Regulatory Avalanche
By Jack Milligan
A tide of new regulations is forcing
banks to build a true compliance culture.
Bank compliance officers are accustomed
to red tape, but the avalanche of new regulations from
Washington has them feeling swamped. Since 2001, legislation
such as the Sarbanes-Oxley Act and the USA Patriot Act
has sparked an exponential increase in the banking industry's
compliance burden, piling ever more work on the desks
of legal staff.
The burden will probably grow even heavier,
given the likelihood that several additional regulatory
initiatives will be coming down the pike. Along with new
rules for the mutual fund industry, there will be changes
to the Real Estate Settlement Procedures Act and a possible
crackdown on purported "predatory" lending.
"We have clients turning themselves
inside out trying to cope," says Brian W. Smith, a partner
at Washington-based Mayer, Brown, Rowe & Maw and former
general counsel at the Office of the Comptroller of the
Currency.
These developments have exposed a weakness
in the traditional approach to regulatory compliance,
which tended to be splintered across various provisions
and regulatory agencies. A more cohesive approach is now
needed, both to meet all of the requirements and to deal
with compliance as efficiently as possible. And experts
say there is little choice in the matter.
As much as bankers might decry what
many see as an unfair burden, there's little to be gained
by taking their complaints public. Recent well-publicized
corporate scandals, at the former Enron Corp. and WorldCom
Inc., for example, and now in the mutual funds industry,
have created a political environment that promotes regulatory
zeal. Bankers probably have no choice but to hunker down
and improve their compliance procedures.
And many institutions are doing exactly
that, by hiring more staff, boosting their training efforts
and taking a more proactive approach to compliance by
trying to anticipate likely changes in regulatory policy.
More fundamentally, some banks are
integrating compliance with their overall risk management
function by having their top compliance officers meet
regularly with senior business line managers to make sure
legal and regulatory issues are properly explored. Such
an "enterprise risk management" structure is designed
to view all risk — market, credit, operational,
and compliance — from a comprehensive rather than
siloed perspective.
The key to making all this work is
a compliance culture that permeates the entire organization.
Compliance officers stress the importance of building
an effective partnership with the company's business managers,
beginning with the chief executive officer. Banks that
lack such a culture may have a difficult time adapting
to the current regulatory environment.
"If you're not in a culture where compliance
matters to the top dogs — get out," advises Mary
Faith Floyd, senior vice president and corporate compliance
manager at Memphis-based First Tennessee National Corp. "Without that, you won't get results."
"C-1" Risk
It's a truism that financial regulation
is often born of crisis, and the current situation is
no exception. Recent corporate scandals, for example,
begat Sarbanes-Oxley, which imposed tough new accounting
and financial controls on all public companies, including
banks and thrifts. The Sept. 11, 2001 terrorist attacks,
meanwhile, led to provisions in the USA Patriot Act designed
to combat money-laundering activities, as well as renewed
emphasis on compliance with the Bank Secrecy Act, another
major anti-money laundering law that has been on the books
for several years.
Most recently, unethical practices
at several large brokerage firms — some owned by
commercial banks — resulted in an agreement with
the Securities & Exchange Commission that imposed
new restrictions on their research and investment banking
departments. Even legislation that wasn't originally focused
on financial services must be factored into the picture,
such as the recently enacted Can-Spam Act, which purports
to cut down on unsolicited e-mail. "You still have to
read it and you have to understand it," Floyd says.
The public's disgust with the surfeit
of corporate wrongdoing has given all public companies
a heightened awareness of what Jack J. Wixted, chief regulatory
officer at Pittsburgh-based PNC Financial Corp., calls
"C-1 risk," or the risk of reading about your company
one morning on the Wall Street Journal's C-1 page, which
often covers regulatory matters.
PNC knows firsthand. The bank got into
trouble when it transferred $762 million in substandard
loans from its balance sheet to a special purpose entity
in 2001 and took a gain that, according to regulators,
improperly inflated its earnings by a reported 52%. The
company was slammed with an enforcement action by the
OCC and Federal Reserve, and also had to restate its 2001
earnings. "We can't afford another reputational body blow,"
Wixted says.
Although conclusive data is difficult
to come by, it's probably safe to assume that most large
banks have been forced to add staff to their compliance
departments in response to the flood of new regulations.
PNC, for example, has had to increase its compliance budget
over the past 18 months, although Wixted declines to provide
specific numbers. Floyd, who oversees the compliance audit
process at First Tennessee, has seen her staff more than
double — to a total of 15 — in just two years.
Although Floyd believes she is sufficiently staffed at
the moment, she adds, "It's not going to be sufficient
for long, at this rate."
Catherine M. Brown, the chief compliance
ethics officer at Charter One Financial Corp. in Cleveland,
has thus far avoided adding new staff to her small four-member
department by simply assigning more work to everyone,
herself included. This is in keeping with Charter One's
strategy of being a low-cost operator; the company reported
a lean-and-mean efficiency ratio of just 42.34% last year.
"Right now it's okay," Brown says, while at the same time
expressing concern that the explosion in new regulations
— combined with the bank's own growth — will
require more compliance employees eventually.
Along with the hiring, banks are placing
renewed emphasis on training as they try to educate their
employees about the new regulations. Brown works closely
with Charter One's training department, which maintains
nearly 40 different compliance modules that are updated
regularly. Many of the training modules are function-specific,
so only certain employees are required to take them. But
all 8,000 Charter One employees must receive training
on the Bank Secrecy Act, along with various anti-money
laundering restrictions, identity theft and suspicious
activity reporting.
Enterprise Risk Management
New staff and training are helpful
to a point, but some more fundamental initiatives also
are needed, such as according a higher status to compliance
and integrating it within the institution's overall risk
management function.
At First Tennessee, for example, Floyd
reports to the bank's senior risk management executive
rather than to its general counsel. The company also maintains
a compliance committee that meets regularly as part of
its overall risk management effort. Members include Floyd
and senior line managers throughout the highly diversified
organization, which includes a national mortgage company,
a mutual fund business and a discount brokerage operation.
"All of the various components of risk
are affected by legal and regulatory issues," Floyd says.
"To leave out that chunk of it would leave you exposed.
The compliance committee is one of the ways that we educate,
and in turn are directed by, management."
This policy of viewing major risk exposures
(market, credit, and operational) from a holistic rather
than siloed perspective is known as enterprise risk management.
In a survey last year of 30 leading financial institutions
around the world that have adopted this strategy, First
Manhattan Consulting Group found that virtually all of
them had added compliance to the mix.
The advantage of this approach is better
decision making across the corporation, says Alden L.
Toevs, an executive vice president at First Manhattan.
He cites the theoretical example of a bank that thought
it could gain a competitive advantage by promoting itself
as being stronger on matters of client privacy than its
peers. "If you developed a set of policies without consulting
the compliance people, you might not do all the things
the regulators want," Toevs says.
Compliance pros also see a need to
be more proactive in anticipating changes that might come
out of Washington. Congress remains focused on the corporate
scandals, so new legislation is likely. Also, no bank can
afford to wait patiently for the federal banking agencies
to issue new regulations through their formal —
and lengthy — rule-making process.
For one thing, there's been an increase
in what Smith characterizes as "regulation-by-policy statement,"
whereby the banking agencies come out with so-called "policy
guidance" which has the effect of regulation but doesn't
require the drawn-out public comment period that's necessary
when they formally promulgate a new regulation. "There's
a lot of jawboning going on and it has the effect of regulation,"
Smith says.
The director of regulatory affairs
at America's Community Bankers, a trade association for
community banks, echoes this concern. "Over the past three
to five years, there has been a significant step up in
guidance issued by all the regulators," says Charlotte
Bahin, who is based in Washington. As an example, she
cites the guidance that federal banking regulators issued
for subprime lending in July 2002, which forced some institutions
— including some credit card companies — to
boost their loss reserves.
The advantage of such regulation-by-policy
statement is that it allows the regulators to react quickly
to changes in the industry, particularly during times
of economic uncertainty. The disadvantage is that banks
may be caught flat-footed by these changes unless they've
been conducting what amounts to regulatory reconnaissance.
Day-to-Day Defense
In times like these, it's also crucial
to have a strong compliance culture because ultimately
a bank's business managers — rather than attorneys
in its legal department — will determine its compliance
performance. So their attitude toward the process is crucial.
"The best defense is your day-to-day procedures," Wixted
says.
Given its own problems with federal
regulators in recent years, PNC has worked hard to strengthen
its compliance culture by looking closely at the regulations
that have come out of the SEC and the banking agencies
and building those into its compliance policies. The bank's
senior management team also has tried to send a clear
message that regulatory compliance is of vital importance.
"Setting the tone at the top is crucial," Wixted says.
But that tone must also penetrate to
lower levels. A strong compliance culture can only exist
where there is a sense of partnership between compliance
officers and business managers. Charter One's Brown believes
that it's up to the compliance department to foster a
partnership mentality and avoid being viewed as obstructionists.
For example, she says, compliance people should participate
in new product design discussions so that line units don't
later run afoul of the regulators to the detriment of
the entire institution.
Charter One uses a "push-down model,"
where Brown works closely with a team of "compliance designees"
who are scattered throughout the company and report directly
to business managers in the field. Even though Brown has
responsibility for the compliance audit function at Charter
One, she really can't dictate to line managers on regulatory
matters. "The key is making sure our goals are aligned
with theirs," Brown says.
Beyond understanding the scope and
magnitude of regulations that affect a commercial bank,
and staying abreast of changes as they occur, much of
Brown's job is given over to education and communication.
She chairs a corporate compliance committee that meets
monthly and draws a mix of compliance, legal and senior
line managers. She uses these meetings to provide updates
on key regulatory issues facing the company.
Compliance experts expect the regulatory
environment to worsen before it gets better, even though
the Federal Deposit Insurance Corp. is leading an inter-agency
effort to reduce the industry's regulatory burden. The
Economic Growth and Regulatory Paperwork Reduction Act
of 1996 mandated that federal banking regulators examine
their rules every 10 years "to identify outdated or otherwise
unnecessary regulatory requirements imposed on insured
depository institutions." Some of these rules can be pruned
back by the agencies themselves, while others require
an act of Congress. Although bankers generally believe
that the agencies are sincere in this effort, they question
whether it will result in a meaningful reduction in red
tape.
Meanwhile, there are regulatory initiatives
on the horizon that will complicate the picture even further.
The Department of Housing and Urban Development is expected
to release its long delayed amendments to the Real Estate
Settlement Procedures Act, which will have a significant
impact on mortgage lenders like First Tennessee and Charter
One. The SEC, meanwhile, is considering a new set of rules
for the mutual fund industry following discovery of widespread
abuses in trading practices at many funds, and bankers
expect that Congress may take up the issue of mutual fund
reform as well.
And on top of all that, New York Attorney
General Eliot Spitzer, who played a leading role in cracking
down on unethical research practices at many Wall Street
brokerage firms, has signaled his interest in the purported
predatory lending practices of some commercial banks.
"Spitzer has no regulatory authority, but by his actions,
he regulates," says former OCC general counsel Smith.
With the likes of Spitzer and the United
States Congress on the prowl, there will surely be no
rest for weary compliance officers. But unifying the pieces
of the compliance puzzle will help.
Mr. Milligan is a freelance writer based in Charlottesville, Va.
Copyright © 2004 by Banking
Strategies, published by BAI.