2021: The Real Test Begins
Radar sits down with global regulatory expert Amy Matsuo to discuss why the real test for the rapidly assembled COVID-19 risk management foundations is only just beginning.
What were some of the biggest challenges that COVID-19 posed to compliance departments in 2020?
COVID-19 caused an almost untenable pace of change to operations and risk within our clients’ enterprise compliance departments. Among the biggest challenges:
- Impacts of reprioritization and redeployment: Redeployment of resources to immediate operational needs/demands and a high degree of waivers/exceptions led to an immediacy of operational needs, which put a strain on compliance staff and governance processes. Companies quickly needed to reprioritize compliance activities, due to emerging and evolving disruption risks coupled with resource constraints (e.g. delayed accelerated training, testing/auditing schedules).
- Increased risks arising from disruption: Risks created by the disruption included enhanced compliance and misconduct risk such as insider trading, personal identification use and phishing. Emerging risks rendered some risk assessments obsolete, requiring new ways to assess risks and leverage data and technology to enable real-time risk analysis. COVID-19 attracted bad actors; organizations must remain diligent as people will look to capitalize on the complications from the pandemic.
- Maintaining compliance amid new expectations: New and emerging compliance risks meant that additional communication, training and altered monitoring/data analysis were needed to help maintain compliance. Enhanced reporting of decisions, waivers, etc., helped compliance teams provide robust documentation. Collaboration with regulators during COVID-19 also helped clarify expectations and prioritization.
What are some of the key elements of a successful COVID-19 strategy? Conversely, what mistakes or errors of judgment did banks make at the onset of the pandemic?
The COVID-19 event has caused unprecedented disruption to nearly every aspect of business activity. Successful bank strategies have clearly involved an agility of risk and compliance in many cases not seen pre-COVID-19. Key areas of focus have included:
- Operational resiliency: While capital and liquidity requirements have improved banks’ ability to absorb financial shocks, more work is needed to strengthen their ability to absorb — that is, respond and adapt to and recover and learn from — operational risk-related events (e.g. pandemics, cyber incidents, technology failures, etc.), which could cause significant operational failures or wide-scale disruptions in financial markets.
- Fraud and cybersecurity: As attention is diverted to areas most impacted by disruption, there is an opportunity for fraudulent actors to take advantage. Organizations must be aware of these increased risks and determine if the existing fraud risk management program is ready. Banks should have a documented information and communication technology (ICT) policy, including cybersecurity, stipulating governance and oversight, risk ownership and accountability, information security, periodic testing and monitoring and plans for incident response, business continuity and disaster recovery.
What changes do you see happening to the world of compliance in 2021?
Compliance risk of stimulus funds will present new 2021 challenges, including the need to ensure that funds in such areas as Paycheck Protection Program (PPP), emergency credit facilities, forbearance and accommodations are allocated with both efficacy to the programs and underlying regulations, as well as to quality in the underlying files and processes.
At the same time, compliance leaders face a mandate that continues to include a strengthening of preventative compliance controls in areas such as culture, conduct, data privacy and financial crimes.
In 2021, expect the world of compliance to be driven by:
- Data governance and analytics: Guidance on effective compliance programs (e.g., DOJ, COSO) includes the expectation that compliance programs should show continuous improvement and be linked overall to a company’s enterprise risk management. Leveraging data and technology is essential and a focus in building both proactive monitoring and assurance analytics and can provide real-time analysis.
- Compliance investments: Overall, organizations generally expect to keep the status quo for their compliance program headcount. Given 2020 impacts, the biggest drop in spending will be in travel-related expenditures (including training, onsite reviews, etc.), but the largest investments are expected to be in data and technology.
- Increasing regulatory risk: Shifts in public policy due in part to an Administration change may significantly change prior regulatory accommodation, as well as regulatory expectations in both specific areas of risk and compliance (e.g., ESG/climate), but overall compliance management systems as well. Regulatory supervision and enforcement due to changes in agency leadership and direction are also likely to intensify within financial services and cross-industry in 2021.
What regulatory challenges do you foresee in 2021?
The key areas of regulatory challenge are likely to include:
- Change management: Sound change management amidst continued remote workforces, use of flexible operating models, expanded digital platforms, etc.
- Credit risk and LIBOR change: Pressure from persistent low interest rates, allowance for loan and lease losses (ALLL), current expected credit losses (CECL) methodology, concentrations, exposures and the LIBOR transition.
- Climate and ESG: ESG is actively promoted by the FS industry and increasingly seen as a driver of value, risk and opportunity.
- Core risk management: The rapid and significant response to COVID-19 demanded immediate attention in 2020, but a strong risk management foundation and culture will be tested in 2021.
- Operational resiliency and cybersecurity: The expanded cyber and vulnerability threats resulting from increased use of digital platforms will require ongoing demonstration of resiliency and control effectiveness.
- Compliance risk: Stimulus-related funds must be shown to have been allocated with both efficacy and quality in the underlying files and processes.
- Fraud and financial crime: Fraud, insider threats, conflicts of interest and anti-money laundering (AML) compliance are all areas of expanded risk.
- Customer protections: Regulatory attention will refocus on such areas as unfair, deceptive, or abusive acts or practices (UDAP/UDAAP), fair access, servicing and lending, antitrust, privacy and fiduciary regulations.
- Payments: Digital transformation has accelerated with a significant impact on payment channels and platforms.
- Expanding regulatory authority: Growing numbers of mergers and alliances and partnerships will expand licensing and chartering activity.
Do you predict any significant changes to regulatory policy following the election of US President Joe Biden?
For financial services, efforts to mitigate the economic impacts from COVID-19 will dominate the regulatory conversation throughout 2021. Regulatory and public attention will be focused on the role of financial services companies in delivering stimulus funding, emergency credit facilities and programs and consumer/investor protections.
However, regulators will also focus on the ability of financial services companies to maintain operational resiliency and strong risk management as they adapt to new operating models and changing consumer preferences driven, and even accelerated, by efforts to contain the COVID-19 health crisis.
Policies and priorities set out by an incoming White House will add a further dimension to the discussion and many see regulators as able to execute (and increase) their jurisdictional authority without the need for substantive new regulations that may require bipartisan Congressional support.
These policies and priorities could include:
- Introducing ESG requirements and disclosures related to climate change and/or social issues.
- Reinvigorating the Consumer Financial Protection Bureau (CFPB), with increased enforcement and focus on consumer protections, including access to services, consumer fees, fair lending, student loans and UDAAP.
- Implementing housing finance reforms that address access and affordability (but without necessarily involving government-sponsored enterprise reform).
- Advocating new financial services policies, such as postal service banking, banking access for cannabis businesses, the central banking approach to payments and the creation of a public credit reporting agency.
What role will technology play in compliance and regulatory supervision in the future?
Although regulators have largely looked to existing laws and regulations to define the parameters, or set the “guardrails,” by which they evaluate the application of new technologies, the accelerating pace of change across developing technologies, business practices and consumer expectations is prompting public policymakers to consider changes to the current supervisory framework.
Multiple legislators and regulators are acting at the state, federal and global levels. Given the multiple and differing laws and regulations that organizations may be subject to, compliance risk will likely increase. Furthermore, as new protections are introduced by individual states, the policy expectations for a federal framework in the United States increase in complexity and likely extend the timeframe for debate. Ultimately, lawmakers will be faced with determining whether national standards will preempt, match, or expand on state protections.
In anticipation of future changes, institutions need to assess their innovation, AI, cloud and related data strategies with agile incorporation of controls to address technology, security and compliance risks. They should also be looking to supplier and third-party procurement and vendor risk management from due diligence and throughout ongoing monitoring.
The use of data analytics, modeling, and technology will also play a big role in compliance programs. Automation can be used in compliance programs to:
- Develop a dashboard of risks across an organization;
- Aggregate critical data elements for analytics into a single source;
- Assess underlying data for completeness, accuracy, quality, and integrity via a data quality rules engine; and
- Automate test or validation data feeds, data lineages, and report submissions.
Ultimately, automation can be used to build more predictive analytics.