No financial institution ever plans to get hit with an enforcement action or cease and desist order, yet it still happens. Strong risk management, compliance management, and audit are meant to protect an institution from major regulatory missteps, but inevitably some institutions fall short.
What’s an institution to do when the worst happens? Here’s what to do (and how to plan ahead) should regulators take action against your institution.
Talk to counsel. If your institution was hit with an enforcement action, your first step is to talk to counsel to understand the legal implications of the EA. It’s also smart to contact counsel if your institution is hit with a lawsuit or cease and desist order.
Activate your compliance response team and conduct a root cause analysis. Just like your institution has a business continuity plan, it should also have a compliance response team that can be called upon immediately in the event of a finding or other regulatory issue. The goal is to conduct a root cause analysis and figure out the weakness or weaknesses that led to the finding. Most findings are the result of multiple problems, whether it’s a defective compliance management system or risk management program, or poor reporting mechanisms.
Your institution needs to understand what led it down the path of wrongdoing so it can perform remediation. The more significant the finding, the quicker the team should gather.
Clean up your reputation. Depending on how serious the trouble is, it may be helpful to engage with a firm that can help you repair your reputation. Your institution needs to identify every single party that was harmed or could have been affected and decide how the institution is going to reach out to them.
Depending on how much attention the action gets, it’s possible to have thousands of customers calling to understand what happened. It may be helpful to have a special customer service line with staff specially trained in how to answer questions about the action, including why it happened and how it might personally affect them.
It’s also important to have a media response since local newspapers and media are likely to report on it. It’s helpful to set up negative news monitoring on Google so you get an email when your institution is mentioned. Finding out what people are saying about you lets you craft a plan for responding.
Have a team dedicated to fulfilling every obligation of the enforcement action. It’s always necessary to follow up and remediate any finding, but when you’re dealing with an enforcement action, it should be your institution’s number one priority. Whether it’s creating a committee, training staff, or improving policies and procedures, you must meet every single obligation laid out in the enforcement action. Think of it as findings management on steroids.
Figure out how to pay the fine. Enforcement actions may mean thousands or millions of dollars in fines. Your institution needs to figure out how to promptly pay that fine while staying well capitalized. It may need to move capital or investments or pull out of planned initiatives to find the necessary funds.
Bolster internal controls. Speaking of money, this is not the time to skimp on things like strengthening your internal controls framework. Once regulators have issued an enforcement action, expect to remain on their radar for the foreseeable future. Everything from exams to complaints will be heavily scrutinized. Now is the time to run a pristine operation. Make sure you invest in compliance management and internal control frameworks. All compliance frameworks need to be tightened up and in the best shape possible.
Increase internal testing and oversight. It’s time for your institution to begin conducting more internal testing. Something clearly went wrong in the area of the violation, and it wasn’t caught internally—or it was caught and ignored.
Make sure the right committees are set up to review reports from all lines of defense, especially your second and third lines.
Now that you know what to do in the event of a regulatory action, make sure you’re doing everything you can to prevent one from occurring—including tracking audit and exam findings to identify and mitigate compliance issues.