Staying Ahead of the Compliance & Risk Management Curve

Presentation transcript:

Staying Ahead of the Compliance & Risk Management Curve
Fran M. DeMaris, Executive Vice President

Supervisory Focus

What do FIDUCIARY examiners typically focus on? (FIRMA Annual Conference 2018)
- Bank Management’s evaluation of AM Risk
- Fiduciary Audit – scope, staffing, expertise
- Conflicts of Interest
- Collective Fund Risk Management
- Third Party and New Product Oversight
- Model Risk management
- Retail Nondeposit Investment Products
- Internal Control Weaknesses
- Account Administrative Reviews
- Unique and Hard to Value Assets
- Delegated Investment Responsibility
- SEC MMF Rules

What do FIDUCIARY examiners typically focus on?
- Continuing pressure on Risk Management, Compliance, and Audit Oversight functions
- Growing importance of Vendor Risk Management Supervision and Control
- Account Review Process - Balance of automation with human judgement

Supervisory Focus Asset Management

Supervisory Focus
- Internal Control Weaknesses
- Account Administrative Reviews
- Unique and Hard to Value Assets
- Delegated Investment Responsibility and Monitoring
- SEC MMF Rules (OCC Bulletin 2016-17)

Supervisory Focus Asset Management

Macro-Supervisory Strategies - 2018
- Cyber-security and operational resiliency
- Business model sustainability, viability and strategy changes
- Change management to address new regulatory changes and new product offerings
- Bank Secrecy Act/anti-money laundering compliance management

Investment Risk
- Market Volatility
- Interest Rate Risk
- Use of complex products
- Liquidity
- Increased Litigation and Reputation risks

Retail Nondeposit Investment Products
Principal risks include
  - Aggressive sales practices
  - Improper use of complex products
  - Weaknesses in determining suitability and proper use of higher-risk products
Areas of Focus
  - Banks’ initial & ongoing due diligence
  - Effective governance and bank oversight of RNDIP sales processes
“Retail Nondeposit Investment Products” booklet of the Comptroller’s Handbook (January 2015)

Conflicts of Interest
- Conflicts of interest pose legal, reputation and compliance risk
- Banks need effective processes to identify and address all types of conflicts of interest
- Unless authorized by applicable law, placing client funds for which the bank has investment discretion in proprietary products is, by definition, self-dealing
- Even when self-dealing is authorized, bank fiduciaries must still demonstrate how proprietary products are appropriate for that client and establish how those products meet the bank’s fiduciary obligations for its clients
- Proprietary products should be subject to same due diligence standards as third party products

Operational Risk
- Cyber risks
- Third party service provider oversight
- External fraud – Distribution requests/authentication
- Client e-mail account take-over
- Third party service provider oversight
- Legacy systems
- Emerging systems
- Interconnectedness
- New Product Bulletin (OCC Bulletin 2017-43)
- Understanding of risks associated with new product
- On-going focus on value added (if any) of new product
- Service provider consolidation/concentration
- AM outsourcing – effective oversight
- Internal Controls – fundamental risk management

Other Risks
- Overall bank AM asset accumulation is slowing and revenues are flat.
- Earnings compression appears to be due to competition.
- Passive investment strategies
- Digital advisers
- Other asset managers (Banks and RIAs)
- Emerging state laws introduce new capacities, some limiting liability for bank fiduciaries.
- Core requirements of a fiduciary remain regardless of whether a bank has investment discretion or is merely a directed trustee.
- Fiduciary powers; documented pre-acceptance account reviews; custody of fiduciary assets; annual fiduciary audits; policies; record keeping; and self-deposit pledge requirements
- While state laws may permit banks to rely on a third-party investment manager for valuations, banks remain responsible for accuracy of Schedule RC-T and IRS reporting

Supervisory Focus: Third-Party Relationships
- OCC Bulletin 2017-7 (January 24, 2017) – “Third-Party Relationships: Supplemental Examination Procedures”
- Tailored to risk and complexity of bank’s third-party relationships
- Procedures to assess a bank’s quantity of risk and quality of risk management, especially over critical service providers
- Includes consideration of
  - Service providers’ use of subcontractors
  - Bank’s due diligence and ongoing monitoring of financial market utilities
  - Reg W compliance for affiliated service providers
  - Conflicts of interest
- Focus on risk management throughout the lifecycle of third-party relationship

Supervisory Focus: Third-Party Relationships
- OCC Bulletin 2017-21 (June 7, 2017) – “Third-Party Relationships: Frequently Asked Questions to Supplement OCC Bulletin 2013-29”
- Risk management practices should be commensurate with risk and complexity of third-party relationship, adjusted for risk, and should be periodically reviewed and updated as needed
- Highlights bank collaboration for oversight, including user groups
- Provides guidance for Fintech relationships
- Addresses use of third-party compliance management systems
- Addresses use of SSAE 18 Service Organization Control Report, especially with respect to third party’s oversight of subcontractors to assess whether additional audit or review is required
- Addresses bank access to Service Provider ROEs

Supervisory Focus: New Products
- OCC Bulletin 2017-43 (October 20, 2017) – “New, Modified, or Expanded Bank Products and Services – Risk Management Principles”
- Adequate due diligence and approvals before introducing a new activity
- Policies & procedures to properly identify, measure, monitor, report, and control risks
- Effective change management for new activities or affected processes and technologies
- Ongoing performance monitoring and review systems
- Management and board limits on risk exposure
- Specific objectives and criteria to evaluate whether the new activities are successful
- Testing for compliance and effectiveness of operational controls and safeguards
- Exit strategy for activities that fail to achieve projections

Supervisory Focus: Asset Management
Investment Issues/concerns
- Anxiety for income/improved investment performance – increased risk taking
- Ineffective due diligence processes in selecting, retaining, and monitoring investment managers and funds (UPIA)
- Lack of independent risk management function over investment area
- Inadequate model risk management (OCC 2011-12)
- Improper oversight and controls over delegation of trust assets to affiliated broker’s financial advisors
- Performance related litigation risk
- Program/algorithmic trading activities

Supervisory Focus: Oversight
- Board & Management Oversight
- Committee Functions
- Risk Management
- Risk Appetite Statements

Supervisory Focus: Investments
Investment Issues/concerns:
- Unique Assets
- Stale valuations/valuation practices
- Stale reviews of unique assets
- Hedge Funds
- Lack of financial transparency
- Lack of product knowledge and expertise
- Client suitability

Supervisory Focus: Operations
Operational Risk Concerns
- Impact of earnings pressure on
- Internal controls
- Staffing
- Compliance/Risk Management functions
- Audit Coverage
- Third-party service provider oversight (OCC 2013-29)
- Asset controls
- On-premises/off-premises/all locations/all assets
- Accurate reporting of losses and settlements
- Fee rebates and concessions
- Oversight Committees/Schedule RC-T of Call Report
- Reg. R-Calculations

Supervisory Focus: Audit
Fiduciary Audit Committee Oversight
- Fiduciary Audit Committee must ensure proper oversight of fiduciary audit function, whether performed by internal or external auditors
- Committee membership must meet independence requirements of 12 CFR 150.470 (FSAs)
- When fiduciary audit is outsourced to a third-party auditor:
  - Trust company must not be overly reliant on third-party auditor to develop audit scope
  - Committee should consider internal risk assessment to assess the proposed scope and should ensure that it includes all significant fiduciary activities and an assessment of all key controls at appropriate intervals
- Committee should have processes to ensure that third-party auditor completes procedures as outlined in the engagement letter or that internal audit program is completed as planned

Supervisory Focus: Conflicts of Interest
- Umbrella for other Handbooks-Appendices
- Need comprehensive policies and procedures to identify, mitigate, and report conflicts of interest
- Board and management should periodically review all activities to determine if conflicts exist in current practices due to changes in the trust company’s activities, legal environment, or regulatory environment
- Audit Committee should ensure the audit scope includes an evaluation of the trust company’s conflict of interest risk management systems, including testing of transactions
- Board may need to engage third-party providers (e.g., outside legal counsel) to conduct a review of existing or proposed activities

Supervisory Focus: Retail Nondeposit Investment Products
- New Handbook

Supervisory Focus Asset Management

Supervisory Themes…
- Continuing pressure on Risk Management, Compliance, and Audit Oversight functions
- Growing importance of Vendor Risk Management Supervision and Control
- Account Review - Balance of automation with human judgement

Risk Management, Compliance & Audit
- Sound risk management systems and processes assist the firm in identifying, measuring, monitoring, and controlling risk
- Elements of a sound risk management system include:
  - Active board and senior management oversight
  - Adequate policies, procedures, and limits
  - Adequate risk measurement, monitoring, and management information systems
  - Comprehensive internal controls and independent audit

Risk Management Control Functions
- Risk management control functions include:
  - Risk Management
  - Compliance
  - Internal Audit
- Each control function has differing responsibilities; however, each is equally important to a sound risk management system

Risk Management
- Board retains ultimate responsibility
- Continuing need for current and well-conceived policies and procedures
- Need for effective testing against policies and standards, exception reporting, escalation, and follow up

Compliance
- Day-to-day monitoring and testing conformance with
  - Policies and processes
  - Laws, regulations, and rulings
- Reporting exceptions to the Board and senior management
- Providing staff training to facilitate adherence to policies and processes

Internal Audit
- Serves as the independent eyes and ears of the Board and senior management
- Identifies deviation from established policies, procedures, and standards
- Evaluation of Compliance and Risk Management processes
- Assesses program adequacy and effectiveness
- Affirms findings
- Validates corrective actions are effective

Vendor Risk Management
- Growing reliance on third party vendors for trust accounting and middle and back office functions
- Firm can delegate authority (function) but not responsibility
- Overall Vendor Risk Management processes should include:
  - Comprehensive Risk Assessment
  - Thorough Vendor Selection/Due Diligence
  - Comprehensive Contract Review
  - Service Monitoring/Oversight

Account Review Process
- Increased use of Automated “Reg 9” Review Processes
- May not adequately consider all account assets such as Hard to Value, Real Estate, Mineral Interests, etc.
- May not include the “human factor”/judgement including narratives describing unique or complex situations
- May not provide mechanisms for exception follow-up and remediation
- Reviews only account assets – does not consider supplemental information or administrative components
- Factor in supplemental information such as client discussions, tracking systems and periodic meetings and other discussions of account needs

Recent Examination Issues and Findings

Examination Issues and Findings
- Review of fiduciary accounts – failure to comply with 12 CFR 9.6/150 - pre-acceptance, initial post-acceptance, annual review
  - Inadequate account acceptance
  - Not including all assets in review
  - Adequacy of assets in meeting investment objective
  - Not meeting requirements of OCC Bulletin 2008-10
- Audit requirements – failure to comply with 12 CFR 9.9/150
  - Inadequate scope of audit – failure to include all significant fiduciary activities at appropriate intervals
  - Ineffective audit program
  - Failure to adhere to requirements for Fiduciary Audit Committee independence

Examination Issues and Findings
- Account Administration
  - Adequacy of administrative review process (failure to detect issues and coding errors)
  - Discretionary distribution process (inadequate documentation to support decision-making)
  - Self-directed IRAs (inadequate documentation for directed investments, including prohibited transactions)
- Internal Controls - Asset/Money Movement
  - Free deliveries
  - Disbursement controls (lack of dual controls noted; some trust companies have experienced fraud)
- Vendor Management
  - Inadequate monitoring of third-party service providers

Thank you!