I am new to banking and have been charged with auditing the compliance department. Since I don't know what all the regulations are much less which are the most critical, I could use some insights from those more experienced in banking than I am. Anyone will to share their thoughts? Any and all help is greatly appreciated.

As Compliance Manager, my department has been audited several time. The auditors looked at how we monitor for conpliance with such things as Reg D&Q, Reg E, HMDA, etc. BSA was also monitored in Compliance, so we went through a thorough audit of our reporting procedures. Additionally, they looked at all the audits we had done of different regulations and followed through to see if our findings had been corrected.

It might be a good idea to start with a nice, hot bowl of "Alphabet Soup" from BOL!

Just click on it, determine which ones apply to your bank (check your bank's products against each regulation to see if that regulation applies) and then go to the tools section to see if there is an audit tool for the regulation you wish to audit.

You can also go to your regulator' website and see what their handbook says about how THEY audit a particular regulation.

I neglected to mention that I am to conduct an internal audit of the overall compliance department at our bank. I think this would address goal and objective setting, annual audit plan for compliance auditing, administration of compliance function, compliance education, etc. I can incorporate the excellent suggestions offered by VirginiaBanker and ncmountainman into such an audit. Are there other items I need to consider? Is there guidance as to how a compliance department in a bank should be organized, its scope, reporting, authority, etc.?
Thanks for all your help.

You should be looking at the Compliance Program, whether the program and accompanying business line procedures cover the regs in "Alphabet Soup" plus BSA, flood, FCRA (which partially comes in on Reg V these days), etc. or WHY a particular reg does not apply to the bank. You want to make sure that compliance is following their program, completing the approved testing program(assuming they audit for regulatory compliance), review the training schedule to see that departments get the training that is appropriate to their line of business (deposit regs for branches, lending for lending areas, etc.). The reporting is not so important as long as they are allowed to fulfill their charter although it is more common for compliance to be independent in some fashion. How are new regs implemented? Are ads and the website approved prior to publication and are compliant?

Check the department staff training, are they staying up to date on regs?

If you feel that the compliance program is comprehensive enough, there are no independence problems, training, implementation and monitoring are covered in the program and followed, you should be good to go.

You are auditing for an effective compliance program/department, not each reg, if I read your question correctly. The compliance department is auditing each reg and you are confirming that process.

What kaybee said! I'm lazy though...so I just copied and pasted most of my regulatory compliance audit program.

1 Obtain the Regulatory Compliance Policy and/or written procedures.
Date of last Board Approval:________________________

2 Discuss policy and procedures with a member of management responsible for the area to be audited.

3 Obtain the most recent regulatory examination. If deficiencies were noted in the exam, have they been addressed?

4 Obtain the most recent Internal Audit. If deficiencies were noted in the audit, have they been addressed?

5 Review the Internal Control Questionnaire for weaknesses related to Regulatory Compliance.


Authorization
6 Review the board of directors minutes and verify the following about the compliance officer’s reporting relationship:
• He or she reports directly to the COO for administrative issues.
• He or she reports directly to the audit committee of the board of directors on compliance reporting issues.

7 Review the board of directors minutes and verify the following about the compliance officer’s authority:
• He or she has the authority to perform compliance monitoring in all departments.
• He or she exercises independence with respect to compliance issues.
• He or she has the authority to implement corrective actions as needed.


Compliance Officer Responsibilities
8 Question the compliance officer about his or her responsibilities. The compliance officer should have the following responsibilities:
• Administer compliance programs in the bank.
• Coordinate and develop procedures to implement laws and regulations.
• Establish and maintain a compliance library.
• Establish and maintain a schedule for training personnel in the various laws and regulations affecting the bank.
• Help in the development of appropriate policies.
• Help in the development of appropriate procedures for new products and new policies.
• Follow up on any corrective actions implemented in bank departments.
• Ensure that the bank complies with any enforcement actions and takes necessary corrective actions.

9 Examine the compliance review calendar to ascertain whether the following areas are schedule for review:
• Federal consumer regulations:
o Truth-in-Lending Act
o Usury laws
o Flood Disaster Protection Act
o Adjustable-rate mortgage regulation
o Interest on deposits
o Real Estate Settlement Procedures Act (RESPA)
o Electronic Funds Transfer Act
o Right to Financial Privacy Act
o Unfair or Deceptive Practices Acts
o Expedited Funds Availability Act
• Consumer leasing laws
o Fair Debt Practices Collection Act
o Soldiers’ and Sailors’ Civil Relief Amendments Act
o Community Reinvestment Act (CRA)
o Federal fair lending regulations:
o Equal Credit Opportunity Act (ECOA)
o Fair Housing Act
o Fair Credit Reporting Act
o Home Mortgage Disclosure Act (HMDA)
o Federal trust regulations:
o Employee Retirement Income Security Act (ERISA)
o 12 CFR section 9 (governs national banks)
• Other federal regulations:
o Bank Secrecy Act
o Financial Institutions Regulatory Act (FIRA) (Regulation O)
• Applicable state laws
• Securities and Exchange Commission (SEC) securities transfers

10 Verify that the compliance officer has been active in training bank staff through any of the following methods:
• Internally produced training sessions
• Information from outside consulting firms or bank trade groups
• Other cassettes, videotapes, manuals, or software
11 Verify that the compliance officer has completed sufficient continuing education since the previous internal audit to effectively administer the compliance program and maintain any certifications.


Compliance Officer Effectiveness
12 Review the compliance reports generated by the compliance officer. For all examples of reported noncompliance, perform the following procedures:
• Verify that the department under review took action on the examples of noncompliance.
• Verify that the compliance reports give reasonable steps to correct errors.
• Compare these instances with the internal audit reports in the related areas to evaluate the coverage of the compliance review.


13 Review the compliance monitoring review scope and verify the following about appropriate regulatory changes:
• They were implemented in the compliance officer’s review.
• They were thoroughly discussed with department managers to alert management to the impact on their areas.
• They were implemented in the appropriate department’s internal control procedures.

14 Review the previous 18-month schedule to ascertain the compliance coverage.
• Verify that reviews were performed in a timely manner.
• When the schedule was not adhered to, determine whether the reasons were documented and whether the delays appeared to be reasonable.


Documentation and Report Requirements
15 Review the general compliance monitoring review report format and verify that the following categories are included:
• Scope of monitoring review
• Intent of regulation
• Violations or noncompliance
• Recommended corrective action
• Effective date of correction
16 Review the board of director’s minutes to verify that the compliance officer reported to the board on a quarterly basis. Also verify that the subject matter included in those reports covered, but was not limited to, the following:
• Compliance projects
• Future regulatory changes and the related impact on the bank
• Recommendations of a material nature to specific departments
• General recommendations to strengthen compliance in the bank

17 Verify that compliance monitoring support documentation and work papers meet the following requirements:
• They are maintained in a logical order.
• They are neat and properly indexed.
• They are saved for a reasonable length of time.

Many thanks to all who responded. I am very grateful for your help.

Isn't the compliance audit program posted in this thread missing some key consumer compliance regulations? What about validating compliance internal controls, such as advertising review, business unit policies and procedures, and product development controls?

Based on your bank's products/services, perhaps the audit program could be expanded to include:

* Truth in Savings Act
* Gramm-Leach-Bliley Act
* Reg D (certain sections only)
* Loans to Insiders
* Reg V (those sections that have been finalized)

Just wanted to raise the questions.....

Derek...thanks for bringing those up. This was the first year through so we were looking at upper level controls and not doing much transactional testing or validation. What's not mentioned here, but is in the Internal Audit report is that I review all compliance audit reports that the compliance officer prepares (they all are presented to the audit committee). So as the internal auditor I've got a really good idea of what is being done in the complaince department.

The areas listed were just a "for example" listing. I'm going to have to go back check though because I know TIS, GLB and Reg. O are on the compliance officers calander...I cant believe they werent on this laundry list. It makes me wonder if it copied and pasted everything.

Some areas like Advertising, policies and procedures are covered in other audits...often overlapping. The compliance officer also reviews all advertising.

As far as product development...if you've got a good idea on how to get marketing to ALWAYS send ideas through compliance first I'd love to hear it. Our group does really well, but we still have trouble some times.

Compliance, in my view, begins with an attitude from senior management should become a part of the whole culture of every part of the structure.

I regret to say that if your management is asking a newcomer to banking to audit their compliance department then they are missing the first and crucial step of any compliance program and therefore cannot hope to pass audit.

Think twice, at least, before undertaking an exercise for which you are clearly unqualified, no insult intended, and where you could find yourself answering to a regulator if you don't cover all the bases. It has been known for this type of assignment to be deliberately given to someone under qualified precisely because management doesn't want some activity noticed.

No one should be put in this position, and there are still external auditors available for this type of work if your organization truly has no one compete

----nt to do this.

Sorry I cut the end of the message off.

Does anybody have a sample Annual Compliance Plan and an Annual Compliance report (outlining the dept's activities for the year for submission to the Board/Audit Committee)

Retro, send me a PM with your bank email address...