Data analytics has become an essential tool in the field of compliance and risk management. It allows compliance officers to assess the effectiveness of their programs and identify potential risks before they escalate into major issues. In a recent episode of the podcast “Compliance into the Weeds,” Tom Fox and Matt Kelly discussed not only the importance of having data analytics in a compliance program but also of actually using the data in a risk management strategy.
The Consumer Financial Protection Bureau (CFPB) recently fined Bank of America $12 million for mishandling data analytics, specifically around accurate data about home mortgage applications. The bank had all the necessary data to assess its compliance risks, but it failed to maintain continuous monitoring, leading to compliance issues. This case serves as a reminder of the need for ongoing data analysis for proactive risk management.
The CFPB found that Bank of America violated the Home Mortgage Disclosure Act, a law that has been around since the time I graduated from high school, that being 1975. The law itself requires mortgage lenders to collect demographic data about home loan applicants and report that data to various federal agencies. Bank of America settled the matter without admitting or denying the allegation and agreed to the aforementioned $12 million fine.
As Matt noted in his Radical Compliance blog post, “Dig into the details of the settlement order, and you can see how data analytics, auditing, and monitoring all play a crucial role in assuring compliance with a regulation like this. Given that so many other business sectors have similar obligations to collect and report lots of data to regulators, maybe this case isn’t so obscure after all.”
The enforcement action drives home the clear lesson that data analytics is not a one-time tool to determine violations or identify risks. It should be used as a monitoring device that runs continuously to provide early warnings when risks enter the red zone. Bank of America’s mistake was treating data analytics as a one-time solution to a problem, rather than a long-term monitoring tool. They implemented analytics in 2013, found the error, introduced a control to correct it, and then switched it off when the problem seemed to be solved. However, the problem recurred, leading to the CFPB penalty.
Also notable is the high level of importance placed on surveillance and monitoring in the banking and financial services industry. These sectors have extensive monitoring and surveillance practices, recording every email and phone call to prevent improper messaging and manage risk. While this level of monitoring may seem draconian to other industries, it has proven effective in ensuring compliance and preventing fraud in those arenas.
The Bank of America case demonstrates that compliance officers often already have the necessary data for analysis; they just need to identify which information to study. In this case, the bank had all the data it needed to assess the compliance risk of information not provided in home loan applications. They implemented a monthly report to crack down on the abuse, resulting in a significant drop in the “information not provided” group. However, when they ceased the report in 2016, the rate started to increase again, ultimately leading to the violation and penalty.
The use of data analytics to monitor the effectiveness of controls was also a key lesson from the enforcement action. When Bank of America instituted monitoring to determine who was filling out the reports, they obtained significant information and saw a drop in the “information not provided” group. This strategy raises the stakes around the question of whether being watched or monitored can influence individuals to follow controls and do the right thing.
Data analytics should not only be used to analyze the effectiveness of compliance programs but also to analyze overall activity within an organization to identify compliance risks. Compliance officers should strive for analytics that run continuously, providing insights into the state of affairs over the long term. This approach allows for early detection of risks and enables business units to manage their own risks effectively.
The Bank of America case serves as a valuable lesson for compliance officers in any industry. It highlights the importance of ongoing data analysis, continuous monitoring, and the need to consider data analytics as a long-term risk management tool. By leveraging data analytics effectively, organizations can proactively identify and mitigate compliance risks, ultimately avoiding costly penalties and reputational damage.
Data analytics plays a crucial role in compliance and risk management. It enables compliance officers to assess program effectiveness, identify potential risks, and monitor activities for early warnings. The Bank of America case underscores the importance of continuous data analysis and monitoring in proactive risk management. By embracing data analytics as a long-term risk management tool, organizations can enhance their compliance efforts and safeguard against potential violations.