Brian Kostek

Managing Director

Brian is a Managing Director with Protiviti and is part of the Risk and Compliance team located in Tampa, Florida. Brian’s experience and expertise focus on regulatory risk and compliance, third-party risk management, and operational risk. Prior to joining Protiviti, Brian worked as an Associate National Bank Examiner with the Office of the Comptroller of the Currency from 2006 to 2010.

Major Projects

  • Compliance Risk Assessment – Developed an enhanced compliance risk assessment methodology for a large North American financial institution based on available, objective data, to ensure the methodology aligned to the organization’s OSFI E-13 program framework. Supported the execution of the assessment across the organization, and completed alignment reviews with the applicable compliance teams to ensure results were defensible, supported by objective data, and consistent across the organization’s risk profile. The results of the effort were the elimination of redundant compliance activities and an enhanced, well-documented compliance risk assessment and Chief Compliance Officer opinion process.
  • Compliance Management System (CMS) Readiness Assessment – Led a CMS readiness assessment for a specialty consumer reporting agency in preparation for the institution’s first CFPB exam. The assessment resulted in detailed observations across each element of the Protiviti Compliance Framework, which aligns to the CFPB CMS examination procedures, and Protiviti developed prioritized recommendations, including a roadmap of possible actions the institution could take prior to the CMS exam. Supported the CMS readiness assessment through additional transaction testing focused on Fair Credit Reporting Act (FCRA) file disclosures, FCRA dispute handling, call monitoring, and consumer complaint handling.
  • Compliance Risk Assessment – Managed a multi-year, international compliance risk assessment effort for a large multi-national financial institution. Provided subject matter expertise that supported the Compliance organization in creating a detailed mapping of regulatory requirements to the client’s products, processes, legal entities, and third parties. Completed analysis and mapping of existing operational controls, policies and procedures, training, and monitoring and testing for specific business units, and provided oversight to other business process and control mapping teams for their mapping activities. The enhancements to the compliance risk assessment methodology drove improvements to the organization’s monitoring and testing program, compliance action plans, and the overall compliance governance framework.
  • Third-Party Risk Management Assessment – Provided subject matter expertise and managed a project team that was responsible for conducting an independent assessment of a bank’s designated vendor population, including a review of the overall vendor management processes and assessment of the inherent consumer compliance and reputation risks of the vendors in scope. Project required a review and assessment of the due diligence, ongoing monitoring and testing functions of the vendor management program and required the design and implementation of an inherent risk tool based on current bank procedures while incorporating industry leading practices. The resulting review provided the bank with several design recommendations to enhance the overall oversight of its vendors from a consumer compliance and reputation risk perspective in addition to providing a stratification of vendors in scope of review based on the results of the tool developed.
  • Targeted Third-Party Assessments – Developed a review work program, oversaw the review of twenty-six (26) third-party vendors in accordance with OCC 2013-29 and FR 13-19 expectations, and provided subject matter expertise feedback to the applicable business line personnel and compliance staff where applicable. Developed recommendations based on the risks identified to ensure current gaps were remediated and ongoing oversight would be enhanced to ensure compliance with regulatory expectations moving forward. Lastly, our team helped develop tools and templates to be implemented across the enterprise to ensure enhancements were consistently applied across the organization.
  • Third-Party Regulatory Compliance – Managed the assessment of regulatory compliance requirements for third-party vendors for a top ten US bank, including identifying the applicable regulatory requirements for more than 250 vendors, and assisting the supplier managers in developing applicable controls to mitigate the associated risks.
  • Third-Party Remediation – Oversaw an independent validation of the actions taken by a bank’s vendor who was identified as not providing the full extent of the services advertised to its customers, including a validation of the customer base requiring refunds, testing the associated refund processes, and partnering with bank management to ensure the actions taken met the requirements of the regulators.
  • Foreclosure Lookback Review – Managed a team of 15 professionals as part of a special purpose foreclosure review project, focusing on loss mitigation requirements set forth by the OCC, private and public investors, and state requirements.
  • HMDA Quarterly LAR Testing – Developed a review protocol and oversaw a team of 15 professionals reviewing quarterly HMDA data for accuracy for a top ten US bank. The team focused on HMDA and HMDA+ data points for the institution, and our results were leveraged to develop enhanced operating definitions, improve first line processes and technology controls in the institution’s underwriting platforms, and implement second line testing capability in alignment with the new HMDA rules.
  • Mortgage and Home Equity Lookback Review
    • Led a 5-year lookback review (2010 – 2014) on originated mortgage and home equity loans for compliance with the following regulations: Home Owner’s Protection Act, Flood Disaster Protection Act, Equal Credit Opportunity Act, Fair Credit Reporting Act, Fair and Accurate Credit Transaction Act, Truth in Lending Act, and Gramm-Leach-Bliley Act. The purpose of the review was to proactively self-identify past issues and to help inform the Bank as they were implementing a new Loan Origination System (LOS). For this effort, Protiviti managed approximately 60 resources and reviewed approximately 7,300 loans.
    • Led a 4-year lookback review related to the Home Mortgage Disclosure Act (HMDA). Various Loan Application Register (LAR) fields were reviewed as part of a 4-year LAR re-filing effort (2011 – 2014). For this effort, Protiviti managed up to approximately 150 resources and reviewed approximately 100,000 application records (for various LAR fields).
    • For both reviews, Protiviti developed the resource model, team structure, overall project plan, production and error benchmarking and reporting, and standardized training. Protiviti also developed a customized review tool within SharePoint with automated reporting that was utilized for weekly standard status and trend reporting.

Areas of Expertise

  • Regulatory & Risk Consulting
  • Internal Audit Services
  • Third Party Management
  • Credit Risk and Loan Review
  • Asset Management and Trust
  • Regulatory Reporting

Industry Expertise

  • Banking
  • Asset Management

Education

  • M.B.A. – Global Management, Thunderbird School of Global Management
  • B.B.A. – Business Economics, University of North Dakota

Professional Memberships and Certifications

  • Certified Regulatory Compliance Manager (CRCM)
  • Member, Global Association of Risk Professionals (GARP)
  • Member, Association of Certified Anti-Money Laundering Specialists (ACAMS)