
The CLEAR Picture

January 2017 edition

Supporting effective compliance programs: The oversight roles of the board audit and risk committees in regulatory compliance (part 2)

By Paul Osborne, CPA, CAMS, AMLP, and Peggy Sepp, CIA; Crowe Horwath

This is Part 2 of a two-part series from Crowe Horwath on the many aspects of supporting an effective compliance program. The first part of this article appeared in the November issue of The CLEAR Picture. As in Part 1, readers will find portions of sample reports the audit and risk committees might receive from the risk and compliance officers, as well as groups of questions the audit and risk committees should consider asking the risk and compliance officers. By addressing these questions, the audit and risk committees will go a long way toward fulfilling their fiduciary responsibility of overseeing the effectiveness of the organization’s compliance program.

To be effective, a financial organization’s compliance program must be an integral part of strategic planning, ongoing operations, and daily decision making. To support the audit and risk committees’ oversight roles, the organization’s risk and compliance officers should provide regular, succinct communication. In its oversight role, the applicable committee should ask the questions necessary to assure itself of the program’s effectiveness.

Education and training

An effective compliance program includes the education of directors, officers, managers, employees, contractors, and vendors about compliance program standards and procedures, as well as related responsibilities. Additional education about specific risk areas should be provided to those who work or practice in areas with higher inherent risk.

In addition, directors should be educated on all facets of the programs being reviewed by examiners so that communications with regulators are meaningful. Directors should understand items such as the difference between safety-and-soundness examinations (which drive an institution’s composite rating under the Uniform Financial Institutions Rating System) and consumer compliance examinations, as well as specialty areas such as the Bank Secrecy Act, anti-money laundering, and technology reviews. Directors and management can take advantage of resources their primary regulator and the Consumer Financial Protection Bureau provide to understand the regulatory process.

Sample Audit Report

New-employee education
All new employees received compliance education within 30 days of being employed, as required by policy, and they signed the “Compliance Program Acknowledgment Statement” indicating that they understand their responsibilities related to the compliance program and will act accordingly.

Annual education
Ninety-eight percent of employees and contractors completed the annual compliance program education in the past year.

Compliance risk-specific education
Education was provided to the suspicious activity investigators about the requirements for documenting the investigation of alerts received from the anti-money laundering system.

Suggested audit or risk committee questions

  1. Is compliance education provided to the entire organization?
  2. Has the effectiveness of the compliance program education been assessed, and, if so, what were the results?
  3. What policies and other measures have been developed to enforce education requirements and provide remedial education as needed?

Risk assessment, auditing, and monitoring

An annual risk assessment, together with auditing and ongoing monitoring, is an important component of an effective compliance program. A robust risk assessment process identifies risk areas that become part of the annual compliance monitoring work plan. To assess and address risks on an ongoing basis, organizations should have a means of monitoring internal systems to identify potential gaps in compliance with applicable laws, regulations, and policies. Monitoring helps identify potential compliance concerns early, thereby substantially reducing exposure to government or whistleblower claims. In addition to the compliance monitoring performed by the compliance function, internal audit performs an audit risk assessment, which includes compliance testing. Audit testing results are presented to the audit committee in a separate report by the director of audit.

Compliance risk assessment
A recently conducted compliance program risk assessment led to the development of the Annual Compliance Work Plan.

Emerging risk areas related to the compliance program
The compliance department monitors significant compliance investigations and regulatory developments in the financial industry. These include:

  • Enforcement actions and penalties
  • The regulatory exam schedule
  • Current complaints

Suggested audit or risk committee questions

  1. How effective is the annual risk assessment process in identifying high-risk compliance concerns?
  2. What assurance is there that high-risk items are being proactively monitored or audited?
  3. How are the audit and risk committees kept apprised of significant regulatory and industry developments that could affect the organization’s risk?
  4. Is the compliance risk assessment being updated proactively to address industry issues affecting other financial organizations?

Response to detected deficiencies

Once a potential compliance issue has been identified, the organization must respond. Even when standards and procedures are in place and an avenue is available for employees to voice their concerns, progress will not be made unless the organization responds to the identified situation and makes concerted efforts to prevent similar conduct or issues from arising in the future.

Compliance concerns update
For example, in one organization the following compliance concerns were identified in one quarter:

  • Adjustable-rate mortgage reset rates: An unrelated inquiry led to the discovery that certain adjustable-rate mortgage resets had not been set up correctly in the subsidiary system, resulting in overpayment of interest by the customers affected. The investigation narrowed the issue to 20 customers, and restitution was calculated and mailed to them. The cause was determined to be systemic. Since the incident, the bank has outsourced mortgage servicing, including adjustable-rate mortgage resets, to a vendor whose system calculates them correctly. Periodic reviews of the vendor’s system calculations are performed as part of vendor oversight.
  • Servicemembers Civil Relief Act: A customer complained of being charged an interest rate above 6 percent on his residential real estate loan despite the letter he submitted to the bank explaining his deployment as an active military service member. The investigation revealed that the issue was isolated and caused by human error, and the rate was adjusted retroactively.
  • Government investigation: A letter was received from the Justice Department requesting records related to a nationwide investigation into money laundering. Legal counsel is overseeing the record disclosure process.

Suggested audit or risk committee questions

  1. What is the process by which the organization evaluates and responds to suspected compliance concerns?
  2. What processes are in place so appropriate measures are taken in response to identified weaknesses?
  3. Has management provided the compliance officer with the necessary autonomy and sufficient resources to perform assessments and respond appropriately to compliance concerns?
  4. Are compliance issues appropriately reported to the applicable government agency and repayments made as necessary?
  5. Are corrective action plans implemented and appropriately monitored?

Consistent enforcement standards

Consequences for noncompliance should be in place, and they should be applied consistently regardless of an individual’s position in the organization. An employee performance evaluation should include the employee’s commitment and adherence to the standards of conduct and the compliance program.

Privacy breach: disciplinary actions
Discipline was applied in relation to two privacy breaches. One breach involved customer information not being secured during nonbusiness hours in the lending department. A second breach was identified during a compliance monitoring review and involved a branch banker giving customer information to a caller without asking the verification questions required to confirm the caller’s identity.

Suggested audit or risk committee questions

  1. Do management and the board receive reports demonstrating that the standards of conduct are communicated and followed and that, when they are not followed, employees are held accountable?
  2. Are disciplinary actions applied consistently across the organization?
  3. How does management ensure consistent enforcement of standards?

Conclusion

An organization’s compliance program supports leadership by proactively identifying and addressing compliance concerns, and the audit or risk committee plays an important role in the program’s oversight. An audit or risk committee that considers the answers to the questions here and conducts appropriate oversight is not only fulfilling an important part of its fiduciary responsibilities but also increasing the likelihood of an effective compliance program. Further, the compliance program cannot be viewed as an additional activity separate from day-to-day operations. It might seem to be a cliché, but compliance is the responsibility of every member of the organization. To be truly effective, compliance must be an integral part of strategic planning, ongoing operations, and daily decision making.


About Crowe Horwath

Compliance with AML regulations is important for financial institutions and the criminal justice system in the United States. Crowe Horwath LLP, one of the largest public accounting, consulting, and technology firms in the country, currently works with more than 1,100 financial services organizations and can assist clients in meeting regulatory expectations. Crowe offers a unique depth of knowledge in virtually all aspects of AML programs and can work with financial institutions of any size to help determine an appropriate AML strategy.