Abstract concentric light ring orbits
ComplianceAugust 18, 2022

Reg Change and Bob Dylan: You don’t need a weatherman to know which way the wind blows

(As published in ABA Bank Compliance magazine)

As a compliance professional of a certain age, this familiar line from Bob Dylan’s hit song, Subterranean Homesick Blues, really speaks to me about where we are inexorably headed when it comes to Compliance Program Management (“CPM”) in general, and Regulatory Change Management (“RCM”) in particular, within the financial services industry.

First, an interesting personal tidbit about that song.  I can recite every verse—but I have trouble recalling what I had for breakfast this morning.  Be that as it may, here is the connection.  You have seen and heard in publications, speeches, and actions by banking industry regulators that financial institutions are expected to mature their CPM processes using artificial intelligence and automation, especially as they grow in size and scope. 

That is where the wind is blowing.  And emerging risks related to Environmental, Social and Governance (ESG) issues, the digitalization of everything, cryptocurrencies, third-party oversight, and others beg the question of whether your compliance staff will be able to keep your institution up-to-date with all that may apply to your products, services, locations, and customers.

For example, a financial institution is no longer going to be easily forgiven for spending lavishly on improvements to customer-facing apps while their compliance department relies on using spreadsheets, free apps, and emails to ensure the institution is properly protecting those same customers and the institution itself.

But where to focus first?  In my experience, RCM.  Identifying and maintaining a library of laws, rules, regulations, standards, guidance, and internal obligations that apply to your business model is of primary importance.  Why?  Because all the other elements of your Compliance Program should be mapped to and driven by them.  If you have made those critical connections, when a reg change event occurs, you will know immediately where and how it might affect your institution.

The goal then, especially if your institution is growing in size and scope, is to persuasively inform the people controlling the purse strings at your institution of the risk, inefficiency, and cost of your current manual processes to manage regulatory change versus automation.  This is especially true if your institution is subject to various state obligations, as it is getting more challenging to keep up with the fast-moving, complex regulatory activity at the state level, including from state mini-CFPBs.

What are the risks?  The primary risk would be failing to address an applicable regulatory compliance obligation—particularly one that negatively impacts your customers.

And what are some of the inefficiencies and potential costs related to manual regulatory change processing that your Board or Compliance Committee should know about to help you get the funding or other resources you need for automation?  As it turns out, there are several, and quantifying the problem is fairly simple.

  • Manual processing of regulatory change makes ineffective use of your most skilled personnel.  That is a real risk today, as experienced compliance personnel are in high demand, and there are greater strains on limited resources.
    • The manual gathering of potentially applicable regulatory change events, guidance and other important releases for your institution using webscraping, RSS feeds and email pushes from law firms, regulatory bodies, industry associations and others cannot continue to keep up with the quantity of releases that your institution is subjected to and needs to be aware of today. This is true especially as it grows in size and scope, and if it is subject to state obligations.

      If you want to better quantify your exposure to regulatory change risk, simply visit the websites of the regulators, agencies, and others you rely on for regulatory change events and horizon scanning and count the number of releases over the previous quarter.  That means counting not just the regulatory change events, but the guidance, litigation releases, speeches, enforcement actions, exam manual changes, interpretive letters, press releases and many other developments that your institution needs to be aware of and that your compliance staff review today. That will be an eye-opening metric when compared to your resources.

    • Think about the human resources you have processing regulatory changes at your institution today.  What will happen to the process when those resources retire or otherwise move on, and are replaced by compliance professionals who are more accustomed to leveraging and integrating technology solutions?  Is the process efficient and easily transferred to new employees?

  • Use of spreadsheets can cause myriad, potentially costly problems that automation solves, especially as your institution grows in size and scope. Consider these challenges:
    • Version control for tracking when changes occurred.
    • Access control to identify who made changes.
    • Formula or human errors that may go undetected.
    • No ability to associate related regulatory releases.
    • No connection to your Regulatory Library.
    • Limited reporting capabilities; and
    • Complicated workflows—which means:
      • Need for a central repository of assignments related to a regulatory change event.
      • Need for documentation for the future about who was informed of and/or worked on a regulatory change event; and
      • Need for robust data to generate reporting for regulatory change-related activities and milestones.
  • Automation of RCM will never replace the mind of trusted, experienced, issue-spotting compliance personnel.  However, it can significantly reduce workload and allow compliance professionals to concentrate on the more essential elements of their position by:
    • Gathering applicable regulatory intelligence releases from federal and state sources into one central location.
    • Separating those releases into actionable or informative categories.
    • Connecting those releases to policies, procedures, products, services, risks, controls, testing and other elements of your Compliance Program—if you have taken the time to map the applicable citations in your Regulatory Library when you implemented your automated solution (highly recommended!). 

So where does one start when choosing an automated RCM solution? In my experience, the best path forward is first to research. Speak to peers and review industry ratings of the established RCM content providers. Engage procurement. Be realistic about what you want or need automation to do. For example, if you want to receive releases in a timely manner, they may not be curated, or may just be summarized by the issuing body. So, determine what features are most important to your institution.

When creating your criteria for RCM automation, strongly consider:

  • Requiring flexible technology for the regulatory content data feed—as your institution may change GRC (governance, risk management and compliance) platforms;
  • The depth and breadth of the coverage you need—particularly if you are now or may become a global institution;
  • Requiring that solution providers exhibit their commitment to growing their content—so as your institution’s regulatory scheme changes through new products, services, or acquisitions, new regulatory bodies can be added; and
  • Ensuring that as part of the implementation process, all who need to be trained are trained, including leaders and business team members who may be accessing the solution.

Remember that automation will only take you so far—for example, most  solution providers will not write your obligations related to a regulatory change or  be able to map elements of your Compliance Program to your Regulatory Library. While all that work can be done on most technology platforms, it typically requires the institution itself, or additional consultants, to provide the connections that will be made during the implementation of an automation process. That is where the spreadsheet records you use today will come into play—they will not go to waste, and they will likely form the basis of your automated solution.

Include your vendor procurement group early in the process to perform due diligence so that there are no surprises later regarding your institution’s third-party service provider requirements.  Also, consider a Request for Information and/or Request for Proposal process where you can clearly state what you want in your RCM automated solution and weed out any providers that do not measure up.

A word of caution though: even where an institution’s RCM process is automated, you may have the firehose problem— if the content coming into the automated process is not properly configured, to wade through the irrelevant content can consume your expert compliance resources as much as the manual processes.  Keep that issue in mind as you venture down the road to automation.  Ensure that automated solutions you may be considering provide you with the means to help control the firehose.

And finally, ensure you understand how any automated solution you are considering works, including its use of artificial intelligence and whether it is augmented by human experts in any way.  You may need to explain how it works, at least generally, to your Board, Compliance Committee, regulators, or others.

Knowing which way the winds of regulatory change are blowing is only part of the solution in addressing the onslaught. Take action now to include emerging technology augmented by human expertise to bolster your regulatory change management program and avoid finding yourself—as Bob Dylan says, “…on your own, with no direction home.”

Best wishes on your continuing regulatory change management journey!

Eaine Duffus
Senior Specialized Consultant
Elaine F. Duffus is a Senior Specialized Consultant with the Financial Services Compliance Program Management solutions team at Wolters Kluwer. 
Back To Top