While wrapping up one of the most unusual years in recent history, a large group of bankers shared their thoughts on a range of industry topics in our annual Banking Priorities Survey.
The responses from bankers, plus our analysis, provide important clues to help your financial institution strengthen its compliance programs and improve its overall regulatory posture for the year ahead.
The Effect of Regulatory Change
According to the 2021 survey data, 17% of bankers ranked regulatory change as the top issue that will most affect our industry this year. Only cybersecurity threats (34%) and meeting customer expectations (20%) earned more votes.
As for the other response options, the anticipated effect of regulatory change far outranked them. These included the perennial issues of recruiting/retaining employees (10%) and mergers and acquisitions (5%), along with the emerging areas of APIs/open banking (9%) and artificial intelligence/machine learning (6%).
The Relative Importance of Specific Regulatory Issues
Given the broad range of financial laws, regulations and guidance that institutions must comply with, we also wanted to get bankers’ specific take on some key regulatory areas. Therefore, the survey presented six regulatory issues for 2021 and asked bankers to rank their relative importance on a scale of 1 to 5, with 5 being the highest.
Based on the following responses, bankers’ priorities appear appropriately aligned with current regulatory hot button issues and account for existing environmental factors, such as the lingering pandemic and a new administration.
1. Data Privacy (4.6 out of 5): The amount of consumer data under financial institution control continues to grow with every step toward full digital transformation. Given their responsibility for protecting and securing that data’s storage, access and use, it was not surprising that data privacy led the list. Almost 41% of bankers identified it as the most important regulatory issue and 22% said it was the second most important. Just over three-fourths ranked it in the top three.
2. BSA/AML Modernization (4.1 out of 5): According to a recent report from the Government Accountability Office (GAO), financial institutions spend as much as 2% of their operating expenses on Bank Secrecy Act and anti-money laundering (BSA/AML) compliance. Therefore, it makes sense that modernizing the BSA is important to bankers. Although fewer (19%) identified it as the most important, over two-thirds listed it in the top three with 23% ranking it second and 25%, third.
3. Vendor Management (3.8 out of 5): As institutions grow reliant on third-party vendors to handle key bank functions, process customer transactions and store consumer data, prudential regulators are scrutinizing vendor management programs. That reality likely influenced the 11% of bankers who thought this regulatory issue was the most important, along with the 26% and 23% who, respectively, ranked it second and third most important.
4. CECL (3.4 out of 5): Non-SEC public companies and private firms have until January 2023 to fully implement the Current Expected Credit Loss (CECL) standard. They will need that extended timeline to convert to this new way of accounting for loan loss reserves, which explains why 13% of bankers indicated that CECL was the most important regulatory issue and 14% said it was second.
5. Sanctions Compliance (2.6 out of 5): Between 2016 and 2020, OFAC enforcement actions totaled over $1.5 billion in penalties for compliance violations. So far in 2021, a financial institution has already been fined $8.6 million. These figures are reason enough for more than 25% of bankers to view sanctions compliance as either first (2.2%), second (11%) or third (16%) in importance.
6. Marijuana Banking (2.5 out of 5): With more states legalizing marijuana every year, a little over 14% of bankers said this subset of BSA/AML compliance was most important, although only 5% and 7% ranked it second or third, respectively.
A Stronger Regulatory Compliance Posture
The banker responses to this year’s survey make it clear that regulatory compliance is a constant priority, even if the particular variables change based on prevailing circumstances. Here are five critical things to keep in mind this year in order to maintain compliance programs at the level expected by your prudential regulator and other agencies.
Paper and Digital Share the Same Rules
The coronavirus pandemic accelerated the push for digital banking. As a result, financial institutions now face a serious risk: The rush to meet the rising consumer demand and current environmental urgency for digital products, services and channels could lead to significant compliance failures.
Just because regulations haven’t fully caught up to the technology that makes digital banking possible doesn’t mean institutions have a free pass. On the contrary, regulations written for a paper-based financial world still apply and institutions must comply even as the transition to digital creates more exposure, especially in these areas:
- Know Your Customer (KYC)
- Customer Due Diligence (CDD)
- Advertising and marketing
- Bank fraud
- Money laundering
- Cross-border transactions
Data Is Everything
Utilizing customer data to its fullest extent is essential to digital transformation. Complying with data privacy regulations is the first part of that challenge, which is complicated by the fact that institutions must contend with various laws, such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), depending on where they do business.
The second part of the challenge is consumer concern about their data privacy, which can inhibit their willingness to share the very data that could improve their digital banking experience.
A recent Deloitte study suggests that this conundrum actually provides an opportunity to stand out from the competition. Although its survey showed that the pandemic has increased consumer concern about data privacy, it also “revealed that under the right conditions, some consumers would be willing to share data with their financial providers—if they receive some additional benefit in return.”
Therefore, institutions have a vested compliance and profitability interest in developing strong privacy programs that include the following:
- Privacy policies that consumers can easily understand
- Disclosures that consumers will actually read
- Motivation for consumers to allow their data to be strategically used and shared more often
BSA/AML Compliance Still Matters
There are growing reasons to hope that the BSA will undergo a much-needed overhaul. Among them is the recent passage of the National Defense Authorization Act, which calls for a number of updates to the 50-year-old law, including the creation of a national registry listing beneficial owners. However, there is no excuse to ease up on BSA/AML compliance. In fact, the opposite is true.
Just last month, the Financial Crimes Enforcement Network (FinCEN) issued a $390 million BSA enforcement action against a major U.S. financial institution for its failure to implement and maintain an effective anti-money laundering program. In particular, FinCEN found that the institution neglected to file thousands of suspicious activity reports (SARs) and currency transaction reports (CTRs). As a result, suspicious activity related to organized crime, tax evasion and fraud allegedly continued unabated.
As part of this enforcement action, FinCEN also issued a sharp warning to the entire financial industry about BSA/AML compliance: “These kinds of failures by financial institutions, regardless of their size and believed influence, will not be tolerated.”
Information Security and Information Technology Compliance Violations Are Costly
It is important for institutional boards and senior management to realize that financial regulators are more closely scrutinizing information security and information technology compliance and imposing steep civil money penalties (CMPs) when deficiencies are found.
In October 2020 alone, the Office of the Comptroller of the Currency (OCC) punished two different banks for unsafe and unsound practices related to information security by issuing an $80 million CMP to one and a $60 million CMP to the other. In August, the OCC hit another bank with an $85 million CMP due to unsafe and unsound practices in its information technology risk governance program.
A New Administration Means New Priorities
The Biden administration acted quickly to reassert the federal government’s regulatory power. In one of the President’s first executive orders, he revoked the previous administration’s order to repeal two regulations for every one proposed.
In particular, financial institutions need to keep in mind how focused the new administration is on strengthening fair housing and fair lending laws. On Jan. 26, a presidential memorandum made it clear that, “The Federal Government has a critical role to play in overcoming and redressing this history of discrimination and in protecting against other forms of discrimination by applying and enforcing Federal civil rights and fair housing laws.”
More of Bankers’ 2021 Priorities
CSI’s sixth annual survey yielded the above perspective from bankers across the United States. They also shared their views on a range of other issues, including their initial pandemic response, market share strategies, technology and cybersecurity tactics for the year ahead. Find out what they had to say about all of these topics by reading the full 2021 Banking Priorities Executive Report.
Keith Monson serves as CSI’s chief risk officer. In this role, Monson maintains an enterprise-wide compliance framework for risk assessment and reporting, as well as other key components of CSI’s corporate compliance program. With over 30 years of experience, he has a wide range of expertise in the compliance arena, having served as chief compliance officer for both large and small financial institutions.