Corporate Governance and the Culture of Compliance: Top 10 Issues Facing Financial Institutions in 2017 #7
Financial institutions also face challenges that are less prescriptive than others we have profiled in this series. One example is governance and culture. In the last year, many regulators have discussed corporate governance considerations and compliance practices, not only in light of enforcement actions addressing incentive compensation and sales practices, but also in light of specific guidance on how institutions can establish a broader culture of compliance. Financial institutions’ considerations should begin with the board of directors and senior management and make their way down throughout the organization. Creating the right “tone at the top,” effective communications, and solid incentives can help institutions navigate the labyrinth of aspirational guidance from federal and state regulators.
Financial institution regulators have outlined some of their expectations in recent guidance. For example, the Financial Crimes Enforcement Network (FinCEN) issued an “Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance” in August 2014; the Federal Reserve has issued SR Letters 08-08 and 16-11 focusing on risk management expectations for institutions of all sizes; the OCC updated its Handbook on Corporate and Risk Governance in July 2016; and the FDIC outlined corporate governance expectations in a special edition of its Supervisory Insights publication in April 2016. Each piece of guidance demonstrates increasing levels of attention paid to corporate governance practices and the regulators’ commitment to making compliance a priority within financial institutions.
This is why it is important for institutions to establish effective corporate governance practices and foster a culture of compliance as part of their risk management program. For banking institutions, examiners review their corporate governance and culture of compliance when they assess the bank’s management – i.e., the “M” in the bank’s CAMELS rating. For other financial institutions, corporate governance is a key driver for the broader risk management and compliance review conducted by the applicable regulator. When regulators conduct these assessments, they typically look for board of directors and senior management oversight, or “tone at the top”; adequate policies, procedures, and practices; proper alignment of incentives; risk monitoring; and internal controls.
“Tone at the top” is a catch phrase in the risk management context and implicates the board’s role and responsibility to set the risk appetite and risk level appropriate for the financial institution. The board is also “responsible for creating a culture that places a high priority on compliance and holds management accountable.” Regulators want to see that compliance is embedded in the daily operations of the financial institution and that the three lines of defense – frontline business units, compliance teams, and internal audit – are developed and operating effectively.
So what can financial institutions do in light of the regulatory guidance and expectations in this area? We suggest conducting an internal assessment of the institution’s culture of compliance in at least the following five key areas:
Board Integration. How is the board involved in demonstrating a “tone at the top” with respect to compliance?
Open Communication. Are communication channels effective up and down the institution regarding risk and compliance issues?
Accountability and Incentives. Are there incentives, monetary or otherwise, that compromise compliance? Are there clear lines of responsibility?
Testing and Measurement. Has the institution engaged an independent party to test the risk management program? Is the institution measuring its response times to regulators, consumer complaints, or internal audit?
Awareness, Training and Support. Is the institution devoting adequate resources to the compliance function? Is training conducted that addresses new or exceptional compliance challenges?
An internal assessment in these five areas will provide a useful starting point for understanding what regulators are looking for with respect to a culture of compliance and effective risk management. Governance and culture are hot-button issues for financial institutions. Having strong corporate governance structures and a solid culture of compliance can give an institution a substantial competitive advantage.