Addressing Risk

Addressing risks identified as a threat to the achievement of the company’s goals is typically the responsibility of risk management. Options for minimizing or eliminating these risks include transferring the risk to another party (such as using MI or FHA insurance), avoiding the risk (electing not to offer certain products), reducing the likelihood of a threat occurring (such as using technology to calculate APRs), or even accepting some or all of a particular risk. Mortgage lenders most commonly utilize policies, operational processes and technology in the origination and servicing environments to minimize or eliminate risks associated with operations. These policies and processes are designed to minimize risks that will impact the efficiency, effectiveness and profitability of the company.

Finally, management must maintain a strong control environment. A control environment is one in which there is a systemic approach by management to compare actual business performance to previously established standards and/or objectives to determine whether they are being met by the organization’s operational processes. Management must then determine whether remedial action is necessary, including whether human and other corporate resources are required or are being used in the most effective and efficient way possible in achieving those objectives. This is an important function because it helps to catch errors and prompt corrective action so that deviations from standards are minimized and the stated goals of the organization are achieved in the desired manner. Examples of these controls are financial reporting, quality control and customer feedback.

The complexity of the management system dictates, to a great extent, the number of individuals and separate functional units involved. At the end of the day, however, executive management of the company should be knowledgeable about the goals of the company, the risks that can impact the ability to meet those goals, and the control results that tell them how well the company is achieving the goals and managing the risks.

Compliance Management System

So what does it mean to have a Compliance Management System? Do lenders have to have another management structure that focuses on nothing but regulatory compliance? Or does compliance in this sense mean conformance to all the company policies and procedures? If it does, does this mean lenders already have a compliance management system in place? There are several answers to these questions and several ways to establish that a lender is meeting this requirement.

First, management must have some type of methodology in place to provide governance, risk management and control of the organization. If this is not clearly defined and documented, it should be done. This documentation must show that management, or the management group, oversees how the organization is operating. While well-established companies most likely have some approach to this, many times it is not formal, nor are the results of decisions documented. Management meetings should be held on a regular basis and the results recorded.

Within these meetings, issues concerning all areas of responsibility should be addressed. These may be organized around the stated goals and objectives of the company and include operational issues, risks to the organization, identification of the controls and the results of these monitoring functions.

Optional approaches

Determining the approach to take in meeting this CFPB requirement most likely depends on the size of the company as well as its complexity. If a lender chooses to incorporate the compliance function into an existing system, it must make sure that the current policy statements include all regulatory requirements. The corresponding processes must clearly show how these regulatory requirements are implemented within the organization. Finally, the control functions, specifically the quality control and, if separate, the regulatory review function, must be reporting on a regular basis. If they are to be used to meet the regulatory requirements, the report should include more than lists of issues of the overall findings of the review. The results should clearly identify the level of non-compliance while isolating contributing factors if warranted. In other words, it is not enough to say, “I looked at 10% of the loans and of that 10%, 8% had a problem with disclosures.” More specific information is necessary if management is going to address this issue. Finally, the management team minutes should reflect any decisions about how any unacceptable level of risk is going to be addressed. This issue should then be part of the management meeting discussions until it is resolved.

The management system should also include general regulatory issues, such as Fair Lending, which should be incorporated into the policy, risk and control discussions and updates for the management committee meetings.

If the company decides to implement a separate compliance management system, the same requirements apply. One thing that must be kept in mind is that this system must involve the same people that are involved in the other management system if it is going to be effective. All too often compliance groups involve only legal staff and control units. As a result, the issues identified in this meeting are minimized in the larger management meeting. This management group must also incorporate the governance, risk and control elements that are found in all management systems. The group’s meetings must be documented and issues resolved.

Where we stand today

Since the announcement of the requirement for a compliance management system, lenders have initiated various approaches. One of the most frequent is the development of a separate compliance group to manage all the new requirements. In many cases these groups are implemented at the urging of a consulting group that has been retained to assist companies. Unfortunately, many of these have been delegated to “sub-committees” of the larger management committee and their output is no better than what was happening previously.

There are two main causes for this. The first is that the committee is most likely run by an attorney or someone in the organization more familiar with the requirements than the company’s policies and procedures. As a result, they tend to focus on “How can I implement this requirement so that everybody does it?” and less on embedding the requirement into the process. Many times there are no production people involved and the result is something that cannot be implemented.

Also, the control environment has not been updated to accurately determine the level of non-compliance risk. The same type of sampling and reviews are done that produce the same type of data, leaving a gap in the level of information available to management. Take, for example, Fair Lending. The HMDA data is reported once a year and is tested for accuracy and validity based on FFIEC standards. Once the report is generated, how many management systems include the requirement for the data to be analyzed against the data for other years? How many companies obtain the entire report when it is released and compare themselves to other lenders? Very few, if any. As a result, these control findings are not effectively used to update policies and procedures to meet the compliance requirements. Furthermore, there is no evaluation of the entire operational system to determine if the Fair Lending Policy embedded in the organization’s value system is actually working.

At the end of the day, despite the requirement for a Compliance Management System, the efforts to date have not met that objective. Only when we truly understand how a well-run management system can improve performance will we be focused on meeting the standards. The companies that take this seriously and make the necessary changes in the functions required will be the ones who succeed and survive any future crises that come our way.
