Compliance Officer Title

We are and FDIC regulated bank. Is it required that we have someone with the official title of Compliance Officer? We want to move compliance into overall risk management. The risk management officer will have oversight of all risk and compliance activities. The CMS function will be within the Risk Management area.

I'd think that as long as you have someone filling the role that you can point to when examiners say "I want to talk to the compliance officer," you'd be fine regardless of their title.

That is what our thoughts as well.

There are still some banks that manage the function through a committee or split between various departments (i.e. lending compliance, deposit compliance) versus having a designated "compliance officer". I think as long as CMS pillars are being thoroughly addressed and managed it would be fine. That being said, I'm a big proponent of having one person responsible to ensure the CMS is being managed appropriately and as banks grow I think regulators look for that.

I would not say a specific job title, but would recommend naming the risk officer as the compliance officer, or the person responsible for the CMS in the CMS or Compliance Policy.

It will one person. That person will just oversee both risk and compliance.

You're fine with that set up IMO

Yes, we will explain this in our CMS program.

Compliance (Regulatory and financial crime) can set within the Risk Department. At the end of the day the regulators want to know that the person(s) who is responsible for compliance. I've seen various titles (Compliance Officer, CCO, CRO, etc.). and it almost always more about the persons qualifications and ability to execute.

Long long ago (most of the '80s and '90s), I was responsible for what the industry commonly called "compliance" and the people who did the work were called "compliance officers" (and similar titles for the sub-officer level assistants.) If my office had a door, it would have been titled "Compliance Department." I thought I knew what I did and where my responsibility began and ended.

SOP was that whenever something of a regulatory nature hit the fan in any department of the bank, the department's manager labeled it a "compliance problem." Since the Les Nessman door to my office said "Compliance Department," the problem was delivered to me...no additional resources, no additional staff, and no authority to change procedures or policy in the affected business unit...just the problem. Eventually, I realized that the "Compliance Department" was a 5-lb bag and something needed to change.

Condensing a story that played out over several years, I scraped the name off the office door and replaced it with my unit's newly authorized title "Regulatory Management." My mission statement changed from "do it" to "help affected business units understand their regulatory obligations and meet them, and be ready at any time to sell our results to regulators."

I was required to maintain the highest level of knowledge of all regulations already affecting our company, and awareness of potential/new/revised regulations, our regulators' hot-button items, and common regulatory problems throughout the industry. I managed our relationship with all regulators before, during, and after any type of examination. I assisted with structural issues like policies and DP. Whenever a situation demanded, I rolled up my sleeves and joined the fire fight.

We did our best to decentralize the responsibility for day-to-day compliance, but settled for a hybrid. The biggest business units (credit card, mortgage company, trust company) had already evolved to that arrangement. It was extremely important for them to control the flow of their businesses and a woefully-understaffed and underbudgeted central office support unit (me) was an unacceptable bottleneck. Their execs happily set up internal compliance support units and managed and budgeted them directly. I worked with them when they asked and coordinated with them when regulators were in. My department worked with the smaller business units and other central office units (marketing, facilities, in-house DP, HR/training) however made the most sense.

At the end of the day, my bank realized that the words "compliance officer" were almost meaningless. What mattered was thorough risk assessment and a good plan to protect the bank from the consequences should risk become reality.