Ben Giumarra

Too many lenders view compliance as something that they just need to get over with, and that attitude prevents them from seeing risk assessments for what they really are – an opportunity.

Currently, many institutions just check the box on compliance risk assessments. Sure, they have something to provide to satisfy regulators when requested. But rarely are they used for anything beyond that. That’s a shame, because risk assessments can be a key driver for increasing employee accountability and awareness about their compliance responsibilities, and adjusting monitoring efforts to best focus compliance resources.

A good process for risk assessments is an important part of any effective compliance management system. (How we define “good” is addressed below.)

But first things first: Compliance risk assessments are actually required. The CFPB examination manual instructs examiners to review all risk assessments and ensure that monitoring efforts are designed to react to risk assessments. For example, if your mortgage sales department risk assessment identifies disclosing APR on Loan Estimates as one of the highest risk items, then this should be accounted for as part of some form of compliance monitoring. This is normally as simple as adding a few checklist items to a file review that’s already occurring, but sometimes it requires creating a new form of monitoring, or even adding a technological tool.

Quick side note: What exactly is a “risk assessment” in this context? Unfortunately, even important words and phrases used in the compliance world demonstrate a lack of imagination (for another example, think of “application”). So the term “risk assessment” is recycled and has different meanings in numerous contexts; for example, an FDIC examiner will refer to a risk assessment that examiners themselves create. But in this article, I’m referring to what I’ll more specifically call compliance risk assessments – by which I mean reports a company performs on a recurring basis (often annually) to decide how best to allocate its compliance resources and sometimes to guide it in strategic matters, such as whether to work with a new vendor. For example, based on the risk assessments completed in December 2017, programs and resources are allocated for compliance training, independent auditing and internal monitoring for 2018.

In trying to understand what compliance risk assessments are, I think the following quote is helpful:

“In today’s rapidly changing regulatory environment, regular consumer compliance risk assessments are important and beneficial. They can help a financial institution measure and mitigate the risks inherent in its consumer products and services, identify possible weaknesses in its controls and processes, and make any necessary changes to its consumer compliance management program in light of the assessment. Because risk assessments are risk focused, they place more weight on products, services, and processes that entail greater risk. The resulting assessments help management and the board know where the increased compliance risks reside so they can respond appropriately.”

Source: “Managing Compliance Risk Through Consumer Compliance Risk Assessments,” by Dorothy Stefanyszyn and Joe Detchemendy, 2014, published by the Federal Reserve Bank of St. Louis.

Assessing Your Assessment

Back to discussing what makes for a good compliance risk assessment (beyond just what will satisfy regulators):

First, establish “inherent risk” ratings. Inherent risk is the risk that would exist if no controls at all were in place. For example, what if we completely failed to deliver a loan estimate within three days? I would say that’s a high inherent risk. Why? First, it’s a severe harm to the consumer and the institution if it occurred. Second, if there were no controls in place to avoid this, I believe there’s a high likelihood that it would happen on a sizeable number of transactions.

The second step is to evaluate the controls that are in place. A simple example would be a system trigger that alerts users to the three-day deadline for delivering the loan estimate. Perhaps your system is designed so that sales officers cannot input an application without starting the clock on this trigger. Note: “controls” means efforts to avoid mistakes in the first place. Many compliance monitoring and auditing efforts only catch mistakes after the fact, and therefore don’t count as “controls.”

Finish by establishing a “residual risk” rating. Residual risk is the risk that remains despite the controls in place to prevent it.

All risk ratings should include both the severity and likelihood of occurrence. Risks include consumer harm, regulatory sanctions, reputational damage or financial loss. So for example, the severity of harm if an employee murdered a customer is high, but the likelihood of that occurring is extremely low. So this wouldn’t rank high on the list (indeed, not high enough that it will ever even be included in an institution’s risk assessment).

This may be a personal opinion, but for what it’s worth, I believe that good risk assessments should be pushed down and completed by the applicable business area owner. I believe this contributes to a culture of quality by empowering business areas to take responsibility for compliance-related risks and by involving them in the process. But if you’re going to take this approach, it is critically important for the compliance team to give strong guidance and easy-to-use templates to help business areas with this. A good idea could turn ugly if business areas are left frustrated trying to craft some form of risk assessment without clear guidance.

Finally, just recognize that this is more art than science. Don’t sweat perfection in the logic behind all this – focus more of that attention on giving these practical value to your institution. Just make sure to have the basics down and support any conclusions with documentation. You’ll be fine!

The consumer finance industry is in an interesting state of change. Everyone refers to the “pendulum swing” and wonders whether it will “swing back” after Dodd-Frank. But we as an industry need to realize one simple fact – it’s never going to swing so far back that having compliance management practices and habits in place is going to hurt. Using and understanding how things like risk assessments work only allows an institution to more effectively and efficiently ensure a culture of quality. And while our definition of quality may evolve, it’s always going to be a worthy goal.

Ben Giumarra is director of legal and regulatory affairs at Embrace Home Loans; he may be reached at bgiumarra@embracehomeloans.com.

The Role of Risk Assessments in Compliance Management

Published by Banker & Tradesman.