(As published by American Banker)
The burden on banks to collect, maintain and analyze masses of data will be steep in 2023.
The Community Reinvestment Act is on the brink of substantial reform, with a final rule expected soon and a 12-month implementation period to follow. A final rule from the Consumer Financial Protection Bureau to implement section 1071 of the Dodd-Frank Act, governing the collection and reporting of small business lending data, has a deadline of March 31. The timeline for section 1033 of the Dodd-Frank Act, about open banking, is longer, but the CFPB is expected to issue a proposal later this year with a final rule in 2024.
This potential triple whammy means that financial institutions may want — or need — to get a head start at strategizing what tools they need to acquire, homegrown systems they need to modify, staff they need to allocate and costs they need to account for, even if it is advisable to hold off on actual investments before the rules are finalized.
"There are so many rules proposed that have a digital or data element to them in 2023 that banks will increasingly be challenged," said Peter Dugas, an executive director at Capco, who runs the consulting firm's center for regulatory intelligence.
The CRA Notice of Proposed Rulemaking issued by the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, and the Federal Reserve Board suggests a particularly heavy lift. It will touch multiple business units and processes. The proposed rule adds another type of assessment area, based on mortgage and small business loan activity rather than branch locations; new metrics by which to measure loan distribution; and new tests related to retail lending, retail products and services, community development financing and community development services.
The requirements necessitate that banks, depending on their size, collect and report new categories of data or get further into the weeds on existing categories. That may include information about multifamily loans, open-end home mortgages (which let the borrower take out additional funds in the future) auto loans, small business and small farm loans, digital and delivery systems such as online banking, deposit data on the county level, community development services and a deeper understanding of where their customers are located. The highest burden is on banks with more than $10 billion of assets.
"This will be challenging for institutions because it's not the kind of data they would store in their existing systems in a lot of cases, or they are collecting it differently than the agencies want it reported under CRA," said Tracy Basinger, senior advisor at Klaros Group.
For example, the new community development financing test requires line-level data for every loan and investment the bank makes, compared with current provisions that only ask for loan data in aggregate.
"That will be a huge effort," she said.
The popularity of digital banking is one reason behind these changes to CRA. Many bank customers rely on online and mobile channels in addition to or instead of branches, which means a bank's digital footprint extends beyond its branch network.
The addition of retail lending assessment areas beyond facility-based assessment areas, "could add dozens if not more assessment areas for many large banks that will need to be analyzed to determine performance in low- to moderate-income geographies and in serving low- and moderate-income individuals," said Tim Burniston, senior advisor in regulatory strategy at Wolters Kluwer.
Financial institutions are limited in what they can do before rules are final and they know how their regulatory agencies want to receive data.
Still, "Each of these three rules will require some tech build-out, a tremendous amount of training of internal staff, and checks and balances to make sure you are reporting, collecting and protecting this data the right way," said Basinger.
Moreover, "Banks have to self-assess and figure out what this data says about them before the regulators do," said Burniston.
Experts at Wolters Kluwer and risk performance management software provider Ncontracts, both of which offer CRA compliance software, say they have received many inquiries from bank clients about how they can prepare. Ncontracts says it will update its CRA module but it won't charge for the enhancements; Burniston of Wolters Kluwer says the company will update its CRA Wiz product as well and does not anticipate a change in price to the base solution, although add-on solutions are possible depending on the scope of the new rule.
Dugas encourages banks to start assessing the proposed rule as a final rule, because significant changes are unlikely.
In a document he put together about the impact of CRA modernization on large banks, he advised that banks start analyzing how they might fare against the new metrics based on available information, including how current loan systems could be used for data collection, analysis, and reporting, and whether additional systems or automation would be needed to maintain compliance. He and his coauthors suggest that banks identify their facility-based assessment areas and potential retail lending assessment areas; catalog the major product lines in each assessment area; and gauge the availability of information related to branches, retail services and products, the range of services offered through digital and other delivery systems, line-item data for community development loans and investments and more.
Another way to get the ball rolling is to involve the chief information security officer, chief information officer or other technology executives early on in interpreting what the final rule may look like.
"We see a lack of coordination and a siloed approach by banks to the CRA proposal," said Dugas. "We see that compliance and risk management are prepared for these rules, as well as the product and business lines that may be responsible for reporting and collecting this data, but that technology teams are not typically involved. Because of that, banks may get behind on defining the clear categorization of data they need to collect, the systems they need to process that data, and how it will be accessed, logged and reviewed."
Finally, banks can consider the costs of hiring or upskilling staff.
"A lot of institutions don't have a playbook to implement very large regulatory changes," said Stephanie Lyon, vice president of compliance and regulatory content strategy at Ncontracts. "They kind of take them as they come and figure it out as they go."
She encourages banks to think about these rules in the context of change management, such as how they will affect the information technology department, whether the bank needs to bulk up its compliance department, and how these rules compete with other priorities, such as new product launches.
"There is no compliance department out there that is overstaffed," said Lyon. "Banks will figure out how to do more with the same amount of resources or ask for more resources. Talent management will be a big challenge, not only from a compliance [perspective] but because technology talent is difficult to acquire. Banks need to understand this will cost them money."