Compliance officers hold the proverbial ball when it comes to managing regulatory compliance examinations. Those who have experienced consistent, positive outcomes typically attribute their success to the fact they have a plan they stick to, year after year, to ensure there are no surprises and to portray their organization in the best possible light.
Whether you have automated your examination process or not, following certain principles will help reduce some of the stress associated with compliance exams. If you are a seasoned compliance professional, it is likely that all or most of these steps will be familiar — but this is a great primer to share with newer compliance professionals whom you are mentoring. If you are new to regulatory compliance in the financial services industry, welcome aboard and please take note.
While some of these ABCs may seem almost too basic, it has been my experience that when strict protocols are not required, especially in the heat of an examination, corners can get cut. Suddenly, one’s records of production are incomplete, or other problems arise that can come back to haunt your institution. So before you begin prepping for your next exam, consider these commonsense but oft-forgotten ABCs that many successful examinations have in common:
Always ensure you are prepared to discuss with your regulator what is new or changed at your institution since your last exam. Keep regulators’ expectations in mind when:
- Conducting regulatory change management;
- Assigning compliance training;
- Incorporating regulatory compliance requirements into business processes;
- Monitoring operations for adherence to compliance requirements;
- Considering material new or changed products, customers, locations and services;
- Taking internal corrective action; and
- Updating compliance program materials, based on regulatory agency guidance.
Before the exam
Before your institution’s next regulatory exam, be prepared to respond knowledgeably to questions related to items noted during the previous examination cycle, even those identified by other regulators. This is especially important if you are new to the institution. You never want to hear an examiner say, “How could you not know we were going to ask you about that?” What can you do to avoid this dynamic? Here are a few best practices:
Review the last few examination records and make sure your institution is not repeating a finding — even a small one. Be particularly wary of items resolved during a previous exam that may have fallen off everyone’s radar. No item that made its way into an examiner’s report is too small to pay attention to and ensure the item was addressed — especially if it could have a negative impact on customers. Do not rely on every item making its way to a spreadsheet maintained by the institution. Review the actual examiner’s report.
Read and acknowledge your regulators’ examination priorities or similar release every year by understanding each item as it applies to your institution. If you have not done so already, conduct testing or monitoring in those areas.
Educate supervisory and senior leadership about current regulatory compliance issues facing the industry. Include recent actions by your institution’s regulator(s), such as new or changed laws, rules, regulations and guidance, as well as enforcement and disciplinary actions, and explain how they relate to your institution.
Be prepared to demonstrate adjustments to policies, procedures, risks and controls made to account for new or changed laws, rules or regulations.
Centralize the process
Consider centralizing the documentation and examination process to safeguard against an incomplete record or other issues. Best practices include assigning a reliable resource (an exam manager) to own the examination record. This will make the examiner’s life easier and ensure the institution responds to inquiries in a timely manner. Consider having all exam matters and documentation flow through this resource.
Document best practices
Scrutinize the initial and any subsequent production requests, including instructions provided as to the type of document(s) accepted, submission process, or other elements of the exam process particular to that regulator. If you are not certain or have questions, contact the examiner. Best practices related to documentation include:
Deliver only what the regulator requests. Avoid producing any artifact without a thorough review by senior compliance personnel.
Clearly mark each item with the name the regulator uses for it in its own naming convention. The institution’s record does not have to mirror the regulator’s taxonomy, but it must include it to avoid confusion. (It might be best to mirror it, though.)
Documents and reporting produced should look the same year over year. If not, explain the reasons for any substantive changes (e.g., new system).
Examiners are people too
Let your examiner know through your words and actions that you understand and apply their guidance. Use the “magic words” your examiner uses — avoid using internal jargon to explain how your institution functions.
Take advantage of all the exam prep materials and guidance your regulator provides.
Seek out your examiner’s opinion on thorny compliance questions (after consulting your legal team). Examiners are unlikely to give you hard and fast answers, but they may help you frame how your institution should handle an issue or respond to an inquiry from the business.
Ensure your examiner understands who the exam manager is and how they will interact during the exam.
If possible, at or prior to the exam, create and deliver a compelling but brief story of your institution, its products and services, customers, footprint and strategic vision. Include how you plan to deliver more value to your customers (e.g., improved authentication methods, etc.). Share a copy of the presentation with your examiner for reference during the exam.
Remember to have the presentation fully vetted by compliance, legal and senior leadership to ensure it is factual and that they are familiar with how the elements of the institution’s business model are framed.
You may also want to share in your introductory meeting, at a high level, the principal risks that institutions of your type have identified as inherent in your business model and how they are addressed.
Tell your examiner about any gaps in your regulatory compliance program related to their scope of inquiry. Include an appropriate explanation of mitigation efforts. Examiners will appreciate your candor and have a healthier respect for your risk assessment process.
Ensure that a robust process is in place to show how your compliance policies are operationalized where appropriate by procedures and managed for effectiveness by controls. Consider conducting a mock examination or have one conducted by a third party. To be effective, do not cut corners during a mock exam.
Handle the exam
Remember to apply your institution’s data protection and on-site security protocols.
Be on time with production items or give notice of any delays ahead of time. Explain the delay honestly in a way that does not point to problems with your institution’s recordkeeping. Let the examiner know when they can expect the item — then deliver it by or before that time. Make sure all personnel come to meetings with your examiner on time.
Help reduce the number of follow-up documentation requests by ensuring the initial materials your institution provides are completely responsive to the question(s) asked and do not require a lot of explanation. Senior compliance personnel should review and approve all items prior to production.
Require all requests to be in writing and use the regulator’s taxonomy for tracking. Often, an examiner will ask the institution to produce something already produced for another purpose. Only proper recordkeeping by your exam manager will ensure that connection is made and the right artifact is provided again.
It’s okay to respectfully question the need for production items that may not apply to your business model or to suggest alternate records once you fully understand the purpose of a request.
Retain a copy of every communication related to the examination: in particular, those between the institution and the examiner(s), those involving the exam manager and anyone involved in exam production, and those that explain an exception, anomaly or material decision made in connection with the examination.
Innovative exam management
Following a consistent process, whether automated or manual, will reward institutions over time. Automation of the process will further ensure consistency by utilizing workflows, calendaring, checklists, and other tools that will provide robust monitoring, tracking and reporting on your examination(s).
Innovative, automated, compliance solutions are becoming more user-friendly, reliable and affordable. If you have not done so already, consider automating your institution’s exam process to the extent possible.
When the onsite exam has ended, take time to go through the record of the examination and organize it judiciously. Where necessary, appropriate and permissible, revise the record, for example by cleaning up hastily taken notes so that their meaning will be apparent to a reviewer. Include senior leadership in this review to facilitate understanding and to ensure that compliance, legal and business personnel are on the same page as to the handling of the exam, how the institution responded, and any expectations regarding results.
Kick off remediation
You were likely apprised of potential findings by your examiner in the exit interview or at times throughout the examination process. Ensure appropriate committees and senior leaders are informed and involved in determining ownership and supervision of remediation efforts. There should be clear ownership, supervision, documentation and tracking of each finding through to remediation. Once remediation is complete, appropriate controls should be assigned and monitored for effectiveness.
Once you receive the official examination results, review them carefully to ensure your institution is addressing all findings including those considered “observations.” Respectfully question the application of findings to your institution if you have a well-reasoned argument as to why the finding is not warranted.
You have survived an examination and now have a robust record of the event and any continued handling required. So, no need to continue with the alphabet, as you have this process under control. Now just lather, rinse and repeat!
Best of luck on your next regulatory compliance examination.
Elaine Duffus, CSCP, CFCS, FLMI, JD, is a senior specialized consultant on the financial services compliance program management solutions team at Wolters Kluwer. She can be reached at [email protected]