Cybersecurity, CECL, BSA and Change Management Top the List
As we start the final year of a decade defined by extreme regulatory mood swings, financial institutions still suffer compliance fatigue, despite the most recent shift toward regulatory reform. Although a welcome psychological relief after the Dodd-Frank Act, the reality of deregulation does not come without financial burdens and logistical challenges. The 2018 mid-term elections further complicate matters with Democrats taking control of the U.S. House of Representatives, thus portending a partial shift back toward more regulatory oversight.
No matter the direction of the political wind in 2019, regulators are sure to focus on the most risk-consequent regulatory compliance issues, notably these four.
Another year, another massive data breach! And they keep getting bigger and more consequential for infiltrated organizations and compromised consumers. According to the IBM Ponemon Institute 2018 Cost of Data Breach Study, the number of mega breaches (more than 1 million records) “has nearly doubled—from just nine mega breaches in 2013, to 16 mega breaches in 2017.”
Just look at the recent Marriott breach, which to date is estimated to have exposed up to 500 million people. It dwarfs the 2017 Equifax breach, considered massive just one year ago. Though the numbers differ, the commonality between the two is a lackluster corporate response.
This latest case began with an intrusion in 2014, prior to Marriott’s 2016 purchase of the Starwood brand. However, the hotel chain failed to identify and contain the unauthorized access into the acquired brand’s reservation database until this past September. The International Association of Privacy Professionals says public reaction to the belated discovery has been “strong and swift,” with lawmakers citing it as further proof of the need for stronger privacy laws and consumers filing class-action lawsuits.
Banking regulators are eyeing this trend as well. Direct consequences of a system breach are troubling, but an inadequate response exponentially magnifies a breach’s initial damage. The Ponemon study estimates that a mega breach costs between $40 million and $350 million, and it cites the hidden costs (lost business, reputational impact and recovery expenses) as particularly “difficult and expensive to manage.”
As a result, expect continued intense regulatory scrutiny of cybersecurity. Examiners will likely zero in on these aspects of cybersecurity in 2019:
- Incident Response Plan (IRP): Make sure a written IRP is on file and that it is routinely tested and updated based on changing conditions.
- Vendor management: Conduct appropriate due diligence and routine monitoring of all third-party vendors and their cybersecurity measures. In addition, if such vendors are used to perform cybersecurity tasks, such as vulnerability patching, monitor and assess their timeliness and effectiveness at fulfilling these responsibilities.
- Cybersecurity training for board of directors: Boardroom technology provider Diligent says that, “the complexity and interconnectedness of cyber risk will soon require discussion about cybersecurity to become a standard item on board agendas.” Boards should understand that cybersecurity is an enterprise-level risk for which they are ultimately responsible.
Current Expected Credit Loss
In 2018, angst grew over the coming Current Expected Credit Loss (CECL) standard, and it will only increase in 2019.
CECL was issued in 2016 by the Financial Accounting Standards Board (FASB) with an effective date of January 1, 2020, for SEC registrants and January 1, 2021, for all other banks. As the ABA Banking Journal explains, once CECL goes into effect, banks will have to “calculate future losses using an ‘expected loss model’ that considers forward-looking information such as current economic conditions and reasonable and supportable forecasts.” This is very different than the current Allowance for Loan and Lease Losses (ALLL) standard, which books losses only after they are incurred.
Throughout 2018, advocacy groups argued for a delay in the effective dates, as well as for an exemption for smaller institutions. A group of 50 of the largest U.S. institutions went so far as to form the Banking Policy Institute (BPI), which Compliance Week says made an appeal this fall to the U.S. Department of the Treasury to study the potential negative economic impacts of CECL.
BPI argues that, “CECL will undermine financial stability in a future recession because the requirement to book losses even on fully performing loans will act as a disincentive to banks to lend to any but the most qualified borrowers.”
Regardless of this debate, financial institutions still need to prepare for CECL. Even if delayed, it will impact capital and investment strategies. Institutions should plan to dedicate time and resources now to ensure a smooth CECL implementation.
In fact, prudential regulators will expect to see CECL preparation in action during 2019 examinations. According to Accounting Today, John Reiger, the Federal Deposit Insurance Corporation’s (FDIC) chief accountant, has indicated that, “community banks can expect that examiners will be interested in and asking about how institutions are progressing in their preparation for CECL.” At this point, ABA Banking Journal suggests that institutions should be somewhere on the following implementation continuum:
- Data gathering phase: Pull all loan and lease data together into one repository.
- Loan categorization phase: Group and categorize loans and leases based on risk level.
- Parallel modeling and methodology selection phase: Run parallel models of categorized loans against the current ALLL model to determine the best expected loss methodology to use.
If they have not already done so, banks should also weigh the costs and benefits of using a third-party service provider to implement CECL. “Many banks still use spreadsheets for their ALLL calculations, and while this may continue for smaller institutions, for those that require more flexibility, third-party vendors may provide an efficient method to analyze methodology options.”
Bank Secrecy Act
In addition to the preceding two regulatory priorities, the Office of the Comptroller of the Currency (OCC) calls Bank Secrecy Act compliance another key risk area for 2019. Specifically, the OCC said it will focus on “determining whether AML compliance programs keep pace with changing risk environments and regulatory developments.”
After the 2018 implementation of FinCEN’s Customer Due Diligence Rule—which added beneficial ownership and a fifth pillar to BSA compliance programs—it follows that in 2019 regulatory examiners will test how well institutional policies, procedures and actual practices are meeting the new regulatory requirements. Expect that focus to follow two tracks:
- Staff adherence to policy: The burden of completing many initial BSA compliance tasks—i.e., completing Currency Transaction Reports and noticing suspicious activity—falls on branch staff because they handle daily transactions and open new accounts for customers. The high turnover rate within this employee segment requires management to continually train staff on BSA policies and procedures, and monitor their adherence to them.
- Tech tools: Although prudential regulators recognize and even encourage the use of technological innovation to combat financial crime, they expect institutions to test and validate the assumptions of such BSA tools and models.
The fourth significant regulatory priority in 2019 is change management. Federal banking agencies are putting greater emphasis on this issue because it impacts the effectiveness of all other compliance areas. Indeed, an institution’s ability to meet its cybersecurity, CECL and BSA regulatory requirements—all of which come with ever-changing directives and environments—directly correlates to how it implements effective change management.
Other regulatory changes on the horizon will also require a dedicated focus to ensure that systems, policies and procedures are updated on a timely basis to reflect new regulatory rules. This includes the Economic Growth, Regulatory Relief, and Consumer Protection Act, which has numerous sections going into effect at various times, some of which are still undetermined. Proposed changes to Regulation CC, an offshoot of that law, will also need to be closely monitored, as will developments in privacy protection laws at the state and federal level.
No matter the size of your institution, your prudential regulator will expect to see some type of change management apparatus in place, be it a dedicated role or as part of the compliance or risk management function.
Recipe for Success in 2019
Now that deregulation is replacing years of increasing regulations, it can be tempting to devote less time and effort to regulatory compliance. But in reality, the regulatory landscape is changing, not necessarily lessening. The Deloitte Financial Services Regulatory Outlooks 2019 describes an atmosphere where “attention is now more acutely focused on culture and governance, the challenges of new technology, and emerging economic, market and operational risks.”
To help financial institutions navigate the new year, Deloitte suggests that, “Firms need to be prepared to respond to this shifting focus and the new demands that it will place on them.” In short, to be successful in 2019, institutions need to be flexible enough to handle ongoing change and disciplined enough to meet their regulatory obligations.
Keith Monson serves as CSI’s chief risk officer. In this role, Monson maintains an enterprisewide compliance framework for risk assessment and reporting, as well as other key components of CSI’s corporate compliance program. With nearly 25 years of banking experience, he has a wide range of expertise in the compliance arena, having served as chief compliance officer for both large and small financial institutions.