
What Is Compliance Risk?

Written by Rafael DeLeon | Jan 30, 2025 8:00:00 PM

Compliance has always been a significant concern for financial institutions (FIs). Still, regulatory fears are increasing following the fallout from the collapse of Silicon Valley Bank in 2023, an unprecedented number of credit union enforcement actions, and other activities rocking the financial services space.

According to Bank Director and Moss Adams’ 2024 Risk Survey, more than 75% of its respondents, including directors, CEOs, risk officers, and senior executives, worry about regulatory risk. Another 39% cited evolving compliance requirements as a strategic challenge.

While managing compliance risk presents challenges, FIs that properly manage and mitigate this risk can also reap compliance benefits. For example, FIs with mature compliance management programs can experience the upside of compliance risk, from cost savings to better relationships with regulators.  

Let’s explore compliance risk in more detail, the role of leadership in establishing a “tone from the top” when managing compliance and other risks, and how your FI can effectively and proactively address the challenges you’ll face this year and beyond.  


Related: Key Compliance Indicators for Financial Institutions

What is compliance risk?

Compliance risk refers to the risks financial institutions face when they fail to meet all laws and regulations, including consumer protection-related laws, ethical standards, and contractual obligations. It also includes exposure to litigation (or legal risk).

Non-compliance can result in penalties, fines, lawsuits, and a decline in customer trust, making it crucial for organizations to implement effective compliance risk management strategies and foster a culture of accountability and transparency.

Regulatory agencies, including the Office of the Comptroller of the Currency (OCC), emphasize the role of governance and oversight in mitigating compliance risk. According to the Comptroller’s Handbook: Corporate and Risk Governance, the board of directors is “responsible for complying with applicable laws, regulations, and for understanding the legal and regulatory framework applicable to the bank’s activities,” as well as for meeting the bank’s fiduciary responsibilities and establishing a sound compliance program.

When evaluating compliance risk, OCC examiners consider both the quantity of risk and the quality of risk management to determine the aggregate level and direction of compliance risk.

Related: What is Compliance Risk Management?

Common compliance risk causes and examples

While the financial services industry is highly regulated at the federal and state levels, compliance requirements vary among different types of financial institutions, including banks, credit unions, mortgage lenders, wealth management firms, and fintechs.

Some common causes of compliance risk include:

Data privacy and security issues

Handling customer data is a serious responsibility. If the right policies, procedures, and controls aren’t in place and working correctly, your customers’ data could be leaked or breached. According to IBM, the average cost of a data breach in the U.S. is $9.36 million.

Example: A bank failing to secure customer data properly faces a data breach, opening its customers’ personal information and private details to bad actors. The bank must pay for customer credit monitoring and a digital forensic investigation to understand the scope of the breach, and customers file a class action lawsuit.

Moreover, agencies including the OCC, the FDIC, and the Federal Reserve require banks to notify their regulators “no later than 36 hours after the bank determines that a computer-security incident that rises to the level of a notification incident has occurred,” placing even more pressure on the bank to be aware of data privacy and security-related issues.

Related: The Difference Between Data Privacy and Security

BSA/AML violations

FIs have focused on Bank Secrecy Act and anti-money laundering compliance for decades. Over that time, FIs have adapted their BSA/AML programs in response to changing regulations and continued enforcement that has brought increasing civil and criminal penalties.

FIs that fail to make changes, update their BSA/AML risk assessments dynamically, or don’t prioritize BSA/AML compliance from the top down are setting themselves up for failure.

Example: Last year, the Federal Reserve issued an enforcement action against a small Montana bank for insufficient BSA/AML compliance. While no monetary penalty was imposed, the bank must quickly pay for enhanced oversight and suspicious activity monitoring while regulators closely watch it, underscoring the importance of maintaining strong, updated BSA/AML programs.

Related: 20 Questions to Risk Assess Your BSA/AML Program in a Post-Pandemic World

Lending compliance problems

Fair lending, the Community Reinvestment Act, HMDA, and 1071 are just a few of the compliance initiatives lenders must adhere to while serving their clients and customers. Without a strong fair lending compliance management system, FIs can miss regulatory changes affecting their lending operations and fail to take corrective action or address consumer complaints, resulting in multi-million-dollar penalties and reputational issues.

Example: Last year, the Department of Justice (DOJ) announced its first-ever redlining settlement with a credit union, noting the FI’s “pattern or practice of lending discrimination” in neighborhoods in and around Philadelphia. As a result, the credit union must pay more than $6.5 million to settle claims and create more credit opportunities for underserved communities in the area.

Related: The Redlining Wake-Up Call: Lessons for Mortgage Lenders

Third-party risk

Third-party risk, also known as vendor risk, is one of the most significant sources of compliance risk. It can also be one of the most overlooked areas. Too often, FIs don’t perform ongoing vendor due diligence, leaving their institutions and customers vulnerable to third-party risk.

Example: If a financial services company’s third-party software provider experiences a data breach or fails to meet regulatory standards, the financial services company will be held responsible by regulators as though it had made the mistake. Remember: your vendor’s risk is your FI’s risk.

Related: TPRM 101: Top Third-Party Vendor Risks for Financial Institutions

Cybersecurity challenges

Cybersecurity risk is often cited as the number-one risk concern among banks and other FIs. The 2024 Conference of State Bank Supervisors (CSBS) Annual Survey of Community Banks revealed that 42% of bankers expect cyber risk to pose the biggest challenge to implementing new technologies over the next five years. Cyber risk can range from ransomware attacks to artificial intelligence (AI) and third-party vendor relationships.

Example: A 2024 class-action lawsuit against Wells Fargo alleged the bank's AI underwriting system discriminated against Black, Hispanic, and Asian borrowers by wrongfully denying their mortgage applications or offering them higher rates compared to white consumers. Previously, Wells Fargo settled a consumer compliance suit for $3.7 billion in 2022 and faced a $250 million penalty from the OCC in 2021 for abusive mortgage practices.

Related: How Is Your Financial Institution Managing AI Cybersecurity Risks?

The impact of compliance risk on FIs

Compliance risk can lead to a variety of issues. The more extensive the compliance risk, the more impactful the consequence. Some of the potential damages include:

  • Regulatory penalties. Regulators impose substantial fines and penalties based on the institution’s size, type, and the extent of the issue. Even worse, regulators may restrict an institution’s asset growth, new products and services, or branch expansion strategy due to a compliance issue, as TD Bank experienced in November 2024.
  • Reputational damage. Reputational risk stems from issues ranging from operational outages and data breaches to the perception that the FI doesn’t care about consumers. Compliance-related reputational damage can be difficult to overcome given the public nature of enforcement actions, which can impact an FI’s future partnerships or lead to customer loss.
  • Increased scrutiny. Rising regulatory expectations and deeper examinations are driving more concern regarding regulatory scrutiny. Bank Director and Moss Adams’ 2024 Risk Survey revealed that 65% of banks have undergone regulatory exams since Silicon Valley Bank’s collapse in 2023.
  • M&A disruptions. Unchecked compliance risk can derail a merger or acquisition. In the banking sector, federal banking regulators must approve every merger or acquisition. The agreement could be delayed, withdrawn, or even fail if there is a history of significant compliance violations or if compliance risk is uncovered during negotiations or the approval process.
  • Operational risk. Compliance risk can also ripple across an FI’s processes, systems, and management, leading to costly disruptions. For example, suppose an institution’s growth is limited due to enforcement actions or penalties. In that case, its resources will tighten, leading to potential layoffs, product and service delays, fractured partnerships, and other operational inefficiencies. Or, if an institution doesn’t comply with third-party vendor management requirements, it may not recognize that it has chosen an unreliable vendor, leading to a major service disruption such as customers being unable to access online banking.

Related: FDIC Shares Most Common Compliance Violations and Findings

How FIs can manage compliance risk

Managing compliance risk isn’t just checking the boxes on a checklist for the sake of an exam. It’s the continuous process of proactively identifying, assessing, mitigating, and monitoring compliance risk.

While every FI’s strategy will look different, these are some of the “do’s” your FI can implement as you reevaluate your compliance risk management process.

Make compliance risk part of ERM

Compliance risk management should play a role in your FI’s wider enterprise risk management (ERM). Rather than focus just on compliance risk (or any other risk type), ERM recognizes that risk is interconnected. Compliance risk overlaps with operational risk, financial risk, reputation risk, cyber risk, and many other areas. Treating compliance risk as its own stand-alone risk can lead to unmanaged risks, wasted resources, duplicate work, and other undesirable results.

Good ERM ensures a financial institution’s mission, vision, values, and strategy are aligned and risk is treated holistically. The COSO ERM framework recommends specific procedures for responding to risks, making it a helpful resource for FIs and other organizations.

Use KPIs and KRIs

Key performance indicators measure an FI’s success in meeting its business objectives, while key risk indicators identify and predict risk. Together, these metrics provide insights into past performance and future risk scenarios within the organization.

Related: Key Compliance Indicators for Financial Institutions

Streamline your compliance management system (CMS)

A compliance management system (CMS) comprises the processes and tools a financial institution uses to learn about its compliance responsibilities, incorporate them into business policies, ensure employees understand and carry them out, and take corrective action as needed.

It’s a substantial job – one that can be made easier by streamlining day-to-day tasks. Here are four areas where a CMS can benefit from streamlining:

  • Change management: Use tools to track and implement regulatory changes efficiently.
  • Collaboration across departments: Foster a compliance culture and centralize efforts to ensure consistency.
  • Exam-ready records: Simplify documentation to track compliance activities and facilitate audits.
  • Tracking policy changes: Ensure policies are up-to-date and approvals are well-documented.

Related: What is Enterprise Change Management and How Does It Work?

The role of leadership in mitigating compliance risk

While compliance is everyone’s responsibility, it’s up to the board and management team to set the tone from the top down regarding compliance and other risks, as William Mark, Lead Examiner at the Federal Reserve Bank of Chicago, emphasized in a recent article. Some financial institutions prioritize innovation over risk, fail to implement proper risk management controls, or ignore emerging compliance risks. Others view compliance as a cost center instead of a revenue protection department and don’t allocate sufficient resources. These actions frequently land an institution in hot water.

Here are some of the most common leadership mistakes and how FIs can avoid these pitfalls:

Ignoring KCIs

Key compliance indicators are benchmarks that help FIs measure compliance and anticipate risks by identifying potential issues. Examples of KCIs include consumer complaints, audit findings, HMDA and CRA reporting results, and training program assessments.

Actionable Insight: Track KCIs to enhance decision-making and operational efficiencies and improve consumer experiences.

Poor compliance culture

Collaboration is vital to maintaining a compliance culture, but what does that mean? FIs with a strong compliance culture ensure everyone has the tools and resources to complete compliance tasks unencumbered.

When outlining the role of board and management oversight in a CMS, the OCC emphasizes that the board and management should oversee and implement a consumer compliance program with “effective resources,” including systems, capital, and human resources that match the institution’s size, complexity, and risk profile. The Comptroller’s Handbook: Compliance Management Systems also highlights the need for knowledgeable staff who are well-trained, empowered, and accountable for adhering to consumer protection laws and regulations.

Actionable Insight: Evaluate your FI’s view on compliance and ensure all team members, including frontline employees, have the necessary resources to identify and communicate potential compliance issues. Some examples of tools include transparent reporting, staff training, a compliance management system, and open communication lines.

Failure to act fast

One of the most common mistakes FIs make when mitigating compliance risk is not acting on new or emerging risks. In 2024, several credit unions faced compliance challenges. While different risks caused the enforcement actions, the FIs shared one commonality: failing to address their compliance problems promptly.

No FI is immune to consequences. Failing to address compliance risks proactively is a disaster in the making.

Actionable Insight: If your FI is slow to address compliance challenges, it may be time to re-evaluate your risk management process. When assessing risks, think outside the box and pose relevant questions. When did you last conduct a compliance review? Have there been any updates or shifts in the regulatory environment?

Conflicts of interest

Board members, as well as other leaders and participants in the financial services space, such as fiduciaries, have a legal and ethical responsibility to act in the FI's and its customers' or members’ best interest. Weak or passive board oversight and governance can lead to problems—including consent orders—down the line.

Actionable Insight: Ensure your board of directors can proactively govern your FI's activities. Directors should have ready access to risk assessments, internal controls, relevant reports, and documents such as operating policies and procedures to address risk areas as needed.

What’s next? Making compliance risk a priority

Managing compliance risk is an everyday decision. From navigating regulatory changes to improving your team’s effectiveness, FIs must stay ahead in an evolving landscape. The right automated compliance management solutions can ease this process by delivering regulatory updates tailored to your institution, constructing customized compliance checklists, and serving as a central hub for your policies in one integrated platform.

Learn about the key components to look for in a compliance management solution in our Compliance Management Buyer’s Guide.