(Published in ABA Banking Journal, July 8, 2021)
Are we all ready to move forward? Following a year where COVID-related developments disrupted traditional banking practices, bank compliance officers are looking at establishing a new normal as they navigate continued regulatory change in a world of evolving customer behaviors, rising fintech competition, and shifting regulatory priorities signaled by the new Administration. What can you do now that will have the most positive impact on your bank without breaking it?
Consider the judicious use of artificial intelligence to automate key elements of your Compliance Program Management (CPM) processes. CPM is an integral part of your bank’s DNA. It drives decisions about what products and services your bank offers; who they offer them to; where they can offer them, and how they want to deliver them. The problem? Traditional approaches to CPM no longer meet the expanded obligations that regulators require; nor do they provide the level of insight and transparency that stakeholders demand today.
These antiquated processes, such as the over-reliance on spreadsheets, manual gathering of regulatory updates, lack of connections between CPM elements (e.g., mapping policies, procedures, training, risks, controls, testing, products and services to address your regulatory obligations) and reporting capabilities, are being stretched to the breaking point to keep up. As a result, banks are under increasing pressure to adapt to a new banking paradigm that demands agility.
The question is, which CPM process improvements would provide the most bang for your budgetary buck? According to the 2020 Regulatory & Risk Management Indicator survey conducted by Wolters Kluwer, 54 percent of the 665 U.S. banking respondents expressed they were “concerned” or “very concerned” with their bank’s ability to keep track of new and changing laws, rules and regulations.
Every element of the CPM ties back to your regulatory library (e.g., policies and procedures, regulatory change, risk assessments, monitoring and testing). If your regulatory library is not kept current and used to drive changes to all the other elements of your CPM, it quickly becomes outdated or worse, it can become a source of harm to your customers.
That’s where the most bang is—the automation of your regulatory change process. Automation provides the compliance team with the technology, the content, and the ability to holistically and collaboratively analyze regulatory changes and their potential impact. The good news is that pursuing automation of one’s regulatory change management process can help you successfully weather the myriad changes we have come to expect from regulators, and help your bank establish a more sustainable, scalable, and defensible compliance program.
Your regulatory library—The backbone of your compliance program
Every banking organization has one thing in common—the need to look across their organization and tie regulatory compliance-related activities back to their regulatory library, which is kept up to date by their regulatory change management process.
A successful CPM process begins with a comprehensive regulatory library containing an up-to-date listing of the laws, rules, and regulations that your bank must comply with. And in an increasingly global economy, this might mean maintaining your library for jurisdictions outside of the United States. Further, the regulatory library may relate to just your banking institution, or it may cover multiple affiliated legal entities if you’re approaching CPM from an enterprise-wide perspective. Regardless of its scope, the library will quickly grow stale if not kept current by an automated, connected and robust regulatory change management process.
Think about the regulatory change management process at your bank today. Is it properly connected to the rest of your compliance program processes so that when a new law, rule, or regulation is released, you can readily see its potential impact on your regulatory library, policies, risks, controls, and testing? A big part of the goal when automating your regulatory change management process is to help ensure that your program includes these critical connections that are simply not possible using spreadsheets or other manual processes.
Automation is key—Look for judiciously applied AI, validated by human experts
According to the Wolters Kluwer’s 2020 Indicator banking survey, of the top obstacles cited in implementing an effective compliance program, 46 percent of respondents ranked manual compliance processes as a “7” or higher concern on a 10-point scale. So whether you are just getting started on the path to automation, or your resources are approved and you are contemplating the next steps, you will get to where you need to be faster with some preparation and planning.
For those beginning the process, the best starting place is quantifying the risks presented by manual regulatory change management and other compliance program elements. The goal is to ensure that your decision makers understand the critical roles that regulatory change management and the regulatory library play in your overall CPM process (hint: they are the linchpins!). Share with them how regulators are also adopting technology solutions, including artificial intelligence (AI), and are encouraging supervised institutions to do the same. Consider formally presenting your request for resources to automate at a meeting of the board or compliance committee. Regulators often review such meeting minutes when conducting bank examinations, which the board and compliance committee are well-aware of, so taking this route to obtain resources may give your request more traction—and credibility.
Consider, too, the way in which automated solutions apply AI to the regulatory change management processes. While the use of AI these days is almost a given, be sure to ask what is done with the machine-derived results. Best practice would be to consider a solution that includes a human-expert validation step. There are far too many nuances in regulatory compliance change events to leave it entirely to the machines.
You’re automating! What now? The critical, the necessary and the nice-to-haves
You have your funding! Now what? First, a little level-setting. A “regulatory body” is a broad term that refers not only to actual regulators, but also to those lawmakers, industry associations, exchanges, self-regulatory bodies, and agencies that provide guidance and other important information that helps frame your compliance program and horizon-scanning efforts. Determine which regulatory bodies your bank needs to monitor, as well as all of the jurisdictions and releases from those regulatory bodies that are in scope for your bank (e.g., the Federal Reserve’s Supervision & Regulation letters, rule filings, enforcement actions, speeches, etc.). Most automated regulatory change management solutions provide their content subscriptions by regulatory body, so it is essential to keep a good list.
Returning to data from Wolters Kluwer’s 2020 Indicator survey, about 30 percent of the total, financial services-related regulatory releases issued between August 2019 to July 2020 related to regulatory change, averaging approximately 24 releases per week. In 2020, COVID-19 pandemic-related regulatory releases added another eight releases each week for a 32 percent increase. Consider, too, that if one’s banking footprint includes non-U.S. jurisdictions, these numbers would be significantly higher.
While this information may not be very surprising, managing the full scope of regulatory change relevant to your bank is unsustainable if you don’t have a solid regulatory change management process in place.
Whether your CPM process is manual or automated, consider identifying and stratifying the regulatory bodies you monitor into the critical, the necessary, and the nice-to-haves. For example, a critical regulatory body for a U.S. bank would be its primary regulator, whereas a necessary regulatory body might be the FFIEC, and a nice-to-have might be something like the PCI Security Standards Council. Also, be aware of the number of releases issued by each of the regulatory bodies on your list. You don’t want to pay to subscribe to content from a regulatory body that only releases two to three items per year. There are less expensive ways to manage those infrequent releases, like manual entry of them into your automated solution.
Keeping it relevant—Turn off the fire hose
A word of caution. Even when your regulatory change management process is automated, if the content coming into that automated process is not properly configured, your expert compliance resources may take just as much time as a manual process to wade through all the irrelevant content. Keep that consideration in mind when venturing down the road to automation. Ensure that the automated solutions under consideration provide the means to help control the fire hose of regulatory changes
The welcome news here is that all the apparent problems with using spreadsheets or other manual processes for establishing solid CPM, including one’s regulatory library and regulatory change management processes, are addressed through automation. Any service provider worth their salt will train your personnel to make the best use of their content and technology to focus or further refine your compliance program.