GOVERNANCE | BY PAUL R. OSBORNE, CPA, CPO, AMLP, AND CLAYTON J. MITCHELL, CAMS, CFIRS
Beyond the Checklist: Compliance
Audits for Today’s Challenges
IN A MAY 2012 SPEECH, Comptroller of the Currency Thomas Curry made the startling observation: Operational risk has eclipsed credit risk, moving to the top of the list of safety and soundness issues for institutions supervised by the Office of the Comptroller of the Currency (OCC).
As Curry noted, the risk of operational failure is embedded in every activity and product of a bank, from its processing, accounting, and information systems to the implementation of its credit risk management procedures. It is also apparent that some consumer compliance and other required disclosures embedded in these operational processes are receiving increased attention from regulators. Yet many banks continue to regard compliance as a cost center and are saving money on systems and processes to enhance their income. If those systems and processes break down as a result, their financial condition and reputation are at risk.
Rather than restricting compliance efforts, banks should be expanding their traditional approach, going beyond a mere “checklist” methodology to uncover the operational risks that Curry suggested should take priority.
Understanding Operational Risk
Every regulatory agency defines risk uniquely. In a recent discussion about operational risk, the OCC stated that operational risk—the risk of loss due to failures of people, processes, systems, and external events—is high and increasing.¹
For example, lenders are required to accurately identify and upload the applicable mortgage rate indexes when preparing to notify adjustable-rate mortgage borrowers about impending interest rate changes. If a bank’s process results in the incorrect index being applied, the bank will relay inaccurate payment adjustments to its borrowers. Inaccurate payment adjustments also could result from a system error, such as a failure to round the interest rate up or down, after applying the margin as described in the mortgage agreement. Such operational breakdowns can lead to loss of income and reimbursement of previously realized revenue, customer complaints, and potential allegations of unfair, deceptive, or abusive acts or practices (UDAAP).
Or perhaps what seems like a straightforward policy decision could have an adverse effect on customers. A bank, for example, might have a legitimate business reason to close a particular branch on weekends and cut off transaction processing at 2 p.m. on Fridays, while keeping the drive-up window open until 6 p.m. After the change, a loan payment made at that branch on a Friday after work would not be recorded until Monday. If the payment was due Friday, the borrower could be charged a late fee and additional interest if appropriate operational controls are not in place to identify and appropriately backdate the transaction (keeping in compliance with certain transactions subject to Section 12 CFR 1026.36(c) of the Truth in Lending Act).
Worse yet, this policy could have an inadvertent impact on qualified borrowers in protected classes under the Equal Credit Opportunity Act, Fair Housing Act, and other related fair lending regulations. A borrower who patronizes a branch that does offer weekend hours and posts weekend transactions to the preceding Friday would have more opportunities to make a payment without incurring a late fee. If that branch is in a high-income neighborhood with a high population of non-protected classes and the branch with shortened hours is in a low-income area with many minorities, discrimination charges could result.
The Better Approach to
Compliance Audits
For decades, the very nature of compliance—with its focus on black-and-white
regulations—lent itself to a black-and-white approach to audits. The compliance
auditors approached their task with literal
or figurative checklists of items, such as
disclosures at account opening, up-to-date lobby posters, and timely interest rate
adjustments. They could mark the appropriate pass or fail box for each item and
transfer the information to their reports.
Even just a few years ago, this approach was still perfectly acceptable,
perhaps even universally applied. Now,
however, regulations are changing constantly, along with the examiners’ mind-sets and expectations. Compliance audits
must reflect the current trends, patterns,
and practices, such as the newfound emphasis on operational risk.
Like campers, compliance professionals can work from traditional checklists.
A camper’s traditional checklist includes
such basic considerations as sleeping
bags, tents, and flashlights. However, a
better-prepared camper would also consider factors such as the weather forecast,
traffic patterns, the specific campground’s
facilities, and access to emergency medical care. In a compliance context, going
beyond the checklist means identifying