Rutledge, Executive Vice President
Remarks at the Conference of State Bank Supervisors and the Institute of International Bankers, New York City
Thank you, Larry. Let me add my welcome to those of you coming from abroad. I am sure that the people who are here for an extended tour of duty will find New York City an exciting and engaging place to live and work. And in particular, your area of professional concentration—compliance—has never been more challenging and important. I am sure that message has been evident in the presentations already today and will be a clear point coming through in my remarks.
This afternoon, I will offer various observations on the development and nature of supervisory expectations for compliance, particularly as they relate to international banks. I will speak about what I view as the drivers of compliance challenges, and about the implications of these challenges for the supervised firm, for supervisors and, very importantly, for communication between us.
Drivers of compliance challenges
Let me begin by singling out two types of drivers of compliance challenges today. First, the dynamics in the global financial services markets have unequivocally led to an increase in inherent compliance exposure. And second, policymakers and regulators are clearly focusing more strongly on compliance risk management, because of recent developments in the corporate and political arenas. So, we have a situation where banks have growing exposure to compliance risk, at the very time that scrutiny of compliance management is intensifying.
Inherent compliance exposure
With respect to the former, inherent compliance exposure is clearly being affected by factors such as financial innovation, globalization and the impact of deregulation within individual countries. I will say a few words about each.
New products (including structured products) are constantly being introduced, and are being used by an expanding set of market participants, as technology has improved and various market forces have incented behavioral changes. This has led to a number of compliance challenges:
Questions for example can arise on how new instruments fit within existing legal and regulatory regimes,
Suitability issues can come up, given that new players entering the market may be less sophisticated than the historical set of market participants, and
Accounting and disclosure practices are likely to be lagging behind the rapid product innovation.
Globalization and cross-border expansion present additional challenges, as firms become subject to a broader array of regulatory regimes. An immediate challenge is for the firm to assess whether conducting certain types or levels of business activity in a new country would cause it to become subject to various laws of that jurisdiction. If so, then the firm becomes subject to more legal and regulatory requirements, some of which may be inconsistent with those applicable elsewhere. The result of the geographic expansion then is to increase the risk of possible compliance problems and to make the management of a global business that much more difficult.
Deregulation within individual countries is also something of a two-edged sword. Clearly it affords greater business opportunities to a firm, but it also raises challenges in managing compliance risk across a firm’s business units. For example, as a result of the passage of the Gramm-Leach-Bliley Act in the US, a single firm can now engage in commercial banking, investment banking, and insurance activities. The implication for the compliance function is that it must not only keep on top of issues within each of these diverse business lines but also the interactions between them—for example, in policing potential conflicts of interest across the firm.
Somewhat similarly, the overall compliance challenge for the firm is more than just the sum of the challenges from financial innovation, from globalization and from deregulation. There are interplays between these developments that add additional layers of complexity to the compliance challenge.
Level of scrutiny
The second broad consideration I mentioned is the increased level of scrutiny of compliance in the U.S. and in other major financial markets—scrutiny that is driven by major industry and political events that have changed the legal and regulatory environment over the past five years.
The start of this decade saw a number of high-profile corporate scandals involving misconduct at the highest levels and breakdowns of internal control and compliance processes. In the U.S., extensive accounting fraud at Enron and WorldCom contributed to the passage of the Sarbanes-Oxley Act, which clearly places new obligations on covered firms. Other countries have not been immune to instances of accounting mismanagement, as evidenced by the example of Parmalat in Italy.
The events of September 11, 2001 and subsequent emphasis on terrorism were the impetus for the USA Patriot Act, which substantially increased the compliance obligations of banks and other financial services firms. In particular, while firms have long been expected to have knowledge of the people that they do business with, Title III of this act—which focuses on international money laundering—puts an even stronger onus on financial firms to “know their customers” and keep a close watch on how they use their accounts.
A combination of these new legislative initiatives and increased public scrutiny has led the supervisory community to place greater emphasis on compliance enforcement.
Some of this is coming from relatively new sources—for example, the Financial Crimes Enforcement Network (or FinCEN), after it was upgraded to bureau status at the Treasury Department, has become more active in addressing financial abuses. And various State Attorneys General, such as in New York State, have been particularly aggressive in recent years in pursuing cases in the financial services industry.
And of course, the various financial services supervisors have pursued a number of cases in the public arena. I will say a bit more about the approach of the banking supervisory agencies in a minute.
What does this mean for the individual firm?
But first, what do these developments mean for the individual firm? The single strongest message I would leave is that compliance risk management needs to be heavily reflected in each firm’s governance structure and approach. Let me mention a few elements of a strong firm-wide compliance program, most of which are longstanding supervisory expectations.
To begin with, active board and senior management oversight is, of course, critical. It is extremely important to have the right tone at the top, communicating that compliance is a firm-wide priority and that business lines, along with compliance professionals, are responsible for ensuring compliance. Incentive structures should be in place to encourage appropriate performance.
Second, the firm should establish and maintain sound compliance risk policies, procedures, and internal controls—based on risk assessments of its businesses, and incorporating limits as needed. These components have often been embedded within dynamic and proactive enterprise-wide risk management processes that look at compliance in broader terms than adherence simply to various specific laws and regulations. A strong compliance and reputational risk management program includes that employees meet corporate standards for doing business. It should also include a mechanism to ensure critical review of high risk transactions.
In any event, compliance processes should clearly spell out the roles of independent control personnel and provide for appropriate separation of duties. A key point to make is that, regardless of the compliance risk management framework employed, business line managers continue to "own" the compliance risk in their areas and should suffer real consequences in the event of compliance failures. This responsibility cannot fall just on the independent compliance functions. Emerging practices—such as when firms explicitly factor internal compliance metrics into management compensation or into the allocation of capital among business areas —will underscore compliance accountability even further.
Rounding things out, management information systems should be in place to adequately monitor and assess compliance risks. For example, the sophistication of monitoring for money laundering is rapidly increasing. Institutions are using specialized software and MIS reports to detect patterns of transactions that warrant investigation, to identify accounts that are the subject of repeated suspicious activity reports, and to build better escalation protocols. A key take-away from this is that compliance professionals must be on top of technological advances that would allow them to do their jobs more effectively.
Turning more specifically to the operations of foreign banks in the US—a question we are sometimes asked is whether there is, from our perspective, a best way to structure the relationship between the locally-based compliance functions and the rest of the organization. In my view, this is not an area for regulatory prescription—there is not a unique organizational model that would be most effective for every bank. Rather, we look to see whether a compliance function achieves certain goals in addressing a firm’s specific compliance risk challenges.
First, is it structured so that compliance staff can carry out their responsibilities with appropriate independence? Compliance staff may be embedded within business lines or have reporting lines to branch management or to country heads. But whatever the reporting line, they must have the capacity and incentives—monetary and otherwise—to critically evaluate operations, and they must have resources and support when problem areas are identified.
A second, and related, question is: do local compliance staff have strong linkages to, and the backing of, head office compliance…and through head office compliance to global senior management and the board of directors?
Third, does the structure support the development and implementation of sound monitoring and testing programs? Testing of course is a “point-in-time” event, but monitoring is very much an ongoing process. We have generally found that monitoring and testing tends to be one of the weaker components of many firms’ compliance risk management programs.
A fourth question is whether the volume and quality of compliance resources is appropriate. This is obviously more than just a body count, but an assessment as well of whether the firm has staff with the appropriate technical skills to carry out the necessary sophisticated analysis. This may involve a degree of reliance on head office compliance or the bringing in of outside support—both of which may be necessary, but both require care in how they are used. What are the implications for ongoing monitoring, when technical experts fly in and fly out? If certain compliance tasks are outsourced, is bank management providing effective oversight? Vendors must be scrutinized and, very simply, outsourcing cannot diminish, in any way, the firm’s accountability.
These objectives may be met through a variety of organizational models, depending on factors such as the size and nature of each bank’s businesses, its geographical scope, its culture and existing reporting lines, and the legal and regulatory framework in which it operates. There is no “one-size-fits-all” organizational model that we require or even expect.
Implications for supervisory authorities
Let me now offer a few key principles for the way in which supervisors should be carrying out their responsibilities.
First, supervisory authorities have a responsibility to establish clear regulatory requirements, supported by industry and examiner guidance. The goal is to have well-structured rules that implement legal requirements, supplemented by guidance outlining where and how discretion may be exercised.
Second, supervisors should employ judgment in how they deal with problems that are found. Depending on factors such as the severity of the problems and the responsiveness of management, the Federal Reserve uses the range of methods at its discretion—from offering recommendations in an exam report, to entering into confidential supervisory actions, to the taking of formal public enforcement actions.
Third, we need to continue to increase coordination among regulators, both internationally and within the U.S. This will lead to a greater consistency in the overall supervisory approach that is followed, as well as more consistency in the messages conveyed to individual firms.
Coordination in development of policy is important. As an example, in 2005, the Basel Committee published a high-level paper on compliance risk and the compliance function in banks that supervisors around the world are making use of.
On a more firm-specific level, we, as a host supervisor, look to have effective coordination and communication with the home country supervisor—particularly when we find a serious problem, such as a significant compliance issue. It is our policy to share our concerns with home country supervisors, so that they will not be surprised and, even more importantly, will be able to make judgments on the implications of our US findings for the global organization. In certain circumstances, this could lead to very explicit and public coordination of enforcement actions with home country supervisors. In several recent cases, the Federal Reserve has taken action to deal with a specific US compliance problem, while the home country supervisor has taken a leadership role in a broader action to address compliance issues across the consolidated firm.
The Federal Reserve of course not only coordinates with financial regulators in other countries, but with other U.S. supervisors as well—both in terms of policy development and in terms of individual institution supervision. An excellent example of the former is last year’s release of the BSA/AML exam manual by the Federal Financial Institutions Examination Council.
A fourth principle is that we should continue improving collaboration between the industry and supervisors. From the supervisors’ perspective, this can take a variety of forms. We have participated in formal and informal public consultations and we have supported industry-led efforts—such as the case of CRMPG II. At times, we have also brought firms together to address issues requiring collective action—as the New York Fed has done with the back-office problems faced by credit derivatives dealers.
A final principle I will mention is the importance of regulatory agencies developing specialized expertise to carry out supervisory efforts, with a focus on the hiring, training, development and retention of examiner staff. Specialized examiners can, and should, be exposed to a cross section of firms, so that they can develop a perspective on state-of-the-art industry practices. At the New York Fed, we have created a number of specialized examination teams, including some that are focused on various sets of compliance requirements, such as AML.
Given the critical importance of communication, I would like to finish by highlighting some of the key obligations for supervised institutions and for supervisors in communicating effectively with one another. Some of these points are intended to reinforce principles I touched upon earlier.
First, as representatives of supervised institutions, it is critical that you maintain a strong channel of communication with your regulators, particularly when problems arise. From our perspective at the Federal Reserve, we do not like to be surprised. If you find a serious problem, let us know about it when you find it, rather than either 1) assuming you should hold off telling us anything until you have completed what might be a multi-month investigation and figured out exactly how you will deal with it—or even worse—2) assuming you can sweep the problem under the rug and we will never find out. It is much better that you advise us of a problem, rather than having us discover an issue that you have been aware of for some time but have chosen not to share with us.
Our mindset is not to play “gotcha” on the problem, but rather to weigh the severity of the specific problem with the effectiveness of how your control processes worked. Did you discover the problem yourself? Did you communicate with us at an early stage? Did you set in motion a careful effort to fully understand the issue and its ramifications? Did you learn from a specific problem to make broader changes that would allow your organization to be more proactive, rather than reactive, going forward? While the onus is clearly on the firm to carry out these various steps, our awareness of what is taking place often makes the process work much more smoothly and effectively.
In turn, the Federal Reserve should aim to become more transparent in our conveyance of supervisory expectations.
Through the exam process, we provide feedback to specific institutions, including comments directed at areas where we would expect continuing compliance risk management improvements. Most of this communication is, of course, a highly confidential dialogue between the supervisor and each supervised institution.
As I mentioned when firm-specific problems are severe enough, we may take a public enforcement action. Professionals in the compliance risk management arena will find it valuable to keep track of actions issued by the agencies. Although a public action is levied on a firm-specific basis, it could hold a larger implication for the rest of the industry about issues where supervisors may be particularly focusing their attention. It could also signal an area where other banks may find similar weaknesses.
When a fundamental change is expected on a widespread basis, we don’t convey our expectations by using public actions against individual firms. In these cases, the Federal Reserve will disseminate information by issuing written guidance, or by communicating its high-level findings from horizontal reviews of bank operations which may help the industry adjust its practices.
I will leave you with two brief final points.
First, we all need to assume that managing legal and reputational risk will remain a challenge going forward. It is highly unlikely that the rapid pace of innovation and cross-border expansion will slow down, and further legal and regulatory changes are always to be expected.
But second, and to end on a positive note, I do think that the interests of the private sector—in maintaining the long-term integrity of franchises—and the official sector—in ensuring integrity of market practices—significantly coincide. This should encourage continued collaboration and dialogue and a more transparent and effective approach to the setting of expectations and developing of standards.
Thank you very much.