Pictured: Tim Burniston

TSL Express’ senior editor sat down with Tim Burniston, senior advisor, Regulatory Strategy for Wolters Kluwer Compliance Solutions to discuss Wolters Kluwer’s Regulatory & Risk Management Indicator survey.  Burniston joined Wolters Kluwer in December 2011 to lead Compliance Solutions’ Risk and Compliance consulting practice. Under his leadership, the practice grew significantly in scope and has built on an international reputation for excellence. In July 2017 he was named senior advisor for regulatory strategy. In this role, he advises the Wolters Kluwer Governance, Risk, and Compliance executive leadership team and clients on emerging issues, legislative and regulatory developments, and regulatory strategy.

This year’s Regulatory & Risk Management Indicator Survey was conducted between August 4 and September 6, 2021, with 391 responses received. Respondents are primarily from bank management/executive and compliance roles with strong representation from those in lending functions.

To learn more about the survey, click here.

TSL: Please provide some background about the Indicator Survey. Why did Wolters Kluwer initiate it and what insights has it yielded over the past nine years?

Burniston: We started thinking about a survey in the fall of 2012, with the idea of finding a consistent way to identify and measure  regulatory and risk concern in the U.S. banking industry. This was shortly after Dodd-Frank, and regulators had hundreds of regulatory initiatives underway. The industry was dealing with an awful lot. So, we thought that if we had a tool  that could help us measure  concern about the regulatory environment in a consistent way over time, it would provide good insights into industry challenges and  pressure points.

The first administration of the survey was in January 2013, and we used the scores from those results  to compute a baseline index of 100 and then pegged everything off of that from every survey administered going forward.

Over the last nine years, different things have come about that have given a good indication of the industry’s pulse on the degree of concern about managing risk and compliance issues. Every year something arises that we didn’t quite anticipate, but it really helps us understand what the industry is concerned about. It helps us as a service provider to the industry to make sure that we’re delivering on what the industry needs most.

TSL: The overall Main Indicator Score rose to 128 this year from 103 in 2020 and marked the third consecutive year it increased.  What does this mean?

Burniston: Managing risk across all lines of business, navigating significant regulatory changes, and an increase in fines imposed by regulators drove the rise in the score. Contributing factors include the increase in rules, policies, regulations, and new guidance documents that the industry had to absorb, and the frequency and velocity of that regulatory change.

Looked at in the context of previous scores, it tells us whether the level of concern about the various issues we asked about is increasing or decreasing. We saw a fairly sizable bump from 103 last year to 128 this year. Over time, the contributing factors include the increase in rules, policies, regulations and guidance documents that are issued by the regulators, and varying levels each year in terms of enforcement actions, not only the number of enforcement actions that the regulators impose that are public, but the dollar amounts of the fines that may accompany those enforcement actions.

There’s been a consistent concern over many years about the ability to manage risk across an institution. In some years respondents are less concerned about it, and there are not as many new rules or regulations to try and absorb. But in other years, the anxiety level increases along with an increase in new requirements and other issues that place pressure on a risk management program.

So, what 128 tells us is that the industry is concerned, more so than it was last year, and more so than it has been for the last couple of years.

TSL: What would you say are the key takeaways from this risk Indicator survey? Are there any results, in particular, that surprised you this year?

Burniston: We start with trying to get a sense of the overall level of concern. If you look at those scores, they’ve improved over time, but there are still more than 50 percent of survey responders who are very concerned about compliance and risk in general. 

So, while on one level we see the numbers improving, and that’s a good thing because the results show that over time, the respondents are becoming more confident in the ability to manage risk. Nonetheless, they still have a high level of overall concern. Keeping current with changing regulations continues to be a significant challenge. It’s not easy to implement a new regulation across an organization and do it the right way and on time. We also see other risks at the top of the list. Cybersecurity, for example, is a risk that will receive the highest priority in the next 12 months, at least among this group of respondents.

We saw a change in credit risk, dropping from last year’s high of 61 percent who were very concerned to 43 percent. The 2020 higher score was likely influenced by the pandemic. This year, things are a bit more settled despite the pandemic and its fallout on the industry. I didn’t expect to see that much of a drop, however, so that’s a little bit of a surprise.  

Compliance risk inched upwards a little bit. We anticipated that given the new administration, changes in government, and new leaders coming in, many indications show that compliance will receive more attention than it has in the last couple of years.

Operational risk edged downward a little and that surprised me somewhat. It could be because institutions are feeling more confident in their ability to operationally manage through a disruptive time over a prolonged period. 

One thing that I would say really surprised me is that I had fully expected concerns about third-party risk management were going to be higher than they were. Many organizations are increasingly more reliant on the use of third parties to help manage their business. 

The forthcoming 1071 Small Business Reporting Rules came out fairly high on the list of regulatory concerns, even though they are only in proposed form. The 1071 rules are expected to be formidable for both small and large institutions involved in small business lending. It’s going to take a lot of resources to implement from a systems standpoint and from a people standpoint. [Editor’s Note: SFNet’s Advocacy Committee has submitted comments to the CFPB on 1071. To view the letter, click here]

We also asked respondents for the first time to rank the importance of regulatory change management and automation components to support the large scope and volume of regulatory change.  The importance of maintaining a regulatory library was the most frequently cited component by a substantial margin. That reflects the challenges that institutions continue to face in keeping pace with evolving and continuing regulatory changes.

We also asked for the first time about digital lending capability, and we saw that 47 percent of the respondents indicated they were making progress in that direction and 24 percent saying that they’ve made either significant progress or were fully digitized. We didn’t define “fully digitized,” so it strikes me that 24 percent may be a little bit high, but it is really encouraging nonetheless.  We did see an acceleration during the pandemic of institutions finding new ways of using new technology to be able to deliver loans and services.

On the digital side, 63 percent of the respondents said they anticipated significant or some acceleration in investments in digital lending capability.  That tells us that there is a good deal of momentum here.   I was surprised to see that the level of expected investment acceleration in artificial intelligence and machine learning wasn’t higher.

Among environmental factors, ransomware attacks are weighing very heavily as a concern. The pandemic is still right up there at number two. I was surprised, though, that climate risk didn’t score higher, but I believe we’ll probably see that next year. At the time we did the survey there was a lot of uncertainty about what the regulators might be doing, and now they’re talking a little bit more. The Financial Stability Oversight Council (FSOC) Report was released, and each one of the agencies has a number of initiatives underway, some on an interagency basis.

Lastly, the big jump that we saw was in connection with reduced regulatory burden. Seventy-two percent said that reduced regulatory burden was very unlikely or somewhat unlikely over the next couple of years.  That could be an indication of the sentiment that the industry is feeling from the change in administration, from their examinations and interaction with bank regulators, and what they’re seeing from the regulators in terms of new policies, requirements, as well as other issues on the horizon

TSL: What were 2021’s noteworthy banking regulation and compliance trends?

Burniston: I can mention a few themes, not all of which are picked up in our survey, and many themes will likely carry over into 2022. In looking at what I’ve read or heard most about, pandemic-related compliance issues will be something regulators will continue to focus on in 2022. We still have issues that the agencies and law enforcement community are dealing with in connection with the Paycheck Protection Program as well as CARES Act requirements and the measures that were put in place on loan servicing.

Business and operational resiliency is another theme, not only in terms of internal challenges, but the challenges that organizations have faced in not having everybody in the office and working from home. Resiliency in a time of continuing disruption is on every regulator’s radar screen.

There was also elevation in fair lending and consumer protection issues in terms of the level of supervisory intention that flows from the diversity, equity, and inclusion agenda that the administration has prioritized  since its very first day. The acceleration of digitization of lending, and new ways of doing things that brought widespread customer acceptance is another.  There’s been an increase in government supervision at both federal and state levels, and we’ve seen more activity at the state level than we have in recent years. We’ve seen a reinvigorated CFPB, for example, and new leadership there.

There’s been a lot of attention to climate change as a supervisory issue, which is something that we didn’t hear much about in 2019 or 2020. I’ve also been following potential activity on Environmental and Social Governance (ESG) reporting, particularly from the SEC. There is the prospect of a uniform and standardized reporting scheme that would include key metrics on all elements of ESG.

Competitiveness is another theme, and not only in terms of promoting more competition in bringing new entrants into the marketplace but in providing  more services and access.  I’ve spent time looking at the effect of FinTechs and FinTech partnerships and what banks need to do to adapt and remain competitive.

TSL: With manual compliance processes and inadequate staffing topping the list of the “Top Obstacles to Implementing an Effective Compliance Program” part of the survey, how do you think lending institutions can work towards addressing these obstacles?

Burniston: A companywide, well-documented, holistic enterprise risk management (ERM) framework that integrates technology is a key part of a framework that regulators expect institutions to have in place to be able to identify, assess, control, measure, monitor, respond and report on risks across their enterprise. The complexity, the volume of regulation, and the velocity of change makes it apparent that managing that by way of spreadsheets or manual approaches or word of mouth is just not enough, even for smaller organizations. That ERM framework also has to tie to a very robust compliance management system that includes a very well-developed regulatory change management component.

I also think it’s very likely that the weaknesses in manual systems or manual processes became more acute during the pandemic. More people are working from home and they’re not able to collaborate in the usual manner.

Those asking about these kinds of processes are usually bank regulators and they weren’t onsite either to an appreciable extent during most of the pandemic. They were conducting a lot of examinations offsite and asking institutions to compile information from different, disparate sources and get it all in one place for them, which is a really big challenge. So that’s why looking at this from the standpoint of an integrated automated framework is really essential.

On the inadequate staffing side, it is an issue that will probably become more critical. Over time we had seen compliance staffing ramp up significantly in the first few years after Dodd-Frank took effect, in particular. There was a lot of growth in regulatory functions in banks, and an increased number of compliance personnel.

Staffing levels have probably stabilized to a large extent since then or even decreased as people leave and are not always replaced.  At the same time, regulations, examinations and supervision did not change or de-escalate. If you ask any compliance officer if they’re doing less of anything than they were 10 years ago, they’ll look at you and laugh; the answer is no.

So, couple that trend with changes associated with retaining qualified people and recruiting in a transitioning workplace environment. A lot of people are moving out of the jobs they’re in and into a different career—or looking for a better opportunity in an organization that can provide what they are looking for right now. Recruiting qualified compliance professionals in the current environment is challenging and doing that while staying on top of compliance isn’t easy. Flexibility, aggressive recruitment, and a better understanding of what today’s workforce is looking for is essential.

TSL: How can asset-based lenders and factors not only secure their own systems and networks, but ensure that their clients are doing the same?  What would you say that they need to be aware of looking ahead into 2022?

Burniston: Well, we’ve already seen that bank regulators have been focusing extensively on third-party risk management. A very effective third-party risk management system is essential, and I recommend that institutions review the guidance from their regulators to develop programs consistent with that guidance.

On the cybersecurity side, for example, operational risk, resilience, incident response programs, data recovery, business resumption, business continuity -- these are all things that will be supervisory focal points for examiners.  They’re expecting that banks will have effective systems in place to respond to and be able to recover from malware attacks or distributed denial of service attacks, for example.   

In connection with examination preparedness, you can gain a lot from looking at what the regulators indicate are their priorities and then reverse engineer them. When regulators say that they’re going to be emphasizing threat vulnerability and detection, authentication, access controls, network management, and managing third party access to systems, it raises the need for institutions to do aggressive and comprehensive self-assessments of their own systems to find out where the issues may be and where their soft spots may be so they can strengthen those in advance.

TSL: What does the Indicator tell us about areas of lenders’ regulatory focus in 2022 and what banks might be doing to prepare for these challenges?

Burniston: Climate risk management is going to be get a lot more attention in 2022. Community reinvestment compliance—particularly interagency regulatory modernization­—is going to pick up. The regulators are working together on a proposal that will modernize the 1995 CRA framework and all indications are that will happen in 2022.

Compliance issues in general, such as the continuation of the PPP and other CARES Act compliance matters, fair lending, 1071 data collection, BSA and AML are some of the bigger compliance issues. Cybersecurity and concerns about ransomware attacks, computer incident notifications, third-party risk exposure should also be areas of focus.

We’ll probably add a question to our survey next year to get a little more sense of what lenders are thinking about cryptocurrency. The regulators just recently provided a roadmap of things they’re going to be looking at in the cryptocurrency space over the next year or so in issuing either regulation or guidance.

Lenders may focus on more accelerated consolidation in M&A, particularly in the smaller bank segment and the continuing effects of the pandemic on matters such as credit risk, inflation, and economic pressures. I’ll also go out on a limb and throw cannabis banking into the mix. We might see something happen on that topic in 2022.

Those are probably the most critical things that k we’re going to see from the regulators and Congress. There will be a lot to absorb.