Compliance is recognized by the financial industry as a high-risk function. Failure to manage it effectively can result in high costs to an institution, as witnessed by many supervisory enforcement actions and fair lending settlements over the years.
Compliance management is an important element of an institution’s overall risk management efforts. It makes sense to ensure that it is “owned” by line managers, those whose operations will generate either compliance or noncompliance, just as with all other elements of the institution’s overall risk. To make compliance management work well — effectively and efficiently — line personnel need to be given the tools to succeed at compliance and then held responsible for their results. When senior management establishes accountability and all staff believe it, and compliance performance is measured meaningfully, positive compliance results can occur.
As with other aspects of compliance management, identifying and categorizing levels and types of compliance risks are critical to both efficient operations and effective outcomes in any system of enforcing accountability.
Noncompliance as Risk
In recent years, federal agencies have made a fundamental shift in how they examine financial institutions for compliance within their overall examination process, adopting a risk-based methodology. The agencies’ programs are designed to focus examiner attention on areas within financial institutions that may pose the most significant risks, including compliance.
The agencies work to promote a sound risk-management process at each regulated financial institution, one centered on the evaluation and management of risks. The agencies try to help financial institutions implement compliance programs that focus on anticipating, evaluating, managing and communicating about key compliance risks.
“Compliance risk” is defined as that risk to earnings or capital that arises from violations of or nonconformance with laws, rules, regulations, prescribed practices or ethical standards. The agencies’ examination procedures provide that compliance risk can damage an institution through any or all of the following consequences:
- Regulatory or judicial fines and penalties
- Payments of damages to aggrieved parties
- Voiding of contracts
- Diminished reputation
- Reduced franchise value (due to monetary and reputation losses or penalties)
- Diminished business opportunities
- Lessened expansion potential (e.g., when fair lending or Community Reinvestment Act problems delay or disallow corporate changes, mergers or acquisitions)
The supervisory agencies recognize that an important element in avoiding these risks and their resultant costs is an effective accountability system, in which institution staff feel they own their roles in the overall program.
Establishing Accountability
An effective accountability system has to be built around a solid design. A few key elements are needed to make it succeed: management commitment; appropriate training of and communication to all staff; regular, independent testing of performance; and consistent enforcement of responsibility.
Management Commitment
Solid support from both the board of directors and senior management is vital to the success of any compliance (or other) management function. It should also be seen as in their best interests since the risks and penalties for noncompliance are tremendous, and the board and management are ultimately responsible for the institution’s compliance (and other) performance.
Management and the board need to understand the true importance of compliance — it is not a job to be relegated to one person, or a small group, and ignored by everyone else. “Everyone else” includes those who drive the institution’s compliance performance, and they must be given the tools to succeed and held accountable for their results.
Training and Communication
Training is the foundation for effective compliance and accountability, since employees cannot be expected to comply with the plethora of laws and regulations that govern banking today if they have not been given appropriate instruction on what is required of them.
In structuring a compliance training program, the first step is a needs assessment — the types of products and services offered, current level of staff knowledge, problems identified in audits and examinations, and so forth.
The goal of the compliance training is to provide line officers and other staff with the information they need to produce positive compliance results in their particular area or job. It is not to be an exercise in information overload. Therefore, the person in charge of training (whether classroom, online, etc.) needs to scope out the relevant laws and regulations to be covered, determine how to tie the rules into the institution’s functions, decide which media and tools to use, and so forth.
Regular communication of compliance information is an important complement to regular training. It helps keep staff aware of changes in the compliance rules and expectations, as well as keeping compliance issues on their “radar screens.”
Testing
A robust internal compliance review program, including both periodic audits and ongoing monitoring, can serve several purposes. These include giving early warning of problems, providing a defense against litigation, meeting regulatory expectations, and furnishing measurements of department/area or individual performance.
Enforcement
Without consistent enforcement of accountability for compliance performance, all the other elements are pretty much for naught. If individual line managers and other personnel are “let off the hook” for poor compliance performance because of, for example, high loan production volume, the system is likely to fail.
Making It Work
Human nature being what it is, there need to be incentives for good compliance performance and, perhaps more importantly, disincentives for poor results. In addition, if all staff are not held to the same standards, then any exhortations for good results and performance will ring hollow to everyone. Those whom the institution tries to hold to proper standards will begin to resist, since they are expected to meet standards that others are not. Such a “program” is not fair and cannot succeed.
Compliance performance elements should be factored into job descriptions, performance evaluations and incentive pay. It needs to be clear that line managers are ultimately responsible and accountable for compliance performance in their areas, and that compliance is an explicit part of everyone’s job.
If there are line managers who cannot or will not take responsibility for their own or their area’s compliance performance and, therefore, expose the institution to risk, the institution should send them packing and replace them with managers who are positive about compliance issues and willing to take on this important obligation.
Otherwise, the institution has to pay for expensive, redundant processes to check the work of that person(s) or area and fix their errors. Running such a “fix-it” shop is not an efficient way to manage compliance. Establishing and enforcing accountability can produce the lowest-cost compliance — compliance that is embedded in the institution’s normal operations rather than added on, with everyone working to get it right the first time.
A useful tool for running an accountability system is an accountability matrix, which can be customized to fit an institution’s particular situation, structure and needs. It can help assure management that someone or an area has been designated as responsible for each compliance rule or issue that impacts its lines of business. The matrix should outline the rules or issues, who is responsible for them, which areas they affect, and so forth.
Conclusion
As discussed, accountability for compliance performance — good or bad — is essential for an institution’s success in effectively managing its compliance function. Properly structured and enforced, a strong accountability program helps ensure cost-effective, positive compliance results.
William J. Showalter, CRCM, CRP, is a senior consultant with Young & Associates Inc. (www.younginc.com), with over 30 years of experience in compliance consulting, advising and assisting financial institutions on consumer compliance and compliance management issues. He also develops and conducts compliance training programs for individual banks and their trade associations, and has authored or co-authored numerous compliance publications and articles. Bill can be reached at (330) 678-0524 or wshowalter@younginc.com.

