C is for Compliance: Top 10 Compliance Challenges for Banks

As the worst effects of the COVID pandemic subside and we move into a “new normal” of business processes, there is little relief when it comes to easing both real and anticipated regulatory change — and the concomitant rigors of compliance within the financial services industry.

The pressure for banks and other financial service providers to demonstrate effective and sustainable risk management remains high as regulators demand greater levels of accountability and impose stricter enforcement measures. Meanwhile, the effects of the pandemic, with its evolving unpredictability, continues to contribute to the pace of change in the banking industry, with other significant global events further adding to that unpredictability. In Q1 of 2022, there are already a range of initiatives underway that could present major risk challenges for financial institutions.

With so many moving parts, where should one focus their efforts? A theme from childhood comes to mind. Remember Sesame Street, where every episode centered around a letter and a number? It might help to compare the current banking regulatory landscape to a Sesame Street episode — minus the catchy theme song.

So, this regulatory outlook is brought to you by the letter “C” and the number 10.

1. Climate

Climate risk management is receiving significant attention in the regulatory community. While we are still in the early stages of fully understanding how climate change imposes risks to banks and other financial service companies, it will remain a front and center topic for the Biden Administration, Congress, and regulators now and moving forward.

The SEC is expected to propose mandatory Environmental, Social, and Governance (ESG) disclosures sometime in 2022, and climate change will be part of that disclosure scheme. There is also engagement on climate change issues across the U.S. government and regulatory community. The federal prudential bank regulators are considering how, for example, the financial effects of climate change should be factored into banking supervision. We are likely to see more guidance on how climate change exposures should be addressed in risk management practices.

We can also expect climate change activity at the Financial Stability Oversight Council, at the global level from the Basel Committee’s Task Force on Climate-Related Financial Risks, and at the state level. Additionally, the impacts of climate change on low- and moderate-income communities have been raised in the context of the national discussion to modernize the regulations that implement the Community Reinvestment Act.

2. Community Reinvestment Act (CRA)

We are preparing for a uniform interagency proposal to modernize the regulations that implement the CRA. One of the key issues is how to adapt the CRA regulations to a digital world where banks increasingly serve their customers online rather than at physical branch locations. Modernizing the CRA regulations offers new opportunities to address community needs and embrace change, but it also presents challenges, including different evaluation methodologies, revised performance expectations, and changes in data collection.

3. Compliance and Consumer Protection

Regulators are increasingly devoting significant examination time and resources to fair lending issues such as redlining, pricing, use of artificial intelligence in credit determinations, and appraisal bias. The DOJ recently announced its “Combatting Redlining Initiative,” calling it one of the most aggressive and coordinated efforts to combat discrimination in lending. While the use of artificial intelligence to make credit decisions offers opportunities to promote inclusion, it carries real and potential fair lending risks.

The CFPB’s rule implementing Section 1071 of the Dodd-Frank Act is expected to have a tremendous impact once finalized. This rule would impose new data collection and reporting requirements on lenders for credit applications made by women or minority-owned small businesses. Covered institutions will be required to compile, maintain, and submit extensive data to the CFPB and analyze that data to determine ECOA compliance. Respondents to the Wolters Kluwer 2021 Regulatory & Risk Management Indicator survey listed this rule as one of their most pressing regulatory challenges for 2022, making it one to watch.

We also anticipate greater clarity soon on Bank Secrecy Act (BSA) and anti-money laundering (AML) compliance. Several initiatives emanated from the 2021 National Defense Authorization Act, including rules requiring certain companies to provide FinCEN with information about their beneficial owners, a new whistleblower program, and increased penalties for BSA/AML violations.

The OCC is also weighing in on BSA/AML compliance. In their supervisory priorities for 2022, the OCC states that examiners are placing “… emphasis on evaluating the effectiveness of BSA/AML risk management systems relative to the complexity of business models, products and services offered, and customers and geographies served; evaluating technology and modeling solutions to perform or enhance BSA/AML oversight functions; and determining the adequacy of suspicious activity monitoring and reporting systems and processes in providing meaningful information to law enforcement.”

The CFPB is sharpening its supervisory scrutiny on other consumer protection initiatives, including overdraft fee policies and “junk” fees in the banking industry. The CFPB director has raised concerns about the effect these fees have on consumers’ ability to shop for credit. And one last area banks should be mindful of is the continuing review of potential compliance issues arising from the CARES Act and the Paycheck Protection Program. This includes measures put in place during the pandemic, such as mortgage forbearance or payment deferral arrangements and the administration of the PPP loan application and forgiveness processes.

4. Cybersecurity

In Wolters Kluwer’s latest Indicator survey, cybersecurity ranked as the risk garnering the most concern and attention looking forward. And the threat of ransomware attacks led the list of factors in organizations’ enterprise risk planning. Sixty-three percent of respondents gave it “significant consideration,” and 22 percent marked it for “some consideration” in their planning.

Computer incident notification rules from regulators become effective on April 1, 2022, with a compliance date of May 1, 2022. The rule requires a bank to notify its regulator (FDIC, OCC, FRB) as soon as possible and no later than 36 hours after the bank determines that a computer-security incident that rises to the level of a notification incident has occurred.

In response to an increase in cyberattacks and data breaches, the Federal Trade Commission (FTC) recently amended the federal Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act (GLBA). The updates put pressure on financial institutions to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe. Financial institutions will have until January 10, 2023, to review their operations and ensure compliance with the amended Safeguards Rule.

We can also expect to see other announcements from bank regulators and an examination emphasis on operational risk, resilience, incident response, data recovery, and business resumption.

5. Cryptocurrency

The Securities and Exchange Commission’s Chairman, Gary Gensler, recently testified that the cryptocurrency asset class was rife with fraud, scams, and abuse and compared its proliferation to a “Wild West” environment. It is hard to imagine we won’t see regulatory and other developments here that provide more investor protections.

The Federal Reserve Board, OCC, and FDIC recently announced a series of interagency “policy sprints” focused on crypto assets. As supervised institutions seek to engage in crypto-asset-related activities, the agencies recognize the importance of providing coordinated and timely clarity, where appropriate, to promote safety and soundness, consumer protection, and compliance with applicable laws and regulations.

6. Change management

Although on the other side of the spectrum from Sesame Street, Mad Men’s Don Draper offers some wise words, “Change is neither good nor bad. It simply is.” The velocity, frequency, and some might say ferocity of regulatory change will necessitate banks implement a robust regulatory change management program. Advancements, such as digital lending transformation and AI, are bringing about changes in how products and services are delivered, opening new markets, and advancing inclusion. Conversely, risks need to be identified and managed. Regulators, including the CFPB, are looking at those risks and determining how best to manage internal and customer-facing operational changes due to disruptive events like the pandemic.

7. Competitive changes

Innovation is a necessary component of an organization’s ability to effectively compete, grow, and survive. We’ve seen the banking industry embrace this need to innovate. However, innovation needs to happen in a compliance environment integrated within a risk management framework.

Financial technology will continue to invigorate the banking world. There has been an increasing presence and influence of fintechs and regtech on product design and delivery. We expect to see bank partnerships with fintechs continue to proliferate as traditional banks become more comfortable with digital lending and AI. We are likely also to see more transactions involving fintechs acquiring and merging with banks.

These changes highlight the importance of effective compliance management systems and third-party risk management. In fact, third-party risk management will be a focal point for regulators, and interagency guidance on this topic is expected sometime during 2022.

8. Consolidation

Industry experts forecast an increase in bank merger and acquisition activity, especially in the smaller bank segment. However, President Biden’s Executive Order on Competitiveness issued in July 2021 encourages more robust scrutiny of mergers. Regulators will review the Bank Merger Act. That review could bring changes that will either bolster existing requirements and standards or identify new ones. Evaluation factors under the Bank Merger Act standards that could receive additional scrutiny include “convenience and needs,” which ties in CRA and fair lending, among others, and management factors that encompass compliance and risk management.

9. Continuing effects of the pandemic

While we are certainly not in the same place in our nation’s response to the pandemic as we were in March 2020, it is not over. Continued vigilance in managing the fallout from the pandemic is still in the regulators’ bullseye. Operational and credit risks continue to be concerning to regulators and the industry. There are also economic pressures, most notably the rise in the inflation rate, anticipated interest rate increases by the Federal Reserve Board, and, most recently, the effects of the invasion of Ukraine by Russia.

10. Cannabis Banking

According to BankDirector.com, the cannabis industry is growing exponentially, and nationwide sales are estimated to exceed $30 billion in 2022. Will we see federal marijuana legislation pass this year? It isn’t clear, but something may happen. There are two proposals currently at play — the Secure and Fair Enforcement Banking Act (SAFE Banking Act) and the Cannabis Administration and Opportunity Act (CAO Act). While the House of Representatives has passed the SAFE Act six times, the bill has not gotten similar traction in the Senate. Prospects for something happening in an election year are low. However, until legislation passes, the cannabis industry must rely on agency policy pronouncements and clarifications as issues arise.

The 10 C’s

Based on what we’ve seen from the regulators, one can expect substantive activity in key areas of risk and compliance. While this regulatory outlook highlights some of the most regulatory movement anticipated, it is clear that the banking industry is rapidly changing. And if we’ve learned anything during the pandemic, it is to expect the unexpected.

Overall, to manage the significant amount of regulatory change on the horizon, financial institutions need to be vigilant about having a robust regulatory change management program and fully functioning Compliance Management Systems with updated policies and procedures. As the ripple effects of the pandemic, the economy, and other industry factors continue to burden financial institutions, developing a disciplined, automated approach to regulatory change will provide the consistency and transparency that regulators expect.

About the Author:
Timothy R. Burniston joined Wolters Kluwer in December 2011 to lead the company’s Risk and Compliance consulting practice. Under his leadership, the practice grew significantly in scope and now enjoys a national reputation for excellence. In July 2017 he was named senior advisor, regulatory strategy. In this role, he advises the Wolters Kluwer Governance, Risk, and Compliance executive leadership team and clients on emerging issues, legislative and regulatory developments, and regulatory strategy.