
Day of the geek: after decades in banking's basement, Compliance has arrived. The once-wide...

By Cocheo, Steve
Publication: ABA Banking Journal
Date: Thursday, June 1 2006

"Oh, East is East, and West is West, and never the twain shall meet ..."

Rudyard Kipling penned those lines while living in India in 1889, but the poet could have been writing about the history of bank compliance.

For decades, Compliance lived in banking's basement, often literally. It was a byproduct of consumer banking, the realm of alphabet-soup regulations, and suffered from some of the same second-class-citizen status that consumer banking once suffered. The commercial lenders and marketing types who typically rose to the top of banks in those days weren't even reading from the same book, let alone from the same page, as compliance officers. In a business where growth and profitability targets reigned, compliance was seen as a cost center that "real" bankers begrudged.

So, for many years, two separate cultures existed: the "banking culture" and the "banking compliance culture."

At industry meetings, "real bankers" talked about fresh new ideas for bringing in business, reaching up, out, and beyond as conditions grew more competitive. To them, regulators were impediments--people devoted to creating roadblocks and wallet drains. Regulator jokes often ended with the line, "I'm from Washington and I'm here to help you."

At their meetings, compliance officers held semi-religious conversations about Regs A, C, D, Z, et al. At compliance meetings, regulators were colleagues--high priests with whom one could reason out ways to keep the bank in the faith. (Even the jokes were different, and frequently were about management's compliance gaffes, i.e., "FDICIA? She works in Accounting, doesn't she?")

It was not surprising that, out of all bank employees, compliance folks latched onto the internet first, flocking to the old Money Page, and later to bankersonline.com and ABA's Compliance Center site. Suddenly there were ways to share the daily frustrations of basement life--and solutions--with other basement dwellers.

Seismic shift

But while all that was happening, the industry's tectonic plates were moving. The distance between banking and bank compliance, once a gap rivaling the Grand Canyon, began shrinking.

We reached this conclusion after discussions with senior regulators and banking managers, compliance heads at banks of all sizes, trade association staff, and headhunters.

"The gap was bigger than it is today," agrees Raymond P. Davis, president and CEO at $5.3 billion-assets Umpqua Holding Corp., Portland, Ore., who came into the business from the accounting world. "It has narrowed."

Davis says that in his own bank's case, a philosophical decision has been made about compliance and regulatory burden.

"I don't whine about it and I don't moan about it," says Davis. "It's the hand I've been dealt. Our attitude around here is all about staying in compliance. We're a growth-oriented company and we never want a compliance issue to be the thing that stops the train."

"The possibility of potential reputational damage from compliance missteps is much greater today, and you can't afford to take the risk," says Charles Bowman, an attorney who became Bank of America's Principal Compliance Executive in 1999. "The bar has been raised and regulators are less tolerant, and, in fact, responsible managers are less tolerant. And we don't want to be embarrassed."

Soon after promotion to the compliance leadership spot, Bowman wanted a way to punch through to all employees the message that compliance isn't just for compliance officers anymore. Thus was born a tagline that he and all his many staffers use on e-mails: "Compliance: It's Everybody's Business At Bank of America."

Sometimes Bowman caught flak about that line, he says, with other executives telling him he was diffusing responsibility for his own area's duties through the rest of the bank. Not so, Bowman shot back. With 200,000-plus banking associates around the world, how can a behemoth like Bank of America hope to keep its nose clean unless everyone accepts their piece of the compliance challenge?

Making "gray zone" judgments

Indeed, that's come to be an increasingly common attitude. And that's because what compliance is has evolved considerably. The discipline used to be mostly about "checking the boxes" and was very hands on, says Christopher T. Spellman, vice-president, compliance officer and internal audit manager at $195.4 million-assets savings association American Sterling Bank, Sugar Creek, Mo. You hear this from practitioners at institutions of all sizes.

"Judgment is becoming a bigger part of the equation," says Ann F. Jaedicke, Deputy Comptroller of the Currency for Compliance. She notes that more and more of the compliance challenge involves gray zones, things that don't neatly follow a formula. "Is this loan program idea predatory?" "Does this customer's action warrant a Suspicious Activity Report?"

"It takes judgment by high-level people in a bank" to decide such questions, says Jaedicke.

Compliance people themselves have widely adopted a new mindset. In some combination, they have moved towards the perspective of customer service, in the form both of considering how a compliance effort will affect the customer's experience, and also, thinking of the internal business units advised by Compliance as "customers."

"Every regulation that's added seems to be another burden to the customer," as well as to the banks, says Jeanne Uphouse, executive vice-president-organizational support group, at $6.1 billion-assets Provident Bank of Maryland, Baltimore.

These are symptoms of the compliance function's change in status.

"Compliance was a backwater for the banking business, historically, but now it is coming to be a top tier part of the industry. It's not your grandfather's compliance department anymore," says Eugene Ludwig, CEO of Promontory Financial Group, LLC, Washington, D.C.-based financial consultants, and former Comptroller of the Currency.

What closed the gap?

Trouble. Clearly, many banks got the compliance religion by watching the sufferings of others who made major mistakes. And the compliance stance of several of the institutions represented in this article reflects the results of their own trouble. At PNC Financial Services Group, Pittsburgh, for instance, John J. Wixted, Jr., a career Federal Reserve System regulator, owes his current position as PNC's Chief Regulatory Officer to a major 2002 settlement between PNC and both the SEC and banking regulators. Citigroup, which has made several high-profile compliance-related hires in recent years, has had a string of black eyes in the press arising from compliance missteps overseas and domestically. CEO Charles O. Prince III, himself an attorney, has been working through a five-point plan for improvement that incorporates, as point five, the goal of strengthened controls "including the separation of compliance from the businesses as a truly independent function along with an increase in budget and headcount for compliance and audit functions of more than 20%."

Enron and other cases have focused boards' attention on compliance. Boards that once went into "MEGOland" [my eyes glaze over] when the word "compliance" came up suddenly feel ownership.

"The Sarbanes-Oxley Act clearly has raised the apprehension level of boards and CEOs toward compliance," observes Federal Reserve Board Governor Susan Schmidt Bies, "because it raises their personal responsibility. Sarbanes-Oxley has made this somewhat personal. SOX also reminds them that compliance is not a project, but part of the bank's approach to how business is done."

Bies advises that, "the board should have periodic reports on the effectiveness of compliance, since it is one of the critical control areas of the organization." She says the others are Audit and Risk Management.

Causes beyond trouble

But trouble observed or experienced has been only one cause of the closing of the gap, and, though SOX has caused a renewed emphasis on controls, it isn't considered the prime mover in closing the gap. Other reasons fall into two areas: changing philosophies of compliance and specific laws and regulations.

Evolutions in how compliance risk is considered by banks have certainly played a big part.

"Enterprise Risk Management" and much talk about operational risk have wrought changes in how compliance is viewed, regulators say. "Good compliance and risk management people take the enterprise-wide view," says Fed Governor Bies.

Tim Marrinan, who has been part of the compliance business one way or another since 1978, today is executive vice-president in the Enterprise Risk Management Group for the Home and Consumer Finance Group at Wells Fargo. He believes being encompassed within such a broad designation helps demonstrate that compliance is now a mature discipline within banking.

"It would be hard to picture any executive management team operating today without a well-staffed, well-equipped compliance function," says Marrinan.

Harking back to an earlier comment, reputation risk plays a big role. BofA's Bowman points out that speed of information flow in modern society ensures that a compliance misstep will put egg on top management's face nearly instantaneously.

And, in the reputation area, image among consumers can't be denied. OCC's Ann Jaedicke, for instance, points out that her agency's emphasis on avoiding unfair and deceptive acts and practices--the "UDAP" issue--underscores the importance of Compliance keeping the bank's messages to customers straight.

And longtime compliance consultant Jo Ann S. Barefoot, head of her own firm in Columbus, Ohio, notes that "competition and information technology have put consumers in the driver's seat in financial services. If they perceive a financial company as unfair or deceptive or as flouting the law, they can exact a harsh penalty in myriad ways--through regulators, litigation, activism, and taking business elsewhere. Businesses have never been as vulnerable as they are today to customer dissatisfaction. This has fused compliance with basic business goals."

The arrival of specific laws and regulations is another factor mentioned in regard to raising the status of compliance. Of these, anti-money-laundering rules and practices are a prime motivator. The heavy-duty penalties suffered by banks that didn't measure up to FinCEN and regulatory requirements commanded top management attention in a hurry.

And, then, the changing nature of what banking is has changed the role of compliance. Practitioners say that so much more of the interaction with customers is electronically oriented that the issues of data security and privacy have also crowded onto the "compliance" plate. Add on aspects of business continuity and even avian flu, now, and that's one big platter.

From shunned to sought after

That banks are generally spending more on compliance is a given, with the difference being a matter of degree. "The large banks are finding the money," says ABA's Richard Riese, "while community banks are making efforts to apply more resources and funds to these challenges." However, says Riese, director of the Center for Compliance, "there isn't a blank check there."

Compliance officers say one of the most significant changes of the last few years is the movement towards training employees specifically for compliance work, developing that talent internally and intentionally. Doris Waldman, senior vice-president, Salem Five Cents Savings Bank, says this pattern represents a big change from her own 16-year history in compliance. When she started in that position at the $2 billion-assets thrift based in Salem, Mass., she was told, "You are now the compliance officer. Find out what that means, and get it done," Waldman recalls. Today's compliance officers, she says, have greater knowledge and ability than did those of even ten years ago.

Another change has been the need for experienced compliance people who can also run staffs of compliance employees, notes Carolyn J. Book, vice-president and director, regulatory risk management, at $155 billion-assets Citizens Financial Group, Providence, R.I.

The result is a growing cadre of compliance types who bring a trio of talents to the boardroom or management meeting, according to Jo Ann Barefoot: technical skills of their own; the ability to manage people and their compliance specialties; and the ability to advocate for compliance in a corporate atmosphere. No mean combination, that, but they need it. "Now," says Barefoot, "they are working head to head with other aggressive frontline managers who all argue for their point of view."

As a result of these trends, compliance practitioners are enjoying something many never thought to see in their careers--they are sought after, even clamored for. There is a depth of knowledge that simply takes time to develop.

"It is certainly harder now for banks to find an experienced compliance professional when they lose one," says Waldman of Salem Five.

This has been reflected in the job market. Compliance officers are hot, increasingly hard to find, and garnering higher salaries.

Mike Jensen is an executive recruiter with Adams Inc., a banking specialist based in Omaha, Neb. Jensen says for many years he'd see one or two assignments come through for compliance officers each quarter. Now, that number has skyrocketed.

Besides the many trends already recounted in this article, Jensen says another factor is the growth of banks. When a bank passes the $200 million mark, various aspects of regulations kick in and volumes of compliance work develop such that the institution finds it needs a full-time compliance officer--and not a beginner.

Not only does the supply of them not grow quickly, but Jensen says that they aren't a very mobile crowd. "If you can find one willing to relocate, they're gold," says Jensen.

One client of Jensen's found that it had to double the salary of its compliance position before it could attract a candidate willing to replace the predecessor.

Putting dollars at stake

Increasingly, the theme of compliance being everyone's job is being given more than lip service. Compliance accountability is being emphasized through a tender spot--the wallet.

At Bank of America, for instance, the heads of each principal business unit make an annual presentation to the CEO concerning their units' compliance approaches, record, and all relevant statistics. But accountability goes a step further; the top 100 or so leaders at BofA are given a compliance rating--"Exceeds," "Meets," "Does Not Meet," and "Needs Improvement."

"And that rating factors into their incentive comp," says compliance head Charles Bowman. "We don't grade on a bell curve, but it's very hard to get an 'A.' There are always a few who trail the pack, but they don't trail more than once. These are very competitive people."

At Baltimore's Provident Bank, a three-grade system is used, with managers' ratings being measured on the basis of critical factors for the particular area they run. And Provident's Jeanne Uphouse says that in 2007, top management hopes to push this system further down the food chain, such that all managers, including branch managers, will have a stake in compliance performance.

At PNC, Wixted says a "Risk Management Scorecard" is maintained on business units and that these affect not only the units' top employees, but everyone down the line in those units.

"We cover the chiefs and the indians," says Wixted.

Destination? "Embedding"

Many agree that as much change as compliance has gone through, the evolution marking it in recent years isn't over yet.

With technology playing such a large role in compliance today, BofA's Charles Bowman, for instance, believes compliance must become even more comfortable with technology, in the sense of being better able to evaluate what vendors bring to the table for each compliance challenge.

And while there has already been much effort made towards anticipating the next challenge, rather than simply reacting to the current one, practitioners think they must grow much better at that. "We have to learn to address hot spots before they become a problem," says PNC's John Wixted. "Taking a strategic view in compliance, today, is not a nice-to-have, it's a need-to-have," says Tim Marrinan of Wells Fargo.

Part of the solution to both challenges, but also to the larger, overall compliance challenge, is going to be further outreach so that compliance is no longer an overlay on banking practices, but something built into the business units. The term most often used to describe this shift is "embedding." Somewhat like the process the military had of placing various journalists among American fighting units in the present Gulf War, banks will in time stick compliance people or functions closer to the bank business unit that needs them.

"We're near a tipping point now," says PricewaterhouseCoopers' John Garvey, partner and leader of the Financial Services Technology and Data Services Advisory Practice. "Banking companies are frequently still adding compliance to their existing processes, rather than fundamentally changing the way that they do business."

"Compliance professionals must better understand how their organizations operate, and how they can embed compliance in the day-to-day activities of the bank," says Fed Governor Susan Bies, herself a former banker (EVP for risk management and auditor for what was then First Tennessee National Corp.)

BofA's Bowman agrees. He says more expertise will reside, in the future, with the front-line employees actually doing the work that must be kept in compliance. Where actual compliance talent must be deployed, rather than transmitted to business unit employees, "they are going to be closer to the front lines," forecasts Bowman.

Is talk of embedding an overreaction to the rapid change that's been seen?

Bowman and others think not.

"The pendulum," he says, "never swings fully back. I think you're seeing a systemic change."

It's true. Compliance people really are certifiable

A contributing factor to the rise of the compliance profession is the ABA-sponsored Institute of Certified Bankers' "Certified Regulatory Compliance Manager" rating.

The program began in 1992 and current membership stands at 1,302 bankers, regulators, and consultants who have passed the rigorous certification exam and maintained their continuing education requirements. Up until 2005, the Institute ran about 100 exams a year, but thus far in 2006, more than 200 have been administered.

While 12% of CRCMs are from the nation's ten largest banks, their employees are not alone. About 15% of the CRCMs come from banks with assets of less than $1 billion. (About 9% of CRCMs are regulators.) A banker must have at least three years of compliance management experience plus 80 hours of compliance education just to be able to take the test.

As the main article notes, what compliance is has evolved over the years, and so too has the CRCM exam, according to Howard Walseman, ABA's Group Director, Learning & Development, and longtime staff director for the program. The industry's expanding focus on new issues such as privacy and data security has been reflected in the ongoing revisions to the 200-question, four-hour exam, which is adjusted by a committee of bankers and regulators.

"It really is an exam built by practitioners," says Walseman.

Headhunters looking to fill compliance positions do look for the CRCM designation, according to Walseman, who fields calls from them sometimes. Mike Jensen, an executive recruiter for Adams Inc., Omaha, Neb., says he's had several clients specify that they wanted CRCMs for their slots; in fact, every one of the candidates he placed held the designation. And he says bankers with the designation typically draw higher salary offers.

For more information about the program, contact Walseman at HWalsema@aba.com
