ComplianceOctober 01, 2019

Automating regulatory change: Tips for increasing your financial institution’s success

(As published by National Mortgage Professional Magazine, Oct. 2019)

Regulatory Change Management (“RCM”) has become one of the hottest of hot topics in the last few years for the financial services industry. Why? There are thousands of reasons in the form of new or changed laws, rules, and regulations. For example, in a recent 12-month period, U.S. federal banking, AML and state regulators released over 3,800 publications. Of those publications1, around 1,100 were related to new or changed laws, rules, or regulations. Not all 1,100 publications became law, but that is an incredible amount of material to monitor for potential impact.

This new regulatory reality is one of the primary reasons for the RegTech2 revolution. For most institutions, monitoring regulatory change manually is simply no longer an option and the search for an automation partner must be considered. There are many ways to approach this task, but it may help first to think about where financial institutions—and mortgage lenders in particular—are today relative to their regulators.

Based on years of my advising clients on regulatory compliance best practices in the banking industry, following are some basic conclusions:

  • Financial institutions in general are:
    • Becoming more complex in their products, services and distribution channels, exposing them to increased regulatory scrutiny;
    • Broadening their footprints outside the U.S., which requires compliance with foreign regulatory schemes;
    • Grappling with sometimes overlapping or inconsistent standards across multiple regulators;
    • Required to consider sometimes controversial regulatory hurdles when looking to innovate (think regulatory oversight of cannabis funding, or digital currencies);
    • Structuring their organizations using Bank or Financial Holding Companies, thereby creating new downstream regulatory requirements for certain subsidiaries.
  • Financial service industry regulators in general are:
    • Becoming more adept at understanding financial institutions’ risk exposure;
    • Enacting substantially more, new or amended regulations;
    • Requiring financial institutions to provide more and more data to document their compliance;
    • Expecting financial institutions to consider automation and the use of artificial intelligence technologies like machine learning, natural language processing and robotic process automation to increase efficiency and effectiveness, and to reduce the chances of human error;

Expecting financial institutions to fully vet and continuously review for risk the third parties on whom they rely, including those supplying RCM automation services.

So where does all this leave your organization in looking to automate its RCM process, and what steps can be taken to increase the chances of success? Before you begin vetting vendors in the automated RCM space, consider conducting a Request for Proposals (“RFP”) process.

An RFP process provides the opportunity to create a checklist of your organization’s needs that includes all the right stakeholders—and to compare vendor responses in a more efficient and effective way.

When undertaking an RFP process for an automated RCM provider, consider the following suggestions:

  1. Assign ownership of the RFP process centrally (e.g., to Compliance, Legal, or Procurement);
  2. Require engagement by representatives of all stakeholder areas such as Compliance, IT, Legal, Senior Leadership, and the business;
  3. Solicit stakeholder representatives to identify and/or provide:
    1. Pain points in the RCM process for their areas, and ideas on how automation may help to address them;
    2. Resources in their respective areas that would handle elements of a new automated process, including workflows and managing implementation; and
    3. Ratings (for internal use) of their requirements by importance (e.g., must have now, nice to have, and must have but can wait for a later phase of development).
  4. Determine what tools and systems you have today that may be leveraged in a new, automated RCM process, and ask RFP responders if their solution is compatible;
  5. Catalog what your financial institution has already done in support of an automated solution such as:
    1. Creation/maintenance of an inventory of laws;
    2. Creation/maintenance of a list of regulators, agencies, or other bodies whose standards are applied to your institution;
    3. Mapping of the inventory of laws to institution-specific departments, products, services, themes, distribution channels and/or other elements;
    4. Tagging or mapping of the inventory of laws to institution-specific risks and/or controls, policies, and procedures.
  6. Assess available metrics of where the institution’s regulatory burdens are now. Understand what regulatory content needs automated monitoring and which (if any) may continue as a manual process (e.g., if your institution is only following one or a few regulations from a regulatory body, consider manually tracking in lieu of buying access to the entire feed for that regulator);
  7. Understand and document the different stakeholder needs regarding current and potential RCM reporting requirements that an automated solution would need to address;
  8. Determine which vendors will be receiving the opportunity to respond to your proposal after conducting some preliminary vetting through:
    1. Peer group experiences;
    2. Industry association recommendations; and/or
    3. Research firm reporting.
  9. Be realistic. Do not expect third parties such as RCM automated solution providers to take on the supervisory or decision-making obligations for your organization (e.g., Does your solution tell us how a new regulation applies to our products and services?);
  10. Ensure RFP responders can supply any credentials, attestations or other requirements related to your third-party service providers’ oversight process.

Once you have taken steps such as those suggested above, development of the actual RFP should become a straightforward process. Through the RFP, a financial institution will be clearly articulating to participating vendors what it needs in the way of regulatory content, system operability and timing. Be aware that it is unlikely that your organization will find all that it needs through one vendor. However, the chances of meeting most of your financial institution’s RCM requirements should increase significantly using the RFP process.

Some of the key capabilities of leading RCM automated solutions today that your organization should be aware of during this process include:

  • Structured content that supplies a common view of all regulatory releases, regardless of jurisdiction, regulator, or release type (e.g., ANPR, Enacted Regulation, Enforcement Actions, Guidance, Speeches, etc.);
  • Dynamic linking of regulatory updates to authoritative source libraries within the solution;
  • Highly configurable features such as the ability to:
    • Assign updates automatically to certain people or departments;
    • Suppress or receive regulatory releases, while keeping the ability to recall them;
    • Create new reportable fields and/or rename existing fields;

    • Assign items to multiple workflows and to create template workflows;

    • Map updates to institution-specific themes, products, legal entities, services, policies, or other elements;

  • Tag the inventory of laws to financial institution-specific topics;

  • Robust, out-of-the-box reporting with the ability to create institution-specific reports using any data field.

Engaging the business and other stakeholders in the RFP process provides the added bonus of ownership throughout the organization, which should positively impact your implementation experience.

So, consider using an RFP process to find an RCM automated solution provider that is the best fit for your financial institution. It requires a little more work, but the rewards should far outweigh the extra investment of time.

One final note: Whether you decide to use an RFP is not as important as formalizing your RCM process in some way that is reasonable for your financial institution and meets applicable regulatory obligations3.

Good luck on your automation of regulatory change management journey!

1 Generic examples of regulatory body publications include enforcement actions, speeches, notices, guidance, advisories, manual updates and new or changed law, rule or regulation announcements.
2 RegTech refers to the use of innovative technology to manage regulatory obligations in the financial services industry.
3 E.g., In 2016 the FFIEC specifically incorporated an evaluation of an institution’s RCM process into the consumer compliance rating for federally regulated institutions. See the Uniform Interagency Consumer Compliance Rating System, 81 Fed. Reg. 79473, 79481 (November 14, 2016)  

Eaine Duffus
Senior Specialized Consultant
Elaine F. Duffus is a Senior Specialized Consultant with the Financial Services Compliance Program Management solutions team at Wolters Kluwer.