
FINANCIAL SERVICES

Effective Compliance:
Community Banking’s Latest Challenge

July 2004

By Christopher C. Gallagher*

“Nothing bonds people like sharing a foxhole,” they say, which is one way to describe the relationships forged between community bank directors and senior management during the regulatory crackdown following the S&L crisis. In those days, while OCC’s Comptroller Clark termed himself, “The Regulator From Hell,” regulators from all agencies descended on New England’s banks searching first for capital and later for victims to blame for bad loans. The foxholes may fill again soon, but this time bank regulators are not the culprits. In fact, trends in regulatory circles point to increasing efforts on their part to act more like resources than tormentors from Hades. (See: “Resource Regulation: The Road to Relevance,” by Christopher C. Gallagher, September 30, 2003.) Today’s danger is posed by the latest realignment of the regulatory process itself. Coupled with a new emphasis on “effective compliance,” it could push bank management and directors back into foxholes. But foxholes won’t cut it. Hunkering down won’t help. This time, directors and management need to go on the offensive. Indeed, failure to take the right steps will expose not only bank management and directors, but the bank itself to significant peril.

The Problem

In the wake of Enron, WorldCom, and September 11, Congress overwhelmingly passed Sarbanes-Oxley, capping a blizzard of legal and regulatory initiatives that changed the compliance world forever, while imposing on banking organizations a new duty to self-police for regulatory compliance.1 “SarbOx Syndrome,” described in depth in an earlier paper, explains this important phenomenon, outlining in depth its threat to community banking’s traditional business model. (See: “Community Banking’s New Regulatory Burden: SarbOx Syndrome,” by Christopher C. Gallagher, July 2004.) In a nutshell, “SarbOx Syndrome” puts substantial new onus on bank directorates and senior management. It holds them accountable for the success of systems established to carry out their new responsibilities and controls established to ensure “effective compliance.” To be sure, FIRREA introduced the self-police concept to banking following the S&L debacle, but today’s elevated focus on organizational self-policing is much more intense. It will no doubt blindside senior management and directors who are unaware of its significance. Mere conversion from traditional apathy to an intensified commitment to compliance is not enough. SarbOx Syndrome has been magnified by a new and different method of examination. For virtually all community banks, therefore, there must be substantial change in the way compliance is structured and carried out, particularly at the top. The new approach must be comprehensive as well, integrating both the management of traditional compliance and financial risk.

Two specific regulatory developments are now converging as bank examiners carry the now effective compliance doctrine into their daily work. Both must be fully understood by community bankers. The first is the FDIC’s recently aligned, risk-based examination process. The second, and even more recent, is the package of amendments to the federal sentencing guidelines for organizations, which address in detail what is meant by the words, “effective compliance.” These amendments, drafted in response to the express directives of Sarbanes-Oxley, apply directly to corporate noncompliance as well as to criminality. More important however, their philosophy and content are certain to be applied by all federal authorities in any area where “effective compliance” is required. These two changes must be absorbed and fully understood by top leadership, then infused into bank compliance structures.

Community Banks

With their historic and cultural roots firmly planted in the geographies they serve, community banks have matched the evolving economic needs of their constituents through awareness, agility, and customer focus. Banks still standing have successfully survived smash-mouth competition in financial services by offering products and services to meet continually evolving customer demand. By now they have adjusted their business model to reflect their size and services as well as their geography. Now they face a new challenge. Size continues to matter, because scale is needed to support the costs of proliferating new regulatory demands, but beyond today’s proliferating regulatory burden, a deeper danger looms. It is the absolute requirement for a compliance-educated and proactive directorate who with management are fully engaged in the bank’s systems of ethics, compliance and internal controls. Such top-down involvement is the first requirement for “effective compliance.” Effective compliance structures have now become a core business function for which management and directors are responsible, accountable, and must implement.

Community banks’ governance model has traditionally featured a directorate reflecting more the community served, rather than expertise in financial services. Such venerable bank boards in particular must change themselves quickly, either by elevating their collective knowledge of their banks’ systems for compliance and risk management, or by finding new, more knowledgeable members fast. For sound institutional and practical reasons, significant board change can occur only over time. Realignment required for effective compliance, however, is needed now. Thus, it is incumbent on senior management to act now to educate their bank’s directors, to get them involved in the systems now required for effective compliance.

FDIC Realignment

Building on compliance examination changes begun in 1996, in July of 2003 the FDIC initiated a new top-down, risk-focused examination process designed and built around an in-depth evaluation of the bank’s “compliance management system.” This mandated structure is defined at the FDIC as “the confluence of directorate and management oversight, internal control and compliance audits.”2 The new, realigned approach begins with an examiner-configured “risk profile” reflecting the examiner’s impression of the quality of the bank’s compliance system, which is defined as its “effectiveness.” More traditional transaction testing is directed later at areas of the system deemed by the “risk profile” most likely to fall short of failsafe. The new regulatory emphasis is on the internal systems installed to ensure compliance, not upon transactional analysis and subsequent discovery of noncompliant conduct. Under the old transaction testing approach to examination, a finding of “no violations” could produce a perfect score. In this new systems approach, the only way to a perfect score is to prove that such infractions are not possible. Moreover, it follows that any noncompliance discovered demonstrates conclusively that the “system” is faulty. And since it is bank leadership who must ensure that bank compliance is “effective,” directors and senior management will both be held accountable. As the FDIC’s Jackwood put it:

Effective compliance program management at a bank starts at the top—with the board of directors and senior management, who are responsible for the bank’s management and control. The top-down, risk-focused approach to compliance examinations complements the importance of directorate and senior management accountability for a bank’s compliance risk management system.3 (Emphasis Supplied)

This new emphasis on top-down responsibility and accountability has produced a whole new order of director vulnerability. Enron’s Ken Lay will be the last board chair to assert as a defense that he was “not aware” of what was going on below. In a SarbOx Syndrome world, Ken Lay is strictly liable for all failures wherever they occur simply because they happened.

USSCGO4

On April 30, 2004, the United States Sentencing Commission issued new guidelines for organizations found guilty of criminality or other noncompliant conduct. They are scheduled to become effective on November 1, 2004.5 The existing sentencing guidelines6 offered favorable consideration at the time of sentencing of a defendant organization that had an “effective program to prevent and detect violations . . . .” “Effective compliance” could be demonstrated under the old guidelines by showing that the corporation’s ethics and compliance programs had elements of seven specific criteria. After November 1, 2004, these elements or factors, so-called, will be required as a part of a director’s supervisory responsibility to the corporation. This new characterization of compliance will set the standards for all “effective compliance” wherever they are established. The way Washington “group-think” operates, these definitions of effective compliance will be carried over and applied wherever “effective compliance” is at issue.7 The guidelines themselves make this point, but the sentencing factors will extend beyond federal sentencing to all government applications of the appropriate compliance measures. In short, “effective compliance” referred to by the FDIC in its explanation of its new approach to examination will assume the shape of the new sentencing factors until they squarely reflect the findings and recommendations laid out by the Sentencing Commission.8

Significantly, these amendments require that an organization establish “standards and procedures . . . that are reasonably capable of reducing the likelihood of noncompliance.”9 For directors and senior management, the responsibility is clear.10

Specifically, the Commission has determined that the organization’s governing authority must “be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.” 11

The use of the word “reasonably” above leaves room for scalability, but query whether typical examiners will use it to impart true flexibility to their oversight.

The newly amended Guidelines state further that:

If authority is delegated, the governing authority must receive reports from such individuals at least annually, according to the commentary in Application Note 3. In order to carry out such responsibility, the new guideline mandates that such individual or individuals, no matter the level, must “be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.”12

Another factor requires effective communication of delegated standards and procedures, including full responsibility for training employees in the culture of compliance.

Fourth, §8B2.1(b)(4) makes compliance and ethics training a requirement, and specifically extends the training requirement to the upper levels of an organization, including the governing authority and high-level personnel, in addition to all of the organization’s employees and agents, as appropriate. Furthermore, subsection (b)(4) establishes that this communication and training obligation is ongoing, requiring “periodic” updates.13

There can be no doubt that these training requirements must apply first to the directors and senior management.

Accordingly, as bank examiners conduct their new risk-based examination process, by constructing their risk profile then testing its applicability in various aspects of bank operations, they will be searching for “effective compliance.” Effective compliance means compliance that works, i.e. that ensures that noncompliance is not possible. The FDIC risk profile process will begin with a search for senior management and director participation in the bank’s compliance and asset quality structure. Any noncompliance discovered will prove conclusively that the system is not effective. Since directors and senior management are each responsible for the reliability of the system (even if they have educated themselves and have become involved in it), they will be held accountable for the system’s failure.

Conclusion

Community banks support our nation’s economy in important ways, including “ . . . their ability to form the relationships necessary to lend to informationally opaque borrowers—an advantage widely viewed as important in small-business and small-farm lending.”14 Their leadership, directors and management, have demonstrated true resilience over the years, weathering the winds of steady change in financial services and the occasional tornados triggered by regulatory response to various crises. Government’s response to 9/11, Enron, and pressures to reduce bureaucracy have now impacted banking. They have assumed the form of new, self-policing requirements to be enforced by holding top management strictly accountable and responsible, not only for infractions but for directing a system of ethics and compliance in which such infractions cannot occur. The financial cost of the new compliance to community banks is disproportionately high. The cost to community bankers and their directors is even greater, because it asks so much of directors, whose service is often motivated more by a desire to serve their community than to receive whatever minor compensation is offered. Most significantly, this new regulation can easily lead to MOUs and other regulatory straitjackets that can cripple a community bank’s business model. Once such measures are put in place, they are very hard to remove.

Effective compliance is now a core line of community banking business. Anything short of that is bound to be “defective” compliance, and will be blamed on the bank’s senior management and its board of directors. The time for community bank leadership to act, therefore, is now.


Notes

1. The USA PATRIOT ACT, Bank Secrecy Act, Gramm-Leach-Bliley, and new standards of acceptable risk practices inherent in Basel II all reflect the new emphasis on self-policing.

2. See: John M. Jackwood, “Compliance Examinations: A Change in Focus,” Supervisory Insights 1, No. 1 (Summer 2004), Federal Deposit Insurance Corporation, p. 16.

3. Jackwood, p. 17.

4. United States Sentencing Commission Guidelines for Organizations (amended April 2004). (Readers should note that references herein to the utilization by banking regulators of the USSCGO’s analytic paradigm for “effective compliance” is not meant to suggest that bank examinations now serve as a prelude to criminal liability and sentencing.)

5. By law, the amendments take effect November 1, 2004, unless Congress acts to modify or disapprove them (pre-election conduct generally believed to be highly unlikely).

6. The May/June 2004 issue of ABA Bank Compliance includes an interesting article (Richard R. Riese, “ADApT to Working SMAART”) tying the existing federal sentencing guidelines to the OTS SMAART program for compliance. This article and its approach will no doubt be updated to accommodate the proposed amendments.

7. “While Chapter Eight derives its authority and content from the federal criminal law, an effective compliance and ethics program not only will prevent and detect criminal conduct, but also should facilitate compliance with all applicable laws.” (“Amendments to the Sentencing Guidelines” (Reader-Friendly Version), United States Sentencing Commission, May 10, 2004, p. 109.)

8. On June 24, in a 5-4 decision, the U.S. Supreme Court found in Blakely v. Washington that a state sentencing guidelines system was unconstitutional since it allowed judges to use information in sentencing that was not heard by a jury or admitted by a defendant. It is logical to assume that its reasoning would apply to federal sentencing guidelines. This finding, however, should not influence the impact on Beltway “group think” regarding “effective compliance.” The sentencing guidelines will likely continue to provide an arena for the Congress and the federal judiciary to squabble over sentencing minimums and inconsistency, but amidst this turmoil, the concept of effective compliance will no doubt survive.

9. “Amendments to the Sentencing Guidelines for United States Courts” (as published in the Federal Register on May 19, 2004), United States Sentencing Commission (2004), p. 157.

10. “Section 8B2.1(b)(2) provides that it is the organizational leadership, defined in the guidelines as ‘high-level personnel,’ who must ensure that the organization’s program is effective.” (“Amendments to the Sentencing Guidelines” (Reader-Friendly Version), p. 110.)

11. “Amendments to the Sentencing Guidelines” (Federal Register Version), p. 173.

12. Ibid., p. 174.

13. Ibid., p. 175.

14. Tim Critchfield et al., “Community Banks: Their Recent Past, Current Performance, and Future Prospects,” FDIC Paper FOB-2004-3.1, Executive Summary, p. 20-21.

* Christopher C. Gallagher is admitted in New Hampshire.

 

You may contact Chris Gallagher at 800-528-1181.
