Regulatory Avalanche
By Jack Milligan
A tide of new regulations is forcing banks to
build a true compliance culture.
Bank compliance officers are accustomed to red tape,
but the avalanche of new regulations from Washington has them feeling
swamped. Since 2001, legislation such as the Sarbanes-Oxley Act and the
USA Patriot Act has sparked an exponential increase in the banking industry's
compliance burden, piling ever more work on the desks of legal staff.
The burden will probably grow even heavier, given the
likelihood that several additional regulatory initiatives will be coming
down the pike. Along with new rules for the mutual fund industry, there
will be changes to the Real Estate Settlement Procedures Act and a possible
crackdown on purported "predatory" lending.
"We have clients turning themselves inside out trying
to cope," says Brian W. Smith, a partner at Washington-based Mayer, Brown,
Rowe & Maw and former general counsel at the Office of the Comptroller
of the Currency.
These developments have exposed a weakness in the
traditional approach to regulatory compliance, which tended to be splintered
across various provisions and regulatory agencies. A more cohesive approach
is now needed, both to meet all of the requirements and to deal with
compliance as efficiently as possible. And experts say there is little
choice in the matter.
As much as bankers might decry what many see as an
unfair burden, there's little to be gained by taking their complaints
public. Recent well-publicized corporate scandals, at the former Enron
Corp. and WorldCom Inc., for example, and now in the mutual funds industry,
have created a political environment that promotes regulatory zeal. Bankers
probably have no choice but to hunker down and improve their compliance
procedures.
And many institutions are doing exactly that, by hiring
more staff, boosting their training efforts and taking a more proactive
approach to compliance by trying to anticipate likely changes in regulatory
policy.
More fundamentally, some banks are integrating compliance
with their overall risk management function by having their top compliance
officers meet regularly with senior business line managers to make sure
legal and regulatory issues are properly explored. Such an "enterprise
risk management" structure is designed to view all risk — market,
credit, operational, and compliance — from a comprehensive rather
than siloed perspective.
The key to making all this work is a compliance culture
that permeates the entire organization. Compliance officers stress the
importance of building an effective partnership with the company's business
managers, beginning with the chief executive officer. Banks that lack
such a culture may have a difficult time adapting to the current regulatory
environment.
"If you're not in a culture where compliance matters
to the top dogs — get out," advises Mary Faith Floyd, senior vice
president and corporate compliance manager at Memphis-based First Tennessee
National Corp. "Without that, you won't get results."
"C-1" Risk
It's a truism that financial regulation is often born
of crisis, and the current situation is no exception. Recent corporate
scandals, for example, begat Sarbanes-Oxley, which imposed tough new
accounting and financial controls on all public companies, including
banks and thrifts. The Sept. 11, 2001, terrorist attacks, meanwhile, led
to provisions in the USA Patriot Act designed to combat money-laundering
activities, as well as renewed emphasis on compliance with the Bank Secrecy
Act, another major anti-money laundering law that has been on the books
for several years.
Most recently, unethical practices at several large
brokerage firms — some owned by commercial banks — resulted
in an agreement with the Securities & Exchange Commission that imposed
new restrictions on their research and investment banking departments.
Even legislation that wasn't originally focused on financial services
must be factored into the picture, such as the recently enacted Can-Spam
Act, which purports to cut down on unsolicited e-mail. "You still have
to read it and you have to understand it," Floyd says.
The public's disgust with the surfeit of corporate
wrongdoing has given all public companies a heightened awareness of
what Jack J. Wixted, chief regulatory officer at Pittsburgh-based PNC
Financial Corp., calls "C-1 risk," or the risk of reading about your
company one morning on the Wall Street Journal's C-1 page, which often
covers regulatory matters.
PNC knows firsthand. The bank got into trouble when
it transferred $762 million in substandard loans from its balance sheet
to a special purpose entity in 2001 and took a gain that, according to
regulators, improperly inflated its earnings by a reported 52%. The company
was slammed with an enforcement action by the OCC and Federal Reserve,
and also had to restate its 2001 earnings. "We can't afford another reputational
body blow," Wixted says.
Although conclusive data is difficult to come by,
it's probably safe to assume that most large banks have been forced to
add staff to their compliance departments in response to the flood of
new regulations. PNC, for example, has had to increase its compliance
budget over the past 18 months, although Wixted declines to provide specific
numbers. Floyd, who oversees the compliance audit process at First Tennessee,
has seen her staff more than double — to a total of 15 — in
just two years. Although Floyd believes she is sufficiently staffed at
the moment, she adds, "It's not going to be sufficient for long, at this
rate."
Catherine M. Brown, the chief compliance ethics officer
at Charter One Financial Corp. in Cleveland, has thus far avoided adding
new staff to her small four-member department by simply assigning more
work to everyone, herself included. This is in keeping with Charter One's
strategy of being a low-cost operator; the company reported a lean-and-mean
efficiency ratio of just 42.34% last year. "Right now it's okay," Brown
says, while at the same time expressing concern that the explosion in
new regulations — combined with the bank's own growth — will
require more compliance employees eventually.
Along with the hiring, banks are placing renewed emphasis
on training as they try to educate their employees about the new regulations.
Brown works closely with Charter One's training department, which maintains
nearly 40 different compliance modules that are updated regularly. Many
of the training modules are function-specific, so only certain employees
are required to take them. But all 8,000 Charter One employees must receive
training on the Bank Secrecy Act, along with various anti-money laundering
restrictions, identity theft and suspicious activity reporting.
Enterprise Risk Management
New staff and training are helpful to a point, but
some more fundamental initiatives also are needed, such as according
a higher status to compliance and integrating it within the institution's
overall risk management function.
At First Tennessee, for example, Floyd reports to
the bank's senior risk management executive rather than to its general
counsel. The company also maintains a compliance committee that meets
regularly as part of its overall risk management effort. Members include
Floyd and senior line managers throughout the highly diversified organization,
which includes a national mortgage company, a mutual fund business and
a discount brokerage operation.
"All of the various components of risk are affected
by legal and regulatory issues," Floyd says. "To leave out that chunk
of it would leave you exposed. The compliance committee is one of the
ways that we educate, and in turn are directed by, management."
This policy of viewing major risk exposures (market,
credit, and operational) from a holistic rather than siloed perspective
is known as enterprise risk management. In a survey last year of 30 leading
financial institutions around the world that have adopted this strategy,
First Manhattan Consulting Group found that virtually all of them had
added compliance to the mix.
The advantage of this approach is better decision
making across the corporation, says Alden L. Toevs, an executive vice
president at First Manhattan. He cites the theoretical example of a bank
that thought it could gain a competitive advantage by promoting itself
as being stronger on matters of client privacy than its peers. "If you
developed a set of policies without consulting the compliance people,
you might not do all the things the regulators want," Toevs says.
Compliance pros also see a need to be more proactive
in anticipating changes that might come out of Washington. Congress remains
focused on the corporate scandals, so new legislation is likely. Also,
no bank can afford to wait patiently for the federal banking agencies
to issue new regulations through their formal — and lengthy — rule-making
process.
For one thing, there's been an increase in what Smith
characterizes as "regulation-by-policy statement," whereby the banking
agencies come out with so-called "policy guidance" which has the effect
of regulation but doesn't require the drawn-out public comment period
that's necessary when they formally promulgate a new regulation. "There's
a lot of jawboning going on and it has the effect of regulation," Smith
says.
The director of regulatory affairs at America's Community
Bankers, a trade association for community banks, echoes this concern. "Over
the past three to five years, there has been a significant step up in
guidance issued by all the regulators," says Charlotte Bahin, who is
based in Washington. As an example, she cites the guidance that federal
banking regulators issued for subprime lending in July 2002, which forced
some institutions — including some credit card companies — to
boost their loss reserves.
The advantage of such regulation-by-policy statement
is that it allows the regulators to react quickly to changes in the industry,
particularly during times of economic uncertainty. The disadvantage is
that banks may be caught flat-footed by these changes unless they've
been conducting what amounts to regulatory reconnaissance.
Day-to-Day Defense
In times like these, it's also crucial to have a strong
compliance culture because ultimately a bank's business managers — rather
than attorneys in its legal department — will determine its compliance
performance. So their attitude toward the process is crucial. "The best
defense is your day-to-day procedures," Wixted says.
Given its own problems with federal regulators in
recent years, PNC has worked hard to strengthen its compliance culture
by looking closely at the regulations that have come out of the SEC and
the banking agencies and building those into its compliance policies.
The bank's senior management team also has tried to send a clear message
that regulatory compliance is of vital importance. "Setting the tone
at the top is crucial," Wixted says.
But that tone must also penetrate to lower levels.
A strong compliance culture can only exist where there is a sense of
partnership between compliance officers and business managers. Charter
One's Brown believes that it's up to the compliance department to foster
a partnership mentality and avoid being viewed as obstructionists. For
example, she says, compliance people should participate in new product
design discussions so that line units don't later run afoul of the regulators
to the detriment of the entire institution.
Charter One uses a "push-down model," where Brown
works closely with a team of "compliance designees" who are scattered
throughout the company and report directly to business managers in the
field. Even though Brown has responsibility for the compliance audit
function at Charter One, she really can't dictate to line managers on
regulatory matters. "The key is making sure our goals are aligned with
theirs," Brown says.
Beyond understanding the scope and magnitude of regulations
that affect a commercial bank, and staying abreast of changes as they
occur, much of Brown's job is given over to education and communication.
She chairs a corporate compliance committee that meets monthly and draws
a mix of compliance, legal and senior line managers. She uses these meetings
to provide updates on key regulatory issues facing the company.
Compliance experts expect the regulatory environment
to worsen before it gets better, even though the Federal Deposit Insurance
Corp. is leading an inter-agency effort to reduce the industry's regulatory
burden. The Economic Growth and Regulatory Paperwork Reduction Act of
1996 mandated that federal banking regulators examine their rules every
10 years "to identify outdated or otherwise unnecessary regulatory requirements
imposed on insured depository institutions." Some of these rules can
be pruned back by the agencies themselves, while others require an act
of Congress. Although bankers generally believe that the agencies are
sincere in this effort, they question whether it will result in a meaningful
reduction in red tape.
Meanwhile, there are regulatory initiatives on the
horizon that will complicate the picture even further. The Department
of Housing and Urban Development is expected to release its long-delayed
amendments to the Real Estate Settlement Procedures Act, which will have
a significant impact on mortgage lenders like First Tennessee and Charter
One. The SEC, meanwhile, is considering a new set of rules for the mutual
fund industry following discovery of widespread abuses in trading practices
at many funds, and bankers expect that Congress may take up the issue
of mutual fund reform as well.
And on top of all that, New York Attorney General
Eliot Spitzer, who played a leading role in cracking down on unethical
research practices at many Wall Street brokerage firms, has signaled
his interest in the purported predatory lending practices of some commercial
banks. "Spitzer has no regulatory authority, but by his actions, he regulates," says
former OCC general counsel Smith.
With the likes of Spitzer and the United States Congress
on the prowl, there will surely be no rest for weary compliance officers.
But unifying the pieces of the compliance puzzle will help.
Mr. Milligan is a freelance writer based
in Charlottesville, Va.
Copyright © 2004 by Banking Strategies,
published by BAI.