3 steps to effective monitoring and testing for credit card issuers

Internal audit is not enough to ensure regulatory compliance

Jan 25, 2016

For credit card issuers, monitoring and testing is a vital first line of defense for controlling regulatory compliance risk. Yet too many issuers assume that their current internal audit measures are enough. Monitoring and testing should serve a separate yet complementary role in your compliance program. Banking regulators have accepted a three-lines-of-defense approach as a best practice. The three lines of defense are: monitoring and testing in the business line, compliance, and internal audit. This type of segregation in compliance risk management programs is now the required approach.

1. Understand monitoring and testing’s role

Unfortunately, most credit card issuers and servicers do not have a well-developed and functional compliance and testing program to serve as their first line of defense. Because of increased regulatory scrutiny, credit card issuers often need to develop this area quickly. Though monitoring and testing is often confused with, and is developed similarly to, internal audit, there are distinct and important differences. Compared to internal audit, your monitoring and testing function should provide more timely oversight over a broader array of regulatory issues.

Monitoring and testing should:

  • Function outside of compliance and have its own issue management that is owned by the line of business (LOB); in effect, monitoring and testing serves as a compliance program within each LOB
  • Maintain adequate internal controls over the originating, servicing and marketing of credit card products
  • Focus solely on regulatory compliance with applicable credit card regulations regardless of bank policy and procedure; gaps in bank policy and procedure are often identified as a result
  • Be performed frequently, sometimes monthly depending on the regulation being tested and the associated risk
  • Allow for rapid remedial action before either internal audit or examiners identify areas of concern
  • Identify any barriers to the business reaching its overall objectives, allowing the business to surpass regulatory scrutiny while still growing the credit card portfolio

By comparison, internal audit is:

  • Designed to assess your overall adherence to your policies and procedures, not your compliance with applicable credit card regulations—it is more focused on employee behavior than on product compliance
  • Usually performed far less frequently than monitoring and testing, most commonly annually
  • Set up to advise the entire financial institution of regulatory risk management and response, not just a particular LOB
  • Not comprised of members who are subject matter experts specifically on applicable credit card regulations; internal audit observes, inspects and traces any regulatory risk to the entire financial institution
  • Designed to test the level of regulatory compliance within each LOB as well as the other two lines of defense

While their roles differ, your monitoring and testing and internal audit functions should work together. A collaboration from all three lines of defense, along with an embedded process, will improve your credit card business, products, services and operations. Internal audit should review findings and remediation suggestions from the monitoring and testing team and report them to the board. In addition, at least annually, internal audit should assess the monitoring and testing function and report those results to the board as well. This diversity in data, review, stakeholders and business line support leads to greater risk oversight and insight.

2. Establish effective policies and procedures

In order for your monitoring and testing program to work, there has to be something to monitor and test. Therefore, the first step is to develop and implement written policies and procedures to help ensure compliance with all regulations designated as high risk in your institution’s risk assessment. Effective policies will:

  • Specify the sample size, frequency, scope and depth of monitoring and testing
  • Indicate when to expand sampling when monitoring detects potential violations of applicable laws and regulations
  • Establish a uniform testing methodology to ensure consistent procedures

These policies and procedures should be developed independently from the areas of the business responsible for marketing, servicing and fulfilling your credit card products. Train appropriate personnel to identify and report violations of applicable laws, regulations or bank policies; providing a channel for reporting that is independent of business function encourages more timely and complete disclosure of compliance issues. Though policies and procedures at the business line level should be separate from corporate compliance, as compliance is independently responsible for oversight of your credit card portfolio, they should serve as companion documents and coordinate with your institution's risk management.

While the right policies and procedures for your organization will be driven by your unique circumstances and risk assessments, areas for remediation often uncovered during this process include:

  • Customer reimbursement issues
  • Control or program weaknesses that compromise the entire system
  • Areas where additional oversight from management or the board is required
  • Change management opportunities within specific lines of business

3. Pick the right team and give them the tools to do the job

Your monitoring and testing team should consist of experienced professionals trained to identify and report violations of applicable consumer protection laws as well as bank policies and procedures. This should be an independent unit tasked with reporting all findings to a specified risk executive each month. Your monitoring and testing team must have the authority and status within your institution to be able to perform their work, report their findings and remediate identified issues without interference. They must be backed by both management and the board as necessary to effect the cultural changes that may be required within specific LOBs. Compliance expertise at the LOB level will not only minimize regulatory risk but also create deep subject matter experts on applicable credit card regulations, which will in turn further strengthen the business line.