Every year, tens of thousands of pages are published in the Federal Register, with a good chunk of them detailing what banks need to deliver in serving their customers. In the past decade, the Dodd-Frank Wall Street Reform and Consumer Protection Act came in at the equivalent of nearly 1,000 pages and prompted several thousand more pages of rules and regulations, including, as just one example, the TILA-RESPA Integrated Disclosure (TRID) rules. Tack on related regulations published as a result of the Dodd-Frank Act, other more recent regulatory amendments like those made to the Fair Debt Collection Practices Act (FDCPA), as well as state-specific requirements, and you’ve got enough paperwork to fill a library.
I’m probably in the very small percentage – along with my risk management and compliance peers across the country – of bankers who read every page of these new and amended regulations. Previously, I did that to understand what changes needed to be applied at the Top 5 bank where I worked; today, I need that insight to counsel clients strategically on their practices.
To be candid, you must dive deep into any regulation to get to the heart of what it’s telling you to do. From my perspective, your bank’s front-line employees – which include everyone from contact center agents to product owners – understandably are more focused on the daily business than squeezing out time to read every new regulation.
Serving as liaisons between regulators and the business, as well as fostering relationships between the first and third lines of defense, your second-line risk management and compliance teams are often responsible for digesting every bit of information in a new regulation, ruling or supervisory guidance. While the business needs to own its processes and understand the risks they present, it often looks for guidance from the second-line risk teams, who are the experts who help navigate the thousands of pages of regulatory change in a given year. We become those experts by reading every word in every ruling and supporting material. We distill the key elements. And we translate that legal language, summarizing it in plain English to help the first line understand what it really needs to worry about.
Keep in mind that these regulations are drafted by government professionals with specialized skills in writing laws, and they even have rules to follow when writing rules. They aren’t trying to lure you into a best-selling novel where you can’t stop turning pages, because their focus is on detailing new requirements and the fine print behind them. In nearly every paragraph, you’ll find legal jargon that can be intimidating if you’re not accustomed to reading this kind of documentation. That language can be even tougher to understand if you haven’t been following the action in Washington, D.C., leading to new banking requirements.
And while second-line risk management and compliance teams play a critical role, everyone at the bank – all three lines of defense – should be part of your broader risk management approach. Regulatory change is just one variable and one type of risk in this complex puzzle. The first line should be identifying, measuring, controlling and monitoring the risks brought on by their business activities. They can help identify gaps in existing processes as new regulatory change comes along. The second line (inclusive of compliance risk and the broader enterprise risk management teams) should provide oversight and help assure the first line is adhering to best practices and delivering as expected. The third line provides assurance as to whether the first and second lines are operating effectively, independently assessing whether controls and governance processes are adequate and operating as intended.
It’s essential to have open communication and transparency between the first and second lines to limit the potential of different teams within your enterprise implementing new operational requirements in disparate ways. And let’s not forget: It’s equally important for your second-line teams to maintain open lines of communication and collaborate to ensure silos aren’t built across the various risk types. After all, regulatory change and ensuing process changes also tie back to operational and other risk types.
In their simplest form, regulations are the rules you must follow to stay in business, and they’re designed to protect consumers from unfair and deceptive practices. If you don’t play fairly in that sandbox, you’re ultimately not going to be able to play anymore.
When I read through regulatory language, my focus is typically on looking for key provisions and calls to action, where the bank must block and tackle strategically. During any implementation process, I’m also watching for updated regulatory interpretation or guidance – which can come at any point – that might require adapting in the moment.
The requirements in some regulations are fairly clear, but there is often quite a bit that falls into the gray area. This is where the unique experiences and proven expertise of your compliance team become essential. If you can’t quite reach alignment on the true intent of the regulation, you want to always err on the side of caution – which is on the side of protecting consumers.
After all, this cultural shift is more about risk and cost avoidance since this early-stage investment can ensure you’re taking the right action. Leveraging the knowledge base of your risk management and compliance teams can also help reduce time and money spent by the business on pursuing the wrong work if they don’t truly understand the requirements.
Before you swing into action, it’s critical that your compliance team takes the necessary time to interpret any new regulation and its application for your organization. They’ll help you think about the new regulatory challenge in terms of audiences: Where is the risk? And what does any proposed change mean for your three lines of defense?
Drawing on our Spinnaker team’s personal experiences and our work with Top 30 banks, we’ve identified several best practices, which begin with understanding your processes, the risks they present, and what the regulations are asking of you:
Create a solid foundation that enables change: Before you act on any regulatory or business changes, take time to create a process inventory that includes risk and control assessments. You should also have an inventory of existing regulatory requirements applicable to your bank’s operations. Once you have these two inventories, be sure to tie them together by mapping regulatory requirements to applicable processes across the organization. By taking the time to create and maintain these process and regulatory inventories, you’ll be better prepared to act quickly when regulatory change occurs. This will also help you easily identify what processes will be impacted, helping you quickly assess scope, where changes need to be made, and complexity.
Engage the right players: Effective implementation involves representatives from your three lines of defense from the beginning. Each brings specific knowledge and perspective that is critical to developing and executing a spot-on plan. During this process, the first line should own educating the second line, not only on what the business does but how it does it, which means detailing the multiple processes, data inputs and other touchpoints that support every product or service.
Identify requirements and explain needs: With a grounding on the business, your second line can identify specific components in a regulation that directly apply to your business. Beyond that, your compliance and risk advisors are looking at the root of those requirements to recommend and provide guidance on what the business must do to deliver on intent. In general, you want to be working backward from the effective date to ensure time to deploy expected technology updates and adequately test changes.
Gain buy-in from the business: Because it’s the one implementing and owning new processes and accepting accompanying risks, your first line must confirm these are the right changes. In this stage, it’s imperative that the second line not make commitments in place of the first line, creating downstream communication breakdowns related to action plans, deliverables and timelines. Bottom line: Communication and alignment between the first and second lines are critical. Organizations should also consider using this stage to begin preparing phone agents, branch staff and other customer-facing teams on expected updates and how to respond to customer queries.
Integrate and monitor changes: Put changes into production and assess that new processes deliver against the regulation’s intent. Leverage ongoing monitoring to quickly identify – and resolve – issues when any practice falls out of compliance. This includes ensuring other processes that are affected by any changes remain compliant, as well.
Throughout any project, be sure to document everything, supporting your decision-making throughout every step – from your interpretation of the regulatory requirements to the thought process that went into identifying the policy, process and control changes to be made. This will be an important resource when your oversight regulators come to confirm you’re following those rules. It also becomes another foundational element in building your enterprise risk and compliance culture.
The biggest risk of carrying on business as usual is incorrectly or only partially implementing the regulatory change, which has a waterfall effect, pushing organizations off track and leading to missed regulatory deadlines. Historically, compliance teams have been guilty of sending the business a specific piece of the regulation to implement without any interpretation or context. Instead, banks need to develop the competence for understanding and implementing change, whether in reaction to new regulations or updates to products and services, which can set them apart in the market.
One of the biggest issues we’ve seen is the knowledge gap between compliance and the business. Each of us is the specialist in our area, and we can’t begin to have the same level of knowledge of what’s happening on the other side of the fence. This gap reinforces the need for open, ongoing, two-way communication. This is a time for meaningful collaboration.
Finally, working with a regulation is not a one-time execution. Too often, we see banks work obsessively and diligently to implement a new regulation, then stash it away and never revisit it. Laws, processes, products and technology are constantly evolving, and even the smallest tweak in one place can tilt your operations out of compliance. You must continually assess how every regulation applies to each piece of your business to reduce costly risks – in the eyes of both customers and the agencies that supervise your bank.
Ultimately, every bank should strive to build an inclusive risk and compliance culture, where all associates understand their responsibilities in ensuring sound business practices. That’s a long-term goal for many organizations, but starting to refine how you implement new requirements is a smart first step. This establishes a foundation for how all teams can work collaboratively to understand and implement important rules that protect customers – and, at the end of the day, your bank.
Responding to regulations shouldn’t be a fire drill, where you’re working until 11:59 p.m. on the day before an effective date to get to the finish line. Spinnaker can apply our successful three lines of defense experience to help you begin nurturing an engaged risk and compliance culture, which will help differentiate your bank in a competitive market.
Late last month, I had the pleasure of attending and facilitating a couple of on-demand panels for the American Banking Association’s (ABA’s) first-ever Risk and Compliance Virtual Conference.
The Big Picture
Pick up recent copies of The Wall Street Journal or American Banker, and you’ll see headline after headline about consent orders and hefty fines issued by the Consumer Financial Protection Bureau to mortgage companies caught using deceptive advertising practices. This summer alone, eight have been issued.
Two things immediately strike me when I see these stories: Many of these cases didn’t have to happen. And while these particular consent orders were concentrated in the mortgage sector, similarly problematic issues are most certainly occurring in other lending segments across the financial services industry.
After a hundred years or so, you’d think we would know how to follow regulatory rules – particularly those put in place to protect consumers. Indeed, the first such laws were framed by the states before World War I – although the first meaty federal law, the Truth in Lending Act, wasn’t passed until 1968. Every new regulation layered in since then largely continues to further shield consumers from unfair practices – which often start with glossy ad campaigns designed to get them in the physical or digital door.
The reasons why we’re still struggling with compliance aren’t too difficult to understand: turnover within organizations, competing priorities, a lack of sound controls, new staffers who are unfamiliar with existing regulations, and a never-ending list of new ones, including Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) and the Mortgage Acts and Practices (MAP) – Advertising Rule. There’s also often a gap between the intent of any new regulation and how marketing teams interpret it.
The risks of not crossing every “t” and dotting every “i” are significant, as evidenced by these recent consent orders. Doing things the wrong way also can mean costly penalties, time-consuming regulatory remediation, and loss of customer trust – which can translate into higher complaint volumes and even lawsuits.
Let’s explore some long-lingering myths about how banks advertise their lending products – and, more importantly, what your financial institution should be doing.
MYTH: Legal and Compliance don’t need to review my ad since I’m the expert in marketing.
FACT: This is the biggest myth that persists in financial services marketing and advertising. Every word you use to communicate has specific and nuanced meanings, and your legal and compliance teams have a responsibility to protect your company and consumers alike. No external ads or marketing materials should be released until you get signoff from your legal or compliance team. It’s not any more complicated than that.
MYTH: Our marketing team knows what Legal and Compliance have told us. We get it, but we need leeway to make our ads eye-catching and even a bit sexy so we can get business in the door. One little word change doesn’t really make a difference.
FACT: Remember how former President Bill Clinton faced legal drilling over his interpretation of the word “is”? You’d be surprised at exactly what a bank must validate before it advertises anything as “free.” That word “free” – and countless more – are triggers, often requiring specific disclosures on how they apply to what you’re advertising right at that moment.
Ideally, your marketing and advertising teams should collaborate almost daily with your legal and compliance teams. Of course there’s going to be some friction between the advertising folks, who see in every color of the rainbow, and the legal and compliance folks, who typically only see in black and white. The important thing is to build processes and procedures that enable effective and efficient reviews of all advertising and marketing materials, and that begins with concepts. When you involve those responsible with compliance up front, they can help rethink an approach in ways that ensure the final ad meets regulatory requirements.
Also, try taking their early “no” to mean “not yet” and be open to ideas on what could translate into an easy reframing. But go to them at the end with an ad that fails on every compliance front, and their “no” will be just that.
When I was at a bank that now has more than $30 billion in assets, my compliance team worked diligently to become a strategic partner to the marketing team. It took some time, but our peers came to see that we never aimed to derail their vision. As our relationship evolved, so did our interactions. In fact, we created a desktop resource that allowed marketers to easily look up the latest laws or match sales terms with the necessary disclosures, delivering a self-service tool that also empowered them to create responsibly and expedite the review process.
Rest assured, the goal of your bank’s lawyers and compliance officers is not to thwart creativity, but to ensure that amazing ad concepts give consumers precise, clear information about the company’s products and services, allowing them to make smart financial decisions. Believe me: Compliance teams want powerful, compelling and even award-winning advertising that brings more revenue in the door, because when you have that, everyone benefits.
MYTH: Our market competitor ran an ad just like that. If they got away with it, then it’s OK and the legal and compliance team is overreacting.
FACT: This is the corporate version of your mother asking you, “If everyone was jumping off a cliff, would you do it, too?” The only truth here is that your competitor ran an ad. You don’t really know if that financial institution “got away with it.” In fact, you might learn not too far down the road that your competitor actually got caught red-handed with a compliance violation. After all, the underlying premise of advertising is to spread the word, and regulators are paying close attention.
Frankly, you should be analyzing what your competitors are doing, but I’m not talking about their advertising.
Take a good look at every consent order or other regulatory action you hear about and compare it to what’s happening in your shop. Are you doing things the right way? Are you identifying and avoiding the possible risks in your process? In other words, consider that the teacher has given you every answer to the test, and you don’t want to fail down the road.
MYTH: The bank’s advertising agency developed that campaign – not our internal team – so we’re not going to get in any trouble.
FACT: Time and time again, oversight organizations stress that any third-party vendor – whether it’s an ad agency or a cross-sell phone queue – is a seamless extension of your financial institution. If they get it wrong, so do you. You don’t outsource the compliance responsibility along with the work.
MYTH: All of that applies to my bank or mortgage company – not to me as a loan officer. I’ll post a special offer on my social channels just for my customers.
FACT: Your very title of “loan officer” means you’re an officer of your financial institution, and the same exact requirements apply to you. Without question, the growing influence of social media makes consumer outreach easy, but the brevity and ease of these same platforms also make it more difficult to keep your team members from going rogue. The same compliance standards apply to all of your advertising, including any unsanctioned materials. Every employee needs to understand this responsibility. (BTW, don’t forget about old-fashioned tactics, such as a quick sales flyer that a teller might create and post in a branch. Whether that flyer meets your advertising brand standards is the least of your worries, because you’re most likely out of regulatory compliance.)
MYTH: Getting an internal review takes so much time that we’re losing competitive advantage.
FACT: Doing it right takes a fraction of the time needed to fix things – particularly if you’re cited for a regulatory infraction – and maintains your institution’s reputation.
Yes, a legal or compliance review is another step in your marketing process, but it’s a short blip in the lifetime of a successful business. In my previous role, I was intentional about building interactions with the marketing team that served everyone’s needs as efficiently as possible. If a federal agency comes at you with a consent order or Matter Requiring Attention, you’re going to spend significantly more time finding the root issue, solving for your misstep, gaining regulatory signoff and getting back to work. You also can’t rebuild consumer confidence overnight – even with the most attractive offers in your marketplace. After all, if your customers know you’ve been under scrutiny before, do you think they’re going to trust that you’re being straight with them this time around?
Within days of the international declaration of the pandemic, federal leaders tossed a lifeline to small businesses in the form of the Paycheck Protection Program. But before the ink was dry on the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which offered forgivable loans to help eligible American companies keep their lights turned on and pay their employees, banks were stepping into a minefield of risk.
©2021 Spinnaker Consulting Group. All rights reserved.