4 steps banks should take to strengthen compliance management systems

Focus on compliance culture and approach, not just transactions


Regulators are taking a different approach to examinations at banks and credit unions. Where, until recently, they focused almost exclusively on files and transaction testing, they are now also taking a harder look at each institution’s overall compliance approach. With the Consumer Financial Protection Bureau (CFPB) leading the charge, regulators are now taking a top-down look at the overall compliance effort, looking for evidence that financial institutions have:

  • A strong compliance culture, starting with the right tone at the top

  • Effective compliance policies and procedures

  • Solid compliance training and monitoring programs

Incidents such as the recent scandal at Wells Fargo, in which an overly aggressive sales culture led to widespread abuses, underscore the importance of a top-down, risk-focused compliance management approach. Financial institutions need to invest the time and resources necessary to ensure effective compliance throughout the institution. Four steps all financial institutions should take:

  1. Develop compliance policies and procedures throughout the institution that set very clear compliance goals and that spell out exactly what all employees need to do to help ensure those goals are met. Be sure your compliance procedures are specific and actionable.

  2. Bake compliance into the development of new products and services. Don’t leave compliance as an afterthought that’s addressed after they are in place. Anticipate and address compliance risks during the development process.

  3. Take customer complaints and audit findings seriously. How financial institutions respond to signals of possible compliance issues is a major indicator of the strength of their overall compliance management system. Escalate customer complaints and audit findings to management and ensure that any underlying compliance issues are identified and addressed.

  4. Focus on training, support and testing. Having the right policies and procedures in place doesn’t matter if employees don’t understand them. Be sure personnel at every level of the organization understand overall compliance issues and goals as well as specific compliance tasks that fall within their job description. Regularly test compliance at all levels and hold people at every level accountable for compliance performance. As testing uncovers issues, ensure practices are adjusted to correct for weaknesses. Training is often the weak link. Employees might understand which form to fill out or what actions to take, but if they don’t understand why, then they don’t fully appreciate the associated risks or their role in addressing them. Be sure employees understand their full role in your compliance efforts. Employees should understand their compliance functions as clearly as they understand their operational responsibilities. Consider specifying compliance obligations in their job descriptions.

A more sophisticated and holistic approach to compliance is not just a practice for major national banks. Smaller community banks and credit unions also need to ensure they are taking an effective, top-down approach to managing their compliance risks. Reviewing and strengthening your compliance program now will not only help to control your risks, it will better position you to stand up to the deeper focus that regulators will be taking in their examinations.
