A compliance checklist for CEOs? That almost sounds like an oxymoron. Traditionally, bank CEOs did not give much thought to regulatory compliance unless something went wrong. However, as the regulatory environment continues to be enforcement-focused, bank CEOs must scan not only the economic landscape, but the regulatory one as well.
As CEOs set the priorities for their bank each year, what should be the regulatory compliance priorities for 2012? The problem is that there are so many regulations, with many more to come under Dodd-Frank. Where do you start?
Based on our experience and on recent bank regulatory enforcement actions (both public and private), here is a compliance "to-do list" for 2012 for banks of all sizes.
1. Establish a UDAAP Compliance Program
Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) is perhaps the biggest consumer protection regulatory risk facing banks today. Many enforcement actions, both formal and informal, cite UDAAP as the source. Even before the CFPB was officially up and running, the other banking regulators were aggressively examining for UDAAP compliance. UDAAP is unusually subjective and very broad, covering most banking transactions. Interpretations are not black and white, and activities that have not previously been criticized are coming under fire. An institution's best compliance defense is to develop a UDAAP compliance program specifically designed to produce fairness and clarity in banking transactions.
A good UDAAP program, at the minimum, must have the usual compliance elements: policies, procedures, risk assessments, monitoring and testing and a formal governance structure. However, it needs more than this. UDAAP violations are often found deeply embedded in the operations of the institution — areas where compliance departments usually do not venture. Effective UDAAP compliance will need more than just regulatory subject matter expertise (the typical compliance department skill set). It will need operational and IT experience. Successful regulatory compliance departments of the future will consist of a variety of experts — with the ability to analyze bank products and services comprehensively — and see them from a consumer perspective. Another essential component to a UDAAP compliance program is a well-managed consumer complaint process that captures all complaints, notes the root causes and tracks complaint trends over time.
2. Perform a comprehensive fair lending checkup
Fair lending compliance pressure has not abated at all. The Justice Department recently imposed the largest-ever civil money penalty for fair lending violations. Prudential bank regulators also continue to issue fair lending enforcement actions; the regulatory emphasis in examinations is as focused as ever.
A fair lending program must include all bank lending products, not just mortgages. While mortgage lending, especially mortgage servicing, remains the area of highest scrutiny, other types of loans can be problematic as well. A fair lending program must include such products as direct and indirect auto loans, unsecured consumer loans and hybrid products, such as deposit advance loans.
High risk areas in fair lending include discretionary pricing and product steering. These activities are under particular scrutiny.
If the bank allows lenders to set prices on any types of loans — even for purposes of meeting the competition — a well-designed risk management program is essential to monitor and test for fair lending concerns.
3. Conduct a proactive redlining review
Redlining claims are making a comeback. Banks should not wait for their regulator to determine where the bank's loans are being made and if the bank is serving all areas of its communities. CEOs should have a complete and thorough understanding of where the bank's loan dollars are going as well as how their marketing dollars are being spent. Special attention should be paid to low and moderate income areas within the bank's assessment area(s).
Mortgage lending is not the only type of loan to consider in a redlining review. Take a look at where consumer loans and small business loans are made. If there are low or moderate income geographies within the bank's footprint that are light on loans, determine the reason before your regulator asks. Having a plan and knowing and being able to tell your story (before your examiner does) is one of the best ways to avoid redlining problems.
4. Get your small business lending in shape for data collection
One of the new requirements of the Dodd-Frank Act is that banks must collect and report small business loan data annually — much like HMDA data is now reported. This data collection will enable regulators to determine if an institution is fairly lending to women and minorities. Until the actual regulations are written, data collection is not required. So, in the time available before the rules are in place, banks should take the opportunity to get small business portfolios in good shape—from a fair lending perspective.
One potentially troublesome small business loan issue is pricing. Many institutions have rate sheets and controls on consumer loan pricing, but not for small business loans. Regulatory agencies will eventually be able to analyze small business loan data much like they now review HMDA data, and will be able to compare pricing on loans made to women and minority borrowers. It is crucial to develop and implement effective pricing and underwriting policies and controls for small business loans. 2012 is the time to get these policies and control elements in place.
5. Make sure your BSA/AML program "pillars" are still intact and working
For the last couple of years there has been a prevalent perception that the regulatory agencies were placing less emphasis on Bank Secrecy Act/anti-money laundering programs. Whether or not that perception was true, BSA compliance enforcement is definitely making a comeback. Every bank CEO should be sure that the essential BSA program "pillars" are in place and effectively working. These pillars include: effective BSA/AML internal controls; a qualified BSA officer; an independent BSA/AML audit, preferably annually; and BSA training.
Here are a couple of specific things to watch for. Weak or ineffective suspicious activity reporting is most often the culprit when a BSA enforcement action is issued. Make sure that the bank has updated transaction monitoring software. Remember that not all such software is created equal and SAR lookbacks are very expensive. If the bank's suspicious activity monitoring and fraud identification are in two separate areas, think about combining them. Not only can efficiencies often be gained, but this combination of effort can be helpful in identifying and reporting suspicious activity.
Secondly, BSA training is often taken for granted, but the lack of effective training can, by itself, be the grounds for an enforcement action. Make sure training is broad enough, is provided to enough of the bank's staff and is of high quality. Job-specific training is the best.
Narrowing down bank regulatory issues to five priorities is inherently difficult in these extraordinary regulatory times, but if these five are in good shape, the bank has a good chance of having a quiet 2012 on the compliance front.
Kathlyn L. Farrell is a managing director of Treliant Risk Advisors.