Change is constant, so risk identification for banks should be an ongoing process.
By Walt WilliamsRisk identification traditionally has been a periodic exercise of checking off a list and then putting it on the shelf until you had to do it again. But as banks transition to a risk-based approach, it is no longer that simple for bank compliance officers. Risk assessment needs to be an ever-evolving process with participation from across the organization, and one that understands where your data is coming from and what it is telling you.
“If we only do it as a once-a-year exercise, we wind up adding new products with substantial risk and we haven’t updated the risk assessment around those new products,” says Jim Bedsole, chief compliance and risk officer at BankSouth in Greensboro, Georgia. “We may have gaps that we haven’t appropriately addressed from a risk-control standpoint.”
Timeliness is important because change generates risk, and there are three areas of constant change banks should monitor, Bedsole says.
The first is regulatory change, from change in laws and regulations to interpretive guidance put out by regulatory agencies. The second is product change as banks debut new products and services. The third is process change, which occurs whenever an institution switches up IT systems, tweaks its internal processes and makes staffing adjustments.
“One of the things to recognize is the risk assessment needs to be a regular part of your process … Maybe it’s not an everyday thing, but certainly several times a month going back and revisiting the risk assessment and just looking to see if there anything that needs to change here,” Bedsole says.
Be a team player
Compliance officers don’t operate in a vacuum, and as their institutions transition to regular risk assessment, they should not behave like they do. Thomas Williams, senior compliance manager at United Bank in Griffin, Georgia, says it is critical compliance officers look enterprise-wide and integrate risk identification into an institution’s business units.
“It’s no longer compliance setting the pace for what happens with the organization,” he says. “It’s understanding what’s happening throughout the enterprise by talking to the other business unit leaders: What challenges are they facing? Where do they need assistance? And then also pairing into that what is the institution’s risk tolerance level.”
It is up to compliance officers to facilitate those lines of cross-departmental communication, according to Williams. They need to understand where different business unit leaders are coming from and be able to give clear explanations when they must shoot down a request. The compliance office can’t just be one of saying “no,” he says.
“It’s interacting with these leaders at meetings, getting in front of them from time to time to understand what’s going on in their world, and offering to help but also creating an inviting environment,” he says.
“It’s: ‘Hey, I’m going to come over and take you to lunch because I want to find out what’s going on in your division.’
“Those conversations and those meetings build up that rapport that you’re not there to throw sand in the gears of the business units. You’re there to see how we can do things efficiently and achieve the end result because, at the end of the day, we’re all on the same team.”
Know your data
When it comes to identifying risks, any data that compliance officers have access to has value, Ann Marie Tarantino, chief compliance officer for Esquire Bank in Jericho, New York, said during a session on risk assessment at the American Bankers Association’s Regulatory Compliance Conference in June. The challenge comes when there is too much data that must be sliced and diced to get meaningful input, or when there is a small amount of data, which may be very precise but can lead down the wrong path.
“So you have to make sure you really understand what it is you’re looking at,” she said. “If you open accounts online, for instance, and you have a rate of acceptance and then you have a rate of abandonment, take a look at the rate of abandonment and take a look at why these applications are being abandoned. Is it because people can’t answer the questions? . . . We launched an online product where one of the questions that was asked—and for some reason it was asked frequently—was, ‘What’s the closest hospital to you?’ And a lot of people scratched their heads: ‘I don’t know what the closest hospital to me is.’”
Compliance officers should always be on the hunt for any potential gaps in your data. Complaint databases, for starters, are a wealth of information about risk, Tarantino says. Complaint data “can be read one way or read another way depending on how you look at it, but it can point to systemic issues—miscalculation of interest, fees posting when they shouldn’t be posting, things like that,” she said.
Ryan Rasske, SVP for risk and compliance markets at ABA, points to other data sources that are sometimes overlooked: information from the bank’s “change management process” that could identify changes to existing products and services or introduce new bank offerings; consumer data to identify trends in behavioral changes, such as higher usage of ATMs or digital products or trending fraud losses in a specific product; employee turnover/open positions in key risk and compliance areas or core operational areas at the bank; or correlations that come about because an increase in one type of risk causes an increase in another.
Still, data collection only gets you so far. One of the best sources for identifying new and emerging risks is networking with peers across the banking industry, Rasske notes. “Establishing a strong network throughout your career (i.e., while attending local banking events, ABA schools and/or conferences) allows you to hear from others who might be experiencing a specific risk that you haven’t seen yet,” he says.
Rasske also recommends frequently reviewing publications from regulatory agencies that provide updates on new or expanding risks identified across the banking industry. For example, the OCC publishes a Semiannual Risk Perspective that monitors the condition of the federal banking system and emerging threats to the system’s safety and soundness. “Most agencies such as the Fed and FinCEN publish trending reports and industry alerts which can be a good source for identifying potential new risks,” he says.