Keys to a Successful Examination

Whether we like it or not, regulatory examinations are a fact of life for all banks and bankers. Accommodating examinations from the regulators, including the associated costs, is something that has been dealt with for decades – some might say ad nauseam! Nonetheless, we are stuck with it! It is going to be around for years to come. That said, the regulators are sensitive to the subject, and have taken steps to reduce the burden – particularly for smaller banks. However, compliance with laws and regulation is nothing more than a component of the “business platform” necessary to conduct banking business in the US. In some ways it is just another plank in the platform, just like maintenance of adequate capital or having an audit function – whether it is in-house or outsourced.

During my many years as a regulator, I have been involved in examinations that were contentious and ones that were constructive and everywhere in between.  Many would argue that it would be appropriate and necessary for some level of tension to exist between the examiner and the examined, and I would agree.  However, with an appropriate level of communication between the bankers and the regulators, recognition and respect for each other’s roles, and attention to professionalism and detail, the process can be navigated more smoothly.

With that in mind, here are some keys to implement during the examination and even the year-round regulatory cycle. Careful attention to the following items will make the process a more positive experience for bankers and regulators.

 

Keys

  • Address all prior examination report comments as expeditiously as possible. Failure to address prior examination items by the following examination can, in some cases, lead to an enforcement action. If a prior examination item is not addressed by the next examination, examiners will take comfort from the existence of a detailed plan that is underway and being tracked, monitored, and verified or validated.
  • Once an examination report is received, develop a plan to address examination issues. You may be able to do this even before receipt of the examination report, if there was sufficient detail presented at the close-out meeting. The plan should include target dates and responsible individuals. Track the work. When completed, use internal audit, or another independent party, to validate the work. A word of caution: if you plan to start addressing serious issues prior to receipt of the exam report, share your intentions and plans with the regulators.
  • Make sure you fully understand the regulator’s examination comments, issues, and recommendations. In my time as a regulator, I came across examination report comments that left me scratching my head. In those cases, I am sure the bankers were confused also. If issues are not clear, you must ask clarifying question(s). Bankers should not fear asking such questions and examiners/regulators should be willing to offer clarification. It benefits everyone.
  • Ensure that action plans and regulatory and audit issues tracking reports include all pertinent information. At a minimum this should include the issue, the planned action to address the issue, the individual and department responsible, the expected completion date, any intermediate milestone completion dates, and periodic progress updates and final completion date.  In the case of a tracking report, also note the date and results of validation by an independent party such as internal audit.
  • Entry Letter/Information Request/First Day Letter. Make sure you understand the information requested.  If the request letter is not clear, seek clarification.  Regulators should be receptive to follow-up requests for information.
  • Banks should provide all information requested by examiners quickly. If there will be a delay in getting all or some of the requested information, let the regulators know as soon as possible. Also, let them know when they can expect the information.  It can be frustrating to arrive at a bank to conduct an on-site examination and end up waiting for information.
  • During the examination, as well as in between examinations, be open and truthful when dealing with the examiners. Intentionally lying to an examiner is a felony. While there traditionally has been a “high bar” to prove a bank or an individual intentionally lied to examiners, avoid misleading or incomplete statements/information. Avoid “the sin of omission.” This can come back to haunt a bank and can be used as an additive factor in computing fines levied against banks. I have seen it happen.
  • Even with a strong rating or no examination issues, do not rest on your laurels. Given the countless billions of dollars of ill-gotten money, money launderers constantly seek new and more sophisticated methods of laundering ill-gotten proceeds.  Banks’ AML/BSA/OFAC systems must be subject to a regimen of continual improvement, and institutions must stay abreast of the latest developments in anti-money laundering techniques and systems.
  • Over the course of the regulatory cycle – maintain regular and open contact with the regulator(s). Make sure to keep regulators well informed of upcoming significant events. Each institution and regulator will find an equilibrium for communication.  Banks must be careful not to use regulators in place of management, consultants, or lawyers.
  • Do not treat compliance as an add-on duty for an already busy officer of the bank. I have seen institutions short-change the compliance function, considering it as an add-on assignment for an officer who may already have a full plate.  It is not a good strategy and may prove costly in the long run.
  • Ensure that there are adequate human and technological resources dedicated to compliance. Compliance needs qualified and sufficient dedicated resources to effectively mitigate BSA/AML, OFAC and other compliance related risks.
  • Compliance should be involved in approval of new products, new businesses, acquisitions, and mergers. The role should allow the compliance officer to be able to block approval, if there are serious unresolved compliance issues – such as a lack of understanding, measurement or even consideration of the additional compliance risks that are embedded in a proposal.
  • Maintain an up-to-date and thorough risk assessment. If you don’t have one – get one, and if you don’t have the expertise in-house to generate one, seek outside help.  It will be one of the first things that examiners will review during an examination. If policy/procedure does not call for a periodic risk assessment including methodology, consider developing one.  There is guidance in the FFIEC manual and many independent consultants with expertise in this area that are willing to help.
  • Ensure your technology is up to date. If you are not able to determine this internally, contact your service provider or vendor – or seek help from an outside firm with specialized expertise in this area.
  • Do you have a model governance policy that addresses all models in use by the various areas in the bank? Regulators are increasingly looking for this. And remember, it is not only about interest rate risk or credit risk.
  • Periodically review the effectiveness of your transaction monitoring and other BSA/AML/OFAC systems. Does policy call for model validations or tunings? Verify that the scenarios and thresholds in use remain appropriate, and that the system really monitors all transactions that it should. If not, fix it; and, if serious gaps are discovered, inform the regulators of the gaps and your plans to fix them.
  • Ensure your staff knows your technology’s capabilities and uses it to its full potential. Make sure that staff is properly trained in its use. Having a complex, state of the art Transaction Monitoring System will be of little use if your staff – both Compliance and IT – don’t have the knowledge to use it fully. Moreover, it may do more damage than good, by providing management with a false sense of security.
  • Ensure that Compliance and IT departments have open lines of communication regarding BSA/AML/OFAC systems and clearly delineated responsibilities with respect to the system(s). Confusion as to which department owns and is responsible for the system(s) can result in major problems.
  • BSA/AML/OFAC and Information Technology are specialized areas. Ensure that internal audit staff has the expertise to audit these areas.  These specialized skills command higher salaries and can make it difficult for some banks to attract and retain this staff.  So, for such institutions, it can be cost effective to outsource specialized audit work to firm(s) with the expertise. [1]
  • There should be general training for all staff with specific tailored training as necessary. All staff needs general BSA/AML/OFAC training on a periodic basis. In addition, staff that have specific BSA/AML or other compliance related responsibilities should have more intensive and tailored training to enable them to carry out responsibilities in accordance with both bank policy/procedure and legal requirements. This will help them identify suspicious activity more effectively, which is important, since many SARs that are filed result from employee referral.
  • Understand what your peers are doing. Participate in work groups, attend webinars, seminars, conferences, and read trade publications. Regulator expectations seem to be continually increasing, and industry risk mitigation tools and techniques are constantly improving. One of the best ways of keeping your fingers on the pulse is participating in webinars and seminars, attending conferences, reading electronic and hard copy trade publications, and even seeking further education or certifications.
  • Policies and procedures ensure practice and policy are consistent. Doing the right thing is very important, but unfortunately, not enough. Ensure that your bank gives itself credit for doing the right thing in its written policies and procedures. Because…
  • As one of my former colleagues used to like to say: “If it’s not documented, it didn’t happen.” So, document, document, document! Make sure practices are documented in the policies and procedures. Also, policies and procedures should include the requirement to document choices and changes in systems, business lines, model parameters-settings-thresholds. Document training attendance. Keep records/minutes/summary memoranda of meetings; not a ‘he said, she said’ exercise, rather it should be substantive points summarizing what was discussed and decided.
  • As a final note, when in doubt, always err on the side of conservatism, and you usually will be close to where you need to be.

In fact, any preparations for an exam will make for an easier exam process. Above are many key practices you can implement during a regulatory exam that will make the process a positive experience for both bankers and regulators. Some of the most important to note are communicating, both internally within your institution and externally with the regulators, and documenting plans, decisions, policies, procedures, and practices.

[1] An additional note on IT and IT audit. Do not exclude BSA/AML/OFAC systems (and conversions, etc.) from IT audit. Although they may not be considered critical to the same extent as GL accounting systems and core transaction systems, they should be subject to scrutiny from IT audit and subject to the same expectations and controls as other critical IT systems. As we have seen, there can be very significant costs, both tangible and intangible, to failures and gaps in BSA/AML/OFAC systems.
