Regulatory Exam Readiness: Where to Start?

Posted on Sep 29, 2016 2:15pm PDT

As a firm that has completed many OCC and CFPB compliance consulting engagements, we are often asked by clients, “We have an upcoming exam and are not sure where to start – what do we do?” There are certainly some common standards but our answer often varies by client based on a number of factors that must be considered before planning readiness activities. These factors include:

  • Who is the examiner (e.g. CFPB, OCC)?
  • What functions (if known) are being reviewed during the exam?
  • What is the context for the exam (the first exam conducted or the fourth)?
  • What is the maturity of the individual client’s Risk and Control infrastructure?

We often pose these questions before beginning to construct an exam readiness plan. However, while the most logical starting point always varies, there are several steps that can be taken to best prepare. Start by identifying a set of high-risk functions that are likely to be the focus areas of the exam, and comparing the current state against known regulatory expectations for compliance and control.

Identifying high-risk functions is an essential first step as it will guide all readiness activities. When an organization becomes aware of an upcoming exam, there often just isn’t time to check, double-check, and triple-check every last process – so prioritization is a must. In addition to any exam materials or bulletins made available by the respective examiner, the activities listed below enable an organization to identify an initial list of functions on which to focus its readiness efforts.

[Figure: four rows of information covering (1) regulatory applicability and where to start, (2) complaints analysis, (3) enforcement action review, and (4) internal audit or regulatory exam re-examination.]

Once complete, this exercise will likely result in a prioritized list of impacted processes where you can focus your exam readiness efforts. Depending on the context for the exam, priorities may take on different meanings, but generally a “surface level” review will be sufficient for some functions while a “deep dive,” transaction-level review will be required for others. These reviews should be completed as part of an independent risk assessment, which will identify the required operational changes that will need to be designed, implemented, and staffed.

While risk assessments should be completed on a regular basis irrespective of an upcoming regulatory review, this extra level of targeted diligence pays dividends in advance of an exam – whether it is the CFPB, the OCC, or the FDIC. As the old saying goes, “an ounce of prevention is worth a pound of cure.”