During the ABA’s recent Regulatory Compliance Conference, Spinnaker’s Cara Williams, our Risk Management and Regulatory Compliance practice lead, moderated a discussion on “Defining Conduct and Culture Risk for Your Organization.” The panel featured Stephanie Bowers, senior regulatory analyst with USAA, and William Walsh, chief compliance officer for First Citizens Bank. In this blog post, Holly Higginbotham offers an analysis of the key issues covered.
How have your conduct and culture risk management programs evolved from the unprecedented changes over the last few years?
Our ABA Regulatory Compliance Conference session generated a robust discussion on where we are in the evolution of conduct and culture risk, how bankers are aligning conduct and culture risk within their governance framework, and leading practices for strengthening oversight and misconduct controls.
Here are a few takeaways for organizational leaders:
1. Recognize that conduct and risk go hand in hand.
In a mature and proactive risk culture, employees have no fear of raising issues or concerns, but they must trust their leaders if they’re going to point out problems. In turn, leaders must be engaging in regular informal interactions with their teams to maintain the rapport and trust they’ve developed over time (or need to build with new staff). Remember, your culture really drives conduct, which is decision-making and action, and your employees need to understand your governance rules and how to nurture a strong risk culture and mitigate associated conduct risk. In other words, culture is about what your people do every day when no one is watching them.
The “open door” policy that most inspiring leaders promote doesn’t function as originally designed when there’s no physical office. Leaders need to explain to their employees how that policy works virtually. Risk culture has to be part of business as usual (tone should come from the top) and not reactionary. You need to encourage your people to raise their hands when something isn’t right (and not punish them when they do), link conduct to compensation, and clearly demonstrate that the wrong actions carry consequences. When analyzing mistakes in risk culture, always drill down to the root cause. For example: Was there a disregard of controls, or a misunderstanding or lack of awareness of risk appetite? Don’t underestimate the information that can be gleaned from the ethics line and/or customer complaints, as early indicators of areas that need to be addressed related to conduct and risk culture.
2. Communicate. And then communicate even more.
Although some businesses are returning to the office, many team members are continuing their careers – or beginning new ones – as fully remote employees. With 86% of our industry’s knowledge workers logging in from outside the office at least twice weekly, it’s easy for them to feel left out when they can’t have a water cooler chat with their co-workers.
To keep everyone engaged and working toward the same goals, update them regularly about company news and information, including expectations around conduct and culture risk. Leverage tools used during the pandemic, such as virtual townhalls and coffee chats, as well as skip-level meetings (meetings with team members who aren’t your direct reports) to maintain contact with all employees, including those who work remotely. Send written follow-ups after video meetings to ensure everyone leaves the meeting with the same expectations. Transparency and communication can go a long way in mitigating conduct and culture risk.
3. Keep up best practices that worked during the pandemic.
One thing that we sharpened during COVID-19 was making personal connections and being empathetic with our colleagues. We no longer see each other in offices or cubicles; we see each other at home with our kids and pets running around behind us. Some organizations even capitalized on that atmosphere by rolling out more casual dress codes or fun competitions to determine who had the best work-from-home setup.
Our approach to working remotely shouldn’t be one size fits all. Let’s retain our talent and improve our work-from-home culture by caring for one another and recognizing that we all work differently. The more casual remote work environment actually helped break down communication barriers, as leaders came to be seen as more personable and less intimidating. That led to more open paths for talking about risks and raising concerns.
Back in early 2020, as the pandemic unfolded, many of us expected the overnight transitions to how we worked to be short, temporary solutions. As quarter by quarter passed, those interim operations evolved and became the new normal for how we work and serve our customers.
But not every organization ensured that its cultural shifts and its documented conduct practices, which shape the responsibilities your team members must own to manage risk, aligned with the new realities. After all, the banking industry as a whole never predicted that so many of its operations would turn into broad off-site capabilities.
The challenge can be tough, but a focus on developing a risk-aware culture can ensure your stability and even become a market differentiator for you. Because we have hands-on experience with companies just like yours, Spinnaker experts can guide you in developing the policies and products that can put you on sound footing going forward. Find out how today.
The Big Picture
Pick up recent copies of The Wall Street Journal or American Banker, and you’ll see headline after headline about consent orders and hefty fines issued by the Consumer Financial Protection Bureau to mortgage companies caught using deceptive advertising practices. This summer alone, eight have been issued.
Two things immediately strike me when I see these stories: Many of these cases didn’t have to happen. And while these particular consent orders were concentrated in the mortgage sector, similarly problematic issues are most certainly occurring in other lending segments across the financial services industry.
After a hundred years or so, you’d think we would know how to follow regulatory rules – particularly those put in place to protect consumers. Indeed, the first such laws were framed by the states before World War I – although the first meaty federal law, the Truth in Lending Act, wasn’t passed until 1968. Every new regulation layered in since then largely continues to further shield consumers from unfair practices – which often start with glossy ad campaigns designed to get them in the physical or digital door.
The reasons why we’re still struggling with compliance aren’t too difficult to understand: turnover within organizations, competing priorities, a lack of sound controls, new staffers who are unfamiliar with existing regulations, and a never-ending list of new ones, including Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) and the Mortgage Acts and Practices (MAP) – Advertising Rule. There’s also often a gap between the intent of any new regulation and how marketing teams interpret it.
The risks of not crossing every “t” and dotting every “i” are significant, as evidenced by these recent consent orders. Doing things the wrong way also can mean costly penalties, time-consuming regulatory remediation, and loss of customer trust – which can translate into higher complaint volumes and even lawsuits.
Let’s explore some long-lingering myths about how banks advertise their lending products – and, more importantly, what your financial institution should be doing.
MYTH: Legal and Compliance don’t need to review my ad since I’m the expert in marketing.
FACT: This is the biggest myth that persists in financial services marketing and advertising. Every word you use to communicate has specific and nuanced meanings, and your legal and compliance teams have a responsibility to protect your company and consumers alike. No external ads or marketing materials should be released until you get signoff from your legal or compliance team. It’s not any more complicated than that.
MYTH: Our marketing team knows what Legal and Compliance have told us. We get it, but we need leeway to make our ads eye-catching and even a bit sexy so we can get business in the door. One little word change doesn’t really make a difference.
FACT: Remember how former President Bill Clinton faced legal drilling over his interpretation of the word “is”? You’d be surprised at exactly what a bank must validate before it advertises anything as “free.” That word “free” – and countless more – are triggers, often requiring specific disclosures on how they apply to what you’re advertising right at that moment.
Ideally, your marketing and advertising teams should collaborate almost daily with your legal and compliance teams. Of course there’s going to be some friction between the advertising folks, who see in every color of the rainbow, and the legal and compliance folks, who typically only see in black and white. The important thing is to build processes and procedures that enable effective and efficient reviews of all advertising and marketing materials, and that begins with concepts. When you involve those responsible with compliance up front, they can help rethink an approach in ways that ensure the final ad meets regulatory requirements.
Also, try taking their early “no” to mean “not yet” and be open to ideas on what could translate into an easy reframing. But go to them at the end with an ad that fails on every compliance front, and their “no” will be just that.
When I was at a bank that now has more than $30 billion in assets, my compliance team worked diligently to become a strategic partner to the marketing team. It took some time, but our peers came to see that we never aimed to derail their vision. As our relationship evolved, so did our interactions. In fact, we created a desktop resource that allowed marketers to easily look up the latest laws or match sales terms with the necessary disclosures, delivering a self-service tool that also empowered them to create responsibly and expedite the review process.
Rest assured, the goal of your bank’s lawyers and compliance officers is not to thwart creativity, but to ensure that amazing ad concepts give consumers precise, clear information about the company’s products and services, allowing them to make smart financial decisions. Believe me: Compliance teams want powerful, compelling and even award-winning advertising that brings more revenue in the door, because when you have that, everyone benefits.
MYTH: Our market competitor ran an ad just like that. If they got away with it, then it’s OK and the legal and compliance team is overreacting.
FACT: This is the corporate version of your mother asking you, “If everyone was jumping off a cliff, would you do it, too?” The only truth here is that your competitor ran an ad. You don’t really know if that financial institution “got away with it.” In fact, you might learn not too far down the road that your competitor actually got caught red-handed with a compliance violation. After all, the underlying premise of advertising is to spread the word, and regulators are paying close attention.
Frankly, you should be analyzing what your competitors are doing, but I’m not talking about their advertising.
Take a good look at every consent order or other regulatory action you hear about and compare it to what’s happening in your shop. Are you doing things the right way? Are you identifying and avoiding the possible risks in your process? In other words, consider that the teacher has given you every answer to the test, and you don’t want to fail down the road.
MYTH: The bank’s advertising agency developed that campaign – not our internal team – so we’re not going to get in any trouble.
FACT: Time and time again, oversight organizations stress that any third-party vendor – whether it’s an ad agency or a cross-sell phone queue – is a seamless extension of your financial institution. If they get it wrong, so do you. You don’t outsource the compliance responsibility along with the work.
MYTH: All of that applies to my bank or mortgage company – not to me as a loan officer. I’ll post a special offer on my social channels just for my customers.
FACT: Your very title of “loan officer” means you’re an officer of your financial institution, and the same exact requirements apply to you. Without question, the growing influence of social media makes consumer outreach easy, but the brevity and ease of these same platforms also make it more difficult to keep your team members from going rogue. The same compliance standards apply to all of your advertising, including any unsanctioned materials. Every employee needs to understand this responsibility. (BTW, don’t forget about old-fashioned tactics, such as a quick sales flyer that a teller might create and post in a branch. Whether that flyer meets your advertising brand standards is the least of your worries, because you’re most likely out of regulatory compliance.)
MYTH: Getting an internal review takes so much time that we’re losing competitive advantage.
FACT: Doing it right takes a fraction of the time needed to fix things – particularly if you’re cited for a regulatory infraction – and maintains your institution’s reputation.
Yes, a legal or compliance review is another step in your marketing process, but it’s a short blip in the lifetime of a successful business. In my previous role, I was intentional about building interactions with the marketing team that served everyone’s needs as efficiently as possible. If a federal agency comes at you with a consent order or Matter Requiring Attention, you’re going to spend significantly more time finding the root issue, solving for your misstep, gaining regulatory signoff and getting back to work. You also can’t rebuild consumer confidence overnight – even with the most attractive offers in your marketplace. After all, if your customers know you’ve been under scrutiny before, do you think they’re going to trust that you’re being straight with them this time around?
Every year, tens of thousands of pages are published in the Federal Register, with a good chunk of them detailing what banks need to deliver in serving their customers. In the past decade, the Dodd-Frank Wall Street Reform and Consumer Protection Act came in at the equivalent of nearly 1,000 pages and prompted several thousand more pages of rules and regulations, including, as just one example, the TILA-RESPA Integrated Disclosure (TRID) rules. Tack on related regulations published as a result of the Dodd-Frank Act, other more recent regulatory amendments like those made to the Fair Debt Collection Practices Act (FDCPA), as well as state-specific requirements, and you’ve got enough paperwork to fill a library.
Within days of the international declaration of the pandemic, federal leaders tossed a lifeline to small businesses in the form of the Paycheck Protection Program. But before the ink was dry on the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which offered forgivable loans to help eligible American companies keep their lights turned on and pay their employees, banks were stepping into a minefield of risk.
©2022 Spinnaker Consulting Group. All rights reserved.