A former regulator maintains that a solid foundation for compliance is likely to keep an institution in the right position to identify and manage all its compliance risks. Here are the nuts and bolts of such a program.
What does it take to manage compliance risk effectively? Most would look to the Compliance Department as the responsible party, but the analysis conducted by your regulator is likely to start at a broader level.
Compliance risk should be part of the risk lexicon of a banking organization. An increasing number of firms explicitly include compliance risk as an exposure and discipline in its own right that is gaining the same stature as market, credit, or operational risk. Some institutions include compliance risk as a subset of operational risk within the risk management framework.
Boards of directors and their committees are making more frequent and substantive inquiries into compliance risk and whether management has an enterprise-wide view of that risk. And, by the way, they want to know what generates compliance risk and whether the overall level of risk is increasing or decreasing. Moreover, directors are likely to ask management pointed questions about their plan of action to ensure that the franchise is not at risk. The party to address the board on this issue is likely the chief compliance officer, chief risk officer, chief regulatory officer, or possibly the general counsel. Regardless of the individual appointed to report to the board, the information required to make the assessment is only partially available from the Compliance Department. Indeed, management of compliance risk is allocated broadly within a banking organization.
At the marketing, sales, or transactional level, bank staff who have the initial contact with clients are expected to be familiar with "know your customer" and USA Patriot Act requirements and with issues related to privacy, among others. Customer-facing units usually have considerable responsibility for compliance risk management at a banking organization. Indeed, they view themselves as the owner of the customer relationship and serve as the primary and ongoing control for that interaction.
This ownership role suggests that a great many individuals must have a baseline familiarity with compliance matters. Yet staff in marketing, lending, wire transfers, and so forth are not part of the Compliance Department.
In lending, evaluation of the borrower generally begins with "character." Who is the borrower? Why does the borrower want the money, and how will the funds be used? The credit officer conducting this evaluation is not a compliance officer and may not even be the initial point of contact.
In the operations department, where wire transfers are sent, the individual initiating the transfer and the individual approving the transfer are not compliance officers. Yet they must ensure that such transfers are put through a filter to identify problematic counterparties.
The role of the Compliance Department is to set the standards for compliance as appropriate to a bank's business strategy. Compliance officers may direct and manage compliance processes at a banking organization through directives and guidance, but more frequently their influence is what sets the tone.
The compliance standard at a banking organization is set forth in a series of policies or a policy manual developed and issued by the Compliance Department. Those policies summarize the relevant regulations, describe how those regulations are to be applied, provide an overview of the general compliance controls, identify the parties involved in exercising those controls, and specify a reference at the banking organization for further inquiries.
The compliance policies are implemented through procedures drafted by the compliance officers. …