal Reserve Board Gov. Susan Bies, who previously held senior titles, including chief risk officer, at First Tennessee and now sits on Bank of America's board. "There isn't a range of outcomes; the outcome has to be 'no error.'"

While unforeseen threats like a cyberattack or massive fraud may pose the most direct catastrophic risk to an institution today, many CROs spend enormous amounts of time on the more tangible concern of compliance risk. Some CROs say the emphasis on regulatory matters can even detract from attention paid to other risk-related matters.

The amount of time spent on regulatory implementation "can happen to the detriment of actual risk management," said P.W. "Bill" Parker, the chief risk officer at U.S. Bancorp.

"What garners the most attention is keeping up with the changing regulatory requirements and expectations. … It's extensive change," Parker said. "A large part of the job is a regulatory interaction function and in some cases a project management function — just making sure that all of the new regulatory requirements get implemented."

Regulators: CROs' Biggest Fans

Indeed, regulatory compliance and risk management are now joined at the hip, especially at bigger banks.

Not only have regulators promoted the ideas of having a CRO and developing good risk management cultures, but many institutions — recognizing the slim room for error — have assigned their risk department to oversee the general compliance workload rather than leave it to the legal department.

"There are mistakes that could be made [in compliance] that could flow into reputational risk for the company," said Edward Schreiber, the CRO at the $57 billion-asset Zions Bancorp., who after coming on board in 2013 established a direct reporting line between the firm's compliance function and his department.

Some CROs can even thank the regulators for their jobs. Plenty of institutions had CROs before the crisis, but it is now required for companies above $50 billion in assets.

The Office of the Comptroller of the Currency's risk management framework for large banks — known as "heightened standards" — requires the appointment of a "chief risk executive" one level below a CEO to lead the bank's risk management unit, although a bank under certain conditions can have multiple "CREs." The CRO is also the only senior executive position required by the Fed's prudential supervisory standards for big banks under the Dodd-Frank Act.

But some say reliance on CROs may still have taken off at larger banks even without the bank regulators' mandate in order to handle the flood of rules and enforcement regimes — including the Consumer Financial Protection Bureau — emanating from the crisis and Dodd-Frank.

Deloitte's recent risk management survey, which polled 71 large financial institutions around the world across banking and nonbanking sectors, found adoption of the CRO position at 92% of the firms, up from 89% in 2012 and 65% in 2002. When asked what risk category would rise in importance over the next two years, regulatory and compliance risk was the area most often ranked among the top three.

"The bank does not have a CRO because regulators require it. It is fundamentally a good business decision and was made completely independent of Dodd-Frank or anything else," said Helga Houston, the CRO at the $68 billion-asset Huntington Bancshares.

Even without the requirement, Huntington would have a CRO in this environment. "It's really more about the incremental impact of the increased provisions under Dodd-Frank, and from the CFPB too, in balancing and making sure that we're meeting those requirements, many of which make us a lot better," Houston said.

Since the CRO is often supervising the bank's regulatory program, he or she is often a primary contact for the regulatory agencies.

"There's probably not a week that doesn't go by that I'm not having some type of discussion with the regulators," said Schreiber, of Zions, who was formerly the CRO at TD Bank. (Zions owns eight banks, including state and federal charters.) "There's no substitute for good and consistent communications, whether you're delivering good news or bad news, with your regulator."

CROs say it is not just the direct consequences of a regulatory mistake — such as a fine or supervisory sanction — but the potential for a mistake to affect other risk areas that poses concern.

"If you are not executing transactions cleanly and transparently, it creates compliance risk, which creates legal risk, which creates reputation risk," said C. Matthew Lusco, the chief risk officer at the $121 billion-asset Regions Financial.

Trickle-Down Effect

The intense focus on compliance risk is not limited to the big banks.

Nancy Foster, the chief risk officer at the $2.4 billion-asset Park Sterling Corp. in Charlotte, N.C., said that like so many other things in the industry, the Fed and OCC's mandate for large banks to have a CRO has effectively trickled down to make the CRO's role increasingly common at smaller companies too.

"It's really [the regulators'] influence that pushed the chief risk officer role," said Foster, who chairs the Risk Management Association and was formerly the chief risk officer at CIT. "It was externally influenced more than it was internally influenced."

The potential for compliance mistakes — and the consequences of such errors — stretches across multiple size categories, she added.

"Compliance risk is big for all banks right now," Foster said. "There's basically been a zero tolerance for error with the regulators and nothing is ever perfect. Never. That keeps you up at night. One minor error can stop you in your tracks if the regulators decide to make an issue out of something."

Confronting the tough compliance landscape, institutions may be tempted to curtail relationships that increase their regulatory risk. But such "derisking" is also discouraged by regulators, who frown upon the wholesale dropping of client accounts in certain industries or geographies in order to ease regulatory burden.

Regulators are "encouraging much more of a risk-based approach, either customer-by-customer or product-by-product, and making a determination about whether or not the business can be managed in an effective way in accordance with regulatory requirements," said John Caruso, a principal in KPMG's Forensic Advisory Services practice.

But, he added, CROs face a tough balancing act trying to manage regulatory risk while not stepping over the line into a derisking strategy that draws regulatory concerns.

While the regulators' stance is "understandable, one has to put themselves in the shoes of the chief risk officer," Caruso said. "The regulatory risk is significant. … Just in the exam context, the regulators can inflict great challenge on a bank merely by making findings that require extensive remediation that can be time-consuming, costly and resource-draining."

To align a bank's compliance program with its overall risk management efforts, a growing number of institutions are positioning the chief compliance officer on a direct reporting line to the CRO.

Because of the regulatory risk, boards "still need the chief compliance officer reporting directly up to either the audit committee of the board or a different committee. ... But as banks start to establish more of a risk management committee of the board, the question is: Could we wrap that chief compliance officer underneath the CRO, so that the CRO has oversight of all risks?" said Ryan Rasske, senior vice president for risk and compliance at the American Bankers Association. "A handful of institutions have already adopted that model."

But such structural changes in reporting are still relatively recent, raising questions about whether they will become the norm in the industry, he said.

"We don't have enough history yet to determine whether that's the right model to follow or not," Rasske said.

Just Complying Isn't Enough

At the big banks, the magnitude of compliance risk stems not just from the number of rules, but from the large potential for error resulting from so many people in large organizations working in business lines that are all governed by the new set of federal requirements. This is compounded by regulators' focus not just on whether institutions are complying with rules and regulation, but how they are complying.

"What we want to see is good compliance, not mere compliance," Fed Gov. Daniel Tarullo said at a conference last year about bank culture hosted by the central bank.

"As in financial risk management, the perceived importance of what appear to be similar compliance efforts can vary greatly across firms," Tarullo said. "Are compliance programs put in place by risk managers or general counsels understood as a kind of background noise that should not drown out the voices urging employees to 'make their numbers,' or are they seen as reflecting the views and priorities of senior management?"

Some CROs view themselves as needing to foster a cultural ethos in their organization that leads to prudent behavior.

"One of my primary roles is being an advocate for culture," said Lusco, of Regions.

But others said the cultural tone at the institution needs to be set by the CEO.

"The lead for that should be the CEO and the board and then it cascades down from there," said Parker. Schreiber agreed that "the better support that comes" from the CEO and the board, "the easier it is for the culture to be established and maintained."

Bies said overseeing a compliance program has become about managing "softer kinds of risk." It's harder to predict what regulators will focus on in an examination or investigation than, say, how bond prices will move in a given year or how many homeowners will refinance their mortgages.

Compliance requirements create "huge risk that banks have to manage today in the new environment that we're in. It's people-driven and about finding metrics, and there is zero tolerance," she said. "This is pushing the envelope in figuring out what a CRO does. The modeling that you could do around it isn't the traditional volatility models or loss models that you would have had in credit and asset-liability risk management."

Parker said one of his objectives at U.S. Bancorp is integrating compliance specialists into business line groups to serve as a "risk management partner, rather than just sending matters to compliance for approval."

"Compliance people should be risk managers," he said. "Many of the issues that are dealt with are not simply black and white. It's not a matter of checking the box for the lowest common denominator."

Yet Parker said he hopes for a calmer future when regulation drives less of the discussion around risk management.

"There's probably no nirvana of a stable environment, but I look forward to a period where things have matured more and we're spending time to really dig in and fine-tune risk management practices and not be focused on whether or not it complies with some particular regulatory provision," he said.

Alan Kline contributed to this article.
