Toiling amidst all the debate and political posturing that has surrounded Dodd-Frank and other new financial regulations are the people inside the banks who actually have to make sure their institutions are following all the rules.
The sheer volume is staggering - analysts estimate there are more than 250 specific new rules for banks to follow - not to mention the accompanying testing, auditing and systems updating to ensure compliance with the rules. The burden on the executives responsible for compliance is disruptive, and not in the good way that tech pros usually mean when they use the word. For many banks, following the new rules will necessitate an enterprisewide compliance testing infrastructure that spots compliance shortfalls or exceptions, and tracks and tests the updates that are executed to fix those exceptions - spelling a boom for the core banking vendors and specialists that automate compliance testing.
"Having a systematic way to test for compliance is critical," says Julie Conroy McNelley, a research director for Aite. She estimates there are 253 incremental regulations that will be added as a result of Dodd-Frank. "A lot of big banks have a platform in place to help with this. But with small banks, you have one or two people to handle compliance, and oftentimes the compliance and audits come with a huge paper trail."
Chris McClean, a senior analyst at Forrester Research, says reporting is getting more complicated because the number of auditors and regulators is increasing. "It's not just one person with 200 new rules - it's a larger group of organizations looking into what you are doing," he says.
With all the mergers, acquisitions and takeovers of distressed banks the past few years there are more stress points where a policy or procedure may be out of compliance, making manual testing more difficult, McClean says. There is simply more to test and fix than before, making existing methods of testing obsolete. "There may be claims management or other platforms that may not be working right together right away."
Smelling a chance to lure new clients and expand relationships, technology companies are all over this trend, with companies such as SAP and Oracle touting compliance engines that include testing and tracking updates.
The larger core banking companies, such as Fiserv, FIS and Jack Henry, have substantial compliance and testing solutions. "That's the silver lining for all of this regulation. It creates a lot of opportunity for folks," McNelley says.
Some specifically target rules testing and workflows. Continuity Control in New Haven, Conn., offers Web-enabled compliance testing and has been accumulating technology for the coming battle to capture testing share.
The firm recently acquired Compliance Services Group and Kirschler Peterson & Associates, additions that will extend its reach in the Midwest and South. Continuity Control also recently acquired My Compliance Info, leading to the creation of RegWatch, a workflow platform to feed regulatory updates and analysis directly into Continuity Control's process management system, as well as an onboarding process that includes an initial risk assessment and recommendations.
The new rules and huge paper trail mean compliance can't be handled by one or two people in a single office, as has been the case for small banks in the past.
The new testing responsibility falls to a much larger group of people, namely, those who run departments within the bank and their immediate reports. By automating testing, the reporting of glitches and shortfalls can be distributed to a larger group of people, lightening the load of the executives in charge of compliance and audits
"You need to have some sort of platform in place that allows people to track and facilitate compliance," McNelley says. Once the automated internal testing is complete, it's easier to deliver to outside auditors that a bank may hire on a consulting basis, or to the actual regulators. McClean also says that by automating audits, those tests can be reused for subsequent audits.
BIG TEST FOR SMALL BANKS
The impact is particularly acute at smaller banks, which are more likely to have small compliance staffs. While Dodd-Frank doesn't directly affect small banks, it is expected that smaller banks will have to comply to achieve a similar posture as larger banks.
"As far as what we were using before for testing and compliance, there was no technology. So it was a lot of spreadsheets and a lot of physical documents stored in a room somewhere taking up space," says Travis Colquett, vice president and compliance officer at the $100 million-asset First Citizens Bank in Luverne, Ala.
To fix the testing resources problem, the bank has licensed a downloadable compliance management module from Continuity Control.
The application manages workflow for regulations, enabling the bank's compliance workflows to be assigned to different departments, with subtasks and reporting also automated. This way, the bank can fix compliance glitches that show up in tests and track the progress of those updates to make sure they have been completed successfully.
Compliance management is centralized at the bank, though much of the actual work can be delegated to people closer to the activity being examined or tested.
"This spreads out the workload - there's not one person doing everything. As compliance officer, a lot of the work fell on my shoulders," Colquett says.
The bank has a regulatory exam every 18 months, with internal audits every few months.
All this testing - the internal audits, the reports to regulators, and the location and updating of exceptions - will be automated. For example, an audit that tests the accuracy of disclosure forms and how long it takes for a new loan to be processed may find that title searches are taking too long to get included in the loan's files.
The module can also spot quick fixes for processing of individual transactions. For example, a loan origination that is missing a signature on a specific document can be spotted, returned to the loan department and then sent to the borrower - all electronically.
"We can identify that exception through automated tests, and track how that exception is getting fixed. We can send reminders to the staff to make the fix, and check back in to make sure it's been done properly," Colquett says.
The heavy burden on compliance teams can be lightened via automated testing.