Regulatory Compliance Expectations for Regional & Community Banks

Given the recent emphasis on culture and conduct risk, regulators have raised the bar on reporting expectations for compliance functions within regional and community banks. Banks are now challenged to improve their compliance culture and reporting while keeping their regulatory responsibilities and compliance initiatives balanced and aligned.

As it relates to compliance program reporting and oversight, the board is primarily responsible for the following:

  • Ensuring that the bank has a comprehensive, effective compliance program and that the oversight framework is reasonably designed to confirm compliance with applicable rules and regulations, as well as to address consumer protection exposures.
  • Setting an appropriate compliance and consumer protection culture.
  • Adopting compliance risk management policies that are consistent with business strategies and risk appetite.
  • Overseeing the structure and management of the bank’s compliance function.
  • Establishing clear policies regarding the management of key compliance and consumer risks and adhering to these policies in practice.

The board must determine that leadership within the bank is capable and properly resourced to manage the compliance risks arising from its business activities, and that the compliance function has sufficient authority within the bank to carry out its activities effectively. Corrective actions, including disciplinary measures, may be taken when a material breach of policy occurs, or when serious compliance and consumer protection failures are identified and reported.

An increasing area of compliance focus is reporting on emerging risks by identifying current and relevant risk factors, such as industry hot topics or specific areas of regulatory scrutiny. Emerging risks can be defined as current and anticipated changes to the business and regulatory environment that could create the potential for failures in identifying, quantifying and mitigating risk, within a short-term (under one year) to long-term (greater than one year) time frame. Emerging risks are generally captured when there is both a high probability of occurrence and a high severity of impact if realized.

Regional and community bank compliance officers should be completing and maintaining a compliance risk assessment that identifies low, moderate and high risk areas of potential noncompliance, including the relevant risk factors. Periodically, the bank’s business unit management should provide a self-assessment of the state of compliance within their business units. This first-line-of-defense reporting by business units to the board on compliance risks is often combined with a more holistic overview of business risks.

Many banks empower the chief compliance officer to provide an independent assessment of the bank’s compliance program effectiveness, including the status of the compliance program within the first line of defense (for specific business units). In board meetings, banks often use a compliance program scorecard as an agenda point to illustrate the current progress of each key element of the compliance program, action plans in the business and related training. These scorecards often provide ratings (e.g., poor, satisfactory, meets standards, etc.) for each element of the program across business units. Color-coding scorecards to highlight weaknesses is another way to flag the areas that require remediation.

Compliance reporting should provide sufficient detail to the board on significant gaps in the bank’s compliance program and the actions needed or taken to address those gaps. Given the recent issuance of the Office of the Comptroller of the Currency’s (OCC) Bulletin 2017-43, it is incumbent on the compliance function to report the impact of new, expanded or modified products and services on the compliance program. Compliance considerations should be incorporated into product/system development and modification processes, including changes made by third parties. Compliance reporting can also include targeted deep dives on emerging risks or topics that allow the board to understand the compliance program and its oversight from a safety perspective.

Following best practices from peers, banks typically report to the board on the top three to five compliance risks that have a higher degree of probability and impact on the bank, commonly: Bank Secrecy Act/Anti-Money Laundering (BSA/AML); privacy/information security; unfair, deceptive or abusive acts or practices (UDAAP); Fair Lending; and the Community Reinvestment Act (CRA). Reporting on the top compliance risks to the board should include the most significant inherent risks impacting the bank. These risks may vary depending on the bank’s current environment and could include key strategic initiatives that carry substantial regulatory risk (e.g., outsourcing, off-shoring, acquisitions, significant changes in management positions, new regulations, etc.).

The report to the board should include a summary of why these risks are considered significant to the bank, the financial and non-financial exposure to the bank, and the mitigation of these risks in terms of corrective actions. Board reporting should also state whether these top risks are concentrated in certain business units or apply across the enterprise. Last, but not least, compliance reporting should address whether the bank has the appropriate resources to address these risks. Control systems should effectively identify violations or compliance system weaknesses and confirm that corrective action is prompt and reasonable.

There is a need to drive more effective board reporting on a bank’s top compliance risks and to include training that covers consumer risk topics and industry trends. Just as risk management reports to the board on key enterprise risks, compliance reporting should focus on informing the board of key compliance risks. For the board, compliance reporting metrics should be linked to the bank’s risk appetite statement and provide a clear understanding of the compliance program’s progress and effectiveness. Reporting should provide clarity about management’s actions to mitigate compliance risks and consumer risk exposures, and about any actions required by the board. Regulators are focusing their attention on determining that the board and bank management maintain high standards with regard to culture and conduct. Additional focus is placed on bank employees being empowered to report wrongdoing, so that remedial actions can be implemented.

About DHG Financial Services

DHG Financial Services professionals provide you with in-depth industry knowledge and a wide range of advisory, assurance and tax services to address issues facing your industry in today’s challenging environment. For more information, visit