By: Maria Coppinger-Peters
Compliance risk is the current and prospective risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies, and procedures, or ethical standards. Compliance risk also arises in situations where the laws or rules governing certain bank products or activities of the bank’s clients may be ambiguous or untested. This risk exposes the institution to fines, civil money penalties, payment of damages, and the voiding of contracts. Compliance risk can lead to diminished reputation, reduced franchise value, limited business opportunities, reduced expansion potential, and an inability to enforce contracts.
Risk has two dimensions: the QUANTITY of risk and the QUALITY of risk. Generally, the best way to uncover potential risks is by using a matrix.
The QUANTITY matrix should rate every factor in a given area as high, medium, or low based on the risks associated with non-compliance. For example, the Flood Disaster Protection Act (FDPA) carries both a monetary risk (mandatory civil money penalties for non-compliance) and an asset quality concern in the event of flooding not covered by flood insurance.
The QUALITY of risk indicates what controls the bank has in place and how they mitigate the quantity of risk. Include in your assessment the controls and safeguards you have in place to lower the residual risk; the stronger your mitigating controls, the lower your residual risk should be.
Quantity of Compliance Risk Indicators
The following indicators should be used when assessing the quantity of compliance risk, grouped by the low, medium and high ratings used in the matrix:
Low quantity of risk:
- Violations or noncompliance issues are insignificant, as measured by their number or seriousness.
- The institution has a good record of compliance. The Bank has a strong control structure that has proven effective. Compliance management systems are sound and minimize the likelihood of excessive or serious future violations or noncompliance.
Medium quantity of risk:
- The frequency or severity of violations or noncompliance is reasonable.
- The institution has a satisfactory record of compliance. Compliance management systems are adequate to avoid significant or frequent violations or noncompliance.
High quantity of risk:
- Violations or noncompliance expose the company to significant impairment of reputation, value, earnings, or business opportunity.
- The institution has an unsatisfactory record of compliance. Compliance management systems are deficient, reflecting an inadequate commitment to risk management.
Quality of Compliance Risk Management Indicators
The following indicators should be used when assessing the quality of compliance risk management, grouped from strongest to weakest:
Strong compliance risk management:
- Management fully understands all aspects of compliance risk and exhibits a clear commitment to compliance. The commitment is communicated throughout the institution.
- Authority and accountability for compliance are clearly defined and enforced.
- Management anticipates and responds well to changes of a market, technological, or regulatory nature.
- Compliance considerations are incorporated into product and system development and modification processes, including changes made by outside service providers or vendors.
- When deficiencies are identified, Management promptly implements meaningful corrective action.
- Appropriate controls and systems are implemented to identify compliance problems and assess performance.
- Training programs are effective, and the necessary resources have been provided to ensure compliance.
- Compliance management processes and information systems are sound, and the Bank has a strong control culture that has proven effective.
- The Bank's privacy policies fully consider legal and litigation concerns.
Adequate compliance risk management:
- Management reasonably understands the key aspects of compliance risk. Its commitment to compliance is reasonable and satisfactorily communicated.
- Authority and accountability are defined, although some refinements may be needed.
- Management adequately responds to changes of a market, technological, or regulatory nature.
- While compliance may not be formally considered when developing products and systems, issues are typically addressed before they are fully implemented.
- Problems can be corrected in the normal course of business without a significant investment of money or management attention. Management is responsive when deficiencies are identified.
- No shortcomings of significance are evident in controls or systems. The probability of serious future violations or noncompliance is within acceptable tolerance.
- Management provides adequate resources and training given the complexity of products and operations.
- Compliance management processes and information systems are adequate to avoid significant or frequent violations or noncompliance.
- The Bank's privacy policies adequately consider legal and litigation concerns.
Deficient compliance risk management:
- Management does not understand, or has chosen to ignore, key aspects of compliance risk. The importance of compliance is not emphasized or communicated throughout the organization.
- Management has not established or enforced accountability for compliance performance.
- Management does not anticipate or take timely or appropriate actions in response to changes of a market, technological, or regulatory nature.
- Compliance considerations are not incorporated into product and system development.
- Errors are often not detected internally, corrective action is often ineffective, or Management is unresponsive.
- The likelihood of continued violations or noncompliance is high because a corrective action program does not exist, or extended time is needed to implement such a program.
- Management has not provided adequate resources or training.
- Compliance management processes and information systems are deficient.
- The Bank's privacy policies are nonexistent or do not consider legal and litigation concerns.