Establishing a positive relationship between the first and second lines of defense is critically important to the success of any compliance program. Delivering sound, independent advisory services to the first line of defense — without hampering business strategy — is a critical component of compliance programs that is sometimes overlooked. In this webinar, participants will discover:
<ul>
<li>Collaboration strategies with the first line of defense</li>
<li>Balancing regulatory risk with operational cost</li>
<li>How to provide a steady, guided hand to your leadership team</li>
</ul>
Presenter: Meredith Garland-Hannifin, Senior Vice President, Risk & Compliance and Chief Compliance Officer, Exeter Finance
[toggle title="TRANSCRIPT"] <div class="transcript-scroll-box">
00:04 Good afternoon. My name is Molly Stewart and I'm the Chief Operating Officer at rail media and Auto Finance News. Today we welcome you to the third and final session of the Auto Finance Risk Summit webinar series. We've been thrilled to provide you with the complimentary access to this series through the generous support of defy solutions and live box, our series sponsors. Today's session is sponsored by live box, and we will take a brief pause for a welcome from our sponsor.
00:46 Establishing a positive relationship between the first and second lines of defense is critically important to the success of any compliance program, which is why we are excited to hear from Meredith Garland-Hannifin, Senior Vice President, Risk & Compliance and Chief Compliance Officer at Exeter Finance, who will present on effective collaboration between first and second lines of defense. We expect this to be an informative and interactive session and encourage your active participation during the live Q&A that will follow Mary's presentation. 
We hope you've enjoyed this Risk Summit series and view it as a bit of a teaser to the content we will present during the 20th annual Auto Finance Summit, which will be held virtually on October 20 through the 22nd. If you're a lender, we are offering a limited number of complimentary registrations to the event. To register or for more information, please visit autofinancesummit.com. Now I would like to introduce my colleague Joey is a lotto deputy editor of Auto Finance News who will moderate this session. Joey is a writer and editor based in New York. His fiction and nonfiction have appeared in a variety of print and online publications. Before reporting on auto finance he covered the mortgage and housing industry. You will As a master in fine arts and writing from Spalding University and a Bachelor of Arts and English from DePaul University, Joey.
02:11 Thanks, everyone, for joining us. If you want to submit a question, you can do so in the upper right-hand corner of the browser in the chat box. Please note that all questions will be privately sent to the moderators and panelists. Now it's my pleasure to introduce our speaker, Meredith Garland-Hannifin, who as mentioned is Senior Vice President, Risk & Compliance and Chief Compliance Officer of Exeter Finance. In this role, she leads the maturation of all risk management and compliance programs, compliance advisory, third party risk, exam management, policies and procedures, compliance training and regulatory change management. She has been with the company for two years. Prior to joining Exeter, Meredith served as the chief executive officer of J. Gallagher consulting where she built compliance programs for to clients. Before that, she was Senior Vice President of mortgage compliance its city and
03:06 excuse me
03:07 at City and assistant vice president of government initiatives at Caliber Home Loans. 
She also held loss mitigation compliant handling, underwriting and client relationship relations positions at Morgan Stanley and Bear Stearns, man, welcome.
03:24 Thank you. Thank you, Auto Finance News. Thank you, Joey, for that kind introduction. It's an absolute pleasure to share my favorite topic today
03:39 with the audience,
03:45 effective collaboration between the first and second line of defense. This is my 21st year in finance and in compliance. I started my career as a college intern for legal and compliance at EMC more Bear Stearns. Since then we have been through the financial crisis, the CFPB has been formed and compliance programs have been in some phase of constant change. Now we're in a global pandemic. I remember when I graduated college from Oklahoma State University, thank you and I don't ever want to be bored or stagnant in my career. Well, mission accomplished. In the wise words of Socrates, the secret to change is to focus all of your energy, not fighting the old, but on building the new. Exeter Finance is a nonprime auto finance company based in Irving, Texas. And as previously mentioned, I've been with me for a little bit over two years. Let's review why the line of defense model is so important and why it needs to be effective. Most of the audience knows this slide quite well, as you know, the CFPB exam cut guide very well. The CFPB mentioned the need for independence for different times throughout the exam guide. And they've also released information about it for many years on through advisory guidance. So let's jump in. First, stop, collaborate and listen. Maris back with a brand new invention. I'm sorry, you will definitely be singing that song for the rest of the day. So it's not exactly a brand new invention, but it's the most important and critical skill to master as a compliance professional: listening. Let's review some best practices. 
When the light first line of defense brings a new product and idea or a resolution to an existing issue, I tried to refrain from immediately moving to problem solving mode. And I take time to ask questions and to listen to those responses. This is really hard for me personally, because I love to problem solve, I love to jump in and immediately move to the resolution. So I physically stop and force myself to be quiet and silent and only to speak when I'm asking questions, and then actively listen. So let's go through my top questions that I asked the first line of defense when we're working through an issue or compliance topic. But first, what are you trying to accomplish?
06:47 Second, why do you want to do this?
06:52 Third, what will you gain or lose by implementing this product or service or resolving the compliance issue in this manner? Fourthly, how does it affect people, process and technology? How soon do you want to implement this, business partner? Yesterday, today? Or one month, three months, a year from now?
07:25 Is there another option
07:29 that accomplishes the same? And that's when I asked the business partners to tell me about what that other option might be. One of my favorite topics: tell me about the controls you plan on establishing. Do these controls prevent the risk or do they merely detect the risk? After asking some important questions, it's time for a basic risk assessment. This doesn't have to be a lengthy exercise. It's not as in depth as your annual compliance risk assessment or some of your more full formal risk assessments you do throughout the year. I normally do a one page, PowerPoint, simple document that I can provide to the first line of defense. And it, it will include what does the regulations say? What are the operational requirements that need to go in to meet the threshold of the regulation? Lastly, I'll give Next I'll give an opinion on what's the reputational risk? What's the headline risk? 
What could a consumer complain about? And then I'll give it I'll give a my opinion and some of my experiences with the regulatory community what the way how will the examiner view this product or this service or this this resolution Resolution 10 issue. And we're going to talk a little bit more about it in a few slides, but also talk about cost benefit analysis and try to explore cost versus benefit. Now it's time to discuss those options after we've asked questions. We've listened and we really have an idea of where we stand on a risk perspective. Always remember your role in the second line of defense: we advise based on risk, we do not dress the business to perform option one, option two, option three. I find though that these options serve two main purposes. First, they get your first line of defense buy in or stake in the decision. Second, it eliminates the times common sound bite of compliance told me to do it. And here I give, I give the most conservative approach, the middle of the road, and then the least conservative approach. But talk about some best practices for improving collaboration. First, and one of the absolutely most important, you've got to get out of the granular details. Get out of the weeds, you cannot see the forest down there. Minutiae clouds your compliance judgment and it really limits your perspective. Establish a risk culture and appetite at all levels of the organization that starts at the top of your organization. It moves across and down the organization. We do this effectively building our compliance brand. And by practicing collaboration, very active and effective collaboration. Create harmony among the group. It's a relationship with the first line of defense. Make sure you're nurturing that relationship. Make sure you're spending time on it. It's never an it should never be a bus throwing contest back and forth on who's the most right, or who has the best ideas. We love to train the lines of defense together. 
We invite other groups from the first line of defense like operational support to our compliance cross training. We do side by side, we often in often in fourth, the why, and the how of our how our department worked. How we conduct compliance work. We of course, also implement a very formal and consistent compliance training program throughout the year.
12:15 Emphasize office hours. This is one of my favorites. Office hours have changed a bit during the pandemic. But we love hosting regular times, whether it's physical or virtual, where our business partners can just simply drop in. And we utilize this most in our policy and procedure program as well as our third party risk oversight program. It's a set time where the first line of defense can just drop by, again right now it's virtually, and they can sit with our compliance professionals. We can help with crafting a policy and procedure, crafting a controlled statement and eliminate additional meetings and it fosters the spirit of the teamwork and it just helps to overall drive the collaboration. And, as they say, teamwork makes the dream work.
13:17 We give our partners a glimpse into compliance reporting. I think this is so critically important. The advance compliance reports and compliance memos. We never attempt to release any findings or memos or reports without first discussing it with the first line of defense and getting approval and buy in from the first line of defense. Nobody likes to be surprised and nobody likes to be the first to know that there's an issue or problem. Think about how that feels when that occurs, when that happens to you. It definitely doesn't feel like collaboration. And it certainly hinders the trust and the brand that compliance is trying to build, and probably the opposite of effective collaboration. This method takes much more time. 
And those times we get frustrated with the amount of time it takes to get everyone on board, and to get everyone supportive of the compliance memo or the finding or the report, but it's time well spent, because it just makes us overall much more effective. Always have your business partners that give balanced compliance advice and weigh the frequency and the impact analysis on likelihood into your decisions. Not only to benefit with risk is so critically important, taking a costly resolution, when a less expensive resolution, get to the same amount of compliance with regular like the regulation If not the best solution for your organization. Always balanced your compliance advice is given to the first line of defense with the overall organization strategy. Don't ever forget to bring your entrepreneurial spirit to the work you do as a compliance professional. Last topic, these are some of my tips for one of the most important parts of my job, which is to say balanced and calm and steady and not hit the panic button on each and every item that might come into my email inbox or through my team or through policies and procedures. The first one is the most critical. I think you have to frame compliance issues mentally as opportunity, opportunity to discuss In the control, to strengthen the process, or possibly both. And you have to constantly have that perspective and run that mental reel through your mind that this isn't a, this isn't a huge problem that can't be solved. It's an opportunity for the organization to get better. And for you to mature your compliance program, which is really, at the end of the day, your objective as a compliance professional. Always remember there are very few unsolvable compliance issues. So the next time you're ready to hit the panic button, or you're feeling a lot of anxiety over a compliance topic, just remember, frame it up with the right perspective. There's very few unsolvable issues, stay calm. 
One of the practical ways I do this is I manage my time really well. I am absolutely the administrator of my calendar, of my time and where I spend focused on one of the things I do, and I'm certainly certainly taking them many, many years to get highly skilled at. But I prepare in advance for my day to be absolutely hijacked by something I had not had on the calendar. One way I do this is I never have more than 10 to 15 emails in my inbox at any time. I will pause for the mental what in the world and yes, it's true, I still belikin internal process. And again, I postponed it over the years, but I keep my email traffic very well organized, and very clean. I mean, the reality is, there's risk in your email box and if you're, if you're not responding to those in a timely manner, you could be putting your organization at some sort of Rep. So plan accordingly. Use those time blocks on your calendar and really be a good steward of your time and protect that calendar.
18:08 Another one of my absolute favorites and I have many of my many of my colleagues on today is to attract and retain compliance talent that just remains highly focused and are highly tolerable of change. I started with we've been in change for as long as I can remember, in the risk and compliance sector, attracting teaching and coaching and training, compliance callate to really be tolerable, tolerable have changed and have reacted well to change it it will absolutely be a component to your compliance program that will continue to turn results for many many years and I'm super blessed to have some of the most amazing credible compliance talent that I've ever encountered in my career on my team at Exeter laughs maintain, preach and show demonstrate every chance you get work life balance. We are now at our home offices all the time and not working on site anymore. So at least for the near future. So I encourage the use of PTO on a regular basis. 
I really encourage the team in myself to have to have mental breaks and to really focus on the hours of the day where they're the most, the most sharp. For me that's early in the morning and that's certainly not 435 o'clock, six o'clock in the evening. And then to get up and stretch and you know, if you're exercise, go for a run, clear your head and take time off, take time off to unplug and to charge your batteries back up. And I think it's just so critically important to your overall happiness and health as a compliance professional.
20:22 With that, I'd be happy to take some questions.
20:29 Thanks so much.
20:31 We do have some questions. So I figure I'll just jump right in, if that's all right with you. Don't ever look in my my inbox, it will it will, it will give you anxiety that you can't believe. Yeah, so your first question is, um, you know, what sort of advice can you offer to help compliance and risk executives in changing the mindset of the rest of the organization?
20:57 Yeah, I think it's practical approach
21:04 establishing a really strong committee structure, establishing a strong compliance reporting process, where you report compliance findings at at throughout the organization to Vice President level, then at the senior vice president level and then roll that up into a periodic, we do a quarterly Enterprise Risk committee presentation, in really, really practice full disclosure with all your lines of defense into what you're doing, why you're doing it and what you're what you're finding, and I would say from just a best practice, just lean in and be be very cognizant of feedback from if you're going to give that full disclosure. Your lines of defense, just be very welcoming of the feedback. And sometimes that means you got to get a tough skin on and, and be ready for some really strong feedback, but just lean and embrace it. And I think thirdly, it's the training and establishing the culture at the top. 
And you do that by having a line of independence to the board and to your executive team. The CFPB put together that, that prescribed model and I think those are really the three best practices I'd offer at often my colleagues.
22:39 Fantastic, great. Our next question is a timely one. Mmm hmm. Excuse me. How does the compliance landscape change in a post-COVID, post-work-from-home environment?
22:51 This is great. I love this question. Thank you, Joey. And wow, canes right. You know, I eat it. Breakfast is served up all day long. It's what you know, springs me out of bed. Every day it's going to happen every single day changes, change is going to be around to, of course, the regulatory change in flow during COVID has been, has been quite quite a large body of work, the CARES Act, the state requirements that have come out, we, we have a very strong regulatory change process. And so that that sum is not something that we had to build on the fly. It's been in our compliance program for quite some time. So just working through that change and working through those changes really efficiently and effectively. You know, we we like to have really aggressive SLAs for responding to our business when it comes to regulatory change in change in general. So I think I think that's the, that's the first one. And as far as day to day, while I love the face to face aspects of the office, I'm an extrovert. So this certainly had a had a little bit of personal time adjustment for me. I, you know, be in, in home work from home environment has really helped communication in so many ways. You know, what used to be the first line of defense or my legal partner is just dropping by my office, you know, has now turned into phone calls and we actually use the phone, we dial the numbers on the phone, we pick it up, and we talk on the phone, and that has really turned into, you know, almost a daily brief. 
We certainly have a lot of items that say, Hey, can you just jump on the phone and can we just talk this out and hash it out? So in many ways, while while I do miss the camaraderie around the office and, and seeing my Exeter family every single day, I love the communication paradigm shift we have had, and I think it took brought on even more effective and open lines of communication.
25:22 You are on mute.
25:35 You are on mute.
25:41 Time, we'll get to the important stuff. Our next question is, as you mentioned, risk and compliance are really a problem solving role. So I'm wondering if you can give us an example of one instance where you were particularly proud of the creative solution you came up with.
25:58 Yeah, thanks for that question. than
26:02 the one most recently, we're always looking for ways to bring efficiency to compliance and to really, really find ways to get better get fast or get stronger, while not sacrificing quality. Of course, one of the things that we've recently done is we have we have transitioned the daily issue management tracking, resolution remediation to the first line of defense. This is allowed for the second line of defense becomes so focused on providing thousands by three guidance and robust post validation testing and monitoring.
26:49 And
26:52 the first line of the first one is defense is really focusing on that fault and really focused it focus on the oversight and advisory aspect just brought a tremendous amount of synergy for us, and a tremendous amount of efficiency.
27:16 That's fantastic. You know, thinking about compliance departments and how they're structured, everyone has their own way, in your experience, you know, in different different, you know, industries. Have you found that there's a structure for compliance departments that inherently work better than others?
27:36 You know, I, I just love the model and the structure that the CFPB has laid out. 
And I, I think that regardless of who reports to who or if compliance is within legal or not within legal that I have found both of those organizational reporting structures to be highly effective, but the most important thing is to have that line of independence. I opened with the slide where the CFPB, you know, enforces several times and the exam guide can have brought it up through advisory guidance throughout the years that need for independence. So, regardless of how the chart may look, it's the most critical component is that I have access to the board into our Executive Committee. And I have that on a consistent, consistent basis. So that's really to me the the model that I like the most. Okay, that makes sense.
28:38 So I have a personal question or not, it's very personal question of you, but it's a question for me. We like to ask our compliance and risk risk executives this all the time. I think it's very telling to the problems that you guys deal with on a day to day basis. But what keeps you up at night?
28:59 I've been asked this question so many times over the years on, you know, I've been to many conferences over the years and I hear I hear this question get asked and answered. And I love it. And I think I might have a little bit of a unique and different response to it. So it is a resounding nothing. Nothing at all keeps me awake at night, I sleep on average between nine to 10 hours a night. And, you know, I trust the model that I built. Most importantly, that's prescribed by the CFPB but that I've built over and over and over again, and have had amazing mentors that have helped me along the way. And then when I had my consulting company built it over and over again, but I trust that I know that through effective compliance testing and really strong issue management and through everything we do on a day to day basis, and most importantly, the talent that I have on my compliance team, and just absolutely amazing, brilliant human beings. 
All that added together, Joey, nothing keeps me awake at night. I sleep nine hours, just fine.
30:28 hours a night Even if I wanted to. Okay, so I do have one one last question for you. Before before we wrap up, given the environment and you know, all the best practices that you've kind of laid out for us today. Is there maybe one or two that you found to be particular importance in our current in environment with the pandemic or from home that you know our attendees can can really take away with them back to their organizations?
30:57 Yeah, I think it's a talked about perspective and really having a perspective of framing up compliance issues as an opportunity, versus as a problem. I think you just have to stay really focused on that, as you're sitting there and asking, Well, how do you stay focused on that, you know, I talked about time management. I talked about getting out of the weeds and really, really taking a higher level look at problems and, and, and to really stay calm in the moment and to not get on the train of it's all falling apart. It's all coming down. This is terrible. I can't believe this. It's so I think that's probably the most important and just from a practical perspective, just getting and driving that collaborate collaboration for the first line of defense. And one thing that If I'm just absolutely completely jammed up wrapped around the axle on something, you know, I'll reach out to my colleagues and whether it's my legal colleagues or my business colleagues, and I'll say, hey, I want your perspective on this. You know, I want your ideas. You know, I want your thought. And I think that's really seeking feedback, through collaboration, listening to that feedback. And really being strong and resilient in times of change is is absolutely the top best practice.
32:42 Care. pleasure. And thank you everyone for joining us. And thank you to live box for sponsoring this session. 
Please remember to join us for the Auto Finance Summit, which will be presented as a virtual experience on October 20 through the 22nd. You can visit autofinancesummit.com for more information or to register. Thank you, everyone.
</div> [/toggle]