AMERICAN BANKERS ASSOCIATION
March 18, 2001
COMPLIANCE MANAGEMENT IN A CHANGING INDUSTRY - ADDRESSING NEW CHALLENGES
Good evening. It is a pleasure to be here with you. I'm glad to have this opportunity to tell you how important I think the work is that you're doing. And it's great to see you all here, working to further improve your skills.
No one has to tell you that compliance is very important today. The forces of change -- such as the convergence of financial services, technological development and globalization -- are transforming the financial services industry. They are increasing the complexity of financial institutions and, at the same time, generating new legislation and regulation. These changes are introducing sources of risk that put a renewed emphasis on compliance risk assessment and compliance management.
No one has to tell you that your actions as a compliance manager have a direct and lasting effect on the success of your institution. You contribute to a safe and sound operating environment. You improve efficiency. You minimize the potential for unexpected liability. You enhance customer service. You strengthen your institution's reputation.
During difficult economic times, financial institutions often look to reduce costs. Since a bank's compliance function does not generate profit per se, the function is often targeted for budget and resource cuts. While there may be some "short-term" cost savings, the longer term implications are troubling.
The costs of noncompliance are far greater than the costs of compliance.
For example, the costs to correct problems can run quite high - such as costs for new forms, changes to computer systems, retraining personnel, redisclosures to borrowers, searching files to identify customers affected by problems - not to mention the costs related to improving a damaged reputation, or dealing with bad publicity. And, how can you even put a cost on the loss of customer and market confidence?
And no one has to tell you that compliance is good business.
It goes to the heart of your institution's reputation in the communities it serves. A damaged, or even tarnished reputation can certainly hinder your ability to successfully launch new products and services, retain customers, and attract new ones.
We often forget the power of consumer expectations and reactions. Consumers want and expect to be treated fairly. There is real risk here. When you fall short of consumers' expectations, there are repercussions such as complaints to you, federal or state authorities, or the media. Consider the attention around ATM fees, privacy, and predatory lending. And who can forget the "know your customer" proposal from a few years ago! Consumers often find powerful champions on their side, like state Attorneys General and the United States Congress. Today, unhappy customers can hurt your bottom line and your market position.
Let's consider a current, real-world example using a topic that I know is on your minds. The importance of sound compliance management and the concepts I just discussed will be nowhere more evident than as your institution deals with consumer privacy.
You need to know the privacy rules inside out. Your command of the privacy rules, and the spirit of the law, can create new value for customers by assuring them through your actions that your financial institution respects their privacy. This could very well give your institution a competitive advantage.
The statute and regulation establish certain requirements and rights pertaining to when and how institutions may share nonpublic personal information about consumers with nonaffiliated third parties. There are two principal requirements in the privacy rule:
First -- all financial institutions must provide privacy notices to customers.
Second -- all financial institutions must provide customers with opt-out notices and an opportunity to opt out of the bank's sharing of their personal, nonpublic information -- if the institution intends to share the information with third parties who are not affiliated with the bank. Limited exceptions are specified in the rule.
The scope of your privacy policies and procedures will vary depending on the complexity of your institution and its information sharing practices. Engage representatives from each department within the financial institution to ensure that your compliance policies and procedures are comprehensive. Their involvement will assist you in creating an inventory of information collection and information sharing practices, and identifying existing groups of customers, consumers, and former customers. The information you gather will help you decide how to structure your privacy and opt-out notices.
The compliance officer often has the responsibility for providing compliance training to the institution's employees. You have to educate employees on new concepts and new standards in the privacy rule. You also have to explain the interaction between the new privacy rule and other federal and state statutes that bear upon information handling practices, most notably the Fair Credit Reporting Act, or FCRA.
You may recall that last October the FDIC, along with the other federal agencies, issued proposed regulations to implement FCRA's notice and opt-out provisions, which govern the sharing of certain information among financial institution affiliates. The public comments we received in response to this notice reminded me of the arcane interaction -- and confusion -- between the provisions in this law and the Gramm-Leach-Bliley Act privacy law. Let me explain.
Your institution can, without condition, share transaction and experience information about its customers with nonaffiliated third parties under FCRA. However, under the privacy law, your institution may not share that same type of information with nonaffiliated third parties -- unless customers are given privacy and opt-out notices, and an opportunity to opt out.
Also -- under the privacy law, if your institution provides customers with the appropriate notices and opportunity to opt out, and customers do not opt out, your institution is not restricted from sharing information from a consumer report. However, FCRA does not permit you this option. FCRA says that if your institution shares consumer report information with nonaffiliated third parties it could be considered a "consumer reporting agency" -- which brings a plethora of other obligations.
The federal regulators tried to respond to these complexities in our proposed rule last December -- and sought ways to minimize the differences to make it easier for banks to comply with both rules and to provide appropriate disclosures to consumers. However, the comments we received exemplified how difficult this task is -- and we don't expect to be finished by July 1 of this year.
For this reason, last Wednesday, we issued a statement saying that the form and content requirements that will be in the final FCRA regulation will not apply to any privacy notices issued prior to January 1, 2002 -- or the effective date of a final FCRA regulation, whichever is later.
Therefore, you should not delay the preparation and delivery of your institution's privacy notices. You should prepare privacy notices using your current understanding of the opt-out notice requirements of the FCRA, which have been in place since 1996.
In the meantime, conveying to your employees the fact that information sharing under one statute may be prohibited or subject to different conditions under another statute will serve to minimize compliance risk and liability.
The FDIC's "Privacy Rule Handbook" issued in January, which can be found on the FDIC's Web site, takes a closer look at the rule and offers helpful suggestions for implementing and maintaining an effective compliance management program.
I imagine that you have many questions about what examiners will be looking for during their review of the new privacy rule. First let me say that we expect to have interagency exam procedures ready very soon, and we'll begin the next phase of our interagency exam training sometime next month. We want to ensure that all federal financial institution examiners are consistent in their interpretation and application of the privacy rules.
Every FDIC regional compliance officer will be fully trained and able to answer any questions you may have. The other agencies will also be prepared to respond to institutions that they supervise.
But let me offer a preview of what the exams will be like:
The primary objective of the examination will be to assess the quality of your compliance management program for implementing the privacy regulation. The scope of our examinations will depend on whether, and to what extent, your institution shares information with affiliates and nonaffiliates. To address the fact that the regulatory requirements may differ depending on an institution's information sharing practices, we structured the examination procedures into modules. For example, an institution that shares nonpublic personal information only within the exceptions will have a more limited-scope examination than an institution that shares outside of the exceptions, and will be evaluated under a set of procedures appropriate to its practices.
The idea here is to minimize burden and confusion for both our examiners and the industry. We wanted to develop an examination product that could be used by examiners and industry compliance practitioners alike to measure compliance.
You should expect examiners to do several things during the examination process. They will conduct interviews with institution officers about privacy practices and the use of customer information. This is a very important step in the process. A comprehensive understanding of any uses and sharing of information is essential to performing an accurate examination.
Examiners will also look for an effective internal control program, employee training initiative, monitoring program, consumer complaint resolution process, and management oversight.
They will go over privacy policies and notices, and consumer opt-out directions. They will look for information sharing agreements, service agreements, and joint marketing agreements.
Our interests are the same as yours. We want to ensure that your institution is in compliance with the privacy regulation. We also want to make certain that what your institution tells consumers about its information handling policies and practices is what your institution actually does.
Before I conclude my remarks, I would like to commend the American Bankers Association for its leadership in encouraging its members to get an early start on complying with the privacy rule, and in providing outreach and guidance on the issue in various forms, including the Financial Privacy Toolbox.
I also want to commend all of you for the work that you do every day to minimize risk at your institution and ensure that consumers of financial services enjoy the rights afforded them under the consumer laws.