Shakespeare may have coined the phrase “cruel to be kind” in the play Hamlet more than 400 years ago, but its sentiment still rings loud and true in Washington, D.C., today. Financial regulators may believe they’re doing banks a favor by passing a bevy of regulations aimed at preventing another financial meltdown. But the bankers who must administer the new rules are not likely to see the effort as an act of kindness.
The sheer scope of the new rules is daunting, raising a host of operational, managerial, data, cost and even cultural challenges. Banks are addressing the new regulations on a number of fronts. Reg E has them sending out mass mailings and managing opt-in programs, while the CARD Act has them issuing disclosures and revamping credit card statements. And the Dodd-Frank Act-the Big Kahuna of them all-imposes a host of changes in areas as diverse as consumer protection, executive compensation, capital requirements, corporate governance and derivatives. All of this activity is on top of the ongoing legwork required to adhere to resource-sapping laws like the Bank Secrecy Act.
As the volume of change ratchets up to a deafening drumbeat, compliance officers are seeing a need to automate processes that previously could be handled on a manual basis. This connection between compliance and information technology is only expected to get cozier as the many proposed reforms of Dodd-Frank begin to take shape. “The game has changed quite a bit,” says Christinne Johnson, executive vice president at FirstBank, a $10-billion-asset institution based in Lakewood, Colorado.
When Johnson worked in FirstBank’s compliance department in 2002 and 2003, “we worked with IT on a limited basis” when system changes were necessary to accommodate new legislation, she says. Now that she heads up project management in the IT department, she is requesting regular updates of expected rule changes so her department can prepare. “There are so many things coming now, we’ve got to be ahead of it,” she says.
Dodd-Frank mandates the issuance of 387 rules from 20 different existing federal agencies, in addition to creating new agencies that will have broad rule-making authority. The industry will have its hands full just fielding the new rules. “No matter how difficult it is, we the industry must keep track of these rules,” said Steve Bartlett, president and CEO of the Financial Services Roundtable, in a January 2011 speech at Bank Director’s Acquire or Be Acquired conference.
Many banks are devising new techniques to stay on top of it all. For the past two years or so, Leader Bank, a $630-million-asset institution in Oakbrook, Illinois, has been using what it calls a “pipeline report” to track and prioritize upcoming deadlines. “It has been a tremendous lifesaver” in helping compliance respond to questions from the board and senior managers, as well as initiate conversations about funding needs, says Elizabeth Snyder, executive vice president of risk and Leader’s compliance manager. “It allows us to prioritize with the limited resources we have.”
State Farm Bank, a $15-billion-asset institution based in Bloomington, Illinois, has one employee dedicated to keeping up with regulatory change using a tracking tool the bank created. Once Dodd-Frank kicks in, the bank will also have to monitor developments in the 50 state legislatures, says Richard H. Harvey, Jr., director of compliance. It already has begun investigating tools from outside companies that could help with that task.
Rule tracking is just a prelude to the real work of implementing the changes. From a technology perspective, Dodd-Frank will require institutions to collect and report numerous pieces of additional data, including 12 new Home Mortgage Disclosure Act (HMDA) data points. “Data is always a challenge,” Johnson of FirstBank says. Just to handle the new HMDA requirements, institutions will have to map out and extract data from their vendor-supplied systems, internal applications and mainframes in an iterative process likely to stretch out a year or two. “It’s never neat,” Johnson notes.
Banks with more than $10 billion of assets will have even larger data-reporting obligations. They will need to respond to requests from the Office of Financial Reporting (OFR), a newly created agency charged with gathering and analyzing information in support of industry-wide financial stability. OFR is expected to require transaction-level risk and exposure detail that can be reconciled across business entities.
Most institutions will have to greatly improve the consistency, quality, governance and reporting of their data to comply. “In the past when institutions were asked to report at broader levels, you generally would see significant spreadsheet-enabled, labor-intensive data reconciliation efforts,” says Bob Reinhold, principal at Ernst & Young. “The coordinated reporting required by OFR will require an enhanced degree of automation.”
Even though the OFR has yet to define its standards and reporting requirements, banks should not wait for the final rules to be written before starting the work of improving their data quality. “One thing that’s certain is that the requests from regulators will be more frequent, detailed and assume that a common risk data taxonomy already exists within banks to respond,” says Gaurav Handa, director at Oracle Financial Services in Redwood Shores, California.
As an industry, banks still have a long way to go to improve the quality of their data. Fifty-three percent of global institutions rated their own data quality as average or worse, according to the fourth annual survey of enterprise data to support credit risk management from the Risk Management Association of Philadelphia and Automated Financial Systems of Exton, Pennsylvania. More than 70 percent of institutions say they have data clean-up initiatives underway or planned. Study participants say regulatory requirements, along with risk management efforts, are the predominant reasons behind their efforts.
Under Dodd-Frank, banks with more than $10 billion of assets also will have to form a board-level risk committee responsible for enterprise-wide risk management and oversight practices. Many institutions, like State Farm Bank, have been working on enhancing their enterprise risk management routines for years. State Farm started at the end of 2009 by creating a team to assess compliance risk in all the bank’s business lines. Using tools such as spreadsheets, questionnaires, data libraries and checklists, the team mapped out and documented the compliance control environment of every business unit. “Now we can identify areas of strength and weakness,” Harvey says.
Since then, the bank has moved on to begin assessing other functional areas of risk, such as operational, credit, financial, strategic and market. “Don’t think you have to do everything at once,” Harvey notes. “You can incrementally develop your enterprise risk management program and leverage off of existing processes you’ve already done.”
Enterprise-wide projects serve to engage the business units and, in effect, help instill a culture in which every employee has a greater awareness of how their activities affect the risk profile of the bank. While the need to build a strong risk culture does not represent the letter of the Dodd-Frank law, it certainly reflects its spirit. In general, regulators for years have been pushing for compliance activities to become more strategic than tactical, integrated rather than isolated, and proactive instead of reactive.
Banks are working to strengthen their risk cultures in a variety of ways. Wells Fargo runs an informal recognition program to honor employees for their everyday risk management efforts. FirstBank has begun providing computer-based training on compliance to every employee in the bank. “Even our developers get training because they might be touching something that has to do with compliance,” Johnson says.
Engineering a massive cultural shift is one of the hardest things a bank can do. To help banks be successful, Treliant Risk Advisors, a Washington D.C.-based consulting firm, introduced a “compliance methodology” in June 2010 aimed at guiding banks toward a more comprehensive approach toward compliance. “Compliance needs to be completely different from the old way,” says Lyn Farrell, managing director at Treliant. “Banks need to have a more proactive, strategic approach that’s integrated into the business. It’s not ‘check the box’ anymore.”
Banks are also striving to make risk more visible to senior managers and the board of directors. One way to achieve this is to provide timely information about financial and risk operations in simple terms, much like the dashboard of a car operates. “Compliance folks have always understood that if you want non-compliance people to get involved, you have to give them a simple picture,” says Edward Kramer, executive vice president, regulatory programs at Wolters Kluwer Financial Services, a Minneapolis-based software provider.
Though today’s compliance medicine may be harsh, banks cannot deny the beneficial impact that more effective oversight can have on their technology operations, business units and cultures. As Farrell puts it, “If you take your compliance processes and merge them with your business processes, that’s only going to help you be much more efficient and streamlined.” |BD|