Compliance | November 07, 2023

Simplifying US state-level obligations to help achieve compliance certainty

As published in Henry Stewart Publications

This paper provides key insights into how expert augmented intelligence helps simplify and refine state compliance obligation management with dynamic technology. Learn strategies to help financial institutions overcome four unique pain points of achieving complete compliance confidence. Readers will learn how top banks are able to reduce reliance on third-party legal firms, connect various components of regulatory change management together and gain a strategic perspective on how that impact is realised.

Introduction

The cost of managing compliance in the US continues to rise, with increasing regulatory requirements and the exponential growth of the accompanying obligations. Financial institutions with regulatory exposure to multiple states face an additional layer of complexity. To help manage that complexity, most have relied on legal counsel to provide surveys for the states in which they operate to help develop and maintain these obligations.

Whether using internal or external legal counsel, this is a time-consuming and expensive undertaking that can require poring through hundreds of thousands of state and federal laws and regulations to identify those that apply to your institution’s business model. Once relevant changes are identified, financial institutions should conduct a comparative federal/state analysis to determine whether the federal regulation is more restrictive. The remaining obligations should be categorised and mapped to other elements of the institution’s compliance programme, such as policies, procedures, risks and controls, and to the products, services, locations and customers to which they relate. And finally, once the financial institution clearly understands the impact of each obligation on the institution, it should perform a risk assessment to determine the importance of the obligation and if, how and when to test compliance with it.

While all this activity is taking place, the state survey provided to the institution is aging in place as laws and regulations continue to develop. In fact, given the constantly changing nature of state and federal regulations, if there is no process in place to maintain the state survey in a timely manner, it may need to be updated before the institution has even had an opportunity to develop and implement the existing obligations.

The key to success in this challenging environment is understanding and overcoming these obstacles to ensure your financial institution meets or exceeds applicable regulatory compliance obligations and internal standards. With so much volatility in the financial services industry, adhering to the constant influx of regulatory changes in real time is no small task.

The evolving federal pre-emption landscape

Over the last decade, the Dodd-Frank Act (1) has muddied the waters of federal pre-emption by establishing that state consumer financial laws can only be pre-empted if they prevent or significantly interfere with the powers of national banks or federal savings associations. As a result, the Office of the Comptroller of the Currency (OCC) and courts must now make pre-emption decisions on a case-by-case basis. The Dodd-Frank Act has also increased regulatory scrutiny of national banks and thrifts and led to a growing number of enforcement actions by state agencies. Many banks are concerned that, with the OCC’s loss of broad pre-emption authority, they will be subject to myriad state regulations that increase the costs and risks of doing business (2).

Overcoming state-level compliance pain points

The flow of new or changed state laws and regulations has gone from steady but manageable to a tsunami (3). As states proactively regulate more products, services and areas of risk than ever before in areas such as cybersecurity, privacy and digital assets, the compliance professionals who monitor state-level laws and regulations and identify a financial institution’s obligations are left feeling overwhelmed (4).

Pain point #1: Information overload

When it comes to the future of banking regulation, the key watchwords are ‘be prepared’. Information overload is the most serious issue for compliance personnel managing state-level regulatory change for banking or other financial services organisations. Data compiled for the 12 months ending in mid-May of 2022 show that federal banking regulators in the US issued 130 regulatory updates during that period (5). That’s a significant number if they all applied to your institution’s business model — but not overwhelming (Figure 1).

In those same 12 months, however, US state agencies and legislators issued thousands of regulatory releases that could impact the provision of financial services — enacting or adopting many of them. In just three states, California, New York and Colorado, there were almost 900 releases related to the provision of financial services in those 12 months. Most of these releases were guidance, enforcement actions, notices, introduced laws or proposed regulations. But just over 130 of the releases were related to new or changed laws, rules or regulations that were enacted or adopted. That results in around 11 regulatory changes per month to be potentially processed by an institution. Even assuming only half of them applied to a financial institution’s business model, that still results in at least one regulatory change to process per week from only three states. And for each, the institution must determine its impact and implement necessary changes to elements of its compliance programme like risks, controls, policies, procedures and training. Again, this example highlights the burden produced by just three states. What if your financial institution conducts business in all 50 states?

Another important thing to consider is that many of these regulatory changes come from more than a central regulatory body, such as state banking departments or state legislators. Many US state regulatory changes that may affect the provision of financial services also come from hundreds of separate state agencies and departments across the country, including departments of motor vehicles or treasuries — and that’s a big part of the problem. Having to monitor many disparate regulatory bodies creates an undue burden on compliance staff at a time when good resources are tough to come by. It is an incredible amount of change to manage, particularly if an organisation does not yet engage technology in the process.

Pain point #2: The regulators are coming

In addition to public statements by Consumer Financial Protection Bureau (CFPB) Director Rohit Chopra (6) in support of states’ proactivity in consumer protection, the CFPB issued an interpretive rule in May 2022 (7). The interpretive rule describes the states’ authority to pursue companies and individuals that violate the provisions of federal consumer financial protection law. While not new, the states have not broadly embraced this authority (8). In addition, many states have now created agencies that resemble mini-CFPBs, with the support of the actual CFPB (9). An example of this is the recent interpretive rule (10) where the CFPB reminds states that they can:

  • enforce all statutes and regulations under the Consumer Financial Protection Act, even without the involvement of the CFPB;
  • pursue claims and actions against a vast range of entities.

Additionally, the rule asserts that CFPB enforcement actions will not halt state actions. This new deference toward the states elevates the already important task of being able to prove compliance with applicable state obligations. When reviewing current processes, a financial institution should consider whether it provides end-to-end traceability of state law and regulatory changes. This determination is necessary to facilitate internal audits and demonstrate compliance to state regulators across multiple jurisdictions. If a financial institution’s existing processes cannot do that, it is time to re-evaluate.

Pain point #3: Compliance costs a fortune

Financial institutions operating in many states and national banks have the enormous, ever-present task of state-level obligation management across many jurisdictions. They are subject to thousands of state and federal regulatory obligations, which develop continuously and vary by jurisdiction. Beyond complying with state and federal requirements, financial institutions must also provide proof of compliance across the board to internal stakeholders and regulatory authorities. While some financial institutions may argue compliance costs are too steep, what about the costs of non-compliance with state requirements?

In the last ten years, and during differing political climates, states have imposed over US$5.1bn in penalties on financial institutions for consumer protection-related offences. Multi-state attorney general cases account for almost US$5bn of that amount, and mortgage abuses were the most cited offence by far.

As an industry, financial institutions would benefit from better management of state-level regulatory compliance risk. And what is one of the most typical costs related to compliance with state requirements? For most financial institutions, it is the engagement of outside counsel or other third parties to provide 50-state surveys or other similar material. However, as shared earlier, lists of obligations are costly to produce and can have many drawbacks. Since they are often manually managed in an Excel spreadsheet, they are challenging to keep current and quickly go stale.

Pain point #4: We are partially automated but still cannot produce end-to-end traceability

It is critical for a financial institution to know what obligations they need to comply with and their organisational status of compliance with those obligations, and for them to be able to prove it to a regulator or internal auditor. When information lies in too many systems and areas of record, it is very difficult to manage this with certainty. For many financial institutions, traceability data comes from various sources, including 50-state surveys, multiple internal systems and third-party analysis of various regulatory topics. This information is often managed and delivered in spreadsheets and is not easily traced from the laws to the obligations, to the cross-jurisdictional obligations and finally to the policies, training, risks and controls or other activities developed to manage the risk and maintain compliance. The right technology can help connect the disparate parts of your institution’s handling of its regulatory obligations and provide the necessary end-to-end traceability.

The pros and cons of cutting-edge technologies

Regulatory technology (RegTech) solutions have become a critical component in today’s compliance department (11), providing institutions with the necessary tools to manage regulatory risk. As compliance burdens increase, cutting-edge technologies, such as artificial intelligence (AI) and machine learning-enabled solutions, can drive better insights and outcomes.

Technology also permits financial institutions to deploy human resources more strategically. However, there are two critical things to remember about technology. One, it cannot involve a ‘black box’. A financial institution must be able to understand and explain how the technology they rely on works to regulators, auditors and others.

Second, AI-driven solutions do not always get it right. A human expert review of AI-derived data is preferred when available. There can be pitfalls to depending solely on a technology platform to identify, tag and aggregate the full range, volume and frequency of regulatory changes relevant to a financial institution’s business. Technologies such as AI cannot, by themselves, deliver an effective regulatory change management approach. By employing a combination of technology and regulatory experts who can validate the technology output, that is, an expert-augmented intelligence approach, a financial institution will have a complete and accurate picture across the entire enterprise. That clarity will allow the financial institution to oversee enterprise obligation management more effectively and compliantly. For technology solutions that manage regulatory change, this is called ‘expert-augmented intelligence’. It is a key growth and focus area.

Another facet of RegTech solutions is the technology needed to make them work. Financial institutions should strongly consider requiring flexible technology, such as a regulatory content data feed, to ensure continuity as a financial institution may change governance, risk and compliance (GRC) platforms. Successful obligation management solutions enable an institution to reduce regulatory obligations to a more manageable number. It is also critical to ensure that a RegTech solution provider can accommodate all new regulatory changes and offer support across multiple states and territories. This should include an extensive legal library and a mix of expertise and AI to aggregate and analyse requirements across state laws and regulations.

Regulators use technology in many aspects of their oversight obligations and expect institutions to do the same. When implemented effectively as part of a broader compliance programme management (CPM) process, RegTech solutions are invaluable to help control compliance risk, including the large number of regulatory changes that compliance leaders must manage daily. Leveraging RegTech or other compliance technology to ensure success in an increasingly complex and regulated landscape is no longer an option. It is a necessity.

Streamline compliance with clustered citations

Today, financial institutions face mounting strategic challenges, including being subject to a multitude of laws and regulations that vary by jurisdiction. Understanding how to comply with both state and federal requirements involves manually sifting through a vast amount of data.

More importantly, it is essential to maintain full compliance with a growing volume of new rules and provide proactive guidance on those that may impact core business operations. In this context, effective obligation management becomes a mission-critical process, ensuring that rule identification, compliance requirements and operationalisation occur effectively and systematically.

Many financial institutions rely on state surveys conducted by large, in-house teams or third-party providers to help manage state-level compliance obligations. While these surveys are crucial to understanding and reacting to state laws, they are resource-intensive and extremely expensive, costing hundreds of thousands or even millions of dollars. Additionally, they are extraordinarily difficult to maintain and keep current. A best-in-class technology solution would support a financial institution’s need to simplify and prove compliance where state and federal regulations converge. The technology would permit compliance professionals to develop one organisational requirement to explain how the institution will address each cluster of aggregated, similar state obligations to ensure complete and efficient process implementation.

Functionality, such as a comprehensive legal library of state and federal citations and requirements, which logically analyses, groups and clusters relevant legal requirements across multiple jurisdictions, is key to streamlining a financial institution’s process for creating and managing a rationalised set of legal requirements. Ideally, a RegTech solution will cluster citations using cutting-edge machine learning and natural language algorithms to bundle similar legal requirements for financial institutions. As a result, users can focus on only the relevant citations for their jurisdictions or further filter and isolate those that require necessary action, allowing users to view the entire citation or digestible summaries that capture actionable requirements in a single sentence.

The result is a faster, less costly and more efficient process for comprehensively managing a financial institution’s regulatory requirements. End-to-end traceability and reporting to facilitate internal audits can also demonstrate compliance to regulators across multiple jurisdictions.

Conclusion

The reality is that technology accelerates time to value. Machine-aided approaches enable complete rule book coverage and pre-emption guidance. However, state-of-the-art technology still requires human insight. Without expertise, AI presents unexpected costs and can provide a false sense of security.

The goal is to find a solution that allows financial institutions to manage the overwhelming complexity and volume of state and federal regulatory obligations while minimising manual effort. When you begin searching for a solution, consider first those that offer automation, including the best use of AI that is augmented by a deep bench of human expertise. Expert-augmented AI can offer the speed, accuracy and flexibility needed to grow your institution while helping ensure compliance certainty. The solutions you consider should be adaptable to your institution’s footprint, products and services that provide the most relevant content but also offer scalability as your institution grows. Choose a solution that is market-proven with a provider that can meet your financial institution’s unique content needs as well as relate and respond to your third-party service provider’s risk management requirements.

To save your time and resources, and to help ensure solution providers meet the requirements of your institution’s unique state-level obligation needs, consider a request for proposal (RFP) process. Through the use of an RFP process, all your stakeholder needs can be identified and communicated simultaneously to relevant providers and help level the playing field quickly. Good luck on your journey to US state-level compliance obligation certainty.


References and notes

(1) Dodd-Frank Wall Street Reform and Consumer Protection Act, Public Law 203, US Statutes at Large 124 (2010): 1376-2223.

(2) Sykes, J. B. (2019) ‘Federal Preemption in the Dual Banking System: An Overview and Issues for the 116th Congress’, Congressional Research Service, available at https://crsreports.congress.gov/product/pdf/R/R45726 (accessed 30th June, 2023).

(3) Expert opinion based on numerous conversations with industry professionals and proprietary data. Data source is not publicly available.

(4) Burniston, T. (2022) ‘Wolters Kluwer Indicator “Pain Index” Highlights Significant Risk and Regulatory Compliance Concerns for US Lenders’, Wolters Kluwer, available at https://www.wolterskluwer.com/en/news/wolters-kluwer-indicator-painindex-highlights-significant-risk-and-regulatorycompliance-concerns (accessed 30th June, 2023).

(5) Expert opinion based on numerous conversations with industry professionals, proprietary data and data sources utilised in the course of business. Data sources not publicly available.

(6) Chopra, R. (7th December, 2021) ‘Director Chopra Remarks — December NAAG Meeting’, Consumer Financial Protection Bureau, available at https://www.consumerfinance.gov/about-us/newsroom/director-chopra-remarks-december-naag-meeting/ (accessed 30th June, 2023).

(7) Consumer Financial Protection Bureau (2022) ‘Authority of States to Enforce the Consumer Financial Protection Act of 2010’ 12 CFR Chapter X, available at https://www.consumerfinance.gov/rulespolicy/final-rules/authority-of-states-to-enforce-theconsumer-financial-protection-act-of-2010/ (accessed 30th June, 2023).

(8) American Financial Services Association (2020) ‘State Mini CFPBs’, available at https://afsaonline.org/wp-content/uploads/2020/10/Mini-CFPBsFact-Sheet.pdf (accessed 30th June, 2023).

(9) Ibid.

(10) Consumer Financial Protection Bureau, ref 7 above.

(11) Burniston, ref 4 above.