Banks and credit unions across the country are rejoicing at the passage of the Economic Growth, Regulatory Relief and Consumer Protection Act. This much-awaited law rolls back many provisions of the Dodd-Frank Act, reducing regulatory burden at some financial institutions.
Now that some banks and credit unions can roll back compliance efforts in a few areas, many are wondering if they can also do less when it comes to risk management.
Sorry, but the answer is no.
Compliance vs. Risk Management
Compliance and risk management are separate activities.
Compliance is having policies, procedures, and programs in place to ensure an institution doesn’t knowingly or accidentally violate a law, regulation, rule, or an institution’s own internal policies.
Compliance activities are influenced by what Congress does or doesn’t do. When a new law is passed, whether it increases or decreases regulation, it impacts compliance. At first, it creates more work as the institution must adjust policies and procedures and train staff to adopt the new rule. Once implemented, deregulation should result in less compliance burden.
For instance, Congress’s new law will provide qualified mortgage status for many financial institutions and expand eligibility of the 18-month exam cycle to more community banks. That means less paperwork and fewer exams for some institutions, which directly impacts compliance.
Risk management is the process of identifying, assessing, measuring, monitoring, and controlling the many risks an institution faces on a daily basis. These include credit risk, concentration risk, operational risk, compliance risk, transaction risk, cyber risk, IT risk, and reputation risk, among others. Risk management is an essential and ongoing process that constantly seeks to evaluate potential threats and opportunities so that the institution is prepared to best handle them.
While regulators provide guidance and best practices for risk management, it’s not something any smart financial institution would abandon, even if no one were looking. Monitoring risk is a natural part of running any business. Ignoring risk is equivalent to stumbling around in the dark. There is no way of knowing what hazards and rewards lie in wait until you bump into them.
The law doesn’t reduce the need for risk management, but it does impact a financial institution’s risk assessments. For example, compliance risk, or the risk that an institution won’t meet its compliance responsibilities, should be reassessed in light of potentially reduced burden. It may also impact credit risk. Several banks exited the mortgage market due to the added compliance and financial risk of a crop of new regulations. Perhaps a review will determine that the changes make the mortgage market a more viable business line.
Thus, risk management is a tool that helps an institution understand the impact of this and other new laws and developments in a way that goes far deeper than the compliance department. It helps institutions know when new controls are needed and when outdated controls can be eliminated. It helps them understand their strengths and weaknesses and respond to changing conditions. It reduces the likelihood of unwanted outcomes.
When it comes to risk management, there is no rolling back. We can only roll forward.