Remarks by John D. Hawke, Jr. Comptroller of the Currency Before the ABA Regulatory Compliance Conference Washington, D.C. June 28, 1999 According to the latest report from the U.S. Bureau of Labor Statistics, the nation's fastest-growing occupations today are -- again -- byproducts of the microprocessor. Data base administrators, computer engineers, and systems analysts rank first, second, and third. Of course, not all of our new professions have high-tech roots. For example, back in the 1970s, few financial institutions employed people with the title of "compliance officer." Since then, however, compliance has become a major focus for banks -- and a major responsibility for bank supervisors. That's the result of the proliferation of laws governing banks' relationships with their customers. Truth in Lending, Truth in Savings, Fair Credit Billing, Electronic Funds Transfer, Expedited Funds Availability, and Real Estate Settlement Procedures are examples of the many and complex laws enacted since the 1970s to address consumer concerns. And, for reasons I'll discuss in a minute, I think it's safe to say that these won't be the last laws of their kind. These laws not only have created a demand for your specialized skills. They've also fundamentally altered the nature of the bank examination process and, indeed, of bank supervision itself. At the OCC and the other federal banking agencies, compliance has become, and will remain, a significant component of our mission. There's a paradox here. When the economic history of the United States during the last quarter of the 20th century is written, it will undoubtedly take as one of its main themes the triumph of deregulation in key sectors of the economy. Some regulatory structures erected in earlier times, such as those applying to the airlines and the trucking industry, have been totally dismantled. Others have been appreciably modified. In banking, for example, we've seen the elimination of deposit interest rate ceilings and geographic limits on expansion. At the same time, however, I know of no other industry where the progress toward deregulation has been so largely offset by new regulatory measure. Despite the fact that we have seen some deregulation in banking, I think most bankers would agree that the hand of government has, if anything, become progressively heavier. Why are compliance issues so prominent today? Why has banking been subjected to such a profusion of regulatory legislation when deregulation has triumphed nearly everywhere else? And, looking to the future, what can we do -- you as compliance specialists and we as bank supervisors -- to turn compliance functions and controls into positive enhancements to banks in their quest for safety, soundness, customer service, and competitiveness? Of course, there would have been no consumer protection laws if consumers of financial services hadn't been able to make a persuasive case that they were needed. Although never involving more than a small minority of financial providers, market abuses have not been uncommon. Too often over the years, bankers and their trade associations have passed up opportunities to address these abuses through their own codes of conduct or self-regulatory mechanisms. That's left Congress with very little choice but to adopt legislation to address consumers' concerns. A related factor has been the vastly increased empowerment of consumers over the last three or four decades. "Consumerism" has become a movement of formidable proportions, as consumer advocacy groups have grown in experience and sophistication, and have become more adept at using the political process to redress consumer grievances. Consumers have learned that through concerted action they can bring about change, not only in laws and regulations, but in the marketplace, as well. It's a simple but profound fact that, in conducting the business of banking, financial institutions touch the lives of their customers in ways that no other business does. Banks serve as a repository for savings, as a means of making payments, as a source of financing for cars, homes, education, and the myriad durable goods essential to our modern quality of life. But more than that, they are the custodians of people's money and the bearers of their trust. When that special relationship breaks down -- when customers feel that their trust has been betrayed -- they tend to react passionately and volubly. Was is inevitable, one might ask, that these laws -- and the burdens to which they have given rise -- should have multiplied so fast? In one sense, that question was answered when Congress chose regulation as the method for correcting abuses in the banking system. Compare, for example, the system of bank compliance regulation with the means chosen to protect competition in the marketplace. Our nation's antitrust laws empower the Department of Justice and the Federal Trade Commission to initiate enforcement actions, and they created private rights of action for injunctive relief and damages. But they generally leave the responsibility for interpreting and applying the law to the federal courts, rather than to a regulatory agency. As a consequence, while corporate America has clearly understood the need to comply with the antitrust laws -- and the consequences of noncompliance -- it has not had to deal with voluminous regulations in the process. In the area of depository institutions, however, Congress has repeatedly and unfailingly chosen a regulatory remedy. It has enacted corrective laws, and vested in one or more of the banking agencies the responsibility for writing rules to implement the mandate, with the expectation that the rules will be enforced through regular examinations. As you know well, the banking agencies have been diligent over the years in using the examination process to carry out the intent of Congress. At regular intervals, banks are visited by compliance examiners whose job it is to assure that you are doing your job. To put a somewhat different perspective on it, Congress is likely to choose a regulatory remedy in the area of banking because banks are already subject to formal regulation. One might argue that the existence of the bank examination process has been an invitation to add additional tasks to those already performed by examiners. And Congress has repeatedly made clear that it intends that process to be used to ensure compliance. There are at least three important implications of this history. First, bankers are much more likely to be subject to new regulatory legislation than their nonbank, nonsupervised competitors. Insurance companies and securities firms -- while subject to their own regulatory schemes, to be sure -- are not subject to routine examination in the manner of banks. The government's scrutiny of finance companies and mortgage companies is even less comprehensive and exacting. It seems certain that future statutory consumer protection measures -- privacy is a likely subject -- will again have a much heavier impact on banks than nonbanks. Second, Congress's choice of remedy has significantly altered the nature of bank examination. To be sure, safety and soundness is still the major focus of the examination process. But today, safety and soundness examiners are accompanied by highly skilled and well trained compliance examiners, whose task it is to assure that banks are fulfilling their responsibilities under the various consumer protection laws. Third, history suggests that your role as bank compliance officers is likely to become even more important as time goes on. In short, you're in no imminent danger of working yourselves out of your jobs. Banks operate today in a fishbowl, and their compliance is closely and continuously monitored -- by the regulatory agencies, the banking public, the investing community, and elected officials. In this environment, there's a growing recognition that compliance slip-ups can be every bit as harmful to a bank's long- and short-term prospects as mismanaged credit risk. Time and again, we've seen what the consequences of inattention to compliance requirements can be: lawsuits, social stigma, reputational damage, and lost customers. Given what it costs to replace a customer these days, financial institutions may incur a heavy price indeed if they fail to take their compliance obligations seriously enough. The multiplication of consumer protection laws has raised challenges for us as regulators, too. We, too, have had to learn to work smarter; to manage our compliance resources more efficiently; and to maintain the proper balance between compliance examinations and all the other activities we conduct to maintain a safe and sound banking system. To do that, we have taken a page from our own approach to safety and soundness supervision. Since the 1980s, the OCC has been targeting its supervisory resources to those institutions and banking activities that seemed to pose the greatest systemic risk. While all national banks continued to receive supervisory attention, they no longer receive the equal attention implicit in a calendar-driven examination schedule. Today, the OCC supervises non-complex community banks very differently than its population of megabanks -- exactly as logic would dictate. When our formal compliance program was launched in 1987, the OCC adopted what amounted to a "one size fits" all approach to compliance examinations. Our original procedures were designed to test the effectiveness of banks' compliance systems irrespective of asset size. But the growing number and complexity of consumer and community protection laws forced some hard choices on us -- just as they have on the banks we supervise. And so, in 1995, we modified our program to take account of the different ways that community and large banks control compliance risk. Community banks -- those with total assets of $250 million or less -- generally have less formal compliance mechanisms in place; so, for those banks, we take a transaction-based approach, focussing on the results of operations rather than the methods used to achieve them. The results of this transaction testing enables examiners to derive conclusions about the quality of an institution's compliance risk management, and take appropriate follow-up action. By contrast, compliance examinations of our large banks -- with $1 billion or more in total assets -- are process-driven. Our examiners evaluate the bank's compliance management systems, selectively drill down to make sure systems are working as intended, and make recommendations for improvements where these systems are found wanting. For banks between $250 million and $1 billion in assets, examiners themselves make the determination as to which of the two approaches to take, based on, among other things, the complexity of the bank's structure and its history of compliance management. \ This risk-focussed approach to compliance continues to undergo expansion and refinement. Last year, the OCC launched a pilot program targeting high-risk national banks for more intensive Bank Secrecy Act examinations, including extensive transaction testing by a cross-functional team of BSA specialists. The banks selected for this more intensive scrutiny included a number of institutions already under suspicion with law enforcement agencies. To that pool was added four other banks, one each from the nation's four most active drug trafficking areas. Three of the four were found to have serious BSA deficiencies, which led to corrective action. Next year, we plan to expand this program to include banks from each of the Justice Department's 21 High Intensity Drug Trafficking Areas. Expanding this targeted approach to other compliance areas requires that we first identify the relevant risk factors. That work is already underway. For example, in the future, we might target fair lending exams to institutions displaying particular risk factors: significant management turnover, or a large number of consumer complaints; where loan officers have unusual discretion in underwriting and pricing; or where there are conspicuous gaps in geographic lending patterns on the basis of race or ethnicity. As it's fleshed out in the coming months, this risk-based approach promises to reduce regulatory burden on banks that are meeting their compliance responsibilities and to help us better identify -- and correct -- deficiencies at those institutions that are falling short. I believe that this approach to compliance management is the wave of the future -- for the industry as well as for regulators. Bank compliance officers have a lot to offer their institutions beyond the scope of existing laws and regulations. They should be considered members of the bank's total risk management team. In my experience, the most successful financial institutions are those in which a culture of compliance is embedded in the institution. By that I mean an atmosphere in which employees up and down the organization not only understand the specific provisions of the law as they apply to their own functions, but where they have internalized the spirit of the law, as well. That calls for a conservative approach to customer relations even in those areas where no specific regulatory guidelines currently exist. Most importantly, it means anticipating the kinds of problems that can lead to new compliance requirements if they're not corrected first. If all banks were to adopt this kind of cross-functional, pro-active approach to compliance, the industry might finally win real regulatory relief -- from both existing and future requirements. So the next time your boss asks you to sit down and review your performance goals, I suggest that you propose to add the following line to your job description: "works to inculcate a compliance consciousness throughout the organization." And when you're asked how you propose to accomplish that, emphasize the importance of having a voice in the process of designing new products and marketing strategies. Do that, and you'll be making a major contribution to the safety, soundness, and competitiveness of your institution. Our ability to adopt the risk-based approach to compliance I have just described depends on the extent of the industry's success in meeting its own compliance obligations. The better you do in upholding the letter and spirit of these laws -- and making new laws unnecessary -- the less that we in government will have to do.