Approaches to Managing Compliance Risk

Article excerpt

Four compliance officers--at institutions ranging from $3 billion to $95 billion--talk about their programs, their backgrounds, and compliance training. They also present their wish lists for the coming year and offer advice to other institutions seeking to strengthen their responses to compliance risk.

In a recent "West Wing" episode, Chief of Staff C.J. Cregg is presented with two solutions to a problem with termites, while she also grapples with the prospect of major repercussions from Leo McGarry's secret meeting with Fidel Castro--not to mention the usual array of critical issues. With equal parts exasperation and exhaustion, she asks, "Can't we just get rid of the damn bugs?"

Compliance officers must feel like that. Not that long ago, compliance was a part-time job at many institutions; now there are compliance departments with multiple personnel, and the task still seems overwhelming. Everyone knows that examiners are looking at some issues with greater scrutiny than others, but no one's telling them which ones aren't critical. It might make sense for a compliance risk manager to pass along over-the-top mitigation demands to a bank's business line managers to ensure enough bug spray to kill the bugs several different ways. However, that's just not realistic. So they must help the business lines figure it out.

Compliance leaders from two community banks and two regional banks stepped out of the fray long enough to answer some questions from The RMA Journal on how their institutions are managing compliance.

The Programs

Responses from all four participants reflect the changing focus of the regulatory environment by stressing the importance of risk-based practices. Michael Matossian, chief compliance officer at Fifth Third Bancorp, says that when managing compliance risk it is imperative to "ensure the risk taken is the risk intended." Pacific Capital Bank's Compliance Department begins its mission statement, "To promote an effective risk control environment that ensures all protections and benefits adopted by lawmakers are extended to each customer of the bank, thus allowing the bank to better serve its communities." Banner Bank's risk-focused program is based on the requirements of its primary regulator, the FDIC, as well as best practices seen at other commercial banks, and is complemented by separate programs addressing BSA/Anti-Money-Laundering (AML), OFAC, and Community Reinvestment Act compliance.
Fifth Third Bancorp and PNC are both migrating toward enterprise-wide compliance programs. Fifth Third is enhancing its "reputation capital" by helping to ensure the bank's ongoing adherence to laws, regulations, and internal controls. An interesting second part of Pacific Capital Bank's mission statement is to minimize the level of regulatory expenses to the bank and its shareholders; the Compliance Department particularly prides itself on expertise in consumer protection regulations.

Not unlike the other institutions, the front end of PNC's process is a partnership with the business lines to help them identify emerging risks, advise them of changes in the regulatory environment, and work with them to develop compliant operating procedures and processes; the back end of the process includes compliance testing prioritized by risk in each business, using the results to work with the business lines on solutions to address any issues. "We maintain very open communication," says Jack Wixted, chief compliance and regulatory officer for PNC. "The stakes are much higher today for maintaining a robust compliance program. As has been seen, failure to do so, especially in anti-money-laundering, can be franchise-threatening. We want issues to surface immediately, so we can help our business lines address them; however, they all know that each line owns the compliance risk and must assume ultimate responsibility."

Fifth Third's compliance program generally consists of decentralized accountability for compliance at the affiliate level, centralized line-of-business direction, periodic compliance risk management (CRM) risk evaluation and assurance monitoring, and independent audits. …