What’s on the Horizon for Regulatory Change Management?
Industry experts weigh in on how complex reg change is becoming, and what that means for the workflows and technologies that help organizations maintain compliance and accountability.
In December 2021, we hosted a webinar in partnership with RegTech Associates in which we explored some of the most prominent areas for regulatory change in 2022. The expert panel discussed some of the key challenges firms face when it comes to regulatory change, before evaluating whether technology can provide the key to more effective regulatory change management.
- Dr. Sian Lewin, Co-founder and Head of Client Delivery at RegTech Associates
- Jason Boud, Co-founder and CEO at RegTech Associates
- Kelvin Dickenson, Senior Vice President of Product Management GRC at SAI360
- James Nicholls, Managing Director at Braithwaite
- David Cowland, Head of Operations and Interim Head of Technology at Eliga Services
Dr. Sian Lewin opened the conversation by covering some of the most important themes to watch out for in 2022. Although the themes and conversation were slightly tilted towards financial services, some, if not most, of the topics discussed are still relevant to broader industries.
What causes regulatory change?
A common misconception among industry participants is that regulatory change happens in a vacuum; however, in most cases, it is a very reactive process. There are a number of important drivers which can precipitate regulatory change:
- Geo-politics: Regulation is a deeply political activity, and politics not only impacts the types of rules which are passed but also how they are enforced. Brexit, for example, had a big impact on regulatory outcomes for both the UK and EU.
- Innovation: As new innovations emerge, they create new potential risks for firms, customers and industries. These might be related to new products, but also technology and business model innovations. Neo-banks and banking-as-a-service have significantly expanded the risk and regulatory landscape for the financial services sector.
- External shocks: Events that occur outside the system of the regulated industry, such as climate change or the Covid-19 pandemic, have an impact on the need to regulate firms.
- Endemic issues: Such issues can arise from the nature of the industry or the market itself, such as market failures like information asymmetry or principal-agent problems, or issues that arise within that industry such as market manipulation or price-fixing.
Key drivers for regulatory change are often heavily entangled due to the globalization of financial markets and the role that financial services play as an engine for growth in national economies.
Areas to watch out for in 2022
It’s simply impossible to cover every aspect of regulatory change within one webinar, so Dr. Sian Lewin focused her attention on three key topics.
1. Climate change
Climate change has served up a range of exogenous shocks, and geopolitics is playing an ever more important role in the regulation of climate-related risk and disclosure. Climate-related disclosures act to better inform investors, markets and consumers about the ESG status of firms and the products they sell; in the financial services sector, this is particularly important to avoid greenwashing.
Moreover, there is a growing threat to financial stability from climate risk, and thus, there is a greater need to translate this into a financial risk to enable more effective risk management and mitigation. 2022 sees regulatory efforts focus on rules for disclosure. The EU is leading the way, but the announcement of the ISSB at COP26 signals a global effort to harmonize reporting standards.
2. Pandemic recovery
The Covid-19 pandemic has highlighted the importance of operational resilience, and the use (and risks) of technologies such as cloud computing and remote workforce management. In light of the ongoing disruption, 2021 produced a flurry of activity by regulators across the EU, UK and United States aimed at promoting operational resilience across the financial services sector.
For example, UK Operational Resilience rules and guidance have been finalized and go into effect by the end of March 2022. The EU’s Digital Operational Resilience Act, proposed in 2020 as part of the Digital Finance Package, has now been adopted by the Council and is moving into the tripartite negotiation process between Parliament and the Commission. And in the US, the Office of the Comptroller of the Currency (OCC) republished its Operational Resilience Sound Practices Guidance.
More broadly, firms should consider other areas of concern as we emerge from the pandemic, such as the overhang of debt and customer vulnerability. Although not all of the financial impacts have been realized as yet due to ongoing government support, regulators such as IOSCO are already undertaking analysis to understand the impact on certain markets and what the implications may be for additional standards. Customer protection is a large focus area in the UK, with the FCA consumer duty final rules likely to land on our desks in Q3 2022.
3. Regulating Innovation
Artificial Intelligence (AI) is making its way up the agenda for global regulators, particularly as more firms use AI to make decisions that can impact consumers’ lives. The EU released its draft AI regulation in April 2021, and it is currently undergoing the legislative process, so we can expect more clarity on the final rules in 2022. In the UK, the FCA is keeping a watching brief and focusing on governance and accountability for AI within financial services firms.
Another key area of innovation is digital assets: eye-watering price volatility and sustained attention from large, well-respected investment funds have captured regulators’ attention. In 2022 we can expect global regulators to provide further clarity on activities related to crypto-assets in each jurisdiction.
Challenges ahead in managing regulatory changes
With the panelists in broad agreement as to the key regulatory themes for 2022, the conversation quickly moved onto the main challenges facing firms as they get to grips with the continued pace of regulatory change.
Pace and complexity
David Cowland suggested that compliance teams have historically been over-reliant on using manual processes to identify and react to regulatory change. The pace and volume of change are only increasing, and it’s no longer sufficient for firms to continue with legacy methods like spreadsheets.
The challenges of monitoring regulatory change are worsened for firms with subsidiaries in multiple jurisdictions. In some cases, compliance teams are forced to juggle announcements from 20 to 30 different countries, with regulators constantly making changes, putting in delays and requesting information from the industry.
Cowland points out that it isn’t necessarily the “big stuff” that is giving compliance teams the biggest headaches; after all, most firms are on top of MiFID or GDPR changes. Instead, it’s the small, more nuanced modifications that often catch firms off-guard. Dr. Lewin elaborated by raising the example of the FCA’s recent address change, which formally took effect on July 1, 2018. The FCA advised firms that they should (a) make sure the correct address was included in any communications with clients and (b) take steps to replace references to the old address in any printed material “as soon as reasonably practicable.”
In this instance, the FCA moving from Canary Wharf to Stratford meant that all financial institutions (FIs) had to change the address on any external communication documentation. As a result, compliance teams were required to find any content containing the FCA address and amend it manually. Being able to deal with such an event in an organised way can be a great challenge for any firm.
James Nicholls progressed the conversation by focusing on particular challenges in the digital asset space. Players are pushing the boundaries of what is classified as a security, a commodity, and in some cases, money. For example, regulators in the U.S. disagree on how best to categorize crypto-assets. The SEC views these assets as securities, the IRS categorizes them as property, and the U.S. Treasury defines them as currency. This lack of clarity means the U.S. is yet to develop a clear regulatory framework around digital assets.
This makes it extremely difficult for firms trying to keep tabs on regulatory obligations since supervisors lack alignment and clarity. Jurisdictions such as the U.S. need to start to close some of these debates down to produce a usable regulatory framework that firms can utilize to build new businesses. It’s an extremely exciting space, but growth can sometimes be hindered by a lack of regulatory alignment.
The user journey and workflow management
While regulatory monitoring is, as mentioned, a huge challenge for firms, Cowland points out that a lack of understanding of the resulting user journey is hindering success. Regulation takes a long time to be formally signed off, and once it is, there is a long process of obligation mapping that has to take place. Once a regulation has been interpreted, it needs to be relayed to whichever team or individual is responsible; these individuals might sit in different teams, or even in different countries. This information then has to be fed into policy management, brought up to the front office, and controls have to be transposed into risk systems to effectively control the new risk parameters.
To create efficient risk management and obligation mapping processes, it’s important to remove the silo mentality and think horizontally by joining up teams and sharing information across subsidiaries. Firms need a mechanism that helps them to overlay regulatory changes onto the organizational hierarchy to distill which changes impact which entities, processes and people.
This is not just a one-off process either, Kelvin Dickenson added. Most major regulations almost always include a consultation process, with iterations of the final rules being offered for feedback from the industry. Even when finalized, regulation is often not directly implementable. As a result, having a process that can identify and interpret a consultation paper and get it to the right parts of the business for feedback and amendments is critical.
Dickenson gave an anecdotal example in this case: When the U.S. Patriot Act was first circulated, it required firms to have a physical signature on every credit card application, but as many people know, nobody has applied for a credit card with a physical signature for over 25 years. Dickenson’s team identified the issue and proposed new ways to manage identity without being physically present.
The monitoring of enforcement is also vital. In many cases, enforcement action from regulators will expose hidden details of how regulation is interpreted and how it rolls out in prosecution, and whether processes are deemed to be sufficient or not. Ultimately, leading firms will monitor the birth of new regulation, the enactment of such regulation and its subsequent enforcement.
It’s bigger than just compliance
Having explored the challenges of regulatory change management, the team took a step back and evaluated some of the risks associated with non-compliance. Dickenson suggested that regulatory change should not only be viewed as a compliance challenge. Instead, ownership of compliance is pivoting toward being a risk issue rather than solely a compliance one.
Using climate change as an example, typical compliance may involve simple, accurate reporting, but as climate-related risks develop, leading organizations will explore opportunities to identify, quantify and mitigate such risks to the wider business. This transition from pure compliance to a wider business discipline spans every aspect of governance, risk and compliance (GRC). The aforementioned operational resilience regulation requires that firms monitor and mitigate cybersecurity risk. Similarly, EU money laundering regimes place the burden of understanding the risk on the institutions themselves, with a focus on having controls in place to mitigate it.
Dr. Lewin built upon Dickenson’s argument, suggesting that these issues reflect not only risk management but how leaders are managing their entire business. Risk management fundamentally impacts business strategy and business priorities. All of the key themes for 2022 really drill down to the heart of any business, from adopting innovation to promoting operational resilience and reducing climate risk. An organization’s strategy should align with these regulatory outcomes in order to grow sustainably.
Regulation penetrates so many parts of the business that working out who’s accountable and understanding the full user journey can be real challenges.
Is technology the answer?
Current methods for monitoring regulatory change simply aren’t scalable. They make the process slow and expose firms to risks associated with human error, and the cost of non-compliance is often severe.
Dickenson argued that emerging technologies can certainly help when searching for appropriate solutions. Two key aspects need to be considered:
- Horizon scanning software: the old approach to horizon scanning involved signing up for everything and setting up multiple RSS feeds to monitor regulatory updates. Firms should instead leverage RegTech solutions to receive and organize this information. It’s important to consider a software partner that has integrations with regulatory content providers. Overlaying software on these feeds will enable users to pre-filter content by searching by particular jurisdictions or by areas of risk.
- Workflow/obligation mapping: even if you can effectively gather and filter information, it can be extremely difficult to fully understand what it means in practice. Having workflow software that maps certain regulations to your organization is the first step. Solutions such as SAI360 sit within a fully integrated GRC suite, enabling users to assign ownership to different areas of risk. This is a key piece of functionality, as regulatory obligations might map to operational risk teams or to financial controls.
Such technologies are advancing rapidly. Cowland suggested that we are likely to see the wider application of AI and Natural Language Processing (NLP), so that solutions can start to auto-assign certain pieces of regulation to risk functions within your organization without the need for human input.
Compliance teams often struggle to think proactively about technology. Awareness is a key challenge for industry participants and it’s important that we work as an industry to help people to understand that technology is available and it’s capable of automating a great deal of the processes and challenges we’ve spoken about in this blog.