Risk Management & Regulatory Compliance, Issue Management, Compliance Testing, Risk Identification

COMPLIANCE TESTING: You can't afford not to!

Feb 27, 2023

Written by: Cara Williams

I was talking with a Chief Compliance Officer the other day who said they were finding it very hard to build and maintain their compliance testing program. This isn’t the first time I’ve heard similar concerns. It always comes down to resources – people, time, budget, and competing priorities for all of the above. I’ve been there and experienced the same thing first-hand – making a business case for why I need more money to hire more people, to maintain various elements of my compliance program. Ultimately, the question should not be “how can we afford to do this?”; the question really should be – “how can you afford not to…?”

My teenage son recently came to me asking for money to purchase something (a common occurrence these days – this boy has expensive taste and what seems like a new request for funding every week). When I asked him how much he was looking for me to invest in this latest endeavor, he didn’t lead his answer with how much it was going to cost me; he led with how much I would be saving in the long run.

Ironically, I could apply the same logic for justifying the cost of a compliance testing program. Yes, establishing a sustainable compliance testing program and staffing it with well-qualified, attention-to-detail compliance experts is not an easy task. It’s a very labor-intensive endeavor. However, think of how valuable it is to proactively self-identify compliance breakdowns before your internal auditors or, even worse, regulators uncover those issues. Think about the competitive advantage this investment could bring to your bank as you ensure your bank is adhering to consumer protection requirements as well as internal bank policies and procedures.

After all, early identification of areas of non-compliance and the ability to take corrective action before a regulatory agency becomes involved can ultimately lead to significant cost savings by avoiding or minimizing costly fines, expensive business disruptions, customer service breakdowns, customer restitution, and/or reputation impacts. When making a business case for why it’s so important to establish a compliance testing program (commensurate with your bank’s size, complexity, and risk profile, of course), it’s important to remember that the cost of non-compliance will likely be much higher than the cost of establishing and maintaining a testing program to proactively identify deficiencies.

As you reflect on your existing compliance testing program and evaluate its effectiveness, here are some common pitfalls to avoid:

  • Insufficient documentation. Perhaps one of the favorite mantras of a compliance professional – document, document, document. If it isn’t documented, it didn’t happen. Make sure you get credit for all of your efforts by adequately documenting your compliance testing activities. Keep accurate and complete records to avoid inconsistencies or gaps in your coverage. This starts with documenting an overarching methodology for your program and follows through the entire testing lifecycle – ensuring you are adequately documenting your testing scripts, testing memos, related reporting, remediation efforts, etc.
  • Inadequate scope. Take time to ensure you have a comprehensive regulatory applicability matrix, which identifies all regulatory requirements (and related internal policies and procedures) applicable to your business processes. Then, take it a step further and map those requirements to business processes and associated controls to ensure your scoping is comprehensive and covers all areas of your business.
  • Lack of independence. This can be tricky, particularly for smaller banks. It’s important that individuals conducting the testing maintain a level of independence so the testing process remains impartial, objective, and unbiased. Failure to maintain appropriate independence can compromise the integrity of your testing program and potentially lead to inaccurate findings.
  • Not taking a risk-based approach. A compliance risk assessment, and the resulting residual risk ratings, should drive your testing schedule. This will help you prioritize your already limited resources.
  • Inadequate remediation. If your testing efforts identify a weakness, the work doesn’t stop there. Ensure that you are conducting sufficient root cause analysis to inform remediation efforts. Once you have a remediation plan in place, be sure to incorporate it into your bank’s issue management program so that it is addressed in a timely manner, tracked, and fully closed.
  • Lack of collaboration and communication. In most cases, compliance testing is going to require business resources to provide information and input. Ensure you provide adequate advance notice to these business partners so they can properly plan. No surprises. Additionally, ensure that testing results are communicated to all relevant stakeholders, promoting transparency and accountability of compliance risk.

So, remember, don’t get overwhelmed by the amount of effort that goes into maintaining an effective compliance testing program. Instead, draw your attention to all the time and hassle you are ultimately saving yourself and your bank. If you need help, Spinnaker’s experienced team of compliance professionals can assist with:

  • Compliance Testing program development and design (all the way from program methodology to testing scripts), commensurate with your bank’s size, complexity, and risk profile
  • Review of risk assessment results to inform and build annual testing schedules
  • Testing execution
  • Reporting for senior management and board of directors
  • Remediation planning and follow-up to address any identified issues
  • Ongoing training