4 Steps to Succeed in Your Next Regulatory Exam With the Help of Technology
The last few years in the banking and financial services industry have been marked by numerous incidents of corporate fraud, market downturns, and disastrous operational risk failures with implications rippling across the globe. In the wake of these incidents, regulatory scrutiny has steadily increased. According to the PwC Global Economic Crime Survey 2016, 1 in 5 financial services respondents have experienced enforcement actions by a regulator. In fact, the rise in compliance violations and the emergence of regulations and rules such as the Dodd-Frank Act, Consumer Protection Act (CPA), and Anti-Money Laundering (AML) have prompted regulators to reshape their examinations. Many of them are imposing increasingly demanding requirements on financial services firms - especially those firms that are classified as “too big to fail” or Systemically Important Financial Institutions (SIFIs).
As the complexity of regulatory exams grows, it isn’t surprising that compliance teams often panic when they receive an exam letter from their regulatory supervisors announcing their next visit. After all, unsatisfactory reviews from the investigations could have far-reaching consequences. An organization’s credibility with the sentinels of the financial system could be jeopardized. What’s more, the organization could be slapped with heavy penalties or fines, lose face with investors and clients, or even worse, be barred or suspended from the industry. This makes it imperative for financial firms to up their game, and do their homework before facing an examination review.
Investigations should be given due importance with sufficient resources and time dedicated to preparing for an exam in a structured manner, detecting issues in compliance and risk management processes, and designing a robust action plan. However, this can often be easier said than done. Financial services firms are engulfed by myriad challenges when preparing for regulatory exams, especially in the context of the regulatory complexity that marks the industry today.
The purpose of each regulatory exam - be it a “Routine,” “Cause,” “Sweep,” or “Desk” exam - varies for each firm. Usually, the objectives are to ensure the safety and soundness of business operations, analyze the firm’s regulatory risks, scrutinize issues arising from investor complaints, focus on a particular area of interest or concern, or study the firm’s compliance with applicable laws and regulations.
The frequency, scope, type, and timeline of the exams will differ for each firm. Regulators have shifted from a general purpose examination approach to a more tailored approach based on a firm’s size, risk profile, complexity of operations, and responsiveness to regulators. This can often make it challenging to prepare for an exam. The complexity is compounded when firms have multiple regulators - for example, two different federal regulators governing the parent company, and other international regulatory bodies governing its subsidiaries. Another key challenge in preparing for regulatory exams lies in managing and retaining the extensive documentation created throughout various stages of the exam such as exam scoping and planning, exam management, exam closure, and regulatory reporting. Most organizations resort to manually capturing data on spreadsheets or paper-based systems – an approach that is not only cumbersome, but also prone to errors and incomplete data that could be questioned by examiners.
The other drawback of a manual data management approach is that crucial exam materials often end up scattered across multiple spreadsheets or systems. Without a centralized database, organizations find it difficult to track, retrieve, and deliver information to regulators as and when needed during the review. This only prolongs the exam process. It also poses critical data security risks if sensitive corporate information is distributed in and around the organization without secure access.
In some cases, firms are subject to multiple complex exams simultaneously. As a result, compliance managers may not be able to devote ample attention to each exam, or have productive interactions with examiners. Senior teams are often so occupied with the nitty-gritties of the exam process that they are unable to spend the required time and effort in tracking and resolving the compliance gaps identified in the exam. The completion of the exam also comes with its own challenges - firms have to provide written responses to deficiency letters and, more importantly, take corrective measures to address the identified issues.
Getting a clean bill of health from regulators may be taxing, but is not impossible to achieve in today’s digital world. Banking and financial services companies have transformed the way they deliver services to customers by embracing technology. Similarly, designing a structured and streamlined approach to regulatory exam management with the help of robust technology can yield significant benefits. Technology improves regulatory exam process flexibility. It also enhances data quality by minimizing human errors in reporting, and decreasing the risk of non-compliance.
The outcome of a regulatory review is largely dependent on the level of uninterrupted and collaborative communication that examiners have with the firm’s senior management, as well as legal and compliance personnel. Hence, it is essential to have a robust technology-backed process that aids in the smooth, secure, and well-tracked exchange of information at every stage of the exam. Technology also helps firms respond promptly and accurately to examiner requests, providing appropriate resolution plans in the right format, driving down the internal costs and time involved in the exam process, and freeing up resources to focus on their core business activities.
An integrated regulatory exam management platform can provide the ability to unify exam work-papers, interim status reports, exception sheets, and other key findings, thereby enabling stakeholders to flag any issues before the inspection is completed. This way, firms will be in a better position to clarify crucial information before it becomes part of the exit interview. Firms need a comprehensive system that can streamline and automate their regulatory exam management processes, enable policies to be managed in a centralized manner, and enhance accountability through clearly defined roles and responsibilities. The system should also be able to help firms manage all issues that arise, track them to closure in real time, and implement corrective action.
Based on the strategies adopted by leading financial services firms, here are four best practices to strengthen regulatory exam management:
Here’s the good news. A firm can control the outcome of an exam, to a large extent, through diligent planning, constant vigilance, and focused efforts. While achieving a passing grade in the exam is a pre-requisite, a firm can do better by building relationships with regulators based on trust. In fact, by combining proactive preparation with committed resources and innovative next-level technology, firms gain the edge they need to go the extra mile in boosting their credibility with regulators.
Given that the root problem of various financial failures often arises from a poor organizational culture, many regulatory supervisors begin their regulatory exam by scrutinizing the “tone at the top” and culture of compliance. FINRA’s recent Annual Examination Priorities Letter emphasizes this view by highlighting “firm culture” and its impact on risk and compliance management. A firm can’t be compliant if it doesn’t fully comprehend these regulatory expectations.
As part of the pre-examination process, it is imperative to thoroughly analyze and understand the “regulatory ask” in detail, depending on the type of exam the firm is subject to (the scope and documents differ for each exam type). Firms need to be prepared with their written supervisory procedures, proof of supervision, and company code of ethics. They also need to familiarize themselves with the annual examination priorities letters issued by various regulators, as well as risk alerts and topics or issues of focus. Since these documents come from a multitude of sources, it is useful for organizations to consolidate and archive them in a central location where they can be accessed quickly and easily.
A cyclical review should be conducted on all earlier exam records, including exam memos, historic email records, internal audit trails, and records of internal disciplinary actions. A customizable technology system can help by curating and centrally storing all these documents, as well as laws, procedures, and existing compliance policies and procedures that demonstrate that previously highlighted areas of weakness, customer complaints, and deficiencies have been addressed. This centralized approach to document management makes it easy for exam managers to coordinate activities with examiners and other stakeholders involved across the organization, irrespective of where they are situated.
Automated alerts provide further assistance by informing senior management, as well as legal and compliance departments about an upcoming examination. Another benefit of technology is its ability to help in scheduling interviews with management and compliance teams, and arranging onsite exams for the specified business units.
Unannounced calls from regulatory authorities are unlikely, but they can arise based on warnings, complaints of offenses, or information received from other sources. Therefore, it is important to have an exam handling team - comprising competent individuals from the risk, compliance, and audit departments - who are well versed with the firm’s organizational structure, business model, and compliance program, and who are ready at all times to handle surprise regulatory visits and investigations.
A large part of the compliance conundrum can be solved by educating employees on the company’s code of ethics and compliance, and inculcating these values consistently among employees. In the event of an exam, a wave of regulatory readiness must permeate throughout the organization. It is advisable to involve senior compliance executives in various levels of discussions with examiners to showcase a culture of compliance. All employees, especially those who may engage with the regulatory exam team, should undergo rigorous training on the laws, regulations (existing and changing), and company policies that apply to their daily responsibilities. Compliance training can no longer be approached as a once-a-year exercise.
A robust technology solution with user-friendly training functionalities can make it easier to set up and manage meticulous compliance training programs with targeted curricula across different business teams in multiple countries. Through such a system, employees can be assessed and reported by their respective managers on course completions. They can also stay abreast of new regulatory developments and relevant policy implementations through trigger-based notifications.
If a firm wants to present itself to regulators in a good light, it is recommended that it carry out regular self-examinations or mock self-assessments to identify potential internal and external threats and vulnerabilities. As part of these self-assessments, the audit committee should conduct reviews of the compliance and risk management program on a recurring basis to demonstrate ongoing compliance. The challenge lies in collating recorded findings of risk assessments, compliance audits (both internal and external), issues identified, and control testing results that are usually spread across business units in multiple geographies. For this reason, adopting a technology system can be beneficial, especially if it simplifies the storage and retrieval of self-assessment findings and other data needed by examiners to evaluate the firm’s business and methods of operation.
Reporting is a particularly important aspect of regulatory exam preparation. Comprehensive reports showcase to the executive board, senior management, and regulators how well policies and procedures are being implemented for new or existing regulations. Reports also serve the purpose of providing documented evidence of the firm’s focus on governance and internal controls. A technology solution with powerful reporting engines and analytics can simplify and expedite reporting. In addition, graphical and custom built dashboards can help compliance officers, senior management, and board directors keep track of the status of compliance in real time across different areas.
The manner in which each regulatory exam is closed will vary for each firm. If an exam is concluded without any findings, the firm will not have to take any further action. This is the best-anticipated outcome, but is rare in most cases. Often, firms have a few but decisive hurdles to overcome before “All’s Well that Ends Well.”
In most instances, once the exam comes to a close, the regulatory staff communicates the findings through a “deficiency letter” that highlights the deficiencies or flaws in the firm’s compliance and supervisory procedures and controls. Firms would do well to proactively respond to the letter, typically in 30 days, by outlining steps on how the issues will be addressed. Managing and responding to regulatory findings can be resource-intensive and onerous if carried out using traditional, paper-based systems or spreadsheets. A technology-enabled approach can help by allowing firms to track, analyze, and manage the key examination findings or results in a consistent and systematic manner. An effective regulatory exam management solution can facilitate a prompt review of the preliminary regulatory report among senior management, enabling them to determine the appropriate remedial actions for the issues identified. The system can also make it easy to draft a response letter that lists out, in a sequential order, issues raised in the deficiency letter followed by a thorough description of the resolution of each issue. Additional supporting documentation such as new or revised procedures can be attached to the response letter, circulated to management for review, and shared with the regulatory staff.
The other advantage of technology is that it enables descriptive corrective action plans to be created rapidly, assigned with specific timelines, escalated to senior stakeholders for faster responses, and tracked to closure through intuitive reports and dashboards. It can also simplify assessments of recently implemented policies and procedures, while supporting internal control testing prior to the next examination, to confirm that deficiencies are not being repeated.
Rather than viewing regulatory exams as a perfunctory drill, firms would do well to approach them as a window of opportunity that can help them operate their business better, and build a stronger competitive advantage. Technology plays an important role in this regard. In fact, with enterprises going digital, many firms require data to be centralized, as a result of which federated technology systems have gained significant momentum. These systems have become invaluable in organizational endeavors to meet regulatory commitments, and maintain trustworthy relationships with examiners.
At the end of the day, financial institutions that have a sustainable and efficient regulatory compliance and exam management process will be more likely than others to build credibility and goodwill with regulators. Make no mistake - regulatory demands are only going to increase. Therefore, investing in the right technology is critical, as it will empower organizations to demonstrate consistent compliance, and thereby preserve their integrity and brand value.