FILING CABINET: Free Materials Enhancing Your Latest Issue-- for subscribers only BOARDROOM BOOTCAMP: SO, YOU’RE THINKING ABOUT A “BOARD PORTAL”? BOARD REPORTING LESSONS FROM GOLDILOCKS KEEPING BOARD FRESH HIRE A DETECTIVE? THE BOARD AND BSA A CLOSER LOOK AT MINUTES DIRECTOR SUCCESS SKILLS LENDING ADVICE FROM A VETERAN MUCH MORE ABOUT MINUTES     For Advertisers Only: How to Reach BDB's Readers With Your Message FREE BOARD HELP: Click for articles about corporate governance issues drawn from the Bank Directors Briefing "The Director’s Job" monthly feature and other sources FREE SAMPLES: Click for sample issues of the newsletter and a subscription form. FDIC's Director's Corner LINK TO ABA'S CORPORATE GOVERNANCE SITE (ABA member banks only!)   OTHER RESOURCES		This article appeared on the website of ABA Bank Directors Briefing newsletter, www.bdbonline.biz, It was posted in July 2007. Copyright 2007 Simmons Boardman Publishing Corp. Your Bank's Roadmap to Compliance Risk Management: Policies and Procedures By Mollie Newsome Sudhoff, senior advisor, Paragon Compliance Group, and, president, Jefferson Cook Associates, Ltd., Winnetka, IL, msudhoff@paragoncompliance.com Safety and soundness policies tend to demand much attention as new banks form and seek growth organically or through acquisition. Members of the boards of director often bring financial expertise from other areas of their professional lives. When a bank is publicly-traded, financial condition is even more of a daily concern for executive management and the board. Creating core policies and procedures that not only guide bank employees toward proper management, but can withstand the test of time is not easy. As these banks become more sophisticated, offering more and more complex products and services, new avenues of risk may be presented, especially in the compliance area. Here we will discuss the fundamentals of policy and procedure development and maintenance, from the perspective of compliance-oriented policy and procedure gap analysis. Consider the following: “Operating with a board of directors which has failed to provide adequate supervision over and direction to the active management of the Institution; operating with management whose policies and practices are detrimental to the Institution and jeopardize the safety of its deposits; engaging in violations of law and applicable regulations...” From a recent enforcement action published on a regulator’s website. Those are comments that no banker wants to read from their regulator. While the monetary penalties may be large or small, the reputational costs are high. So, too, are the costs of time and effort responding to the regulators, which takes time away from valuable business development and customer service time. While the list is long for things that go wrong that are out of the bank’s control, such as hurricanes, floods, and other natural disasters, giving proper attention to policies and procedures can control and manage certain risks thereby avoiding the above comments being directed at your institution. “P&P GAP ANALYSIS” Periodically, your bank should compare the policies and procedures that exist versus what is required. I call this the process of “performing a P & P Gap Analysis.” This process is not to be confused with asset/liability gap analysis. However, both processes share the same goal: to identify risks so that management can intelligently assess the costs and benefits of risk mitigation. First, some fundamentals: While management and ultimately the board of directors is responsible for everything that occurs at the bank, prudent directors make sure that the bank has policies that meet all of the business objectives in a safe and sound manner. The bank must do this while meeting the ethical and regulatory requirements of the jurisdiction of the institution’s charter. Banks and bank employees are held to high standards of fiduciary and ethical conduct, due to the nature of the public interest and the fact that bank deposits are insured by the full faith and credit of the United States up to the limits established by the FDIC. This insurance coverage brings with it a set of expectations that are higher than for uninsured institutions. Where does the bank start? Let’s begin with some definitions. POLICY DOCUMENTS The Federal Reserve Bank of St. Louis (See Insights for Bank Directors, A Basic Course on Evaluating Financial Performance and Portfolio Risk, http://www.stlouisfed.org/col/director/call/whatyouneedtoknow.htm) defines policies as documents having the following features. First comes a statement of objectives. Then, the following three issues should be addressed in adequate detail to assess: (1) Who is responsible; (2) What is permitted and not permitted, i.e., limits; and (3) What actions should be taken and when. Ideally, policies should generally be short and to-the-point documents that describe what activities are permitted and by whom as well what action is deemed necessary if the policy is not followed. In short, these are guiding principles. In a bank or financial institution these usually are presented to the board of director for board approval. Certain policies should always go to the board. These include the following: a. Corporate Governance---several policies including: i. Code of ethics ii. Board of director duties iii. Any Securities and Exchange Commission policies iv. Accounting v. Audit Committee vi. Human Resources b. Credit and loan review c. Regulation O-loans to insiders d. Regulation L-Management Interlocks e. Anti-Money-Laundering/Bank Secrecy Act f. Consumer compliance, including the compliance program g. Privacy h. Funds availability i. Security j. Non-deposit products k. Any other policies that have a major impact on the conduct of bank business; for example, many banks have created a Fair and Accurate Credit Transactions (FACTA) policy, which is approved by the board. PROCEDURES DOCUMENTS This is usually a more detailed document and takes into consideration various departmental roles, and individual roles. It is a “how-to” document that tells the staff what to do to accomplish the policy. Procedures do not always have consequences enumerated in the document, as policies might. Procedures are generally thought to be a practical document—a methodology or course of action. Some would call a procedure “a roadmap of how to do the job at hand.” Procedures are working documents that may change as tools become available and as products change. Generally, procedures do not need board approval. The board of director and senior management have a responsibility to set policy and to ensure that policies and procedures are carried out in a manner to protect bank assets. To carry out policies and procedures, employees need expertise and training. Training is required by regulation for several areas, including Bank Secrecy Act, Regulation CC (Funds Availability), bank security, and information security. (Of course, thorough training is recommended for almost every area of the bank.) Where periodic training is required by regulation, most prudent managers provide such on an annual basis. PERSPECTIVE AND ACTION What is required by law? Let’s take an example. A violation of Regulation C—the Home Mortgage Disclosure Act—is subject to administrative sanctions, including the imposition of civil money penalties, where applicable. Typically, where there are strong procedures in place, an error in compiling or recording loan data is not a violation of the act or this regulation, if the error was unintentional and occurred despite the maintenance of procedures reasonably adapted to avoid such errors. Additionally, regulators and the statutes they enforce generally offer some leeway for making a good-faith effort to comply. However, such leeway goes by the wayside when management does not maintain or enforce proper policies, procedures, and controls. A METHOD THROUGH THE MYRIAD How an institution handles all this internally depends on the fundamental elements of the bank’s risks; including complexity of products; number of branches, size and expertise of staff; location of branches; charter type; and types of customers served. If yours is a small bank that only serves business customers, your consumer-oriented policies might pose only small risks. However, a nationwide banking organization with consumers in all 50 states and beyond would necessitate a robust consumer compliance program. We will focus here on key methodologies to determine if everything is covered. Riskier items should be addressed first. One method is to evaluate your bank’s product mix and then list the policy items required by law. Have competent personnel (either internal or external) read the bank’s existing polices to determine whether these are specific in nature such that they state the objective; define who is responsible; what is or is not permitted; and when action must be taken and by whom. Another key step is to know what your regulator considers riskier. Looking at enforcement actions from your regulator (and others) is one way to determine this. For example, from January through April of 2007 80% of the FDIC’s Civil Money Penalty have been flood-insurance related. On the other hand, 20% have been related to the Home Mortgage Disclosure Act. Interestingly, the Comptroller’s Office has only fined banks for violations of flood and Bank Secrecy Act issues. Does this mean HMDA is not important for national banks? On the contrary—but the data provides some perspective and a place to start your analysis. Also, looking at products that regulators have determined to be problematic can be helpful. Overdraft checking, sub-prime lending, and alt-A lending have been addressed in special guidance from regulators. Once that bank has performed a thorough analysis, this exercise needs to continue on a periodic basis. A fundamental of dual control in banking is to have processes in place to check the checker. Audit might review what Compliance is doing, Compliance would review line policies, etc. Tools to track and maintain policy and procedure compliance can range from simple manual systems to sophisticated matrix-managed computerized programs. Other than the most basic paper and pencil list, one frequently used tracking method is a simple spreadsheet or word processing tabular matrix. These offer the basics for tracking requirements vs. what you have and need not be expensive. Banks can also purchase software that maintains copies of policies and procedures with links to other documents that will be affected when the policy or procedure becomes outdated due to regulatory or internal change. These programs usually link policies and procedures to a department responsible for upkeep and maintenance. Training components may also be tied to these documents. The automated systems offer report generation capabilities that enable one to quickly identify gaps and needed areas of attention when regulations change as these do on a regular basis. IMPORTANCE OF QUESTIONS In either a manual or automated process the key to success is having qualified people asking questions, verifying requirements and documenting the answers. A good review not only means that the policies and procedures list what is required, but that someone is checking to be sure it is being done and being done properly. Testing includes asking questions, validating computer-generated lists against another source or formula to make sure that the procedure comes up with the correct result, or simply reviewing files or products affected by the policy under review. Remember the old adage for use of computerized programs, “garbage in, garbage out.” If the formulas are not correct for calculating the Annual Percentage Rates, if fields are incorrect for HMDA data collection, or dates are wrong for Annual Percentage Yield calculations, then the procedure will not comply with the regulatory requirement. FOLLOWUP IS CRITICAL What happens to audit or monitoring findings? Once something is found to need correction, the results should be disseminated to the people best able to correct the errors, and change policies or procedures to ensure this does not happen again. Just like repeat violations in examination reports, repeated problems with correcting internal review findings is an indicator of increased risk. Policies should be in place that hold employees accountable for their actions or inactions. For example, is policy compliance part of the employees’ performance evaluations? Do compliance infractions carry any weight when determining bonuses or raises? Programs that factor compliance in along with production show that management and the board is serious about its responsibility to honor the regulations. In closing, banking organizations that are serious about growth and profitability must also be serious about compliance. Policy and procedure review and maintenance is one key to compliance and keeping your bank focused on service and profitability. BJ This article appeared on the website of ABA Bank Directors Briefing newsletter, www.bdbonline.biz, It was posted in July 2007. Copyright 2007 Simmons Boardman Publishing Corp.
This website copyrighted 2007 by Simmons Boardman Publishing Corp. All rights reserved.