The New OCC Exam A Report From The Trenches

By Kathy Curtis

Recently, the bank I work for as Compliance Manager underwent a compliance, fair lending and Bank Secrecy Act examination by the OCC under the new small bank compliance examination procedures. This was my first experience of an agency compliance examination since my appointment to Compliance Manager (five years ago). Verbal descriptions of exam experiences from other Compliance Managers and personal observation as a clerical staff person during past exams did not provide a lot of comfort, particularly since my own internal reviews over the years revealed some compliance exceptions that I didn't think the OCC would be happy about. In this article, I'd like to briefly discuss our experience under the new exam rules and to try to give you some insight into what to expect from your exam team.

As with all exams, we received a request letter to gather records and files to be reviewed. There were about 23 items I was to gather. This took a very short period of time and ended up as a six inch thick, sequentially numbered pile. When the examiners arrived, I pulled together some additional records such as 40 or so actual credit files, our alphabetized file of adverse actions, my internal compliance review programs, audit reports and any replies from management. So far, this didn't seem too bad - (an indication of what was to come). Typically the examiners had very few questions. Several questions they asked picked up on issues I had addressed in my own reports and I was initially concerned that we might have a citation in our exam report.

However, when I researched the issues further, I was able to point out corrective actions taken as a result of our own internal review program, new procedures put into place or improved use of automated systems to prevent the same problem from occurring again. This was satisfactory to the exam team and none of the issues they asked about during the exam made it into the verbal management exit interview for further attention.

I asked the examiners the specific and pointed question about the results of my internal compliance reports and whether any self- detected problems would be reported in their exam reports. The answer was absolutely not; that that would be self-defeating from their point of view in that we would then have no incentive to promote our own internal review program and proactively put corrective actions, new procedures and training into place. They were generally very impressed with the detail in the compliance audit program I use and the thoroughness of reviews and reports developed from this product.

At the end of the examination, I met with the original examiner who started the review to hear her recommendations. Basically, she was very complimentary of the compliance program we had established which includes regular compliance audits, internal procedure review, regular training for existing/transferred employees, and a compliance orientation for all new employees. All the examiners on the team liked that we had board approved policies to support the compliance program and further, that the policies weren't simply canned reproductions. I can customize the policies that come with the software program to the services and products our bank offers which earned compliments from the examiners.

The examiner had two recommendations.
To evaluate the risk each regulation poses to the bank from the standpoint of past violations and negative ramifications for the bank. For example, I have compliance audited each consumer regulation every 12 months. There are some regulations, such as Regulation AA, for which I have found very few or no exceptions due to our use of a software program to create loan documents that actively prevents prohibited provisions from appearing in consumer contracts and through strict control over access to the loan servicing system specifications (set to prevent late charge pyramiding). She recommended that I consider auditing for compliance with Regulation AA every 18 months or even longer if I feel that's appropriate, and that I should review audit frequencies for other regulations with the same idea in mind, i.e., which regulations present the highest risk of non-compliance for our bank, which are minimal risk, and focus on the high risk regulations most frequently.

The second recommendation was that she did not believe it is necessary for our board to have to receive fully detailed copies of my internal compliance audit reports. This is totally up to the preference of our board Audit/Compliance Committee who in our case like to know everything going on. However, from the OCC's point of view, it is sufficient to present an overview of what was found, how serious the problem is for the bank and what was done about it. I should have the details available if the committee members want to know them. In conclusion, I have a very positive impression of a compliance examination. The experience was minimally disruptive to my ability to get other work done, the OCC examiners were courteous and professional, and they made some helpful suggestions. This is what we'd all like to expect from a supervisor; treatment that recognizes the effect of human foible that surfaces in compliance results and that diligent comprehensive internal review programs should be supported and encouraged to flourish.

And a Word from the Bank's President
In reading the attached article, I realized that my bank's Compliance Manager could not easily (a) provide the perspective of senior management and (b) describe a fundamental ingredient of success represented by her personal dedication to run a truly outstanding compliance program.

It seems to me that a bank's approach to compliance starts at the top. Our Board Chair and many of our Board members are lawyers. We believe that a clear understanding of and compliance with the law is a priority. We acknowledge that an active compliance program costs money. We are also convinced that good results represent saved money (hard dollars as well as staff time).

Our bank invested a lot in developing and working with our Compliance Manager, providing her with advanced training and requisite materials. She, in turn, created systems, internal training, and audit procedures. Her self discipline, attention to detail, and follow-through became known throughout the bank. She is well respected and liked. At times her diligence has been the source of frustration from those that would otherwise have chosen to take "short cuts." At times, her interpretation of the law seemed too rigid. Senior management has been faced with cries that "compliance" had become too time consuming, too detailed, and was getting in the way of doing business. Perhaps, on occasion, it did. However, senior management has never wavered in supporting our compliance program or its manager. Our Compliance Manager, in turn, has learned to "sell" good compliance to our staff. Her leadership and skill are fundamental keys to success, and then teamwork must happen.

Thomas B. Hoppin, President / COO, Board Member

ACTION STEPS

Review board approved policies to assure they are complete and updated.
Recommend a compliance audit plan for board approval for each consumer compliance regulation listed in the OCC's examination guidebook and set the frequency for review based upon the compliance risk for your bank.
Include a review of internal procedures with the regular compliance audit.
Complete the compliance audits in a timely and thorough manner.
Assure there is a regular training program for all employees geared toward the aspects of a regulation that affects each employee's job.
Assure transferred and new employees receive a review of the regulatory requirements that affect them in their new jobs.
Provide ongoing reports to management regarding the status of compliance in your bank and don't hesitate to ask for their support and help to emphasize the need for attention to regulatory requirements.