Money is central to how modern societies and economies operate. Within a bank, the management of clients’ money and the bank’s own finances are interconnected: mismanagement of one can spell disaster for the other. That’s why banks are subject to such strict industry regulations.
It takes a lot of work to become compliant when starting a bank, not to mention maintaining compliance throughout the bank’s lifecycle due to constantly-changing regulations. That’s why we’ve devised this banking regulatory compliance checklist to break down some of the core elements that go into meeting legal and regulatory requirements for running a bank.
We’ll start our bank compliance checklist with the essentials a bank needs to get off the ground.
From a regulatory perspective, starting a bank requires two things. First, it requires trust from regulators that a bank has both the intention and capacity to act in accordance with its obligations. Second, it requires cooperation with regulators to ensure the bank is actually following the rules in practice.
- Obtain proper licensing: Because of the banking industry’s importance to economies and societies as a whole, operating in it requires special licensing. Licensing differs between countries, and in some cases even between jurisdictions within a country. In general, though, it involves assessing whether a bank is capable of—and intent on—being managed and operated according to regulations, including maintaining its financial integrity.
- Register with a regulatory agency for supervision: Just because a bank is judged to be willing and able to comply with regulations doesn’t mean it necessarily will. That’s why a bank also needs to register with one or more government regulatory agencies, such as a central bank (like the Federal Reserve System in the US). These bodies monitor reports—and, when necessary, conduct in-person audits—to ensure the bank is adhering to guidelines for record-keeping and other operations.
Following banking regulations in practice requires a bank to put together a plan for how it will be achieved. It needs to consider what threats the bank is trying to defend against, who’s responsible for the safeguards, and what they need to do.
- Perform a risk assessment: In order to keep a bank running smoothly, its managers need to know how, where, and how likely things could go wrong. They need to evaluate a bank’s inherent and operational risks and decide which ones should be avoided, mitigated through controls, delegated to third parties, or accepted with sufficient justification.
- Get buy-in and guidance from executives and management: Compliance starts at the top. Executives and managers are often blamed for a bank’s failings, so it’s in their interest to be as involved in the compliance process as possible. That includes clearly outlining the bank’s corporate governance system: who is responsible for overseeing which employees and tasks—in this case, for carrying out the bank’s compliance program.
- Establish clear policies and procedures for team members to follow: Bank employees should understand what’s expected of them—and what to expect—in their roles. Management should establish good working relationships with employees to help them comprehend what they need to do for compliance, and why. This should include a feedback loop that lets employees ask questions if they need clarification.
- Write out these policies and make them accessible to team members: A bank’s compliance policies should be spelled out and put in a place where they are easily accessible. This serves two purposes. The first is to reduce the chance that an employee violates them by simply not knowing what they are. The second is to be transparent with auditors and regulators about how the bank is practically carrying out its compliance program.
Since banks are money services businesses, they need to have their own funds as a backup in case money is mismanaged—either by the bank itself or its clients. This also includes insurance so the bank can fulfill its obligations to clients in the worst-case scenario of a failure.
- Meet capital and reserve requirements: A bank must maintain a certain percentage of its equity as liquid assets in order to guard against operating and investment losses, as well as the risk of customers defaulting. It must also maintain a certain level of its assets as cash, to be able to honor withdrawals by depositors.
- Obtain adequate deposit insurance: A bank also has to protect its customers’ assets with deposit insurance. This reimburses clients for a portion of their money should the bank fail. In the US, banks must register with the Federal Deposit Insurance Corporation (FDIC) and provide up to $250,000 worth of insurance for each customer.
As banks are responsible for safeguarding other people’s money, they need to be transparent with how their own finances look. That includes making periodic reports and safeguarding the independent integrity of those reports. It also involves disclosing how risky a bank is to do business with and working to keep this risk low by avoiding overly-risky investments.
- Disclose bank finances through financial statements: A bank must submit periodic financial reports to regulatory agencies such as the US Securities and Exchange Commission (SEC). Laws such as the Sarbanes-Oxley Act outline the specific requirements of these reports, including management and a public accounting firm evaluating the independence of the bank’s financial reporting operations.
- Obtain a credit rating and disclose it to investors: A bank should also obtain a credit rating from an approved agency, and let both investors and customers (current and prospective) know what it is. The rating gives a general indication of how often the bank makes risky moves, and how often it succeeds in those ventures. This, in turn, lets investors and customers judge how risky it is to do business with that bank relative to others.
- Restrict disproportionate exposure to high-risk investments: Another of a bank’s obligations should be to use indicators like credit ratings as guides for avoiding overly risky investments. As with capital and reserve requirements, this may involve a ratio of potential risk relative to a bank’s equity and/or assets. This helps to avoid needless losses that could put the bank in jeopardy of failing.
In the high-speed internet era, actions happen—and information moves—faster than ever. That’s why it’s critical that banks take the necessary steps to safeguard client data from falling into the wrong hands. It’s also why banks need to make customers aware of stipulations around buying the bank’s products and services—so clients know the pros and cons of each option before choosing one.
- Protect customers’ financial information: As money is virtually a societal necessity, clients’ financial credentials must be guarded with the utmost care. Thefts and leaks can not only ruin individuals financially but can also undermine trust in a bank and even an entire financial system.
- Use clear messaging for financial products, including interest rates and fees: The Truth in Savings Act requires banks to plainly spell out terms and conditions associated with opening accounts or purchasing other financial products. These include interest rates, as well as any fees for maintaining or taking action on accounts or other instruments. This helps to promote financial stability by allowing bank customers to make informed decisions about their money.
- Follow limits on check holds: The Expedited Funds Availability Act restricts how long banks can hold deposited checks for investigation, or because of other potentially suspicious financial activity by a client. It also requires the bank to inform customers of its check hold policies. A bank with an efficient FRAML (combined fraud and anti-money-laundering) system can keep check holds short to retain customer satisfaction, while still having adequate time to investigate suspicious activity.
Money laundering and terrorist financing are serious financial crimes that can threaten the integrity of entire financial systems, and even people’s lives and livelihoods. That’s why banks have to do their part to be on guard against these offenses and prevent them from happening.
- Develop an AML program as part of your banking regulatory compliance framework: In the US, the Bank Secrecy Act outlines five fundamentals for creating an effective system against money laundering at a bank. These are: selecting a specialized officer to oversee AML efforts; implementing procedural controls inside the bank to avoid non-compliance and leaks; establishing organization-wide compliance training programs; conducting independent audits; and investigating clients for signs of risk or suspicious activity.
- Perform customer due diligence: Customer due diligence is the process of verifying a client’s identity (i.e. they’re a real person truthfully representing themselves and/or a real company) and assessing their background for signs of risk. This can include their financial situation, political position, media coverage, criminal history (if they have one), and overall transaction patterns.
- Perform enhanced due diligence: If customer due diligence determines a client is sufficiently risky (or meets certain risk criteria), a bank needs to be prepared to conduct enhanced due diligence. This can include looking deeper into the customer’s financial activity or relationships with other entities for anything suspicious. It may even necessitate visiting the individual or company in person to check if they or their credentials actually exist.
- Perform sanctions screening: Part of customer due diligence is to check for an entity’s presence on sanctions lists or other financial regulatory lists. These indicate individuals, groups, or jurisdictions that either have insufficient compliance regimes or are being penalized by regulators for dangerous activity. Banks need to be aware that dealing with these entities comes with a higher degree of risk, or may be outright illegal.
- Monitor transactions and other customer activity: Due diligence allows for estimating the risk that a particular customer will commit financial crime. But actual proof requires looking directly at customer activity for oddities and suspicious patterns. High-risk clients may stay on the straight and narrow, while those who initially flew under the radar may turn out to be bad actors.
- Submit suspicious activity reports (SARs): If a bank has sufficient reason to believe a transaction or pattern of activity is out of the ordinary—at least for a specific customer—it needs to file a suspicious activity report with the proper authorities (such as the Financial Crimes Enforcement Network, or FinCEN, in the US). Doing so promptly helps authorities investigate cases more quickly, including stopping malicious actors and making other financial institutions (FIs) aware of the risk. It also helps a bank avoid regulatory penalties.
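The sanctions-screening and transaction-monitoring steps above are the two points in the AML list where a bank runs detection logic rather than a policy, so here is an added example (not code from Unit21 or from any regulator) showing the shape of both: a name-normalizing screen against a sanctions list, and two simple per-customer monitoring rules whose hits become candidates for analyst review before any SAR decision. The sanctions list, customer names, ledger rows, and every threshold below are constructed for illustration and are not real list entries or regulatory limits.

```python
"""Added illustration of sanctions screening and rule-based transaction
monitoring. All names, list entries, ledger rows and thresholds are
constructed for this example; none come from a real list or regulation."""
from collections import defaultdict
from datetime import datetime, timedelta
import re
import unicodedata

# Constructed sanctions list (fictional entries, not a real list).
SANCTIONS_LIST = ["ACME Holdings, Ltd.", "John Q. Sample"]

# Constructed ledger rows: (customer id, ISO timestamp, amount, channel).
TX_LOG = [
    ("C001", "2024-03-01T09:00", 120.0, "card"),
    ("C001", "2024-03-02T10:00", 95.0, "card"),
    ("C001", "2024-03-03T11:00", 110.0, "card"),
    ("C001", "2024-03-04T12:00", 2400.0, "wire"),  # far above this customer's baseline
    ("C002", "2024-03-05T09:10", 4000.0, "cash"),
    ("C002", "2024-03-05T13:40", 3800.0, "cash"),
    ("C002", "2024-03-05T17:55", 3900.0, "cash"),  # three deposits in one day
]


def normalize_name(name: str) -> str:
    """Fold accents and case, strip punctuation and collapse whitespace so
    that trivially different spellings of one name compare equal."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    folded = re.sub(r"[^a-z0-9 ]", " ", folded.lower())
    return " ".join(folded.split())


def screen_name(name: str, sanctions=SANCTIONS_LIST, min_score: float = 0.75):
    """Return (best_score, matched_entry) using token-set Jaccard similarity
    between the normalized customer name and each normalized list entry.
    A score at or above min_score is treated as a hit needing human review."""
    tokens = set(normalize_name(name).split())
    best_score, best_entry = 0.0, None
    for entry in sanctions:
        entry_tokens = set(normalize_name(entry).split())
        score = len(tokens & entry_tokens) / len(tokens | entry_tokens)
        if score > best_score:
            best_score, best_entry = score, entry
    return best_score, (best_entry if best_score >= min_score else None)


def monitor_transactions(log=TX_LOG, deviation_factor: float = 5.0,
                         window_hours: int = 24, velocity_threshold: float = 10_000.0):
    """Replay the ledger in time order and emit alerts from two rules:
    - deviation: amount exceeds deviation_factor times the customer's mean of
      at least three prior transactions;
    - velocity: three or more transactions inside window_hours whose total
      reaches velocity_threshold while each one individually stays below it.
    Alerts are (customer, timestamp, rule, value) and are review candidates,
    not SAR decisions."""
    alerts = []
    history = defaultdict(list)  # customer -> [(datetime, amount), ...]
    for cust, ts, amount, _channel in sorted(log, key=lambda row: row[1]):
        when = datetime.fromisoformat(ts)
        prior = history[cust]
        if len(prior) >= 3:
            baseline = sum(a for _, a in prior) / len(prior)
            if amount > deviation_factor * baseline:
                alerts.append((cust, ts, "deviation", round(amount / baseline, 1)))
        recent = [(t, a) for t, a in prior if when - t <= timedelta(hours=window_hours)]
        recent.append((when, amount))
        total = sum(a for _, a in recent)
        if (len(recent) >= 3 and total >= velocity_threshold
                and all(a < velocity_threshold for _, a in recent)):
            alerts.append((cust, ts, "velocity", round(total, 2)))
        prior.append((when, amount))
    return alerts


if __name__ == "__main__":
    for candidate in ["Acme Holdings Ltd", "Acme Holdings Limited", "Jane Doe"]:
        print(candidate, "->", screen_name(candidate))
    for alert in monitor_transactions():
        print("ALERT", alert)
```

The screening function deliberately returns a score rather than a yes/no: "Acme Holdings Ltd" scores 1.0 against the constructed entry, while "Acme Holdings Limited" scores only 0.5, which shows why production screening uses richer matching (aliases, transliteration, identifiers) and routes borderline scores to an analyst instead of silently clearing them. The monitoring rules are likewise a starting point; the point to keep is that each alert carries the customer, the time, the rule that fired and the measured value, which is exactly the evidence a SAR narrative needs.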
External threats to a bank are often made possible by internal lapses, or intentional bad actors inside the bank. So it’s important for a bank to establish proper compliance procedures, and to periodically check how well those procedures are being followed and are working overall.
- Establish internal controls for team members to follow: A bank needs to set certain rules and restrictions for how it operates. The goal should be to avoid putting employees in situations where they create unnecessary risk, such as delegating too many responsibilities (especially related to accounting) to a single employee. A bank should also have procedures in place if an incident happens so employees can identify it, correct it, and limit the damage it causes.
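The point about not delegating too many responsibilities to one employee is a segregation-of-duties control, and it can be checked mechanically against the bank's role assignments. The following is an added example (not Unit21's code and not any bank's real role model): a constructed role-to-permission map, a constructed list of permission pairs that must never sit with one person, and two checks, one that audits current assignments and one that blocks a new role grant before it creates a conflict.

```python
"""Added illustration of a segregation-of-duties (SoD) check over role
assignments. Roles, permissions, users and conflict pairs are constructed
for this example and do not describe any real institution."""

# Constructed pairs of permissions that must never be held by one person.
CONFLICTS = {
    ("payment.initiate", "payment.approve"),
    ("ledger.post", "ledger.reconcile"),
    ("vendor.create", "vendor.pay"),
}

# Constructed role -> permission map.
ROLES = {
    "teller": {"payment.initiate"},
    "supervisor": {"payment.approve"},
    "bookkeeper": {"ledger.post"},
    "controller": {"ledger.reconcile", "vendor.pay"},
    "procurement": {"vendor.create"},
}

# Constructed user -> roles assignments, two of them deliberately toxic.
ASSIGNMENTS = {
    "alice": {"teller"},
    "bob": {"teller", "supervisor"},          # can both initiate and approve payments
    "carol": {"procurement", "controller"},   # can both create a vendor and pay it
    "dave": {"bookkeeper"},
}


def effective_permissions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in assignments.get(user, ()):
        perms |= roles.get(role, set())
    return perms


def sod_violations(assignments=ASSIGNMENTS, roles=ROLES, conflicts=CONFLICTS):
    """Detective control: list (user, perm_a, perm_b) for every conflicting
    pair a user currently holds. Run this in the internal audit cycle."""
    violations = []
    for user in sorted(assignments):
        perms = effective_permissions(user, assignments, roles)
        for a, b in sorted(conflicts):
            if a in perms and b in perms:
                violations.append((user, a, b))
    return violations


def grant_would_conflict(user, new_role, assignments=ASSIGNMENTS,
                         roles=ROLES, conflicts=CONFLICTS):
    """Preventive control: True if adding new_role to the user would give
    them both halves of any conflicting pair, so the grant should be refused."""
    perms = effective_permissions(user, assignments, roles) | roles.get(new_role, set())
    return any(a in perms and b in perms for a, b in conflicts)


if __name__ == "__main__":
    for violation in sod_violations():
        print("SoD violation:", violation)
    print("alice + supervisor blocked:", grant_would_conflict("alice", "supervisor"))
    print("dave + procurement blocked:", grant_would_conflict("dave", "procurement"))
```

Running the detective check is how an internal audit finds the toxic combinations that accumulate as people change jobs; wiring the preventive check into the access-request workflow is what stops them from being created in the first place. The conflict table is the policy artifact, so it belongs under change control alongside the written procedures the checklist calls for.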
- Conduct internal audits: A bank should also have a department removed from its daily operations to independently evaluate how well internal controls are working. That includes the integrity of the bank’s bookkeeping practices, how well procedures conform to the letter of regulatory obligations, and how closely employees have been following proper protocol.
- Have external audits conducted: Sometimes internal auditing teams are still too close to a bank’s compliance program for a completely objective assessment. That’s why a bank should also have outside auditors to give a second opinion, especially concerning how easy or hard the bank is making it for its own auditors to do their jobs.
Like any other business, a bank may choose to expand or streamline its operations through third parties. But because of the socioeconomic importance of banks, they need to do this with the utmost care.
- Establish a vendor approval and adoption process: A bank should vet vendors in much the same way as it performs Know Your Business (KYB) checks. That includes verifying the business’s location, operating credentials, and beneficial owners. Then the bank should check the backgrounds of the business and all of its beneficial owners for signs of risk (e.g. fake identities, involvement in crime, negative media coverage, or political exposure). Finally, the bank should create an ongoing monitoring framework if it decides to partner with the chosen business.
- Ensure all vendors meet the regulatory requirements of the bank: If third-party vendors are going to work with banks, they should have similar regulatory compliance programs in place. These should include elements such as adequate risk assessment, due diligence, safeguarding customer information, financial accountability, and regular auditing.
Regulatory compliance works best when it’s made part of a bank’s culture. That includes creating and using training materials to instruct and inform employees—both prospective and current—across the bank’s operations on the importance of compliance. It also includes complying with regulations that discourage discriminatory lending practices.
- Develop training and reference materials: Instructional documents should outline the regulatory standards the bank must adhere to, as well as practical steps for meeting them in everyday operations. These documents should be made accessible for training and re-training employees, as well as for auditors to judge the effectiveness of the bank’s compliance efforts.
- Perform training at onboarding and refresh training periodically: It’s critical for a bank to instill the importance of regulatory compliance in its employees right from the get-go. It should instruct new employees on proper compliance procedures, including explaining why they are needed and answering any questions employees may have. The bank should also update and re-run training for all employees periodically, as regulations tend to change fairly frequently.
- Community Reinvestment: The Community Reinvestment Act mandates that banks provide services to all neighborhoods in their communities, including low-income and moderate-income ones. A bank’s consistency in this regard is considered during audits to assess its eligibility for expansion, mergers, or acquisitions. It does not, however, supersede any other requirements for the bank to operate in a safe and sound manner.
Get a Helping Hand from Unit21 in Completing Your FI’s Compliance Checklist
Banking compliance can seem like a lot—as it probably should be for institutions as important as banks. Remember, though, that there are RegTech tools—like Unit21’s Transaction Monitoring and Case Management products—that can automatically execute and manage facets of compliance. This can save a bank a lot of time and money in the long run, in terms of both human resources and penalties for non-compliance.
Book a demo today and let us show you how our solutions can make compliance easier.