By Jessica Caballero, CRCM, Senior Manager of Strategy and Evangelism, Banker’s Toolbox 


Eight Things a Compliance Officer Should Focus on in 2019

Now that we’re already one month into 2019 (how is that possible?!) and the holiday haze is wearing off, it’s time to really dive into 2019. With the beneficial ownership-ridden 2018 in the rearview mirror, here are eight things a compliance officer should focus on this year:

  1. Formalize the Three Lines of Defense

I know you’ve heard about it at conferences, and you’ve read about it in your closely followed industry periodicals. You know what it is, but you may be thinking: “I’m too small for that.” The truth is you aren’t. The three lines of defense – front line business units, independent risk management (hey there, compliance officer!) and internal audit – are scalable to financial institutions of all sizes and varying levels of complexity. You are not exempt from prudent risk management due to your size. Do you have to comply with the stringent requirements of the OCC’s Heightened Standards? NO. However, you should have a solid and effective risk management program that crosses the entire organization. Dare we call it Enterprise Risk Management (ERM)?!

To have an effective ERM program, you need the equally strong and uniquely divided three lines of defense. Formalize the structure in your Risk Policy. Your regulator will love it!

  2. Keep Your Regulatory Change Management Policy Updated

As the storm of consumer compliance overhaul slightly settles, some of you may be thinking: “I’m almost done with this regulatory change management plan.” I’m sorry to burst your bubble, but you shouldn’t be. A solid regulatory change management program is one that is in place during both the calm and the crazy. If you wait for another influx of regulatory change to dust off the regulatory change management policy, you are already two steps behind. This program should continue to evolve and mature even in times when the regulatory environment isn’t fraught with change.

  3. Identify New and Emerging Risks

This should be an ongoing, continuous process. Your front-line business units should always have an eye out for new and emerging risks. They deal with them on a daily basis. Is there a newly implemented process that is showing poor results during quality control exercises? Is there a certain product causing a spike in consumer complaints? Is your front line seeing a new check fraud or elderly financial abuse trend? Ensure that two-way dialogue with business units is rich so that risks do not go uncovered!

  4. Modernize Your Risk Assessment Process

You know that Selena Gomez song, “I’m so sick of this same old love…”? Yeah, me neither – but it always makes me think of work when I’m (not) listening to it in the car. I’m so sick of that same ole risk assessment, policy, training slide deck, fill in the blank here. You can’t possibly think that you are properly identifying, tracking and measuring risk using the same tool you implemented the year that mean regulator told you that you needed a risk assessment. It isn’t working! I promise! You have to modernize your practices, including your risk assessment process, to properly mitigate risks.

  5. Eliminate Exceptions

Speaking of terribly catchy pop songs – Bye, Bye, Bye… to exceptions! Exceptions are okay…until they become the rule. I know that you want friends at work and a table to sit at when you go to the breakroom for lunch, but sometimes you have to be the bad guy. Exceptions should not become an excuse. They aren’t an allowance to go around the policy. They should only be used when the situation is a true anomaly and something you could not have expected to encounter when authoring the policy. Take a close look at exceptions across the organization. Let them help drive your policy and process revision schedule as well as your training schedule for the year.

  6. Do a Culture Check

Look, I know writing policy and procedures is the joy of your life. You think about it in the evenings and on the weekends, and it really just fills your cup. I get it – you’re a compliance officer. Have you ever stopped to think about what happens after you release that masterpiece into the wild?

Change! It should effect change! Words on paper do nothing to help you manage your program and mitigate compliance risk. Do you know how that change happens? People and systems…and you need people to work your systems. So it really comes down to people. Your people have to make it happen. Their day-to-day work activities can either open you up to undue risk, or they can fully mitigate any risks you may be facing. The best workers are happy workers. Here at Abrigo we see people as the key to success, and you should too. Monitor employee satisfaction qualitatively and quantitatively to ensure you are properly mitigating conduct risk in your organization. Your exceptions tracking and findings remediation plan will thank you.

  7. Set a Cadence with Marketing

Do you remember that one time there was a new product code in the system and the marketing campaign hit the internet, but the compliance department had no idea a new product was being introduced? No? Good – that means you’re killing it! If this has happened to you, you need to open the communication with marketing to ensure it doesn’t happen again. You should have a seat at the table when new products and services are being discussed, even in the infancy stages. You are the key player for identifying potential compliance risks that these new products and services can introduce to your institution. If you don’t currently have a seat at the table, squeeze in a chair! Put some time on the marketing leader’s calendar, explain the criticality of compliance within product and marketing, and make a new friend. You won’t regret it!

  8. Face Your Findings Remediation

Every institution should have a mature and well-implemented findings remediation process for audit and regulatory findings. If not, it is time to play catch-up. Findings remediation should be a formal process with participation and buy-in from all business units and risk management functions. Progress should be monitored and measured with results communicated to senior management, executive committees, and the Board, as appropriate. I know that sometimes it feels like your dirty laundry is being aired, but it is all for the greater good. A clean audit may mean that you need new auditors. There are always new and emerging accepted practices, and these findings are how you grow and develop your program.

If you need help with achieving or implementing any of these eight steps, we’re here to help. Our advisory services team can help with any short or long-term projects at your institution.

– Jessica Caballero, CRCM

Jessica Caballero is a former OCC Examiner, where she was responsible for examining all functional areas including asset quality, consumer compliance, capital markets, and information technology for financial institutions of varying risk profiles and asset sizes. Prior to joining Banker’s Toolbox, Jessica was a compliance consultant with Compliance Alliance assisting community banks with the implementation of Dodd-Frank, including the risk assessment process, policy creation, and the overall implementation of a comprehensive compliance management program. Jessica is a Senior Manager of Strategy & Engagement for Abrigo, focusing on providing education to bankers and facilitating industry trainings across the nation on various risk management topics. Jessica is a Certified Regulatory Compliance Manager (CRCM).