In November, we conducted our annual Banking Priorities Survey to help uncover what banking executives across the country foresee as defining factors for the financial industry in 2016. Of the 11 questions answered by respondents, the one regarding top compliance concerns garnered some of the most compelling results.
In last week’s blog, we examined the reasons why 68.8% of your peers named mortgage compliance as their biggest regulatory challenge for 2016. Obviously though, that’s but one in a laundry list of compliance worries for financial institutions. So this week, we take a closer look at the other regulatory burdens respondents called out, including Consumer Protections (52.1%), vendor management (42.7%), BSA/AML (39.6%) and Enterprise Risk Management, or ERM (27.1%).
1. The Consumer Rules the Roost
Since the moment the CFPB opened its doors, the area of Consumer Protections has shot up the regulatory priorities list, as it encompasses a number of complex issues.
Cybersecurity and Consumer Fraud:
Today, cybersecurity and consumer fraud are practically one and the same, as most fraud is perpetrated via cyberattacks. This makes regulators extremely nervous. Speaking at the American Banker Digital Currencies + Blockchain Conference last summer, a former New York bank supervisor warned that, “you are going to see a lot of action around cybersecurity and the regulation in that area.”
What form that action takes is still up for debate. It could mean additional regulatory guidance, like further updates to the FFIEC Information Technology Handbook; or it could mean that regulators make the FFIEC Cyber Security Assessment Tool mandatory for all banks. Even now, some smaller institutions have indicated that local examiners are requiring it. (For tips on navigating this landmine, read What to Expect at Your Next IT Exam.)
EMV and the Customer Dilemma:
The relief financial institutions feel as merchants take on more of the onus for debit and credit card breaches is double-edged. As of last October, retailers who haven’t converted to EMV are responsible for any losses incurred in a breach, but many merchants missed or ignored the deadline. This creates a different issue for banks: reputational risk. The average consumer is unlikely to care about the liability shift and will still look to their bank or credit card issuer to cover their losses. Institutions will need a plan for handling such situations.
UDAAP and Uncertainty:
Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) continues to stymie banks. Linda Albrecht, a principal with the CPA and business advisory firm Eide Bailly, attributes this uncertainty to the fact that, “unlike most consumer protection regulations that specifically define how you are to comply, UDAAP is a principle.” She goes on to suggest that banks view UDAAP in a new way: “this underlying principle requires you to deliver products or services that provide an overall benefit to the consumer audience for which it is intended.” She recommends using that lens to review such consumer areas as customer communications, policies and procedures, customer complaints and third-party relationships.
2. Vendors Take on Some of the Onus
The vital relationship between financial institutions and third-party vendors is under significant regulatory scrutiny. Appendix J of the FFIEC’s IT Handbook came out last February, and regulators are expecting institutions to further ensure the resilience of their outsourced technology services. Now that institutions have had almost a year to digest this guidance, examiners will expect business continuity plans that recognize and mitigate the possibility of business disruptions with their technology service providers (TSPs).
In recognizing the third-party responsibility in this equation, the FFIEC updated the Management booklet of its IT Handbook in November. In effect, TSPs are now held to the same standards as financial institutions in terms of risk management and security. But that updated booklet also makes clear that this does not relieve banks of responsibility, and specifically calls for greater board of director focus on IT governance.
3. BSA/AML and ERM Must Not Be Forgotten
While your institution is rightly focused on what are arguably more pressing compliance areas, don’t let other issues slip through the cracks. BSA/AML, including OFAC watch list screening, continues to be a key tool in the United States’ war on terror, which is heating up as terrorist attacks escalate beyond the Middle East.
It remains to be seen whether the OCC’s heightened risk management guidance will trickle down to smaller banks, but as the 18-month period looms for larger institutions to implement the agency’s ERM framework, all institutions should keep ERM in their sights.
As the survey says, 2016 will have its compliance challenges. But planning how you’ll navigate them now will make for a smoother ride along the way. And download CSI’s 2016 Banking Priorities Executive Report to see what else your peers have in store for the year ahead.
Keith E. Monson serves as chief risk officer for Computer Services, Inc. (CSI). In this role, Keith maintains focus on CSI’s compliance initiatives to establish and build out an enterprise-wide compliance framework for risk assessment and reporting, issue management and other key components of CSI’s corporate compliance program. He also works closely with CSI’s Board of Directors Audit Committee as well as other compliance teams across the organization to promote a culture of engagement and connectivity while implementing and advising on practices and related standards.