Compliance management meets fintech

“Compliance is not designed to be the place you get a ‘no.’ It’s the place designed to show you how to get a ‘yes’.”

In some banking organizations, that’s an enlightened attitude, and not one everyone would believe. In fact, it is fair to say that historically Compliance and Product Design (or Marketing) in banking have regarded each other with suspicion, if not outright mistrust.

Can the relationship be more productive?

There has been movement in this area in recent years, and the urge to make it better has grown among banks as the need to think in terms of “fair banking” has increased. Urging this along are factors such as the expanded UDAAP standards implemented by the Consumer Financial Protection Bureau and put in motion by the Dodd-Frank Act.

The words at the opening of this article come not from a compliance officer nor from an optimistic marketer, but from a CEO. Richard Holbrook, chairman and CEO of $9.6 billion-assets Eastern Bank, Boston, made the statement as a matter of his institution’s philosophy, just after his top compliance officer had spoken at the recent Mutual Community Bank Conference of the American Bankers Association March 14.

That official has a particularly interesting perspective on bank compliance. Steven Antonakes, senior vice-president and chief compliance officer, came to Eastern Bank after serving in several senior posts at CFPB. When he left the bureau he had risen to the position of deputy director. Before his federal service, he had spent a long career chiefly in state supervision in Massachusetts, rising to the post of Commissioner of Banks.

His presentation to the mutual bankers, followed up with an onsite interview with Banking Exchange, illustrates the challenges and opportunities for synching compliance with financial technology and other critical banking evolution. Antonakes’ high-profile hiring came at a time when the bank was expanding its financial technology efforts. Dan O’Malley, chief digital officer, joined the bank to head its Eastern Labs in 2014. (You can read more about O’Malley from the premier issue of Banking Exchange, in “Entrepreneur. Data nerd. Banker”) 

Ties versus jeans

The intersection of compliance and financial technology at Eastern is part of an overall meeting of traditional banking and the leading edge. In a separate part of the program, during a CEO panel on compensation issues, Holbrook discussed how the industry needs to attract employees who are not initially attracted to bank jobs.

“The problem we’re having is making ourselves seem more exciting,” said Holbrook. He spoke of how O’Malley started the labs effort with a core of data experts from other companies. The rules in the labs, reflected Holbrook, are different from the rest of the bank, and the contrast is quite visible to the public.

The labs are headquartered on the ground floor of Eastern’s main office, occupying a third of the floor plan there, and the staff that heads into the bank dress, well, like bankers. Those who report to the labs dress like techies—jeans, no ties, the full fintech gig.

“It’s a completely different look and it’s right in our headquarters,” said Holbrook. “They are making a difference in the corporate culture. Their dress is more sloppy, but that’s OK—our customers aren’t dressing like us either. They [labs staff] are making us think about our business differently.”

Does “differently” apply when it comes to compliance, though? Can an advanced product development effort coexist with compliance headed by someone who only recently was helping to set major new rules?

Fintech and compliance face challenges

Banks face increasing competition from fintech companies and have to find ways to compete without falling out of compliance.  Antonakes traced the advantage of disruptive fintech players versus those of banks.

Nonbank fintech players typically don’t have legacy branch networks or IT systems: they are in the position to leverage post-crisis distrust of banks; they face little or no regulation on their nonbank sides; and they can tap technologies that provide the high-tech experiences that many customers crave.

Banks, on the other hand, have the customer bases that fintech players want to reach. Inertia—the product of both bank tradition and regulation—can make it complex for customers to break certain longstanding relationships. (Think of the many inbound and outbound automatic flows that may involve a single checking account, for example.)

Banks have a rich source of historical data from years of customer relationships, if they can reach it—something that O’Malley said appealed to him about taking on a bank position. And certain bank facets, such as deposit insurance, are not readily accessible to fintech players.

Fintech competition keeps growing. Antonakes noted that over 100 nonbank online lenders offer direct loans to small businesses. While there are complaints about these lenders, including high interest rates, businesses really like the speed of approvals, Antonakes pointed out.

Banks have partnered with such companies in various ways, but Antonakes said that regulators often express concern about the due diligence done before deals are struck. Sometimes, too, they are concerned about how well banks understand how their partners’ businesses work.

How the fintech foray into lending works out remains to be seen. Antonakes said that the nonbanks’ credit models had not yet been tested by economic reversals.

Will fintech get bank-style regulation?

Antonakes said that one of CFPB’s roles is to level the playing field among bank and nonbank players in various areas of finance. A criticism of the bureau has been that this hadn’t been happening, with the bureau instead going after traditional players.

Antonakes said in his presentation that many don’t appreciate that CFPB has a very small examiner corps—the smallest among federal agencies—and thus tends to prioritize attention by where it perceives the greatest risks to be.

He also explained that CFPB has different types of jurisdiction. The bureau has direct authority over larger depository institutions as well as over nonbank participants in the residential mortgage business, the private education loan industry, and payday lending.

The bureau has an additional type of jurisdiction, Antonakes explained. It has direct authority that it is empowered to assert over large players in other parts of consumer finance. To do so, it must identify them in so-called “larger participant rules.” The bureau has issued a number of these rules bringing elements of such businesses as auto finance, consumer credit reporting, consumer collections, and student loan servicers under its umbrella.

To date, Antonakes said, CFPB has not issued any larger participant rule for the marketplace lending industry.

“I see it [CFPB attention] ratcheting up,” said Antonakes, “but it’s not going to be a cure for the unlevel playing field.” Further, he said as current law and rules are written, players such as Kabbage and On Deck, specializing in small business finance, not online marketplace consumer lending, don’t appear to come under clear CFPB jurisdiction. Some change would have to be made.

(Asked about such competitors by ABA Chairman Dan Blanton, a Georgia banker, during ABA’s Government Relations Summit the next day, House Financial Services Committee Chairman Jeb Hensarling (R.-Texas) said he would prefer to ease regulation of banks than rope marketplace lenders and other such players under banks’ current regulatory burden.)

Functions working together

In conversation with Banking Exchange, Antonakes said that he sees a bank’s compliance function as more of an internal consultancy, much in the spirit of the quote from Holbrook at the beginning of this article.

Earlier in the program a moderator referred to an article in The Wall Street Journal discussing Eastern’s brand-new online Small Business Loan Express, which Antonakes said can fund a loan within three minutes of the bank’s receiving a completed application.  (Offered to existing customers, initially with a small pilot group, the program is going to be rolled out to other prospects.)

Antonakes said the involvement of his group in the labs’ development of this product “was a real partnership model.” Compliance had regular meetings with developers, to review punch lists of issues and to track completion of compliance-oriented tasks.

Overall, said Antonakes of compliance and product development, “I’ve been trying to embed my team in a spirit of collaboration.” He acknowledged that periodically Compliance does have to say “no” to something, but that’s not intended to be the final word. Antonakes said he believes further discussion can add value to the business unit’s efforts and potentially find a way leading to a “yes.”

Asked what kinds of people he has been recruiting, Antonakes said, “Lawyers who like math.” While this is somewhat tongue in cheek, he said it’s not really so much. Today compliance takes a range of skills, far beyond merely being able to read, understand, and apply regulatory pronouncements. He sees the job as much an analytical one as a regulatory one. While costs have been increasing for compliance, he said one means of containing those expenses is determining priorities for maximum concentration of resources—not unlike life at CFPB.

“There’s always a degree of triage necessary,” said Antonakes.

Three lines of defense at Eastern Bank

In his presentation Antonakes spent some time discussing the “state of the art” of compliance in general. Increasingly, even for smaller institutions, this is coming to include at least aspects of the “three lines of defense” approach that both the Comptroller’s Office and the Federal Reserve have applied to the largest institutions.

Basically, the three lines consist of the front-line, the business unit, which in this approach bears first responsibility for compliance and risk management; the second line consists of functions like Compliance; and finally, the third line of defense is Internal Audit. Antonakes described these, respectively, as risk ownership; risk control and compliance; and risk assurance.

Using the three lines approach has its challenges, according to Antonakes. Among them:

• Roles and responsibilities are not always clear, resulting in both overlaps as well as the potential for gaps.

• Lack of individual and shared accountability that can lead to complacency.

• A false sense of security arising from multiple teams assessing and managing risk.

• Tension between the lines, given the choices of collaboration versus independence.

• Maintaining compliance expertise in the front-line, given increasingly complex compliance duties and scope.

At Eastern, Antonakes explained, front-line business units have embedded “compliance administrators.” These staffers are part of the business unit staff, but they do take some direction from the compliance group. Their compliance training generally also comes from the compliance group or outside trainers engaged by the bank.

The bank’s compliance program covers the entire product lifecycle, he said, from conception through to revisions later on, as well as monitoring at all stages. One area that Eastern will sometimes outsource are analytical functions taking expertise that is better to “rent” than to develop and maintain in-house.

In his presentation Antonakes said that assigning various levels of “decision rights” to each line could help create ownership and increase clarity and accountability.

“Decision rights are not intended to replace chain of command or limit collaboration,” Antonakes’ presentation stated. “Those involved in key decisions should keep supervisors abreast of decisions and collaborate, as needed.