As published in ABA Bank Compliance (now ABA Risk and Compliance), May/June 2019
“It is not the strongest nor the most intelligent who will survive but those who can best manage change.” While Charles Darwin initially made this reflection, it continues to ring true in today’s business world. Today’s compliance officer must possess the skills to manage and implement change. The amount of change we are experiencing is greater today than ever before, and yet it may never be this slow again. With the ever-evolving technological advances in product delivery and transaction processing, changes in competitive landscape (from non-bank financial services companies), and advent of artificial intelligence, our world will likely change at a pace faster than ever in the next few years. Banks that are readily and effectively able to adapt to change—including compliance change—will be the best fitted to survive.
Change comes in many shapes and sizes and can be categorized into the expected, strategic, and unexpected. Expected changes are planned with ample notice and result from new or revised regulations, laws, guidance, operational processes, systems, products, and services. Strategic changes are typically planned, but because of the nature and sensitivity, they may not allow as much time for planning and implementation. These changes result from mergers and acquisitions, outsourcing of key business processes, or new business models. Lastly, unexpected changes may arise from self-identified compliance issues or regulatory examination feedback. A strong compliance management system (CMS) should prevent or detect compliance issues in the normal course of business. However, there may be times when an unanticipated event results in compliance impacts that require a swift change in a product feature, a process or a procedure.
Managing Change
Compliance officers deal with a multitude of expected, strategic, and unexpected changes. As compliance professionals, we are more than “go-to” people for regulatory questions and interpretations, and we are more than the monitoring arm of management. We are change leaders, and it is important that we understand how to manage change effectively. Change is a process, not a onetime event. Once introduced, a change is more likely to become successful when it gives employees ample time to develop the awareness and desire to accept the change, the knowledge and ability to make it happen, and the right follow-up to sustain it.
Ideally, business lines will include compliance in discussions about anticipated changes during the developmental phase, prior to presentation to senior management, and certainly before implementation. If the compliance department has a solid working relationship with the business lines, being invited to participate early in the process should not be an issue. A keen understanding of the business will help a compliance officer phrase questions and concerns both relevant and understandable to business lines. In other words, avoid saying “no” without offering solutions. Communications such as, “the regulation does not allow…” or “no, this is not in compliance with the regulation” should be used when necessary, but compliance officers should also seek and suggest compliant alternatives to facilitate the change. For example, try an approach which explains an issue and offers a solution, such as: “Only offering discounted product pricing to on-line customers will negatively impact customers who sign up for the product in a branch. Can it be offered across the board to all customers?” This approach is preferable to: “Only offering discounted pricing to online customers could be a fair lending issue, so you can’t do that.” It is important to set the guardrails, but also allow the car to keep moving down the road.
Bank management expects changes to be implemented effectively, within budget, and in a compliant manner. Regulators expect a compliance management system to include active senior management and board oversight of change management that includes responding in a timely and satisfactory manner to any change, internal or external, to the bank. Evaluation of change and its impact should be performed across all inter-dependent lines of business and address a broad array of risks. Analysis in advance of the change should consider the:
- Life cycle of the new product or business change;
- Risk that the change may result in potential consumer harm;
- Assessment of new third-party relationships;
- Assessment of related management expertise; and
- Creation of documented procedures for new or revised processes.
In many organizations, the risk management department establishes a committee charged with monitoring, reviewing, and approving business changes and related risks. The committee is typically comprised of representatives from the various risk disciplines including information security, financial intelligence (Bank Secrecy Act/Anti-Money Laundering), credit risk management, operational risk management, legal, and compliance. Internal audit may also participate as a non-voting committee member.
In a small bank where there is not an operational risk function, the head of operations may participate. And where there is not a formal committee for this stated purpose, there could also be a product development and improvement committee that considers the changes that result from new/changed products. Intranets often allow for staff to ask for compliance assistance beyond products, and for a list of changes to rules and regulations for department managers to consider and manage.
The make-up, details and reporting lines of the committee may differ by bank or bank size, but essentially the committee is responsible for review of the business case, sales, operations and systems impact, addition of new third-party relationships, legal ramifications, and compliance risks. Committee activities should be reported to the appropriate management committee, usually an enterprise risk committee, and ultimately significant changes or high-risk changes should be escalated as needed.
Compliance officers must be prepared to vet changes thoughtfully to ensure organizational success. To do this, a structured program that outlines the compliance considerations for evaluating change will guide the analysis, provide documentation, and articulate the compliance guidance and feedback provided to bank management, the board, and the regulators, thereby providing effective challenge regarding the change.
Compliance shares the responsibility with other risk functions and business lines for reviewing changes and providing guidance on alignment with the bank’s risk appetite, and compliance with applicable regulatory requirements. A formal compliance change management program, including a framework of questions, will help ensure the compliance assessment is thorough and any concerns or risks identified are communicated to appropriate levels of management. Making sure the program is executed properly is imperative. A more senior compliance officer with deep compliance and operations knowledge is best positioned to evaluate compliance risks and business impacts. The individual must be comfortable escalating risks to senior levels of management and responding to challenging questions.
A formal compliance change management framework should:
- Help facilitate effective challenge;
- Assess the impact of the business change;
- Identify the potential compliance risk it may bring to the bank; and
- Provide the documentation needed to support management reporting and regulatory expectations.
Including the following items should help accomplish this goal.
New or amended rules or regulations
Responsibility for identifying new rules/regulations, changes to rules/regulations, or review and evaluation of consent orders and regulatory guidance falls on the compliance and/or legal department. Regulatory changes are driven by a mandated regulatory timeline and implementation is ultimately reviewed by the bank’s regulators in the examination process. It must be done well. At a minimum, regulatory change management should include the following:
- Monitor regulatory changes through various news feeds, regulatory websites/email subscriptions, or industry publications. Some institutions may also subscribe to governance, risk, and compliance (GRC) software products that offer regulatory change modules that provide updates and summaries. Advances in regulatory technology or “regtech” promise to make the regulatory change process more efficient and transparent.
- Review, understand, summarize, determine, and communicate applicability of the regulatory changes to business lines and functions impacted. Consider starting this review and communication when proposed rules are issued.
- Determine accountability within both the business line and compliance department.
- Ensure all interdependent business lines and operations functions are identified and active in the change project. If third parties are involved, be sure to include them as well.
- Establish a project timeline for implementation that outlines key milestones. Depending on the magnitude of the change, the bank’s project management office may also be engaged.
- Assess changes required to policies, procedures, disclosures or agreements, systems, training, marketing materials, compliance monitoring, and internal audit programs.
- Determine appropriate reporting and escalation within the business line and senior management for updates to the regulatory change project.
- Ensure system testing protocols occur, if applicable, prior to roll-out of the change.
- Review and monitor the regulatory change post-implementation to ensure processes are operating as expected.
- Monitor complaints post-implementation to address any negative customer impacts.
New products/services, changes to existing products/services, and other business changes
Managing the implementation of products, services, or business changes is primarily the responsibility of the business line. If the change will introduce a new product or service, or materially modify an existing internal process with direct consumer impact, compliance should be consulted. Compliance will need to assess potential compliance risks including the need to:
- Understand how the change will impact the bank and its customers.
- Obtain a detailed understanding of the change to assess risks related to consumer financial regulations, including Bank Secrecy Act/Anti-Money Laundering, fair lending, and unfair, deceptive, or abusive acts or practices.
- Review recent enforcement actions and regulatory hot buttons to ensure the change does not pose compliance risk to customers and the bank.
- Review product design to ensure the features and benefits of the new product or business change do not pose unintended risks to the consumer or unintended fair lending risk.
- Review the marketing plan for the change and determine whether any segments of the bank’s market area are being excluded on a prohibited basis.
- Ensure the sales team understands how to sell the new product or service. Be sure to review sales scripts to ensure fair and responsible presentation of the new product or service, and make sure sales incentives do not potentially lead to undesired behaviors.
- Consider delivery channels (on-line, branch, loan production offices, etc.). Access to the product or service should typically be available across channels and not lead to potential steering risk.
- Ensure the appropriate compliance due diligence and risk assessment has been performed on new third parties. Contracts should include required adherence to consumer financial regulations, compliance training, and the right for the bank to audit the third-party’s compliance program.
- Review procedures for closing and onboarding new accounts and ensure the operations function can accommodate the anticipated transaction volumes and understands how to set up new customers. Pay attention to introductory rates and similar features that require special instructions.
- Ensure customer service and call center personnel are trained and prepared to respond to questions regarding the new product, service, or change.
- Understand system changes required to implement a new product, service, or business change. Ensure necessary user acceptance testing is performed prior to roll-out and system changes do not cause other issues within the system that may impact customers.
- Ensure proper safeguarding of consumer non-public personal information (NPPI) is addressed when applicable.
- Identify compliance program changes required to monitor compliance on the new product, service, or change.
- Perform a post-implementation review of any related consumer complaints to assess compliance performance related to the change.
- Highlight compliance issues or lack thereof in compliance reports until the change and revised procedures become ingrained in daily operations.
Compliance Evaluation of a Business Change
The examples on pages 6 and 7 illustrate some of the specific questions that compliance should consider when evaluating bank management’s decision to outsource lockbox processing.
Change Management Success Factors
Change is a process, and successful change is dependent on how the change is communicated and implemented. It’s helpful to use a framework to facilitate change since individuals go through the stages of change differently and at their own pace. One framework for managing business change is described by Jeffrey M. Hiatt in ADKAR, A Model for Change in Business, Government and Our Community. Hiatt uses the acronym ADKAR to describe a goal-oriented change management model that guides individual and organizational change. ADKAR is an acronym that represents the five tangible and concrete outcomes that people need to achieve for lasting change: awareness, desire, knowledge, ability and reinforcement. By outlining the goals and outcomes of successful change, the ADKAR Model is an effective tool for planning change management activities, equipping your leaders to facilitate change, and supporting your employees throughout the change.
Hiatt notes that the secret to successful change is rooted in facilitating change at an individual level first. Hiatt states that by engaging individuals at all stages of the change process, each individual develops a sense of ownership for implementing and sustaining business improvement initiatives. In turn, the likelihood that organizations reap the benefits of organizational change increases.
Starting with a clear, supportive tone from the top is not only desirable but is necessary for successful change. The amount, type, and timing of management communications will depend on the audience and the magnitude of the change. Keep in mind that even small changes may require substantial change management efforts. Once those impacted by the change understand and accept it, they must know how to change and have the skills to make the change happen. Thus, on-the-job supervision and monitoring of performance will reinforce the change until the new procedures become ingrained in daily operations.
Tailoring “change” training to job responsibilities is always an effective approach since it is natural for individuals to want to know how change impacts them.
Clearly documented policies and procedures supporting the training and implementation of change are especially important in mitigating any potential compliance risks that may result from improper execution. Monitoring of performance and consumer complaints during the transition period and immediately after will confirm whether implementation was successful or if processes or procedures need to be revised and re-implemented.
One thing we all know for sure is that nothing remains constant except change itself. As the business of financial services and banking changes, regulations will change, business processes will change. Most learning and development functions provide change management training. If training is not provided internally, outside training providers could be a worthwhile investment for the compliance department. Because compliance officers are change leaders, change management skills are important to continue adding value to the organization and support its compliance performance and strategic objectives and goals.