When someone asks, “what did you do over the weekend?” they don’t really expect you to give them every single detail. You’d tell them anything interesting, funny, or out of the ordinary, or if nothing much happened, you’d just say, “the usual.” For financial institutions awash in a sea of regulations, compliance issues are part of what you deal with day in and day out. So when it comes time to present to the Board of Directors, deciding which issues to present and how to present them is a bit tricky. Do you give them every single compliance detail, or do you give them just a broad, basic overview (“Everything’s great!”)? There’s a delicate balance between not wanting to alarm the board while making sure the board is aware of the need to devote sufficient resources to address potential compliance concerns.
More specifically, the questions financial institutions should ask are: What level of concern should be brought to the board’s attention, and what can be handled at the management level? And if an issue does merit presentation to the board, how can you present the information in a way that helps the board appreciate your institution’s compliance risks and decisions?
Telling the Board
The quick answer to the first question is that you should definitely tell the board about compliance issues that are likely to receive regulatory attention before your regulator does. A system of regularly identifying and addressing compliance deficiencies necessitates acknowledging them early on in the process. The list of enforcement actions is filled with violations that started out as small items or aberrations that were not appropriately acknowledged and addressed, leaving them to grow to become costly issues. That said, many issues can be handled on a management level and don’t require board attention.
In determining which issues rise to the level of board attention and which don’t, it becomes a matter of assessing the degree of the potential concern. One way to do so is to assign identified issues to one of three levels of potential violations:
- Level 3/High Severity: Potential issues that may result in significant negative consequences to consumers or members, or that involve a pattern or practice of discrimination on a prohibited basis, including redlining or discouragement. These concerns, if proven, typically result in a request or requirement for restitution in excess of a given dollar amount (for example, $10,000 in aggregate).
- Level 2/Medium Severity: Potential issues that may reflect systemic or chronic problems. If proven, they represent a failure of the bank/credit union to meet the requirements of part or all of a regulation or statute. These concerns, if validated, may prove to have had a small negative impact on consumers/members, or have the potential to do so if left uncorrected. These issues may result in restitution in an amount below the Level 3 threshold.
- Level 1/Low Severity: Potential issues that are likely isolated or sporadic, or systemic concerns of such marginal impact that they are unlikely to affect consumers/members. These concerns are typically due to individual failures to follow established procedures, or to minor errors in the implementation of procedures intended to meet the obligations of a regulation or statute.
Informing the Board of Level 3 concerns is, of course, vital, as it is for most Level 2 concerns. Conversely, Level 1/Low Severity potential concerns are unlikely to have a material impact on the financial institution. While these may not require board attention, they should nonetheless, if proven, trigger appropriate response efforts and post-action notification, and would more likely be presented to a committee (e.g., Supervisory, Compliance, Audit) than to the full board.
Helping the Board Appreciate Compliance Risks
After identifying the level of risk posed by the potential issue, you may then determine that presentation to the Board is advisable. This is when a compliance officer faces the second portion of the balancing act: How can I help my Board understand, or at least appreciate, our compliance risks or our current compliance situation in a way that doesn’t unnecessarily sound the alarm, but helps ensure that the institution is devoting adequate resources to address the issue?
As with most misunderstandings, a common pitfall here is a lack of context. When it comes to a Board’s understanding of its institution’s compliance risks, it is worthwhile to take the time to provide both context and trend information. It is easy to say, for example, that your institution’s fair lending risk is rising, as it is across the industry in general, but what is the direction of that risk relative to your institution specifically: its products, services, personnel, regulatory factors, and so on? The importance of presenting this context cannot be overstated if you wish the Board to understand the reasons for the decisions and actions taken to mitigate risks.
To illustrate, one financial institution recently decided to disconnect the CIP/CDD/EDD module of its AML system because, after much thought, it considered the module a duplication of effort. Did the Board understand and accept the aggregate risk created by that decision? When a decision is presented without context, this is unlikely.
Sometimes, despite our best efforts to the contrary, a decision presented without context is not fully appreciated by the Board until it is too late, if at all. The Board and the decision are then out of alignment. At that point the Board might ask: Did the Chief Risk Officer or the Compliance Officer do his or her job? However, by appropriately filtering the concerns that merit presentation to the Board, and by providing adequate context to help the Board understand the risks and the decisions, it is far more likely that your Board presentations will achieve the right balance.