Risk Based Compliance Management – Making It Work for Banks

With the constantly increasing chaos and uncertainty, banking compliance has been going through a continuous overhaul. Regulatory bodies are twisting arms and introducing new compliance requirements at frequent intervals. Banking institutions are racing to gear up to face the new age challenges and create modern compliance to eliminate risk and invest in cross-functional controls.

Risk-based compliance management has emerged as a crucial approach for banks in navigating the complex and evolving regulatory landscape while optimizing resources and operational efficiency. In an era where financial institutions face ever-increasing regulatory demands, heightened scrutiny, and the constant need to protect their reputation, adopting a risk-based compliance framework has become not just a strategic choice but a necessity.

This approach prioritizes the allocation of compliance resources according to the level of risk inherent in various business activities, ensuring a more effective and tailored response to regulatory requirements. In this discussion, we will explore the principles and practices of risk-based compliance management, shedding light on how banks can make it work to their advantage in achieving both regulatory compliance and business objectives.

Introduction

Since 2009, regulatory fees have increased dramatically relative to banks’ earnings. In addition, the scope of the regulatory approach and scrutiny are continuously expanding. Non-compliance can result in heavy penalties.

In 2022, banks and various financial institutions faced penalties totaling nearly $5 billion due to violations related to anti-money laundering, sanctions breaches, and shortcomings in their “know your customer” systems. These fines contribute to a cumulative penalty tally of almost $55 billion since the global financial crisis.

While most regional and small-scale entities and major banking enterprises have some form of compliance framework in place, there are still a number of questions related to banking compliance that go unanswered.

Banks such as Goldman Sachs, Wells Fargo, and JP Morgan Chase paid more than $7.5 billion for non-compliance-related fines which suggests that even top players are constantly dwelling with risks and compliance factors. Regulators such as the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve Board of Governors (FRB), the Consumer Financial Protection Bureau (CFPB) the Committee on Banking Supervision of Basel, and the Office of the Comptrollers (OCC) are constantly screening banks against compliance risk management policies. In several cases, they’ve initiated compliance actions for an underlying weakness when it becomes an uncertain condition, practice, or violation of regulations. Even a minor non-compliance issue can cause havoc and put a dent in the banking organization’s reputation. Banks need a more structural and extensive approach to risk and compliance management and governance which allows them to proactively and efficiently create robust and sustainable compliance and governance frameworks.

The traditional banking compliance methods

The traditional banking compliance model was developed at a different time and for a different purpose, primarily as a compliance arm for the legal department. Compliance organizations used to publish internal bank guidelines and regulations largely in an advisory capacity with a narrow focus. It was mostly attributed to the identification and management of real risks. However, the traditional approach provided a limited understanding of the underlying business operations and risks, as well as very little insight into the regulatory requirements from the business perspective. Banks back in the day played safe and tried to constrain risk management within the parameters of the 20th-century playbook. Being so accustomed to the siloed approach and archaic processes, many banks even now are still struggling with fundamental front-line control environment issues as compliance activities are typically isolated. Also, there is no clear connection to the broader framework of risk management, governance, and processes.

The state of compliance in banks

Banking regulations in the United States are highly fragmented compared to other countries, which typically have only one banking regulator. Banking and financial services in the US are controlled at the federal and state levels. Depending on the charter and structure, a bank would be subjected to numerous regulatory bodies and regulations. Different countries around the world have their own rules, regulations, and reforms. This increases the challenge for global banks and financial institutions. A BCG report shows more than a third of all banks report to 10 or more regulators and more than 75% of all banks report to four or more regulators.

Source The costs of compliance and risk mitigation have become the most challenging factor over the past eight years. Operating compliance costs for retail and commercial banks have increased by more than 60% compared to pre-financial crisis spending. Regulators and shareholders expect banks not only to meet new regulatory requirements but also to ensure their effectiveness. That mounting cost pressure associated with compliance, coupled with low-interest rates and flat top-line growth, hasn’t resulted in significant growth for banks. Compliance management is no longer just the domain of the Chief Compliance Officer or the Chief Revenue Officer. Other CXO roles such as CISO, chief conduct officer, CFO and CDO, and executives play a critical role in the planning and compliance implementation. Many CXOs across institutions are looking for ways to dramatically improve regulatory productivity to avoid penalties.

Additional Read:  Role of compliance officer and chief risk officer Focusing on traditional cost-cutting options such as process reengineering, lean, location-based strategies, and automation has brought some relief, but now many CXOs are looking to new technologies for transformation and getting an edge on risk and compliance management. As compliance has evolved, three main organizational models have emerged.

• The first maps compliance to the risk function where the CCO reports directly to the chief risk officer
• The second is deputizing for the board of compliance, and
• Third, compliance departments report directly to the CEO and board members.

The need for streamlined compliance risk management for banks

With new regulations knocking on the doors of banking institutions at regular intervals, it is crucial to ensure continuous compliance to keep things under control. Many regulatory compliance practices in banking are new and evolving, with stringent implementation deadlines putting further pressure on banks. Banking institutions face the challenge of keeping up with the proliferation of regulations regarding risk and compliance management. Banks must have a strong infrastructure and highly skilled staff for compliance management to ensure the new standards. The existing risk management framework will help to manage risks of different types and levels. A streamlined risk management process would enable the bank to identify, monitor, and control compliance risks proactively. Routine risk management solutions and ad hoc practices need to be replaced with a robust risk management system. The merging of different risk factors, the reference to different compliance standards, and the integration of different audit processes are only possible through an integrated company-wide architecture. In addition to facilitating regulatory compliance, it tracks potential violations to avoid legal penalties and business opportunity restrictions. Connected banking includes end-to-end process automation to mitigate risk. Efficient digital integration with partners, customers, regulators, and government agencies facilitates proactive risk and compliance management. Gartner cautions that performing typical compliance activities individually is an unsustainable approach. Compliance programs must function as integrated steps in banking operations rather than being a separate and siloed process.

Risk-based compliance management

Traditionally, risk management and compliance management have been treated as separate disciplines. Risk managers dealt with risk identification and mitigation, while compliance managers dealt with compliance verification. However, this approach is no longer cost-effective or efficient. The need of the hour is a holistic strategy that is integrated with risk management and business goals. Risk-based compliance management enables compliance auditors to first identify key compliance risks and then propose controls to mitigate those risks. So the focus is only on the risks and compliance regulations that are crucial for banking institutions. The compliance and risk management lifecycle is critical to a profitable and efficient banking system and it consists of:

• • Risk assessment and prioritization of controls – Banks should systematically assess compliance and risks across all functions. Risk assessment tools such as risk calculators and risk heat maps can also be used.

• • Determining the right control – Selecting the right control can help you avoid or identify risk. The control should be evaluated on the basis of its operational effectiveness, meaning that higher risks require a more thorough evaluation, while lower risks generally do not require as much analysis and improvisation.

• • Easy and powerful compliance reporting – It is necessary to report the bank’s compliance risks and controls status at regular intervals. A powerful reporting tool should be used to proactively track metrics for better decision-making. The compliance reporting platform is instrumental in proving the bank’s compliance with regulations and in deciding if there is a need for internal reports or for reports to external auditors and regulators.

• • Risk mitigation and elimination – Consistent compliance and risk tracking is an essential step in the risk management lifecycle and helps align with compliance needs and eliminate discrepancies and errors. A regular review helps to identify redundant activities and at the same time discover the scope for more efficient processes.

VComply’s regulatory compliance management software for banks automates the banking compliance process so that they can keep up with the regulatory changes.

Importance of GRC for banks

As more organizations in the banking and financial services industry rely on technology to complete transactions, GRC is more important than ever. GRC in banking and financial services is about:

• Managing risks to sensitive stakeholder data and maintaining the confidentiality and privacy of financial transactions.
• Compliance with industry regulations on fair practices, safe banking, and financial services activities.
• Implement governance at all levels of a banking or financial institution to meet the organization’s specific needs.

Source Although in the banking industry, GRC is designed to mitigate risk to stakeholder data, the GRC requirements may vary based on geographic location and banking and financial ecosystem. GRC is also vital to keep banks and financial services organizations fully operational to support the day-to-day needs of businesses and individuals. For example, the United States government classifies financial systems as critical infrastructure. If left unaddressed, the risks to the banking industry could disrupt the operations of many institutions and affect the livelihoods of US citizens. The importance of a GRC platform for the banking industry:

• Protect privacy for sensitive digital transactions.
• Identify cybersecurity threats before they can affect entire organizations and ecosystems of banking and financial services.
• Fix banking and financial services management gaps that could lead to fraudulent transactions.
• Monitor data processing of sensitive cardholder data to mitigate data risks from cybercriminals.

When it comes to sensitive banking and financial services transactions, earning customer trust is crucial to sustaining your business. A GRC platform like VComply can help you demonstrate your commitment to keeping transactions fair and secure to meet the needs of your customers.

Simplifying the key governance and compliance strategies for banks

An expanded compliance role and active responsibility for the risk and control system

In most cases, banks need to transform the role of their compliance officers from mere consultation to laying more emphasis on management and active risk controls. The role crosses beyond the routine advice on legal rules, regulations, and laws and becomes an active co-owner of the risks to ensure independent oversight of the control framework. In light of this development, the responsibilities of the compliance function extend to:

• Generate practical insights into the applicability of laws, rules, and regulations to businesses and processes and how they translate into operational requirements.
• Create standards for risk materiality.
• Develop and maintain a robust process for risk identification and assessment.
• Set standards for compliance training programs.
• Ensure that the frontline is effectively applying processes and tools designed for compliance.
• Approve customers and transactions and products based on predefined risk-based rules.
• Perform a regular assessment of the status of the entire compliance program.
• Understand the risk culture of the Bank and its strengths and weaknesses.

Implementing a risk culture has a special place in the compliance playbook for a banking institution. The elements of a strong risk culture are relatively clear and include:

• Timely information sharing,
• Rapid escalation of emerging risks, and
• Willingness to challenge practices; however, they are difficult to measure objectively.

Using tools like the structured risk culture surveys a can provide a deeper understanding of the nuances of risk culture across the organization, and your results can be benchmarked against similar institutions to uncover critical gaps. It provides a detailed view regarding the organization’s risk appetite, management’s point of view, decision making process, risk governance and control strategies along with risk management accountability. Risk culture can be actively shaped, monitored, and maintained by committed leaders, management, and the stakeholders of the organizations and helps organization and the respective stakeholders to align and integrate risk culture with the values and purpose.

Take a holistic view

The concept of governance, risk, and compliance management (GRC) is not new. Ever since banking regulations were introduced, banks have had to comply with them in order to continue doing business. Over time, GRC management has grown to encompass multiple aspects of a financial institution’s business, including compliance, risk, business continuity, audit, 3rd party risk management, incident management, operational risk, and many more. Typically all these components are managed separately on different business sources and applications. To obtain information on multiple areas of compliance practices, financial institutions often use a mix of technologies: a combination of spreadsheets, email, documents, and shared drives and files. While this approach is quite handy, it’s imperative to look at compliance and risk management from a holistic perspective. Otherwise, risks can arise in the gaps between these business silos. A centralized compliance management platform would be the best way to navigate the situation.

Transparency on residual risk and effectiveness of controls

One of the traditional industry practices has been to identify high-risk processes and then to identify all controls that relate to each of them. However, this approach does not provide true and complete transparency regarding material risks and often becomes a purely mechanical exercise. First, the lack of an objective definition and a clear recognition of a high-risk process is quite subjective and at the discretion of respective business units. This can result in the omission of risks that are critical from a compliance risk perspective but are considered less important from a business perspective. The process may seem like an insignificant part of the overall business portfolio, but can be a critical area for regulatory compliance. This approach also suffers from inconsistencies. The new focus on residual risks and critical process breakpoints ensures that no significant risk is left unaddressed and forms the basis for monitoring activities and efficient and truly risk-based remediation. Address these challenges by directly linking regulatory requirements to processes and controls. There are numerous internal controls associated with each regulatory requirement.

Leverage data effectively

Even with a holistic level view, you’ll need data to support conclusions. If you’re not leveraging data effectively, it’s hard to interpret risks and this could result in missed opportunities. Having multiple documents and technologies in place creates bottlenecks when it comes to analyzing data, but having such data is critical to measure the effectiveness and efficacy of GRC frameworks. There are two ways to ensure your institution is fully utilizing its data:

• Having a proper technology solution in place that can pull data and
• Setting technology for reporting and analysis of said data.

A GRC platform for banking compliance management helps build strong data governance oversight that is backed with credible real-time insights.

Integration with risk management, overall governance, regulatory affairs, and problem management processes

The benefits of an integrated risk management framework cannot be overstated. They include:

• Ensuring the organization has a truly comprehensive view of its risk portfolio and insight into all systemic issues and that no material risks are left unaddressed.
• Mitigating the burden on the organization and on control functions.
• Facilitating a risk-based allocation of corporate resources and management actions to eliminate risk and invest in cross-functional controls.

The following best practices can help a bank integrate regulatory matters and risk management processes:

• Develop a single integrated inventory of operational and compliance risks.
• Develop and centrally maintain standardized risk, process, product, and control taxonomies.
• Align methodologies and timelines for risk assessment, remediation, and reporting.
• Define clear roles and responsibilities between the risk and control functions at each risk layer to ensure there are no gaps or overlaps, particularly in gray areas where disciplines converge ( e.g., third-party risk management, privacy risk, AML, and fraud).
• Create integrated training and communication programs for all the relevant stakeholders.
• Establish clear governance processes and structures with distinct mandates.
• Consistently involve and align high-level compliance stakeholders in setting action plans, target dates for completion, and prioritizing issues that require attention.
• Establish formal liaison and coordination processes with government affairs.

Foster greater internal collaboration

Fostering cross-department collaboration can be tricky in any organization. But this becomes especially important for financial institutions when it comes to governance, risk, and compliance. Institutions that prioritize the breaking down of organizational silos will see the benefits reflected in a better risk management and compliance program. Greater internal collaboration significantly improves:

• Engagement of multiple areas for risk assessments
• Incident management
• Fraud prevention and control
• Policy review

When a financial institution develops a new policy, the impact on IT, training, HR, and legal must be taken into consideration. All these areas will look at the document and they will have their respective suggestions and amends. How does an institution collate the feedback, manage it, and then disperse it again? To cut down on data redundancy, an institution should invest in a GRC technology that comes with a collaboration component. VComply’s GRC platform makes the process easier to manage rather than taking a manual approach and drives efficiency, cuts time, boosts collaboration, and provides a central repository to archive policy versions.

Properly map risk to control

The best defense against breaches in your governance, risk, and compliance program is to properly map each risk to control. Risk is easy to recognize, but associating the right controls with it is another ball game altogether. Here is an example of how to map risk with controls: Risk: People (like tellers, loan officers, and underwriters) have access to sensitive information like account details and social security numbers. Checks:

• Identify people handling sensitive data and ensure there are no reputational risks.
• Lead background checks of all new hires.
• Ensure employees are not exposed to over-information by security protocols or facilities.
• Establish dual control policies and procedures.
• Establish separate control procedures.
• Ensure email and other technologies are not vulnerable to data theft.
• Ban smartphones/camera technology on the floor.

Ideally, financial and banking institutions would conduct this exercise for every risk they identify in their business.

Integrate technology to facilitate innovation

Technology is the best way to implement and simplify the best practices outlined above. In addition to facilitating day-to-day GRC management, technology can drive innovation in two other areas of institutional compliance: third-party risk management and process automation. Regarding third-party risk management, banking institutions must gather evidence to demonstrate the proper management of the partner or provider. Technology systems can be automatically configured to request specific documents that require yearly maintenance, such as SOC1 (Service Organization Controls Report), contract review, on-site verification of the supplier, complaint management, and supplier risk assessment. Learn more about  SOC2 assessment. Once an issue has been appropriately mapped and assigned to a control that is successively tested, then check for residual risks.

Leverage AI / ML for streamlining compliance management

Artificial Intelligence (AI) is becoming increasingly important for regulatory compliance as it addresses common operational challenges and systematic problems that regulators face every day. There are myriad potential benefits from technological advances in AI for bank compliance management:

• Effective regulatory change management To successfully deal with regulatory change management, financial services have to combine and compare content from thousands of regulatory documents. Financial services reporting also involves countless documents and repetitive tasks. This is where Natural Language Processing (NLP), OCR (Optical Character Recognition), and Intelligent Process Automation (IPA) are valuable to meet compliance requirements. In addition, NLP can analyze and classify documents and extract useful information such as customer information, products, and potential processes affected by regulatory changes which keep the financial institution and the customer informed of regulatory changes. AI’s ability to recognize patterns in large amounts of text allows it to proactively understand the ever-changing regulatory environment and steer clear of fines and associated costs.
• Reduction of false positive alerts Financial institutions experience large amounts of false positives generated by their traditional rules-based compliance alert systems. Forbes reported that with false positive rates sometimes exceeding 90%, there is something wrong with legacy compliance processes. Large banks are experiencing alarmingly high rates of false positives in their compliance systems. Using AI and machine learning to collect, extract, and analyze various key data elements can help streamline compliance alert systems almost seamlessly, addressing the problem of false positives.
• Faster, safer transactions AI-powered banking solutions use advanced ML techniques to extract and standardize data, including payment amounts, accounts, history, and other transaction details, to enable automated bank transfers without inconvenience. For example, AI ​​can suggest specific amounts in ATM transactions for quick withdrawals or suggest a credit card to use for a specific transaction. With AI, banks can optimize various calculations and reduce network latency for faster transactions.
• Enhanced fraud prevention The adoption of AI for fraud prevention is now widespread and will only increase over time. AI can monitor transaction history in combination with other structured and unstructured information to identify anomalies that could indicate fraud, such as money laundering, credit fraud, cyber-attacks, and terrorist financing. Identifying anomalies in data is an important task in understanding data. By exposing large datasets to ML tools and statistical methods, normal patterns in the data can be learned. When inconsistent events occur, anomaly detection algorithms can isolate abnormal behavior and flag any events that don’t match learned patterns.
• Human error mitigation Human errors cost banking and financial institutions billions of dollars each year. For example, in 2020, Citigroup’s credit department employees made a misspelling that sent nearly $1 billion to Revlon Inc. There are multiple sources of human error in asset management: ineffective processes, outdated technology, and sheer neglect, to name a few. As regulatory compliance becomes increasingly technology-driven, AI and ML applications can be invaluable in mitigating the impact of human error. AI and ML technologies can shed light on blind spots, finding out mistakes, and other insights that humans may not necessarily spot. In addition, good AI and ML programs can recognize trends and patterns which aren’t visible to the naked eye.

What should you know while implementing a GRC platform for banks?

Naturally, implementing new technology is challenging and highly dependent on the nature of the business. But with the right steps, you can get the best possible outcome from the implemented technology. Here are some recommendations that will help you get the most out of your GRC platform, improve risk management and maximize the return on your investment.

• A thorough analysis of the organization’s situation From mapping its processes and the degree of maturity of the company; you should think about what the first steps might be and what processes you should use to start the implementation. Conduct an internal assessment to determine the true value to the organization of centralizing the GRC programs. A review of all existing GRC-related functions and processes should be conducted to determine which processes will continue to add value to your organization when a centralized program is implemented. This analysis will help you identify areas where duplicate data can be managed, redundant technologies can be eliminated, and main inventories of critical data storage can be saved.
• Specify the scope of the project and the objectives Once the pre-analysis is completed, the goals, the implementation time, and the growth forecast must also be defined. The scope and the objective needs to be properly mentioned and documented before proceeding to the next steps.
• Identify operational gaps to prioritize areas for improvement Once you have gathered relevant information and data on existing GRC processes, you can assess the maturity of each process, and data quality and pinpoint operational gaps. When completing this assessment, be aware of the following:
  • Missing data,
  • Duplicated processes,
  • Redundant data, and
  • Manual steps that can be eliminated or upgraded.
• Acquisition of software adapted to the needs Having set goals and defined processes, you need to implement a GRC platform to automate and centralize the information. It is important that purchasing decisions are taken according to the real needs of the company at that time; not to spend on an oversized tool for business operations, nor one that does not provide a solution for all the intrinsic needs. Due diligence of product-need fit must be done before the purchasing decision.
• Monitoring Monitoring is the key to implementing new improvements and perfecting existing systems. By monitoring all compliance processes and devices, you create better communication channels, improve your response time, and generate business-relevant data.

The role of a GRC platform like VComply in the bank’s compliance and governance strategy

A GRC platform can help you streamline compliance processes and establish strong governance, security, risk, and compliance management framework across the banking enterprise. VComply is a no-code cloud-based GRC platform that allows banks and financial institutions to create, manage, track, and monitor GRC programs. It allows you to streamline GRC processes with a focus on collaboration and smooth user experience. With VComply, you can automate alerting, monitoring and reporting, and analyze compliance gaps to create corrective action plans across devices. VComply for banking compliance management The VComply suite is primed to meet the needs of next-generation financial and banking institutions with the following regulatory compliance management features. VComply’s compliance solution for banks helps them stay current and compliant by implementing measures, processes and policies. It helps banking specific business areas to assess their risks, implement internal controls and eliminate inefficiencies.

• Centrally track and manage regulations and compliance standards
• Collaborate on compliance reviews from compliance officers and other stakeholders with the all-in-one compliance management tool
• Assign internal controls and compliance tasks to owners guided by workflows
• Perform risk assessments to assess the likelihood of compliance violations
• Map risks, controls and policies in an integrated manner
• Track and monitor compliance Tasks effectively

Also, VComply features have been designed for smooth and streamlined banking operations. Navigation It is crucial to give potential customers access to the desired information in the simplest possible way. VComply keeps the navigation and user experience simple, reducing friction and making the experience enjoyable. For example, it’s quite easy to create or monitor a control that links to a SOC2 or GDPR framework. Security GRC platforms store critical information and any data breach can threaten the organization. VComply comes with a strong security system, role-based access rights, and data encryption to safeguard your confidential and sensitive information. Scalability Legacy GRC tools and spreadsheet-based compliance management are not equipped or efficient enough to keep up with the pace of user requirements or the rising complexity of modern banking and financial institutions. This is where VComply helps simplify compliance and governance for banking and financial service organizations.

Conclusion

Banks are constantly under pressure with regulatory bodies and huge fines and penalties often levied on them. A systematic and methodical approach backed by technology can be the savior here for banks and can save the banking institutions from hefty fines and lawsuits for non-compliance with regulations and compliance policies. Organizations need to develop and implement the right approach to keep the risk and compliance factors under control. A GRC-focused approach would be the best weapon in the arsenal of banks for effective and integrated risk and compliance management as it allows for compliance, risk management, and assessment activities to be systematically coordinated across multiple departments and stakeholders of the organization, assisting in breaking silos and bottlenecks, and making more informed business decisions.