Bank auditing and compliance management system (CMS) testing (collectively, “testing”) play key roles in identifying existing or potential risks and addressing them early.
That said, testing is only as good as its accuracy, coverage and currency. Failure to keep up to date with external and internal changes weakens the management chain and exposes the bank to heightened risk.
Before getting started with testing, it’s important to ask questions like:
What does your bank’s change management process look like for the testing process?
Who keeps your bank’s testing procedures up to date?
What sources are used?
What is the process for changing and then approving the revised procedures?
Internal or external changes must be managed effectively and a meaningful testing frequency and scope implemented. The change management process should comprise assignments of responsibility, change detection, impact analysis, effective implementation and documentation.
In the realm of testing, internal auditors, compliance officers and external auditors should most likely be held responsible to identify targets for change; however, depending on the size and structure of the organization, others may also be identified.
In the case of external auditors or outsourced testing sources, someone in the bank should also be assigned to oversee that the process is consistent with third-party risk management.
Elements of CMS testing
Responsible stakeholders: Banks should assign responsibility to help identify changes across business and support functions to ensure coverage and identify one overall point of contact (POC) to monitor the entire change process from start to finish.
Detection: Community banks must have means in place to identify potential and confirmed regulatory and business process changes as part of risk-monitoring practices.
Banks need to monitor changes in external laws, policies and regulations. The rise in electronic means to receive regulatory announcements and issuances has greatly increased banks’ ability to receive that information in a timely manner. The federal regulatory agencies, state bodies for governance and most legislative offices offer electronic subscriptions that can be directed to any contacts in the bank.
Internal bank products, processes and practices can change frequently and may not be successfully captured for testing. It’s important that responsible stakeholders across the business communicate regularly with POC(s) in the testing functions to ensure a business decision does not bring unintended regulatory, legal or operational implications.
Unique risks are involved when a bank engages in new or changed activities through a third-party relationship that may be at arm’s length to day-to-day in-house activities. In the case of outsourced bank functions, such as an outside party that processes account statements for the bank, the oversight by bank management must seek to identify any changes to that process early and communicate them in a timely manner. An effective change management program would ensure that a knowledgeable staff member reviews any changes to determine if they require a change to testing. Management should then ensure that appropriate testing staff at all levels updates the parameters to include the elements that have changed.
Research and impact analysis: Each change should be evaluated for the impact on the bank’s policies and procedures, software, vendors and internal controls. What aspects of testing will be affected by the change(s) or what additional testing will be required to capture elements of the change(s)? Is more frequent testing needed and is an initial test of the changes prudent to ensure there are no unintended consequences?
Implement testing changes: Testing procedures, timing and documentation need to be adjusted to properly evaluate new or modified operational systems, processes and technology. As with other aspects of change management, the revisions to testing procedures should be annotated to catalogue and track the history of testing processes. Testing should assess whether the activities meet operational and strategic expectations and legal requirements, are within the bank’s risk appetite, and measure the effectiveness of operational controls and safeguards.
Taking stock of changes
What changes have been made or need to be made to your bank’s testing process to capture recent regulatory changes? For instance, does it cover:
Recent heightened supervision regarding ‘surprise’ overdraft fees, including unanticipated overdraft fee assessment practices?
Guidance issued by the FDIC and OCC regarding risks associated with assessing multiple nonsufficient funds (NSF) fees arising from the re-presentment of the same unpaid transaction?
The FDIC final rule to increase initial base deposit insurance assessment rates by 2 basis points? The revised rate schedules were effective Jan. 1, 2023, and applicable to the first quarterly assessment period of 2023 with an invoice payment date of June 30, 2023.
Apart from external rule changes, what changes have been made or need to be made to your bank’s testing process to capture recent changes, such as a new product or service or changes to existing products or services? Whether the source of changes occur internally or externally, community banks must employ change management methods to test the accuracy, coverage and currency of their implementation.