Compliance | February 27, 2023

Wolters Kluwer's Regulatory and Risk Management Indicator survey outlook

(As published in "The Secured Lender")

TSL Express’ senior editor sat down with Tim Burniston, senior advisor, Regulatory Strategy for Wolters Kluwer Compliance Solutions to discuss the results of Wolters Kluwer’s Regulatory & Risk Management Indicator Survey. Burniston advises the Wolters Kluwer Governance, Risk, and Compliance executive leadership team and clients on emerging issues, legislative and regulatory developments, and regulatory strategy.

Now in its tenth year, the Indicator “takes the pulse” of the U.S. banking industry and is based on 10 different compliance, regulatory environment and risk management factors. The Regulatory & Risk Management Indicator Survey was conducted between July 27 and September 9, 2022, and received 328 responses. Survey respondents are primarily from smaller banks, savings and loan institutions and credit unions. Keeping pace with the volume, scope and breadth of regulatory changes topped the list of key concerns facing U.S. banks, credit unions, and other lenders.

TSL: The overall Main Indicator Score dropped 34 points to 94 in your 2022 survey, after several years of rising (95 in 2019; 103 in 2020 and 128 in 2021). What does this mean? Was there something that caused this decline?

Burniston: Since the Indicator score is a composite of scores derived from 10 different factors, they're weighted in different ways. We noticed the 2022 score was where it was before the pandemic, during which we had two years of high scores over 100. In 2020 and 2021, we noticed an increase in the volume of regulation, a lot of policy statements from the agencies because of the pandemic, guidance from the regulators on different programs, and new rules from the SBA on PPP lending. We also saw some fines and penalties increase and institutions experiencing challenges managing risk across the enterprise during that period.

The main driver for the decrease in 2022 is a reduction in the number of formal enforcement actions and the overall dollar amount of penalties and fines that were imposed as a result of those enforcement actions. The number and the dollar amount of actions and penalties are two of the ten factors that go into the score. We also saw that other factors that make up the main indicator score were generally consistent with 2021 results, or some had some notable increases as well.

Although the overall score dropped, there's still considerable concern about the regulatory environment in 2023, especially when you consider all those factors, such as the economy and forthcoming new regulations. 

TSL: It seemed like small business loan data collection (Sec. 1071) and concerns over banks’ ability to comply were top concerns. 

(Editor's Note: Please see SFNet's January 24 announcement: SFNet Learns the Final Regulations Pertaining to CFPB Section 1071 of Dodd-Frank, Could Prove to be Unduly Burdensome)

Burniston:  This is new ground for many institutions and the proposal issued by the CFPB suggested to the industry that this will present not only an implementation challenge, but an analytical challenge. 

There are a lot of unknowns here – reporting threshold levels, the data elements that need to be reported, the implementation time period – some of which will be answered when the final rule is issued. 

Having those answers will help, but the challenge of implementation is still high. The analytical work needed to understand the data is new ground as well, and the analytical models aren’t in place. Operationalizing these rules in whatever time period the CFPB gives the industry will be challenging.

TSL: What would you say are the key takeaways from this risk Indicator survey?

Burniston:  Tracking and keeping current with regulatory change came up as a major theme, as well as proving compliance to regulators and being able to show regulators you have appropriate systems, procedures, and policies in place to stay on top of risk and compliance issues. Actual compliance with regulatory requirements is another area of considerable concern, along with different issues with compliance management and managing compliance through a bank’s or a financial institution’s programs.

As mentioned earlier, the number of new regulations to absorb, implement and manage on an ongoing basis was another area of concern. We also saw respondents were giving considerable attention to interest rate increases, inflation, the possibility of recession, ransomware, tax and their enterprise business risk planning.

TSL: Are there any results that surprised you this year?

Burniston: I'll start with what I didn't see that surprised me. I had expected to see more of our respondents say that they were experiencing more regulatory scrutiny on fair lending examinations, and we didn't see that. We did have 16 percent of respondents indicate more scrutiny, and that was higher than 2021’s number. I expected to see more because the regulatory focus on fair lending is high.  We'll have to keep watching that one for 2023.

I expected to see more concern about risk management. We had a total of 50 percent of respondents raising some level of concern about it. That number will probably go up.

Another surprise was the score increase for managing risks across business lines. That was our highest number, 59 percent, in the last four years. To put that into perspective, when we began the survey in 2012, that number was close to 70 percent and had come down and now it popped back up again.

One of the other areas where we saw a big change was in third-party risk management going from 15 percent in 2021 to 26 percent in 2022.  These results reflect the growth of partnerships and regulatory attention to the management of third-party relationships.

All the numbers for everything we asked about in terms of increases in compliance management system investments were up from 2021 numbers. Those included investments in strengthening risk management, updating policies and procedures, and managing regulatory content.

The business environmental factors, such as interest rate increases, inflation, and a possible recession, are all weighing heavily on the respondents right now. Lastly, we saw 73 percent of our respondents indicate that they thought a reduction in overall regulatory burden was either somewhat or very unlikely over the next two years.

TSL: Did many of 2021’s noteworthy banking regulation and compliance trends continue into 2022? One area you mentioned in last year’s interview was you expected climate risk management concerns to increase into 2022 but it looked like that came out lower, compared to interest rates, recession and ransomware. Did this surprise you?

Burniston:  It did surprise me. I had expected that number would be a little higher in 2022. At the end of 2021 there was a lot of regulatory activity and announcements about regulators looking at this issue. Once there's more clarity from them on the topic, we may see the level of concern rise for next year.

One thing to think about is there's still 50 percent of our respondents indicating that they were giving it at least some or a significant level of attention in their planning efforts. When you look at the distribution of the survey responses, there’s a lot of smaller institutions, and the fact that it is 50 percent is kind of remarkable. But we are seeing that regulators are looking more closely at the issues and working on setting clear expectations for managing climate-related financial risk.

TSL: How can asset-based lenders and factors not only secure their own systems and networks, but ensure that their clients are doing the same?  What would you say that they need to be aware of now in 2023?

Burniston: Cybersecurity has been at the top of the list of concerns raised by the survey respondents. A recent FinCEN report that covered 2021 showed that there was roughly $1.2 billion in ransomware payments that year, which was triple the amount from the previous year. I can offer some perspectives from the standpoint of what the regulators are looking for: risk and vulnerability assessments across the enterprise, reporting systems and investments in talent. I’d also reinforce the importance of establishing clear accountability and responsibilities between an IT function, a chief information officer function, and the chief risk officer function so that everybody understands their role. Finally, review, update, and test incident response and business continuity plans.

The Federal Financial Institutions Examination Council (FFIEC) issued an update to the FFIEC Cybersecurity Resource Guide for Financial Institutions in Fall 2022. The 2022 guide lists voluntary programs and actionable initiatives that are designed for or are available to help financial institutions meet their security control objectives and prepare to respond to cyber incidents.

TSL: Most survey respondents reported change management as their organization’s most pressing regulatory compliance challenge over the next 12 months. Can you share more on this trend?

Burniston: It tells us that the ability to absorb the breadth and volume of regulatory change is overwhelming and a formidable challenge no matter what kinds of resources you have available in an institution. The lesson to take away from that is regulatory change doesn't discriminate.

It does raise the question, though, about whether something like differential regulation, where you have different kinds of requirements in place for different types and sizes of institutions, makes sense. But in a lot of cases, these requirements involve consumer protection matters and rights, where consumers should be equally protected whether they're working with a smaller organization or a larger one. So, it shouldn't matter who you're doing business with.

A complicating factor is the part of the implementation process that involves operationalizing regulatory changes. A further complication is that we're in a challenging economic environment.

The other thing that I took away from it is an observation suggesting that institutions are feeling pressure from regulators to ensure that their change management programs are really solid and fully functional.

But I believe you also must consider the several significant regulatory initiatives that are underway right now. One is CRA regulatory modernization, where we're expecting a final rule from the bank regulators as early as the first quarter of 2023. Another is the small business lending data collection requirements that the CFPB will be issuing as a final rule between now and the end of this March. We saw that the respondents are anticipating a lot of challenges arising from implementing this type of regulatory change across the enterprise.

The CRA rule changes and the small business lending data collection regulations could hit at roughly the same time and have an implementation path that's in tandem. Both are very complicated. They are going to require a consolidated effort across an institution to implement. 

These have been on the horizon for several years, but they're getting close now to being finalized for banks. The CRA changes are going to affect all of them in some way, whether that is a new evaluations methodology, new things to learn, new data to collect, new exam processes to adjust to and new approaches for working with consumers or communities and partners. The small business lending data collection rules have to sync with the CRA rules so that you don't end up with dual reporting and complications.

With small business lending data collection there is also concern with the implementation of getting systems ready to collect that information and report it, and once you have this information, how to analyze it. I think that's what may be driving much of the concern about regulatory change.

TSL: What can banks do to overcome the top obstacles reported in the Indicator?

Burniston:  The top three obstacles that survey respondents mentioned about maintaining and implementing an effective compliance program were manual processes, inadequate staffing and too many competing business priorities. The regulatory environment today is too complex to manage compliance without the help of technology or automated processes. Spreadsheets alone don't work. Scores about manual processes jumped this year to 54 percent from 45 last year. Manual processes lead to errors, inconsistencies and disconnects across the three lines of defense. 

Inadequate staffing saw an increase to 44% from 2021’s 41% score, which could reflect the impacts of the so-called great resignation, specifically and, more broadly, banks’ ability to attract and retain good talent. Working from home practices could also be contributing in some way. In looking down the road and anticipating the future, compliance officers see a lot to do, and that could suggest to them that their staffing is inadequate to handle future workload.

We see more risk and compliance management employees having to take on more than one role or work outside their areas of comfort and learn new things to help their organizations, placing additional stress on them.

Deployment of technology can help overcome that. Regulators are expecting it, especially in an environment where banks are under remote supervision.  Enterprise-wide risk management programs and fully functioning compliance management systems integrated with the three lines of defense – and making solid business cases for more team members early – are key. Start talking now, particularly when you know what’s coming.

Also important is having a solid regulatory change management program that has an accurate, up-to-date library of regulatory requirements and maps those requirements to not only risk assessments but also to the products and the people who are responsible to manage those efforts and how they all tie together.

TSL: What themes from the survey in recent years do you expect to carry over into 2023 and what are some new areas of concern?

Burniston: Most, if not all, of the other things I mentioned in 2021 carry over into 2023 in varying degrees. For example, although things are much better than they were in 2020, the effects of the pandemic are not entirely gone, and there are still risks that need to be managed. Regulators are looking at the pandemic issues as an area of examination focus, especially matters such as PPP fraud and various consumer protections and how they were implemented.

Because of what we experienced during the pandemic, business and operational resiliency remains something that the regulators are prioritizing. Fair lending and consumer protection has only ramped up even more and it will continue to ramp up this year and next. There has been a continued acceleration of digitizing the lending process and that trend will continue to progress.

The increase in government supervision at the federal and state levels that we saw last year will continue and a re-invigorated CFPB will continue to have a significant impact.  

Climate-related financial risk is rising as a supervisory issue that regulators are sorting out now and we will see more guidance and clarity regarding risk management expectations.  We also expect to see new rules regarding ESG reporting.  Competitiveness is always an issue, and we see the prudential regulators are actively looking at issues associated with the bank merger application process.

We’ll probably see others carry into 2023 that weren’t on my list last year that relate to cryptocurrency-related supervision. Economic conditions will play a large role in how institutions manage their business.  The consequences of noncompliance and concerns about Community Reinvestment Act regulations will be some others that I believe will show a higher score in our 2023 survey.
