
Friday, July 16, 2021

Banking Exams: Meeting the Regulator’s Expectations

QUESTION
At this time, we are handling five banking examinations. The most we’ve handled at one time was seven exams.
 

We are stretched to the limit in working on them. We are in all the states, but this demand on us is daunting, to say the least. 

Over time we put together a process flow for dealing with examinations, which has worked out well, as far as it goes. But we keep having to tweak it because some examiners keep changing their processes. 

We need help in creating more procedural descriptions based on the regulator’s point of view. Our interest is in meeting the regulator’s expectations. 

What are the typical expectations of banking department examiners? 

ANSWER
You ask a very important question. Any financial institution that is not prepared procedurally for a banking examination exposes itself to potentially adverse findings. If you are dealing with multiple exams at one time, the task of handling them all effectively is really tough if you don’t have actionable procedures. The exposure climbs if you are not cognizant of the examiner’s expectations.
 

My firm provides readiness support and hands-on involvement in banking examinations. One feature we often encounter is a client’s lack of procedures in being responsive to bank audits. In effect, many companies seem to be passively waiting for regulatory scrutiny rather than proactively getting ready for it. Although they do not really know what to expect, they also do not seem to understand what the examiner expects! 

I am going to answer your question with a generalized overview. Each financial institution varies in terms of its size, complexity, and risk profile. Each company’s procedures will reflect its business structure and risk tolerance. It is possible to provide some insight into the kind of procedures you should develop in light of a regulator’s expectations. Too often, though, companies provide procedures based on what they believe should be done without really understanding the regulatory review process. 

In determining risk, regulatory agencies usually review or perform the following tasks: 

·    Develop a compliance risk profile for the financial institution, considering its organization structure, business lines, operations, and past supervisory performance. 

·    Determine the level of a company’s compliance management system (CMS), including determining management’s level of knowledge and attitude toward compliance, management’s responsiveness to current issues, the company’s compliance organization structure, management information systems, policies and procedures, training, and monitoring and audit programs.

·    Test transactions based on risks and management’s efforts and responses.

·    Validate an institution’s HMDA data and conduct a fair lending review. 

As a matter of fact, the FDIC uses a tool as its first step, the Assessment of Risk of Consumer Harm (ARCH). Other agencies and several state banking departments use a similar assessment for scoping a compliance examination in their pre-examination planning. 

There is a logic behind the pre-examination plans: managing the examination based on risk factors tends to reduce the overall on-site requirement and identifies areas requiring more supervisory attention. 

A central focus is a company’s compliance management system (CMS) because it enables examiners to identify causes of compliance deficiencies and suggest appropriate corrective action. If you have not used our CMS Tune-up support, you should get it done as soon as possible. It is cost-effective, hands-on, and quick. You need to know your firm’s compliance strengths and weaknesses in your compliance management system. So, contact us! 

The following is a generic and categorical outline of a mortgage lender’s banking examination from a regulator’s point of view. 

Request Letter

Before arriving at the bank, the regulator will issue a request letter for information, specific responses to be sent to the examiner-in-charge before the on-site review, and other responses for review on site. The request letter may ask that the following material be gathered and made available: 

·     Work papers of all compliance audits performed since the last examination, including the audit reports issued, documentation of corrective action taken, and the response from management 

·     Copies of bank compliance policies and procedures 

·     Fair lending information 

·     HMDA-LAR (if applicable) 

·     Minutes of the compliance officer, committee, or board meetings regarding compliance issues 

·     Printouts or electronic files of loans and related files 

·     Tracking documentation, such as logs, pricing, and so forth 

·     Copies of compliance forms and disclosures 

·     Résumés of all compliance personnel 

The company’s chairman of the board or president usually receives this request letter and passes the information on to the compliance officer, who is then responsible for seeing that all of the information is compiled for the examiners and that key personnel responsible for these items are aware of the examiners’ arrival date. 

When the bank examiners arrive, they should be given adequate accommodations for their time at the company. A private room, such as a conference room, with Internet connectivity, is preferred. The information requested by the examiners should be made available immediately. The compliance officer should answer any questions examiners may have regarding the audit work papers, the company’s HMDA data, its public comment file, or any other requested compliance information. 

The following sections focus on each of the items the regulator may examine as outlined in the request letter. 

Audit Procedures Work Papers 

Examiners usually review the work papers of the company’s compliance auditor to determine what steps were followed in the audit of a particular area or regulation. If the auditor has thoroughly documented the results of an internal audit and kept detailed work papers, the examiner may review those work papers and not perform any additional procedures or testing. 

Policies and Procedures 

The examiners will review copies of the compliance policies and procedures in conjunction with the audit work papers and any compliance audit reports to determine if they are being followed. For instance, a company may have several policies regarding loan approvals. These policies may include the type of employment, length of employment, length of residence, credit history, and any other factors used to evaluate creditworthiness. The examiners may review loan approvals and denials to ensure that all customers are being treated equally based on the loan policies and procedures. Note the importance of a company following its own policies and procedures! 

Required Reporting 

In addition to the policies and procedures, the financial institution’s fair housing information and HMDA data (if applicable) will be reviewed to make sure that the institution is not discriminating against any group of people with respect to home loan transactions. These transactions include home purchase loans, home improvement loans, and refinance loans. If the mortgage lender is also a department, division, or subsidiary of a bank that files CRA data, the HMDA information also will be analyzed in conjunction with that CRA data. 

Community Reinvestment Act (if applicable) 

Under the CRA, banks are strongly urged to take an active role in meeting the credit needs of their communities, not to exclude low- to moderate-income families. Examiners carefully review the HMDA report in connection with the CRA data. Bank examiners review a bank’s CRA program and internal documentation on the role it has taken in complying with the CRA as well as the bank’s CRA public comment file. Irrespective of the apparent compliance with Regulation C, the regulation that implements HMDA data collection and filing, if examiners feel that the bank is not meeting the requirements of the Community Reinvestment Act, they can impose stiff penalties, including ceasing any branching or merging by a bank. 

Compliance Management System 

A company’s compliance management system (CMS) comprises mainly three areas: board and management oversight, compliance program, and compliance audit. When your CMS is working well, and all parties are actively involved in the compliance system, the company’s compliance risks will be limited and the program strong. Examiners prioritize this central focus of a company’s risk profile. 

If you want information about our CMS Tune-up, please let us know! 

Management and Board Involvement 

Regulators are now taking a “top-down” approach in their reviews, so examiners will focus on the amount of management and board involvement in the company’s compliance management system. I strongly urge management and the board to take an active role in compliance. Document the involvement. Management committee minutes and board minutes should reflect that management and the board: 

·     Demonstrate compliance expectations to employees. 

·     Adopt clear compliance policy statements. 

·     Appoint a compliance officer with authority and accountability. 

·     Allocate adequate resources in all areas. 

·     Review periodic audits. 

·     Discuss compliance activities, actions, strengths, and weaknesses in their meetings. 

Printouts, Online Access, Digital Reviews 

Printouts or electronic files of all loans are usually requested for a specified period. Examiners will need access to such information and documentation. They can also request additional information concerning selected items from the reports to choose an audit sample for further review. 

Compliance Forms and Disclosures 

Regulators review numerous forms and disclosures. These forms are sometimes developed internally or purchased from an outside vendor. The regulator will review all of the compliance forms used by the company to ensure that they satisfy applicable regulatory requirements. 

The compliance officer should review these forms and disclosures before submitting them to a regulator in order to ensure that they comply with the company’s policies and the latest regulatory requirements. Personnel should not change disclosure or reporting forms before the compliance officer has a chance to approve the changes. This procedure will minimize the regulatory examiner’s discovery of incorrect or inadequate disclosure.

Résumés 

Examiners also may request copies of résumés of all compliance personnel, which will disclose the extent of a company’s compliance experience. Individual résumés should include a list of all compliance schools or seminars attended by the employee, information about the employee’s education, and the general background of the employee, including work history. It would be best if you had these résumés updated at least annually. 

Exit Conference 

When the examiners have completed the fieldwork, they will conduct an exit conference with management. The compliance officer should attend this meeting. 

If the compliance officer thinks that an area has been noted as an exception in error, inform management of the opinion and its reasoning. Management can then discuss this issue with the examiners. If management and the examiners do not reach an understanding concerning the exception, management may want to request an opinion letter from the main office of the regulator. 

Audit Report of Examination 

After the examiners have conducted the exit conference, they will compile a written report. When management receives this report, it will usually ask the compliance officer to help with the response. 

The compliance officer must look at all exceptions noted in the report and immediately take action to see that they are corrected and cleared. The corrective action taken should be included in the company’s written response to the examiners. 

Management and the board should be well informed and included in the responsive process to ensure that corrective action has been implemented, training with appropriate personnel has taken place, and continued monitoring for compliance is occurring. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group