The Do’s and Don’ts When Preparing for a Regulatory Exam Part 2


In my last blog, I discussed exam preparation. Now comes the part where I remind banks, and hopefully inform some fintechs, of the more candid aspects of readying for a regulatory exam. The key to each of these items is transparency.
Review the Interagency Examination Procedures and Handbooks
This is an open-book test. The exam scope, questions, request items, and transaction testing exercises should not be a surprise. Are there examination handbooks for BaaS programs or bank-fintech partnerships? No. Are there examination handbooks for payments, deposit products, credit products, and third-party risk management? Yes. Are there examination handbooks for BSA/AML, consumer protection law and regulation, and safety & soundness expectations? Yes. The examination procedures are public intentionally. This isn’t a gotcha game. Be thoughtful and understand where the components of your bank-fintech relationship align with legal and regulatory requirements as well as how the regulators will investigate the program.
Review current public Enforcement Actions and Consent Orders
Understanding the deficiencies and issues identified within similar programs should inform your organization and program. I’m not saying to adjust your program or controls based on an EA for another institution, since we all know that each EA is facts-and-circumstances based, and most regulators are discreet regarding the level of detail provided in the public document. That said, there is still valuable information that can be gleaned from these documents. What were the criticisms or deficiencies noted? Are there similar components within your program? If yes, take some time to review your program to identify any potential gaps or areas that could be “shored up.” Doing so also demonstrates to the regulators that you understand where your program (both bank and fintech) fits within the ecosystem.
Understand that NOTHING is outside of the Examination Scope
Examination scopes are influenced by several factors including previous findings, new laws, regulations and supervisory guidance, new technology and product offering developments, the overall risk profile of the program and its customer base – and yes, examiner experience or expertise. As the regulators become more familiar with bank-fintech relationships, particularly within the community bank portfolio, these program examinations will continue to develop and be more comprehensive. Don’t get caught up with, “But, that product, process, or line of business wasn’t included in the scope of the previous exam.” Or, “But, the examiners didn’t criticize that process during the last exam.” Neither of these is valid “push back” on an exam scope or findings. Understand that no aspect of your program is off the table for review. Also, nothing is “proprietary” or “confidential” (I’m looking at you, fintech folks).
Don’t Play the Deflection Game
As a former regulator, industry consultant, and fintech CRO, if I hear one more time, “X Bank doesn’t require [fill in the blank] or Y Fintech doesn’t prohibit [fill in the blank]” ... I’ll scream! Remember when your parents would say, “I don’t care what Jimmy’s curfew is – this is our house”? Keep that in mind. I could remind folks that most examination findings are not public. But that doesn’t mean that violations or deficiencies were not cited, or program behavior isn’t being influenced. I could remind folks that assumptions should not be made regarding other bank or fintech programs. But I won’t. Why? Because at the end of the day, the examination process is about your organization, your program, your shareholders, your relationship with your sponsor bank, and your responsibilities to your customers and the financial industry.
Communicate and be Transparent with your Regulator
Don’t hide identified issues or concerns. Be honest and transparent. If you found a control gap, program deficiency, violation, or potential consumer harm, say something. Share it with your examiners. Depending on the issue, it is in your organization’s and your customers’ best interest to coordinate with the regulators on appropriate remediation efforts. This communication and transparency also demonstrate that your internal program controls and oversight are working. And, it goes without saying – don’t wait for an upcoming examination for this communication.
During the exam process, respond candidly to questions raised, no matter how painful. Be honest and don’t attempt to obfuscate. If the discussion raises compliance or operational issues that weren’t previously considered, acknowledge them and work with your regulator to address the gaps. Even if it results in the citing of a violation or other findings, hiding issues will not make them go away. And, as noted above, hiding issues doesn’t mean they won’t or can’t be cited by your regulator at a future exam.
Finally, transparent communication with your regulator shouldn’t be limited to identified issues. As you update your program and expand product/service offerings or customer base, there are bound to be “unknowns” that aren’t specifically addressed in current law or regulation. Touching base with your regulator should be commonplace. Before anyone gets worked up thinking that I’m suggesting pre-approval before program development – I’m not. This is an exercise in knowing when to engage the “ask for permission” vs. “ask for forgiveness” directive. Depending on the potential risk impact of the proposed change combined with the “unknown”, it’s good to have a “phone a regulator friend” option.
I hope this gentle (or not so gentle, depending on your perspective) reminder is helpful.
Kimberly Hebb is Co-Founder and Chief Risk Officer at BalancedTrust
