Thursday, October 7, 2021

Compliance Risk Ratings

QUESTION
I am the Compliance Manager of a mid-size mortgage lender in Ohio. I took this job recently, and one of the first things I found out is that the company has no risk ratings assigned to compliance requirements. Now I am developing the risk ratings and could use some guidance.

What I am looking for is a list of risks associated with compliance risk. I can work with a list and apply it to our situation if you let me know how to go about it.

My question is, what are the levels of compliance risk?

ANSWER
In assigning risk ratings, it is often a good idea to draft a checklist, the completion of which produces a rating. However, your question is narrower: you seek guidance in forming the levels of compliance risk themselves. I think this is a good place to start; however, at some point, you should create a checklist so that you can apply the ratings regularly and in a standardized manner.

Certain regulatory requirements directly affect the compliance risk categories. Each requirement can be assessed for its risk by determining whether it is affected by any of the risk factors that present increased compliance risk. That may seem tautological, but the sequence is: first determine the risk factors that increase risk, then evaluate how those factors affect each of the major risk categories.

Over time, as details emerge, you will further refine your risk ratings as they are entered into the checklists. You will find that not all factors carry the same amount of risk. Continuing updates to procedures and checklists should be tracked and documented. Sometimes an update will result from an incident that triggers a re-evaluation of a risk factor.

In my view, there are six basic compliance risk categories. These basic categories will likely be expanded depending on a company’s size, products, services, complexity, risk profile, and business strategy.

Basic Compliance Risk Categories

Penalties

Beyond the general penalties the regulatory agencies can impose as part of their overall enforcement powers, many regulations carry their own additional penalties for violations.

Most of these penalties are criminal and civil monetary penalties, but there are exceptions. Under the Community Reinvestment Act, the penalty for violation can involve a denial of bank applications for expansion, merger, and so forth; under the savings account/MMDA transaction limitations, the penalty can involve the recalculation of reserve requirements. Within the areas carrying this factor, the penalties for noncompliance can be severe. The Bank Secrecy Act and Regulation O are two such areas.

As another example, finance-charge and annual-percentage-rate calculation violations under Regulation Z require mandatory reimbursement.

Litigation

The risk of customer litigation is significant and ever-present. In areas carrying this factor, violations can expose the institution to substantial civil liability to customers.

In many cases, the law provides additional damages beyond those suffered by the customer, such as specific additional money damages, attorneys’ fees, class action status, and so forth. For example, violation of the right of rescission under Regulation Z can lead to customer litigation, resulting in the loss of the security interest and income from the loan.

Examiner Scrutiny

Increased scrutiny by examiners should be a constant consideration in evaluating compliance risk. Areas in this category are those currently receiving increased scrutiny during regulatory examinations.

For example, BSA and Regulation O receive increased scrutiny during almost every examination.

As another example, compliance with flood insurance requirements is an area that is currently experiencing increased scrutiny by some agencies in some areas.

New Area

I define a “New Area” as a compliance requirement that is relatively new, or an area in which the financial institution only recently introduced products that must comply with that particular requirement.

To assist you in identifying new compliance requirements, I suggest a checklist or matrix (as I’ve mentioned above), because such a format would record the effective date of each regulation, making it easy to pick out those that became effective in, say, 2012.

Internal Violations

In this category, I group the previous internal review violations. These are areas where violations were found as a part of the financial institution’s own internal compliance monitoring.

Exam Violations

Previous exam violations need special attention in the form of specific remedies, monitoring, and testing. These are areas in which violations were found during a previous regulatory examination. They will be amongst the first review subjects in the subsequent examination.

Some Words About Compliance Checklists

I want to give you a few tips for creating a checklist or regulatory compliance matrix. You don’t need to make the checklists complicated. But you need to establish a replicable format across all categories, departments, and functions.

There are several ways in which the checklist can be used to help assess the risk involved. One simple method is to list the compliance requirements in the rows and the risk factors in the columns, and to place an “X” in the appropriate column if that factor is present for that requirement. An “X” indicates that the requirement calls for more scrutiny than usual – the more “Xs” there are, the higher the risk.

Another method is, rather than using an “X,” to rank the risk with a number (1-3, for example, “1” being the lowest risk and “3” being the highest) to classify the risk in more detail. The risk numbers in each row are then added up to obtain an overall risk score for each compliance requirement – the higher the number, the higher the risk for that requirement. This method has the advantage of reflecting that some factors are “more equal” than others: their presence alone merits much more attention than usual. The primary example is previous examination violations.

In the numerical risk evaluation, repeat violations are to be avoided at all costs, which is why this factor merits increased attention; so, under a numerical program, each area involving a repeat violation would receive the highest degree of risk (viz., a “3” under a 1-3 risk rating program).

This method also has the advantage of being able to vary the weight of each risk factor for each requirement. For instance, while all of Regulation Z is subject to litigation risk because of the civil liability provisions of Truth In Lending, some of the requirements of Regulation Z are more likely to be subject to litigation than others.

For example, the right of rescission and the APR and finance charge disclosures are more likely to be the subject of litigation than the record retention requirements. Therefore, in this case, the right of rescission and the APR and finance charge requirements would be rated a “3,” while the record retention requirements would be rated a “1.”

In the checklist, the “Penalties” and “Litigation” risk columns might be filled in with a “?” to designate those compliance requirements where the law provides for specific additional penalties that can be assessed by regulators and additional damages that customers can recover in litigation.

In addition, to help you identify those requirements that are new, the “New Area” risk column is filled in with a “?” for those regulations that are new or revised in the past year.
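The checklist described above can be kept as a small matrix and scored mechanically. The following Python script is an added illustration written for this page; it is not a tool from the post or from Lenders Compliance Group. The six column names are the risk categories from the answer; the requirement names and their ratings are constructed sample values, not results from any real examination. Two rules are assumptions made here to match the text: a row carrying the “Exam Violations” factor is always scored at the highest rating regardless of the number entered, and a “?” (a column pre-filled for later review) is scored conservatively at the highest rating until someone replaces it with a number.

```python
from dataclasses import dataclass

# The six basic risk categories from the post, used as the checklist columns.
FACTORS = ("Penalties", "Litigation", "Examiner Scrutiny",
           "New Area", "Internal Violations", "Exam Violations")
LOWEST, HIGHEST = 1, 3            # the post's 1-3 numeric scale
UNASSESSED = "?"                  # column pre-filled for later review, as the post suggests
REPEAT_VIOLATION_FACTOR = "Exam Violations"   # presence alone forces the highest rating (assumption)


@dataclass
class Requirement:
    """One row of the checklist: a compliance requirement and the factors marked for it.

    ratings maps factor -> 1..3 (numeric method) or "?" (flagged, not yet rated).
    A factor absent from the dict is simply not present for this requirement."""
    name: str
    ratings: dict


def validate(req: Requirement) -> None:
    """Reject unknown columns and ratings outside the 1-3 scale (or "?")."""
    for factor, value in req.ratings.items():
        if factor not in FACTORS:
            raise ValueError(f"{req.name}: unknown factor {factor!r}")
        ok_number = isinstance(value, int) and LOWEST <= value <= HIGHEST
        if value != UNASSESSED and not ok_number:
            raise ValueError(f"{req.name}: rating for {factor} must be "
                             f"{LOWEST}-{HIGHEST} or {UNASSESSED!r}, got {value!r}")


def is_valid(req: Requirement) -> bool:
    try:
        validate(req)
        return True
    except ValueError:
        return False


def x_count_score(req: Requirement) -> int:
    """Method 1 from the post: one "X" per factor present; the more Xs, the higher the risk.
    A "?" counts as an X, since it marks a factor that still needs scrutiny."""
    validate(req)
    return len(req.ratings)


def numeric_score(req: Requirement) -> int:
    """Method 2 from the post: add up the 1-3 ratings in the row.
    Repeat exam violations and unassessed "?" entries are scored as HIGHEST (assumption)."""
    validate(req)
    total = 0
    for factor, value in req.ratings.items():
        if factor == REPEAT_VIOLATION_FACTOR or value == UNASSESSED:
            total += HIGHEST
        else:
            total += value
    return total


def unassessed(req: Requirement) -> list:
    """Factors still carrying a "?" and therefore waiting for a rating."""
    return [f for f, v in req.ratings.items() if v == UNASSESSED]


def rank(reqs, scorer=numeric_score):
    """(score, name) pairs, highest risk first; ties broken by name so output is stable."""
    return sorted(((scorer(r), r.name) for r in reqs), key=lambda t: (-t[0], t[1]))


# Constructed sample matrix (illustrative ratings only).
MATRIX = [
    Requirement("Reg Z right of rescission", {"Penalties": UNASSESSED, "Litigation": 3}),
    Requirement("Reg Z record retention", {"Litigation": 1}),
    # The "1" under Exam Violations is deliberately overridden to 3 by numeric_score.
    Requirement("BSA program", {"Penalties": 3, "Examiner Scrutiny": 3, "Exam Violations": 1}),
    Requirement("Flood insurance", {"Examiner Scrutiny": 2, "New Area": UNASSESSED}),
]

if __name__ == "__main__":
    for score, name in rank(MATRIX):
        print(f"{score:2d}  {name}")
    for req in MATRIX:
        if unassessed(req):
            print(f"needs review: {req.name} -> {', '.join(unassessed(req))}")
```

Running the script prints the rows in descending numeric score and then lists the rows that still carry a “?”, which is the review queue the post's pre-filled columns are meant to produce. Swapping `x_count_score` in for `numeric_score` in `rank()` gives the simpler X-count ordering from the first method.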

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director
Lenders Compliance Group