Compliance Gets Complex

GLBA, CRA, HMDA, ECOA... The alphabet soup of compliance acronyms grows ever spicier. Banks have been complying with fair lending laws and regulations, such as the Fair Credit Reporting Act, for years. This year, regulations regarding consumer privacy (the Gramm-Leach-Bliley Act, or GLBA) were enacted, opening up a new frontier in compliance.

GLBA requires banks to give customers the opportunity of opting out of cross-marketing efforts, and to ensure the safeguarding of customer data. Waiting in the wings of this federal act are numerous state regulations that take the regulations even further, in some cases mandating an "opt-in" marketing preference for customers.

Needless to say, the job security of bank compliance officers is assured for many years to come. However, as institutions have come to rely on information technology to manage accounts and deliver products, the impact of laws and regulations goes beyond the administrative function and reshapes banks' approaches to customer relationship management. As a result, institutions may have to re-examine the way they build and deploy CRM and other systems.

Few other industries must justify and track their transactions and interactions with customers the way banks and financial institutions do. In 2000 alone, legal analysts at Bankers Systems Inc., a compliance software vendor based in St. Cloud, MN, tracked more than 5,000 federal and state bills across the nation that directly impact banking compliance, according to Kris Stewart, director of compliance technology. "There's been an increase in regulatory activity," she notes. "States are becoming very active in privacy legislation, for example." Plus, the rise of Internet banking has opened up a whole new can of worms for regulators and lawmakers.

Until recently, compliance could be handled with a pen. Satisfying federal, state and local requirements meant manually filling out reams of forms. Now, many compliance officers turn to software packages and services to track and generate a myriad of required reports. While compliance software packages have been offered for a number of years, many packages, running on Windows-based PCs and servers, are now available and affordable to small to midsize institutions. Compliance content and updates are also now distributed via CD-ROMs and are available over the Web. Solutions on the market typically fall into two categories: those that provide checklist-driven administrative details on laws and regulations, and applications that provide calculation and analytical capabilities, such as geocoding.

The approach of many financial institutions to date has been to cobble together a variety of approaches to meeting compliance, from manual processes to writing their own software. "A lot of institutions have their own in-house legal departments, and own in-house-developed systems," says Christine Pratt, senior analyst with TowerGroup of Needham, MA. "Other organizations are perfectly happy to buy a whole package."

Still, in some cases, paper continues to reign. "I'm often surprised to still see the largest banks in the country still purchasing paper documents," says Stewart of Bankers Systems. Often, she adds, these are for niche businesses such as vehicle leasing or IRAs, "where it's just more convenient to have paper on the shelf."

The point closest to the customer, the branch, is typically ground zero for the handling of much of this compliance information, says Tower's Pratt. "You need to enable the person who's on location at the branch to actually change the documentation. The biggest issue is trying to get it to the branch level, and to make sure that the branch people have control of the documentation." Effective workflow is the key link to this process, Pratt adds. "The biggest problem is providing people with the appropriate documentation, depending on where they might be," she says. "If your lender has an operation that is in one state, and the customer's in another state, the other state might have different rules, and different disclosures."

Banks need to do more than simply install software to enable a smooth compliance process, according to Paul Reymann, a former regulator from the U.S. Department of Treasury's Office of Thrift Supervision and a key author of the GLBA regulations. What matters is the ability of both the software vendor and the bank to follow through with upgrades, regulatory updates and information, as well as training, says Reymann, now president of Compliance Coach, Washington, DC.

Reymann and other industry experts agree that in order to build compliance into operations, banks' processes and management practices must also be realigned. "Technology is great, and most packages run well," says Jay Kassing, president of sales and marketing for The Centrax Group of Dallas. "You have to be motivated to use it, you have to teach yourself how to use it, you have to actually use it," he says. "Software is software is software. Excel, Lotus, doesn't really matter. Your ability to get the training, the support [is what really counts], and the consulting to satisfy the needs of what you are required to do under a regulation."

Such post-deployment work and management may strain the resources of many financial institutions. "Larger financial institutions have a lot of work to do, but generally they have experienced legal resources, internal training programs and formal compliance systems," says Alan Dombrow, regulatory liaison for Harland Financial Solutions of Atlanta. The loan closing stage is also fraught with potential liabilities. Initiatives such as the Community Reinvestment Act (CRA), Equal Credit Opportunity Act (ECOA), Fair Credit Reporting Act, Home Mortgage Disclosure Act (HMDA) and Bank Secrecy Act (BSA) require meticulous tracking and reporting on lending practices.

GLBA and other privacy initiatives open new challenges in terms of IT capabilities as well. Burgeoning privacy laws and regulations will require new systems that can handle various customer preferences. Institutions currently manage customer data with two disparate databases that need to be better integrated, says Pratt. Typically, marketing data has been developed and maintained separately from customer files. When institutions initiate marketing programs, they typically go to their database marketing system, campaign management systems or outside agencies to create their lists, not their core processing and customer information file (CIF) systems, according to Pratt. As a result, she sees vendors moving to create solutions that better manage the customer privacy choice process. "New regulations encourage the creation of a privacy database to house customer choice and manage requests for non-public information acting as a catalyst for creating more centralized customer data and true customer relationship management across all accounts."

Unfortunately, she continues, "opt-out management technology is the least developed IT solution available at this time, but may require the greatest level of IT expenditures in the near future."

Solutions will need to address three areas: policy and database development, disclosure generation and privacy data management. Pratt predicts that the cost of developing these specific databases "could approach the levels associated with processing consumer loan applications." She estimates that "at the low end, the cost of disclosures alone top $400 million for the 100 largest banks."

Along with fair lending and privacy, industry experts foresee new regulation down the road in terms of electronic signatures, identity theft prevention, and information security.

"With the amount of regulations that are placed upon the financial services industry, there's a clear need to build a bridge between the intent of that regulation over to the institution's day-to-day application of this mandated requirement," says Reymann. "Regulations or laws identify a high-risk area that needs oversight and regulation. The issue is converting that into a day-to-day application at the institution so they can not only comply with that, but also integrate it into the entire process of delivering products and services to the customers. Every time you make a change to your system, you have to be sure that you haven't weakened the controls that you have in place."

Joseph McKendrick is a freelance writer based in Doylestown, PA.
