Suppose you go to your doctor with a nasty cough or nearly bent over with stomach pain. You wouldn’t be too happy if your provider barely looked at you, jotted off a quick prescription and sent you away. Instead, you’d want your doctor to do a full exam, check your lungs for that cough – maybe run a blood test or order some sort of imaging on your abdomen.
In other words, you would want an official diagnosis of what was wrong and a treatment plan to fix it. You wouldn’t want something to simply ease or mask your symptoms, even if it made you feel a bit better.
In the banking world, financial institutions must look at something that’s gone wrong in their operations the same way. You don’t want to simply address what’s amiss on the surface. You want to take the proverbial lid off the box and look inside to find out what’s causing trouble. Somewhere in there is a breakdown with your people, process and/or technology. Audit and regulatory findings are generally issued as a result of systemic or patterns of breakdowns, such as not having a sound anti-money laundering program in place or failing to define and monitor the organization’s risk appetite.
And if you’re forced into issue remediation after federal regulators give you a lesser finding (a confidential Matter Requiring Attention) or something far worse (like a very public consent order, as witnessed with Citigroup this week, the stakes are even higher. You have one shot to get it right from the start. Take a misstep now, and you’ll find yourself even further behind – and losing even more credibility with the regulators who oversee your business.
In the later years of my career on the front line, I have increasingly seen financial institutions work ambitiously on remediating issues, only to have regulators come back at the end and give that effort a failing grade. While no bank wants to be under the shadow of a regulatory finding, working smart and rejecting shortcuts is the only way to deliver the right solution and minimize future risk.
With compliance costs expected to more than double and reach 10% of their revenue spend by 2022, banks can’t afford to get it wrong. Doing it right the first time actually saves time when you consider the losses in investing significant energy and resources in solving the wrong problem, not passing regulatory review and having to go back to the drawing board. An effective remediation strategy should follow several key steps:
This might seem counterintuitive, but don’t just jump into fixing things when you’ve been told there’s a problem. After all, do you know exactly what you’re fixing? Too often, companies fix what they think is the problem, only to learn that they’ve missed the mark – not to mention broken other things along the way. Not understanding the crux of the issue wastes time, energy and resources, as a business acts too quickly because it’s anxious to get out from under the regulatory thumb.
You also should engage your risk partners, including your legal and compliance teams, to review any regulatory finding language to make sure you understand and solve for exactly what the problem is – especially for an issue with broader scope and breadth. Oftentimes, it’s helpful to get expert insight from an outside partner, like Spinnaker, which can keep you from being myopic in your approach when you think you have the answers because you’re the expert in your own business.
Those leading your remediation plan should dig deeper into the root problem by asking “Why?” up to five times, peeling off another layer with each question as you strive toward the core issue. Consider yourself sitting on the side of the road and your car isn’t running. Why is my car broken down? Because the engine stopped. Why did the engine stop? Because it’s overheated. Why is it overheated? Because I didn’t change the oil. Bring those questions to your business problem and keep asking why until you’re grounded on the precise thing that needs to be fixed to make everything work as designed and expected.
Your action plan will serve as a roadmap to get you effectively and efficiently from identifying the root issue to implementing the solution, which is a common gap for many companies. At this stage, keep in mind that, due to everything from stakeholder engagement to technology resources, any solution won’t help overnight.
From the onset, expect that any regulatory-focused remediation could take a minimum of 12 to 18 months to resolve, particularly if you aim to deploy technology. In general, you’ll have a relatively short period of time – as little as 30 days – to identify the root cause and present your action plan to regulators or auditors.
Nothing can derail a remediation more than not having consensus on its direction and end goal. That doesn’t mean you’re inflexible if obstacles pop up, but you need to remain solidly focused on the actions that will fix your root issue and ease the concerns of your regulators or auditors – not to mention reduce customer complaints and reputation risk.
Engagement is another potential pitfall, as you need to be deliberate who you involve in this conversation. The executive ultimately accountable for successfully remediating the issue cannot do so in a bubble. A successful effort will focus on getting the right number of people in the right roles to offer support and perspective. Too many people water down intent and add risk on top of risk, while too few might mean you miss all relevant insights and commitments. This should be a joint effort between your first and second lines of defense.
Remediation often isn’t sexy work. But it is absolutely essential in ensuring your business is doing right by your customers and living up to every product and service commitment. Invest the time to do things right the first time and document everything.
As mentioned earlier, a comprehensive action plan can easily take a year to execute – usually much more time than that. In the meantime, you’ll likely have people in key roles within your organization and regulatory agency leave, which will create a knowledge gap. Comprehensive documentation keeps you moving forward with clarity, as you eliminate the “guessing game” and interpretation gaps. If it’s worth talking about, it’s worth writing down.
Be sure to also build in solid testing to validate that your solution fulfills on your intent, with no side effects that disrupt other processes. Give your remedy time to work (i.e., a sustainability period), say, for a quarter, and make sure all the kinks are gone before you provide it to your third-line line partner for validation.
Remember, whether you have a third-line audit or a regulatory finding, whoever issues it is going to return to see that you solved the right problem. In nearly every single case of a validation failure, the reason is because the work didn’t solve the root cause or align on intent early.
During these many, many months that you’ve been in the trenches, so much turnover could have occurred that maybe no one is around who even issued the finding or developed your action plan. Maybe your business objective, systems and/or regulations have changed along the way. Of course, you should be checking in with your third-line partners every quarter or when hitting major milestones to discuss progress so there shouldn’t be surprises, but this underscores the value of solid documentation, so that every step you take ties directly back to what your plan said you’d do to fix the problem.
Success comes with both a regulator’s endorsement as well as sustained results from your action plan, as evidenced by the reporting and monitoring you’ve put in place during remediation.
A robust monitoring system should help identify an issue before somebody else does – whether that’s a customer or a regulator. If you discovered that your monitoring process is missing issues, now is the time to analyze its performance, identify gaps and resolve issues. You should also use your recently created action plan to develop a repeatable framework for getting things done so you can move quickly once you either self-identify a problem or are advised by outsiders that you’ve got an issue.
Our Spinnaker team has been on the front lines in successfully remediating tough business challenges. Whether you need outside expert analysis to identify root causes or recommendations for internal monitoring, we have the proven experience to get every piece of your business back into regulatory compliance. We can also develop action plans for addressing a regulatory ruling and even guide you in building an end-to-end framework that minimizes future risks.
Contact us to learn more, because we know that doing issue remediation the right way the first time is your only choice.
AI — artificial intelligence — is all the rage in the world of business analytics. But, focusing on AIGT — all in good time — may serve your organization better, today and tomorrow. Developing and building an intentional analytics progression plan toward AI will not only help your organization now, it will make future jumps into AI and other emerging business analytics capabilities much easier.
Business Analytics & Data Management 3 minute read
Data is at the heart of nearly everything we do in business. From hiring new people to determining future revenue to deciding on the right new product offering how we use data to make decisions drives business value. But what about the data itself? Decision-making is only as strong as the data you’re using. Data quality is essential.
Business Analytics & Data Management 3 minute read
The Big Picture Pick up recent copies of The Wall Street Journal or American Banker, and you’ll see headline after headline about consent orders and hefty fines issued by the Consumer Financial Protection Bureau to mortgage companies caught using deceptive advertising practices. This summer alone, eight have been issued. Two things immediately strike me when I see these stories: Many of these cases didn’t have to happen. And while these particular consent orders were concentrated in the mortgage sector, similarly problematic issues are most certainly occurring in other lending segments across the financial services industry. After a hundred years or so, you’d think we would know how to follow regulatory rules –particularly those put in place to protect consumers. Indeed, the first such laws were framed by the states before World War I – although the first meaty federal law, the Truth in Lending Act, wasn’t passed until 1968. Every new regulation layered in since then largely continues to further shield consumers from unfair practices – which often start with glossy ad campaigns designed to get them in the physical or digital door. The reasons why we’re still struggling with compliance aren’t too difficult to understand: turnover within organizations, competing priorities, a lack of sound controls, new staffers who are unfamiliar with existing regulations, and a never-ending list of new ones, including Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) and the Mortgage Acts and Practices (MAP) – Advertising Rule. There’s also often a gap between the intent of any new regulation and how marketing teams interpret it. The risks of not crossing every “t” and dotting every “i” are significant, as evidenced by these recent consent orders. Doing things the wrong way also can mean costly penalties, time-consuming regulatory remediation, and loss of customer trust – which can translate into higher complaint volumes and even lawsuits. Let’s explore some long-lingering myths about how banks advertise their lending products – and, more importantly, what your financial institution should be doing. MYTH: Legal and Compliance don’t need to review my ad since I’m the expert in marketing. FACT: This is the biggest myth that persists in financial services marketing and advertising. Every word you use to communicate has specific and nuanced meanings, and your legal and compliance teams have a responsibility to protect your company and consumers alike. No external ads or marketing materials should be released until you get signoff from your legal or compliance team. It’s not any more complicated than that. MYTH: Our marketing team knows what Legal and Compliance have told us. We get it, but we need leeway to make our ads eye-catching and even a bit sexy so we can get business in the door. One little word change doesn’t really make a difference. FACT: Remember how former President Bill Clinton faced legal drilling over his interpretation of the word “is”? You’d be surprised at exactly what a bank must validate before it advertises anything as “free.” That word “free” – and countless more – are triggers, often requiring specific disclosures on how they apply to what you’re advertising right at that moment. Ideally, your marketing and advertising teams should collaborate almost daily with your legal and compliance teams. Of course there’s going to be some friction between the advertising folks, who see in every color of the rainbow, and the legal and compliance folks, who typically only see in black and white. The important thing is to build processes and procedures that enable effective and efficient reviews of all advertising and marketing materials, and that begins with concepts. When you involve those responsible with compliance up front, they can help rethink an approach in ways that ensure the final ad meets regulatory requirements. Also, try taking their early “no” to mean “not yet” and be open to ideas on what could translate into an easy reframing. But go to them at the end with an ad that fails on every compliance front, and their “no” will be just that. When I was at a bank that now has more than $30 billion in assets, my compliance team worked diligently to become a strategic partner to the marketing team. It took some time, but our peers came to see that we never aimed to derail their vision. As our relationship evolved, so did our interactions. In fact, we created a desktop resource that allowed marketers to easily look up the latest laws or match sales terms with the necessary disclosures, delivering a self-service tool that also empowered them to create responsibly and expedite the review process. Rest assured, the goal of your bank’s lawyers and compliance officers is not to thwart creativity, but to ensure that amazing ad concepts give consumers precise, clear information about the company’s products and services, allowing them to make smart financial decisions. Believe me: Compliance teams want powerful, compelling and even award-winning advertising that brings more revenue in the door, because when you have that, everyone benefits. MYTH: Our market competitor ran an ad just like that. If they got away with it, then it’s OK and the legal and compliance team is overreacting. FACT: This is the corporate version of your mother asking you, “If everyone was jumping off a cliff, would you do it, too?” The only truth here is that your competitor ran an ad. You don’t really know if that financial institution “got away with it.” In fact, you might learn not too far down the road that your competitor actually got caught red-handed with a compliance violation. After all, the underlying premise of advertising is to spread the word, and regulators are paying close attention. Frankly, you should be analyzing what your competitors are doing, but I’m not talking about their advertising. Take a good look at every consent order or other regulatory action you hear about and compare it to what’s happening in your shop. Are you doing things the right way? Are you identifying and avoiding the possible risks in your process? In other words, consider that the teacher has given you every answer to the test, and you don’t want to fail down the road. MYTH: The bank’s advertising agency developed that campaign – not our internal team – so we’re not going to get in any trouble. FACT: Time and time again, oversight organizations stress that any third-party vendor – whether it’s an ad agency or a cross-sell phone queue – is a seamless extension of your financial institution. If they get it wrong, so do you. You don’t outsource the compliance responsibility along with the work. MYTH: All of that applies to my bank or mortgage company – not to me as a loan officer. I’ll post a special offer on my social channels just for my customers. FACT: Your very title of “loan officer” means you’re an officer of your financial institution, and the same exact requirements apply to you. Without question, the growing influence of social media makes consumer outreach easy, but the brevity and ease of these same platforms also make it more difficult to keep your team members from going rogue. The same compliance standards apply to all of your advertising, including any unsanctioned materials. Every employee needs to understand this responsibility. (BTW, don’t forget about old-fashioned tactics, such as a quick sales flyer that a teller might create and post in a branch. Whether that flyer meets your advertising brand standards is the least of your worries, because you’re most likely out of regulatory compliance.) MYTH: Getting an internal review takes so much time that we’re losing competitive advantage. FACT: Doing it right takes a fraction of the time needed to fix things – particularly if you’re cited for a regulatory infraction – and maintains your institution’s reputation. Yes, a legal or compliance review is another step in your marketing process, but it’s a short blip in the lifetime of a successful business. In my previous role, I was intentional about building interactions with the marketing team that served everyone’s needs as efficiently as possible. If a federal agency comes at you with a consent order or Matter Requiring Attention, you’re going to spend significantly more time finding the root issue, solving for your misstep, gaining regulatory signoff and getting back to work. You also can’t rebuild consumer confidence overnight – even with the most attractive offers in your marketplace. After all, if your customers know you’ve been under scrutiny before, do you think they’re going to trust that you’re being straight with them this time around?
Risk Management & Regulatory Compliance, Compliance, Risk Management 5 minute read
Like how we think? Subscribe to have our articles delivered direct to your inbox each month.
Headquarters: 8000 Franklin Farms Drive, Suite 100, Richmond, VA 23229
©2021 Spinnaker Consulting Group. All rights reserved.