Yesterday the CFPB released the following statement: “CFPB Orders First National Bank of Omaha to Pay $32.25 Million for Illegal Credit Card Practices.” As I read this press release, several things came to mind, and perhaps they came to yours as well. I will break them down into 4 areas. Before I do, let me state how I arrived at the 18% hit to net income: it is derived from the last 4 quarters of net income, beginning June 30, 2015 and ending March 31, 2016, as posted at the US Bank Locations website under ‘Quarterly Net Income’ Historical Data for First National Bank of Omaha. I don’t know whether the bank intends to fund the entire $27.75 million in relief to the roughly 257,000 consumers harmed and the $4.5 million civil money penalty to the CFPB out of net income, but in either case the total represents 18% of their last 12-month rolling net income of $179,612,000.
Compliance
The first area I thought about was, naturally, Compliance. I have no doubt that the bank has a sizeable compliance team. However, simply having a large number of staff responsible for compliance obviously doesn’t mean you will always maintain compliance. In any organization, a systematic and efficient process to track, monitor, assess, remediate and report on compliance will be a huge benefit, even to the smallest of organizations. A system that can be used across the various functional areas of the organization is also a tremendous advantage, since compliance is not reserved for lending and operational functions alone.
Internal Audit
The second thought I had was how the Internal Audit (IA) team at the bank is taking this news. All institutions have some sort of internal audit function, and again I’m sure the bank has a sufficient team in place. The question becomes how effective IA is at determining the compliance risks faced by the institution and working in concert with management to track, monitor, assess and remediate compliance-related findings. IA can also benefit from a systematic process that is easily documented and replicated and that produces the reports needed not only to maintain its independence but also to verify that management is meeting its compliance requirements. Better still is an IA system that interfaces with management’s compliance system to produce quality cross-discipline reporting that ultimately benefits the institution as a whole.
Enterprise Risk Management
The third thought that came to mind was the level of ERM at the bank. With a credit card portfolio as large as theirs, one has to think that an effective risk assessment was completed and monitored at least annually to determine the compliance risks related to the process. In turn, these compliance risks would have been shared with the compliance and IA teams to help them in their specific responsibilities as well. If their ERM software interfaced with their Compliance and IA software, then the chance that one department overlooks a risk is lessened, because the risk may show up in one of the other disciplines. This is the benefit of breaking down the traditional silos that still exist within institutions today and that can be effectively reduced or eliminated with the proper processes and tools.
Risk Appetite and Tolerance
Lastly, I thought surely the bank has all of these functional areas in place and is utilizing its Compliance, IA and ERM departments to their fullest extent. That left me thinking that management’s assessments may have determined that all these risks were well within the bank’s risk appetite and tolerances. That’s not to say that any institution would blatantly disregard regulation, but rather that the costs of complying with and continually monitoring every requirement simply far exceed the institution’s ability to do so. Therefore, a certain amount of risk is built into its appetite and tolerances. This repayment and fine may have exceeded them, but it is possible that at some level the risks were acknowledged and the costs were discussed. If you look at it in terms of the fine alone, $4.5 million, that accounts for only 2.5% of their rolling 12-month net income. What we don’t know is how much reputation damage this will cause and/or how that was factored into their appetite and tolerances.
It goes to show that even the largest institutions are susceptible to missteps that ultimately lead to compliance violations and fines. The reputation damage from this is unknown and may not be quantifiable to the bank anytime soon, if ever, but there will surely be some impact. The case can certainly be made, though, that in the absence of Compliance, IA and ERM working together to help safeguard the institution, the impact would most certainly have been worse. Having processes and systems that integrate your data from these functional disciplines is the key to effectively tracking, monitoring, assessing and remediating compliance issues within your institution. Will it keep you from taking an 18% hit to your net income? I don’t know, but who would want to find out how much worse it could have been?