Measuring compliance risk protects your institution from financial, legal, and reputational damage. When you know how much compliance risk exists, you can decide if you are comfortable with that risk or need to adjust internal controls to mitigate it. This is true whether you’re quantifying risk for the first time or monitoring for changes to your risk exposure.
Quantifying risk isn’t optional. If you wait until external auditors or examiners uncover issues, it’s already too late.
Institutions need a firm grasp of their Key Compliance Indicators (KCIs).
Table of Contents
What are KCIs?
Compliance key performance indicators
Compliance key risk indicators
The importance of measuring KCIs
Examples of KCIs
Technology solutions for managing compliance
What are KCIs?
KCIs are benchmarks that measure compliance and forecast risk. They enable banks, credit unions, and other financial institutions to grow sustainably by identifying potential issues and ensuring adherence to laws and regulations.
Using KCIs is about more than avoiding regulatory trouble. When institutions track KCIs, they make better business decisions, improve operational efficiencies, and enhance the consumer experience.
Like the more familiar Key Performance Indicators (KPIs) or Key Risk Indicators (KRIs), financial institutions (FIs) can leverage the intelligence gathered from KCIs to strengthen strategic initiatives and boost profitability.
Compliance Key Performance Indicators
FIs use KPIs to evaluate their effectiveness in achieving strategic objectives. Compliance KPIs quantify an FI’s compliance risk so they can determine how much risk is acceptable to meet business goals and if they are falling within those thresholds.
Every FI must decide if the compliance risk of an undertaking is worth the reward.
Compliance Key Risk Indicators
Compliance key risk indicators help financial institutions decide when to take corrective action – before a compliance review or exam reveals an issue. FIs set their compliance thresholds measured with compliance KRIs and monitor them so they know when there’s a material change in compliance risk.
When does a change in a compliance KRI justify a response? How much compliance risk are you willing to assume? FIs should consider their risk appetite, regulatory requirements, industry standards, and other factors when setting compliance risk targets. Some compliance issues will require a more urgent response than others. Merging your KCIs with KRIs enables you to create a holistic control environment for realizing performance objectives.
The importance of measuring KCIs
KCIs identify compliance risks before they become a problem requiring immediate remediation. They are essential when regulatory burdens grow, and bankers must continually assess compliance systems and staff.
Early identification of compliance risk lets FIs:
KCIs identify compliance risks before they become a problem requiring immediate remediation. They are essential when regulatory burdens grow, and bankers must continually assess compliance systems and staff.
Early identification of compliance risk lets FIs:
Meet regulatory expectations: Times of regulatory uncertainty call for FIs to pay closer attention to compliance laws and guidance.
Manage strategic goals: Understanding the regulatory risks of a new product launch or the expansion of banking services ensures that business decisions align with compliance requirements.
Protect against financial loss: Financial losses may arise from penalties and fines, legal actions, or a loss of consumer confidence.
Enhance operational efficiencies: Recognizing compliance weaknesses empowers FIs to streamline processes, improve controls, and reduce the likelihood of failure.
When used correctly, KCIs proactively address compliance risk, saving your FI from expensive remediation efforts.
Examples of KCIs
Given our understanding of what KCIs are and why FIs need them, let’s examine some your institution should measure.
1. Consumer Complaints – Consumers may feel that their complaints disappear into the void, but regulators vehemently disagree. The CFPB has referred to consumer complaints as their regulatory “lifeblood” because they offer agencies direct access to potential compliance violations.
So, how does your FI track consumer complaints? Should you simply count the number of complaints and call it a day? Absolutely not. FIs require metrics to track complaints by branch location and product or service. Adequately addressing consumer complaints means knowing why consumers are dissatisfied – not simply that consumers are dissatisfied.
You must also define a timeline for resolving complaints as an internal policy and by regulatory expectations. The CFPB expects responses to consumer complaints in their system in 15 calendar days.
Consumer complaint KCIs can include:
- Number of complaints per location/product/service
- Response time
- Resolution time
- Demographics of complainants
- Customer satisfaction (such as NPS scores)
Related: 5 Factors Your Consumer Complaint Management Program Needs to Succeed
2. Findings Resolution – When your FI uncovers a compliance issue – either during an internal compliance review, external audit, or exam – how quickly is the problem resolved? Did you identify the root cause of the issue?
FIs must pinpoint the underlying causes of their compliance issues rather than addressing the symptoms. When your findings uncover the same compliance problem repeatedly, this indicates that you’re failing to identify the root cause. Findings management is about taking corrective actions that prevent future compliance issues – don’t just patch the tire, change it.
Findings KCIs include:
- Number of findings (fewer isn’t necessarily better – there is always something wrong)
- Number of repeat findings
- Resolution time
- Past enforcement actions (Memorandums of Understanding, agreements to take corrective action with regulators, and other informal enforcement actions – remember that informal enforcement actions are still enforcement actions)
3. Compliance Training – Equip your employees with the tools to comply with applicable regulations and laws. Compliance training should be an institution-wide effort, with training based on employee responsibility and job function.
Some KCIs to consider:
- Frequency of employee training
- Completion rates
- Assessments of training effectiveness
- Number of new vs. existing regulation training
Related: 9 Fair Lending Compliance Training Essentials
4. Third-Party Compliance Monitoring – The recent Interagency Guidance of Third-Party Relationships: Risk Management clarifies that banks are responsible for their vendors.
Third-party KCIs include:
- Number of critical or high-risk subcontractors
- Vendor consumer complaints
- Past legal or regulatory enforcement actions
- Number of foreign-based subcontractors
5. Regulatory Change Management Indicators – This KCI seems especially pertinent given the regulations coming down in 2024. How smoothly regulatory changes are implemented in your policy and reflected in updated training materials and system updates is critical.
FIs should examine:
- Frequency of policy/procedure review and updates
- Reports to Board and management
- Implementation time
- Deadlines missed
Related: What is Regulatory Change Management at Financial Institutions?
6. HMDA and CRA Reporting – Does the information in your LOS match the data submitted in LAR? Financial institutions should scrub HMDA data and resolve any reporting errors long before submitting it to the CFPB.
KCIs can include:
- Number of inaccuracies in reportable data
- Frequency of demographic “information-not-provided" (Did applicants not provide the data or did your lenders fail to collect it?)
- Missed filing deadlines
7. Number of Exceptions – Giving special treatment to select loan applicants may result in fair lending violations.
Some KCIs to monitor:
- Frequency of exceptions
- Failure to report reason codes
- Number of personnel documenting the exception (The larger the exception, the more signoffs you’ll need)
- Number of exceptions offered by indirect lenders
Related: 6 Tips for Managing Exceptions and Lowering Your Fair Lending Risk
8. Fair Lending/Fair Banking Access – FIs must ensure that banking services are available to all consumers in their facility-based assessment area.
KCIs for fair lending/banking access can include:
- Different pricing of loan products to prohibited basis groups (You can isolate for factors such as race, ethnicity, age, and gender with a regression analysis)
- Volume of loan applications, originations, and rejection rates in majority-minority and LMI census tracts
- Branch location, hours, and availability of services in majority-minority and LMI neighborhoods
- Number of loan officers assigned to majority-minority and LMI tracts
- High-priced loan spreads (May be indicative of predatory lending from the perspective of regulators)
9. Marketing Materials – Marketing to some groups and not others can cause disparities. This is true for both traditional print and online advertising. Targeting specific demographic groups can violate ECOA protections.
FIs must monitor their marketing program to ensure mailings to specific zip codes, imagery and language used, and online algorithms and geographic filters do not create a disparate impact.
KCIs to pay attention to include:
- Distribution rates of marketing materials in high-income v. low-income neighborhoods
- Advertising materials for non-English speaking consumers
- Representation of diverse groups in marketing collateral
Technology solutions for managing compliance
Given the number of KCIs financial institutions must measure, relying on manual processes simply doesn’t make sense. The stakes for failing to comply with regulations and laws are too high.
Enterprise-level compliance management software gives banks, credit unions, and lenders a sophisticated toolkit for compliance governance, policy, and regulatory change management.
Waiting until an external auditor or examiner identifies compliance deficiencies puts your institution at a terrible disadvantage. When this occurs, your FI will scramble to correct costly compliance mistakes that could have been managed earlier at a fraction of the price.
With compliance risk categories tailored to your specific institution, daily regulatory updates, and streamlined tracking software, embracing compliance management technology enables you to devote more time to growing your institution.
Check Out Our Whitepaper: Compliance Review Roadmap for Financial Institutions
Subscribe to the Nsight Blog
Share this
How to Build a Strong Fair Lending & Redlining Compliance Management System
What Is Compliance Risk Management?
