As technology advances, inevitably creating more risks for financial institutions as well as creating new ways to control risk, banks are transforming traditional ways of preventing fraudulent activity and complying with legislation with improved software and better business objectives. Loring Muir, senior vice president and director of compliance of Regions Bank ($49.5 billion in assets, Birmingham, Ala.), and John Ehrensperger, corporate compliance officer, SunTrust Banks, Inc. ($120.9 billion in assets, Atlanta), recently spoke with Bank Systems & Technology Associate Editor Cynthia Ramsaran about the challenges of regulatory compliance and how their institutions are meeting the new guidelines.
Bank Systems & Technology: Describe your backgrounds and how long you have been in your current positions as compliance officers. What is your mandate from your bank?
Loring Muir, Regions Bank: I have been with Regions for 22 years and spent my first 12 years with Internal Audit. I have served as director of compliance since December 1993. My role at the bank can be summed up in our department's vision statement "Minimizing Risk-Maximizing Efficiency." Our group is responsible for ensuring that policies and procedures are implemented to minimize the risk of regulatory violations and to protect our reputation.
John Ehrensperger, SunTrust Banks, Inc.: I started out as an examiner and later supervisor with the NASD. I came to SunTrust as the broker/dealer compliance officer about 17 years ago, and moved over into consumer compliance and CRA (Community Reinvestment Act) about 12 years ago. My role today is to administer a comprehensive corporate compliance program that covers all compliance issues related to our core financial services businesses. Some of this, like consumer compliance, broker-dealer compliance, privacy and CRA, reports directly to me. Other issues, like Reg O (governing lending to insiders of member banks: executive officers, shareholders, directors) and security, are assigned to specific managers in the line, and they provide me with periodic reporting about their compliance programs. I roll all of this up into regular reporting to our top management and Audit Committee.
BS&T: What are your top priorities concerning regulatory compliance at your bank? What are you doing to address these issues and what are some of the initiatives under way?
Ehrensperger, SunTrust: Our company has moved to a single state charter and a more line-of-business-driven operating model over the past few years, and has undergone a significant transformation that is still playing out to some extent. So a lot of what has occupied us has been getting our compliance function properly aligned with the new model, and dealing with all the new products, new systems and other changes that naturally occur in that process. Overlaid on that, we're trying to respond to the push for a more comprehensive, rigorous and well-defined risk management structure brought about by things like Sarbanes-Oxley and the Basel Accords. That has led us to formalize and better document some risk management activities. And, of course, it has also highlighted a few gaps that we're in the process of filling. I think that's a healthy process and we'll be a better company for it, but it's not easy or cheap. In terms of hot-button compliance issues, I'd have to list anti-money laundering and PATRIOT Act issues, privacy and the related Do Not Call rules, the new HMDA (Home Mortgage Disclosure Act) reporting requirements, CRA, and the ever-growing SEC/NASD/NYSE analyst independence and investment sales practices arena. It seems like nothing ever stays static long enough to get comfortable with it.
Muir, Regions Bank: At the moment, my top priority is the USA PATRIOT Act. Specifically, we are in the process of redesigning and enhancing some of our systems to address the new customer identification requirements effective Oct. 1. Our project team has been working very closely with our internal technology group to ensure that all system issues are resolved well in advance of the Oct. 1 deadline.
BS&T: What role does technology play in developing/completing/managing these initiatives, and in addressing compliance issues in general? How are you working with the CIO and IT in general to deal with these changes and requirements?
Muir, Regions Bank: Regions technology has assigned us a senior technologist, known internally as a business information officer (BIO), to assist us with obtaining the resources we need to manage compliance issues from an IT perspective. We have been able to automate a number of compliance-related processes, which has significantly enhanced our overall compliance program.
Ehrensperger, SunTrust: We spend an awful lot of our time working with IT people and others on new products, and changes to existing products or problem-solving. And as is probably the case everywhere, the demand for IT services far exceeds the capacity, so we're involved in the process of setting priorities. In our company, a regulatory issue automatically goes to the head of the queue, which is nice. I try to make sure that policy doesn't get abused and that everything that goes to the top of the stack in the name of compliance really is a regulatory requirement.
Apart from the application systems that drive our various products, technology also plays a huge part in how we do our own jobs in compliance. I find myself in the position of being an owner or sponsor of a number of technology projects that are driven purely by regulatory requirements, like the HMDA changes, enhanced anti-money laundering monitoring systems, and improved e-mail retention/review systems for the broker/dealer subsidiary. And I oversee our process for tracking and reporting our CRA lending in every market, which is a significant database management issue. As a technophobe, I'm fortunate to work with a lot of talented people, both on my own staff and in our IT area, who are able to translate our business needs into systems that meet those needs.
BS&T: What types of technology (tools, systems, etc.) are being used to keep your bank up to date and in compliance?
Ehrensperger, SunTrust: We've made huge strides in recent years in the use of IT to help us monitor accounts for money laundering and other illicit activities. Our AML area is able to spot and investigate activity that never would have come to our attention without automated systems. Also, in CRA we manage a database of loan data that enables us to compare ourselves to other lenders versus our goals down to the individual business units.
Muir, Regions Bank: We use several automated systems and processes to collect data for use in our compliance monitoring process. Most of these systems were acquired from third-party vendors. For example, we recently implemented the Atchley (Dallas) KYC (Know Your Customer) and Atchley Comply Wire systems to assist us with USA PATRIOT Act compliance. Both systems sift through thousands of transactions to identify suspicious activity that could involve wire fraud or money laundering. The volume of transactions would make doing that manually nearly impossible. Although we set the parameters and do the research, our technology group has played a critical role in getting the systems implemented, as well as providing ongoing support.
Another example is a new system we have installed to assist in compliance with Sarbanes-Oxley Section 404. In this case, we must assert the controls and business processes for critical balance sheet and income and expense accounts. We have an internal, SQL Server-based system called Rave that helps with reconcilements, and have just implemented the Risk Navigator system from Paisley (Cokato, Minn.) that automates the documentation and tracking to keep us within compliance.
BS&T: What kinds of benchmarks/metrics can the bank use to determine if the goals of these initiatives have been achieved? Do you view regulatory compliance as a "cost of doing business," or can banks achieve any kind of competitive advantage as well?
Muir, Regions Bank: Regulatory compliance is a cost of doing business. However, our goal is to implement efficient processes and procedures that will relieve the regulatory burden from our front-line bankers. We are constantly evaluating our processes for additional automation opportunities, and Regions Technology plays a key role in that process.
Ehrensperger, SunTrust: We track things like error rates in customer loan disclosures and the accuracy of our HMDA data, and we have thresholds that trigger additional management attention. But probably the most important measures I look at are the presence or absence of consumer complaints or litigation resulting from some compliance failure, and what the Fed finds when they come in to look at us. If we're doing our jobs and pushing good regulatory compliance through the organization, those two measures will reflect it. At one level, compliance is clearly a cost of doing business, and our business folks would just as soon not have to worry about all these rules and requirements. But in a broader sense, I think that having a strong compliance program helps us promote a culture that values doing the right thing by the customer and our communities, and there's nothing more important to a financial institution than having that reputation.