There has been plenty of discussion in recent weeks about risk management at financial institutions. Efforts to quantify and rank those challenges have come in recent reports and guidance from the Federal Reserve, the Office of the Comptroller of the Currency, and the Financial Stability Oversight Council.

Added to these resources is the business consultancy Wolters Kluwer, a global provider of software and services. It recently released the latest edition of its “Regulatory & Risk Management Indicator,” an annual initiative designed to illustrate the overall level of regulatory and risk management pressures faced by U.S. banks and credit unions. A key takeaway from its 2018 survey data that was assessed: “There is a notable easing in the anxiety levels of U.S. banks and credit unions in managing their risk and regulatory compliance obligations as compared to the 2017 survey results.”

Two-thirds of respondents continue to cite risk, compliance concerns as “high,” although they conceded “a notable easing in the anxiety levels” of managing those obligations. The research also found concerns in the ability to maintain and track changing regulations—and demonstrate compliance to regulators—were at their lowest levels in six years.

In more granular detail, this year’s “Main Indicator Score” of 85 represents an 18 percent decrease from the 2017 score. The calculation of that score is based on several factors, including the number of new federal regulations, number of enforcement actions, and the total dollar amount of fines imposed on banks and credit unions during the past 12 months. Additional information and perspective are gleaned from a nationwide survey of 582 banking leaders that was conducted between Aug. 22 and Sept. 12, 2018. More than half those respondents (61 percent) were either vice presidents, C-level officers, or presidents/CEOs.

“While we see a reduction in the Main Indicator Score, more than 60 percent of respondents continue to rate their compliance concerns as a ‘7 or higher’ on a 10-point scale,” says Timothy Burniston, a senior advisor for regulatory strategy at Wolters Kluwer who oversaw development of this year’s survey and its analysis. “It is notable that risk management concerns also remain fairly high, and there is palpable apprehension about several top issues, including cyber-security, IT risk and credit risk that respondents indicated will receive escalated priority and investment in the coming 12 months.”

Burniston attributed the lower overall score to notable decreases in regulations, enforcement actions, and fines. Nevertheless, “persistently high levels of concern shown in six years of conducting this survey reinforces the recognition that compliance with rules and regulations is still very much part of an ever-evolving risk management landscape that continues to challenge institutions.”

Despite President Trump’s much touted and debated deregulation agenda and a related focus on regulatory relief for small- and medium-sized financial institutions, 62 percent of the survey respondents indicated they “do not anticipate a likely reduction” in their regulatory burden in the coming two years.

Respondents from all the market segments surveyed—including banks, credit unions, and savings and loans—consistently cited managing changing regulations as a top concern. Specific regulatory compliance concerns included the looming Current Expected Credit Loss (CECL) impairment standard (identified as the top issue, with 73 percent of respondents “very” or “somewhat concerned”), followed by fair lending (61 percent), and state-issued regulatory requirements (58 percent). Additionally, managing Home Mortgage Disclosure Act (HMDA) obligations and implementing TILA RESPA Integrated Disclosure (TRID) regulations continued to rank among the top compliance challenges. Forty-three percent of respondents indicated they have seen a slight or considerable increase in examiners’ scrutiny of their fair lending programs.

“We had the lowest number of new regulations in several years and that was expected at some point, with most of the Dodd-Frank Act stuff out there, issued by regulators, and left to folks to absorb,” Burniston says. “The fact that managing regulatory change still bubbles up to the top, regardless of the size of institution, really tells me that banks are very much concerned about their ability to operationalize new changes.”

For HMDA rules, which demand an expanded array of mortgage-related data collection intended to better understand fair lending compliance, Burniston points to institutional concerns about accurately capturing additional data fields (cited by 62 percent of respondents), upgrading systems (39 percent), and analyzing data fields (21 percent). Nevertheless, the reported time and cost of implementation and training of staff both dropped from 2017.

“It’s going to be a challenge, I think, for the regulators to be able to use [new HMDA data] and describe to institutions how they’re going to use it. For those reporting it, they will be challenged with being able to self-assess and to have the right analytical models for making sense of all that additional information as well,” Burniston says.

The most recent surveys were wrapped up by Sept. 12, well ahead of mid-term elections that saw Democrats retake a majority in the House of Representatives. Concerns about the pace of regulations is likely to be unabated given that political dynamic and the lead-up to the 2020 presidential election.

“The fact that we’re not seeing new regulations at the same pace as we did before doesn’t mean that anything’s lightened up. Nothing we’re seeing from the regulators suggests that they’ve backed off. The last thing you want to do is take your foot off the gas and lighten up on compliance issues.”

Timothy Burniston, Senior Advisor for Regulatory Strategy, Wolters Kluwer

Direct responses recorded by banking leaders within the survey highlight specific regulatory compliance concerns, such as “balancing the need for compliance oversight/involvement with the impression that compliance is less important under the new administration,” as one executive offered.

“As a small community bank, the challenge of implementing new policies and updating current policies is always a concern,” wrote another. “We provide the same products that ‘big banks’ offer in order to service our small community. It would be such a help if regulations that are outdated could be retired, giving more time to focus on the compliance issues that are relevant to today’s environment.”

“The majority of our compliance is done manually. With new personnel joining our team, training them enough to cover the risk of human error will be critical,” opined another executive. Yet another declared that “enforcing compliance with training and business rules in a fast-growing company” was their main anxiety trigger.

Risk management concerns

The survey responses indicate a continuing concern about compliance risk management in general. Staff and investment resourcing continued to be pressure points, with respondents citing inadequate staffing for compliance (44 percent), manual compliance processes (42 percent), and too many competing business priorities (42 percent) as top obstacles to implementing an effective program. During the next 12 months, surveyed institutions said they are most likely to make “moderate to high” investments in updating policies and procedures (78 percent), strengthening risk assessment and controls (77 percent), and training their staff, board of directors, and senior management (75 percent) as priorities.

“There is still palpable apprehension about several top issues—including cyber-security, IT risk and credit risk—which respondents indicated will receive escalated priority in the coming 12 months,” the report says. Eighty-one percent of respondents indicated their organization will focus on cyber-security risks over the next 12 months, a response down only slightly from 2017.

Also noted is that the risk management efforts of survey respondents have remained at similar levels. Compared against prior survey years, no significant progress was observed being made in “the usage of well-defined, integrated, or strategic risk management programs.” In fact, this year “saw a slight decrease in highly structured programs, which could mean that more resources should be focused on managing risk, or it could reflect a perceived reduction in scrutiny/enforcement measures.”

Compliance management obstacles

Staffing for compliance, manual compliance processes, and “too many competing business priorities” have consistently remained top obstacles to implementing an effective compliance program, according to the survey. Other observed concerns include ineffective coordination of compliance efforts, confusion on the requirements for a compliance program, inadequate funding for our compliance efforts, and an ineffective feedback loop needed to update compliance programs.

Respondents said they are most likely to make investments in strengthening risk assessment and controls and updating policies and procedures, along with training staff. Other reported priorities for the year ahead include training for board, management, and staff; improving compliance audit; expanding compliance testing process; strengthening consumer complaint management; and investing in a regulatory content/research database.

The report notes that bank leaders expect to continue their investments in compliance-assisting technology. Goals and benefits of those investments are prioritized and include improving the ability to keep track of changing regulations and maintain compliance with them and having the ability to demonstrate and document compliance and risk management, across all lines of the business, to regulators.

“There is the whole matter of supervision around the management of technology. It’s something the regulatory agencies have spent a lot of time on over the years, and they expect financial institutions to do so as well,” Burniston says of the push into the RegTech space. “When we talked about those things that cause the highest degree of problems in implementing successful compliance risk management program, one was manual processes and trying to move into a more automated use of technology.”

The laudable goal, however, brings new challenges. “You have to, of course, manage the technology itself,” he adds. “You need to manage the vendor who’s providing the technology. It all raises the need for a lot of compliance testing to be able to make sure things like that data entry are accurate and ensuring that the technology is going to help you achieve your results in a compliant way.”

Better use of RegTech and integrating automation into compliance processes will likely continue gaining momentum and greater importance over time. “The fact that we’re not seeing new regulations at the same pace as we did before doesn’t mean that anything’s lightened up,” Burniston says. “Nothing we’re seeing from the regulators suggests that they’ve backed off. The last thing you want to do is take your foot off the gas and lighten up on compliance issues. That’s only going to come back and cause problems later on. There will be embarrassment and reputational damage.”