Regulatory Requirements & Compliance: Ensuring Effective Outcomes


Presented By: John E. Palmer, CPA Managing Director/Principal

Agenda

• Compliance Management System

• Risk-Based Approach

• Compliance Training

• Monitoring and Internal Audit

• Communication

• Recommended Steps

Compliance Management System

CMS

Compliance Management System

• Reflect the bank’s business, culture, vision
• Identify and quantify compliance risks
• Build compliance into business processes and culture – who is responsible?
• Supported by a risk-based compliance program
• Demonstrate strong communication and accountability

CMS

Interdependent Elements

• Board and Management oversight
• Compliance program
• Compliance monitoring and audit

Management Responsibilities

• Clear and unequivocal expectations
• Clear policy statements
• Authority and accountability
• Adequate resources
• Periodic compliance audits
• Reports to the Board
• Issue tracking and resolution

Board Responsibilities

• Understand Requirements
• Delegate Authority, but not Responsibility
• Ensure Qualified Management
• Provide Adequate Resources
• Supervise Management
  – Establish policies
  – Monitor implementation
  – Provide for independent reviews
  – Address supervisory reports
• Maintain Independence

Risk-Based Approach

Compliance Risk-Based Program

• Risk Matrix/Applicability
• Risk Assessments
• Risk Assessment Concepts/Methods
• Success Factors

Applicability Matrix (diagram, reconstructed from the slide text)

• Regulator and Institution Type
• Applicable Universe of Laws, Regulations, and Guidance
• Business Lines, Delivery Channels, Products/Services, and Practices
• Applicability Matrix (REQUIREMENTS)
• Program components driven by the matrix:
  – Policies and Procedures
  – Internal Controls
  – Monitoring
  – Training
  – Risk Assessment
  – Self-Assessment
  – Internal Audit

Risk Assessments

• Compliance
• BSA/OFAC/Customer Risk Rating
• Information Security - GLBA
• ACH (Cash Management/Electronic Banking)
• Red Flag Assessment

Risk Assessment Terms and Concepts

• Inherent Risk vs. Residual Risk
• Exposure – Extent of Possible Damage
• Likelihood – Probability of an Event Occurring
• Risk Tolerance Measurements
• Risk Controls
• Risk Ranking and Heat Map

Risk Tolerance Measurements

• Events that establish management’s tolerance for risk.
• Examples:
  – Regulatory violations and fines
  – Customer complaint letters
  – Regulatory exam criticism

Risk Controls

• Risk controls relate to activities that are implemented to reduce the likelihood of an exposure event occurring. These activities include both preventive and detective controls:
  – Preventive measure – Training/automated system
  – Detective measure – Review after the fact. Can also mean audit and monitoring activities

Business Unit/Department: Consumer Lending - Underwriting
Manager: John Doe
Date: June, 2007

Scoring scale: 1 = Low, 5 = High. Inherent Risk Level = risk without controls; Residual Risk Level = risk with controls. Mitigating controls are rated Strong, Acceptable or Weak.

                                 Inherent Risk Level          Residual Risk Level          Mitigating Controls
#   Risk Component               Impact   Likelihood          Impact   Likelihood          Oversight    Policies     Measurement/Reporting   Internal Control
1   Credit / Concentration       5        3                   5        3                   Acceptable   Acceptable   Weak                    Acceptable
2   Interest Rate                5        3                   5        3                   Weak         Weak         Weak                    Weak
3   Liquidity                    5        3                   4        2                   Strong       Acceptable   Acceptable              Weak
4   Operations                   4        3                   2        2                   Strong       Strong       Strong                  Acceptable
5   Regulatory Compliance        4        4                   3        3                   Strong       Acceptable   Acceptable              Acceptable
6   Strategic                    5        3                   5        3                   Strong       Weak         Weak                    Weak
7   Price / Market               4        4                   3        3                   Acceptable   Acceptable   Acceptable              Acceptable
8   Reputation                   5        4                   5        4                   Weak         Weak         Weak                    Weak
9   Transaction                  –        –                   –        –                   –            –            –                       –
10  Information Technology       4        3                   –        –                   Strong       Weak         Weak                    Weak
11  Reporting                    4        4                   3        3                   Acceptable   Acceptable   Acceptable              Acceptable

    Weighted total               45       34                  35       26
    # of items                   10       10                  9        9
    Average (Consumer - Underwriting)
                                 4.5      3.4                 3.9      2.9

Mitigating control columns: Sr. Executive Management Oversight; Policies and Procedures; Risk Measurement, Monitoring & Reporting; Internal Control Environment.

Mitigating control ratings (Strong - Acceptable - Weak):
• Strong – Effective oversight, comprehensive policies, accurate reporting and strong internal controls.
• Acceptable – Average oversight, good policies, fair reporting and adequate internal controls.
• Weak – Ineffective oversight, inappropriate or missing policies, minimal reporting and/or insufficient internal controls.
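The risk matrix above, and the inherent-versus-residual concepts from the Risk Assessment Terms slide, can be carried through as a small risk register. The following is an added illustration, not code from the presentation or its author. It copies the impact and likelihood scores and control ratings from the slide table, recomputes the weighted totals, item counts and averages (handling rows that were left unscored, which is why the residual columns have 9 items instead of 10), ranks components by residual impact × likelihood for a heat map, and flags components whose residual score is no lower than their inherent score, which a reviewer would want to reconcile against the control ratings. The heat-map thresholds and the `RiskRow` structure are assumptions of this example.

```python
"""Risk-matrix worked example: inherent vs. residual risk scoring.

Added illustration, not code from the presentation. Scores are copied from the
slide's "Consumer Lending - Underwriting" table; the heat-map thresholds and
the data model are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Optional

# Mitigating control areas, in the slide's column order.
CONTROL_AREAS = ("oversight", "policies", "measurement_reporting", "internal_control")
RATINGS = {"Strong", "Acceptable", "Weak"}
SCORE_COLUMNS = ("inherent_impact", "inherent_likelihood",
                 "residual_impact", "residual_likelihood")


@dataclass(frozen=True)
class RiskRow:
    name: str
    inherent_impact: Optional[int]        # 1 = Low .. 5 = High; None if not assessed
    inherent_likelihood: Optional[int]
    residual_impact: Optional[int]        # None when not yet scored with controls
    residual_likelihood: Optional[int]
    controls: tuple = ()                  # ratings for CONTROL_AREAS, in order (or empty)

    def __post_init__(self):
        for v in (self.inherent_impact, self.inherent_likelihood,
                  self.residual_impact, self.residual_likelihood):
            if v is not None and not 1 <= v <= 5:
                raise ValueError(f"{self.name}: score {v} outside 1..5")
        if self.controls and (len(self.controls) != len(CONTROL_AREAS)
                              or not set(self.controls) <= RATINGS):
            raise ValueError(f"{self.name}: bad control ratings {self.controls}")


# Data copied from the slide table. Row 9 "Transaction" was blank on the slide;
# row 10 "Information Technology" had no residual scores.
REGISTER = [
    RiskRow("Credit / Concentration", 5, 3, 5, 3, ("Acceptable", "Acceptable", "Weak", "Acceptable")),
    RiskRow("Interest Rate",          5, 3, 5, 3, ("Weak", "Weak", "Weak", "Weak")),
    RiskRow("Liquidity",              5, 3, 4, 2, ("Strong", "Acceptable", "Acceptable", "Weak")),
    RiskRow("Operations",             4, 3, 2, 2, ("Strong", "Strong", "Strong", "Acceptable")),
    RiskRow("Regulatory Compliance",  4, 4, 3, 3, ("Strong", "Acceptable", "Acceptable", "Acceptable")),
    RiskRow("Strategic",              5, 3, 5, 3, ("Strong", "Weak", "Weak", "Weak")),
    RiskRow("Price / Market",         4, 4, 3, 3, ("Acceptable",) * 4),
    RiskRow("Reputation",             5, 4, 5, 4, ("Weak",) * 4),
    RiskRow("Transaction",            None, None, None, None),
    RiskRow("Information Technology", 4, 3, None, None, ("Strong", "Weak", "Weak", "Weak")),
    RiskRow("Reporting",              4, 4, 3, 3, ("Acceptable",) * 4),
]


def column_summary(rows, attr):
    """Weighted total, item count and 1-decimal average for one score column,
    skipping rows where that column was not assessed (the slide's 10 vs 9 items)."""
    values = [getattr(r, attr) for r in rows if getattr(r, attr) is not None]
    total, count = sum(values), len(values)
    return {"total": total, "items": count,
            "average": round(total / count, 1) if count else None}


def summarize(rows):
    """The slide's 'weighted total / # of items / average' footer, per column."""
    return {attr: column_summary(rows, attr) for attr in SCORE_COLUMNS}


def heat_bucket(impact, likelihood):
    """Heat-map colour from impact x likelihood. Thresholds are an assumption of
    this example, not from the slide."""
    score = impact * likelihood
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


def rank_residual(rows):
    """Rank assessed components by residual impact x likelihood, highest first;
    ties broken by number of Weak control ratings, then by name."""
    assessed = [r for r in rows
                if r.residual_impact is not None and r.residual_likelihood is not None]

    def key(r):
        return (-(r.residual_impact * r.residual_likelihood),
                -r.controls.count("Weak"), r.name)

    return [(r.name, r.residual_impact * r.residual_likelihood,
             heat_bucket(r.residual_impact, r.residual_likelihood))
            for r in sorted(assessed, key=key)]


def control_gaps(rows):
    """Components whose residual score is not below their inherent score: either
    the controls are not reducing risk or the ratings need reconciling."""
    return [r.name for r in rows
            if None not in (r.inherent_impact, r.inherent_likelihood,
                            r.residual_impact, r.residual_likelihood)
            and r.residual_impact * r.residual_likelihood
            >= r.inherent_impact * r.inherent_likelihood]


if __name__ == "__main__":
    for col, s in summarize(REGISTER).items():
        print(f"{col:22s} total={s['total']:3d} items={s['items']:2d} avg={s['average']}")
    for name, score, bucket in rank_residual(REGISTER):
        print(f"{score:3d} {bucket:9s} {name}")
    print("no residual reduction:", control_gaps(REGISTER))
```

Running it reproduces the slide's footer (4.5, 3.4, 3.9, 2.9) and shows that Reputation sits alone at the top of the residual heat map, while four components (Credit / Concentration, Interest Rate, Strategic, Reputation) carry the same score with controls as without; the Credit row, rated mostly Acceptable, is the one a monitoring schedule built around the risk profile should question first.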

Success Factors

• Measurable outcomes from a risk-based compliance program should include:
  – Risks are identified, measured and subject to a control structure
  – Supported by tailored policies, procedures and functional controls at the business level
  – The compliance monitoring schedule and testing program has been set around the risk profile
  – Results are reported effectively and tracked

Compliance Training

Compliance Training

• Board, Management, Staff
• Job-specific, Role-based
• Blended learning
  – Online
  – Classroom
• Recordkeeping

Compliance Monitoring and Auditing

Compliance Monitoring

• Risk-based, proactive testing
• Self-monitoring at the department level
• Monitoring by the Compliance Department
  – New products, services, delivery channels
  – New or amended regulations
  – New staff
• Tracking corrective actions

Compliance Auditing

• Integrated Audits
  – Test compliance with high-risk laws and regulations during operational audits
• Targeted Compliance Audits
• Compliance Function Audit
  – Evaluate the effectiveness of the compliance function

Communication

Communication

• The biggest challenge in communication is to first think through the following basic concepts:
  – Audience
  – Purpose of the communication
  – How do you need the audience to respond
  – Level of detail needed for the purpose
  – Risk level of content
  – Importance of timing and frequency

Types of Communication

• Risk Assessments
• Program and Scope overviews
• Monitoring/Audit reports
• Board/Management reports
• Open issue tracking reports
• Program status and progress reports
• Business unit monitoring results

Recommended Steps

• Take a deep breath
• Sit back and relax
• Review where you are
• Consider: is your message heard?
• Does your program have the right risk-based balance?
• Write down 5 action steps to improve your program
• Results

Thank You

John E. Palmer, CPA, Managing Director/Principal jpalmer@icscompliance.com

Office: (954) 489-2712  Cell: (954) 806-1863
