Why Should Small Financial Institutions Perform Compliance Risk Assessments?

*special contributor report*

By James DeFrantz
Principal at Virtual Compliance Management
April 7, 2016

Originally published here. Republished with kind permission.

With a brief introduction by Brian Monroe, ACFCS Director of Content and Business Development.

This is a great issue to dissect because risk assessments have become the new cornerstone of compliance programs and a critical regulatory pain point.

That is chiefly because they can be very difficult to get right, can employ very complicated backend methodology that forms the informational foundation of the transaction monitoring system and the entire process of compiling data from customers, clients and companies and inputting them into bank legacy and anti-money laundering (AML) systems can be mercilessly picked apart by subjective regulators.

So if the financial crime compliance risk assessment is an endeavor inherently fraught with peril at larger big banks with more resources, expertise and systems prowess, why would a smaller institution even consider getting themselves mired in what can be very vexing initiatives?

Well, there are several, the first being it’s basically an obligation at this point. While not in any AML regulation, the requirement for banks to do compliance risk assessments is firmly ensconced in the interagency exam manual and has been for, I want to say, more than a half-dozen years.

But there are reasons, as DeFrantz points out, that AML risk assessments can be less chore at the behest of regulators and be more of a proactive, broad-based tune up of the core systems, processes and people that make up the compliance department. If done right, the risk assessment can improve efficiency, lower staff and audit pressure and reduce regulatory scrutiny.

Moreover, I can’t even count how many stories I have done revealing a migration of extremely high-risk entities, like politically-exposed persons, foreign money services businesses, third-party payment processors, online casinos and others who were kicked out of larger banks and were trying to set up shop at less savvy smaller institutions, in some cases even bribing their way become part owners of the bank.

So I think DeFrantz’s exposition on this issue is both timely, appropriate and, most likely prescient. Enjoy.

The concept of a risk assessment is often associated with large banks and financial institutions – but it shouldn’t be.

Oftentimes, the ugly truth about risk assessments is that they are prepared specifically to meet a regulatory requirement and not much more. Perform an annual risk assessment for BSA, get it approved and for the most part, put it away and don’t think about it again until the next year.

Risk assessments, however, can, and should be, used as a tool in the overall compliance toolkit. When a compliance risk assessment is properly completed and deployed it can have many uses, including audit planning,  cost reduction, training development and resource allocation to name a few.

Ultimately, the risk assessment should be used as the bedrock of a strong compliance program.

The Component Parts of a strong Compliance Risk Assessment

Past examination and audit results– It goes without saying that the past can be prelude to the future, especially in the area of compliance.   Prior findings are an immediate indication of problems in the compliance program.   It is important that the root cause of the finding is determined and addressed.

The compliance risk assessment has to include a description of the cause of the findings and the steps being taken to mitigate the risk of a repeat.  We recommend that the action has to be more than additional training.    Training tends to be the number one answer and of course it is important.

However, without testing to determine whether or not the training is effective, the risk of repeat findings remains high.

It should also be noted that a lack of past findings does not necessarily mean that that the coast is clear.  Each compliance area should be reviewed and rated regardless of whether there were past findings.   In some cases, there are findings that are lying in wait and have not yet been discovered.

Changes in staff and management– change is inevitable and along with changes comes the possibility that additional training should be implemented or that the resources available to staff should also change.

For example, suppose the head of note operations is brand new.  This new manager will want to process loans using her/his own system.  Loan staff who may be used to doing compliance checks at certain times during the loan origination process might become confused.

This increases the possibility of findings or mistakes.   Your compliance risk assessment should take into account the risks associated with changes and how best to address them

Changes in products, customers or branches– continuing on with the idea that change is going to happen, it is important that your risk assessment consider all the different aspects of changes that have occurred or will occur in the Bank during the year.

This will include any new products or services, new vendors and even marketing campaigns that are designed to entice new types of customers.

The risk assessment should consider what resources will be required and how they should best be deployed.  Before new products are introduced, the compliance team has to consider the time necessary to make sure that all of the processes are in place.  New advertising means both technical and fair lending compliance considerations.

Changes in Regulations– Over the past five years, there have been a huge number of changes to regulations, guidance and directives from Federal and State agencies.  Many of these changes do not impact small financial institutions directly, but some do.

Moreover, there are often regulations that are finalized in one year that don’t become effective until the following year.   Part of your risk assessment process has to consider changes that affect your bank immediately or will affect you bank in the future.

As a best practice, it is advisable to review the annual report of your regulator to determine the areas of focus that are planned for the year.  Most regulators are transparent with this information and their publications will indicate areas of examiner focus for the upcoming year.

Monitoring systems in place – finally, the systems that you use to monitor compliance should be considered.  For many small institutions, this system is comprised of word of mouth and the results of audits and examinations.

Part of your assessment should include a plan to do some basic testing of compliance on a regular basis.  After all an ounce of prevention……

The Analysis

Once you have gathered all of the information necessary for completing the analysis, we suggest using analyses that don’t necessary assign numbers to risk, but prioritizes the potential for findings.

Remember the effectiveness of your compliance program is ultimately judged by the level and frequency of findings.   The effective risk assessment reviews those areas that are most likely to result and findings and develops a plan for reduction.

Inherent Risk

For each regulation that applies to your institution, you must first determine the level of inherent risk. According to the Federal Reserve Bank, inherent risk can be defined this way:

Inherent consumer compliance risk is the risk associated with product and service offerings, practices, or other activities that could result in significant consumer harm or contribute to an institution’s noncompliance with consumer protection laws and regulations. It is the risk these activities pose absent controls or other mitigating factors.[1]

Your compliance risk assessment should consider the inherent risk associated with each product that is offered. For each regulation, consideration should be given to the penalties associated with a violation.

As a best practice, the likelihood of review of the area by regulators should also be factored into the overall level of inherent risk.  For example, flood insurance is an area that is likely to be examined each and every time the examiners conduct a review and this should factor into the overall inherent risk rating of the area.

This is an issue doubly important for financial crime compliance regulators who have shown more of a willingness to make instances of AML non-compliance more public, rather than an informal matter requiring attention (MRA), and hand down monetary penalties if the gaps are extensive or longstanding.

Effectiveness of Controls  

Once the inherent risk has been established, the next step is to assess the overall effectiveness of internal controls. Your internal controls are the policies, procedures, training and monitoring that are performed on a regular basis.   This includes audits and internal reviews that are performed by the compliance department.

To complete the analysis it is necessary to be self-reflective honest and brutal!  If staff is weak in its understanding of the requirements of Regulation B, it is necessary to state that and make a plan to address the weakness.

If more training is necessary or if, heaven forbid, a consultant is needed in certain areas, it really is appropriate as part of the assessment to say so and attempt to make the case to management.  We have found that the cost of compliance goes up geometrically when a bank is faced with enforcement action.

It is much more efficient to seek the assistance when there are only potential problems as opposed to when actual problems have been found.

Residual Risk  

Residual risk is defined as the possibility that compliance findings will occur after consideration of the effectiveness of controls. The less effective the controls, the higher the residual risk.

Again, it is critical that the assessment in this area is one that has to be brutally honest.  If overall controls are not what they should be, the weaknesses that exist should be reflected in the risk assessment.  The goal of the assessment is to determine the areas that have the highest levels of risk and to allocate resources accordingly.

Using the Document

The compliance risk assessment is like a Swiss army knife- it has several uses.

First, the compliance risk assessment should be used to help with the planning and scoping of audits for the year.  The highest areas of risk should receive the greatest scrutiny by the auditors.  Moreover, the highest risk areas should be scheduled for review as early in the year as possible so that remediation efforts can be commenced and tested.

Rather than setting a basic training schedule, use the assessment to make sure that classes are focused on areas where the risk assessment has shown the potential for problems.

The risk assessment can also be used to set the priorities for which policies and procedures need to be updated and in what order.  The compliance risk assessment is a good tool for measuring the level and quality of compliance resources.

As part of the risk assessment process, the level and quality of resources must be considered.   As the process is concluded, it is natural to use the results to develop specific requests for additional staff, software, training or other resources that are necessary to maintain a strong compliance program.

Creating the Compliance Environment

Probably the greatest untapped asset for any compliance officer is the staff at your institution.

Without the support and input of the people who are actually contacting customers and performing day to day operations, the effectiveness of your compliance program will be greatly limited.

Of course one of the greatest impediments to getting the “buy-in” of staff is the perception that many in the banking industry have of compliance.  There is generally dislike and disdain for anything compliance related.

Compliance rules have been developed over time in response to unfair and sometimes immoral behavior on the part of banks.  Most of the regulations have a history that is interesting and can help explain what it is that the regulation is attempting to address.

Taking the time to discuss the history of the regulations and what it is that they are trying to address can go a long way toward getting staff involvement.

Making sure that senior management accepts the importance of compliance and the costs of non- compliance can help increase support.

A comprehensive compliance risk assessment should be the key to a strong compliance program.