Financial institutions increasingly recognize the need to invest in technology and data governance that can deliver standardized yet granular, high-quality data to support financial stability and help monitor their safety and soundness. The right kind of data must also be easily accessible and malleable enough to be re-purposed as needed, and must yield actionable insights and analysis. Beyond regulatory compliance, executives understand that their firms stand to reap other business benefits that can provide competitive advantages. This was echoed in a recent survey where CFOs were asked:
Nearly one month after the New York State Department of Financial Services issued a proposal to establish prescriptive cyber requirements for New York-domiciled financial institutions,1 three federal banking agencies—the Federal Reserve Board (FRB), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC) (collectively, the “agencies”)—issued an advance notice of proposed rulemaking (ANPR) on enhanced cyber risk management and resilience standards for large banking organizations.2
Specifically, the enhanced standards would apply to US bank holding companies, the US operations of foreign banking organizations, and US savings and loan holding companies with more than $50 billion in total assets, as well as nonbank financial companies and financial market utilities designated for FRB supervision by the Financial Stability Oversight Council (FSOC), among others.
Compliance would be easy—well, easier—if the Chief Compliance Officer controlled all of the business processes that create compliance risks for the organization.
In the real world, the decisions and actions that add up to compliance happen all over the organization. Business leaders make decisions while balancing multiple concerns and competing objectives. It isn’t a surprise to any seasoned CCO that compliance isn’t always the top priority. As a result, it’s up to the CCO to understand the business and to exert influence over those decisions that drive critical compliance risks. And if that isn’t hard enough, CCOs also need effective processes to identify and measure those risks on an ongoing, real-time basis.
In today’s challenging regulatory environment, a new corporate role of regulatory liaison, with staff to support it, is emerging to provide a central point of contact for the regulatory community. Known by different names, this role effectively serves as the organization’s liaison in managing its regulators, and works together with other support functions, e.g., legal, risk and compliance, to manage the organization’s regulatory issues. Historically, this role was assigned to a single executive dedicated to regulatory risk management, or was a part-time responsibility of an executive who usually sat in the C-suite of the bank, e.g., the chief operating officer (COO) or chief administrative officer (CAO). However, as the complexity and impact of regulations continued to grow and to consume significant amounts of management’s time, many organizations began to recognize the need for a more comprehensive Regulatory Liaison Office (RLO), staffed consistently with other functions within the risk and compliance organization.
On June 26, 2014, the Federal Reserve (Fed) published answers to a list of frequently asked questions (FAQs) from foreign banking organizations (FBOs) that face enhanced prudential standards — including formation of an intermediate holding company (IHC) for non-branch U.S. operations and submission of an Implementation Plan. Many of the questions were generated from a town hall meeting the Fed conducted in May 2014 to help selected FBOs understand the planning requirements and timing associated with the enhanced standards.
The fourth anniversary of the Dodd–Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) is a perfect opportunity to reflect on the progress that has been made since the Act’s passage in 2010 and to look forward to the required regulations that have to be implemented. The law was a direct response to the financial downturn, and was specifically designed to prevent a similar crisis from happening again. So how are things going so far?
Overall, it’s a mixed bag. Considerable progress toward implementation and reform has been made in some areas, while others are just getting warmed up.
On September 2, 2014, the Office of the Comptroller of the Currency (OCC) finalized new standards that formalize “heightened expectations” for risk governance at the banks with more than $50 billion in assets that it regulates — and, in turn, impose new levels of responsibility on the boards and executive leadership of those institutions for the risk decisions they make.
Now, banks must codify “strong risk management practices” at the bank legal-entity level, including governance policies, procedures, structures and even board composition. What some banks have had to do as the result of individually targeted Matters Requiring Attention (MRAs) is now applicable to all, albeit on a phased basis according to size. All banks with more than $50 billion in assets must comply with the new rules within 18 months. Those whose assets total between $100 billion and $750 billion have six months, and those with more than $750 billion must comply within two months.