A compliance committee without a charter is a meeting. A compliance committee with a vague charter is a meeting with an attendance sheet. Neither satisfies examiners, and neither provides the governance structure that actually reduces compliance risk at the institutional level.
The compliance committee charter defines what the committee exists to do, who serves on it, what authority it holds, and how it reports to the board. Examiners review this document, and compare it against actual committee behavior, to evaluate whether board-level compliance oversight is substantive or performative. Getting the charter right is the foundation; operating consistently against it is what matters at exam time.
Key Takeaways:
- A compliance committee charter is a governance document, not a formality; examiners evaluate it and hold the committee to its own commitments
- The charter must define purpose, membership, authority, meeting frequency, reporting obligations, and scope of oversight
- The compliance committee and audit committee have distinct roles; conflating them creates independence problems
- Committee effectiveness is measured by what changes as a result of committee action, not by meeting frequency alone
Why the Charter Matters to Examiners
The FFIEC Compliance Management System framework evaluates board and management oversight as the first element of an effective compliance program. Examiners look for evidence that the board, or a committee operating under board authority, provides meaningful oversight of compliance risk.
The charter is the starting point. Examiners use it to set expectations for what the committee should be doing, then compare those expectations against board minutes, committee reports, and evidence of follow-through. A charter that promises quarterly risk assessments and monthly meetings creates an obligation. If the committee met twice last year and didn't discuss risk assessments, the charter itself becomes evidence of a governance failure.
This is why the charter must be both ambitious enough to satisfy regulatory expectations and realistic enough to be consistently followed. Overpromising in the charter and underdelivering in practice is worse than having a modest charter that the committee executes faithfully.
Required Charter Elements
Statement of Purpose
The purpose section establishes why the committee exists and what it oversees. This should be specific enough to define scope while flexible enough to accommodate evolving regulatory requirements.
Effective purpose statement: "The Compliance Committee oversees the institution's compliance management system, including regulatory change management, compliance risk assessment, consumer protection, BSA/AML program oversight, and the adequacy of compliance resources. The Committee ensures that compliance risk is identified, measured, monitored, and controlled in a manner consistent with the institution's risk appetite and regulatory obligations."
Ineffective purpose statement: "The Compliance Committee oversees compliance matters and reports to the board."
The difference matters because examiners use the purpose statement to evaluate whether the committee's actual activities match its stated mandate. A broadly defined purpose with no specificity provides no governance framework and no accountability.
Membership and Composition
The charter should specify:
- Minimum number of members: typically 3-5 for community banks
- Qualifications: at least one member with compliance or regulatory expertise; board representation is expected
- Chair designation: who leads the committee and is accountable for its effectiveness
- Management participation: the compliance officer typically attends as a non-voting participant and primary presenter; other management (BSA officer, risk manager, internal auditor) attend as needed
- Independence requirements: at least some members should be independent of business line management to avoid conflicts
A common mistake at community banks: the compliance committee consists entirely of management with no board member participation. Examiners view this as a management working group, not a governance committee. At minimum, one board member should serve on or chair the committee to provide the board-level oversight that regulators expect.
Authority and Responsibilities
This is the core of the charter. It defines what the committee can and must do.
Typical responsibilities include:
- Review and recommend board approval of compliance policies
- Receive and evaluate the compliance officer's periodic reports
- Monitor the status of compliance examination findings and remediation
- Review compliance risk assessments and risk ratings
- Evaluate the adequacy of compliance staffing and resources
- Oversee the compliance training program
- Review regulatory changes and assess institutional impact
- Monitor consumer complaint trends and resolution
- Receive BSA/AML program updates (unless a separate BSA committee exists)
- Review compliance testing and audit results
- Escalate issues to the full board when warranted
Authority provisions should include:
- Access to any institutional records, personnel, or systems necessary to fulfill oversight responsibilities
- Authority to engage outside counsel or consultants
- Authority to direct compliance resources toward identified risk areas
- Direct reporting line to the full board
Meeting Frequency and Quorum
The charter should specify minimum meeting frequency. Quarterly is the minimum that examiners typically accept for compliance committees at community banks. Monthly meetings are common at institutions with elevated risk profiles, active remediation efforts, or recent enforcement actions.
Define quorum requirements, typically a majority of voting members, with at least one board member present. Specify whether meetings can occur by telephone or video conference and how emergency sessions are called.
Reporting Obligations
The charter must define how the committee communicates with the full board:
- Frequency of board reports: after every committee meeting, at minimum
- Content requirements: summary of topics discussed, decisions made, issues escalated, and actions assigned
- Escalation triggers: specific conditions that require immediate board notification (e.g., MRIAs, regulatory enforcement actions, significant compliance failures, material regulatory changes)
Annual Self-Assessment
Include a provision requiring the committee to evaluate its own effectiveness annually. This review should assess whether the committee fulfilled its charter responsibilities, whether meeting content was substantive, and whether the charter itself needs updating. Examiners increasingly ask for evidence of committee self-assessment as part of governance evaluations.
Relationship to the Audit Committee
The compliance committee and audit committee are not the same thing, but at community banks they're frequently merged or confused. Understanding the distinction matters for examiner expectations and for organizational independence.
The compliance committee oversees the compliance program's design and operation: are policies current, is testing being conducted, are findings being remediated, are resources adequate?
The audit committee provides independent assurance that the compliance program (among other functions) is working effectively. The audit committee oversees internal and external audit, reviews audit findings, and ensures management is responding appropriately.
The independence issue: When the same committee serves both functions, the body responsible for overseeing the compliance program is also responsible for independently evaluating it. This circularity undermines the three-lines-of-defense model. Examiners recognize that community banks may not have separate committees for every function, but they expect the charter to address how independence is maintained (for example, through use of third-party compliance auditors who report directly to the audit function).
If your institution uses a single committee for both compliance oversight and audit oversight, the charter should explicitly address the independence conflict and describe mitigating controls.
Sample Committee Meeting Agenda Structure
A well-structured agenda signals to examiners that committee meetings are substantive. The charter can include a standing agenda framework:
1. Previous Meeting Follow-Up (10 minutes)
- Review action items from the prior meeting
- Status updates on outstanding items
2. Compliance Officer Report (20-30 minutes)
- Regulatory change updates and institutional impact assessment
- Compliance testing and monitoring results
- Examination finding remediation status
- Training completion metrics
- Consumer complaint summary and trends
3. Risk Assessment Update (10-15 minutes)
- Changes to compliance risk ratings
- Emerging risks identified
- Risk appetite alignment
4. Policy Review (10-15 minutes)
- Policies due for annual review
- Policies requiring update due to regulatory changes
- Recommendation for board approval
5. Special Topics (as needed)
- Upcoming examination preparation
- New product or service compliance review
- Regulatory enforcement trends relevant to the institution
6. Executive Session (as needed)
- Discussion without management present
- Compliance officer performance evaluation matters
What Makes a Committee Effective vs. Performative
Examiners don't just check whether the committee exists and meets. They evaluate effectiveness: whether the committee actually influences compliance outcomes.
Indicators of an effective committee:
- Meeting minutes reflect substantive discussion, not just report acknowledgment
- The committee asks questions, requests additional information, and challenges management assumptions
- Action items are assigned, tracked, and completed
- The committee has directed resource allocation or policy changes based on risk findings
- Board compliance reports reflect committee input, not just compliance officer summaries
Indicators of a performative committee:
- Minutes consist of "the compliance officer presented the report; no questions were asked; meeting adjourned"
- The same standing agenda is repeated verbatim each quarter with no variation
- No action items are generated
- The compliance officer creates and presents all content with no committee direction
- Material compliance issues first appear in exam findings rather than committee discussions
The charter sets the standard. The minutes prove whether it's being met.
How Canarie Supports Committee Effectiveness
The compliance committee's ability to provide meaningful oversight depends on having current, accurate information about the compliance program's status. When the compliance officer spends two weeks assembling a committee report from scattered sources, the information is already stale by the time it's presented.
Canarie maintains a real-time view of compliance task completion, policy status, finding remediation progress, and training metrics: the data the compliance committee needs to do its job. Instead of reporting on what happened last quarter, the compliance officer can show the committee what's happening now and where attention is needed.
Frequently Asked Questions
Is a compliance committee required by regulation?
No federal regulation explicitly requires a separate compliance committee. However, the FFIEC CMS framework requires board-level oversight of the compliance function, and examiners evaluate how that oversight is structured. For institutions with elevated risk profiles or complex operations, a dedicated compliance committee is strongly expected. For smaller community banks, compliance oversight may be incorporated into an existing board committee (such as a risk committee or audit committee), provided the charter and meeting agendas specifically address compliance topics with adequate time and attention.
How often should the compliance committee meet?
Quarterly is the minimum frequency that examiners typically expect. Monthly meetings are appropriate for institutions with active remediation efforts, elevated risk profiles, new product launches, or recent examination findings. The charter should specify minimum frequency and allow for special sessions when warranted. More important than frequency is substance: a committee that meets monthly with no meaningful discussion is less effective than one that meets quarterly with thorough agenda coverage and documented follow-up.
Who should chair the compliance committee?
Ideally, an independent board member with some regulatory or risk management experience. Having a board member as chair ensures the committee carries board-level authority and provides a direct conduit for escalating issues. At some community banks, the CEO or another senior officer chairs the committee; this is acceptable but creates potential independence concerns that the charter should address. The compliance officer should not chair the committee, as this conflates the oversight function with the management function being overseen.
What should compliance committee minutes include?
Minutes should document attendance, topics discussed, information presented, questions asked, decisions made, action items assigned (with owners and deadlines), and any items escalated to the full board. Examiners review committee minutes as primary evidence of governance effectiveness. The minutes should reflect genuine discussion, not just a record that reports were presented. If the committee challenged a risk assessment conclusion, directed additional testing, or questioned the adequacy of remediation efforts, that should be documented. Minutes that consistently show passive reception of reports raise governance concerns.