The past decade has required the financial services industry to engage in change management at an increasingly accelerated pace to respond to customer demand for digital services, the challenges of the pandemic, conflict-driven sanctions, economic forces, and technologies such as artificial intelligence. All this is in addition to the ever-increasing regulatory scrutiny we are witnessing in both the United States and abroad.
Within financial institutions, the compliance function (Compliance) has traditionally played a well-understood role in managing changes required by new regulatory demands. Apart from these situations, though, Compliance is not usually considered a key player in change management but an imposition and impediment to change. However, Compliance can actually act as an accelerant by assisting in the removal of speed bumps rather than becoming one. A prime example is early identification of compliance issues in change management projects that would otherwise go unnoticed, requiring triage at the 11th hour.
Put simply, financial institutions can manage change more effectively—whether in products, services, technologies, or acquisitions—by integrating a safety and soundness perspective from the start, in line with regulatory expectations. The examples and recommendations below, supplemented by links to related Treliant articles, show how to use Compliance to accelerate change.
Opportunities to Minimize Risk and Accelerate Change by Including Compliance
Some changes that would benefit from Compliance’s involvement are obvious, even required, while others may not have been considered previously by many financial institutions. Areas where Treliant has seen such missed opportunities to involve Compliance, with subsequent negative results for the financial institutions, include the types of change we describe below.
- New Products and Services: At times, enthusiasm for new products and services can cause a compliance review to be overlooked, even though one is required by the financial institution’s compliance management system (CMS). Sponsors and project managers should instead involve Compliance at the start, rather than at the end, of the development process. Compliance contributes not only regulatory knowledge and credible challenge, but also industry knowledge of acceptable tools that may address regulatory risk. An example of this could be knowledge of reliable vendors of “Know Your Customer” (KYC) solutions to screen new products and avoid exploitation by bad actors.
- Anticipatory Change: Highly risk-averse financial institutions may rush to respond to legal or regulatory changes by adjusting policies and products in ways that are not technically required. These changes are often initiated by internal legal departments looking to avoid potential litigation or other issues, and then rapidly implemented to demonstrate responsiveness to regulators. While laudable, anticipatory change like this may lead to unintended consequences. Without Compliance’s involvement, the risk of breaching another applicable regulation is high. An example of this might involve a credit policy where adjustments have downstream compliance impacts on approvals and denials, customer-facing communications, and product availability in certain markets.
- Strategic Change: Financial institutions make organizational changes that may not seem to require the involvement of Compliance at inception but may develop compliance-related implications upon delivery. Examples include changing organizational direction and reallocating resources; rebranding and developing new customer materials; revamping a product to target a certain demographic; or expanding into new countries. All of these pose inherent compliance risks that financial institutions need to address as part of the strategy.
- Transformational Change: Today, business transformation is on the minds of almost every leader in financial services. Typically this relates to changes in the technology and digital space and how financial institutions deliver products and services to their clients while meeting their regulatory obligations. Establishing a change management process that involves Compliance from end to end allows for incremental adjustments during the transformation process, rather than having to implement massive, expensive corrections upon delivery. An example may be the development of new internal enterprise software to manage fee collection. Failing to involve the compliance function raises the likelihood of incomplete project execution. Take this scenario: There is an initiative to update the fee collection software. The project plan does not include participation by Compliance until the later stages of design and implementation. Compliance identifies a missing regulatory requirement that is critical to the software. The worst-case outcome is that the project has to redesign the software and retest its implementation, losing valuable time and money. This rework can impair the financial institution’s fee collection, which in turn could impact the financial institution’s safety and soundness, which in turn could lead to regulatory enforcement actions.
- Changes in Systems of Record: Revising systems of record for issue management may seem to be a benign operational change. However, if the new system does not capture the same information as the previous one, downstream reporting that draws on the system may be impacted and compliance risks may emerge. Further, extracting data for reporting purposes can be a stumbling block for many financial institutions transitioning between data management platforms. An example of this challenge is the production of data during audits. Involving Compliance in selecting and configuring the new system of record will ensure that all needs are considered, including mandated retention schedules, and that data necessary for compliance tracking is captured in the new system.
- Break/Fix Changes: Break/fix changes typically occur in the technology space and are fast-moving implementations to address critical weaknesses. Crisis management might not seem the time to involve Compliance. However, advance planning to identify a subset of break/fix changes requiring the involvement of Compliance is advised. It will ensure that solutions do not cause more problems than the original issues—and that compliance-related upstream and downstream impacts will be considered.
- Third-Party Changes: The ownership of third-party relationships often rests with business units, as the first line of defense in risk management and compliance. However, implementing change management processes that involve Compliance in changes driven by, or occurring within, a financial institution’s third-party service providers is not just a sound practice. The level of compliance review when conducting due diligence on a third party should be determined by the product or service the third party will be providing to the financial institution. Recent regulatory guidance clearly states the responsibility of financial institutions for third parties’ actions. Third parties, while efficient and cost-effective, must be included in change management practices that are inclusive of compliance reviews. Examples of third-party activities that could impact financial services include changes in a third party’s data storage solutions for customer data, particularly if that third party or its “fourth-party” vendor interacts with consumers.
Identifying Where Compliance Brings Value in the Change Management Process
The dynamic nature of financial services can make it difficult to prioritize where the compliance function should be involved when it comes to change management, even if all stakeholders agree that involvement would be beneficial. Gap assessments can be one approach, however, to ensure that the involvement of Compliance is strategic. Here, financial institutions may consider using business process management. The approach utilizes process and control mapping coupled with the results of risk and control self-assessments (RCSA) and governance, risk, and compliance (GRC) tools to visually illustrate and identify:
- Existing formal change management processes.
- Informal change management processes.
- Changes that are currently unmanaged by any process.
- Existing controls that may be impacted.
- New controls that may be needed for the changes.
- Inflection points where Compliance’s involvement would be useful to managing risk.
Once this process is complete, several steps can help identify where Compliance should get involved, as follows:
- Holding data-driven discussions about where in the change management process Compliance can contribute the most value.
- Determining whether currently informal or unmanaged processes would benefit from formalization and Compliance’s contribution to those processes.
- Identifying Compliance’s role, whether as developer, reviewer, approver, and/or stakeholder.
- Developing a more comprehensive risk inventory.
- Building a more comprehensive control framework.
- Increasing onboarding and ongoing performance benchmarks for third and fourth parties to manage their risk.
In addition to these steps, clients often discover benefits during business process management for the enterprise, such as opportunities to increase efficiencies or identification of previously unknown risks. For more information on business process mapping, please see Treliant’s article titled “Using Business Process Management in a Regulatory Environment.”
Defining ‘Involvement’
One of the factors that might limit the value derived from involving Compliance in change management is the lack of role clarity. To fully utilize the compliance function’s knowledge to accelerate change management, the following actions are also recommended:
- Establish a partnership relationship with Compliance.
- Identify the roles and responsibilities of key project team members, including Compliance (who does not love a good Responsible, Accountable, Consulted, and Informed chart!).
- Involve Compliance in the initial and ongoing stakeholder meetings.
- Provide planning documentation for Compliance to review and offer insights into potential compliance challenges.
- Include a risk and compliance review and signoff by Compliance in the change management documentation.
- Provide customer-facing communications to Compliance before deployment.
- Engage Compliance in third-party vendor selection.
- Provide third-party service agreements to Compliance if these entities are a part of the changes being managed, for review of third-party and potentially fourth-party risks.
- Have Compliance review documentation used to obtain leadership approvals, preferably before presenting to leadership.
Compliance can contribute a great deal without having signatory roles, which is why only one of these recommendations involves signoff by Compliance. In its work with clients, Treliant has seen that greater attention to the role of Compliance—beyond that of regulatory change manager—results in benefits to the process overall and risk mitigation in particular.
Compliance as a Service (CaaS)
Change management is involved in every aspect of financial institutions, and understanding where Compliance can accelerate the delivery of compliant changes provides benefits across the enterprise. Though independent, Compliance can be a powerful internal resource in accelerating business plans and implementations. Understanding the appropriate point in the change management process and the right role of Compliance can ensure that change management is not slowed, but accelerated. Finally, involving Compliance in change processes beyond responding to new regulations mitigates the risks of unintentional compliance breaches, regulatory actions, and reputational and financial harm.