Tag: Dodd-Frank

05 Apr 2012

5 “random” facts

Fact 1 – According to the U.S. Bureau of Labor Statistics, the increasing complexity of financial regulations will spur employment growth of financial examiners.  In fact it is expected to experience the third largest growth of all career paths through 2018.

Fact 2 – According to Rep. Shelly Moore Capito (R-W.Va.), author of H.R. 3461, “The Dodd-Frank Act has added so many new regulations to financial institutions, it has helped boost a 31% projected growth in job opportunities for Compliance Officers.”

Fact 3 – Speaking of H.R. 3461…It is also called the Financial Institution Examination Fairness and Reform Act, and aims to provide “more transparent, timely and fair examinations” by reducing the disconnect between exam results and their regulating agencies.  It now has 154 co-sponsors.

Fact 4 – A related bill (S. 2160) has just been introduced in the Senate.

Fact 5 – The provision in both bills that is getting the greatest push-back from regulators is the one that grants a financial institution the right to appeal an examination finding to an ombudsman at the FFIEC, not the regulator that made the finding.

I’ll let you connect the dots of these “random” facts.

22 Nov 2011

Thankful for…Dodd-Frank?

I made a similar post last year about this time, so I thought I would continue the “Thanks-giving” tradition here…and no, I haven’t completely lost my mind about Dodd-Frank.  Let me explain.  Over the past year I’ve had the opportunity to give several presentations to various groups on the impact of Dodd-Frank (DFA) on community financial institutions, and I know the attitude out there on DFA ranges from cautious optimism to dread, but “Thankful”?!?  Actually, so far the overall impact has been negligible to slightly positive for community financial institutions (defined as those with less than $1B in assets).  But there is also reason for caution.

Reasons to be thankful

First and foremost among these are lower assessment rates.  Lower deposit insurance assessments mean that the vast majority of community banks will see 30% – 40% decreases in their fees paid to the FDIC.  And at the same time the amount of deposit insurance coverage has increased to $250,000.  Getting more for less is always a good thing.

Although we can’t really credit this to Dodd-Frank, we can nevertheless also be thankful that financial institutions are for the most part healthier than they were last year at this time:


Another reason to be thankful is that the provision limiting debit card interchange fees does not apply to institutions with less than $10B in assets.  In fact the vast majority of DFA provisions will only apply to institutions larger than $1B in assets, which as of June 2011 is only 8.9% of all financial institutions:


Reasons to be cautious

But as I said, there are still reasons to be cautious.  According to Davis Polk in their latest Dodd-Frank Progress Report, 326 of the 400 rules required by the law have not yet been enacted, which (regardless of whether or not community institutions will ultimately be affected) still leads to a climate of regulatory uncertainty.  And there are a couple of other more obscure provisions that will affect all institutions, like the Source of Financial Strength provision and the requirement for risk committees to have outside directors, and of course whatever burdens the CFPB brings…stay tuned!

I mentioned previously that one of the reasons that I’m NOT thankful for DFA is that it raises the threshold for triggering a Material Loss Review from $25M to $200M, so we’ll have fewer post-failure reports to review.  I believe the best way to avoid repeating the mistakes of the past is to learn from them, and the MLRs were a great way to do that.  I think they can also predict future examination trends…which is a preview of my next 2012 Trends post!


(I’d be remiss if I didn’t take this opportunity to express thanks for all the blog readers out there…over 11,000 visits since this time last year!  THANK YOU!!)

22 Feb 2011

Management of IT reflects overall management

(This is an extract from an article written for Bank Technology News.  The full article is here.)

One of the reasons compelling the shift towards increased focus on IT is found in the only non-financial element in the CAMELS ratings: management. Post-mortem reports on the failures of both Washington Mutual and IndyMac placed the blame equally on management for pursuing overly aggressive growth strategies, and on the regulator (OTS) for its inability to effectively identify and assess the risks. The OTS was a regulatory casualty of Dodd-Frank, and I think we can expect (and rightly so) increased focus on all governance issues going forward.  But how does that translate into increased IT focus?

There are twelve factors that go into the CAMELS management rating component, and one of them is a measure of how well the institution manages its information systems. In addition to that, the FFIEC makes it clear in their IT Examination Handbook on Management that

“…effective IT management practices play an integral role in achieving many goals related to corporate governance. The ability to manage technology effectively in isolation no longer exists. Institutions should integrate IT management into the strategic planning function of each line of business within the institution.”

And regarding the relationship between IT and strategic planning:

“…an institution capable of aligning its IT infrastructure to support its business strategy adds value to its organization and positions itself for sustained success.”

Clearly IT is so pervasive throughout financial institutions that no enterprise-wide assessment of management and governance is complete without a thorough review of IT.  It also stands to reason that an institution that cannot demonstrate that it adequately manages technology (at all levels of management, from the Board of Directors down) may have fundamental management issues enterprise-wide.

Bottom line…more scrutiny of management equals more scrutiny of IT, and deficiencies in IT can lead to lower CAMELS scores.  Solution?  Implement a formal IT management process consisting of a dedicated committee.  Use a standardized agenda, assigning follow-up items to responsible parties with specific time-frames for resolution.  Involve ALL functional units in the committee, and regularly report status updates to the Board.

Then take this same model and apply it to the rest of the organization!

30 Nov 2010

5 Key Elements of Risk Management

As a financial institution, it sometimes seems that everything you do requires a risk assessment.  Information security, disaster recovery, ID theft, remote deposit capture, outsourcing, in fact the term “risk assessment” appears 215 times in the FFIEC IT Examination Handbooks.  But a risk assessment is only one step of a five step risk management process…and it’s not even the first step.

I think the regulators unnecessarily confuse the issue by conflating “risk assessment” with “risk management”.  Sure, it’s important to assess risk, but unless you’ve correctly identified the assets to be protected, your assessment will be off target.  And once you’ve correctly identified the assets and assessed the risk to those assets, you must design a system of controls to avoid, reduce and transfer the risk down to an acceptable level.  And then, because the environment in which the risks and controls exist is not static, you’re still not done managing.  You must constantly repeat the process.

The process is further complicated by the fact that there is no single standard for documenting risk management, although it would be so much easier for both the institution and the regulator if there were a standard checklist or matrix: easier for the institution to implement, and much easier for the regulator to follow.  (In fact, in my opinion a standardized risk management process would have been a mutually beneficial outcome from Dodd-Frank…it would benefit institutions, regulators, and the public.)

So, lacking a universal standard for risk management, how do you proceed? Again, the FFIEC handbooks provide guidance here.  I mentioned earlier how often the term “risk assessment” appeared in the handbooks, but the term “risk management” appears even more often…303 times total.  The essential elements of an effective risk management program are:

  1. Identify the assets to be protected.  What are you protecting (e.g. customer information, critical business processes, etc.), and why (privacy, security, etc.)?
  2. Identify the threats to those assets.  What could happen to the assets identified in step 1?  Rank the threats by both impact and probability.  (This is the traditional risk assessment step.)
  3. Apply controls in a layered, overlapping way until the risks are reduced to an acceptable level.
  4. Test the adequacy and effectiveness of the controls.
  5. Monitor the program and periodically repeat the process.
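
To show how the five elements fit together in one record, here is an added example in Python (not from the original post): a small risk register in which threats are ranked by impact and probability, layered controls each act on what the previous layer left, and only controls that have actually been tested earn any credit toward residual risk. The asset, threat, scores and reduction factors are constructed for illustration and are not FFIEC values.

```python
from dataclasses import dataclass, field

# Constructed example: scores and reduction factors are illustrative only.

@dataclass
class Control:
    name: str
    likelihood_reduction: float = 0.0  # fraction of remaining likelihood removed
    impact_reduction: float = 0.0      # fraction of remaining impact removed
    tested: bool = False               # step 4: untested controls earn no credit

@dataclass
class Threat:
    name: str
    impact: float        # 1 (negligible) .. 5 (severe)
    probability: float   # 0..1 chance of occurring in the review period
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> float:
        # step 2: rank by impact and probability before any controls
        return round(self.impact * self.probability, 2)

    def residual_risk(self) -> float:
        # step 3: layered controls, each applied to what the last layer left
        p, i = self.probability, self.impact
        for c in self.controls:
            if c.tested:
                p *= 1 - c.likelihood_reduction
                i *= 1 - c.impact_reduction
        return round(p * i, 2)

@dataclass
class Asset:
    name: str      # step 1: what is being protected...
    reason: str    # ...and why (privacy, security, etc.)
    threats: list = field(default_factory=list)

def risk_register(assets, acceptable):
    """Step 5 view: each asset/threat pair, its risk, and whether it is within tolerance."""
    rows = []
    for a in assets:
        for t in sorted(a.threats, key=Threat.inherent_risk, reverse=True):
            r = t.residual_risk()
            rows.append((a.name, t.name, t.inherent_risk(), r, r <= acceptable))
    return rows

def open_items(assets, acceptable):
    """Pairs still above tolerance; these need more layers, testing, or repeat review."""
    return [row for row in risk_register(assets, acceptable) if not row[4]]

# Constructed sample data (hypothetical institution)
encryption = Control("encryption at rest", impact_reduction=0.5)  # deployed, not yet tested
phishing = Threat("credential phishing leading to disclosure", impact=5, probability=0.6,
                  controls=[Control("email filtering", 0.5, tested=True),
                            Control("security awareness training", 0.4, tested=True),
                            encryption])
customer_db = Asset("customer information database", "privacy", [phishing])
ACCEPTABLE = 0.5
```

Running it, the phishing threat stays an open item (residual 0.9) until the encryption control is tested, after which residual risk drops to 0.45 and the item closes; that is the step-4 gap a matrix that only lists controls would hide.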

Remember, exactly how this is documented is up to the institution.  Most choose to utilize a matrix, others use a narrative, but regardless of how it’s done the process should include all 5 of these elements.

So next time you hear an auditor or regulator ask for a risk assessment, what they are really asking for is one step in your overall risk management program.  Deliver it to them as part of the program and you’ll never come up short.

11 Nov 2010

Dodd-Frank and regulatory compliance

In an excellent article by Lori Moore of ATTUS Technologies, she states that there are multiple reasons why bank examiners may be ramping up scrutiny:

“Examiners who may already be on the defensive in regard to criticism about their actions prior to the fall 2008. Examiners who now have the Dodd-Frank Act on their side, giving them more authority. Examiners who in conjunction with Dodd-Frank have been charged with heightening their scrutiny of all consumer protection compliance.

No doubt, examiners are going to get tough. A decree recently stated by a representative from the OCC: “Fair but tough”. In fact many anecdotal reports confirm this is already happening.”

The difference between “tough but fair”, and “fair but tough” is much more than semantic.  It means that “tough” is the operative word.  As the pendulum of regulatory focus swings from credit risk back to regulatory risk, expect regulators (and auditors) to spend more time scrutinizing your information security policies, procedures and practices.