Picture a tidal wave of regulatory change rolling across banking, leaving each institution changed, in its wake.
The wave carries more than the obvious elements--new rules, rising penalties, and a new regulator, the Consumer Financial Protection Bureau. It also brings much deeper challenges that are demolishing the industry’s long-time compliance management structures and forcing creation of new ones.
Some banks were hit by the front edge of this wave. They are now well underway in building a new approach. Many others are in the midst, struggling to stay afloat.
Still others have not yet felt the change.
And they are, therefore, underestimating it.
Wave you can’t duck or dodge
There are two drivers for the required compliance overhaul: regulatory risks and regulatory costs. Both keep rising on a curve that is simply unsustainable.
Banks everywhere are hiring compliance people and buying new systems, and yet they are losing, rather than gaining, ground. Much of the industry is experiencing organizational exhaustion. Staff keeps working long hours to implement new regulations while simultaneously managing defensive efforts arising from enforcement and litigation over past activities.
And these challenges have barely begun. CFPB has issued only a comparative few of the new regulations it will write. Litigation and enforcement actions by all the supervisory agencies are escalating.
To remain competitive, banks have no choice but to find an improved model that will profoundly alter the roles of nearly everyone.
But two people will especially see life change: the chief compliance officer and the chief executive officer.
As often happens with disruptive change, today’s challenges can eventually bring something better--compliance processes that are leaner, cleaner, and better for both banks and customers.
That’s tomorrow. Today, though, everything will get harder before it gets easier.
Here are the most critical things to understand about the transformation that is underway, and how best to optimize it for your bank.
The fundamental shift to risk management
The core challenge is to transform the banks’ compliance program from being technically-focused, reactive, and siloed to being principles-driven, proactive, and deeply integrated with the rest of the bank, especially the business lines.
The word “compliance,” itself, reflects the problem.
It suggests an obsolete mindset focused narrowly on technical rules. Instead, banks today need a broad-scale “risk management” approach that combines technical excellence with an ability in the senior executive team to make sophisticated subjective judgments, together, paralleling the way they manage other kinds of risk.
These shifts are needed because the top compliance risks no longer flow from the technical rules, but rather from a rising regulatory focus on subjective or “principles-based” standards, mainly aimed at assuring “fairness” to consumers.
Consumer fairness issues center largely on three kinds of laws.
The traditional fair-lending laws (the Fair Housing Act and the Equal Credit Opportunity Act), along with the Community Reinvestment Act, are areas that most banks learned to handle well decades ago. However, they are now being re-thought by the regulators in ways that are catching banks by surprise.
Even more critical is the emergence of UDAAP--the ban on unfair, deceptive, and abusive practices--as the top compliance risk.
Traditional compliance is designed to “check the boxes” on prescriptive, technical rules. It is simply not designed to produce, and cannot reliably create, a subjective outcome like “fairness.”
Fairness also cannot be produced through reactive systems that are built to wait for and respond to regulatory requirements and guidance or to examiner criticism. The new fairness standards include conceptual guidelines but offer no clarity on how specifically to apply them--where to draw the line on what practices or products or pricing may be deemed deceptive, abusive, unfair, or discriminatory due to “disparate impact” on protected customer groups.
Banks are finding themselves in severe regulatory difficulty over practices that had been fully reviewed and cleared by their lawyers (and even by past examiners), and that are suddenly the source of serious regulator criticism.
When a practice is found to be a violation of UDAAP, it will be considered to have been illegal all along. Only a proactive focus on fairness can prevent this kind of damage.
Unsustainable costs of modern compliance
Accompanying the above risk transformation is a corollary shift in the nature of compliance costs, which are rising on a curve that cannot be sustained.
One regional bank says nearly 30% of its personnel now work in risk management roles. Many large banks are hiring hundreds of compliance people, on top of the thousands some of them already employ. Banks are buying new technology, outsourcing functions where they can, and paying for independent reviews and training. Many are purchasing GRC systems (governance, risk, and compliance) to capture, integrate, analyze, and report enterprise-wide data that can transcend traditional compliance risk metrics.
Small banks are creating new compliance positions and spending more on systems and outside experts, but still finding their needs outstripping their investments. Some banks are exiting whole business lines and markets where the likely compliance risks and costs exceed the profit potential. Even among banks that are cutting staff overall, the compliance function is almost always growing.
One driver for the rising costs is, of course, the escalating scope and pace of change, with all the agencies constantly issuing new and changed regulations and guidance (and with much more to come as the CFPB tackles the Dodd-Frank mandates to overhaul Truth in Lending, RESPA, and HMDA, among others).
Another driver is the emerging fairness focus described above, which has been placed on top of all the technical rules as an additional layer of risk.
A third cost escalator is that banks of all sizes are diverting massive resources into defensive and corrective regulatory activities. High levels of Matters Requiring Attention, enforcement actions, litigation, pressure to “get to strong” compliance performance ratings, and informal examiner criticism are all triggering major projects involving self-investigation, file review, remediation to affected customers, special reporting, and the like.
Performing these backward-looking tasks while also building go-forward processes to meet new mandates is exhausting internal staffs and consuming large budgets for outside help. Informal estimates suggest that ten to fifty percent of bank compliance costs are being absorbed by these defensive kinds of activities.
Another key cost problem is weak technology. I have never encountered a bank that considers its compliance program efficient, especially in using technology. Despite their high expense, compliance functions have been typically starved for IT resources for decades.
Personnel use inefficient home-made Excel spreadsheets or one-off compliance tools to collect and analyze data, and go through burdensome processes to create and update reports. They also impose unnecessary costs on the business lines by having to make redundant requests for information, using separate processes and formats that should instead be integrated with other routine and automated monitoring and testing functions.
Meanwhile, few banks have real early-warning technologies that spot and correct potential problems before they trigger high-cost problems.
Again, most banks are losing ground on both fronts--they are spending far more, and their risks are rising anyway. It will not be possible to solve this simply by hiring more and more people to tackle the growing workload.
The traditional compliance management model is being crushed by these realities. It will need to be rebuilt in a new form. The keys to cost management are the same as those for risk management: design a new approach that is proactive, principles-based, and integrated with the rest of the bank in terms of information handling, decision-making, and collaborative cultures.
Getting there will require a new kind of leadership from the CEO, the chief compliance officer, the executive team, and the board.
New role—and expectations—for compliance officers
We are in the early stages of a shift that will require compliance officers to develop very different skills. Most of these professionals are in their jobs mainly due to subject matter expertise--their deep knowledge of the regulations. This expertise is more valuable today than ever, as evidenced by the fact that bank and non-bank financial companies, regulators, and others are fiercely competing for it.
However, the traditional expertise is no longer enough. The industry is full of compliance officers who know the rules, but who lack the positioning, confidence, and skills to lead their organizations forward through the difficult times ahead.
They were not selected for their jobs based on leadership traits. Few banks have invested in helping them develop such strengths.
Leadership (as opposed to management) is about getting people to follow you even if they don’t necessarily have to. Today’s compliance leader must be able to sit down at the table with the bank’s top executives and boards to marshal the needed resources, guide good decisions, and work collaboratively with business line heads to design products and practices that avert high risks.
Except at the largest banks, most compliance officers currently are not in a position to do this.
The new role requires sophisticated skills in organizational change-management, cultural transformation, integrated project management, persuasion, negotiation, presentation, and technology. Compliance today requires process mapping and data analysis, with knowledge of concepts like LEAN and Six Sigma management, that can cut through layers and wasteful functions so as to get things done in two steps instead of 25.
Compliance officers need access to “integrators.” These are people who understand both compliance and business processes and who can build compliance solutions that work efficiently for the business as well as the regulators. They need this same ability to integrate with operations risk functions, which deeply overlap their own and are the source of a large share of UDAAP danger.
Compliance leaders also need the ability to create new, more meaningful metrics that assess actual risk and quality, not just the numbers of technical mistakes.
Some banks have been hiring chief compliance officers from other fields. They do so hoping it will be easier to teach them compliance than to teach leadership skills to their current compliance people.
Others, though, are investing in training and skill-building for their compliance professionals. Banks are also transforming the goals and performance standards for their compliance leaders, and tasking them with executing multi-year strategic plans and change-management projects that will not only update systems to meet new rules, but will build entirely new and better regulatory risk management programs.
Compliance officers everywhere are embracing this new challenge and are undertaking it in concert with their most important new partner in the bank--the CEO.
The CEO’s new role
The CEO is going to have to make all this happen.
All bank leaders want their institutions to comply, but few want to devote much personal time to the effort. CEOs have typically seen consumer compliance as low-risk, non-germane to the real business of banking, and of course, boring.
For decades, they didn’t need to feel or act differently. It worked well to delegate these complex tasks to specialized compliance personnel, leaving the CEO worrying only about the cost and the routine errors that examiners inevitably find despite best efforts.
This mindset, however reasonable in the past, is today creating serious regulatory failure. Compliance risk management and cost management have become, together, a strategic priority. Like every strategic priority, they call for changes that can only be driven from the top. The CEO must spend time on them, must grapple intellectually with them, and must use all the tools of leadership to harmonize them fully with the bank’s culture, strategy, goals, metrics, performance standards, technology, and all the other keys to success.
A side bonus in this effort is that CEOs who engage this way usually find that, while Regulation Z might be boring, UDAAP is not. And, importantly, UDAAP is tightly tied to other things that matter, from strategy to building morale to winning and keeping customer loyalty.
The new approach can be thought of as “regulatory excellence”--a phrase one never heard in the past. The old-style habit at some banks of aiming for a regulatory “B-minus,” devoting just enough resources to avert serious problems, is giving way to the reality that reaching higher, striving proactively for excellence, is the only way to avoid likely failure.
It has the double benefit of saving money too. The old dichotomy between compliance risk and cost--that banks have to spend more money to get less risk--is being replaced by a realignment in which optimized efforts can both reduce risks and contain growing costs, at the same time.
Some CEOs are even viewing compliance excellence as a competitive edge. They plan to watch competitors get mired down in regulatory penalties and corrective work, while their own companies enjoy a position of strength that enables them to do mergers, innovate, run lean, and win market share.
Acknowledge the real world
In a better world, regulatory performance would not loom so large. In the world we have, it does.
And when it is well-integrated with the bank’s core mission and strategy and customer commitment, led from the top, and combined with smart investments in IT and process-efficiency, banks today can minimize their costs, manage their risks, and leverage their regulatory efforts toward building a winning institution.
Smart banks, in other words, can ride the crest of this compliance tsunami instead of being crushed by it, if they have the foresight, skills, and balance to keep them on top.
And while you are pondering these issues, one word of advice here: Give your compliance officer a raise.