banking world, as well as how KeyBank’s
program is structured?
KA: Over the years, I have observed a
fairly consistent approach to bank compliance
structures. For example, it is common for
banks to have distinct Bank Secrecy Act/
Anti-Money Laundering functions within
units are made up of
that impact all areas
of the organization.
In addition, banks
department to focus
on particular lines of business or products.
This targeted approach is necessary, given the
volume and complexity of the various banking
regulations. It is also common for there to
be a testing team within the Compliance
department. The compliance testing function
is separate and distinct from the bank’s
Internal Audit department, and its purpose
is to test the effectiveness of the bank’s
compliance policies, procedures, and practices
against the various banking regulations. Many
bank Compliance departments also have
teams that are responsible for organization-wide compliance programs and functions.
For example, KeyBank has a distinct Fair and
Responsible Banking team, but it also has
separate Privacy, and Ethics groups that roll
up under an enterprise compliance officer.
With respect to the reporting structure,
KeyBank’s chief compliance officer reports
directly to the organization’s chief risk officer,
who in turn reports to the chief executive
officer. This is a fairly common framework.
However, I have also seen structures where
the Compliance department is part of the
bank’s Legal department.
AT: What are the key risk areas? I’m
assuming anti-money laundering and know
your customer issues are at or near the top of
the list. What else is typical for banking?
are a variety of
areas outside of
significant risks exist.
For example, banks
risk, market risk,
model risk, credit
risk, strategic risk,
and reputational risk.
Each of these “risk
pillars” is highly specialized and focuses
on targeted areas and activities within
the bank. Failure to closely monitor each
individual risk pillar could pose a significant
threat to the overall safety and soundness
of the bank. In addition, there are other risk
groups that work to mitigate risk across the
organization, including legal, internal audit,
information security, and fraud. It is essential
for Compliance team members to regularly
and actively engage with their risk partners to
share information that can help the bank more
quickly identify and mitigate risk.
AT: One area of responsibility for you
is third-party reviews. These days, that’s
generally seen in the corporate world as a big
part of the FCPA risk management process. I’m
guessing it’s something else for banking.
KA: All banks, regardless of their size,
geography, product offerings, or client
base, contract with third parties in order to
make their products and services available
to customers. The only difference is how