Since the financial meltdown of 2008-09, regulatory scrutiny across the banking and financial services industry has reached unprecedented heights. Regulators are taking no chances with the safety of the financial system, as they pull up an increasing number of banks for reckless risk-taking behaviors, control failures, fraud, and other improprieties. As a result, regulatory investigations and examinations, once limited in scope and number, have rapidly expanded.
Today, it is no longer a matter of if a regulator will come knocking at your door, but when. Be it the OCC in the U.S., the OSFI in Canada, the PRA in the U.K., or the HKMA in Hong Kong, a range of regulators are continuously issuing requests, meetings, and exams to evaluate a bank’s safety, soundness, and compliance with regulations. The larger the bank, the more complex and numerous the regulatory engagements are. Some can stretch up to a year with multiple offsite and onsite reviews, meetings, interactions, and requests for information.
Against this backdrop, regulatory engagement managers at financial services institutions have a challenging mandate: to manage and address regulatory requests in a timely manner, coordinate regulatory meetings and exams, and guide institutions on how to prepare and respond to their regulatory interactions. Engagement managers also need to support the management and board in proactively correcting risks or issues that may adversely affect the institution’s credibility with regulators.
Ultimately, the quality of an institution’s regulatory relationships - like the quality of their customer relationships - can make all the difference to their success or failure as an organization. If a regulator issues an unsatisfactory review of the institution, or if they find that a request for information has not been met on time, the repercussions can be unfavorable, to say the least. On the other hand, an institution that is committed to managing their regulatory engagements effectively, and maintaining a spirit of cooperation with examiners, is well positioned to earn the trust and confidence of their regulators which, in turn, translates into improved economic and brand value.
Typical Types of Regulatory Engagements
Regulators conduct a thorough examination of the bank’s current processes, policies, and procedures based on safety and soundness, capital adequacy, compliance, and other parameters
Regulators initiate a systematic inspection program that is either planned or in response to a particular incident or event
Regulators ask for specific information from the bank
Regulators meet with the bank to inform them about discrepancies in their current processes, or to remind them to make the appropriate corrections after a warning letter has been issued
“We need a regulatory engagement management system that is capable of being used by key people in compliance and quite widely in our counterpart functions like finance, risk, and legal, but also actually in the business - either as an information delivery tool, or as a way to share information back to compliance. We also need to create a central repository of what’s going on with regulators - which we can’t do with our current technology limitations. That really impairs the efficiency of what we do, as well as the organization’s ability to see what’s going on in the whole piece.”
- Global Regulatory Compliance Head at a Leading Bank
The following is an account of how a leading bank strengthened and simplified their approach to regulatory engagement management with the help of technology.
Being one of the world’s largest financial institutions, the bank has one of the most complex regulatory environments. Their vast global reach (they have operations in multiple geographies) requires that they deal with hundreds of different local regulators, ranging from the PRA and FCA in the U.K., to the OCC and FRB in the U.S.A., to the OSFI in Canada.
In a single year, the bank’s regulatory engagement managers in the U.S. alone could end up juggling more than 75 regulatory exams and 2,000+ regulatory meetings. Meanwhile, their colleagues in another global region might have up to 15 regulatory exams the same year with different requirements than those in the U.S.
The responsibility of coordinating and overseeing these various interactions can be a Herculean task. Not only do regulatory engagement managers have to keep track of numerous mails and requests from different regulators, but they also have to ensure that tasks are initiated, document submission deadlines are met, meetings and exams run as scheduled, and the right information reaches the right regulators at the right time. In addition, they have to keep executive management informed about the progress of each regulatory engagement, as well as areas of concern that arise.
2. Exam Fieldwork
3. Findings Management
With their traditional, manual approach to regulatory engagement management, Alan and his colleagues faced multiple challenges:
Juggling numerous exams, meetings, and other interactions with regulators was overwhelming, to say the least. When a single regulatory engagement could have thousands of tasks and sub-tasks, it was challenging to map all these activities, and effectively determine which document needed to be submitted, by when, and against which regulatory request. Typically, Alan and his team tracked all regulatory requests via email, logged the task details in another system, and then uploaded the documents separately in folders for the regulators to access. There was no integration between these systems, and shifting between them was neither efficient nor sustainable, especially as the scope and number of regulatory exams grew.
“We have massive variety in our user base ranging from the sophisticated end of the spectrum such as the U.S., to the other end where the teams might have just half the number of people, and where regulatory interactions are limited to, say, once a month. Our regulatory engagement system has to be able to support all these users. It has to have a light model at one end of the spectrum, all the way up to a heavy model at the other end.”
- Global Regulatory Compliance Head
Regulatory engagement managers at the bank needed to have comprehensive visibility into the progress and status of various regulatory exams and interactions not only at the local level, but also at the regional and broader global level. However, challenges arose because each region used their own processes, reports, and systems to manage their respective regulatory engagements. In the U.S., where regulatory exams are numerous and complex, Alan and his team needed far more sophisticated forms and workflows than his colleagues in other countries. Alan used an in-house developed application to track all engagements, along with a folder system to manage and submit exam materials. Meanwhile, his colleagues in other countries relied on simpler solutions to manage engagements, and used the in-house developed system mainly for reporting.
The bottom line is that there wasn’t a single, unified system in the bank to meet the requirements of users at both ends of the spectrum. This drawback made it difficult for the bank to unify and compare information from multiple regions, or slice and dice data to understand where the real risks lay.
The bank’s in-house developed system for tracking regulatory engagements had multiple drawbacks. For one, user access was limited to the regulatory engagement and compliance groups due to the system’s lack of provisional access controls. Therefore, other business functions such as Finance or Legal could not use the system to independently manage their tasks, or upload their files, or track the status of a regulatory engagement.
Moreover, while the system was useful for gathering and reporting information, it did not have the ability to manage or track workflows. Neither was it scalable - documents of more than 10MB in size could not be attached. For regulatory engagement managers, who often had to send regulators massive amounts of information, these limitations were a significant challenge.
“What we want is a tool that people will use - something that isn’t overly complex and bureaucratic. Bear in mind that the CRO, CFO, and other top people all need to find this a useful tool… Apart from ease of use and utility, we have to remember that this system is where we keep some of our most sensitive information. So we have to factor security in. It is critical.”
- Global Regulatory Compliance Head
Every month, Alan and other regulatory engagement managers at the bank put together a series of management reports which summarized and tracked various regulatory engagements. The quicker these reports were created, the faster management could respond to issues, gaps, or trends. However, since most reporting was done manually, it took time to communicate the required insights to stakeholders. Alan had to first enter all the required data into a spreadsheet, format it appropriately, convert it into a PowerPoint presentation, and thereafter mail it to the required stakeholders. This process was not only time-consuming but also complex, especially when there were so many regions from which the reporting data had to be pulled.
When Brexit happened, a number of regulators raised specific requests, wanting to know how the event would impact the bank’s operations. Ideally, the global regulatory exam management team should have been able to go into one system, and filter for a report on the number of Brexit-related requests that had come in from across the globe. However, with each region using different systems, spreadsheets, and document folders to track their regulatory interactions, it took considerable time to piece the required information together.
Security: Regulatory engagements often involve highly sensitive information. Therefore, state-of-the-art security and access controls were needed to ensure that this information didn’t fall into the wrong hands.
Lack of Integration with Microsoft Outlook: Alan and his team needed a way to manage meetings, initiate tasks, and track deadlines in Outlook from within the regulatory engagement management system.
SOX Obligations: One of the bank’s SOX compliance controls is to demonstrate a sound relationship with regulators, and provide updated and accurate information when requested. This requirement made it all the more important to have an effective regulatory engagement management system in place.
The bank wanted a system that would simplify, automate, and integrate regulatory engagement management activities across their global operations. MetricStream already had a successful track record at the bank, having implemented its internal audit management and regulatory change management solutions, both of which were benefiting the bank in multiple ways.
Based on the success of these implementations, the bank selected the MetricStream Regulatory Engagement Management App. Today, the app enables the bank to successfully manage and coordinate multiple types of regulatory engagements, including exams, meetings, and information requests. The app is built on a unified and scalable platform, providing a “single source of truth” for regulatory engagements across the bank’s global operations.
The app streamlines and automates multiple engagement management workflows – right from the time a regulatory notification is received by the bank, till the response is submitted to the regulator, and the findings are addressed. A range of interactive dashboards and reports provide comprehensive visibility into all regulatory engagements, enabling the bank to proactively identify trends, areas of concern, and opportunities.
Here is a look at the benefits of the MetricStream app:
Instead of shifting between multiple different systems to manage regulatory engagements, the bank now has a unified app to coordinate and track engagements across the globe. The app helps document various regulatory exams and meetings, manage tasks and sub-tasks, assign roles and responsibilities, track findings and action plans, report engagement data, and more, all from one system.
Regulatory engagement management workflows are clearly defined and systematic, thus minimizing inconsistencies or redundancies. Moreover, each engagement is mapped to the associated tasks, sub-tasks, dates, owners, and other key details in an integrated data model, thereby enhancing transparency and accountability.
The MetricStream app provides the flexibility to support the needs of various regulatory engagement managers at the bank, ranging from one end of the spectrum where numerous and sophisticated forms and fields are required to enter data, to the other end where the data requirements are much simpler.
The app also facilitates consistency in the way regulatory engagements are captured, managed, and reported. Therefore, it becomes easy to consolidate and track data at the local, regional, and global levels. A central repository helps organize and store all data effectively, while robust, multi-level authorization and access controls keep the data secure.
The MetricStream app’s centralized database makes it simple for regulatory engagement managers at the bank to share information, and coordinate tasks and assignments. Authorized users from other business functions such as Finance and Legal can also use the system to track delays in a particular exam, as well as other key information such as the task owner accountable for delivering certain data.
The app integrates with Microsoft Outlook, enabling regulatory engagement managers to create tasks and meetings in the app, and view the same in their Outlook calendars as appointments. Managers can also use the Outlook integration capability to send notifications to stakeholders, schedule pre-exam meetings, and trigger calendar invites from within the app.
The MetricStream app has given the bank a range of intuitive and interactive dashboards and reports that deliver in-depth and real-time visibility into the progress of regulatory engagement management processes. Users can view the status of various engagements, tasks, findings, and action plans. They can also slice and dice the data from various perspectives to derive critical trends and patterns. Apart from these capabilities, the app provides built-in business intelligence analytics with the ability to create various types of reports, and export them into formats such as Microsoft Excel and Adobe PDF.
With MetricStream’s help, the bank is well on its way towards transforming the complex and often difficult process of regulatory engagement management into a simpler, stronger, and smoother practice. The institution is now well positioned to respond to regulatory requests and notifications in an effective and timely manner. Tasks and meetings can be scheduled efficiently. Regulatory findings can be addressed swiftly. And each regulatory engagement, as well as the associated issues or concerns, can be tracked and dealt with better from a single platform. All these benefits roll up to help the bank build stronger and more sustainable relationships with regulators based on trust and credibility.