Compliance Blog

Oct 18, 2007

Risk-Based Compliance

Yesterday, the Compliance Guy alerted everyone to the newest FACT Act regulations.  It probably came as no surprise to anyone that we're all in for another risk assessment.  Deskdude posted an interesting and thought-provoking comment.  He noted:

It appears the forthcoming FACT Act regulations will utilize the increasingly common "flexible risk-based approach," whereby your compliance implementation depends upon "the size and complexity...and the nature and scope of [your institution's] activities". This is an interesting (if controversial) trend worth discussing. Risk-based regulation represents an important acknowledgment that one size does not fit all. It's interesting, though, that among those who commented on the regulation, "small financial institutions" were highlighted as being likely to desire more clearly prescriptive guidance.

Trend?  You bet.  We already use risk-based compliance programs to tackle information security (Part 748, Appendix A), Bank Secrecy Act compliance, multi-factor authentication, and OFAC.  Now the trend has spread to identity theft.

On one hand, risk-based programs allow institutions to design compliance programs that fit their makeup.  Bank A is not like Credit Union B, and risk-based compliance takes this into account.  On the other hand, compliance officers may face burnout if they must continuously design custom-made compliance programs to deal with complex problems.  No one likes specific guidance that just doesn't fit, yet we sometimes crave the simplicity and safety of "safe harbor" model disclosures and clear-cut regulatory mandates.

Question of the day: Is the trend of risk-based programs good or bad?  Or is that question too simplistic?  Comment away, friends.

For credit union professionals looking for a good overview of risk and risk management, a good place to start is chapter one of NCUA's Examiner's Guide.  The chapter explores "risk-focused programs," and readers will gain a good understanding of how NCUA views risk and risk management.


Plenty of folks have asked the Compliance Guy how to set up and receive the "feed" from this blog.  (If you look to the left, below the "About" link, you'll see the feed subscription link.)  How does this work?  The Compliance Guy is not all that sure.  But you can find some good instructions here, which should be useful.