The Changing Nature of Compliance Risk; Passing a Compliance Exam Is the Easy Part

Article excerpt

Science-fiction writer Ray Bradbury said, "Living at risk is stepping off the cliff and building your wings on the way down."

In-flight wing-building is a good analogy for banks' efforts to transform their compliance programs into useful risk-management systems.

Bank compliance systems largely developed in response to risks that arose 20 years ago. They have been revised and extended over the intervening years, but in most banks they have not been fundamentally re-engineered.

The risk these old systems were created to meet was the compliance examination. When regulators began conducting these specialized exams in the 1970s, virtually all banks appointed compliance officers and set up basic compliance programs. Since then, the programs have been driven, and evaluated, by the goal of getting a good examination.

A "clean exam" has been equated with low compliance risk.

Well, no more. The six scariest words in the compliance world today are: "But we got a clean exam!"

Banks that continue to view the examination as the only risk arena for compliance are in danger of missing problems that could do them much more harm than any but the harshest examination-based enforcement action.

Consider the fair-lending enforcement cases that have been pursued by the Department of Justice. Most of the practices involved in these cases had previously been looked at by bank examiners and not cited as illegal.

Examiners knew for years, for example, that Chevy Chase Savings did not have branches in African-American neighborhoods. They had undoubtedly done Regulation B reviews of every depository institution sued by Justice. Some of these banks may have adopted the practices that triggered their Justice investigations only recently, but there is no question that many had been engaged in them for some time--through several or even many examinations.

Indeed, these institutions probably had "clean exams." But they ended up facing the apex of compliance risks--formal enforcement by Justice.

Traditional efforts are inadequate

Today, two things are happening that make traditional compliance programs inadequate:

First, sources of risk are proliferating beyond the primary regulator and its examination process.

Besides Justice, the Department of Housing and Urban Development as well as the Federal Trade Commission are initiating actions against banks and their affiliates. So are, increasingly, state attorneys general. So is the plaintiffs' bar, with private litigation skyrocketing.

Meanwhile, more groups are taking interest in bringing complaints, suits, and Community Reinvestment Act protests.

And the media are reporting these actions with a more active interest and activist slant.

Second, the risks are changing because the rules are no longer clear. "Compliance" used to be about following the regulations, which were written by the bank regulators or other federal agencies. This was difficult because the regulations were complicated and detailed, and sometimes required interpretation from the agencies, as with Regulation Z.

And handling this was difficult because the laws and regulations changed often. But it was not usually difficult to know what the rules were. They were there in black and white, in the Code of Federal Regulations, combined with interpretive letters and rulings.

Now, the era of being able to rely on such clarity is ending. The fair-lending cases are evidence of this. So is the Real Estate Settlement Procedures Act (RESPA).

RESPA lawsuits show uncertainty

As of this writing, more than 50 lenders have been sued in class actions for violating RESPA by paying overages to mortgage brokers.

These suits, dubbed "yield spread premium" cases, allege that payments to brokers for charging rates above the lender's standard interest rate violate RESPA's prohibition against giving or accepting kickbacks. …