For decades, compliance and risk professionals have been managing regulatory changes, and, wow, have we seen some changes over the past 25 years. Think back to 2003 and the implementation of the Customer Identification Practices rule, the 2004 HMDA changes, the 2009 reforms to RESPA, and the Dodd-Frank Act as a result of the financial crisis and Great Recession. Oh, and not to mention the Truth in Lending Integrated Disclosure Rule, which gives the industry headaches (and nightmares) even to this day. With all of these landmark regulatory changes, even with some of them going on simultaneously, the industry persevered, adapted, and implemented these rules based on their statutory timeline. Because there was a timeline. Ah... the good ol' days!
Fast forward to 2022, and it feels like the regulatory landscape is constantly changing. The expectations of our compliance programs change from exam to exam, year to year, or month to month. Sometimes, it feels like we are expected to adapt even from hour to hour. The unique thing about the cycle of regulatory change that we are in is that by traditional metrics, our "regulatory change landscape" is calm.
Not many final rules from the agencies.
We don't have hundreds or thousands of pages of final rules to digest that impact every line of business in the bank.
To be fair, we are waiting on two regulations that will change the banking industry going forward with CRA modernization and the Small Business Data reporting rule. But those proposals notwithstanding, there is not much in the way of formal, final rules we are implementing. Why are we so busy? And more importantly, how do we capture information on our changing landscape in a quantifiable way to inform our Boards of Directors of the true risks to our institutions?
To answer the first question, we are busy because of the pace and volume of what I'll call "alternative regulatory pronouncements".
We have had things like supervisory highlights and advisory opinions around for years. The number of publications and the frequency of their release have increased, as has the complexity of the issues they contain.
Not to mention the number of agencies that release such information. The other thing that has changed with these communication vehicles is the expectations surrounding our response to the information they contain.
They are no longer expected to simply be informational in nature; we are expected to thoroughly evaluate and analyze the information they contain and formally address them as part of our regulatory change program. But it's not just exam highlights. These alternative delivery methods now include industry speeches, blog posts, and, yes, Twitter feeds. While none of the agencies will publicly admit to effecting regulatory change outside of the established change process, there is a definite shift to announce changes or their position on certain issues through informal methods while still expecting banks to make changes to their programs as though they are formal regulatory pronouncements. I think the phrase "junk fees" is enough to make any compliance officer shudder. Banks across the country are evaluating everything they charge and trying to determine whether it could be considered "junk"... and why? Because of a new regulation or law? No. Because of a blog post. The pace of these posts, announcements, and other media is keeping compliance departments and counsel across the country busy for hours on end, working tirelessly to do the right thing for our customers while keeping risk manageable within the organization.
Now the tricky part.
Traditional risk metrics for change management measure final rules and the company's progress towards implementing them. They have deadlines. Statutorily driven mandatory compliance dates we are working to be in line with. Items that are easy to measure. The challenge for compliance professionals and risk managers today is how to measure these alternative sources which have no agenda in Congress we can follow. No publication in the Federal Register. No effective dates. And no true method to determine whether or not we are "in compliance" other than examiner judgement and discretion. To properly capture the risks to the organization, these sources have to be included in the bank's risk metrics and regulatory change management processes, even absent traditional markers and timelines to follow. The rigor that is needed for a new final rule has to be applied now to blogs. To Twitter posts. To Supervisory Highlights. Banks have an absolute obligation now to review these items, assess the risk to the organization, evaluate business processes, and determine the level of complexity for the bank to avoid the pitfalls that have impacted other banks and ensure that practices in place will not adversely impact consumers.
What's similar to the offending institution?
What do we have in place to mitigate?
How would we defend similar allegations?
Reactive "change management" has become, or has to become, a part of our way of thinking and standard business processes, and these non-traditional channels must be included in regulatory change management dashboards, reported to executive management and the Board of Directors. To fail to do so is a disservice not only to the management and shareholders of the bank but to the consumers we serve.
Managing regulatory change has always been a staple of compliance programs, but managing the uncertainty of change is what will truly separate the good compliance functions from the great ones. Be GREAT!!