A Modern Approach to Regulatory Change Management in Banking and Financial Services sector – (Part I)

For complex businesses that are heavily regulated, keeping up with the multitude of regulatory changes is a constant struggle. Large legal entities like banks and financial services sector companies, having global footprints are always challenged more than ever to comprehend and manage regulatory requirements directly affecting their business. Especially in the pandemic and post-pandemic scenario, there has been an unprecedented change in business and operating models. There has been increasing pressure and demand on these organizations to manage and maintain compliance with new regulatory requirements continuing to escalate, as scrutiny intensifies from multiple fronts such as investors, counterparties, regulators, and even other stakeholders and participants as a result of multijurisdictional COVID-19 responses. Compliance personnel in these organizations have the burden of determining the impact of regulatory changes, to make changes or additions to their existing obligations. This process keeps on repeating itself with every change in regulations.

What is Regulatory Change Management?

Regulatory Change Management (RCM) is a multi-step process involving identification, interpretation, and applying changes in the regulatory environment to the risk and compliance framework, respective programs, operational environment, and the day-to-day business activities of organizations to stay compliant. Some of the heavily regulated industries include finance, insurance, health care, aviation, among others where regulatory changes can create a huge impact on all aspects of an organization from servicing client requests, disclosing information, marketing, how data is utilized, execution of client requests, and others.  Banks, fintech and financial services companies need to ensure that the changes are updated in the necessary controls, policies, and procedures and socialized and implemented.

RCM involves incorporating the regulatory changes and obligations in the impacted areas. This may not be only about the new laws and regulations. Changes in the existing laws and regulations, or when laws and regulations are relaxed or overturned, even in such scenarios Banks and financial services enterprises should go through the regulatory change management process.

For managing the changes in the regulatory ecosystem, an organization must initially establish a baseline, referring to the existing obligations. This can be implemented through proper documentation of policies, procedures and guidelines that have been established to satisfy an organization’s business objective. For instance, if we consider the customer onboarding process in banks and financial services companies, they need to establish a set of supporting procedures such as collecting personally identifiable information (PII) from customers for satisfying the Know Your Client (KYC) obligations (which is another regulatory requirement). If we take this example, the bank or financial services company had an existing obligation to satisfy KYC, but now that they are also collecting the PII information from the customer, as a result, there are several privacy rules they are now subject to such as GLBA, CCPA, GDPR, among others. This way there can be several regulatory obligations they should meet to satisfy their business objectives.

On identifying the regulatory requirements associated with business objectives and associated operational processes to support it, organizations should create a list of the obligations along with the processes or controls in place to make sure they are compliant. This helps in creating a baseline for the regulatory change management process. Any changes in the regulatory requirements would result in an analysis to determine the impact, necessary changes needed to the internal processes, and risk assessment, among others.

Most importantly banks and financial services companies should document the analysis along with approval, comments and keep it archived for audit requirements. As far as auditors and regulatory examiners are concerned, they will want to see all the evidence concerning the necessary steps taken as part of an organization’s regulatory change management process. This gives them a clear picture of how effectively the company is meeting its regulatory obligations, what changes were incorporated, and who approved the steps.

Major Challenges to regulatory change management

However, the problem is that all the relevant changes must be reconciled with the bank or financial services company’s controls, policies, and procedures. This is a tedious, complex, and manual process and the siloed pockets of knowledge throughout the enterprise make the business vulnerable to errors. Another major reason compliance teams get overwhelmed is the fact the economic turmoil spurred by COVID-19 has affected many organizations in the banking and financial services sector, forcing them to rein in their budgets. Those teams tasked with regulatory change management are now being asked to do more with a lesser number of resources. So, the Risk and Compliance teams face a confluence of challenges.

It is crucial for banks and financial services enterprises to enable a change management framework that centralizes and synthesizes all present and future regulatory requirements. This way enterprises can improve coordination across silos and glean useful and actionable insights that enhance overall compliance risk management performance. Apart from the real-time, always-active identification and assessment of global regulatory obligations, these companies should incorporate IT enablement, a subject matter experts pool, and a thorough process to facilitate a flexible and adaptable framework for managing regulatory changes. Some of the objectives include defining a clear lineage of regulatory requirements and that too for a proper business operating model and process, considering the potential risk and required control frameworks and elements.

The regulatory ecosystem should meet local and global regulatory expectations and for that to happen seamlessly, large enterprises would have to streamline the end-to-end global compliance management process across data management, collection and listing of regulatory obligations, compliance review and testing, report generation and integration. In this digital era, compliance operations, especially regulatory change management is particularly ripe for automation, because there are millions of pages of regulatory documents published globally, and there can be several crucial and subtle implications to carefully consider. Unless the process is streamlined and automated this would mean countless hours of manual work.

The Way Forward

In most banks or financial service enterprises, regulatory change management is managed by a team of compliance and legal subject matter experts leveraging purely manual processes. After a baseline is obtained, the team would monitor changes to the inventory of regulatory obligations using relevant external source data. This whole legacy approach is manual, tedious and error-prone. If we consider the rate of change to laws and regulations, there is no way it will decrease over time. Moreover, for large, complex multinational organizations, having global transactions, and the trend toward a global regulatory convergence across multiple regulated industries, things look very difficult if the legacy approach is continued. The only way to have control, stay on top and manage all the necessary regulatory obligations is to make use of the latest emerging technologies such as hyper-automation, intelligent automation, machine learning, artificial intelligence, advanced analytics, among others.

In the next article of this series let’s see how the emerging technologies can streamline regulatory change management to comply with changing regulatory obligations.