Every year, tens of thousands of pages are published in the Federal Register, with a good chunk of them detailing what banks need to deliver in serving their customers. In the past decade, the Dodd-Frank Wall Street Reform and Consumer Protection Act came in at the equivalent of nearly 1,000 pages and prompted several thousand more pages of rules and regulations, including, as just one example, the TILA-RESPA Integrated Disclosure (TRID) rules. Tack on related regulations published as a result of the Dodd-Frank Act, other more recent regulatory amendments like those made to the Fair Debt Collection Practices Act (FDCPA), as well as state-specific requirements, and you’ve got enough paperwork to fill a library.
I’m probably in the very small percentage – along with my risk management and compliance peers across the country – of bankers who read every page of these new and amended regulations. Previously, I did that to understand what changes needed to be applied at the Top 5 bank where I worked; today, I need that insight to counsel clients strategically on their practices.
To be candid, you must dive deep into any regulation to get to the heart of what it’s telling you to do. From my perspective, your bank’s front-line employees – which include everyone from contact center agents to product owners – understandably are more focused on the daily business than squeezing out time to read every new regulation.
Serving as liaisons between regulators and the business, as well as fostering relationships between the first and third lines of defense, your second-line risk management and compliance teams are often responsible for digesting every bit of information in a new regulation, ruling or supervisory guidance. While the business needs to own its processes and understand the risks they present, it often looks for guidance from the second-line risk teams, who are the experts who help navigate the thousands of pages of regulatory change in a given year. We become those experts by reading every word in every ruling and supporting material. We distill the key elements. And we translate that legal language, summarizing it in plain English to help the first line understand what it really needs to worry about.
Keep in mind that these regulations are drafted by government professionals with specialized skills in writing laws, and they even have rules to follow when writing rules. They aren’t trying to lure you into a best-selling novel where you can’t stop turning pages, because their focus is on detailing new requirements and the fine print behind them. In nearly every paragraph, you’ll find legal jargon that can be intimidating if you’re not accustomed to reading this kind of documentation. That language can be even tougher to understand if you haven’t been following the action in Washington, D.C., leading to new banking requirements.
And while second-line risk management and compliance teams play a critical role, everyone at the bank – all three lines of defense – should be part of your broader risk management approach. Regulatory change is just one variable and one type of risk in this complex puzzle. The first line should be identifying, measuring, controlling and monitoring the risks brought on by their business activities. They can help identify gaps in existing processes as new regulatory change comes along. The second line (inclusive of compliance risk and the broader enterprise risk management teams) should provide oversight and help assure the first line is adhering to best practices and delivering as expected. The third line provides assurance as to whether the first and second lines are operating effectively, independently assessing whether controls and governance processes are adequate and operating as intended.
It’s essential to have open communication and transparency between the first and second lines to limit the potential of different teams within your enterprise implementing new operational requirements in disparate ways. And let’s not forget: It’s equally important for your second-line teams to maintain open lines of communication and collaborate to ensure silos aren’t built across the various risk types. After all, regulatory change and ensuing process changes also tie back to operational and other risk types.
In their simplest form, regulations are the rules you must follow to stay in business, and they’re designed to protect consumers from unfair and deceptive practices. If you don’t play fairly in that sandbox, you’re ultimately not going to be able to play anymore.
When I read through regulatory language, my focus is typically on looking for key provisions and calls to action, where the bank must block and tackle strategically. During any implementation process, I’m also watching for updated regulatory interpretation or guidance – which can come at any point – that might require adapting in the moment.
The requirements in some regulations are fairly clear, but there is often quite a bit that falls into the gray area. This is where the unique experiences and proven expertise of your compliance team become essential. If you can’t quite reach alignment on the true intent of the regulation, you want to always err on the side of caution – which is on the side of protecting consumers.
After all, this cultural shift is more about risk and cost avoidance since this early-stage investment can ensure you’re taking the right action. Leveraging the knowledge base of your risk management and compliance teams can also help reduce time and money spent by the business on pursuing the wrong work if they don’t truly understand the requirements.
Before you swing into action, it’s critical that your compliance team takes the necessary time to interpret any new regulation and its application for your organization. They’ll help you think about the new regulatory challenge in terms of audiences: Where is the risk? And what does any proposed change mean for your three lines of defense?
Between our Spinnaker team’s personal experiences, as well as our work with Top 30 banks, we’ve identified several best practices, which begin with understanding your processes, the risks they present, and what the regulations are asking of you:
Create a solid foundation that enables change: Before you act on any regulatory or business changes, take time to create a process inventory that includes risk and control assessments. You should also have an inventory of existing regulatory requirements applicable to your bank’s operations. Once you have these two inventories, be sure to tie them together by mapping regulatory requirements to applicable processes across the organization. By taking the time to create and maintain these process and regulatory inventories, you’ll be better prepared to act quickly when regulatory change occurs. This will also help you easily identify what processes will be impacted, helping you quickly assess scope, where changes need to be made, and complexity.
Engage the right players: Effective implementation involves representatives from your three lines of defense from the beginning. Each brings specific knowledge and perspective that is critical to developing and executing a spot-on plan. During this process, the first line should own educating the second line, not only on what the business does but how it does it, which means detailing the multiple processes, data inputs and other touchpoints that support every product or service.
Identify requirements and explain needs: With a grounding on the business, your second line can identify specific components in a regulation that directly apply to your business. Beyond that, your compliance and risk advisors are looking at the root of those requirements to recommend and provide guidance on what the business must do to deliver on intent. In general, you want to be working backward from the effective date to ensure time to deploy expected technology updates and adequately test changes.
Gain buy-in from the business: Because it’s the one implementing and owning new processes and accepting accompanying risks, your first line must confirm these are the right changes. In this stage, it’s imperative that the second line not make commitments in place of the first line, creating downstream communication breakdowns related to action plans, deliverables and timelines. Bottom line: Communication and alignment between the first and second lines is critical. Organizations should also consider using this stage to begin preparing phone agents, branch, and other customer-facing teams on expected updates and how to respond to customer queries.
Integrate and monitor changes: Put changes into production and assess that new processes deliver against the regulation’s intent. Leverage ongoing monitoring to quickly identify – and resolve – issues when any practice falls out of compliance. This includes ensuring other processes that are affected by any changes remain compliant, as well.
Throughout any project, be sure to document everything, supporting your decision-making throughout every step – from your interpretation of the regulatory requirements to the thought process that went into identifying the policy, process and control changes to be made. This will be an important resource when your oversight regulators come to confirm you’re following those rules. It also becomes another foundational element in building your enterprise risk and compliance culture.
The biggest risk of carrying on business as usual is incorrectly or only partially implementing the regulatory change, which has a waterfall effect, pushing organizations off track and leading to missed regulatory deadlines. Historically, compliance teams have been guilty of sending the business a specific piece of the regulation to implement without any interpretation or context. Instead, banks need to develop the competence for understanding and implementing change, whether in reaction to new regulations or updates to products and services, which can set them apart in the market.
One of the biggest issues we’ve seen is the knowledge gap between compliance and the business. Each of us is the specialist in our area, and we can’t begin to have the same level of knowledge of what’s happening on the other side of the fence. This gap reinforces the need for open, ongoing, two-way communication. This is a time for meaningful collaboration.
Finally, working with a regulation is not a one-time execution. Too often, we see banks work obsessively and diligently to implement a new regulation, then stash it away and never revisit it. Laws, processes, products and technology are constantly evolving, and even the smallest tweak in one place can tilt your operations out of compliance. You must continually assess how every regulation applies to each piece of your business to reduce costly risks – in the eyes of both customers and the agencies that supervise your bank.
Ultimately, every bank should strive to build an inclusive risk and compliance culture, where all associates understand their responsibilities in ensuring sound business practices. That’s a long-term goal for many organizations, but starting to refine how you implement new requirements is a smart first step. This establishes a foundation for how all teams can work collaboratively to understand and implement important rules that protect customers – and, at the end of the day, your bank.
Responding to regulations shouldn’t be a fire drill, where you’re working until 11:59 p.m. on the day before an effective date to get to the finish line. Spinnaker can apply our successful three lines of defense experience to help you begin nurturing an engaged risk and compliance culture, which will help differentiate your bank in a competitive market.
If you’ve spent any time in the last ten years in or around compliance, you’ve likely heard about the “three lines of defense” (3LOD) model – business units are primarily accountable for compliance and are considered the first line; the compliance team is the second line, checking the work for the first line; and internal audit operates as an independent third line assessing the first two lines. While the model has been widely accepted (and in most cases expected by regulators), the approach has been gaining some critics. The growth of the FinTech industry has caused many to question how viable and applicable the 3LOD model is for smaller organizations. While the concept is solid, it’s time to adapt the model to account for the wide array of organizations now operating in Financial Services.
Risk Management & Regulatory Compliance 2 minute read
Late last month, I had the pleasure of attending and facilitating a couple of on-demand panels for the American Banking Association’s (ABA’s) first-ever Risk and Compliance Virtual Conference.
Customer Channels & Operations Management, Business Analytics & Data Management, Risk Management & Regulatory Compliance 4 minute read
The Big Picture Aggressive growth is a great business goal, but to achieve it the smart way, organizations need to have their houses in order first. One Top 25 bank was recently moving forward with a growth plan when it was stopped in its tracks by a consent order. Rather than gearing up for expansion, the company found itself needing to implement and maintain an effective Compliance Management Program (CMP) to meet consumer protection regulations – and the team charged with the effort had limited bandwidth and expertise.
Risk Management & Regulatory Compliance, Compliance 1 minute read
Like how we think? Subscribe to have our articles delivered direct to your inbox each month.
Headquarters: 8000 Franklin Farms Drive, Suite 100, Richmond, VA 23229
©2021 Spinnaker Consulting Group. All rights reserved.