
Insights & Trends

The CLEAR Picture

November 2016 edition

Supporting effective compliance programs: The oversight roles of the board audit and risk committees in regulatory compliance (Part 1)

By Paul Osborne, CPA, CAMS, AMLP, and Peggy Sepp, CIA; Crowe Horwath

This is part 1 of a 2-part series from Crowe Horwath on the many aspects of supporting an effective compliance program. Watch for the second part in the January issue of The CLEAR Picture.

To be effective, a financial organization’s compliance program must be an integral part of strategic planning, ongoing operations, and daily decision making. To support the audit and risk committees’ oversight roles, the organization’s risk and compliance officers should provide regular, succinct communication. In its oversight role, the applicable committee should ask the necessary questions to assure itself of the program’s effectiveness.

Depending on the organization’s size and complexity, a financial organization’s board of directors delegates oversight of compliance program activities to the audit and risk committees or, in some cases, to a single committee that encompasses both functions.

Compliance for financial institutions can be divided into many areas, with numerous governing bodies providing standards and guidance. The nature, scope, and complexity of the financial institution will determine the assignment of duties and responsibilities, the time allocated, staffing, and the program’s degree of formality. Typically, the risk officer is responsible for management oversight of the overall compliance program, which encompasses many business units and disciplines. Consumer compliance oversight typically is the responsibility of the compliance officer, who often reports to the risk officer. If the organization does not have a risk officer, the responsibility may be shared directly by multiple managers, including the compliance officer, chief accounting officer, and credit officer. In this article, we refer to management responsible for compliance as the risk and compliance officers.

The compliance landscape has become increasingly complex for financial institutions. The number of governing bodies overseeing financial institutions, as well as the depth of their reach, has grown since the early 2000s. This level of compliance places a large burden on management and the board. Governing bodies providing standards and guidance for financial institutions include the following:

  • Commodity Futures Trading Commission
  • Consumer Financial Protection Bureau
  • Federal Deposit Insurance Corp.
  • Federal Financial Institutions Examination Council
  • Federal Reserve Board
  • Financial Crimes Enforcement Network
  • Financial Industry Regulatory Authority
  • National Association of Insurance Commissioners
  • National Automated Clearing House Association
  • National Credit Union Administration
  • Office of Foreign Assets Control
  • Office of the Comptroller of the Currency
  • Securities and Exchange Commission
  • U.S. Department of Justice
  • U.S. Department of the Treasury
  • Various state regulatory authorities

A typical audit or risk committee meets at least once per quarter, and members have the critical responsibility of understanding and overseeing the effectiveness of the organization’s compliance program. With the high volume of information presented in a short time at these meetings, it is important to make the most of these opportunities. Effective communication between the risk and compliance officers and the audit and risk committees is vital for effective oversight of the compliance program. Therefore, risk and compliance officers must meet the challenge of providing the appropriate level of detail in a written report in advance of the meeting and a concise presentation of important trends and risks during the meeting.

The attributes of an effective compliance program provide a framework that includes governance oversight. To exercise their fiduciary responsibilities, the audit and risk committees should receive regular reports on the elements of an effective compliance program:

  • High-level oversight
  • Standards of conduct
  • Open lines of communication
  • Education and training
  • Risk assessment, auditing, and monitoring
  • Response to detected deficiencies
  • Consistent enforcement standards

Throughout this article, readers will find portions of sample reports the audit and risk committees might receive from the risk and compliance officers, as well as groups of questions the audit and risk committees should consider asking the risk and compliance officers. By addressing these questions, the audit and risk committees will go a long way toward fulfilling their fiduciary responsibility of providing oversight to the effectiveness of the organization’s compliance program.

High-level oversight

The audit and risk committees must promote a culture of compliance and support the risk management process. Designating a high-level individual to oversee all aspects of a compliance program, including program effectiveness, sends the message that compliance is a high priority.

In addition, to support the risk and compliance officers, a compliance committee should be established to advise the compliance officers and assist with managing the program. The committee would serve as an additional opportunity for training and emphasizing the importance of compliance. The tone at the top and the overall culture of an organization are the keys to the success of the compliance program.

Compliance program oversight
The management compliance committee’s membership was expanded to include the new third-party risk manager. The committee’s membership now includes:

  • Compliance officer – chair
  • General counsel
  • Internal audit manager
  • Chief information officer
  • Risk officer
  • Chief security officer
  • Credit policy officer
  • Director of operations
  • Director of retail operations
  • Third-party risk manager
  • Human resource director

Compliance program effectiveness
The annual compliance program effectiveness assessment was conducted. The assessment identified the following needs:

  • Focusing on delivering education annually to all employees
  • Conducting a thorough annual compliance-related risk assessment as an area for improvement
  • Following up more consistently to confirm that corrective actions have been implemented and are effective

Suggested audit or risk committee questions

  1. How is the organization’s compliance program structured?
  2. Has management allocated sufficient resources to the program?
  3. In what ways does the tone at the top support a culture of ethics and integrity for all employees?
  4. Do the risk and compliance officers have sufficient authority to manage the program effectively?
  5. How are regulatory requirements identified, communicated, and properly implemented?
  6. Who is monitoring external issues that could affect the organization?
  7. What conclusions can be drawn from compliance, internal audit, and exam results?
  8. Are our risk and compliance officers speaking with peers about the regulatory experiences of similar institutions to gain insight into best practices our institution should adopt?

On a risk-adjusted basis, a bank account opened by a student receiving funds to pay for living expenses, education fees, and the general lifestyle would likely be classified as low risk. The risk would change significantly if the student/customer were to facilitate payments for a third party, even more so if the student allowed the third party to make widespread use of the account. Everyone knows increased risks lead to increased costs, but how can such costs, including the investigation of suspicious transactions and the submission of suspicious activity reports, be applied to the customer, in this scenario a student?

Standards of conduct, policies, and procedures
It is critical for an organization to create a culture of integrity and communicate to employees the standards and procedures to which they should adhere – as well as the consequences for them when standards are not met. Therefore, the organization should have standards of conduct – approved by the board of directors – that articulate the organization’s commitment to ethical business practices and describe the behavior expected of all full-time, part-time, and temporary employees, board members, contractors, and vendors.

Compliance-related policies and procedures
The management compliance committee has reviewed and updated the following policies:

  • Privacy and security policy
  • Third-party vendor management policy
  • Bank Secrecy Act and anti-money laundering policy

Conflicts of interest
On an annual basis, the organization’s directors, officers, and employees are required to complete a conflict-of-interest disclosure questionnaire. One hundred percent of those who were required to complete the questionnaire did so. The compliance officer investigated and addressed each of the disclosures that involved a potential conflict of interest.

Suggested audit or risk committee questions

  1. What steps has management taken to gain acceptance of the standards of conduct throughout the organization, including among employees, contractors, vendors, and board members?
  2. How does management know that the standards of conduct are understood and accepted throughout the organization?
  3. Does the organization have policies in place that address compliance risk areas, such as complaint management, customer harm and abusive practice principles, consumer protection, and fair lending?

Reporting: open lines of communication

Hotline calls and other reports
The following table summarizes the hotline activity for the first quarter. The volume of calls increased 20 percent from the prior quarter, indicating that more employees might consider it worthwhile to make such reports. The number of calls is consistent with national norms.

Hotline activity table

The five calls in the “Management” category were from the same department. The manager was new to the organization and was not following the policy on overtime appropriately.

Two privacy complaints were reported via reporting channels other than the hotline activity recorded in the table. Both of those complaints were substantiated breaches involving inappropriate disclosures of confidential information to individuals who were not authorized to receive the information. The employees involved were disciplined and educated on the proper procedure for sharing information.

Suggested audit or risk committee questions

  1. How are reporting systems, such as the compliance hotline, monitored to verify that reported matters have been resolved appropriately?
  2. What actions are taken currently to inform employees of the availability of the hotline and other reporting mechanisms and to encourage their use without fear of retaliation?
  3. Are significant issues that come to light investigated without retaliation, and are corrective actions taken?
  4. Are patterns or trends in calls or reports identified and further investigated?

Watch the January issue of The CLEAR Picture for Part 2 of this series, delving into education, risk assessment, and how to consistently enforce your standards.



About Crowe Horwath

Compliance with AML regulations is important for financial institutions and the criminal justice system in the United States. Crowe Horwath LLP, one of the largest public accounting, consulting, and technology firms in the country, currently works with more than 1,100 financial services organizations and can assist clients in meeting regulatory expectations. Crowe offers a unique depth of knowledge in virtually all aspects of AML programs and can work with financial institutions of any size to help determine an appropriate AML strategy.
