(As published in Scotsman Guide)
An authoritative source library is essential for managing compliance risk
Let’s face it: Complying with regulatory requirements can be complex and challenging. The landscape is not getting any easier for banks, credit unions, nonbank lenders, and other financial institutions such as securities and insurance companies.
Not only are regulations evolving at the federal and state levels, but many financial institutions are now doing business all across the country. If a company has a footprint in all 50 states and, in some cases, even if they have clients residing in states where they are not located, they may be subject to any number of state-level compliance obligations. Mortgage companies and financial institutions are also well aware that laws and regulations at the state level can vary widely in the ease of their public availability, the requirements they impose, and the forms and manner of publication. Keeping on top of all these regulations adds up to a potential nightmare for compliance teams.
But there are ways to keep your company’s head above water when it comes to compliance. One critical component to ensure that your company has a connected end-to-end compliance program is an authoritative source library (ASL).
Structured foundation
Simply stated, an ASL is a comprehensive inventory of a company’s compliance obligations. These may include federal and state laws and regulations. This library can also include rules and guidance that might be published by industry associations, interagency bodies or self-regulatory organizations.
A key piece of any ASL is a robust regulatory change process. Ingesting regulatory changes that are connected to your library drives the compliance program for your organization, allowing you to map obligations to specific business units within your company, and to manage and control regulatory compliance risk.
The benefits of keeping your library complete and up to date include providing a structured foundation for your compliance program. Compliance teams without a content repository worry about saving emails from subscription lists, bookmarking webpages for regulators or associations to track the latest releases, and even maintaining paper registers. This only leads to lost data and uncertainty.
An appropriately curated ASL means that a compliance professional can rely on the essential information they need being in one place and, just as importantly, that the information is being consistently structured. This allows for informed analysis because they will be able to compare like items across content types, jurisdictions and lines of business.
The connections you make, in turn, allow you to pull back and form a comprehensive view of your overall compliance program. You can determine the overall program impact of a regulatory change because you can clearly see the relationships among your library items.
Competing priorities
It is important to remember that one size does not fit all when it comes to setting up an ASL. Each company has to determine its compliance obligations based on where it does business, what types of business it engages in, its corporate structure, and attendant responsibilities for subsidiaries, affiliates and vendors.
No two institutions have identical ASLs as a result of these differences. In fact, curating the right content set is an essential element of creating a connected ASL. Doing so requires an upfront commitment to make sure that you have identified the resources you will need, and it’s a vital component for the long-term success of the project.
Every company faces competing priorities, so why should this type of compliance program management get a place at the head of the line? Well, there are a variety of negative outcomes for failing to maintain this library. Banks, credit unions and mortgage companies can face fines, corrective action plans and consent orders, all of which can be costly and publicly embarrassing, eroding the confidence of your clients, business partners and even other regulators.
There have also been recent examples in which a record of poor compliance has caused regulators to place limitations on expansion into new geographic locations or lines of business, and to carefully scrutinize proposed mergers and acquisitions. In other words, if the organization cannot prove compliance with its current obligations, it may not be entrusted with new ones.
Delivering proof
Let’s assume that your company has created an ASL of the applicable laws, rules, regulations and guidance, and it is being maintained through a robust regulatory change process. You still need to be able to answer whether you are compliant and offer proof. Being able to demonstrate, document and report compliance, whether to a regulator, an internal audit team or other stakeholders, is achieved through the following tasks:
- Identify the requisite laws, rules, regulations and guidance within your ASL, and establish a sustainable regulatory change management system.
- Validate the continued, connected completeness of your compliance program.
- Develop a comprehensive approach that allows you to report on the integrity of these systems.
A well-documented risk register and controls serve as sources of proof for your compliance program. Failure to perform risk and control assessments may result in these being done for you in a public manner by a regulatory agency.
You may be unsure who is responsible for a particular piece of the compliance program, or you may not have a reliable method to hand off work items within a specific team and across other business units. A spreadsheet that is edited by multiple people may have version-control issues.
Generally speaking, manual processes result in a high volume of busywork for skilled personnel and may not allow them to see through the weeds. If manual processes are problematic, it’s time to think about automation.
Business sense
Effective management of your organization’s key risks, as well as its assessments and controls, is a must-have. It is supported by and through a dynamic ASL. This also makes good business sense and provides the owners of compliance risk management with daily risk intelligence.
A connected ASL provides your institution with documented decision making, task assignments and implementation steps, and it is centrally available to be monitored and reported on year after year. This can occur regardless of changes in leadership or other impacts to the organization.
In other words, you’ll know the laws, rules, regulations and guidance your institution needs to comply with because these are located in your ASL. You’ll know that your institution is in compliance because you’ve made the connections between your regulatory obligations and the elements of your compliance program that manage the risk, and you can prove you are in compliance through the recordkeeping and reporting capabilities of automation.