As published in ABA Bank Compliance magazine
Many complex systems can be better understood through the lens of Chaos Theory. This mathematical concept generally proposes that unpredictable or random events can result from seemingly normal circumstances, and small alterations in initial conditions can lead to consequences of a greater, unexpected magnitude. Given the number of regulatory frameworks, operational systems, and overall strategic initiatives in play at any given time at a financial institution, it is critical to identify, track and validate regulatory change to try to mitigate risk and minimize any unexpected occurrences. A Regulatory Change Management Program is critical to create predictable order out of chaos.
Post Dodd-Frank and the financial crisis of 2008, change seemed to be a constant in compliance with new and expansive regulatory activity. With the current administration, many perceive that regulatory roll-back means that the overall compliance effort is somehow reduced. However, any regulatory or business change for financial institutions, either expanding or pulling back, are changes that need to be proactively managed. Therefore, it is important to communicate to executive management that regulatory “relief” creates change, and small errors in properly identifying the scope of the change initially, such as what is or is not actually changed, may result in potential unexpected consequences of significant magnitude in the future.
Perhaps unsurprisingly, the most difficult task of regulatory change management is that of identifying changes that in some way impact your particular financial institution (FI). There is the risk that there are nuances to regulatory change that could be overlooked or not anticipated by any technology solutions that some banks—particularly larger ones—might rely upon. And generally, institutions of all sizes must compile an inventory of upcoming regulatory changes manually. The challenge, for both large and small institutions alike, is to ensure that all applicable regulatory changes that could potentially impact the FI, are identified and tracked. Changes at the federal level are often more high profile, and thus, tend to be more readily identified. Additional regulatory changes may be found at both the state and municipal level. Institutions may want to consider maintaining an electronic inventory of all regulations, including federal, state, and local, along with their applicability to the institution.
If identifying and tracking regulatory change is a manual process, an institution may want to consider utilizing web alerts to remain apprised of upcoming changes. Federal regulatory agencies allow email alerts via their web sites. Many states offer similar functionality. Additionally, compliance officers can set web alerts via a search engine, such as Google. This would allow an institution to receive an email alert whenever a certain key term, such as TRID or HMDA, shows up in a web posting. Those with regulatory change management solutions should verify that they are receiving all applicable content via their system. Federal regulations are often standard in such systems, but state and municipal content may not be.
Whatever the source of the regulatory change, it is critical to identify the full scope of the impact of any regulatory change on your particular institution. Your FI consists of a unique interplay of systems and controls which constitute part of your Compliance Management System framework. In an era of regulatory pull-back, dismantling a key control for a regulation that no longer applies may dismantle a key control for regulations that also rely upon that control for risk mitigation. Therefore, include all relevant perspectives in your impact analysis, such as from Compliance, Legal, Risk and Human Resources. You need to be concerned about any changes you are making today, no matter how small or seemingly inconsequential. Anything that you are turning off today may have major unforeseen consequences in the future.
Whether change is externally driven, in the form of regulatory change, or internally driven, in the form of a business change, there are logistical considerations. Initially, any Regulatory Change Management Program should include an organized system (automated or manual) to be used as an inventory of applicable regulations, and for tracking any change status. Specifically, with regulatory change, there should be an understanding of whether changes are in a “final” rule status, and the expected effective date. Regulatory changes subject to additional modification or interpretation will need to be monitored and then reassessed in the context of the initial analysis and associated assumptions. Also consider adding additional information relating to any dependencies, such as third-party vendor timelines for software updates.
While not an exhaustive list, here are some data points to consider when tracking regulatory change:
- Applicable regulation
- Area of responsibility
- Status (i.e., proposed, in process, testing, complete)
- Timing, such as implementation deadlines and effective date
- Detailed Project Management, including designated milestones
- Potential customer impact
- Potential impact on systems and controls
Validating change is often overlooked, but it is a critical part of a successful change management program. It is risky to assume that change has been implemented properly, and proactive validation can help to avoid spending more time on corrections and potential remediation in the future.
At a minimum, use test environments and then immediately test live output. For example, changes made to the Loan Origination System (LOS) or other core systems should be validated in a “test” environment prior to full implementation. Next, validate all permutations of system changes, such as various calculations or loan disclosures, upon implementation. Thereafter, apply enhanced quality control (QC) process for a period of time after implementation, and monitor complaint data closely as an indicator that system changes are working as intended.
Chaos stresses systems—and most people. Rapidly advancing technology and a steady stream of change in the regulatory landscape can make it seem like chaos is inevitable. Proactive planning with structured systems and processes as part of a Regulatory Change Management Program can help to create order. And while you can’t get rid of chaos, you can at least drive more predictable results going forward.