Compliance Should Be Easy, Right?
Compliance is a piece of cake, especially if you mean well, right? After all, treating customers fairly is just the right thing to do. And bankers are nice people, aren't they? So as long as we all mean well, compliance is no big deal. And as long as everyone does their job, everything is ok. After all, the bank has a compliance officer, right?
Wachovia just sent more than 80 customer statements to a single customer and the mailings contained personal information. Oops.
ChoicePoint sold extensive personal information (information most consumers didn't even know was collected, much less that ChoicePoint exists) to bad guys. In fact, they sold a whole lot of information to a lot of bad guys. Oops.
ChoicePoint didn't tell anyone for months. Oops.
BankAmerica lost some backup data on account information for lots of consumers - including federal employees - even including Senators, for goodness sake - and didn't say anything for several months. Now they say they're sorry. Oops.
Has your CEO ever wondered where compliance comes from?
Of course, mistakes happen from time to time. We do the best we can to prevent them (at least most of us try to), but sometimes things just go wrong. A compliance program is designed to achieve compliance on several fronts. First, the program tries to make things happen correctly. This is where policies, procedures and training come in. We analyze the requirements, we look at our resources, decide how to get the job done, and provide instructions and training. And if your program is a really good one, you hold people accountable for their responsibilities.
That's the front part of compliance. The other part of a compliance program is finding and fixing things when they go wrong. And this is also where corporate governance comes in. When something goes wrong, the ethics question is whether to protect the institution or the customer. Too often, the institution chooses to protect itself - while hoping that nothing really bad will happen.
What, exactly, does ChoicePoint think will happen to consumer data purchased by crooks? Does ChoicePoint really think that the crooks, having paid for the data, will decide to be nice and not use it?
The find-and-fix part of the compliance program is absolutely essential. This involves monitoring, auditing, and changes or adjustments. It means correcting mistakes and finding ways to prevent more mistakes. This is where auditing, reporting, and responses from management and the board are essential. This is what ChoicePoint and others did not do - until caught.
Compliance is about looking at the entire picture, from the customer's perspective as well as the corporation's. The errors occurred on ChoicePoint's watch. It is up to ChoicePoint to take the first step. Not only is ChoicePoint the one that made the mistake in the first place, they are the ones with the ability to find the problem and take steps to correct it. They are also the only ones who can take steps to prevent similar problems in the future.
Examiners are now following risk-based examination procedures. These procedures look at more than risk alone. They look at how the institution plans for and responds to risk. These recent consumer data "events" illustrate how important this approach is for examiners and for institutions. If the cost seems high, look at it this way: when identity theft occurs, the financial institutions lose right along with their customers. Preventing it is in everyone's interest. And, of course, if we don't act responsibly, Congress will pass more laws.
Copyright © 2005 Compliance Action. Originally appeared in Compliance Action, Vol. 9, No. 3, 3/05