Regulation persists as a major challenge for the banking industry and Financial Services Institutions. The sheer volume and the complexity of these updates are often a laborious and up-hill battle. A recent survey polled the responses of 123 compliance professionals across North America & Europe where 19% of the respondents reported taking up to a year to implement regulatory changes!
Over the last few years, banks have had to deal with an ever-increasing number of overlapping regulations established by a diverse, uncoordinated set of regulators across many locations. In short, the pace and complexity of regulatory change significantly hampered banks’ ability to change and grow their business.
It may have been possible to keep a track of regulatory updates using standard approaches earlier, but as regulators continue to bring in more reforms in this age of rapidly evolving and disruptive financial technologies — including Fintech, IoT, and Crypto currencies — standard models are proving to be ineffective.
The need of the hour is to develop a robust and technologically reinforced regulatory change management framework to help manage the next wave of regulatory reforms. A “wait-and-watch” approach is no longer sustainable. Put into practice, the following 5 steps would enable organizations with the right set of tools to manage regulatory changes and stay ahead of the curve.
1. Keeping Track of Regulatory Updates
Organizations have to keep track of regulatory content from global as well as regional regulators from a multitude of sources including regulatory publications, industry associations, national and local media, and specialized content providers such as LexisNexis, Thomson Reuters, etc. With so many sources to keep track of and high volumes of relevant content to analyze, organizations may find this exercise time consuming and resource incentive. To be successful banks should assess the future regulatory landscape across a 2–3 year timeline through comprehensive and thorough horizon scanning by engaging with the experts and regulators that would impact assessments of the business.
One other solution would be a cloud-based content platform which serves as a one-stop shop for regulatory content from various sources. Using this platform, compliance professionals can subscribe to curated content based on predefined rules and keywords, which can be streamed directly as RSS feeds, alerts, or email notifications. Pre-defined rules can be setup based on a variety of regulatory attributes including industry, jurisdiction, topic, state, due-date, etc., thereby ensuring relevant information reaches subscribers in real time and are also mapped to multiple GRC attributes such as risks, controls, policies, etc.
2. Standardizing the Regulatory Taxonomy
Adopting a common methodology can raise efficiency and aim to reduce the size of the change portfolio. Banks can no longer finance an ever-growing regulatory change portfolio, as they need to allocate (or defer) budgeted funds for new strategic transformation initiatives. Banks and their advisory partners should explore regulation overlap and aim to merge regulatory programs and then leveraging precious expertise and resources to address multiple and comparable requirements.
Additionally, a common regulatory change methodology should take into consideration the potential hit to profitability and assess business, operational, financial and customer impacts to help banks make the most strategic choices.
3. Develop a more Balanced-Risk Management Corporate Culture
Defining a risk appetite is essential to developing and embedding a balanced risk culture. Adopting a traditional approach to Risk, Compliance or Internal Audit is no longer enough, as even a slight breach by a single individual or team can threaten the entire organization’s stability. With fines and penalties increasing, banks’ corporate culture must dramatically change to make employees more aware of the risks affecting the business.
While most banks have already succeeded in making employees well aware of issues and objectives, more effort is required to embed a corporate risk management culture aimed at making employees as sensitive to GRC issues as they are to commercial objectives. To succeed, any major corporate culture change needs to be supported by a change in values, appropriate training and effective controls and tools.
4. Assigning Regulatory Responsibilities
In order to ensure accountability, it is important to clarify the roles and responsibilities of the individuals who manage the compliance function. While a cloud-based content platform will ensure the right information reaches the right set of users, each user should be a seasoned compliance professional with the ability to scrutinize these regulatory updates to determine whether they are applicable to the organization. Relevant SMEs need to be identified within the organization who understand the laws/regulations and have sufficient knowledge to analyze these updates in detail. It is important to clearly document these roles and responsibilities, establishing accountability in the complete information lifecycle — from the time a new alert is delivered to the time it is successfully implemented. Additionally, it is recommended that the senior management be actively involved at each stage, and the board has clear visibility into the whole process.
How can organizations achieve this? Ensure that there is a first level of screening or assessment by a centralized regulatory coordinator to determine the applicability of the regulatory updates to the organization. He or she would then pass the mantle on to individual assessors within relevant departments for detailed impact analyses. Finally, collaboration with external stakeholders also becomes important when regulators, customers, business partners, and other parties need to be informed on any changes in the organization’s overall processes, policies, controls, or other factors.
5. Assessing the Business Impact
Every regulatory update needs to be assessed in terms of the business impact it has on the organization. After the initial applicability assessment, each business unit can carry out a detailed impact analysis on an update to identify which risks, controls, policies, procedures, training, and reports are affected and need to be revised.
It is also important to group similar regulatory updates as it will help not only in eliminating duplicates but also in identifying similar trends and patterns in the risks, controls, policies, and other areas that are impacted. This analysis then needs to be rolled up as per the defined organizational hierarchy to provide a holistic view of the impact across the enterprise.
6. Implementing Regulatory Change
As regulation is now central to banking activities, strategies should be closely tied to it. Governance, risk and compliance (GRC) professionals should therefore be business partners involved in each step of business strategy development and implementation. Typically, GRC professionals only deliver advisory opinions. But banks should instead implement a framework or model to encourage a business–risk partnership so as to put business strategies, risk management and compliance at the heart of the organization. Standard workflows need to be defined for the review and approval processes with escalation capabilities when the tasks become overdue. Additionally, to ensure nothing goes amiss, it would help if business users are notified of the tasks that have been assigned to them through standard email notifications and reminders to relevant users.
To make these steps easier and achievable, organizations can opt for a robust and comprehensive regulatory change management solution which leverages a common foundation to facilitate multi-dimensional mappings with other GRC elements. Such a solution can help centralize disparate and manual operations across business units and geographies, and align them with the organization’s overall business goals and objectives. This will not only help them track and analyze the all too frequent regulatory changes but also ensure that these changes are effectively and efficiently implemented.