Compliance Risk Management Flashcards
What are the 3 Lines of Defense?
1st line - Business Unit
2nd line - Governance Oversight
3rd line - Internal or External Audit
Roles of a Compliance Professional
- Provide regulatory advice
- Track regulatory proposals and final rules
- Carry out compliance risk assessments
- Ensure compliance monitoring/testing occurs in the business units
- Track compliance issues
- Advise business units
- Coordinate regulatory exams
- Assist in evaluating compliance training
- Review policies, procedures and marketing materials
- Support change management process
- Ensure the bank’s oversight of third-party service providers
Components of a Compliance Management System (CMS)
- Manage compliance risk
- Mitigate compliance risk
- Have a formalized risk assessment
- Reporting to management
- Apply the CMS
A compliance professional is a member of the task force studying how the bank can reduce customer complaints about holding deposits. One proposed solution involves purchasing an expensive system that will reduce the number of holds placed by evaluating the customer’s history and relationship with the bank. Which of the following roles is MOST important for the compliance professional on the task force?
a. Developing training for tellers who will use the new system
b. Setting parameters for what the system should review to determine the strength of the customer relationship
c. Validating the system to ensure it complies with regulatory restrictions
d. Conducting a cost-benefit analysis to determine if the system is the best solution
c. Validating the system to ensure it complies with regulatory restrictions.
The compliance professional’s role on the task force is to provide knowledge about compliance risk, such as whether the system is in compliance with relevant laws and regulations. The training, parameters and the cost-benefit analysis are more operational in nature.
Legislation was recently enacted to reform consumer real estate protection laws, and the bank will now have to change the way it documents, discloses, and advertises real estate loans, an integral product line at your bank. What should the compliance professional do FIRST to implement the new law within the bank?
a. Read the law and write a new real estate compliance policy
b. Form a task force with the business unit managers whose departments will be affected by the law to collectively form an action plan
c. Talk to the bank president about the need for more resources in compliance
d. Sign up all bank personnel affected by the changes for a seminar on the new law
b. Form a task force with the business unit managers whose departments will be affected by the law to collectively form an action plan.
When implementing new rules, it is beneficial to start with a task force of affected managers that can make decisions about how to implement the new rule. The other actions may eventually become necessary, but it is more efficient to write the new policy, and then to develop training, only after the compliance professional has a clear idea of the actions needed. Talking to the bank president about resources would not help implement the new legislation unless those resources can be shown to be necessary to comply in the manner the business units have chosen.
A bank’s president would like to begin offering a new home equity line of credit product within two weeks. In all cases the borrower’s principal dwelling will secure the loan. The president has already launched a planned advertising campaign for the bank’s major service markets. What should the compliance professional do FIRST?
a. Hire an attorney to write the appropriate legal documents and disclosures.
b. Write a memo to the president explaining why the compliance professional should have been in on the process at an earlier date.
c. Begin training sessions for the lending and loan operations staff on the compliance issues involved.
d. Perform a risk assessment to determine the bank’s level of risk in offering this new product.
d. Perform a risk assessment to determine the bank’s level of risk in offering this new product.
Before going forward, the compliance professional needs to determine what level and types of risk are involved. It is possible the new product is similar to an existing product and the new offering will not increase the bank’s risk. After determining the risk, the compliance professional will know better how to proceed.
A bank has a large mortgage department as well as a high HMDA error rate. An expensive software program could automate the process, but the business unit manager does not want to purchase the software because of its expense. Though it is not as efficient, the manager prefers to make some improvements to the manual process, add some more robust monitoring procedures and opt not to purchase the software. What should the compliance professional do?
a. Elevate the issue to a higher authority to force the mortgage department to purchase the software.
b. Nothing; the compliance professional’s job is done with the completed research.
c. Document the fact that the level of risk present with manual systems is acceptable to the mortgage department business unit (BU).
d. Write a memo to the president of the bank that explains the risk assessment for this area.
c. Document the fact that the level of risk present with manual systems is acceptable to the mortgage department business unit (BU).
The job of the compliance officer is to assess the risks and inform management of those risks. The business unit can decide what level of risk to accept. If the high level of HMDA errors continues, even with the improved procedures, the problem can be escalated and brought to senior management’s attention.
The federal banking agencies have proposed an amendment to Regulation Z that would require a new early disclosure statement for loans secured by the borrower’s principal dwelling. After reading the proposed change, what should the compliance professional do FIRST?
a. Establish a task force to study the proposed rule.
b. Contact the bank’s platform software vendor to determine whether it will be ready for the change.
c. Prepare a summary document that outlines the effects the proposed rule would have on the bank’s operations.
d. Train bank staff on the new rule.
c. Prepare a summary document that outlines the effects the proposed rule would have on the bank’s operations.
The proposed change is important to the bank. The compliance professional should first analyze its effect and provide that summary to the affected business units, and then establish a task force to study the proposal. Contacting the vendor may be part of the risk considered by the task force. Training bank staff regarding the new rule is not appropriate until the rule is final. Proposed rules sometimes do not become final or may change with the final ruling.
During a recent compliance exam, regulatory examiners found that the bank was not conducting flood hazard area determinations before closing on construction loans. The compliance professional has reviewed the files and agreed with the examiners’ findings. What should be done FIRST?
a. Review the bank’s flood policies and procedures to determine where the compliance failure occurred.
b. Conduct a risk assessment of the flood determination requirement on construction loans.
c. Prepare an analysis for bank management explaining the requirement.
d. Review all construction loan files to determine the extent of the problem.
a. Review the bank’s flood policies and procedures to determine where the compliance failure occurred.
If the compliance professional agrees with the regulators on a finding, the root cause of the error must be determined by consulting policies and procedures. There is no benefit to conducting a risk assessment because the issue is known. After determining the cause, then the extent of the problem must be determined. Only after gathering this pertinent information can the compliance professional write an analysis for management explaining the situation.
When developing a training plan for commercial lenders, which of the following regulations is least important to include?
a. ECOA
b. HMDA
c. Reg O
d. TILA
d. TILA
The compliance professional should apply risk management to the training program. A commercial lending group needs to know the rules for fair lending (ECOA), HMDA, and insider lending (Reg O). TILA (Reg Z) is more relevant to the consumer lending audience.
During a recent compliance examination, regulators cited the bank for violations of various marketing regulations. How should the compliance professional FIRST respond?
a. Contact the bank’s marketing manager to discuss the finding.
b. Develop a policy requiring that all marketing materials be reviewed and approved by compliance before being published.
c. Set up a training class for the marketing department.
d. Review the marketing materials and applicable regulations to verify the finding.
d. Review the marketing materials and applicable regulations to verify the finding.
When a bank is cited for a regulatory violation, the compliance professional must first determine whether the bank should agree with the citation. This is done by reviewing the pertinent regulations and the affected materials. If the citation is supported by the regulations, the compliance professional should then discuss it with the marketing manager. Solutions may include training marketing personnel or establishing new policies for review of marketing materials.
Who shares in the responsibility for owning compliance risk?
All bank employees.
The Compliance program should address plans to verify adherence to applicable regulations through:
- Ongoing monitoring (adherence to policies, procedures, effectiveness of controls)
- Self-monitoring (well-documented periodic reviews by the line of business (LOB) or by compliance, measured against established metrics)
- Corrective Action (root cause analysis, analyze the risks associated with a violation, develop alternative corrective action plans)
A robust risk assessment should drive what three things?
- Compliance testing and monitoring schedule
- Resource planning
- Training
Components of a risk assessment
- Identifying risks by reviewing products and services for compliance.
- Measuring risks of noncompliance through inherent and residual risks.
- Controlling risks by integrating compliance requirements into written policies and daily operations. Controls either prevent errors from occurring or detect them once they’ve occurred.
- Monitoring risks to ensure they are appropriately managed.
- Reporting risks through established mechanisms to ensure process deficiencies are identified and corrected or the risk is accepted.
- Independently evaluating risks through a formal audit process to validate effectiveness of controls and monitoring.