Approaches to managing compliance risk
Beverly J. Foster

Four compliance officers--at institutions ranging from $3 billion to $95 billion--talk about their programs, their backgrounds, and compliance training. They also present their wish lists for the coming year and offer advice to other institutions seeking to strengthen their responses to compliance risk.
In a recent "West Wing" episode, Chief of Staff C.J. Cregg is presented with two solutions to a problem with termites, while she also grapples with the prospect of major repercussions from Leo McGarry's secret meeting with Fidel Castro--not to mention the usual array of critical issues. With equal parts exasperation and exhaustion, she asks, "Can't we just get rid of the damn bugs?"
Compliance officers must feel like that. Not that long ago, compliance was a part-time job at many institutions; now there are compliance departments with multiple personnel, and the task still seems overwhelming. Everyone knows that examiners are looking at some issues with greater scrutiny than others, but no one's telling them which ones aren't critical. It might make sense for a compliance risk manager to pass along over-the-top mitigation demands to a bank's business line managers to ensure enough bug spray to kill the bugs several different ways. However, that's just not realistic. So they must help the business lines figure it out.
Compliance leaders from two community banks and two regional banks stepped out of the fray long enough to answer some questions from The RMA Journal on how their institutions are managing compliance.
The Programs
Responses from all four participants reflect the changing focus of the regulatory environment by stressing the importance of risk-based practices. Michael Matossian, chief compliance officer at Fifth Third Bancorp, says that when managing compliance risk it is imperative to "ensure the risk taken is the risk intended." Pacific Capital Bank's Compliance Department begins its mission statement, "To promote an effective risk control environment that ensures all protections and benefits adopted by lawmakers are extended to each customer of the bank, thus allowing the bank to better serve its communities." Banner Bank's risk-focused program is based on the requirements of its primary regulator, the FDIC, as well as best practices seen at other commercial banks, and is complemented by separate programs addressing BSA/Anti-Money-Laundering (AML), OFAC, and Community Reinvestment Act compliance.
Fifth Third Bancorp and PNC both are migrating toward enterprise-wide compliance programs. Fifth Third is enhancing its "reputation capital" by helping to ensure the bank's ongoing adherence to laws, regulations, and internal controls. An interesting second part of Pacific Capital Bank's mission statement is to minimize the level of regulatory expenses to the bank and its shareholders; the Compliance Department particularly prides itself on expertise in consumer protection regulations.
Not unlike the other institutions, the front end of PNC's process is a partnership with the business lines to help them identify emerging risks, advise them of changes in the regulatory environment, and work with them to develop compliant operating procedures and processes; the back end of the process includes compliance testing prioritized by risk in each business, using the results to work with the business lines on solutions to address any issues. "We maintain very open communication," says Jack Wixted, chief compliance and regulatory officer for PNC. "The stakes are much higher today for maintaining a robust compliance program. As has been seen, failure to do so, especially in anti-money-laundering, can be franchise-threatening. We want issues to surface immediately, so we can help our business lines address them; however, they all know that each line owns the compliance risk and must assume ultimate responsibility."
Fifth Third's compliance program generally consists of decentralized accountability for compliance at the affiliate level, centralized line-of-business direction, periodic compliance risk management (CRM) risk evaluation and assurance monitoring, and independent audits. In many ways, the basic program sounds similar to the enterprise approach used at PNC. Matossian sums it up by saying, "CRM sets the strategic direction, provides corporate oversight, manages bank-wide programs, assesses bank compliance, addresses identified compliance issues, enhances existing practices, and facilitates employee awareness and education."
Pacific Capital Bank's reviews of its compliance program may vary in frequency, scope, and detail, depending on risk and objectives, according to Sharon C. Prihoda, vice president and compliance manager. "The results of the reviews are communicated to the responsible business unit manager, senior management, and the board of directors," she says. In addition to directing the review process, the Compliance Department is responsible for:
* Overseeing compliance with the Community Reinvestment Act (CRA) through analytical reviews, periodic updates of a CRA program, and CRA self-assessment, and taking a leadership role in community development activities.
* Coordinating the enterprise compliance training program.
* Serving on task forces to advise on the compliance components of new products and services.
* Communicating changes in the regulatory environment.
* Reviewing forms, disclosures, and marketing materials.
* Reporting the status of compliance efforts to senior management and the board of directors.
* Contributing to written compliance policies and procedures.
* Answering employee questions regarding compliance issues.
* Maintaining the compliance library.
Wixted pulls together the compliance efforts of three compliance areas: retail, wholesale, and corporate and investment banking. Officers in charge of those areas are independent of the business lines and report directly to him. As chief compliance and regulatory officer, then, Wixted also oversees PNC's Corporate Compliance Centers of Expertise, including anti-money-laundering, privacy, Reg O, Reg W, and so forth. The goal is to provide a more centralized effort for these corporate concerns.
The compliance managers of smaller banks sometimes must function as their own centers of expertise. Tyrone Bliss serves as Banner Bank's principal BSA/AML officer with the attendant duties and responsibilities; serves as advisor to the bank's CRA officer and internal auditors; and serves as Sarbanes-Oxley Section 404 program coordinator, working closely with the CFO and Banner's Disclosure Committee on the design, development, and testing of the bank's Internal Control Program for Financial Reporting and Disclosure Controls.
As compliance manager, Prihoda supervises two compliance specialists and collaborates with the bank's compliance officer and compliance training analyst (see box, Pacific Capital Bank's Compliance Structure). The three compliance positions report to the associate director of risk management.

[Box: Pacific Capital Bank's Compliance Structure, headed by the Associate Director of Risk Management; illustration omitted]
Matossian's objective is one that is being adopted by many forward-thinking institutions moving toward an enterprise-wide approach to risk management: to develop and exercise a risk-based approach to compliance that balances the institution's business needs with its regulatory requirements.
One of the four chief compliance officers--Bliss--reports directly to the CEO and the board on matters of compliance risk. In addition, Bliss regularly participates in Audit Committee meetings. At Fifth Third, Matossian reports to the chief risk officer; he has access to the Risk Compliance Committee of the board, as needed, and provides the board with an annual compliance plan. Prihoda reports to the associate director of Risk Management, who prepares written reports to the Audit Committee of the board and also gives an annual presentation to the Risk Council; members of the Risk Council come from executive leadership. The director of Risk Management reports directly to the Audit Committee of the board and reports on compliance as well as all other risks. At PNC, Wixted reports to a vice chairman and also is a member of the Executive Risk Management Committee and reports directly to the Audit Committee on compliance as well as fiduciary risk and business conduct and ethics.
The Compliance Manager's Background
Bliss says that after 27 years in banking, he feels like he's always been in compliance. "But my career began in 1978 as a management trainee for a $100 million South Florida community bank," he says. "Not long after I'd been promoted to 'most junior lending officer,' I was sitting at my desk and noticed our EVP frowning as he read something. Suddenly, he called me over, handed me an official-looking document and ordered me to 'Read this over, write up an analysis, and tell me what we've got to do.' That document was Regulation O. After that, every new rule seemed to end up in my in-basket, and in January 1981 the board appointed me compliance officer. The trouble was, I learned about the significance of this role one unforgettable afternoon that July when a tall, determined man stood at my desk, announced he was an FDIC examiner sent to conduct our first comprehensive compliance examination! Things did not go well, but some years later, after many lessons learned, my bank achieved the FDIC's highest compliance rating."
Most of Prihoda's 30 years in banking have been in branch operations and branch management. She's been through three mergers and found that the key to merger survival is diversification. "My introduction to compliance began when I was a branch manager for a small community bank, where every bank officer wears many hats," she recalls. "After a successful outcome to an MOU [Memorandum of Understanding] at that bank, I found that I had a real affinity for compliance management and was positioned for a transition from branch management to compliance after I joined Pacific Capital Bank."
A diversified background is what brought Matossian to his position as well. He has held key risk management positions--including director of Regulatory Risk, director of Privacy and Anti-Money-Laundering, and general auditor--at several leading financial institutions over the past 14 years. He also spent 10 years at a Big 4 public accounting firm and two years with the Comptroller of the Currency.
Wixted may have the most heavy-duty compliance background, however, having served as a regulator with the Fed for 25 years before joining PNC three years ago. He focused on safety and soundness and compliance and notes that a number of people taking jobs as compliance managers at financial institutions have served time with regulatory agencies and Big 4 firms.
Most Policies Are Separate
Compliance departments at all four banks maintain their own complement of policies and procedures. Fifth Third's enterprise compliance policies are reviewed and affirmed by a management compliance committee before being presented to the board for approval. Matossian says each line of business is responsible for understanding and implementing appropriate procedures to comply with the policies.
Prihoda's department at Pacific Capital Bank maintains its own departmental policies and procedures for performing self-assessments and compliance reviews, but each business unit maintains its own policies and procedures into which compliance-related subject matter is integrated.
Wixted's department at PNC coordinates closely with Legal when developing policies and procedures and also maintains a close link with Operational Risk Management. "Tom Whitford [chief risk officer, member of the Operating Risk Committee, and chair of the Executive Risk Management Committee] and I are almost joined at the hip," says Wixted. "At the beginning of this year, Tom asked me to chair the bank's Operating Risk Committee to capture operating, compliance, and technology risks in a more focused, enterprise-wide approach."
While his department has its own operating procedures, Banner Bank's lending and operations policies and procedures are the primary source of guidance to employees on how to perform their jobs, says Bliss. "Compliance requirements are built into those documents, and our automated loan and deposit systems to the extent practical, and compliance officers serve as advisors on their development and maintenance."
Program Changes
None of the compliance programs are standing still. Wixted is not alone when he describes the current regulatory environment as far more aggressive and confrontational than it was a few years ago. "It's a tough job to stay on top of the known while trying to understand the unknown," he says. "A sales practice that was acceptable and considered common practice last year may be viewed as a criminal practice today with harsh ramifications for the institution." The line between honest mistake and negligence or deliberate transgression has grayed considerably, and "last year's clean bill of health doesn't mean anything this year." PNC's enterprise approach to risk management clearly has become the wave of the future, and being "joined at the hip" with Operational Risk is not only desirable--it's essential.
Programs of the other institutions also have responded to a more highly charged regulatory environment:
* Significant progress has been made in the past year to build a corporate CRM group at Fifth Third as well as to develop a compliance program across the enterprise. "Specifically, we've made efforts to improve compliance within CRM, by line of business, and by affiliate, through such initiatives as strengthening governance, establishing accountability, developing compliance key risk indicators, and creating consistent reporting and trending analysis," says Matossian. The key risk indicators and quantifiable metrics will enable Fifth Third to be more efficient and add value and at the same time provide a more comprehensive review of compliance from a risk perspective.
* Pacific Capital Bank has given additional focus and resources to BSA/AML compliance, resulting in a separate Financial Intelligence Unit, which reports directly to the director of Risk Management.
* Banner Bank's most significant change was its formation of the Compliance Oversight Team, whose members represent lending, deposit, and community banking managers as well as Risk Management and Internal Audit. "The team meets regularly to discuss current and emerging compliance challenges and issues," says Bliss. "Importantly, members possess the know-how to contribute practical and creative ideas to help improve the effectiveness and efficiency of the compliance program. This is helping us move toward an enterprise-wide, rather than myopic, form of risk management."
Training
Bliss says that all new employees at Banner Bank are required to complete a suite of seven courses, including BSA and CRA. Employees involved in deposits or lending must complete additional job-related courses, such as Electronic Fund Transfers (Regulation E) or Fair Lending Policy, within 90 days of hire. After this, all employees are subject to annual compliance training requirements. Most training is conducted in-person, using supervisor-led small group sessions. The bank subscribes to an online compliance training service, but it is used as a secondary resource. In addition, Banner takes advantage of low-cost Web-based training and teleconferences facilitated by regulators, trade associations, and consulting firms to help stay up-to-date.
Pacific Capital Bank offers instructor-led courses that cover some of the regulations, such as AML, Privacy, and Regulation CC. The schedule for those classes is available to all employees over the bank's intranet site. Personal training on any of the regulations also is available on an as-needed basis. Prihoda says her bank also offers computer-based training courses, some of which are designed by the bank and others licensed from an outside vendor. The Employee Development department maintains a comprehensive library of additional courses in either video or CD-ROM format for all the regulations that affect deposit, lending, and operations departments. Employees can browse the online course catalog and then contact Employee Development.
At Fifth Third, new employees receive compliance training and all employees receive additional compliance training through curricula that are set up by job families. Training is delivered through three channels: 1) about 80% is through e-learning; 2) 15% is through educational Web casts; and 3) 5% is provided in-person.
PNC is moving to an enterprise-wide compliance training program developed within the Corporate Compliance unit. "A few individuals have taken on the responsibility for delivery of all compliance training," says Wixted. "Again, the goal is to help the businesses and to let them know what they're accountable for." PNC uses classroom, intranet, and streaming video training. Ethics training is delivered centrally and uses video vignettes that require employee reaction to situations. "We try to anticipate where there may be emerging risk issues," he says. "We also use testing as a feedback mechanism to design training that is delivered by line of business."
Wish List and Advice
The top two wishes of all banks are probably those voiced by Bliss: 1) regulatory relief that genuinely reduces industry costs while preserving vital, substantive consumer protections; and 2) a level regulatory playing field for all institutions.
Wixted, too, is hoping for much clearer guidance from regulators as to acceptable tolerance levels. Another of Wixted's wishes is on its way to becoming a reality, as PNC tests ways to better leverage technology. "Traditionally, there are many processes involved in the monitoring and testing for compliance, and this is quite labor intensive," he says. "We're looking to create more intelligent monitoring and testing situations and to use technology at the front end as we build in processes to ensure we get it right from the first point of customer interface." Another wish in the making is the development of key risk indicators to measure compliance risk management performance. And PNC will continue to work toward holding people accountable in the business areas and tying incentives to compliance. "It's important to set the tone at the top in order to create a culture of compliance," he says.
Matossian and Prihoda are looking for more automation in the risk assessment process as well. "Technology enhancements to front-end controls that would allow for more compliance steps to be embedded into the process and the development of an executive dashboard would both be on my wish list," Matossian says. Prihoda echoes that, saying she'd like to have turn-key compliance dashboard software that incorporates all the internal control systems needed to ensure compliance--policy, procedures, process, training, monitoring, accountability, and testing. Her dream software "would have a home page for each business unit with links to their policies and procedures, training content and attendance documentation, compliance reviews and internal and external audit findings, management responses, and follow-up testing," she says.
As for advice to other institutions working to improve their compliance efforts, Wixted again offers that "It starts at setting the culture and getting compliance risk management to be part of the institution's DNA, just as credit and market risk management are. Everything must be reinforced through performance." Matossian believes that compliance excellence combines well-thought-out strategy with passion and focus. "I would encourage compliance officers to always do the right thing," he says. His recommendations include:
* In addition to identifying short-term fixes, invest in and implement long-term solutions.
* Seize instances of errors that have been identified and view them as opportunities to create positive change.
* Never lose sight of the overall business objective and the impact on the customer's experiences.
* Take into consideration the realities of running a business to ensure that the risk taken is the risk intended.
Bliss says that to survive and thrive in today's environment, compliance officers must:
* Carefully craft the scope of their programs, being certain of what business units are accountable for, and be willing and able to stand up and say that not everything is a compliance issue.
* Perform meaningful risk assessments and get them in front of executive management and the board. Use them to negotiate for adequate resources to accomplish program goals. Don't be a martyr: It accomplishes little, and you won't last long!
* Learn to enjoy the fact that tomorrow will bring something new.
Two tips from Prihoda are to 1) create report templates for each regulation that include regulatory citations and 2) spend more time planning and scoping reviews to focus resources on the highest risk. "Meet with the business unit well in advance of your arrival date and provide the documentation request list so that you can achieve the timetable established in your review calendar," she says. Prihoda's advice ends with telling compliance officers to remember that their job is not compliance; rather, compliance is everyone's job. "Your job is program management," she says. "You manage the compliance program by promoting accountability within the business units."
Time Allocation within the Compliance Department (percentage of department time)

Activity                                          Banner Bank   Pacific Capital Bank   Fifth Third Bank   PNC Bank
Policy and procedure development                  10%           10%                    10%                10%
Monitoring and testing                            20%           30%                    25%                30%
Training                                          10%           20%                    5%                 10%
Providing advice on an ad hoc basis               25%           20%                    25%                20%
Reporting (internal, to other units, to board)    10%           15%                    20%                15%
Managing                                          25%           5%                     15%                15%

PNC's Wixted notes that certain staff may perform several functions, and percentages may vary by division. In AML, for example, one group of people is doing testing 100% of the time. Likewise, Pacific Capital Bank has a separate department for AML.
The Participants
Michael Matossian, Chief Compliance Officer, Fifth Third Bancorp
Fifth Third ($94.5 billion, 1,088 banking centers in the Midwest and Florida) is a diversified financial services institution operating four main businesses: retail, commercial, investment advising, and Fifth Third Processing Solutions.
Jack Wixted, Chief Compliance and Regulatory Officer, PNC Bank
PNC ($80 billion, 776 branches) is a diversified financial services company that includes a five-state regional banking franchise and leading asset management and global fund processing businesses.
Sharon C. Prihoda, Vice President and Compliance Manager, Pacific Capital Bank, N.A.
Pacific Capital ($6 billion, 45 branches) is the largest independent banking company headquartered on the Central Coast of California. Differentiating products include successful electronic income tax refund programs, indirect auto finance, commercial equipment leasing, and the largest trust and investment services operation headquartered in its markets.
Tyrone J. Bliss, CRCM, Senior Vice President and Senior Risk Management Officer, Banner Bank
Banner ($2.9 billion, 50 branches and 12 loan production offices) is a commercial bank located in Washington, Oregon, and Idaho, with specialties in commercial real estate, construction, residential real estate, business, and agricultural loans.
Contact Beverly Foster by e-mail at [email protected].
Beverly Foster is editor of The RMA Journal.
COPYRIGHT 2005 The Risk Management Association
COPYRIGHT 2005 Gale Group