August 8, 2014 • Online
Seeking compliance in wrong place?
Part 1: Why compliant banking should look like a well-run assembly line—
with producers paying attention to compliance
By Lyn Farrell
U.S. financial institutions have never been more
focused on the regulatory compliance risk management
function—nor spending so much money to get the job
done.
Since the passage of the Dodd-Frank Act, with its almost
400-required regulations, and the creation of a new
regulatory agency (the Consumer Financial Protection
Bureau), there have been so many regulatory changes.
And there has been a seismic shift in regulator attitudes
with which banks are still struggling to cope.
The combination of these events results in a situation
where banks, particularly large ones, have had a difficult
time developing compliance programs that actually work.
Not only is it difficult to create workable and effective
compliance programs, institutions, both large and small
are spending tens of millions of dollars trying. This
situation is not likely to get better any time soon.
Historically regulatory compliance has been seen as a
completely separate function from the business lines; it
has typically been owned by Risk Management or Legal.
Frequently, Compliance has not been highly regarded by
the bank’s executive management.
Time to stop repeating the same approach?
No other U.S. industry operates this way.
Everyone knows the old way of managing compliance is
not working anymore. Yet most compliance professionals
are just keep trying harder. They sweat to establish more
monitoring programs, create new risk assessments,
develop better complaint management processes, write
new procedures, and, most importantly, hire new people.
Think about this: In every other industry the business product
executive owns every aspect of the product.
They are running faster—but never reaching the goal.
I submit that the only way that large banks can
implement effective regulatory compliance programs at
an affordable cost is to treat compliance as though it were
an element of product quality. The key to making that
work is to require the line of business owners to “own’’
compliance quality. They would accept this as they would
any other quality component, such as customer service.
Is this outlandish? Only in banking, it would seem.
Consider the automobile industry, for example. The
executive in charge of a particular car model will own and
control every part of that car’s design, manufacture, and
sale. If the car sells well and performs well, the product
owner and his or her team reap the rewards. If there
are defects, and a recall happens, he or she also takes
responsibility for that and accepts the consequences for
this outcome.
Imagine a car built the banking way …
But imagine what would happen if that business
line executive did not regard the emissions control
mechanisms to be within his jurisdiction, so that he just
ignored that part of the car?
Because emissions control are regulated by federal and
state regulations, the executive might just say—“It’s just
government regulations; let the compliance group be
responsible for that.”
As the car goes down the assembly line, no one is
installing the emissions control parts. They are waiting
until a separate compliance team installs it almost at
the end of the line. The business line does not care how
the emissions parts are installed because that system is
outside their purview.
Of course, this sounds silly on its face. In reality no
part of the process of designing and manufacturing the
car is left to another entirely separate group that is in a
different reporting line. The executive who owns the car
model owns everything because he or she wants to make
sure it is made well.
However, in banking, the regulatory aspect of a product has
always belonged to the compliance team, in most institutions.
Compliance is part of the so-called “second line of
defense,’’ whereas the line of business—the ‘’first line
of defense’’—is responsible for the other aspects of a
product.
A business line will control its own product development,
marketing, and sales. But when it comes to regulatory
compliance the role of the business line is only to
cooperate with the compliance team as they attempt
to keep the product and the practices surrounding it in
compliance. The business does not step up to own the
entire compliance process.
Compliance starts with a handicap
In order to be effective, a bank’s compliance group
must strive to be included in the right meetings and
conversations and then monitor and test all of the
functions to find errors. When the compliance folks find
questionable practices, often the harder work begins.
The compliance group usually must resort to persuasion
tactics to get things changed or to have things fixed.
Normally, Compliance has limited leverage and no final
control over the bank’s practices.
This state of things is where the industry’s basic problem
lies. Effective compliance programs will work efficiently
when the first line of defense owns regulatory compliance
as a quality component of its products and services.
Any other distribution of responsibilities leaves the
compliance function in a second-class position.
No amount of money will solve that problem.
Banking’s compliance norm must change
The key to effective compliance is to consider it to be a
quality component and to require the business line to
own it. This means:
• Those businesses would be primarily responsible for
effecting compliance within their own lines.
• Business lines would not expect that the compliance
risk management team would intervene to make sure
that there were no problems.
• If regulatory agencies found violations, the line of
business executives would take the responsibility for
that. They and their teams would be the ones to bear the
consequences of mistakes.
This is not the norm in most institutions today. In the
next article in this series I will examine how this new way
of organizing a regulatory compliance program can be
implemented.
Lyn Farrell is managing director of Treliant
Risk Advisors. Farrell holds the CRCM,
CAMS, and AMLP designations. In
2012, Farrell received ABA’s Compliance
Distinguished Service Award.
Published in ABA Banking Journal, August 8, 2014 online. Copyright 2014. All rights reserved.
This file is for web posting and e-mail distribution only; may not be used for commercial reprints.
Provided by The Reprint Outsource, 717-394-7350