Top 10 Compliance Initiatives in 2018 for small to mid-sized Banks and Financial Institutions

Transcription

1 Top 10 Compliance Initiatives in 2018 for small to mid-sized Banks and Financial Institutions Risk and Compliance in the Banking and Financial Services Industry

2 Overview Based on feedback 360factors received throughout 2017 from talking with various clients in the banking and financial services industry, our team found that mid-sized banks and financial institutions are faced with working towards transforming their risk and compliance functions into a single enterprise-wide framework. They need to protect strategy and business goals against a volatile economy, disruptive regulatory changes, competition and globalization - as well as mitigate the threat of poor culture, conduct and cybersecurity risk. In this whitepaper, we will discuss in detail why compliance management has become a fundamental component of banks' day-to-day routines and long term strategic planning processes. Here are the top compliance trends for banks in 2018: Cost of Compliance Finding ways to streamline and reduce the cost of compliance...3 Building a compliance culture to maximize earnings and minimize risks...3 Regulatory Change Improving how regulatory changes are tracked along with the impact of those changes...5 Understanding the changes from the CFPB, other regulatory agencies and de-regulation...6 Driving Efficiency Eliminating manual, redundant processes across the institution...7 Driving a more Proactive vs. Reactive Compliance Management program...7 Providing real-time visibility into all compliance management activities...8 Where Compliance and Risk Intersect Turning Compliance and Risk management into competitive differentiation...10 Managing Vendors and Third-Parties...10 Maximizing value through managing risks

3 Cost of Compliance Finding ways to streamline and reduce the cost of compliance Throughout 2017 a common theme among many mid-sized banks and financial institutions is to augment their current workforce with tools that drive efficiency. Risk and compliance management is often approached from a departmental perspective by many banks instead of from an enterprise-wide perspective. The result is redundant and disparate processes, resources and tools scattered throughout the organization. This disjointed approach naturally results in wasted time and dollars as each department struggles with the same problems in different ways. Historically, integrated governance, risk and compliance (GRC) systems were only available and affordable by the largest banks and financial institutions. Now the trend has shifted as many smaller and mid-sized banks and financial institutions are looking at the next-generation GRC systems that are more cost-efficient and less complex to implement. Their goals are simple: reduce the number of applications and manual tools used within the bank while ensuring a consistent process is followed and increasing the efficiency of their employees. Building a compliance culture to maximize earnings and minimize risks Risk & Compliance has become one of the biggest ongoing concerns for financial-institution executives. Costs to ensure regulatory compliance have dramatically increased relative to banks' earnings and credit losses, especially as the scope of regulatory requirements continue to change. Mortgage servicing was a learning opportunity for regulators that, following the crisis, resulted in increasingly tight scrutiny across many areas of a bank s operations. These risks resulted in numerous financial institutions taking significant blows to their bottom-line. 3

4 Over the past year, we hear our customers continuing to explore how to change their approach towards the culture of compliance. Rather than a separate department and cost center responsible just for ensuring compliance to regulatory standards, banks in 2018 are moving ownership of a department or product risks and regulatory compliance requirements to the actual business units/functions and employees. Compliance and risk management staff are no longer tasked with completing the compliance activities; they are instead tasked with ensuring that the business units complete their own risk assessments, manage their own compliance activities and ensure that compliance to their specific regulatory requirements are being met. By pushing these responsibilities to the business units, banks are hoping to maximize earnings from their product offerings while minimizing regulatory compliance risk. Compliance and risk management thus becomes part of the company culture. 4

5 Regulatory Change Improving how regulatory changes are tracked along with the impact of those changes Today's business climate is more complex and more challenging than ever before. New regulations or changes to existing regulations naturally increase ambiguity and inherent risk, thus increasing the probability of operational breakdowns and becoming non-compliant. The impact and probability of the risks associated with those regulations depends on how well you understand the intent of the law, how well you interpret the law, how you implement the law and how well regulatory change management is institutionalized within your firm. While many banks and financial institutions may view de-regulation as a positive step in helping to reduce costs, these same banks are also struggling to understand the impact these changes have within their operations. The problem is compounded since instead of one big bang, these changes are happening one-at-a-time and at a fast clip. Unless a bank has effectively mapped their risks, policies, procedures, training plans, assessments, audit templates and compliance calendar to their associated regulatory requirements, the bank s compliance staff is often scrambling to understand the impact a regulatory change creates, what needs to be done and managing the timely completion of those activities. The result is often non-compliance and/or a high probability that the business will not meet their regulatory requirements on time. As such, one of the top trends in 2018 for mid-sized banks is to start mapping all their risks, policies, procedures, training plans, assessments, audit templates and compliance calendar to the associated regulations and regulatory requirements. While this can be done in spreadsheets, a more integrated GRC tool will typically be implemented to allow the visualization of these links and to easily capture all this data across the various departments and locations in the bank. 5

6 Understanding the changes from the CFPB, other regulatory agencies and de-regulation Depending on who you talk to, Republicans have made limited progress on President Trump's pledge to "dismantle" the Dodd-Frank Act, which the GOP had hoped to gut by the end of But the GOP and independent regulators could still make critical changes to key parts of the law's legacy. With a conservative new director for the Consumer Financial Protection Bureau, bipartisan interest in amending parts of Dodd-Frank, and the GOP focused on pulling back a few key rules. Office of Budget and Management Director Mick Mulvaney has made sweeping changes as the acting chief of the Consumer Financial Protection Bureau (CFPB), a once-aggressive watchdog created under Dodd-Frank. Appointed by President Trump in November to rein in the agency long loathed by the GOP and financial industry, Mulvaney has steered the agency towards deregulation. Banking activity is characterized by a multitude of risks that affect the performance of banks. Additional risks have emerged because of actions such as deregulation, re-regulation or increased competition. Because risk opportunities have increased, banks and monetary authorities have assimilated new techniques and instruments for risk management. The experience of the recent financial crisis has led banks to be more careful with the activities and tasks they perform to manage risks. Central banks and other competent authorities have become more concerned with understanding the vulnerabilities of banking systems and the techniques that help prevent systemic crisis. 6

7 Driving Efficiency Eliminating manual, redundant processes across the institution A majority of mid-sized financial institutions still use standard office tools like Excel and Word due to their familiarity, and ease of access to these tools, as their primary system to store data. However, these methods don't offer effective traceability, never mind providing an accurate audit trail for content entry. As such, many financial institutions are finding that spreadsheets have become the source of the problem rather than the solution. Another common theme in 2017 among small to midsized banks and financial institutions is to look for solutions that can be easily integrated into their current work environment, as well as provide shared functionality for common compliance tasks. Additionally, Risk and Compliance officers/managers are asking for a solution that eliminates countless spreadsheets, reduces data entry, and enables collaboration across departments and cross-functional teams. Ideally, firms wish to have all their compliance monitoring activities in a single integrated system that delivers consolidated enterprise reports, rather than a multitude of manual solutions deployed to manage the respective business area. Driving a more Proactive vs. Reactive Compliance Management program When it comes to risk and compliance, we found that banks and financial institutions generally have two different kinds of approaches to implementing a compliance plan within an organization: proactive and reactive. Reactive - Many companies have used a reactive compliance process for many years. We hesitate to call a reactive approach a plan because it really isn't a plan beyond the mechanics of scheduling an audit and remediating identified issues. A simple and common example would be: Purchase an audit checklist, perform an audit against that checklist in some fashion either internally or by leveraging a consultant, correct any deficiencies (hopefully updating your policies, procedures and other controls to accommodate the changes), and then wait a year or more and then rinse and repeat. 7

8 The advantages to a reactive approach is lower upfront cost and simplicity. However, the disadvantages would be higher incremental costs, incompleteness, lack of real-time visibility and increased risk. Why increased risk? The possibility of fines is much higher due to long periods of time between audits where you might be in non-compliance. Rules and regulations change constantly and when you are measuring compliance at such wide intervals, you will very likely be managing to non-compliance at some point. Proactive - A proactive approach is fundamentally different, allowing changes in the regulations and standards to drive compliance and changes throughout an organization. How is this accomplished? Every control, audit, policy, procedure and task related to compliance are linked back to the rules and regulations they were derived from. Why? When the regulation changes, you can proactively reevaluate all the above to ensure they can reflect the changes in the regulation and standards. The advantages to a proactive approach are numerous. One of the highlights is that you are always compliant, hence, you can clearly demonstrate that you always have been compliant. This approach helps you manage and reduce financial, legal, reputational and regulatory risks. Another benefit is that executive management has up-to-the-minute visibility into the current compliance state of the organization instead of relying upon data that is months or years old. Providing real-time visibility into all compliance management activities Keeping with the theme of Driving Efficiency, banking and financial Institutions have cross-functional departments which make it difficult to streamline and standardize the workflow across the organization without an automated system to manage compliance activities. With constant changes across multiple rules and regulations, it is becoming increasingly difficult for management to have real-time visibility into all the compliance activities across all these departments. Sometimes rules are broken due to negligence, but often are due to lack of information about a newly created or changed rules. It has become almost impossible to be compliant when using manual rudimentary systems like spreadsheets and SharePoint. Management wants to have real-time visibility on all compliance matters instead of quarterly reviews. These reports are typically a cut and paste from numerous spreadsheets and could potentially include inaccurate data. There is a growing demand for an integrated solution that ensures data is accurate and up to date which also provide notifications to relevant compliance team members of changes and updates. 8

9 There is also an increased need for a system that provides auto notifications to compliance tasks/activities, and which is attached to a compliance calendar that notifies the relevant department/function on an assigned task. Automating the enterprise risk and compliance management system helps in achieving optimal visibility into all risky compliance-specific aspects of the organization and ensures that compliance does not become a stumbling block as the organization grow. Compliance Management System 9 Policies Standards Rules Regulations Requirements Risk

10 Where Compliance and Risk Interset Turning Compliance and Risk management into competitive differentiation Risk management has been around for decades in large financial services organizations, using highly evolved risk modeling and analysis to manage market and credit risk. As mid-sized banks and financial institutions contend with geographical expansion, the increased use of outsourcing, and the operational and financial demands of regulators, it is more important than ever for the organization to take a strategic approach to effective risk mitigation and management. CEOs and CROs today are looking for ways to differentiate their companies. One integral way is to manage their risk profile as it helps identify the risks and threats faced by an organization. It may include the probability, negative effects and an outline of the potential costs and level of disruption for each risk. Automating risk and compliance impacts the business immensely. As elaborated earlier, real-time visibility on accurate data helps the organization remain ahead of the curve. It greatly minimizes the repercussions on being negligent to regulatory compliance, avoiding fines/penalties and reputational damages. Managing Vendors and Third-Parties Another common trend throughout 2017 was to find ways on improving the management of third party vendors or vendor risk management. While vendors often provide value through their solutions, expertise and experience, ultimately the responsibly for all spects of the bank's operations, including products and services provided by their vendors, fall on the bank. As such, an effective risk and compliance management process is required to mitigate the risks associated with the loss of control and close oversight that often occurs with a vendor relationship. 10

11 Below are some common challenges as well as some best practices on how to address each. A. Due diligence. Before selecting a vendor, banks and financial institutions should conduct due diligence. This includes obtaining references, particularly from other financial institutions, reviewing financial statements, and researching the background, qualifications, and reputations of the vendor's principals and the vendor's overall reputation, including lawsuits filed against it. It also includes ensuring that the vendor has data back-up systems, continuity and contingency plans, and proper IT security and management information systems to remain in compliance. B. Risk assessment. A detailed risk assessment should be developed based on the initial due diligence review. It should be provided to senior management and the board of directors prior to engaging in a new activity. The risk assessment should identify all categories of potential risk faced by a vendor's activity, including compliance, reputational, operational, credit, and transaction risks. It should also identify all applicable consumer laws and regulations to ensure compliance. C. Clear contractual expectations. Contract provisions should be based on identified risks, contain expectations for complying with applicable consumer protection laws and regulations, and contain the right to request information that demonstrates compliance, such as audit and monitoring reports. Important provisions that a vendor contract should address include but are not limited to: the scope of outsourced services; the procedures the vendor must follow; the bank s service-level expectations; the bank s approval of a vendor s use of subcontractors; the bank s right to conduct audits or request third-party reviews; the confidentiality of data; the vendor s warranties, liability, and disclaimers; dispute resolution mechanisms; default and termination provisions; and customer complaints and responsibility for responses. 11

12 D. Comprehensive monitoring program. Real-time visibility and monitoring derived from the risk assessment developed during due diligence is very important. Monitoring of vendor performance should incorporate a review and tracking of complaints related to the vendor's activities. E. Board oversight. Keeping the board of directors up to date on the vendor management program is key to ensure proper oversight on the risks inherent in third-party relationships. The board should have real-time visibility to review the vendor management policy, due diligence reports, risk assessments, and monitoring results. Maximizing value through managing risks Another emerging trend in 2017 is how to find ways to maximize value through minimizing risks. In most cases, banks and financial institutions need to transform the role of their compliance departments from that of an adviser to one that puts more emphasis on active risk management and monitoring. In practice, it means expanding beyond offering advice on statutory rules, regulations, and laws to becoming an active co-owner of risks and providing an independent oversight of the control framework. Compliance functions are looking to integrate the applicability of laws, rules, and regulations across businesses and processes and how they translate into operational requirements. Developing and managing a robust risk assessment process that incorporates developing and enforcing the right policies and procedures for an effective risk-mediation process while establishing training plans/programs and incentives and managing the overall qualifications required of each type of job or work environment. As the regulatory environment evolves, in order to maximize value, banks and financial institutions are looking to evolve their compliance culture, thus delivering a better quality of oversight while at the same time increasing its efficiency. Banks and financial institutions that successfully make this shift will enjoy a distinctive source of competitive advantage in the foreseeable future, being able to deliver better service, reduce cost, and significantly de-risk their operations. 12

13 Conclusion We can conclude that many organizations still retain manual systems that lack a company-wide transparent view of enterprise risk and compliance, and continue to struggle using a siloed approach. Hence, organizations can incur high losses due to inefficient collaborative processes, disparate enterprise risk management initiatives and fast-changing regulatory compliance demands. Consolidating disparate activities has the potential to accelerate and drive down the cost of noncompliance and deliver real competitive advantage. Banking and financial services institutions must think strategically about the long-run, embracing new technologies and improving operations to better monitor risk and compliance. Strengthening risk & compliance is the key in a highly regulated environment. How we can help About 360factors 360factors, Inc. helps companies improve business performance by reducing risk and ensuring compliance. Predict360, its flagship software product,integrates regulations and requirements, policies and procedures, risks and controls, audit, assessments, controls and employee qualifications, certifications and training in a single cloud-based platform powered by artificial intelligence. Predict360 helps clients reduce their efforts in managing compliance and avoid the need to hire additional headcount by providing a complete risk and compliance software solution in a single integrated cloud-based SaaS platform developed specifically for community and mid-sized banks and financial institutions. Why 360factors Artificial Intelligence Automates and reduces the ongoing effort in managing your compliance requirements Affordable! With monthly and annual SaaS payment options Cloud-based Managed Service Get more value from your relationship with your consultants 13

14 Contact Us Call today. Schedule a FREE TRIAL and DEMO online at Headquarters 5910 Courtyard Drive, Suite 170 Austin, Texas Contact Info: Phone: (866) info@360factors.com Web: tm 14