11/16/2015

ForBanks,RethinkingRegulatoryComplianceManagementDeloitteRisk&ComplianceWSJ

OriginallyPublishedJuly29,2014,12:01AMET

ForBanks,RethinkingRegulatoryCompliance
Management
Asregulatoryguidanceforbanksbecomesincreasinglyforceful,financialinstitutionsare
workingtoestablishcomplianceframeworksthatareequippedtomeetmorestringent
standards.InthepostDoddFrankActregulatoryenvironment,theassumptionthatguidanceis
justanexpectation,ratherthanarequirement,isnolongeracceptable.
Historically,regulatoryguidancewasdeliveredinthecontextofshould,asin,banksshould
dox,yorz.Recentdevelopmentsmakeitclearthatshouldisbeinginterpretedasshall,at
leastforlargerorganizations.Bankleadersandboardsarebeingchallengedtocometoterms
withthenewrealityofcompliance,saysJ.H.Caldwell,apartneratDeloitte&ToucheLLP.To
remaincompliantandavoidthemajorfinesandreputationalrisksthatcomewithenforcement,
theywillwanttounderstandthesizeandshapeofthecomplianceinfrastructurethatwillbe
needed,includingthepeople,processandtechnology,Mr.Caldwelladds.
RegulatorybodiessuchastheConsumerFinancialProtectionBureau,FederalDeposit
InsuranceCorporation,BoardofGovernorsoftheFederalReserve,theBaselCommitteeon
BankingSupervisionandOfficeoftheComptrolleroftheCurrency(OCC)areleadingthe
charge.Theyareexaminingbanksagainstcomplianceriskmanagementguidance,and,in
somecases,bringingenforcementactionsforanunderlyingweaknessifitrisestoanunsafeor
unsoundconditionorpractice,oraregulatoryviolation.
FindingaBaselineThoughaStrategicSelfassessment
Forabank,itiscriticaltodevelopastrategyforhowtoassessitscompliancewithapplicable
guidanceandthenenhanceitsenterprisecompliancemanagementprogram.Astartingpointis
astrategicselfassessmentoftheoverallcomplianceriskmanagementprogram,saysJohn
Graetz,aprincipalatDeloitte&ToucheLLP.Manybankingorganizationshavenotundertaken
theeffortrequiredtoproactivelyassesstheirlevelofcompliancewithregulatoryguidance,
largelybecauseknowinghasntbeenmissioncritical,headds.
AnexampleofregulatoryguidanceistheFederalReservesSR088guidanceoncompliance
riskmanagement.AnotheristheproposedregulationinvolvingtheOCCsHeightened
Expectationsthatcodifiesitsgettingtostrongexpectationsforbanksover$50billionin
assets,effectivelyevolvingregulatoryguidanceintorequirements.Manybanksunderstandthe
http://deloitte.wsj.com/riskandcompliance/2014/07/29/forbanksrethinkingregulatorycompliancemanagement/tab/print/

1/5

11/16/2015

ForBanks,RethinkingRegulatoryComplianceManagementDeloitteRisk&ComplianceWSJ

conceptsofSR088andtheOCCsgettingtostrongmantra,andtheyhaveimplemented
complianceriskmanagementframeworkstoaddressthem.However,manybanksexecution
upontheseframeworksisincreasinglybeingviewedbyregulatorsasinadequateinmeetingthe
heightenedregulatoryexpectations.Theshortfallsofteninvolveestablishingtrueindependence
forcompliancemanagementanddecisionsaroundtheadequacyofthecompliancebudgetand
relatedissues,suchascompensationforpersonnelandeffectiveescalationofcompliance
issues.
Strategicselfassessmentscanbeimportanttoolsforidentifyingandassessinghow
compliancerisksarebeingoverseenatboththelineofbusinessandenterpriselevels.They
alsocanhelporganizationsidentifyissuesandnoncomplianceandallowtimetoaddressthem
priortointernalauditandregulatoryexaminations.Inperformingaselfassessment,itisprudent
toanchorregulatoryguidancetobusinessandenterpriseprocesses,whichcanprovide
additionaltransparencyintowhererequirementsarebeingmet,ornot,withinanorganization.
Theselfassessmentcanbeusedasabasisforanalyzingcertainaspectsthatarekey
componentsforacomplianceprogramframework(seechart).Withrespecttothese
components,thereappearstobeemergingandcommonindustrychallengesindesigningand
executingeffectivecomplianceprograms.ThesechallengesunderscorethefocusofSR088
andinclude:
Afirmwideapproachtocomplianceriskmanagementthatgeneratesmeaningfulcompliance
riskinformationandanalysiscapabilities,notjuststaticreporting.
Formalizedandsystematicprocesses,aswellasclearresponsibilitiesandaccountabilities
tosupportindependentcomplianceoversight.
Comprehensiveandriskfocusedcompliancemonitoringandtestingthatevaluatecontrol
effectivenessaswellascompliancewithlawsandregulations.
Analysisandreportingtoolstofacilitateeffectiveboardandseniormanagementoversight.
Criticalcomponentsofarobustregulatoryriskmanagementprogram
Formoredetails,refertothischart.

http://deloitte.wsj.com/riskandcompliance/2014/07/29/forbanksrethinkingregulatorycompliancemanagement/tab/print/

2/5

11/16/2015

ForBanks,RethinkingRegulatoryComplianceManagementDeloitteRisk&ComplianceWSJ

MappingStrategicPlanning
Afteranorganizationhasdetermineditsbaselineandidentifiedanycomplianceprogramgaps,
thenextstepisbuildingastrategicplan.Theplanshouldhelpanswersuchquestionsas:
Whatdoesourcompliancefunctionseektoachieve?
Whatisthemissionandvisionofcompliance?
Howwillcompliancesupportcorebusinessgoals?
Isthereanopportunitytodrivefurthercostefficiencythroughtheuseoftechnologyand
tools?
Itisimportanttokeepinmindthatthisisastrategicplanonlyforcompliancerisk,notrisk
managementoverall.Anorganizationmayalreadyhaveastrategicvisionforriskmanagement.
Butcomplianceriskistoocriticaltobeaddressedasasubsetoftheoverallriskmanagement
plan.Acompliancespecificstrategicplanshouldbedevelopedtoalignwiththeoverallvisionof
http://deloitte.wsj.com/riskandcompliance/2014/07/29/forbanksrethinkingregulatorycompliancemanagement/tab/print/

3/5

11/16/2015

ForBanks,RethinkingRegulatoryComplianceManagementDeloitteRisk&ComplianceWSJ

theorganizationwhiledivingdeeperintocompliancespecificdevelopmentneeds.
MovingtoanActionPlan
Oncethestrategicplanhasbeenbuilt,detailedactionsandmilestonesforexecutingtheplan
shouldbedefinedanddocumentedviaanindepthactionplan.Theactionplanshouldaddress
gapsidentifiedduringtheselfassessmentprocess,actionsrequiredforimplementationofthe
strategicplanandanyopenregulatoryfindingspertainingtothebanksmanagementof
compliance,saysMr.Graetz.
Targetdatesforcompletionofeachactionshouldbeidentified.Thesedatesshouldbeheavily
consideredanddiscussedpriortobeingdocumentedasitislikelythattheactionplanwillbe
sharedwithinternalauditandtheregulatorsandthatthedateswillbesocialized,especiallyif
thereareanyopenregulatoryfindingsrelatedtoanyactions,henotes.
Inaddition,accountableexecutivesshouldbealignedtoeachaction.Demonstrationof
executiveaccountabilityandtoneatthetopiskeyinsatisfyingregulatoryexpectationsand,
moreimportant,incaseswhereanorganizationaltransformationistakingplace.Itscriticalthat
associatesexperiencethecommitmenttochangeatthetopofthehouse.Theirwillingnessto
playanintegralpartintheoperationalizationofthebanksstrategicplanandtargetoperating
modelisvitalforthesuccessofthefuturestatevision,Mr.Caldwelladds.
Effectiveexecutionoftheactionplanwilltypicallyleadtothedevelopmentof,orrevisionto,
variouselementsoftheenterprisecompliancemanagementprogram.Theseelementsmay
includegovernanceandcriticalcomplianceriskmanagementcommittees,globalcompliance
policyandprocedures,riskassessmentprocessandamonitoringandtestingmethodology.
Endnotes
1.BoardofGovernorsoftheFederalReserveSystem.SupervisoryLetterSR088.2008.ComplianceRiskManagementProgramsandOversightat
LargeBankingOrganizationswithComplexComplianceProfiles.http://www.federalreserve.gov/boarddocs/srletters/2008/SR0808.htm
2.U.S.DepartmentoftheTreasury,OfficeoftheComptrolleroftheCurrency,2014.OCCGuidelinesEstablishingHeightenedStandardsforCertain
LargeInsuredNationalBank,InsuredFederalSavingsAssociations,andInsuredFederalBranchesIntegrationof12CFPParts30and170.

RelatedResources
WhenshouldbecomesshallRethinkingcompliancemanagementforbanks
DataAnalyticstoPlayaCentralRoleinBanksGrowthStrategies
AFinancialSectorPlaybookforStrongRiskManagement
ManagingGlobalEthicsandComplianceasanAsset,notanExpense
AligningComplianceRiskManagementtoBusinessPriorities
EthicsandCompliancePrograms:MovingfromGoodEnoughtoGreat
ComplianceMetrics:UsingtheRightYardstick
ThispublicationcontainsgeneralinformationonlyandDeloitteLLPanditssubsidiaries("Deloitte")arenot,bymeansofthis
http://deloitte.wsj.com/riskandcompliance/2014/07/29/forbanksrethinkingregulatorycompliancemanagement/tab/print/

4/5

11/16/2015

ForBanks,RethinkingRegulatoryComplianceManagementDeloitteRisk&ComplianceWSJ

publication,renderingaccounting,business,financial,investment,legal,taxorotherprofessionaladviceorservices.This
publicationisnotasubstituteforsuchprofessionaladviceorservices,norshoulditbeusedasabasisforanydecisionor
actionthatmayaffectyourbusiness.Beforemakinganydecisionortakinganyactionthatmayaffectyourbusiness,you
shouldconsultaqualifiedprofessionaladvisor.Deloitteshallnotberesponsibleforanylosssustainedbyanypersonwho
reliesonthispublication.Copyright2015DeloitteDevelopmentLLC.

Copyright2014DowJones&Company,Inc.AllRightsReserved
Thiscopyisforyourpersonal,noncommercialuseonly.DistributionanduseofthismaterialaregovernedbyourSubscriber
Agreementandbycopyrightlaw.Fornonpersonaluseortoordermultiplecopies,pleasecontactDowJonesReprintsat1800
8430008orvisit
www.djreprints.com

http://deloitte.wsj.com/riskandcompliance/2014/07/29/forbanksrethinkingregulatorycompliancemanagement/tab/print/

5/5