Podcast Listener
Regelefterlevnad2020-09-10 00:00:00

Episode 8: Regulatory change management: Navigating the pandemic, politics, and policy

Banking Compliance Insights is a podcast series created to deliver insights on compliance trends and provide strategies for navigating today’s regulatory and risk environments.


Episode 8 titled, “Regulatory Change Management: Navigating the Pandemic, Politics, and Policy,” focuses on how to approach your regulatory change management process, whether automated or manual. Our experts also address the challenges financial institutions are facing as they keep pace with regulatory change during the COVID-19 pandemic.

Our experts, Wolters Kluwer® Vice President, Banking Compliance Solutions, Samir Agarwal and Elaine F. Duffus, a Senior Specialized Consultant, discuss strategies and resources to help manage the onslaught of federal and state regulations to ensure your institution remains informed and compliant with emerging standards.

Podcast solution spotlights:

Transcript: 

Greg Corombos, News Director at Radio America  00:06
Hi, I'm Greg Corombos. Welcome to Banking Compliance Insights, a podcast series from Wolters Kluwer. This series was created to deliver insights on compliance trends and strategies for navigating today's regulatory and risk environments. Today's episode, “Regulatory Change Management, Navigating the Pandemic, Politics and Policy,” will focus on ideas about how to approach your regulatory change management process, whether your process is automated or manual. Here to lead our discussion on this subject is Wolters Kluwer Vice President of Banking Compliance Solutions, Samir Agarwal. He is joined today by Elaine F. Duffus, a Senior Specialized Consultant with Wolters Kluwer, to provide expert insights on these challenges. Samir, let me pass the conversation over to you.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  00:54
Thank you, Greg. Today's topic is regulatory change management, or as some of you refer to it, RCM. Several new consumer-oriented regulations have been put in place to address economic issues. We're going to focus on them today and revisit the fundamentals for monitoring regulatory change. Today, we've invited Elaine Duffus, a Senior Specialized Consultant with Wolters Kluwer, to share ideas on how to approach regulatory change management in process and operation, whether your process is automated or manual. What we intend to do is help listeners identify and quantify how their institutions will manage regulatory change management during this period of time. Elaine, welcome. Tell us a little bit about what you do for Wolters Kluwer and how critical it is for the clients that you have?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  01:46
Thanks, Samir. I appreciate it. Thanks for having me here today. My role within Wolters Kluwer is to provide regulatory content support within our financial services compliance solutions. What that means is that I work with our customers to understand their business model and their regulatory content needs. Developing a list of regulatory bodies for them to monitor using our library and regulatory updates data feed. This data feed is then ingested for workflow purposes into our OneSumX proprietary software or into a third-party platform, such as our partner providers, RSA Archer or IBM Open Pages, or another platform capable of ingesting an XML feed. Having a solid RCM process is more critical now than ever. I've been in the compliance function of the financial services industry for many years and have never witnessed an era of such rapid regulatory change. It didn't start with the pandemic, but the pandemic-related changes in guidance have substantially added to the burden.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  02:46
How important is today's regulatory change management process in the overall compliance program at institutions?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  02:54
Well, Samir, it's really the linchpin. At its core, an RCM process must have a regulatory library, which contains the laws, rules, and regulations that apply to that institution's business model—considering elements such as their products, services, locations, and customer types. At Wolters Kluwer, years of market research within the financial services community revealed that there are seven primary elements to a sustainable, scalable, and defensible compliance program. Starting with that library, the RCM process, compliance and ethics governance, risk and controls assessments, compliance testing, complaint management, and examine inquiry management. Financial institutions need the ability to analyze, interpret, and address their regulatory compliance obligations related to all these elements. We call these elements the Seven Pillars of CPM, and each pillar is important. But all should map back to the firm's regulatory library and their RCM process to provide a complete picture of their program.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  03:57
Let's say we're just starting out. We're a small company that has now gone into a larger phase. And now regulations are getting a little bit stricter with frequency and with how many that we have. How do we start? Is it something that we can do with a manual process and a check sheet? How many different flavors are there to really have effective regulatory change management?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  04:18
The process has to be owned by the whole organization. This can't be something that's just accomplished by the compliance or legal department, for example. If you don't have a formal RCM process, or you simply want to explore improvements to your current process, start by getting a representative at the table from each area that has a role in regulatory change at your institution—for example, legal, audit, risk, senior leadership and other areas of the business.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  04:47
So, checkbox number one is to make sure that the compliance and regulatory change management tower stands on its own?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  04:55
Absolutely. Then once you have all those people together, you want to explore the needs of all those stakeholders that are involved in the process of identifying and implementing regulatory change. This helps support ownership within the organization and considers more than just the needs of the compliance or legal department. Developing this holistic view of what your RCM process should be helps the institution hone in on, for example, what jurisdictions and regulators do we really need to monitor, which bodies of law or regulation? You can distinguish them by what you must know versus what your organization may need to know, or would be nice to know, versus what may have no or minimal impact on your institution. You want to determine when and why other parts of the organization will be brought into the process.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  05:44
That's huge, right? That's a really big task to have. How do you start taking an assessment? What's the first step that somebody does to say, "Okay, I need to have this role? I accept it, and understand why, and now I need to understand what policies I need to build."
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  06:02
In a perfect world, and you know, no RCM process starts out with that. I think you're probably referring to the business leadership and people in the business, maybe the second line of defense people. It would be to really see that and help you build. Here's the regulation that we must comply with and here are the obligations related to that regulation. And here are the policies, procedures and controls that we have in place to manage that risk related to that in order to protect our customers, our shareholders, and our institution.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  06:41
Let's talk about this in the manual form. What happens? And are there any risks?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  06:47
I think the most obvious risk of a manual regulatory change process is missing an update that applies to your institution—particularly one that may result in customer harm if it's not implemented. Another common risk of a manual process is the maintenance of your historical record, especially if you have had a change in personnel that handled the process. Pulling together emails, spreadsheets, and meeting notes or other indicia of a decision for a regulator, or worse in response to some formal inquiry, is not a position any institution wants to find itself in. As for what can happen if an institution can't recreate a decision or produce evidence that an obligation is being complied with, there's a number of outcomes, and depending on the severity of the item, none of them are good. MRAs or Matters Requiring Attention, MRI as Matters Requiring Immediate Attention, Civil Money Penalties, Cease and Desist Orders, and Written Agreements are a few of the ways in which regulators can respond to such a deficiency.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  07:54
Have they been responding in that way recently? Or has there been a bit more leniency with institutions today?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  08:02
It's been my experience, and the experience of some of our customers that are shared with us, I would say it depends on the significance of the item. Obviously, as I mentioned earlier, things that may result in consumer or customer harm are really probably the most important to keep an eye on. Good examples right now are things that may come as a pandemic-related release, some guidance is shared that maybe your institution doesn't even consider, and later on, a regulator wants to know why. Maybe you wouldn't be sanctioned for that, but it's really not worth the risk, honestly. And again, it would depend on the severity of what was missed.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  08:07
If there is leniency, it's short term, and you need to be whole no matter what. Keep paying attention to this area and this risk management. Let's talk about on the automated side of it—the same kind of questions. But let's first go through and understand what's an automated regulatory change management practice looks like?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  09:05
When automated RCM processes are in place, the institution simply has a lot more control. The regulatory library and related updates are all in one place. And their upkeep doesn't depend on whether someone had the time to go out and find the applicable material to your institution. As far as the risks associated with an automated process, one risk is overreach, where an institution has subscribed to every conceivable regulatory body and agency instead of concentrating their resources on their primary regulators, resulting in a lot of irrelevant content coming through their data feed that someone would still need to review for applicability.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  09:52
There has to be a balance, right? I was going to ask you if there needs to be human review, with smart tools, to really have complete management. Give me a feeling or an inkling of how does that occur? Once you know that you're in regulatory change management, what's an applicable way to balance it?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  10:15
You're absolutely right that there does need to be a balance. And one way in which we help institutions that we work with visualize that manual versus automated question is to think about the four high-level steps involved in the RCM process. The first is horizon scanning and content acquisition, then taking that information that you've gleaned and reviewing it, evaluating it, and assessing it for impact. Then your action plans and task management, to get those things implemented that need to be implemented, and finally, performance management and reporting. Now picture those four steps within a triangle. If your process is manual, the chances are that the triangle is inverted. Meaning that your highly trained compliance personnel are spending the bulk of their time on horizon scanning and content acquisition and the least amount of time on the other important aspects of the RCM process.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  11:14
When you say horizon scanning, what does that mean?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  11:24
An example of horizon scanning may be reviewing speeches, industry association releases, or pending or proposed legislation. Keeping your eye on what sort of new regulations may be coming down the pike, even before they're ever thought about by the regulators.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  11:49
It's really about awareness of potential change.
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  11:52
Absolutely, and keeping your senior leadership informed of that. There's a whole process around that. It hasn’t always been called horizon scanning. I know I've been in the industry many, many years in compliance and it's been called different things. But today, and I think it's apt title for the process, because it is indeed looking out there and having people on your team doing that horizon scanning, who understand what they're looking at when they see it because it's not always obvious. And it could be something that's buried in a speech by a regulator, that I call it throwing a shot over your bow, to say, "Hey, you know, we're thinking about regulating this aspect of your activities, and they'll be sent back to you later about that."
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  12:35
That's why it's a high cost, high experience individual that's connecting the dots.
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  12:41
Generally, yes.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  12:42
All right, let's go to the next rung on the triangle ladder.
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  12:45
I was explaining about the inverted triangle for a manual process. So, why do your compliance personnel need to take so much time to do that, or the bulk of their time, to do that horizon scanning and content acquisition? It's because they generally do this by reviewing multiple websites for a relevant matter, reading lots of emails from industry associations, regulators, law firms, and reviewing things like RSS feeds. This results in, as I stated, the bulk of their time being used just to gather the intel that they need to do the rest of their job. And then once they've identified the applicable changes, they've got to be reviewed, assessed for impact, operationalized for implementation, and reported on. In the manual model, the time allotted for the most important steps in the RCM process are really upside down even where an institution's RCM process is automated if the content coming into the automated process is not properly configured. The compliance resources can take just as much time as a manual process to wade through all that irrelevant content. With properly configured automation, the goal is to turn that process right side up and make the gathering of the applicable regulatory changes and horizon scanning the least time-consuming part of the RCM process.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  14:09
Is that really effective with modern tools?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  14:13
It's of critical importance when one is automating their RCM process to ensure they're signing up with the correct regulatory bodies and agencies. Of course, I don't think that's a difficult part of the process. But once you've subscribed to the content that's being released by those regulatory bodies, it's almost impossible to miss anything because everything that they're releasing is coming into your data feed, with the exception of things that aren't relevant to your organization, like the administrative bylaws of FINRA or something like that. That's really something internal to the regulator, but yet still they release it. But anything that would be impactful to your organization will come through your feed. It's not like a human going out there and looking at content and trying to determine should we push this into the workflow. Is this something that really affects our institution? If you're with the proper solution provider, you're going to get all the content you should have coming into your feed.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  15:18
Let's talk a little bit about the next step. Let's say data gathering comes in. We've got a pretty accurate sense of the changes that we need to pay attention to. At what point do we look at the review? And now you've got your experts looking at the aggregated view. How much is weeded out when you look at automated versus manual? So, manual, you're looking at everything and trying to figure that out. In the automated way, you've got some smart tools to weed out. Do you think 50 percent of the content gets weeded out and relevancy is given to the reviewer, or is it less or more than that?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  15:53
It's difficult to put a percentage on it. But what I recommend to customers, and what I did personally over the years, and as a compliance officer, is to automate then calibrate. And what I mean by that is once you're monitoring the right regulatory bodies and agencies for your business model and for your institution, you want to then look at the different types of releases that are issued by those regulators and agencies and review them for applicability or importance to your business. So, that even though you're automated, and you've got this great process where everything you need is coming into your solution or your tool, you still want to weed out those things that really don't need to go into your workflow. There may be some administrative bylaw releases that come out, and you can suppress those if you have the right automated solution provider. You're going to have a way to do that calibration where just those things that are critical, like changed or new regulations, rule filings, rulebook changes, things that you know must get pushed into the workflow. And even those things that you don't put into workflows, such as speeches or administrative announcements, you can suppress those. But they can be consumed later if you do need to look back on them. Because as I mentioned earlier, there may be some nugget of information in a speech that is of importance to you, that you hear about later from someone at a conference or something, and you may want to go back and review that. You want to have access to all those things. But you don't necessarily want those things pushed and assigned to somebody into the workflow, if that makes sense.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  17:40
That makes absolute sense. But we shift gears just a little bit when we talk about the structure for how resources are devoted to RCM. What's the recommended approach of identifying who's going to do what?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  17:55
As I noted a little a little earlier, once you get that right team at the table, you want to have those conversations about what your RCM program is going to look like and how it's going to function. One of the biggest questions is whether it should be centralized or decentralized and to determine how much you really need to monitor, as I also went over a little earlier. You want to consider things like are you operating in multiple states or just a few? Is there any international exposure to your program? Will the program just cover consumer banking, for example, or should we also bring in anti-money laundering and counter-terrorism financing, or securities, or insurance? These are some of the big decisions that have to be made. Once you have made those decisions, you can begin to measure the problem or the burden that it will be. And you can begin by determining how many people you need and what level of expertise they need to have once you've measured that problem. It's important that there be people on the RCM team with the requisite experience or training to spot issues, as I mentioned earlier, and to recognize the potential impact for the institution when they're doing their horizon scanning and determining the applicability of regulatory changes to the institution.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  19:16
Are there many third-party services, and I'm not sure if your service also does this for clients, but that do a health check of where their RCM program is or the capacity needs for an RCM program?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  19:29
Yes. What we do at Wolters Kluwer, and this is actually part of my charge, is when we meet with customers, I've already in most cases, and almost all I would say, I've already done a review of their 10K Filing, for example, if they're public, or I've reviewed an Annual Report of some kind if they're not. Maybe I’ve also done some due diligence on their website, if I'm not already somewhat familiar with them, to get a sense of their business model and some of the things I mentioned earlier, like their customer types, their locations, their products and services, and all that. I can then look at our body of regulatory organizations, agencies, and associations, and all those things that we monitor at Wolters Kluwer globally, look at all those regulators and say, “OK, who would be the obvious list of regulatory bodies we'd need to provide to this institution?” Then we'd come to the table with that. From there, they would add some, remove some, and help us help them calibrate what needs to come into the institution. And that's where a lot of those decisions, as I mentioned earlier, come into play. They may say, you know what anti-money laundering that's a separate group within our institution, and they've already got a separate way that they do this, so we're going to carve that out of what we're looking to Wolters Kluwer for. It's different for every institution but that's sort of how that plays out.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  21:01
My next question related to that is, let's say I don't have a strong RCM program\ but need one. What are some common threads used to make cases where it appeals to the administrative bodies of our institutions to say, "Hey, these are the things that are at risk and these are the things that we need to pay attention to?"
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  21:22
Sure. Many times, I had to go before a board or some other body to loosen the purse strings for humans or other types of resources for my compliance organization. And in my experience, the most effective way to make your business case for RCM program resources is to speak with data and metrics. I think of this as a three-legged stool. And that first leg is to present the metrics. What is it that we have to review as an institution? Because that body of regulatory information can be quantified by how many regulators and agencies, as well as the number of releases requiring review that those regulators put out in a typical year. We can measure that, and that's easy to provide those numbers.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  22:13
Think about an example of that. You've got some criteria. Can you give me one example that's pretty common?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  22:19
Let's say the Federal Reserve, or OCC, I can really pick any major regulator and we can look at what the Federal Reserve puts out. I'm going to say it's around 30. Don't hold me to it, but it's a pretty large number. They have 30 different flavors, if you will, of regulatory releases. And perhaps a third of them are really related to regulatory change, rule filings, updates or changes to regulations, guidance, examination, manual updates, things like that are really critical. There's a way to look at that regulator, the number of releases that we have to pay attention to as an organization, how many of those releases they issued last year, for example, if we use that for our benchmark, and then determine how long does it take our compliance person that we have or people that we have relegated to do this. How long does it take them to review and what is the average time to review one of those releases? You can start to put some numbers around it. How many FTE do you need to manage the Federal Reserve's releases in a year? That's really where the metrics come in. Does that make sense?
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  23:43
Makes sense. Makes sense. And it's very methodical and logical of how you approach it. Thank you for that. Let's talk about the second leg.
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  23:50
The second leg is when you're bringing your case to the board, or whomever, to get your resources. It presents the guidance of your primary regulators because they all have expectations of the institution to provide the appropriate resources to the compliance function. It's really not difficult to find these references. They make them not only in their guidance documents, but you'll find them in supervisory letters and things like that. And if you need to provide those to the board, or whoever else you're making your case in front of. I think it's helpful and bolsters your case when a regulator is coming in to examine you. They don't want to see that you're not resourced correctly and that you maybe can't even produce their documents that they're asking for in a timely manner because you don't have the resources you need. You don't want that to be the first impression for a regulator. So, that's the easy second leg. And the third leg, of what I think of as the three-legged stool, presents the decision-makers with the experiences of some similarly-situated institutions that did not properly support their compliance function, and as a result, were fined, sanctioned, or worse. Many times you'll see that things like charging documents, or cease and desist orders, or different things that are publicly available, documents that will tell you this bad thing happened at XYZ institution because there simply weren't enough people to manage those controls or whatever the situation had to be. And it wouldn't be difficult to find some examples of that to share with the decision-makers. And of course, overarching all of this is the message of what our ultimate goal is, and the ultimate goal of the whole institution, not just the compliance department, which is the protection of our customers, our shareholders, and the safety and soundness of our institution.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  24:36
You talk a little bit about creating controls and implementing policies and procedures once the regulatory changes are identified. What about when there's an industry event that senior management or the board should be aware of? Does an RCM program have a method that includes communication to that level or what are different ways that it's applied today? How does that function operate with business administration?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  26:28
That's a very good point to bring up. Thank you. There absolutely should be a documented workflow in place within the RCM program to inform upper management and the board when, for example, there's an enforcement action in the industry that could have happened at your institution, but for the regulatory compliance policies, procedures, controls, or training in place. It's also a good process for informing senior leadership of issues on the horizon that may be impactful to the institution. Something's been proposed by one of your regulators, and it's maybe not going to happen for a year or more. But when you think in terms of budget-making and all that, you need to tell the people in charge that, "Hey, this thing may be coming down the pike, it may crash and burn, but it may not." We want to have them informed of what may be happening and may be impactful in their next budgetary consideration or something else. Another important part of having that in your RCM processes is there can be an acknowledgment step baked in as well. In short, you'd have a record of when they knew and how did they know it, related to an institution, RCM process. It can be very helpful, particularly if there's an issue down the line later that regulators and others are trying to see who the decision-makers really were around this item.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  27:56
I was just going to ask you that. Do regulators look at communication between levels of management?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  28:04
Absolutely. I saw a recent enforcement action against a well-known bank, where there was an exception made several years ago in their own internal process for controlling an anti-money-laundering risk. An executive at that time made some decision, which he documented in the way he felt was appropriate at the time. For years after that, compliance, risk, and different people would dust off this email from this executive from years ago and say, "This is why it's OK to ignore this again," because this person in leadership said it was okay back then, without circling back and looking at that whole process anew each time. You can find yourself in some really difficult situations, where you may have some area of your organization that might be relying on some old guidance or an old decision by someone who may or may not even still be with the institution. You definitely want to have that centralized where you've got control over it. You can see where if there was a precedent made, you can track it and see that this is how we handled that back then. And if there is a change, now let's document why we are making that change, or why we're doing something different than the way our policy says we will handle certain things.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  29:31
The opposite of that is so true where if it's absent. Let's say it's not about this old memo that is sitting on my desk and I refer to all the time. The result is about the impact to clients or consumers. If there's no impact, they just get a matter requiring attention, or is that the same?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  29:53
From the regulator?
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  29:55
Yes, from the regulator.
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  29:57
Well, as we talked about a little earlier, I think it all depends on the true impact of whatever it is and if you've missed something as an organization. If I'm understanding you correctly, that's what you mean. You're not doing something the way you should be. You missed something that came along. Was anybody harmed as a result, or could it be your institution? Was the institution exposed to a safety and soundness type of risk, or was this a compliance failing that resulted in no harm to anyone? But indeed, there's a gap in your process, and that would be a situation where you may even just have an observation or something like that. And likely would be if it wasn't something impactful. We all know, in the industry, what are the things that are more kryptonite that you have to pay close attention to and ensure that your organization is up to date?
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  30:57
Let's talk about trends. What's the evolving trend or emerging trend in RCM as an industry?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  31:05
Since we included the terms “pandemic,” “policies” and “politics” in the title of our podcast, I'm going to touch on each one of those briefly. With the pandemic, institutions should be on the lookout for regulatory protections for consumers and keep good records on how they're handling the guidance that they're being provided by their primary regulators. Again, we've got to get the right people at the table to make those decisions on how our institution may apply that guidance, as it's very often not clearly defined how to apply it. That's something you want to document well, and likely, you may not want to completely change a policy or procedure related to that item. You may want to consider creating something temporary because you're basing it on guidance and not on an actual changed rule or regulation. That's something that the institution would have to consider, but it's something I would probably recommend that they come up with some process to where we're dealing with things that are really pandemic-related and those that aren't, and might go away once we've got a vaccine and things return to some sense of normalcy. Then you can go back. You can strip away these temporary policies and procedures, and then go back to your original policies and procedures that were in place pre-pandemic.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  32:36
What about the political ramifications?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  32:38
I think we're all aware of how politics have become so intertwined with our regulations over the last several years. For example, who gets appointed to lead the various agencies and what are their marching orders from the White House that looms large for our industry. And currently, for the last few years, there's been a movement afoot to reduce some aspects of the federal regulatory burden. But in my view, we should be prudent in our response to these changes, as that lowered bar can just as easily be raised back up by the next administration. You want to be judicious with your response. And some states, for example, are creating mini CFPB's in response to the changing expectations on the federal level. I think of it as a balloon being squeezed at one end. It's going to have some effect of increasing the size on the other end.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  33:39
That makes it really hard to regulate across the states, right? Every state will have a different ruling for how they want to administer financial services organizations.
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  33:52
You're absolutely right. The real problem is that when we're looking to federal regulation, and that's what we're complying with, that's one rule, one regulation. To your point, if we've got to deal with 50 different regulations or more, it becomes pretty unmanageable for organizations. It’s even more important to have that process automated, so you don't miss anything.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  34:17
I recently had an experience with this while I was managing it in an appraisal management company. It's broken down in a very similar way with the regulations at the state level more so than at the federal level. It's quite a daunting task to manage, especially if you're a firm that does business in many different states. Do you feel technology or other types of groups will emerge if this continues to be our path, where it's regulated at a federal level but also regulated at a state level?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  34:49
That's a tough one. A lot does depend on the political will of whoever's in charge at that time. If we continue along this path of deregulation regardless of who's in the White House if that's the path that we continue on, then yes. I mean, frankly, if you're a governor of a state, and you see that your citizens are potentially losing some protections on the federal level, what's going to be your response? You're going to say, "You know what, we're going to have to do something in-house here because we can't have people potentially harmed in that way.” But just because that protection has disappeared.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  35:33
That makes sense. I think where we're headed is the governors of different states banding together, with how they're dealing with the pandemic. There's a lot of noise around what's the proper way to deal with it, letting kids back to school, etc. I think that's how the blend of politics and action are coming together. Let's think about it in terms of the third one that you were mentioning around policies. What's happening inside the policies of the institution? Do they relate to the state, or will they relate more to the firm itself?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  36:09
By policy, I was referring to what is happening at the financial institution itself. And given the impact on the institution's policies as a result of the pandemic, for example, regulators have given guidance on how to conduct your business. And, as I mentioned a little earlier, you want to be judicious about modifying any of your policies related to any of this state or federal guidance that's coming out as a result of the pandemic. As I said, I think a firm would be wise to consider putting temporary policies in place to respond to the to the guidance. And then when the emergency or the pandemic is over, and we've gone back to some sense of normalcy, you can go back to the policies that you had in place pre-pandemic.
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  36:59
That's very interesting. Very insightful. I want to understand a little more. Let's talk about the policies a little bit further and how do they relate to the core operating view from the firm?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  37:13
Some of the guidance that regulators are putting out is going to be handled differently by different institutions based on the risk they present to the institution. One size does not fit all. Some specific examples of that might be the CARES Act. There are forbearance options that have been suggested by the regulators. But, as I mentioned earlier, they don't say exactly what that looks like. As an organization or an institution, you have to determine what that may mean for you. FEMA released a bulletin recently regarding the effect of the pandemic on Force-Placed Flood Insurance requirements under the Flood Disaster Protection Act. These things are mays, not musts. It’s something for your organization to consider. How much, or how little, do we want this to really affect our day-to-day work?
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  38:09
You touched a little bit about temporary policies being put in place and the need to revamp or revisit even older ones. What would you suggest is the right context to remove policies or change them?
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  38:24
I think there are two parts to that. There should be an annual review of your policies. Whether you know of any known impacts or not, that's pretty standard at any financial institution, so that's in place. Also, any policy you have in your organization should be connected in some way. If you're automated, there probably will be a way to do this. That policy should be connected to regulations that caused its creation, if you will, or that it impacts. If a change comes through either your automated or manual process that modifies that regulation, or parts of that regulation, then you absolutely want to look at your policy to see what just changed with Reg. C or Reg. B, whatever have you. Now, let's review our policy in light of that and see if we need to make some changes in a mid-year cycle to that? Policies could be reviewed any time, or it could be guidance. It doesn't have to necessarily mean a regulatory change in a newer change regulation. It might just be some new guidance came out that your firm determined, "You know what, we're going to do it the way they suggest, and so let's go revisit that policy and change the way we address that issue."
 
Samir Agarwal, Vice President, Banking Compliance Solutions, Wolters Kluwer  39:52
It sounds like we have a whole episode that we could dedicate to just the pandemic policies on their own. It's a real pleasure speaking with you today. We've provided some truly excellent considerations for how to build and maintain a regulatory change management program. Listeners here today will be grateful and truly appreciative of some of the guidance that you've provided, as well as the heads up on some of the emerging trends for regulatory change management. Thank you, Elaine.
 
Elaine F. Duffus, Senior Specialized Consultant, Wolters Kluwer  40:22
Thank you. It was a pleasure to be here.
 
Greg Corombos, News Director at Radio America  40:24
That's Wolters Kluwer Vice President of Banking Compliance Solutions, Samir Agarwal, joined by Elaine F. Duffus, a Senior Specialized Consultant with Wolters Kluwer. Wolters Kluwer is the host of this podcast and a market-leading provider of advisory services and technology solutions for optimizing compliance and risk management programs. For more information and additional guidance, please visit WoltersKluwer.com or call 1-800-397-2341. Please join us for future podcasts focused on navigating emerging trends in regulatory compliance.
Solution

Regulatory Change Management

Learn how to enhance your compliance program.

OneSumX® for Regulatory Change Management
Back To Top