Good morning all,

After the previous CEO left, compliance and auditing began to be locked out of everything, including policy. We no longer attend training meetings, we can't get into the "shared" folders, we don't receive procedural emails, etc.

For my department, compliance, I believe it is because rather than accept what I am told, I review what is done. Several times I have been given incorrect information from managers. And once when I addressed what was found, I was asked by that same manager for the name of the employee who told me. Now though I am forced to either accept what they say or not do the reports at all. For instance I am working on a RDC risk assessment. Since it is an update, it should be quick and easy, but when I asked to review the folder that contains the documents, I was instead forwarded to the manager who answered the questions, but did not provide proof. This is one of the managers that based on experience, I no longer trust.

If compliance or auditing fails to catch anything and it becomes a problem, fingers are pointed back at us. An example, I am asked to review all marketing before it goes out. So I do, but then they change it. And despite my advising them more than once that they had to disclose the conditions of a promotion, they sent it out without the disclosures and without my knowledge that there were any conditions. When a member complained, upper management asked me what I could do to ensure it doesn't happen again. I responded by saying I needed to be informed and that I can't give good advice if I don't have the whole picture. But that only led to them keeping more from me. Most days I wish I had never taken this job.

Is this way it works in all financial institutions?

Any advice will be appreciated.

No, it's not. Make a CYA file and document things like this so that when the time comes that you're blamed for a compliance error, you can go to that file and show the steps you took to ensure compliance, but show that someone overrode you.

Sorry to hear about this, though . It's hard dealing with that stuff for sure.

And be looking for a different FI. That is no way to run one.

I am fortunate, I work at a bank that ranks compliance and audit as the two most important areas. Everything is controlled through these two areas. Our CEO has made it known that he expects things to be done right. Your regulatory exams should reflect your bank's lack of regard for these areas. You are in dire need of a culture change, and that has to start at the top.

It appears you are in auditing have a detailed conversation with the Audit Committee in executive session.

Sorry to hear you work in such a hostile environment towards compliance and audit. Personally I would dust off my resume and update my LinkedIn profile and start looking for new work. Once you are free, it might be a good idea to reach out to the regulators of that bank (you can do so anonymously) and let them know what is going on.

Never a big fan of burning bridges when you leave a job. The truth generally comes out in the long run. At the present time, one way of bringing attention to this is during your individual audits or audit risk assessment increase your risk and number of hours associated with the audits. When your audit hours increase you can explain why you had to increase hours.

Talk to your Audit Committee Chairman and your EIC. This situation shouldn't continue. You can't do your job effectively, and you shouldn't have to go through this stress either.

I disagree with this management style almost as much as the disaster the OP describes. It's comparable to a football team without an offensive unit.

An auditor should report to the BOD and is an important part of the checks and balances protecting the shareholders' interests from inept, careless, or corrupt managers. You can't protect against yourself--and when you start making policy and operating decisions, you ARE management.

A compliance officer (I prefer "regulatory manager") should be a blend of risk manager and operations support for the various retail businesses. I've seen and tried an assortment of position descriptions and org charts, but the one that always worked best was to have the regulatory support staff dedicated to and reporting up the chain of command to the head of the major retail business lines. That puts the regulatory manager at the table for the exec's staff meetings of all the business line's managers. (In my bank, the appropriate auditor also had a courtesy invitation to most of these meetings--but not a vote.) A smart exec understands that it's always cheaper to do it right the first time and that there's an opportunity cost if you're constantly embroiled in regulatory clean-ups.

Our audit and compliance staff do not have access to my areas shared folders, but when they notify me of an audit, they request certain information, which can include both policy (available on bank internal site to all) and procedures (department shared folder they do not have access to). I download a copy of the procedures and provide to them. I will not grant them, or anyone else who does not have a need, access to our shared folders. You should be able to request the same from the managers of areas you are auditing.

I have never worked for a Bank that granted audit or compliance unfettered access to shared drives for other departments (7 banks and hopefully won't ever get to 8), has always been a request for information and copies.

Credit Unions must comply with the CFPB, NCUA, and some Federal Reserve. Not to mention all the state regulations.

Whether you are at CU or a bank, if you aren't permitted to discuss your concerns with an audit committee or full board, I suggest keeping your eyes and ears open for another institution to work at.

And don't fake your reports, if you are not given access to documents, then your report should state that "Based upon a discussion with the department head, we noted ...."

Examiners will ask soon enough why you aren't testing or reviewing the source documents.

Agree with Happy on access to shared drives, it's not about HOW you get it, it's about just getting it.

The bank seems to have a cat box approach to compliance and audit. Eventually, someone has to clean it out or it starts to stink. Might be good to be a long way away when that happens. Of course, they will blame it all on you when you leave.