The regulatory examination: Few combinations of words are so effective at inspiring a cold sweat in even the most prepared credit union.
Increased regulatory oversight is the new normal in the post-financial crisis age. And along with new rules and regulations comes an increased focus on the methodology employed by institutions. For a credit union just trying to succeed in the business of banking, the increased scrutiny can add up to a lot of extra work. Oh, and by the way, regulators still expect financial institutions to be profitable, too.
But the process doesn’t have to be a nightmare. Remember, exams are a part of life for financial institutions. Instead of an intrusion in your daily routine, they can serve to validate your efforts as well as management’s commitment to your corporate culture. Of course, no two regulatory bodies, or examiners, are created equal. Nevertheless, there are a few preparation steps common to all examinations.
In this checklist, we’ll cover eight steps to preparing for a better IT exam.
1. Resolve any prior written examination findings
The worst possible thing from an examiner’s perspective is to have to repeat findings from one exam cycle to the next. From an examiner’s point of view, repeat offenses mean one of two things: Either your institution didn’t take the finding seriously the first time or you haven’t put sufficient effort into the remediation process. Either way, it also reflects poorly on management.
2. Resolve any prior verbal observations
Verbal observations might not be as formal as written findings, but they can be just as important. During the exam process, the examiner may suggest certain items that they’d like to see your institution improve or implement in the future. While these things aren’t listed on the final report as a finding, they may still appear in the examiner’s work papers and get carried over to future exams. If it’s worth an examiner’s time and attention to make the verbal observation, it might be worth your institution’s time and effort to address it, even if your response is, “We acknowledge the examiner’s observation, but ...”
3. Complete your IT audit at least 90 days before an exam
Although it’s difficult to pin down an exact date for your next exam, the general rule is that examiners work on a six-, 12- or 18-month cycle. You already know your rotation and the examiner’s approximate return date. Keep this in mind when scheduling an IT audit. One of the first things the examiner will want to see is your last audit. The key is to make sure to leave enough time to address any audit findings before the examiner arrives.
4. Update and board-approve all policies
Nothing says lack of preparation quite like playing by the old rule book. Be sure to check all policies prior to an examination and update them as needed. This includes policies that you simply need to tweak from year to year, as well as the incorporation of any new regulatory changes into existing policies, and the addition of altogether new policies. Be sure to get board approval for all changes prior to the exam; otherwise, only your older, last board-approved policies will apply.
5. Train staff on policies and procedures
Whether you need to update your members, your board or your staff on new policies and procedures, it’s good to start that process well in advance of an exam. Even better, conduct any necessary training ahead of the IT audit. This will give the credit union ample time to ensure everyone is on the same page in terms of policy education and awareness. And if an examiner interviews an employee about a particular procedure, they are more likely to remember it. In fact, many examination findings are caused by employee unfamiliarity with existing policies and procedures, not by any actual policy deficiencies.
6. Show your work
Building on the previous concept, another common category of examination findings is when actual practices deviate from policies and procedures. In other words, you can’t prove that you are actually doing what your policies say you’re doing, even if you are following them to the letter. Make sure all board and senior management minutes and committee meetings (IT, audit, loan, etc.) are fully documented and up-to-date. Regulators expect policies, procedures and practices to be in perfect alignment, and the only acceptable verification for this is documentation. Remember, the assumption is if it isn’t documented, it didn’t happen.
7. Management involvement
This goes hand-in-hand with showing your work. Regulators now expect the board and senior management to take more active roles in the day-to-day affairs of the institution, and routinely ask to see board and committee meeting minutes. They expect strategic goals and objectives to be clearly communicated from the top down, and all new and existing initiatives to align with those goals. Again, documentation is key here. Furthermore, the ability to identify weaknesses and correct them internally prior to an external audit is one of the hallmarks of a well-run institution. Internal control self-assessments are the best way to achieve this.
8. Complete any testing
Whether it’s business continuity tests, penetration testing or incident response testing, it is a good strategy to conduct it prior to an examiner’s visit. And just as with audits, build a little extra lead time into it in case testing uncovers any potential weaknesses in your policies or procedures that need to be updated. Third-party review of test results prior to the exam is a plus, but not absolutely necessary.
The reality of the examination process is that you will probably never have a perfect exam in the sense that you’ll have zero findings. In today’s environment of increased scrutiny, that’s expected. However, by following these steps and documenting the process, you’ll be better prepared to respond to regulators’ findings if they do occur. In cases where you feel compelled to push back on a finding, documentation becomes the foundation of a successful defense.
Recent client survey data indicates that less than one-third of financial institutions challenge an examiner’s findings. But of those that do, two-thirds are successful in amending or removing a finding in the examiner’s final report. In these cases, preparedness and documentation have resulted in direct improvements to those financial institutions’ outcomes.
If your institution is looking to build a stronger compliance program, you might want to consider the sort of reporting, documentation and IT management support you’ll need to add depth to your pre- and post-exam and audit efforts.