Trust-related activities expose financial institutions to many of the same risks encountered in traditional banking activities.
For example, operating (transaction), strategic, legal, compliance, credit, settlement, market, liquidity and reputational risks may be present both for trust departments and financial institution operations. Some risks may result directly from trust department or financial institution processes, while other risks may be inherent in the products and services offered at the financial institution.
The duty of a fiduciary and the importance of effective controls
Financial institutions with trust departments are subject to other risks, as well. The primary duty of a fiduciary is the management and care of property (assets) for customers. This responsibility requires the duty of loyalty, the duty to maintain clear and accurate account records, the duty to preserve and make trust property productive and a myriad of other responsibilities. These responsibilities also bear risk, and management's ability to control these risks is of paramount importance.
Effective controls include proactive oversight by the board of directors. Senior management should identify, measure, monitor and address the risks inherent in fiduciary activities; however, effective control also involves the ability to respond appropriately to changing business conditions, applicable regulatory pronouncements, changing fiduciary laws and regulations, unique or unusual fiduciary assets or changes to personnel and department structure.
Ultimately, the financial institution’s reputation may be damaged if management is unable to identify and properly manage these risks.
Implementing a formal risk assessment
Financial institutions should design internal policies, documented procedures and other controls to address the risks facing the trust department. The size and complexity of the trust department will dictate the depth of such policies, and the institution should implement a formal trust risk assessment to augment the control structure for trust department risk.
A well-designed risk assessment should cover multiyear periods and be used to guide audit testing that measures controls and compliance with internal policies and procedures. The risk assessment should be updated at least annually and reviewed and approved by both the trust committee and the board of directors to confirm the continued effectiveness of the control structure. As risks change, the risk assessment is the mechanism for ensuring that audit resources are directed to the areas or functions that present the greatest risk to the trust department.
An effective risk assessment should identify those areas that could potentially expose the financial institution to liability that results from lawsuits or ineffective administrative practices. Strong internal controls, sound policies and procedures, appropriate management information systems, and adequately trained employees provide the basis for an effective risk assessment. Risk tolerance levels should be clearly set and monitored by both senior management and the board of directors.
What regulators are looking for
Financial institution regulators check whether a risk assessment is in place, and examinations often include a review of the risk assessment to confirm that audits are being completed on the schedule the risk assessment sets forth.
According to the FDIC’s Trust Examination Manual, at a minimum, an effective risk assessment should:
- Establish the level of risk that management is willing to assume. Examiners will review the planning process, policies related to the process and underwriting standards of accounts and new products.
- Identify the various risks associated with the financial institution's key products and services, as well as the operating environment. This includes an analysis of methods employed in determining fiduciary insurance coverage, loss reserves and the impact of fiduciary risk on capital adequacy. Litigation concerns should also be analyzed.
- Implement adequate controls and monitoring systems. This includes establishing a system of checks and balances and reviewing audit coverage, the compliance management system and the overall scope and reliability of existing management information systems.
- Include supervision of operations and the implementation of procedures when new accounts are originated. Guidelines should provide information on day-to-day management of fiduciary activities, operating systems and internal controls.
A financial institution that uses a continuous audit process instead of a single annual audit for its trust department can perform audit testing on an activity-by-activity basis, at intervals commensurate with the level of risk associated with each activity. The audit frequency should be defined in the risk assessment; however, audit intervals should be reassessed periodically to confirm they remain appropriate given the current risk environment and the volume of the activity being audited.
A trust risk assessment is an ongoing tool that should be used to measure and report risks associated with the trust department in relation to the financial institution as a whole. Using it, the financial institution's board can demonstrate to regulators that it is meeting its fiduciary responsibilities by being proactive, having a process in place to evaluate risk and allocating resources and personnel to the areas of greatest risk.
Wipfli provides flexible, customized solutions to satisfy regulatory requirements and support trust and fiduciary internal audit programs.