I am the first full time compliance officer for the bank. Therefore, I have not had the luxury of a mentor or program to follow. My question to all experienced veterans, just whom exactly do I share my compliance reviews with? Is there a usual and customary practice? Is it necessary to share with the internal auditor? Do the examiners have certain expectations? Unfortunately, I am getting the feeling that senior management doesn’t even want me to share with the examiners the reviews; why commit suicide by handing over the ammunition they need to cite violations. I would think that the examiners would like to see that we are trying to detect, prevent, and monitor. However, if I keep pointing something out and there have been no steps to rectify the issue, I can see how the examiners could take issue with management; hence the reason not to share.

You don't have to worry about being shot for volunteering your compliance reports--your examiners will ask for them. Senior management should design a program to keep informed as to compliance deficiencies and corrective actions. This could be through reporting to a senior officer of the bank, with ultimate reporting to the bank's Board or designated committee of the Board. Or you could develop a compliance committee structure with reporting responsibilities to the Board.

I am also the first compliance officer at this institution, although I have been one for others in the past. My audits go to all senior managers and then are presented to the audit committee (along with the responses) at the quarterly meeting. I report to the Internal Auditor and he reviews all audits prior to distribution.

Hi, I am not exactly seasoned, however I can tell you that I share my findings with
appropriate department heads, so they can review and implement any recommentdations.
My final report is issued to the Audit/Compliance Committee and cc'd to the CEO.
The examiners will ask for your review workpapers and I would say let them have whatever they
want. (:)) Also, anything of issue is recorded in the committee meeting minutes, and
the chair of the committee reports to the full Board. So, the examiners will eventually find
out what they need to know.
PS- Our I/A audits my reviews and findings to see if the recommendations have been
addressed.
Good luck.

This thread illustrates good reasons why the C/O should be out of the auditing business and line management should review its own work via quality control. As soon as the gun is fired, there's a smoking gun for examiners to identify and use to shoot you again.

If properly designed and executed within the business unit and its operations support unit(s), necessary controls should work effectively. The auditor can determine if required QC procedures are being followed.

The regs say we have to do certain things, but with the exception of BSA, none say that we have to police ourselves and hand the results to examiners.

Not to mention that it is really difficult to audit a policy that you just wrote and got board approval for!

I'm going on 2 years as CO for my organization, and did not have one on one training with the previous CO...If anyone is willing to share information on compliance review templates, instructions or programs...I would really appreciate it...

The BOL User - Javier

I agree completely-the C/O in some smaller institutions is the only one qualified or available to do compliance auditing, and if the c/o presents a policy to be approved by the BOD and adhered to by senior management, then so be it. In this case, as long as the policies are in line with the regs or are pulled from a subscription type product, there should not be a problem. It would then just be the c/o's job to make sure that policy was being complied with. It would be a perfect world if they only did the training, policies, etc. but most folks I know have to do both sides. In some centralized functions, this can actually be an advantage because you will have a better understanding of what area needs training the most because you found the exceptions noted in the audit and you will be more likely to follow up and monitor progress since you have to report to the BOD.

Dealing with compliance and internal auditing is generally ok, as long as you have the full support of management and the board and are able to truly work independently. In small banking environments, the last couple of factors can be difficult to obtain at times.

Autumn, you give your review to the internal auditor, for review, before distributing to senior management?

The key to successful compliance in any bank is senior management. Without senior management's support and total buy-in to your compliance program, you can resign yourself to a "just gettin by" compliance program (or brush up your resume and move on). Our bank has a 100% compliance expectation and that makes all the difference in the world, especially in a community bank environment.

Another critical issue is the independence of the audit and compliance areas. If you are able to remove staff to a position of reporting to the Board instead of a product line manager, all the better.

You should start by researching the ABA and possibly your state associations for books and articles on designing and implementing a compliance program. This should include your job description, who you report to, what you audit and when. Then who you report your audits to.

The latter should go to those who need to respond to it, perhaps that senior manager and periodically to your board or audit committee.

Look at the exam questionnaires from your regulator. They should audit your program and its effectiveness. The questions there will give you clues as to what has to be covered. Then decide how to best implement all of the requirements into your bank's culture and infrastructure.

Request all the schools you can, and then conferences.

Good luck.

Quote:

---

Unfortunately, I am getting the feeling that senior management doesn’t even want me to share with the examiners the reviews; why commit suicide by handing over the ammunition they need to cite violations.

---

That, unfortunately, is a very common attitude with management that has never taken compliance seriously. This is a very difficult mind-set to change, so I do wish you luck.

One approach you may try is this:
The examiners are going to a Risk-Based Compliance exam (or at least the FDIC is.) This type of exam can go very easily IF the examiners can see that you have a strong compliance program that includes monitoring and audit. The examiners will want to see the monitoring and audits to make sure they are effective.

If you can show that your compliance program can detect errors and put correction action in place to prevent those violations, then you are in for a much better time as opposed to having NOTHING to show the examiners. If you have nothing to show the examiners, then they can fall back to a full scope exam where they will be testing transactions and looking for violations. I can tell you from experience, your institution will be in for a VERY difficult time if examiners find systemic violations that were never caught or noticed by management.

Or for the short version of that - You are better off finding your own mistakes and showing that to the examiners than having the examiners find the mistakes on their own.

However, if you find violations and management does not want to do anything to correct them, then you will have problems at exam time.

Yes the internal auditor reviews my work prior to distribution. I also report to him. He never changes my findings, but sometimes I have to change the way I word something so everyone can understand.

Most everyone appears to take their findings to their board, compliance committee, etc. However, how do you take the findings down to the officer level? Does anyone (the CO) meet with the officer directly to let them know what exceptions were found? We are a large bank ($4B) and will take our reviews to the business unit senior manager. However, it appears the senior manager is not taking this back to their officers and the officers then tell us they didn't know they had exceptions. We do follow up training with the group but not one on one. We looked at having self-reviews in the business unit, but the bank balked and said they do not have the "experience" and/or training the CO has. Loan processing is centralized. Yes -it is a little scary. Any thoughts are appreciated.

IMO - review findings should be discussed with the officer/manager responsible for those areas first. That way, if there's erroneous information in the report, or a miscommunication, etc. - no one gets embarassed when the report is presented to the board and/or audit committee.

This also allows the issue owner to have some sort of resolution thought out and ready to be presented when the audit committee frowns and asks what's being done about this.

I am the C/O for a community bank with 10 branches. Although it’s in the plans, we are not yet centralized; therefore my compliance reviews are performed at the branches. Once a branch audit is complete, I meet with the branch manager along with the Risk Manager and the Branch Operations Manager for an exiting review to go over the review results. The branch manager has one week to respond to the report and notify me of procedures and/or corrective actions that he/she has put in place to assure that violations do not occur again. A copy of my report and the B/M response is then given to the CEO and Senior Loan Officer. It is also discussed with the compliance committee and BOD.

your results should be discussed with the internal auditor in as much detail as is necessary in the circumstances. as to your written reports, choose your words carefully as they will be subject to review by the regulators. always understate any problems in your written reports, you can always emphasize their severity in your DISCUSSIONS with management. never use such phrases in your written reports as "these violations constitute a pattern and practice" ; etc. these and many others are "red meat" for regulators.

I agree with Richard's position. Comliance Officers should manage compliance, not audit. Monitoring can be done by the line of business and auditing can be done by the Audit Dept. I've seen it work...and work well.

audit should not manage compliance but there must be coordination between these functions. internal audit charters always reference "adherence with banking laws and regulations". internal audit should always "be in the loop" regarding significant compliance issues, especially potential problems.

Hey guys (and gals), don't forget there are us out here who are in charge of both compliance and auditing. Unfortunately, you can't always keep the two apart and they do play off one another quite a bit.

We have a formal audit program, so I try to concentrate on spot monitoring of different areas.

Whenever I find anything, I generally call the person(s) involved and say something along the lines of "I need to talk to you about -------."

What I try to do is to clarify what I have found, what the person(s) involved know about the transaction, what their understanding is of any particular law or regulations, etc. I look upon this as an opportunity to educate and to find ways to prevent the same thing from happening again.

If I find the situation resulted from a one-time misunderstanding or forgetfullness, depending on the seriousness of the situation, I may leave it at a verbal reminder or I may do a memo or e-mail to the person to remind them of what they need to remember with a copy to the department supervisor and also to my boss.

If the situation seems to indicate a more general level of a training need or a need to clairify or change policy, then I will take that up with my boss and the necessary members of senior management.

Of course I do sometimes get the "Oh no, what have I done?" response to my intial questions.....

The compliance reviews I perform are provided to the department heads of the area identified in the review as well as executive management. In addition, I provide quarterly reports to the Board of Directors identifying reviews and whether or not those reviews have received an adequate management response.