The chief compliance officer may never hold the same sway as other C-suite executives, but industry observers agree his star has risen dramatically in banking over the last decade. "We're seeing a continuation of a trend that's been present for the last decade," observes Richard R. Riese, director of the Center for Regulatory Compliance at the American Bankers Association. "No longer is he seen as someone who simply checks the boxes and confirms that legal obligations are met. Now he's viewed as a risk-management officer, an integral part of a risk-management team."
Large and regional banks have already elevated the CCO. "In larger institutions that have the ability to make a division of labor, they're more likely to create an overall risk officer and have compliance reporting through that structure," Riese says.
Bill Barrett, who heads Ernst & Young's Technology and Security Risk Services practice, agrees. "We're seeing a convergence of the compliance and regulatory risks into security technology, which has made the job of compliance officer a much bigger one," he says. The firm's recent survey of banking executives showed that 76 percent of respondents cited regulatory compliance as the primary driver of information security in the bank.
The compliance officer's role is particularly critical at the community bank, where "he is more often also the CFO or general counsel," Riese points out. "There are resource constraints that small institutions have, even if they have more simplified operational profiles. Nonetheless, there's so much happening in the field that just paying attention to developments can be itself a big challenge."
Compliance is such a headache for community banks that some are delisting their shares from stock exchanges so they will no longer be subject to the high costs of complying with section 404 of Sarbanes-Oxley as mandated by the Securities and Exchange Commission. One such bank is NorthWest Indiana Bancorp, a holding company for Peoples Bank, a state-chartered bank in Munster, IN, which has $580 million in assets and an annual compound rate of return for investors since 1984 of 23.2 percent. It realized its external auditing costs would soar to $185,000 from $94,000 and internal costs would rise to $100,000 from $75,000, in part because another person would be hired in the compliance department. "The board grappled with how we could justify these costs to our investors and what the burden of 404 would mean overall for our institution," noted CEO David Bochnowski this summer in testifying before the Securities and Exchange Commission. "Our board was looking at a company that has been very well run, returning over 20 percent on an annual compound basis to shareholders. The bank already was testing internal controls on a regular basis and internal control effectiveness was subject to review by internal and external audit and our banking examiners. And yet we are going to be subject to this significant increase in costs which may not be justified."
However, other community banks are simply rising to the challenge, says Riese. "Banks are evolving their training to accommodate it and the industry is honing its professional-development approach to support this evolution of the growing role of the compliance officer."
Barrett says the compliance officer's role is becoming much more integrated with that of the chief technology officer, pointing out that only 46 percent of banks surveyed "have an integrated risk framework that considers regulatory, corporate and security requirements, and 35 percent of banks told us that they have separate compliance and information security organizations which separately address regulatory and security functions."