Of these two big-ticket items, UDAAP is particularly troubling
because the questions examiners raise about bank activities are
resulting in recommendations under the auspices of UDAAP.
These recommendations permeate risk management analyses
and require follow-up despite the absence of a violation.
Post Crisis: Have Expectations for Responding to Examination Findings Changed?
While anecdotal evidence from bankers indicates expectations have
changed, our survey of regulators from the four federal banking
agencies says that isn’t the case. Regulators indicated that expectations continue to be: address the finding, assess the root cause and
deal with it, and establish control processes to sustain and monitor
compliance. Historically, regulators assumed that assessing the
root cause and modifying controls were inherently understood
expectations. Consequently, they were not as detailed in supervision
policy or examination reports as some bankers would like. Over
time, however, regulators have provided more written guidance.
According to the Regulators
What’s Working: As one of the regulators so aptly put it, “95 percent
of banks inherently want to comply.” This sentiment was evident
in two key regulator responses when asked, “What is working?”
1. Issues expressly brought to board and senior management’s attention are effectively addressed. While there is some variance
between agency terminology for these issues, they generally fall
under three captions: matters requiring immediate attention
(MRIAs), matters requiring attention (MRAs), and “significant
violations” grouped by severity-level category. When in doubt,
helpful trigger terms include:
• MRIAs: “Required to, directed to, must, and must give immediate attention to.” An example: violation of Section 8
of RESPA.
• MRAs: “We expect, is expected to, board and management
should, and must.” An example: pattern of not providing
sufficient adverse action notification.
2. Commencing corrective action during the examination and engaging examiners while still on site to ensure a mutual understanding of expectations: The regulators emphasized having sufficient
discussion on site to ensure that conclusions are appropriate
and that the corrective action required correlates with the issue.
What’s Not Working: Key aspects of the response process not
working include:
1. Root cause analysis of non-MRA issues is lacking. Examinations
are uncovering repeat violations or a variation on issues noted
at prior reviews because of insufficient root cause analysis.
In other cases, written report responses are too general. For
example, if a knowledge gap caused a violation, the supervisory
expectation would be to determine the extent of the deficiencies. Was it new or existing staff? Is training sufficient? Are
program modifications needed? If it is an institution-wide
knowledge gap, does it also apply to other offerings or third-party service providers?
2. Recommendations are not being considered. There are no
requirements for banks to respond to recommendations unless expressly stipulated in the examination report. However,
some regulators view recommendations as critical to the
overall risk management assessment and worthy of attention.
More importantly, each of the agencies’ examination guidance
considers responsiveness to recommendations when evaluating
compliance risk management.
According to the Industry
“What’s Not Working?” Not surprisingly, the bankers’ views differed from those of the regulators and highlighted three perceptions about compliance examinations. While each perception was
troubling, the industry’s perceived inability to obtain a “strong”
compliance rating was most disappointing to bankers.
Perception #1: Achieving a strong rating is a thing of the past and
maintaining a satisfactory rating is challenging at best. All violations are now MRAs, requiring more extensive documentation,
monitoring, and reporting. According to feedback, these issues
drive a perception of zero tolerance for violations:
• Issues pertaining to rules, such as Regulations CC and E, are
morphing into UDAAP comments that result in at least a
recommendation.
• Minor technical and isolated issues, typically excluded from
the report in past protocols, are being viewed together with
material violations in support of program weaknesses.
Perception #2: Gaining clarity around issues and the extent of
corrective action expected (required) is a challenge, especially in
this new “consumer protection steward” environment. Common
questions revolve around: “What’s required?” “What’s nice to have?”
“Is there a consequence for over complying?” As an illustration: A
bank receives a few complaints that suggest some customers may
not have been given disclosures about certain deposit service fees.
When thinking about your corrective action options below, ask
yourself for each: Is it required by law, is it a regulatory expectation, or is it just good for reputation/customer service?
No matter what your answer might have been in the past,
new supervisory policy from the Consumer Financial Protection Bureau (CFPB) may alter your responses, regardless of your
primary regulator. The policy, CFPB Bulletin 2013-06 Responsible