Compliance officers are holding the proverbial ball when it comes to managing regulatory compliance examinations. Those who have experienced consistent, positive outcomes typically attribute their success to the fact they have a plan that they stick to, year after year, to help ensure there are no surprises and to portray their organization in the best possible light.
Before your financial institution begins prepping for a federal, state or SRO regulatory compliance examination, consider these commonsense but oft-forgotten ABC’s that many successful regulatory compliance examinations have in common.
Whether you have automated your examination process or not, these principles will help reduce some of the stress associated with regulatory compliance examinations at your institution. If you are a seasoned compliance professional, it is likely that all or most of these steps will be familiar—but this is a great primer to share with newer compliance professionals whom you are mentoring. If you are new to regulatory compliance in the financial services industry, welcome aboard and please take note.
While some of these ABC’s may seem almost too basic, it has been my experience that when strict protocols are not required, especially in the heat of an examination, corners can get cut: suddenly, one’s records of production are incomplete, or other problems arise that can come back to haunt your institution.
A is for advance work
Always ensure you are prepared to discuss with your regulator what is new or changed at your institution since your last examination by keeping regulators’ expectations in mind when:
- Conducting regulatory change management;
- Assigning compliance training;
- Incorporating regulatory compliance requirements into business processes;
- Monitoring operations for adherence to compliance requirements;
- Considering material new or changed products, customers, locations and services;
- Taking internal corrective action; and
- Updating Compliance Program materials.
B is for before the exam
Before your institution’s next regulatory exam, be prepared to respond knowledgeably to questions related to items noted during the previous examination cycle, even those identified by other regulators. This is especially important if you are new to the institution. You never want to hear an examiner say, “How could you not know we were going to ask you about that?” But what can you do to avoid this dynamic? Here are a few best practices:
- Review the last few examination records and make sure your institution is not repeating a finding—even a small one. Be particularly wary of items resolved during a previous exam that may have fallen off everyone’s radar. No item that made its way into an examiner’s report is too small to pay attention to and ensure the item was addressed—especially if it could have a negative impact on customers. Do not rely on every item making its way to a spreadsheet maintained by the institution—review the actual examiner’s report.
- Read and acknowledge your regulators’ Examination Priorities or similar release every year by understanding each item as it applies to your institution and, if you have not done so already, conducting testing or monitoring in those areas.
- Educate supervisory and senior leadership about current regulatory compliance issues facing the industry. Include recent actions by your institution’s regulator(s) such as new or changed laws, rules, regulations, and guidance—and where relevant to your institution, enforcement and disciplinary actions.
- Be prepared to demonstrate adjustments to policies, procedures, risks, and controls made to account for new or changed laws, rules, or regulations.
C is for centralizing the process
Consider centralizing the documentation and examination process to safeguard against having an incomplete record or other issues. Best practices include assigning a reliable resource (Exam Manager) to own the examination record. This will make the examiner’s life easier and ensure the institution responds timely to inquiries. Consider having all exam matters and documentation flow through this resource.
D is for documentation best practices
Scrutinize the initial and any subsequent production requests, including instructions provided as to type of document(s) accepted, submission process, or other elements of the exam process particular to that regulator. If you are not certain or have questions, contact the examiner. Best practices related to documentation include:
- Deliver only what the regulator requests. Avoid producing any artifact without a thorough review by senior compliance personnel.
- Clearly mark each item with the corresponding naming convention used by the regulator. The institution’s record does not have to mirror the regulator’s taxonomy, but it must include it to avoid confusion. It is best to mirror it if possible.
- Documents and reporting produced should look the same year over year; otherwise, explain the reasons for any substantive changes (e.g., new system).
E is for examiners are people too
Let your examiner know through your words and actions that you understand and apply their guidance. Use the “magic words” your examiner uses—avoid using internal jargon to explain how your institution functions.
Take advantage of all the exam prep materials and guidance your regulator provides.
Seek out your examiner’s opinion on thorny compliance questions (after vetting with your Law Department). They are unlikely to give you hard and fast answers, but the examiner may help you frame how your institution should handle an issue or respond to an inquiry from the business.
Ensure your examiner understands who the Exam Manager is and how they will interact during the exam.
F is for first impression
If possible, at or prior to the examination, create and deliver a compelling but brief story of your institution, its products and services, customers, footprint, and strategic vision. Include how you plan to deliver more value to your customers (e.g., improved authentication methods, etc.). Share a copy of the presentation with your examiner(s) for reference during the exam.
Remember to have the presentation fully vetted by Compliance, Legal and Senior Leadership to ensure it is factual and to ensure they are familiar with how the elements of the institution’s business model are framed.
You may also want to share in your introductory meeting, at a high level, those issues that your type of institution has identified as the high-level risks associated with your business model and how they are addressed.
G is for gaps identified
Consider apprising your examiner of identified gaps in your regulatory compliance program related to their scope of inquiry, along with an appropriate-level explanation of mitigation efforts. Examiners will appreciate your candor and have a healthier respect for your risk assessment process.
Ensure that a robust process is in place to show how your compliance policies are operationalized where appropriate by procedures and managed for effectiveness by controls. Consider conducting a mock examination or having one conducted by a third party. To be effective, do not cut corners during a mock exam.
H is for handling the exam
Remember to apply your institution’s data protection and on-site security protocols.
Be on time with production items or give notice of the delay prior to the due date or time. Explain the delay honestly in a way that does not point to problems with your institution’s recordkeeping. Let the examiner know when they can expect the item—then deliver it by or before that time. All personnel should avoid tardiness at meetings with your examiner.
Help reduce the number of follow-up documentation requests from your examiner by ensuring that the initial material your institution provides is completely responsive to the question(s) asked and does not require a lot of explanation. Senior compliance personnel should review and approve all items prior to production.
Require all requests to be in writing and use the regulator’s taxonomy for tracking. Often, an examiner will ask the institution to produce something already produced for another purpose. Only proper recordkeeping by your Exam Manager will ensure that connection is made, and the right artifact provided again.
It is okay to respectfully question the need for production items that may not apply to your business model or to suggest alternate records once you fully understand the purpose of a request.
Retain a copy of every communication related to the examination, particularly those between the institution and the examiner(s), the Exam Manager, and anyone related to exam production and those that explain an exception, anomaly or material decision made related to the examination.
I is for innovative examination management solutions
Following a consistent process, whether automated or manual, will reward institutions, especially over time. Automation of the regulatory examination process will further ensure consistency by utilizing workflows, calendaring, checklists, and other tools that will provide robust monitoring, tracking, and reporting on your examination(s).
Innovative, automated compliance solutions are becoming more user-friendly, reliable, and affordable. If you have not done so already, seriously consider automating the examination process for your institution to the extent possible.
J is for judicious recordkeeping
When the onsite examination has ended, take time to go through the record of the examination and organize it judiciously. Where necessary, appropriate, and permissible, revise the record, such as by cleaning up hastily taken notes to ensure their meaning will be apparent to a reviewer. Include senior leadership in this review to facilitate understanding and to ensure that compliance, legal and business personnel are on the same page as to the handling of the exam, how the institution responded, and any expectations regarding results.
K is for kick off remediation
You were likely apprised of potential findings by your examiner in the exit interview or at times throughout the examination process. Ensure appropriate committees and senior leaders are informed and involved in determining ownership and supervision of remediation efforts. There should be clear ownership, supervision, documentation and tracking of each finding to remediation. Once complete, appropriate controls should be assigned and monitored for effectiveness.
Once you receive the official examination results, review them carefully to ensure your institution is addressing all findings including those considered “observations.” Respectfully question the application of findings to your institution if you have a well-reasoned argument as to why the finding is not warranted.
L is for last words
You have survived an examination of your institution and now have a robust record of the event and any continued handling that is required. So, no need to continue with the alphabet, as you have this process under control. Now just lather, rinse and repeat!
Best of luck on your next regulatory compliance examination.
Based on the FDIC Consumer Compliance Examinations - Compliance Management System Part II-3.1 available at: https://www.fdic.gov/regulations/compliance/manual/index.html