While participating on a panel discussion recently, the following question was posed to panelists: “If you could identify the single most effective compliance tool that you have seen work successfully in an institution, what would it be?” My reply identified not just a periodic internal compliance monitoring program, but one where the value is maximized by certain features. Those features are:

• The monitoring program is risk-based and the topics that are monitored (and how) are reviewed annually.
• Those who perform the monitoring are trained sufficiently to recognize an exception.
• The monitoring results culminate in a report to the department head who oversees the area monitored. The report is copied to the Compliance Officer. The report addresses the exceptions found in the monitoring review, plus the recent trends or patterns over time.
• Department heads respond to significant exceptions or trends/patterns with reasonable corrective action. Typically, “reasonable corrective action” involves the implementation of additional controls and/or retraining of staff. The corrective action should be tracked through completion.
• The Compliance Committee discusses the effectiveness of the monitoring program and any significant issues.
• The institution’s training program is modified based on the results of its monitoring program; just as it is modified based on the results of audits and exams.
• Where results of monitoring reveals significant control weaknesses, the situation is brought to the attention of the Audit Committee.

The above methodology will maximize the value the institution receives from the effort put into performing the monitoring because continuous improvement will take place at the department level, long before the auditors or examiners arrive.  In departments that perform monitoring, but not under the methodology described above, I frequently find the same exceptions being revealed month after month. Perhaps a results memo is generated, but not acted upon. In this situation, one could almost argue that the effort put into performing the monitoring is of no value.

Even the smallest of institutions can implement a risk-based monitoring program.  Although in today’s environment the lending area has the most need for robust monitoring, I frequently see monitoring programs begun in the deposit and e-banking areas – possibly because these areas are more transactional in nature and are perceived to be easier to monitor.  However the program is begun, it’s important to put a program in place and perfect it over time. A program with small sample sizes performed quarterly – in accordance with the methodology above – is a better program than no monitoring program at all.

By: Sharon A. Blanchette, CPA, CIA, MBA
Assistant Director, New England, ICS Compliance