Integrating Compliance and Technology
By Dan Shannon
It’s Friday afternoon, ending a quiet week in the IT Department. As the executive in charge, you anticipate a short presentation to the executive committee on Monday: the usual summary of system reliability, a briefing on new installs and a short discussion on the upcoming regulatory exam.
That’s when one of your line managers ducks his head into your office. It seems the marketing department is requesting another copy of the customer information file you provided them earlier in the week. They are working with a third-party marketing entity that is using the file – complete with the names, addresses and Social Security numbers of the customers – to run it through analytics to provide your bank with a targeted list for the upcoming home equity loan campaign. The problem is that they can’t find the original CD file, and they need to send the information to the third party in order to finish the project before Monday.
On the surface, this may not seem like such a serious situation since there is no financial data on the CD – just names, addresses and Social Security numbers – so the bank and its customers should not incur any financial losses. But make no mistake, this turn of events is serious because it exposes the bank to significant compliance issues and has the potential to impact the reputation of the bank.
You have just read about a “compliance event”: a linked chain of incidents that exposes a bank to regulatory or legal actions that may substantially and negatively impact the organization. This type of event, which may not result in direct financial losses, can be of such impact that the bank may no longer be a sustainable entity.
In today’s financial services environment, compliance events and their multi-faceted repercussions – like the one described above – are more frequent. Compliance has become entwined with technology. In fact, the increased difficulty in separating compliance issues from compliance technology issues has been a major contributor to the growing complexity of the challenges banks face. It has reached the point where improper or incorrectly deployed technology can trigger an event, even in light of increased regulation and scrutiny.
The table below summarizes how the integration of technology has changed the nature of compliance and the approach banks take to it.
With this changing technological environment, financial institutions must take a different approach to maintaining compliance. Important guidelines to remember include the following:
• Make sure that the technology you implement allows data to be captured and structured so that it can be shared appropriately throughout the institution.
• Speed up your implementation of document imaging so that a single graphic can be shared almost instantaneously across the enterprise.
• Eliminate the use of programs like Excel or Access for data analytics; spreadsheets and desktop databases are error-prone, and their contents can be changed, sometimes without anyone knowing.
• Create a sound, safe and secure archive or data warehouse.
• Ensure the platform you implement is flexible, and can grow and change as the needs of the enterprise grow and change.
• Take the necessary steps to inform the bank’s employees about what you are doing with technology and compliance so the transition goes as smoothly as possible.
• Create a well-reasoned and planned approach to training that gets necessary information across to employees efficiently, while remaining current.
• Maintain an inventory of compliance activities and the software that supports them, and ensure the software list is kept up to date.
• Conduct tabletop walkthroughs for compliance events at every compliance committee meeting. Create possible compliance events like the one found at the beginning of this article, and discuss how this might play out at your financial institution.
• When a compliance event occurs, address it immediately.
Let’s replay the scenario introduced at the beginning of this article. This time, instead of being unsure of the seriousness of the situation, you are aware that releasing customer information is a violation of bank policy. Now, you’re going to take action of a different kind, and you are prepared.
You completed a tabletop walkthrough for this very type of scenario a few months before. As a result, you waste no time putting together a plan to identify whose information was on that CD, what kind of data it was and what response is required. And if the CD is not found in the next three hours, you will take the following actions:
• Create a governing document to deal with the situation at hand;
• Prepare a letter to go to the affected customers;
• Work with the CEO to draft a public message;
• Determine if accounts need to be closed, new cards need to be issued, etc.; and
• Contact your insurance provider to determine what kind of coverage you have for this kind of event.
Your preparation for this event has given you a solid foundation to build an appropriate response. No, it won’t be perfect and yes, the bank may suffer from a damaged reputation, lawsuits and fines. The methodology you have established, however, will mitigate the impact of the event – all because you were prepared.
Dan Shannon is senior vice president and general manager, consulting, at Metavante Corp., a banking and payment solutions company based in Milwaukee.