As a risk and compliance engagement manager, Kirsten Furlong provides direction and support to various members of executive management to ensure legal and regulatory requirements are met, and follow best practices across all business areas. Additionally, Kirsten serves as a catalyst for technology management and business integration as a systems administrator with a primary focus on strategic information technology planning, GLBA training, IT steering committee facilitation, IT budget planning and overseeing IT examinations and audits.
You are hereResourcesOur ViewpointsCompliance and the Community Banker
The specter of pending regulation like Dodd-Frank and the expansion of the existing Gramm-Leach Bliley Act (GLBA) regulation have heightened the need in community banks for connected governance, risk, and compliance well beyond the internal audit and compliance departments. Executives, corporate boards, risk managers and business managers are all under increased oversight and scrutiny by regulators, shareholders, and external auditors alike. As a result, internal audit and compliance professionals are faced with ever increasing information requests, new compliance requirements, and constant pressure to do more with less. If you haven’t felt that increased pressure of late, don’t worry: you will.
That the community bank’s compliance professional has to wear many different “hats” facing expanding regulation and increasing threats is nothing new. That individual has had to bridge compliance knowledge in disciplines as disparate as deposits, loans, and the Community Reinvestment Act, while also owning responsibility for highly specialized and sensitive areas like information technology and Bank Secrecy Act/Anti-Money Laundering (BSA/AML). However, the scope and depth of that responsibility has never seemed greater. While serving hundreds of community banks nationwide, we are seeing the lines blur between compliance, audit, and overall corporate governance functions while the breadth and depth of expertise expected of the compliance professional continues to expand. What was distributed to multiple department managers in compliance and audit seems to now be trending towards centralization, and what that individual is expected to know and own is broadening daily.
An excellent example is how the compliance professional is now expected to know “best practices” that are followed in the industry, typically something that would have neither been expected of nor directed to this function. Instead, it was formerly aimed at the line or senior management of an institution. Rather, we have now witnessed examiners question the compliance officer at community banks on the basis for setting up specific controls and offer “suggestions” on where that professional can tap into other banks’ solutions to regulatory mandates. This is evident as it relates to Corporate Account Takeovers and the Authentication Guidance supplement issued in June 2011.
Why have examiners drawn community bank’s attention to best practices as it relates to the above? The answer is simple: Banks have thus far had an inadequate and muddled response to that new mandate and account takeovers are growing in frequency and complexity. Regulators have begun examining institutions for conformance to the FFIEC Authentication Guidance, which at its core prescribes just two minimum requirements for layered security programs: the ability to detect and respond to anomalous activity, and enhanced controls for system administrators. Yet, nearly a year after the supplement was issued, many banking institutions still are not prepared to meet the two very basic requirements of the guidance: that the "security and confidentiality of customer records and information…protect against any anticipated threats or hazards to the security or integrity of such records," and "protect against the unauthorized access to or use of such records." This lack of preparation will be problematic when the IT examiners next examine the Bank; that is, of course, if the criminals don’t get there first.
So against this backdrop of increasing pressure and complexity, what is the community banking compliance professional to do? While many institutions may find fraud threats and compliance mandates too complex and great in number to focus on, the alternative to ignore them is not an option. Instead, compliance professionals should indeed focus on meeting those regulatory mandates, since doing so can pay excellent dividends by: 1) improving security and compliance, and 2) protecting the bank against the very real technical and financial threats growing in an increasingly technology- based industry. There is also excellent potential to help improve both security and compliance and meet regulatory guidelines by leveraging knowledge outside the institution. However, the first step in taking control is to be proactive, not reactive.
Proactive Steps for the Community Banker
- One significant step the community banker can take is to reach out for supplemental resources to address those compliance areas that are highly specialized or technical in nature. While the bank may have core expertise in all the many deposit-related regulations, the compliance specialist will be seeking to enhance that expertise in specialized areas like information technology, BSA/AML, or business continuity and recovery. Many compliance firms offer such expertise, but the community banker needs to evaluate such firms carefully and ensure that they have depth, and focus, and remain current with this rapidly evolving landscape. It is also critical that compliance firms and their programs be assessed as to their appropriateness to the size and complexity of the community bank itself. With the right compliance partner, a community bank can bolster its internal programs considerably to both meet regulatory demand and improve its ability to prevent and/or detect fraud and unauthorized access.
- A second important step can be putting into place automated solutions that can simplify meeting current regulations already in force while preparing for those that are still emerging or expanding. From those banks we encounter across the country, we are being asked daily for solutions that automate and integrate the IT-related risk and compliance programs the community banker is expected to maintain.
- Finally, the community bank can engage an independent third-party to audit the institution’s current programs and overall governance to assure they are constructed with the appropriate scope and depth, and personnel are informed about current threats, regulations, and best practices being used by other community banks throughout the country. The collective intelligence gained by exposure to numerous community banks in your state and throughout the nation can represent considerable value above and beyond the specific deliverables at hand. Taking these steps in a proactive manner will not only improve your bank’s security and compliance, but also put you ahead of the regulatory curve.
D+H, in conjunction with your financial institution’s team, can assist you in any of these three ways:
- Offering consultation on current IT-related regulation
- Delivering an automated solution, such as Risk Director to integrate IT risk management, business continuity, audit/vendor management programs, and reduce your compliance burden
- Reviewing and assessing your current IT control structure to ensure your controls are sound
As a final point, a risk and compliance professional engaged with your community bank can help you meet the growing regulatory demand, gain the benefit of highly specialized expertise, and automate your existing programs while positioning your institution for the emerging threats and regulations ahead.