Who Defines Compliance?
One of the most common questions asked by new compliance officers is "what, exactly, is compliance?" No-one seems to have a clear, definitive answer to this - particularly not the management that made the compliance assignment. So the neophyte compliance officer begins a search to discover what this new job entails.
The fact is that there is no definition of compliance. There is no clear delineation of compliance responsibilities. Instead, each compliance manager structures the job to fit the institution's needs and the individual's skills.
Some come to the job with lending experience. Some started as tellers. Others moved into compliance from the audit department - or compliance was moved into audit. Did anyone graduate from high school or college with the goal of being a compliance manager? We haven't heard of anyone yet.
So how should we define this job? A reasonable starting point is the definition of compliance. However, this is where the first problems begin. There is no official list (nor should there be) of what compliance covers and includes.
In the early days, compliance was synonymous with consumer credit protection. This worked for a while, when the primary issues were Truth in Lending, Fair Housing and Equal Credit Opportunity, and Fair Credit Reporting. Even electronic transfers fit into this categorization - sort of.
Then, things got more complicated. We started to get deposit regulations such as Expedited Funds Availability. At this point the nomenclature got blurry. And it became blurrier when Bank Secrecy became a compliance issue instead of a bank security issue. And, of course, CRA stood alone (out in the middle of the field) throughout this raging debate, growing like a mushroom cloud. At some point, bank presidents ignored the definition problem and simply started sending everything that came from a federal regulatory agency over to the compliance officer. This was not necessarily because the topic was assigned to compliance. More typically, the president sent it to compliance on the assumption that the compliance officer might have a glimmer of an idea what to do with it. It was the president's response to growing regulatory burden. As a result, the science and practice of compliance grew.
If compliance managers were turf-grabbing types, this could have been an opportunity to build an empire. But most compliance managers wisely saw this trend as ominous, leaving them with two undesirable choices: functioning as the mail-room for undeliverable regulatory missives, or obediently taking upon themselves responsibilities for activities about which they knew little. The third option - pass it on to someone else - only worked if the target wasn't skilled at ducking.
All too often, the new activity ended up in compliance simply because it didn't fit anywhere else. Since compliance doesn't have clearly defined borders, it was difficult to keep new territory from being added on. Examiners have added momentum to this phenomenon because they need to know who is responsible. Examiners readily agree that it could or should be the compliance officer.
When we allow the compliance job to be defined this way, we take on the job of managing chaos. Compliance management is a form of risk management. Compliance programs are designed to cause things to happen at certain times and in certain ways. This is the skill. But the skill makes use of extensive and detailed knowledge. How many regulations can one person be responsible for? Figure out your limit and stick to it.
Copyright © 2001 Compliance Action. Originally appeared in Compliance Action, Vol. 6, No. 12, 10/01
First published on 10/01/2001