Contents
MAY–JUNE | Vol. 32 | No. 3
10 | Don’t Get Caught in the UDAP Net: New Standards, Expanding Risks
Overall, the UDAP net has grown wider and is being
cast even further by policy makers and regulators. In
the end, this means there is greater likelihood that
banking practices may be caught in the UDAP net.
By Thomas G. Pareigat and Meg Sczyrba, CRCM
18 | Effective Comment Letters Make a Difference
Bank compliance risk managers can either watch
as others sculpt and mold their world, or they
can help shape their environment through active
involvement. Comment letter writing is one of the
most effective ways to stay involved.
By Virginia O’Neill and Pat Shutterly
28 | Assessing Compliance Resource Needs—Banks on the Leading Edge
This article guides the reader through the pertinent
considerations, providing examples of “what can go
wrong,” and concluding with the theme that each
bank should take a risk-based approach in the
appropriate allocation of compliance resources.
By James H. Wistman, MBA, CAMS, and Aaron Kahler, CFE, CAMS
32 | AML and Anti-Fraud Convergence: Planning Your Roadmap
A holistic approach to combating financial crimes
is crucial to avoid the costs of non-compliance
and financial losses tied to fraud. Combining
BSA/AML and anti-fraud programs can help
arm the institution with the real-time data
required for protection from threats.
By Tom Leuchtner
Don’t Get Caught in the UDAP Net
“Unfair or deceptive acts or practices in or affecting commerce are hereby declared unlawful.”
BY THOMAS G. PAREIGAT AND MEG SCZYRBA, CRCM
THIS ONE SENTENCE, COURTESY OF SECTION 5
of the Federal Trade Commission Act [15 USC 45(a)(1)], is the
statutory genesis of the rule we know fondly as “UDAP.” While
all businesses are generally covered by Section 5 of the FTC Act, federal banking regulators have
the authority to cite institutions for engaging in practices that are considered unfair or deceptive.
In recent years, examining agencies have increased their UDAP-related scrutiny and stepped
Practices That Have Been Deemed Deceptive
General
Deceptive practices
Credit cards
Home loans
Deposit products
Effective Comment Letters Make a Difference
BY VIRGINIA O’NEILL AND PAT PATRICK SHUTTERLY
COLUMNS
4 | Governance
By Paul Osborne, CPA,
THE RECENT FINANCIAL SYSTEM CRISIS
and Congress’ enactment of the Dodd-Frank Wall Street Reform and
Consumer Protection Act (DFA) are literally and figuratively re-forming the banking
landscape. The DFA calls for more than 250 new regulations to be written during the
next several years, and many of them will be proposed by the new Consumer Financial Protection Bureau (CFPB). Bank compliance risk managers can either watch as
regulators, consumer advocates, and others sculpt and mold their world, or they can
help shape their environment through active involvement in the regulatory implementation process. Comment letter writing is one of the most effective ways to get involved.
History shows that regulators listen when bankers speak through
effective comment letters, and the ultimate outcome is good for all
stakeholders—the financial industry, the regulators, and most important,
the consumers of financial products and services. Do you doubt
this? Read on then, to find success stories in which bank comment
letters had a positive impact on regulatory proposals. To encourage
bankers—especially compliance managers—to respond with effective
comment letters to the anticipated flood of DFA regulatory proposals
and to ease the job of writing them, this article will
■ give insight into how the new bureau differs from the regulatory agencies with which bankers have long dealt, and how that difference will affect the content of industry comments to regulatory proposals
■ provide real-world advice from financial industry representatives and compliance managers—tips that time-constrained bankers can use to gather materials and draft their own comment letters
■ provide additional sources of information
We hope that after you discover how relatively easy it is to do, you
will incorporate comment letter writing into your job responsibilities
and will be willing to comment on the regulatory proposals that affect
your area of operational responsibility.
Comment Letters Matter—Especially Ones from Bankers
The American Bankers Association (ABA) writes scores of comment
letters each year, articulating the “industry” response to regulatory
proposals. The ABA incorporates the banking industry’s views based
on feedback from membership committees, banker peer groups, and
ad hoc working groups. But ABA staff also urges individual banks to
write their own letters. The ABA recognizes that bankers are in the best
position to write meaningful comment letters because they understand
the business of banking and how the proposed regulation will affect
bank operations, products, and services. Bankers can include specific
information about how a proposed rule will affect an individual bank
and its ability to serve the needs of customers. This information is
extremely valuable to the regulatory agency staff members who write
the regulations. After all, they are not bankers, and many have never
worked in a bank. A proposal might sound reasonable to the staff
members who work at the agencies, but bankers have the unique ability
to tell them exactly how or why the regulation will create burdens or
unnecessary costs and to point out the unintended consequences for
consumers, their communities, and the broader economy.
CPO, AMLP; David Fites, CFIRS; and Clayton Mitchell, CFIRS
16 | ABA BANK COMPLIANCE | MAY-JUNE 2011 MAY-JUNE 2011 | ABA BANK COMPLIANCE | 17
8 | Compliance Management
By Carl G. Pry, CRCM
Assessing Compliance Resource Needs
BY JAMES H. WISTMAN, M.B.A., CAMS, AND AARON KAHLER, CFE, CAMS
IN THE EVER-CHANGING
regulatory environment of the
banking industry, audit committees
and chief auditors are increasingly
asking, “How can we assess whether
internal budgeting and staffing are
appropriate for the institutional
compliance function?” This is in
part due to the ever-rising cost of
compliance programs, especially in
the wake of recent enforcement orders
relating to regulatory deficiencies
such as those concerning anti-money
laundering (AML), the Office of Foreign
Assets Control (OFAC), and the
Foreign Corrupt Practices Act (FCPA).
This article provides an authoritative
analysis, guiding the reader through
the pertinent considerations, providing
examples of what can go wrong, and
concluding with the theme that each
bank should take a risk-based approach
to assessing its compliance risks and
utilize the assessment in the allocation
of compliance resources.
Banks on the Leading Edge
meet annually with each department and provides required training. The
compliance officer also sets aside time for preparation of training materials
and recordkeeping (e.g., attendance lists).
However, in many larger firms the human resources department has a
tight grasp on any and all training provided to staff (e.g., new product launch,
sales practices, sexual harassment), so it is human resources that will either
(1) schedule a compliance officer to appear now and then to deliver targeted
content on banking regulations, or (2) retain an external compliance expert
to come onsite to deliver the targeted content. It is very easy for executive
management to underestimate the time it takes to operate a robust compliance training program in a large firm, and there are several steps to getting
this right: targeting the appropriate audiences, scheduling the training rooms
and attendees, preparing the content, delivering the content, keeping track of
attendance, marking up exams, and notifying attendees of grades. Chasing
each of the no-shows is in itself a major headache and a time-consuming
process. In parallel to classroom training, many firms also establish budgets
for online, conference call, or video/DVD training.
For some institutions, operating the compliance training program is so
complicated that it becomes a full-time position within compliance with
supporting administrative staff and a separate annual budget. To cut through
this uncertainty and complexity, it is often recommended that annual compliance training needs be formally set forth as a training needs assessment.
This approach helps to forecast the burdens of annual compliance training
(including board-level training) and can be structured with the look and feel
of the annual audit calendar, which often includes estimated auditor hours.
38 | The Other Side
By Stu Lehr, CRCM
“How can we adequately assess whether internal
budgeting and staffing are appropriate for the
institutional compliance function?”
The short answer is, “hard to say,” and that is primarily because
the role of the compliance department (aka the “compliance
function”) differs markedly from bank to bank. Thus, while it
may be appropriate to say something like, “A compliance department
may need to have one head count for every 150 employees
of the bank,” that rule of thumb is only the very beginning of
the evaluation and budgeting process. To arrive at a reasonable
overall budget for the compliance function, it is very helpful to
break down the compliance program into the same components
that are evaluated by the regulators:
■ training
■ policies and procedures (that guide employee conduct and firm-wide recordkeeping)
■ monitoring by compliance officers
■ compliance management
almost always the case that several desktop procedures will also need to be
revised, taking valuable time and expertise. The process of managing potential
regulatory changes affecting your institution within a calendar year can be
one of great uncertainty, particularly concerning the amount of time and
level of expertise that will be required to reach compliance.
To cut through the complexity, it is recommended that a compliance
policy calendar summarizing upcoming effective dates of announced regulatory
changes be developed. By updating institutional regulatory objectives
every month, compliance can use the calendar as an internal resource in
editing and approving new policies and procedures. This forward-looking
approach (as opposed to a reactive approach) greatly reduces the compliance
burden by allowing the institution to stay one step ahead of the deadlines.
Executives can also coordinate with compliance officers and estimate how
much work will be required over the coming quarter. If it is determined
that in-house resources will be insufficient to stay ahead of the curve, then
executives can decide to retain additional resources/consultants. This can
then be documented with appropriate supporting rationale and reported
to the audit committee.
DEPARTMENTS
Compliance Training
In some institutions, the compliance function handles all aspects
of training on regulatory requirements. In these firms, it is quite
clear that the compliance officer must construct a budget, and
this is often done on a department-by-department basis. That
is to say, the compliance officer budgets a number of hours to
Compliance Monitoring
Surveillance performed by compliance officers is another area where compliance
functions vary widely in timeliness and sophistication. In all cases, the basic
process is one in which compliance-related records that have been generated
by employees, in both client-facing and operational divisions, are reviewed by
independent compliance officers; this approach is necessary to evidence the
bank’s ongoing operational compliance with applicable laws and regulations.
A documented training needs assessment is an approach that appeals to many
audit committees and helps prevent audit and compliance from scheduling
an audit in the midst of scheduled training sessions.
Compliance Policies and Procedures
It is very difficult to predict the burdens associated with making appropriate
revisions to compliance-related policies; plus, after policies are revised, it is
40 | Regulatory Development
Benefits of Emerging Regulations: HOW TO MEET THE CHALLENGE
A Surmountable Challenge: UTILIZE A PLANNING FRAMEWORK
REGULATIONS ARE CHANGING; examiners are now taking a close
look at the risks that banks are exposed to as a result of money
laundering and fraud activities. The evolving regulations that force
a closer examination and linkage of fraud and money laundering are timely
and warranted. It has become clear that a new perspective and resulting
methodology are required to frame precisely the programs, systems, and
processes necessary to respond to both fraud threats and regulatory changes.
While there is a tendency to think of fraud and money laundering detection
in silos, they are in fact often linked, and this is the reason regulators are
making these important regulatory changes. Regulations will likely continue
to evolve in this direction, and an enterprisewide financial crime strategy
and framework can help your institution stay ahead of those changes.
42 | ABA Resources
44 | Continuing Education Quiz
AML and ANTI-FRAUD CONVERGENCE Planning Your Roadmap