Picture Perfect! Your Regulatory Change Management Program—in Technicolor | Wolters Kluwer
  • Insights

  • Picture Perfect! Your Regulatory Change Management Program—in Technicolor

    by Barbara Boehler, J.D., LL.M., CCEP

    Published January 12, 2018

    (as published in ABA Bank Compliance Magazine, January/February 2018 issue)

    We’re not just in Kansas anymore.

    Some years ago, a sales executive for whom I provided compliance support called me from the airport right before boarding an international flight.  The conversation went something like this: Sales Exec: “I forgot to tell you that we’re looking to do business in China. I’m about to fly to Beijing.  Are there any regulatory issues I should be concerned with?”

    My response: “I don’t know, Chinese prison, maybe?”

    The gap between this colleague’s expectations for doing business in China—and actually having a passing familiarity with the Chinese regulatory environment—was striking. Yet it’s a phenomenon we see all too often, given the growing number of regulations impacting the banking world these days. Nostalgia for the good old days is simply that—nostalgia. We have entered a new world of regulatory compliance. In today’s highly regulated banking industry, there are approximately 1,200 regulatory agencies overseeing banking on a global basis that deliver an output of about 2,000 regulatory changes daily. Or, to paraphrase Dorothy in her transformation from drab black-and-white into a Technicolor-enhanced Land of Oz, “our business isn’t just in Kansas anymore.” Instead, it is wherever the business takes us. That statement holds true for an increasing number of banks as they expand in multiple jurisdictions and, accordingly, become beholden to the laws and regulations of each, whether local, state, federal, or beyond.

    “If We Walk Far Enough, We Shall Sometime Come to Someplace.”

    The Need for a System

    Compliance officers are required to be specialists in all of the various businesses that a bank encompasses.  That means we’re responsible across multiple jurisdictions, sometimes representing seemingly innumerable regulators. In the last few years, our responsibilities within the Compliance Department have grown exponentially. And if we represent a global organization, we need command of the laws and regulations that affect bank commerce in all of the countries where we operate.

    In order to be compliant, we need to help ensure our bank has a dependable methodology that continuously monitors and captures the ongoing flow of new regulatory information and updates. That methodology should incorporate the fundamental elements of a regulatory change management program.  It should also include—not least of all—a rigorous staff training component. Training can go a long way in giving you confidence that you have the right strategy in place and this will help empower you to deal with whatever additional regulatory considerations your sales team may spring on you!

    The key to developing and maintaining a regulatory change management program is through establishing a shared methodology that is consistently applied—and which is repeatable—throughout all lines of the business. 

    This article will:

    • Highlight some key considerations for the development and continuing growth of a regulatory change management program;
    • Introduce the concept of a regulatory library;
    • Examine the most common methods for managing regulatory change workflows;
    • Look at some of the new technological advances in this area; and
    • Identify some best practices that you might consider for your bank.

    The Regulatory Library: Creating Your Yellow Brick Road

    If you have been in a compliance role for any length of time, this will not come as a great shock to you—there are very few shortcuts in compliance. The first step in establishing a regulatory change management program—or any program—at your bank should be a thorough regulatory compliance assessment of your business. This assessment should take into consideration the entire business, its affiliates, customers, locations, people, departments, and products.

    The question that we’re looking to answer with all of those areas in mind is: Do we have a complete list of all of the jurisdictions, regulations, and underlying laws to which we are beholden? Once this assessment is complete, you will have an inventory of all of the jurisdictions, regulations, and underlying rules with which your firm is required to comply, down to the citation level. This inventory is your bank’s regulatory library.

    The regulatory library forms the foundation of your regulatory change management program. A regulatory library that is kept up to date helps ensure that you will firmly have your arms around all of the regulations that are your responsibility. Once you have established this foundation, then all new regulations and amendments should be vetted through that inventory and mapped to the applicable business unit, product line, or even policy/procedure. It would be inefficient for the Compliance Department to track and evaluate new rules and rule changes that were not applicable to the business. A regulatory library helps you to establish a fence around those rules you care about.

    Forks Along the Yellow Brick Road

    Once your bank’s regulatory library is established—and you are confident that you’ve included the appropriate rule book for every product, regulator, and jurisdiction—the next step is to consider how you will keep your regulatory library current, and determine how future regulatory changes will be monitored and assessed throughout the organization. Ensuring that you are effectively managing regulatory change remains in the top three risk assessment concerns of banks. [1]Every bank, large and small, worries about and struggles with implementing change.

    Given the increasing role that technology is playing in helping banks manage their regulatory compliance obligations, there are a broad range of approaches that can be used to implement regulatory change management programs. These shall be referenced as No-RegTech, Low-RegTech, and High-RegTech. It is also common for banks to use some combination of all three approaches. And a single bank with different lines of business and affiliates might employ multiple processes.

    So where does your bank fall on this spectrum? If your answer as to how your bank manages regulatory change is along the lines of, “We’ve got in-house staff that take care of that,” you may very well fall under the No-RegTech (or manual) approach to managing regulatory change. The compliance (or legal) team in charge of regulatory change for this type of approach typically keeps up to date by subscribing to multiple regulatory email updates, proactively visiting regulators’ websites, and monitoring for industry group and law firm alerts. The team then takes these updates and:

    • Drafts a synopsis;
    • Tracks the change on a spreadsheet;
    • Reaches out to other groups within the Law and/or Compliance departments (as well as the business groups that might be impacted) for 1) an analysis of whether the change might affect business operations, and 2) whether the changes might necessitate changes to the business or to the bank’s policies and procedures. 

    All of this work is accomplished manually through spreadsheets, along with verbal and email communications.

    The No-RegTech approach to regulatory change management is extremely workable for many banks, especially smaller ones. This approach also works best for banks with limited jurisdictions and product lines, and ones with few stakeholders within Compliance, Law and the business units to evaluate change.

    The inherent danger in the No-RegTech method is that the manual nature of finding regulatory change makes it easier for changes to be missed. Larger banks may find it difficult to manage multiple workflows and ensure that changes were captured, reviewed and analyzed, and that appropriate action was taken to amend policies and procedures. It is typically more difficult to develop reports using this No-RegTech approach and your regulatory library would need to be established and updated manually, which can often be a daunting task depending on the size of your business.

    The Low-RegTech approach to regulatory change management is a mostly manual process with the addition of some technological enhancements. These enhancements may take the form of a subscription to a content provider to help a bank ensure that all changes are captured. Banks might also employ a document-sharing platform for use across the regulatory change management team. This platform could be used to keep and share an up-to-date version of the regulatory library, the spreadsheets evidencing change, or a database for tracking updates.

    There are other benefits in adding some technology to your regulatory change management process. An automated, central point for receipt of regulatory changes helps ensure that all changes are captured. Additionally, the ability to share documents across a consistent platform helps to limit the possibility of duplication of efforts, or that multiple spreadsheets or documents exist for the same issues. Also, a shared platform will help with the management of your regulatory library.

    Perhaps the biggest pitfall inherent in the use of a Low-RegTech approach to regulatory change management is that it remains essentially a manual process. Although the spreadsheets, databases, and regulatory library are shared, they must be populated and updated manually. While content delivered directly to the Compliance Department would help to ensure that changes were not missed, those changes would need to be imported into a spreadsheet or database.  Additionally, much like the No-RegTech solution, it may be difficult to develop reports from a shared platform.

    Pay No Attention to That Man Behind the Curtain: The High-Tech Approach

    Another common method for managing regulatory change, particularly at larger banks, is what we might call the High-RegTech approach, which might include both content and software components. Banks might choose to implement either a homegrown or vendor-provided software solution into which they can import changes that would be connected to their regulatory library. Under this approach compliance officers evaluate changes and initiate workflows to help ensure that the regulatory changes are reviewed and evaluated by the appropriate stakeholders. Compliance officers are then able to implement changes to the regulatory library, as well as initiate changes to policies and procedures, based on their review.

    One of the benefits of a High-RegTech solution includes the fact that regulatory updates are imported directly into the system that refer specifically to the banks’ regulatory library, thereby reducing the “noise” of regulations that are not applicable. A High-RegTech solution provides a consistent approach and helps to ensure that regulatory changes are not missed. Another major benefit is the ability to distill reports via information imported into the system, so that the evaluation of the regulatory change is demonstrable to senior management, the board of directors, internal audit, and to regulators.

    Perhaps the biggest challenge in implementing a High-RegTech solution is with internal adoption. The compliance and business users of these tools must be ready and willing to make the software a part of their everyday work. In order to help encourage user adoption, banks might consider establishing a training program, as well as sharing written processes for all users. 

    No matter what level of tech used in your approach to regulatory change management, the best approach is one that is able to be applied consistently and is repeatable.

    Block Chain, Bitcoin and AI… Oh My!

    It’s an exciting time to be in banking compliance. Admittedly, the words “exciting” and “compliance” (and maybe even “exciting” and “banking”) are rarely coupled as a concept! However, new and emerging technologies promise to transform our way of managing almost every part of the industry—including our compliance departments themselves. In fact, the transformation has already begun: Deutsche Bank made the news in 2017 by announcing it is piloting the use of artificial intelligence for some of its regulatory compliance tasks. [2]

    Perhaps the most immediate impact of technological advances such as big data, bitcoin, and block chain to your regulatory change management program, may be in the assessment of any new regulations surrounding them and the accompanying changes to policies and procedures. However, artificial intelligence (AI), may be particularly transformative in terms of the management of regulatory change. While we’ve identified No-, Low-, and High-RegTech methods of managing regulatory change, we might consider some of the work in this space as RegTech 2.0. 

    The Oxford Dictionary defines AI as “…the theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages.” 

    Compliance departments staffed solely by robotic compliance officers is not necessarily an anticipated use of AI. Rather, within AI, Natural Language Processing (NLP) and Machine Learning are particularly adept at the administrative acquisition of and review of data. In short, this is the visual perception and translation-focused use of the technology.

    AI technologies will be able to gather and sift through vast amounts of data quickly, saving time and greatly reducing the administrative burden on compliance officers. In fact, software vendors are already developing these alternative methods of gathering and evaluating data. I mentioned earlier the roughly 1,200 unique regulators across all jurisdictions globally generating about 2,000 regulatory change events daily. By employing AI technologies, (including pattern recognition to extract data and methodologies that would classify the documents and extract facts and metadata), we enable the (traditionally) human compliance officer to focus instead on the actual work of compliance (such as the review, evaluation and assessment of the impact of the regulatory change to the business), rather than just data acquisition.

    You’re Out of the Woods…Step into the Light

    The theory and importance of a regulatory library is a key foundation of your bank’s regulatory change management program. And. the most common approaches to managing regulatory change—No-RegTech, Low-RegTech, and High RegTech, as well as new technologies, are poised to transform and streamline the work of the modern compliance office. 

    Regulatory change management is not a one-size-fits-all proposition. The particular methodology that you employ for managing change will depend upon your bank’s size, jurisdictions, products, people, and their ability to adapt to process change. The good news is that where you are now does not dictate where you will remain. This is an evolving process. 

    Through thorough self-assessment, your bank can determine what tools are needed to enhance your regulatory change management program and thereby meet the ultimate goal of having sustainable, repeatable processes. With these pieces in place, you will have confidence knowing the regulations needing compliance, and you’ll be fully ready when Internal Audit, the Board, or a regulator stops by for inspection. So, click your ruby slippers three times—you’re on the way home!

    About the Author

    Barbara Boehler, J.D., LL.M., CCEP, is a compliance consultant and securities subject matter expert at Wolters Kluwer. She is an attorney and compliance officer with over 16 years of experience in the financial services sector, where she has developed, monitored and assessed both broker-dealer and investment advisor firms’ ethics and compliance programs. She formerly served as global chief compliance officer for Arete Research, a limited-purpose, FIRA-registered broker/dealer specializing in equity research. Before that, she held compliance leadership roles at Fidelity Investments, JP Morgan Invest, Standish Mellon Asset Management, and Babson Capital Management.

    She holds a Juris Doctor degree from Suffolk University School of Law, and a Masters of Law degree from Boston University School of Law. A certified compliance and ethics professional, she currently serves as an adjunct lecturer on the practice of compliance at the law schools of both Suffolk University and Boston University.

    Quotes within this article were taken from the movie, The Wizard of Oz, 1939, or the book The Wonderful Wizard of Oz, by L. Frank Baum.


    1Please refer to regulatory and risk concerns of banks as measured in Wolters Kluwer’s 2017 Regulatory & Risk Management Indicator survey.

    2“Deutsche Bank Deploys Artificial Intelligence to Help Meet Demands of Regulatory Compliance” The Wall Street Journal, April 18, 2017.

  • Please take a moment and tell us what you think of our content.