- Interview with Seth Benefield, Head of Bank of America Business Capital and Asset-Based Financing
- Trade Credit Insurance – More than Insurance
- How Diverse Teams Make Successful Companies
- What a Lender Needs to Know: Key Loan Document Terms in a Time of Crisis
- SFNet Advocacy Alert: CFPB Section 1071 Rule Could Place Burden on Financial Institutions—ACTION REQUIRED
Wolters Kluwer’s Regulatory & Risk Management Indicator Survey – Key Takeaways
February 13, 2024
By Eileen Wubbe
In December, Wolters Kluwer released the results of its 2023 Banking Regulatory & Risk Management Indicator survey. The online survey, now in its eleventh year, was administered from July 20, 2023 to September 22, 2023, covering the period from August 1, 2022 to July 31, 2023.
The Indicator collects trend information on the depth of regulatory and risk concerns; determines regulatory impact (realized or anticipated) on institutions; assesses the sophistication of financial institutions’ risk management efforts currently in place and gathers data inputs that are used in calculating a regulatory and risk management “pain index” score, which is tracked and reported annually.
TSL Express’ senior editor sat down with Tim Burniston, senior advisor, Regulatory Strategy, for Wolters Kluwer Compliance Solutions to discuss the results of Wolters Kluwer’s Regulatory & Risk Management Indicator survey. Burniston advises Wolters Kluwer’s Financial & Corporate Compliance divisional leadership team and clients on emerging issues, legislative and regulatory developments, and regulatory strategy.
TSL: What are the biggest differences in this year's findings versus last year's results?
Burniston: The most significant differences that we observed were increases in the dollar amount of the fines and penalties imposed by regulators as part of enforcement actions, and the level of concern about compliance challenges and obstacles in general. We also saw elevated concern about third-party risk, which is not surprising given that the banking regulators released major policy guidance, the Interagency Third Party Risk Management Guidance, issued in June 2023.
There were fewer newly changed regulations in sheer numbers from last year. However, one that got picked up in the survey time period was the small business lending reporting rule (Section 1071 of the Dodd-Frank Act) that had been released just a few months before we conducted the survey. Right after the survey closed, we also saw the release of the modernized Community Reinvestment Act regulations. Those were not picked up in the survey results per se, but, nonetheless, the release of final rules were long anticipated and will be impactful.
What common themes are you seeing in viewing the past few years of this survey, and what does it say about the state of the U.S. banking industry?
I looked back at prior Indicator results and the overarching theme I observed ties back to navigating through what can be characterized as a very difficult three, now almost four-year period punctuated with many weighty issues. If we think about where we were three years ago today, we were about a year into a deadly pandemic. As we all know, that had highly destructive effects on our nation, our businesses, our workforce and, most importantly, on human lives. We also experienced a prolonged period of interest rate increases, associated economic downturns, and associated regulatory changes.
But through all the nation has faced in that period, what stood out to me was how the industry responded and how it consistently demonstrated a high degree of resiliency. That’s a tribute to its overall strength and ability to rapidly absorb a lot of change effectively. When you pack that much change into such a short period of time and look at how the banking industry responded, I continue to believe it was pretty impressive.
There were other common themes that I picked up, and one of them was the management of regulatory change and risk. Three years ago, we had the pandemic and associated increases in loan default risk. Those issues topped the list of compliance and risk management concerns raised in past survey results. Today we are seeing interest rate increases and ransomware attacks as key concerns. But in 2020, as well as in our latest Indicator, we also saw staffing challenges and manual processes as key concerns.
What would you say are the key takeaways from this risk Indicator survey? Are there any results that surprised you this year?
One takeaway is in looking at the levels of regulatory enforcement activity. What that speaks to is that the consequences of noncompliance and the failure to manage risk continue to be very steep. Those consequences include not only direct costs, but they manifest in other ways such as in limiting or disrupting future growth and merger plans. Reputational damage is another fallout from enforcement actions. It’s clear that the regulators are not shying away at all about using the enforcement tools available to them. Of course, the data on enforcement actions we have only includes matters that regulators are required to publicly disclose. There are many other, non-public enforcement activities.
Managing regulatory change also continues to be a key challenge. The management of risk, particularly compliance risk, continues to become more complicated, and that, of course, points to the need for the application of technology to help manage it.
The surprises for me included the degree to which the CFPB’s small business lending regulations implementing Dodd Frank Section 1071 were identified as a major challenge. Seventy-four percent of our respondents are either “Very” or “Somewhat Concerned” about those rules. This tells me a couple of things. One, the industry is paying attention, which is great. Two, people are concerned that Section 1071 rules are going to be a major implementation challenge for them.
We also saw an uptick in concern about third-party risk management, and I think that reflects the growth in partnerships between banks and other organizations such as fintech firms or providers and the need to manage those relationships carefully. (Editor’s Note: See SFNet’s 1071 analysis here.)
Another surprise was a jump in perception about examiner scrutiny of fair lending during examinations. The results indicated that 48 percent of the respondents perceived either a considerable or slight increase in examiner scrutiny of their fair lending compliance. That’s the highest percentage we’ve seen since we started the survey. And it was also an 8 percent point jump over last year’s score on this issue.
With regard to managing risk across business lines, we learned that 74 percent of our respondents rated this as a high or moderate risk, compared to 59 percent last year. That was also a big jump. And, finally, one surprise that we also saw was a decline in cybersecurity as a concern, at least in the survey results. In 2019, for example, 78 percent noted this matter was receiving escalated priority in their business planning; in the 2023 survey, that percentage declined to 58 percent.
I doubt the industry is less concerned about cybersecurity in 2023 than it was in 2019. I believe the industry is likely just as anxious about it, but it is doing a better job of managing it and that progress is reflected in the survey responses. The regulators have certainly not de-emphasized cybersecurity risk. Their concern is clear from their presentations and in their advisories to the industry. We see news reports of breaches and other concerns across all different lines of business. So I don’t think overall concern about cybersecurity is going down as much as the percentage might suggest, and I am also confident that financial institutions are devoting a significant amount of time and attention to it.
The overall Main Indicator Score rose back to a score similar to 2021’s of 128. Some of the reasoning cited behind this included a three-fold increase in the dollar amount of regulatory fines imposed over the past 12 months, from $1.3 billion for the 2022 survey period to $3.9 billion in 2023. Can you explain more about this? Were there any specific regulatory fines that added to this large increase?
Some of this relates to the timing of the survey and the unpredictability of when enforcement actions are completed and made public. In looking behind the numbers, we are seeing through our other work with the industry that regulators are taking aggressive action to address non-compliance and safety and soundness issues. One area, for example, is in fair lending, particularly with regard to redlining, where the Department of Justice has reached several settlements in the past year with lenders and has upwards of 20 more cases that they’re reviewing now. So, that’s one example that supports the notion that regulators are taking more aggressive action.
There was one enforcement action that caused the 2023 dollar amount number to bump up considerably. If we were to remove that one very large enforcement action, the numbers would be more closely aligned with last year’s results.
Given the challenges to the CFPB’s Sec.1071 final rule (such as Judge Crane of the Southern District Court in Texas broadening the injunction to include all covered financial institutions), do you think these rules will ever be implemented?
When the CFPB issued its final rule at the end of March 2023, it included a tiered or phased implementation schedule based on volume. Those in the Tier One category, comprised of the largest lenders, were to begin collection in October 2024, with other tiers to follow in 2025 and beyond.
The institutions that have October 2024 on their radar screen have all been working very steadily towards that date, with the understanding that the date will be extended by the injunction. The injunction calls for an extension of the implementation period for as long as it stays in place. The implementation dates will be recalibrated once the U.S. Supreme Court issues its opinion, sometime between now and June, in a different case involving a different rule and a different issue. That case involves the CFPB’s payday lending rule and a challenge to the constitutionality of the CFPB’s statutory funding mechanism.
The industry has been looking at the extension of the October 2024 date as a gift of additional preparation time, not as an excuse to stop work. Most are optimizing and taking advantage of the additional time, which could be several more months. I do think that the rules will ultimately be implemented.
With 74% respondents expressing their concern as high for small business lending rules, do you think this will drop as time goes on, as compliance teams undergo more training and become more familiar with rules?
The overall level of concern will diminish over time, but concerns about certain aspects of the implementation process are going to grow before that happens, namely with the ability to accurately capture data and data analysis. The survey asks questions about different steps in the implementation process, and as the implementation process proceeds, we expect to see certain things take on more importance, then trail off, and then return later. That’s what we saw with the implementation of the revamped Home Mortgage Disclosure Act regulations several years ago, which bear many similarities in concept to the small business lending regulations.
Right now, we are seeing the industry ramping up to train their team members to get them more familiar with the rules, as well as preparing for collecting the necessary data and getting systems ready.
With the implementation starting in October 2024 for larger lenders, and 74% of Indicator respondents ranking the small business lending rules among their concerns, including accurately capturing new data fields, system upgrades, and staff training for compliance, what steps can be done to prepare?
Given that it has been close to a year since the final rule was issued, I would hope that people have taken the time to read it and have also looked at the materials issued by the CFPB designed to facilitate compliance. That is the critical first step. Second, I hope institutions are taking full advantage of the entire implementation period and have mapped out a plan and strategy for being ready when the compliance dates arrive. Third, it is critical to look at the small business lending rules as more than an exercise in collecting data. It is much more than that. You have to understand why it is that the CFPB is collecting this information. This is a fair lending regulation. And that information is going to be used for fair lending purposes to look at small business lending, and credit access and availability, much in the same way HMDA is used for mortgage lending access and treatment issues.
Fourth, given the breadth and importance of the regulation and how the data will be used, fully and effectively operationalizing it requires an enterprise-wide regulatory change management program. That means an institution needs to have all the right people assembled across the organization, with compliance, legal, IT, credit, and financial reporting groups working together with clarity of purpose and responsibilities.
There are many operational challenges that must be addressed in just capturing the data. There are also complications with the collection of race and gender data of a small business. Much of this involves new information that institutions have never collected before, and the rule requires institutions to have reasonably designed procedures for the small business application process which many probably have not had before. Those procedures will help ensure consistency in the collection and reporting of the data as well as in facilitating staff training and setting up controls and monitoring. All of this ultimately ties back to the fundamental imperative to having a comprehensive compliance management system in place that’s guiding the implementation process.
Did many of 2022’s noteworthy banking regulations and compliance trends continue in 2023?
A few of them did. Keeping current with changing regulations is one of those common themes that we see from year to year, and that showed up again this past year. The small business lending regulations also carried through from 2022. Other things that carried through included the most significant obstacles to managing a compliance program – too much reliance on manual processes, too many competing business priorities, and staffing.
Finally, interest rate increases and concerns about ransomware carried through to 2023. Everyone is watching for what the Federal Reserve does in 2024 and beyond with interest rates. There have been certain signals that the country is turning a corner, and we will see some welcome interest rate decreases in 2024.
What can banks do to overcome the top obstacles reported in the Indicator?
The results show that enforcement actions are costly. So, the question becomes what can we learn from the experience of others? Reverse engineering each one of those actions to determine whether a similar issue exists in your institution is one way. What are the risks that you see that resulted in enforcement actions and what are you doing to manage those same risks?
Another step is enhancing the compliance program management of the institution. A place to start is with a comprehensive risk assessment that is kept current. Technology can be very helpful in monitoring—and tailoring that monitoring activity to the areas of highest risk identified in the risk assessment.
I would also say manage regulatory change wisely, and that means making full use of implementation time periods. There is often a tendency to sit on a new regulation for a few months and not want to open the book just yet. My advice is to open the book and find out what’s in there.
Looking at data governance as a regulatory and business imperative goes to the issue of accurately capturing and using information. Regulators have been spending a lot more time on making sure the information that they’re using for examination and supervisory purposes is accurate and can be relied upon. I think that institutions owe it to themselves to take a look at that and make sure that they can use that data and they’re making decisions based on good information.
Third-party risk management is an area that everyone needs to be looking at. The uptick in the fair lending program or fair lending scrutiny in examinations has got me thinking about the need to look closely at your fair lending program, especially in connection with the management of third-party relationships.
And, lastly, on the compliance management side, look at staffing models and talent management, particularly in tough times where resource management becomes most challenging.