MRIA and Consent Order in Banking

Introduction

MRIA and Consent Orders in Banking: Threat or Opportunity

Banking sector has witnessed a barrage of regulatory intervention ever since global business model came into existence, but a shift to the current level came after 2008 meltdown. The debate has been ongoing about the quantum and jurisdiction of regulatory interventions, but the fact that these interventions are the new norm, is widely accepted in the banking world.

Responding to such interventions is never easy, diverting resources from a committed plan, a ticking clock and bad press is a nightmare for any business leader. In the spirit of the maxim: “Victory comes from finding opportunities in problems." — Sun Tzu, let us see if this adage holds true in the world of MRIA and Consent order.

Structure

Matter Requiring Immediate attention or MRIA is the mechanism the regulator follow to raise a concern, which after getting response or evidences from the banks either is resolved or a legal agreement is reached between the regulator and the banks, binding banks to take a corrective action. This could involve an upfront penalty or a fine if banks failed to follow up. The expectation of regulators

1. Banks take corrective action
2. Banks remediate the past salvageable issues
3. Banks showcase that future occurrences will not be possible given the remedial action

Summarizing above in a more structured manner we can say that a Consent Order involves the following, albeit in different measures:-

1. Non-Admission of Guilt: Often, banks do not admit to any wrongdoing when they agree to a consent order, but they do agree to make the necessary changes and improvements.
2. Remedial Actions: The order outlines specific actions the bank must take, such as improving internal controls, enhancing compliance programs, and addressing deficiencies in risk management.
3. Monitoring and Reporting: The bank is usually required to report regularly to the regulatory agency on its progress in implementing the required changes. Regulators may also conduct follow-up examinations.
4. Monitory Fines/Sanctions: Non-compliance with a consent order can lead to further enforcement actions, including fines and additional penalties.

Similarly MRIA can also be objectively characterised as

1. Identification: MRIA are identified during routine or special examinations by regulatory agencies like the Office of the Comptroller of the Currency (OCC) or the Federal Reserve.
2. Evidencing: The outcome of regulatory audit (in rare cases) can be satisfied by producing the relavant evidences countering the issue?
3. Gap analysis and agreement: Discussions with regulators and identifying the exact nature of concern usually happens in the audit stage, this helps to pin point the issue at hand.
4. Action Plan: The bank must develop and implement an action plan to address the identified issues. This plan is typically subject to regulatory approval.
5. Timelines: Banks are expected to resolve MRIA within a specified timeframe. Delays or failure to address MRIA can escalate to more severe enforcement actions, such as a consent order.
6. Monitoring: Similar to consent orders, banks must provide periodic reports on their progress in addressing MRIA. Regulators will monitor these reports and may conduct follow-up examinations.

In summary, both consent orders and MRIA serve as mechanisms for regulators to enforce compliance and ensure that banks operate safely and soundly. Consent orders are formal agreements often following significant violations, while MRIA are critical issues identified during examinations that require prompt corrective actions.

Types of Consent orders and MRIA

Banks can face various types of consent orders depending on the nature and severity of the regulatory issues identified. Here are some common types of consent orders that banks might encounter:

1. Operational Consent Orders: Drawing out operational deficiencies of the bank the focus usually is on internal controls of a bank which can be seen in operational risk framework of a bank and can be seen as a People, Process, Policy or system deficiencies. This can be addressed by remediating the LOD (Line of defence structure) at the desired level.

2. Compliance Consent Orders: This focuses on breaching the law as applicable (in function or geography). The law in question could be AML (Anti Money Laundering), Consumer laws, data related laws. The resolution also has to focus on checks and controls in the overall process flows, in terms of mechanisms, policies, Audits and Systems

3. Capital and Liquidity Consent Orders: This deals with breach of the governing central bank’s guidelines of capital adequacy and can be resolved by putting Process and systems for liquidity management followed up with control and audit.

4. Risk Management Consent Orders: This is more pre-emptive and emanates from banks’s failure to address new market and business changes. Remediation could be addressed to risk assessment, Credit Risk management or market risk controls.

5. Governance Consent Orders: This addresses the inadequacy in of bank’s corporate governance structure and addressed by filling identified gaps in the corporate governance structure or process.

6. Consumer Protection Consent Orders: This addresses issues originating from customer treatment like unfair or deceptive or discriminatory lending practices, as well as, failure to ensure Customer risk appetite and product risk profile.

7. IT and Cybersecurity Consent Orders: This deals with Data breaches, Service disruption or loss of business for a customer. The remediation is focussed on System adequacy couples with controlling process for the cyber security.

Threat to Opportunity

Remediation of the consent order does places demand on the existing resources and ends up diverting the precious resources into, what may seem like, a necessary drain of resources. However, the remediation does not happen in isolation and there are initiatives and needs within the existing framework of the bank that can be utilised, creating a common goal. Consent order come in various flavours and will need a different treatment of analysis if we want to analyse the tools that can help turning this threat into opportunity.

• Comprehensive Assessment

Evaluate Existing Practices: Use existing mechanism and information to identify the gaps, if possible include the related gaps or deficiencies that can be addressed in Synergy. As a practice do a risk regression to evaluate the impact of the gap.?

Once the gaps are identified, prioritise the gaps and benchmark it to industry standards and evaluate the optimum effort that can address the maximum gaps in the list.

• Strategic Oversight

The regulatory process are often classified as customer Non-value add process , however every process is there to serve the customer better. With this line of thought evaluate the possibility of marrying the customer value with the customer non value add process, using integration approach in either existing initiatives or near future planned initiative, optimising the business and regulatory goals

• Raise your own internal bar for regulatory compliance

This will need some crystal ball gazing skills, with the classic Strategy 101 question, where do we see ourselves in 5, 10 and 15 years. This may result in investing more into the solution but this approach will solve the problem at hand and move towards making the bank better prepared for future.

• Offer the safety as a Customer value add

The key here is to Communicate to the customers in all possible channels, highlighting the regulatory changes and the benefits the customers will get. This will address the obvious anxiety due to change as well as mitigate the bad press gathered due to consent order. The Publicity and branding too should be aligned wherever possible.

• Continuous Improvement

Consent order should not be wished away as a bad dream, accepting the fault is the first step but raising standards to be ready for the next challenge is the next step. All the effort to address a gap should not become an exercise to satisfy the regulator in the short run, but should improve the overall risk culture of the organisation, keeping the bank at the crest of the change, and change we all know is the only constant in this rapidly changing world.