Compliance audits must reflect the current trends, patterns, and practices, such as the newfound emphasis on operational risk.
the root causes of items marked as “fail,” as well as the potential effects of those failures in terms of penalties, fines, and damage to reputation. In other words, both campers and compliance professionals will have more success if they take into account additional information rather than being satisfied with a basic checklist.
Rooting Out Operational Risk
Identifying root causes and their implications can, in turn, help compliance auditors identify and report on operational control deficiencies and, ideally, provide meaningful recommendations to help mitigate the risks. That’s because the root cause of a compliance failure often is an operational breakdown, such as lack of appropriate line-of-business checks and balances or failures in management information systems. Do the lending department’s procedures, for example, include pre- and post-closing processes to identify compliance gaps? In terms of the implications of the root causes (or, essentially, the quantification of the risk), an auditor should consider such factors as whether a failure is pervasive or isolated and whether it constitutes an unfair, deceptive, or abusive act or practice, given the increased environmental factors surrounding UDAAP.
Perhaps the most critical step in digging for root causes is consulting with process owners. By walking through the process with the owner, a compliance auditor can more easily key in on gaps and areas for improvement. This contrasts with the all-too-common reaction when failures turn up on the checklist: Declaring that employees just don’t know what they’re doing and recommending more training. A bank can provide hours and hours of training, but until the root cause is addressed, the problem will persist.
Suppose that a bank executive has more than 50 overdrafts on his account, in violation of Regulation O, “Loans to Executive Officers, Directors, and Principal Shareholders of Banks.” The executive claims the violation was inadvertent (which is allowable per Regulation O guidelines), and the compliance auditor sends the executive for training and drops the matter. The same violation can easily crop up again. The better response would be to install controls that would prevent such overdrafts or require insiders to participate in an overdraft program—and make sure that overdrafts are adhering to Regulation O requirements.
A Caveat
To be most effective, the compliance audit function must harmonize and support the other areas of risk management—including the internal audit, loan review, Treasury management, and security and privacy functions—rather than fight them. It’s essential that the different functions not operate as silos that can duplicate efforts or send contradictory messages to personnel. The compliance function should support a bank’s overall risk management.
An Asset Protection Center
It’s time for banks to get away from treating compliance as a cost center and see it for what it really is—an asset protection center. By minimizing fines and penalties, compliance protects the bank’s assets. And, in an environment of ongoing developments, such as the new Risk Analysis Division (RAD) examination procedures, the status quo checklist approach to compliance simply is no longer an option. ■
ABOUT THE AUTHORS:
PAUL R. OSBORNE, CPA, CPO, AMLP, is a partner with Crowe Horwath LLP in the Indianapolis office. Reach him at (317) 706-2601 or via email at paul.osborne@crowehorwath.com.
CLAYTON MITCHELL is with Crowe Horwath LLP in the Indianapolis office. Reach him at (317) 208-2438 or via email at clayton.mitchell@crowehorwath.com.