Supervision and Examination Manual ( files.consumerfinance.
pdf), for example, makes a clear distinction between the two
functions and provides a good overview of the expectations for
each. The manual states that an effective compliance management
system includes independent audit coverage. The audit function
should review the bank’s compliance with federal consumer financial laws and adherence to internal policies and procedures,
and it should do so fully independently of the other lines of business. The audit program provides the board of directors with a
determination on whether the policies and standards adopted to
guide risk management are being implemented and whether they
provide for the level of compliance and consumer protections
established by the board. Internal audit also should identify any
significant gaps in board policies and standards.
The Bureau’s manual defines monitoring as a separate compliance
program element. Monitoring takes a risk-based approach
to promptly identify and correct procedural or training weaknesses.
Monitoring generally is more frequent and less formal
than compliance audit coverage, and it doesn’t require the same
level of independence from the business lines or the compliance
function. As indicated earlier, it even can be carried out by the
business line itself, with the compliance department providing
oversight. Monitoring can be more agile in targeting specific areas,
and it doesn’t require the same level of documentation as the audit
function, which is more overarching and formal.
Shift to Sustainable Compliance
As banks have evolved and become more complicated, regulators’
expectations have intensified and now focus on more sustainable
compliance management. Guidance on compliance programs has
existed for quite a while, of course, but the expectations now are
more consistent and extend across agencies.
Rather than testing only for compliance with specific regulations, examiners today will scrutinize a bank’s overall compliance management system. Regulators look beyond just the end
result—whether a particular transaction is compliant or not—to
see whether the institution has the processes in place to ensure
compliance for every transaction.
Much of this movement has been driven by the Bureau in
recent years. In fact, the Bureau manual directs examiners to
evaluate monitoring and audit programs to determine whether,
considered together, they are adequate and comprehensive. Many
banks, however, have not considered monitoring and audit as a
whole. Savvy banks now are seeking ways to coordinate the two
functions not only to satisfy regulator expectations but also to
minimize disruptions to internal operations.
Financial institutions deploy the three lines of
defense—monitoring, reviewing, and auditing—
to perform the audit and monitoring functions
in different ways.