
Bank Compliance: If It Isn’t Documented, It Didn’t Happen

Jul 12, 2022

Every profession has an unofficial motto.

For doctors, it’s “First, do no harm.”  

For astronauts, it’s “Ad astra per aspera” (translation: to the stars through hardships).

For compliance professionals, it’s “If it isn’t documented, it didn’t happen.” 

Documentation is at the heart of every good compliance management system (CMS). It’s more than a regulatory expectation—it’s a regulatory requirement. If this requirement isn’t met, it can result in enforcement actions, fines, and expensive lawsuits.  

Just consider this recent cease and desist order for a bank’s BSA (Bank Secrecy Act) program from the Office of the Comptroller of the Currency. It includes 12 mentions of documentation and requires the bank to:  

  • Provide for maintenance of adequate documentation to support the disposition of alerts and case investigations
  • Ensure the Bank has an effective SAR (Suspicious Activity Report) decision-making process and that it documents individual decisions on whether to file SARs, and the key facts and circumstances supporting each decision to not file a SAR
  • Ensure maintenance of documentation supporting the Bank’s methodology for establishing and adjusting thresholds and filters
  • Write and enforce a provision requiring maintenance of appropriate data and information used to support the risk assessment’s conclusions. The supporting documentation shall be readily accessible
  • Draft and enforce policies and procedures to outline ongoing high-risk account review expectations to provide meaningful analysis and documentation of information
  • Maintain documented explanations for changes in account activity

That’s a lot of callouts for missing documents and documentation processes.  


Documentation: What bank examiners want 

When examiners visit a bank, they are not going to take your word for it that a policy exists or that employees comply with it. They want the receipts. It’s a matter of ensuring safety and soundness, and examiners don’t mess around.  

They will believe your bank when they can see the proof for themselves.  


Just look at what the Office of the Comptroller of the Currency says about regulatory reporting: “Banks should retain work papers and other records used in the preparation of regulatory reports. Work papers should meet the bank’s documentation standards. Preparation of appropriate work papers provides not only a logical tie between report data and the bank’s financial records but also facilitates accurate reporting and verification. Work papers should allow for a proper audit trail…” 

And that’s just for regulatory reports, including call reports. 

Examiners also want to see compliance documentation for change management, ongoing compliance, vendor management, business resiliency and continuity, cybersecurity, fair lending, and many other areas.  

This includes documents such as (but not limited to): 

  • List of key persons, organizational charts, committees, and governance structures  
  • Policies and procedures
  • Board of directors or designated board committee meeting minutes
  • Risk assessments
  • Risk-rated inventory of third-party relationships (and related subcontractors)
  • A listing of each product, process, system, and service supporting critical activities
  • Sample contracts or written agreements with third parties
  • Complaint log, and responses to complaints, related to products, processes, systems, and services
  • Internally prepared reports (e.g., risk reports and incident reports)
  • Internal or external audit reports
  • Quality assurance, monitoring plans, testing plans, and related reports
  • Project plans and timelines
  • Training and awareness activities 

It explains why compliance officers repeat “If it wasn’t documented, it didn’t happen” like a mantra to everyone who will listen. It’s not just a motto. It’s words to bank by. 

What causes poor documentation at banks

Compliance documentation is a headache for many banks. It boils down to four main challenges:

  1. Volume. First, there’s the sheer volume of documents that must be created, collected, tracked, and maintained. When documents are needed, a compliance officer must be able to access the most recent version quickly. It’s a huge lift for any compliance professional.

  2. Collaboration. By now every bank should know that a culture of compliance is a must and that compliance isn’t just the responsibility of the compliance officer. From training to risk assessments to complaint management and test results, employees from different areas of the bank all play a role in completing and documenting compliance activities. There needs to be a way to ensure visibility into compliance activities throughout the bank.

  3. Active maintenance and monitoring. Policies, procedures, and other compliance documentation need to be regularly reviewed and audited to ensure everything is functioning as it should. With so many pieces requiring attention, banks need to quickly determine when documents were last reviewed and which documents will require attention shortly. They also need to know if someone hasn’t completed a necessary task. Documentation also makes it possible for management to demonstrate that repeat issues have been addressed proactively.

  4. Reporting. Examiners expect the board and management to stay on top of important compliance issues. Whether it’s updating the board about compliance challenges or having them sign off on a new policy, it’s important to be able to show the board, management, and examiners exactly what has been done and prove leadership was involved in crafting policies.
 
 
How to fix documentation problems at banks 

Compliance documentation is too important—and too cumbersome—to be managed casually. Many banks rely on centralized compliance management software to solve these challenges.  

These banks make sure their compliance activities are documented so examiners know they happened.

The software makes it easy to find records when examiners request them, showing that your bank is on top of compliance management. It’s also a more efficient and cost-effective approach to compliance and document management, saving hours and hours of work and freeing up employees to focus on big-picture activities.
