Community banks are wasting money on compliance. They are spending more than ever, hiring additional risk officers, internal auditors, compliance officers, vendors and consultants. They are checking every box and fulfilling every mandate. And they are doing it all wrong.
A recent study by the supervision division at the Federal Reserve Bank of St. Louis found that spending more on compliance isn’t leading to higher regulatory ratings for the smallest community banks. It isn’t elevating the bank’s regulatory management scores, or positioning banks for success.
That’s because having a compliance mindset is a recipe for mediocrity, no matter the size of the bank. The banks that will earn the most leeway with regulators—and maximize value for shareholders—will naturally implement and utilize the tools and processes that are a prerequisite for compliance as a critical function of their strategic and capital planning processes.
When that happens, compliance becomes a mere afterthought; something that is more icing on a cake that doesn’t need icing to begin with. This type of approach is actually easy to execute. You don’t need expensive, overrated and highly misleading black-box models and software. You don’t need an entire department dedicated toward enterprise risk management.
What you do need is a cultural mindset, which starts with the CEO and the board of directors. They must change the outlook in the bank so that risk management tools are used to play offense, not defense. These proactive and forward-looking tools enable the team to see problems before they materialize. The CEO can then position the bank to gain a competitive edge, while its competitors (from both an operational and capital markets perspective) get blindsided.
I participated in a recent regulatory panel with the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. The topic was how best to manage commercial real estate concentrations. Part of the discussion revolved around the role of stress testing, which can be critical to showing examiners that a bank has enough capital to handle a risky portfolio.
Stress testing is a great tool for the job, but it’s a tool, not the job. Banks that simply submit stress tests to regulators as evidence that they can manage a loan portfolio aren’t going to get what they want.
Instead of viewing stress tests as an end game, bank CEOs need to think of them as tools to provide insights. Reports must be discussed at the board level and understood by the highest levels of management. And then the bank must adjust its strategy if the tests show a potential problem. This lesson applies to much more than concentrations. The results of adequate stress testing offer a strategic guide to capital planning, M&A and more.
The trick to compliance is to not treat it as a compliance exercise. It must be an integral part of strategic planning. A CEO cannot give a stress test to the chief risk officer and say, “Make the problem go away.” CEOs must look at the results, understand them and use them to adjust their strategic thinking. If organic growth is not working, the proper analytics can guide the executive team’s strategic course toward a merger or acquisition.
A funny thing happened when I began talking about this compliance mindset on the recent regulatory panel. The regulators nodded their heads in agreement.