Over the past six months, banking and financial institutions have adjusted to the wide-ranging impacts of COVID-19 on business priorities and operations. There are likely to be changes to compliance requirements for a number of reasons: some businesses have had to pivot in how they offer products and services; others have banking compliance requirements that newly apply to them. Some impacts have accelerated changes that were already occurring: the automation of manual processes such as payments and invoices processing; enabling a 100% remote workforce; or accommodating the new requirements of external auditors including changes to how they will perform physical inventory counts. In addition to changes to previously existing processes, there is also the need to consider the impacts of new regulations such as 13 CFR Part 120 (Paycheck Protection Program loans).
As compliance teams at banking and financial institutions deal with rapid changes to the business, it’s important to consider the overall structure of your compliance program. Many organizations view compliance as a “checklist” exercise, a prevailing mindset that is all too common within small and large companies alike. However, compliance is not a check-the-box activity that is meant to be performed once per year: it requires continuous monitoring and review/revision of documentation, policies, and procedures throughout the year. When you consider that an update to a regulation can sometimes introduce scores of new requirements along with dozens of new controls, it is easy to see how the checklist approach can quickly become a bigger beast to manage than originally anticipated.
Additionally, maintaining separate checklists for common security and compliance frameworks — such as ISO 27001/27002, PCI/DSS, the NIST cybersecurity framework, NIST 800-53, and the Secure Controls Framework — can be highly inefficient, as many frameworks have overlapping control requirements and activities. Without a systemic approach for developing a common control set, this can quickly lead to large and inevitably redundant control environments. Centralizing all information in a purpose-built platform you can trust as a system of record will shorten the time required to document and maintain the processes, risks, and controls of existing and new regulations, and make it easier to adapt in the future and share any resulting changes across the organization.
Considerations for Approaching New Banking Compliance Regulations
Any lender will be familiar with how loans are usually treated, but Paycheck Protection Program loans differ from traditional loans in a number of ways: the risk profile of the loan applicants, the documentation that must be obtained from the intended borrowers, etc. Given how much the processing of PPP loan applications will vary from traditional loans, it stands to reason that this process might require unique controls to be newly implemented in your control environment so that all of the special conditions of this regulation (such as unique borrower qualifications and extra documentation to verify that those borrowers are affected by COVID-19) are accommodated.
But when any new regulation such as 13 CFR Part 120 is announced, there will likely be an overlap between some of the new processes and controls it requires and those from similar existing regulations. There are two ways to approach this overlap. One is to attach the new requirements and test them independently. The other is to determine what is net new in the requirement and create efficiencies where existing controls already cover it.
To use the same PPP loans as an example, there are certain new requirements for PPP loan applications to have extra COVID-related documentation be obtained and reviewed. However, the bank may already have an existing control that requires that each loan application’s documentation be retained for a certain minimal period of time. This same control may be applicable to all loan applications that the bank processes, not just PPP loans — and therefore, the bank may be able to gain efficiencies by testing the population of loan applications holistically across the bank, rather than testing the same control for each type of loan within the organization.
The above example highlights once again why having a purpose-built platform to centralize your processes, risks, and controls is key to taking advantage of any efficiencies that your organization might gain from this type of process/control “overlap.” Managing multiple frameworks by utilizing spreadsheets, email, and shared drives introduces a number of challenges and risks. These range from losing track of a piece of evidence needed for an audit, to an unremediated compliance gap.
Manually tracking compliance activities may also lead to inefficiencies, including:
- Audit burnout due to testing of the same controls or control evidence multiple times.
- Stakeholder burnout from repeat requests for the same documentation.
- Inefficient issue management, because time is spent on issue follow-up across duplicative management activities that address the same issues.
The Alternative to Checklists: Taking a Holistic Approach to Banking Compliance
Businesses that take a holistic approach to compliance become more efficient and effective in managing compliance. This is accomplished by centralizing your compliance controls data in a platform that allows you to see across all controls and which regulations they map to. While there are many products on the market, a purpose-built solution will:
- Serve as the single source of truth for all of your requirements, controls, and risk data. This is a core requirement. If you are not managing your requirements reliably in a single location, it becomes impossible to find real-time, accurate information from which you can analyze and make informed decisions. If your core data source lacks integrity (i.e., completeness, accuracy) or is too rigid to complete simple tasks such as data extraction, then you will not have a reliable foundation to perform real-time reporting or analytics.
- Allow you to view, manage, and update the relationships between risks, controls, and compliance framework requirements. This is crucial for understanding how related data fits together holistically, where you have overlapping strengths, and where you have true gaps or weaknesses that require specific actions from multiple stakeholders to remediate. This also helps you answer the question “So What?” when you are driving risk treatment and corrective action decisions with executive stakeholders.
- Enable seamless collaboration with stakeholders. A purpose-built GRC platform will centralize collaboration with compliance stakeholders in one place, eliminating version control issues and lengthy email chains. Evidence collection, surveys, control certifications, and email reminders can all be automated to save much of the time currently spent following up with stakeholders.
- Help you efficiently prepare for a formal audit. A purpose-built solution will empower your team to centralize and manage its policy management processes as you develop them and assess your audit readiness — as well as serve as an evidence repository and a history log of your compliance activities.
- Enable compliance to integrate its data with the internal audit and risk management functions if desired. Organizations at a higher level of compliance maturity demonstrate greater coordination among the three lines of defense. The more these business groups can leverage cross-functional data and share insights, the more they are empowered to deliver value to the business in their respective areas of expertise.
A solution with the above capabilities is critical for helping compliance teams simplify and manage their workloads by centralizing compliance activities across multiple frameworks and across the organization. Doing so saves time and improves collaboration between the compliance team and its stakeholders.
One key role audit departments can play in helping banks and financial institutions weather uncertain conditions and increase the bottom line is boosting efficiencies to save costs and reducing fines levied against the organization. When a new regulation comes out, a checklist approach makes it the organization's goal to become compliant with a daunting list of dozens to hundreds of new requirements. Leveraging a purpose-built solution to organize and centralize the information enables you to identify gaps, reveal overlaps where you can rely on existing controls, and arrive at a manageable number of new controls and control owners. By going beyond the checklist approach to help the business identify net new requirements and the tactical actions needed to respond to them, internal audit will create these efficiencies and demonstrate its value as a strategic partner of the business.