We have another meaty enforcement action from the banking world today, a $65 million civil penalty against City National Bank for systemic failures of corporate governance, risk management, and internal controls. The case includes a laundry list of compliance reforms the bank needs to implement, with plenty of lessons for the compliance profession as a whole.
The Office of the Comptroller of the Currency announced the sanction on Wednesday. In addition to the $65 million penalty, OCC also directed the Los Angeles-based bank to take “broad and comprehensive corrective action” on pretty much everything: operational risk management, compliance risk management, internal controls, anti-money laundering compliance, and more. Technically this all falls under what’s known as Appendix D of OCC guidelines, which established safety and soundness practices for large banks; City National has $93 billion in assets, so it qualifies.
Even for compliance professionals outside the banking sector, this enforcement action still offers plenty of insight because the settlement order walks through what OCC wants to see for effective risk management and internal control practices, and walks through them in extensive detail. That can be an excellent source of inspiration as you ponder what the risk assessment, internal control, and compliance procedures should look like at your own organization.
For example, City National must now adopt written risk assessment methodologies for AML compliance (overseen by FinCEN and other banking regulators) and sanctions compliance (overseen by the Office of Foreign Assets Control). Those methodologies “shall be designed to provide a comprehensive analysis” of the bank’s risks, “address known deficiencies in current methodologies, and include strategies to control those risks and limit any identified vulnerabilities.”
Taking a disciplined approach to risk assessments is a challenge for every compliance officer. So what can we learn here? Let’s take a look.
Step 1: Gathering the Data
First, the OCC said, City National’s risk assessment methodology should pay lots of attention to the data involved in its risk assessment. Specifically, the assessment should include processes to assure “the quality and reliability of data collection, and provide for the accurate identification and inventory of specific risk categories to ensure coverage in the risk assessment.”
In other words, City National needs to be certain that its risk assessment evaluates all the risks that the bank actually faces. The OCC even gave a helpful list:
- Products and services offered;
- Customer types and entities served;
- Transaction types;
- Countries or geographic locations of customers and transactions;
- Methods the bank uses to interact with its customers.
That’s a list of risk categories that any compliance officer could use in his or her own risk assessment. For example, imagine you want to assess your company’s FCPA risks. Working off the above list, you’d ponder questions such as:
- Do we offer products or services to foreign governments?
- Do we know which of our customers qualify as state-owned companies?
- Which transactions would carry high corruption risk?
- Where in the world are we doing business, that we might encounter high levels of corruption?
- How do we actually interact with our customers? Through intermediaries, or on-the-ground sales offices, or via online interactions based here at home?
OCC then includes one more gem of a requirement. The risk assessment process should include mechanisms so that compliance officers can “credibly challenge the qualitative and quantitative data provided by the First Line of Defense and across compliance functions.”
“Credibly challenge” is a wonderful phrase. Any time you’re talking with the board or senior management about the authority you need to do your job well, you should try to work it into the conversation: “I’m not just here to write policies and procedures; I need the power to credibly challenge the sales team when they give me information that’s baloney.”
Still, this concept raises a few questions. Exactly how would you credibly challenge the qualitative and quantitative data? Presumably you should have access to the same databases as those First Line business functions (as recommended by the Justice Department’s guidelines on effective compliance programs, we should note). What about your ability to validate questionable data through some independent means? What about your personal stature to call out data that’s incomplete or erroneous? That depends on your support from management.
Step 2: Assessing Risks
The OCC order also talked extensively about how to analyze all that data once it’s been gathered. It started with the rather generic requirement for “a detailed analysis of all pertinent data obtained regarding the specific risk categories” — which isn’t terribly helpful, except to tell us that you should assess the risks within each risk category you’ve identified. Um, no kidding.
But wait, OCC then gives us something more useful! City National’s risk assessment should also look at (1) volumes and types of transactions and services by country or geographic location; and (2) the number of customers that typically pose higher AML risk, both by type of risk and by geographic location.
That helps compliance officers understand the holistic view of risk your assessment should be able to provide. For example, you might want to look at the volume of transactions that qualify as high FCPA risks, sorted by country; or the number of third parties that pose higher fair-labor risk, both by type (modern slavery, human trafficking, wage withholding, and so forth) and by location. The risks are different from those of City National, but the characteristics of your risk analysis are essentially the same.
The OCC order also talks about aggregating risks so that you can evaluate them at the enterprise level. For example, it directs City National to assess risks individually within the bank’s business lines, and on a consolidated basis across all bank activities and product lines. It also calls for an assessment of all affiliate relationships and shared services to identify and analyze their impact on City National’s overall AML compliance posture.
Again, if you just strip out the AML part, the rest of those requirements make sense for any company and any risk profile. You want to see how Risk X manifests in each line of business, and the total amount of Risk X for the whole enterprise. That’s exactly what any risk assessment should deliver. It’s an especially useful framing for, say, cybersecurity or fraud risk posed by third parties. Those risks are sprinkled throughout your enterprise, and you’ll need to total them up somehow. This is how.
And Don’t Forget Internal Controls
That’s the last big part of the OCC directive on risk assessments. City National must compile an inventory of its internal controls designed to address the risks found through the risk assessment, plus an evaluation of the adequacy of those controls. That adequacy evaluation should incorporate findings from regulatory examinations, Second Line testing, and independent audit reviews.
That’s precisely what every compliance team should be doing for FCPA, privacy, human trafficking, financial reporting, and other risks — for any risk, really. You need to match each risk to the internal controls that address it, and determine how well those controls do or don’t mitigate the risk in question.
Then all you need to do is put all that in writing, and do it all over again next year.
Anyway, that’s enough for today — and we’ve only scratched the surface of this City National settlement order. We’ll have more analysis next week, since it lends itself to all sorts of useful lessons on issues any compliance officer would face.