Overview: To offer Financial Services Company Directors and risk managers some insights into identifying and managing regulatory risks. This article will identify several categories of regulatory risks, offer suggestions for assessing the company’s risk profile for each, and recommend techniques for managing and ameliorating the risks identified.

Since 2008, regulators, policy makers and the financial institutions themselves have been assiduously adapting their prior policies and practices to the “new normal” regulatory environment of tighter, more proscriptive rules, less flexible regulatory policies and practices, stressful economic circumstances and vulnerable balance sheets left in the wake of the recent worldwide financial crisis. These institutional-level remedial actions have been precipitated both by a belief that prior standards of practice failed the institutions in adequately assessing the risks in their business portfolios and by demands from Boards of Directors and Regulatory Authorities alike to provide some assurance that a best-in-class risk management system is in place at financial institutions.

Critical to any effective risk management system in a financial services environment must be an institutionalized mechanism to: a) identify regulatory-oriented risks, b) assess those risks and their potential impact on the business of the company and, c) manage or ameliorate these risks by implementing processes or fomenting actions designed to remove or dramatically alter the projected potential impact of these risks. This article offers some insights into several of the critical regulatory risk areas facing financial institutions and makes some recommendations for Directors and risk managers of those institutions to consider implementing in order to achieve best-in-class risk management programs.

Several areas of regulatory-oriented risk facing financial institutions are compliance risks, governance/internal control risks, and policy/reputation risks. Addressing each of these areas requires an in-depth understanding of the business of the Company and an ever-deepening grasp of the evolving regulatory environment and requirements facing the Company. Typically, this means a team-oriented approach, with Board oversight, of risk professionals teamed with key business operations and regulatory compliance and/or legal personnel.

Taking a brief look at each of these three areas:

Regulatory Compliance Risks.

Perhaps, for the reader, the most obvious of the three categories, this focuses on understanding the precise and ever-changing regulatory requirements facing the day-to-day operations of the financial services Company. To properly handle this task, the company has to have personnel deeply familiar with the business’s applicable regulatory burden who constantly monitor developments in the regulatory requirements for their applicability to the operations of the business. To make this work, a mechanism for passing along upcoming regulatory changes and working as a ‘team’ with the operations and risk professionals to assess the possible impact of these changes – while they are still in the proposal stage and not yet effective – is critical. This bespeaks a careful and effective monitoring effort which entails frequent interaction with the leading regulators to establish lines of communication, a basis for trust and, hopefully, an early warning system of policy shifts which will then inexorably lead to regulatory changes. Often, the regulatory winds start to blow in a new direction without the formality of written regulations or policy guidance, and manifest themselves in the ongoing interactions and requests the regulators make of the institution’s management as part of day-to-day monitoring. It’s worthy of note that these days the regulators are a good deal less willing to be expansive or creative in their views of new, ‘questionable’ practices than they might have been before the crisis. Often it’s not just how a particular practice affects the specific financial institution but also the regulator’s experience with that practice at other institutions that informs the regulators’ judgment about the practice. Financial institutions will never know this unless they are on “top of the monitoring game”.
Also, it almost goes without saying – but we’d be derelict if we did not say it – that this Compliance Team has to be involved with the assessment of regulatory complaints about the business’s compliance, i.e., regulatory enforcement actions, complaints or other challenges to business practices as non-compliant with regulatory requirements. The Compliance Team may not be part of the actual defense effort, but it should analyze how these “enforcement” challenges are likely to alter business practices.

Team dialogue, collaboration and direct communication to senior management – legal and operational – are necessary to make this effort an effective part of risk management. Our experience would suggest that, with the plethora of new legislatively mandated regulations coming like waves on the shore but with less regular timing than the tide, a formal process of identification and assessment (indeed, triage) of those regulations and the timely development of impact statements to alert management is needed. As we will describe in more detail later, a periodic audit of the performance of this function is needed to better assure that the changes necessary to improve the timeliness and effectiveness of the effort are made. This has an internal control aspect to it as well – after all, if you are unaware of what to do, or that something new from the regulators has impacted your business, or you fail to recognize a practice that has resulted in regulatory ire, you can hardly claim effective internal controls over that risk. As part of this effort the institution should establish lines of reporting to confirm the smooth flow of information, but those lines need to run two ways – up (from the Team to management) with information and down (from management to the responsible parties) with instructions and empowerment. Throughout, Board oversight is expected and essential.

To sum this point up, effective compliance risk management requires: a dedicated team of regulatory, business operations and risk specialists; a formal yet adaptive process that guides the monitoring, identification and analysis of the changing regulatory environment; the timely production of impact statements which offer some approaches to achieving a compatible resolution; two-way communication between the risk team and senior management; and a periodic audit of how this function is performing.

Governance/Internal Control Risks for Financial Institutions.

This area of emphasis concentrates on the identification and assessment of changes in requirements for management and board functioning. This first stems from the requirements of the organization’s governing documents – requirements for meetings, roles and responsibilities, as well as qualifications for service in management or on the Board and the like – but also flows directly from the legal and regulatory requirements impacting the organization, as well as the public and regulatory reporting and exercise of authority by management and Board. For readers from companies with public shareholders, awareness of the burgeoning landscape of regulations and formal requirements began anew in the “post-Enron” era of Sarbanes-Oxley compliance. Post-SOX, and as a direct result of the current financial crisis, we see even more attention being given to the roles of the Board and Management and their responsibilities to their shareholders and depositors/customers, the public at large and the regulators overseeing their institution. While this aspect clearly involves the more mechanical functions, it encompasses policy as well, and an effective system must be in place as an early alert and to facilitate a quick response to significant developments which reflect a failure in one aspect of the business or another and which promise to instigate serious regulatory or public scrutiny and criticism.

Critical to these roles are: the information flow – formal and informal – within the organization, the internal control processes set up to assure timely identification and remediation of issues, and the periodic reporting – again formal and informal – required by the applicable laws and regulations. Similarly critical are the ongoing assessment of the qualifications, performance and compensation of management and Board, their respective attention to the rules applicable to their roles – particularly as directors and board committee members – and their oversight of the Company’s processes for filing regulatory reports on time and without error. Supervision of auditors, relations with internal audit staff and reliance on the advice of professional advisors feed into this picture as well.

Our experience again suggests that a team approach is warranted, if not downright necessary! The team might well be composed of internal legal, Office of the Secretary, public/shareholder relations personnel, internal audit and financial executives, with the involvement of each shifting with the nature of the subject matter at hand. A constant throughout is Board oversight and involvement. Moreover, a formal – yet flexible – process for defining the roles of each constituency, identifying and analyzing any issues that emerge, and communicating their impact to the appropriate manager or board is needed and should be memorialized in policy documents. The efficacy of these policies should be assessed periodically by internal audit and compliance/legal staff and others as needed, to afford an opportunity to refine and improve their functioning. Here, failure of the required processes can be dire, as failure to file regulatory reports, to properly disclose an event, to document an important decision or to correct a glaring defect in some aspect of the governance process can bring with it liability and public opprobrium. The reader is, we are sure, observing that such a problem will have public reputational and policy implications.

By way of closing this segment, I note that the team of qualified collaborators, combined with a formal process, will provide an environment for timely and effective management of the identified risks, provided those risks are communicated to the right people and those people authorize corrective and decisive action in a thoughtful and timely manner.

Public Policy/Reputation Risks for Financial Institutions.

These days, Senior Management and Boards of Directors of financial institutions have become increasingly aware of the risk of public policy shifts which can leave the institution ‘hanging out’ like a sore thumb on the wrong side of an issue the institution thought was well settled. The current economic crisis and the regulators’ (and Congress’s) response to the perceived causes give eloquent examples of abrupt shifts dislocating ongoing business practices and fomenting public ire over a financial institution’s mode of business. I think of ‘a customer’s ability to pay’ in the credit card world, mortgage disclosure and pricing practices – and now foreclosure practices – and credit risk practices in securitizations or derivatives trading, as ready examples of how fast and sharp a policy turn can occur. Somewhat with the benefit of hindsight, the policy makers view a practice from the perspective of its aftermath and posit that practices that led to an undesirable result should never have occurred in the first place, despite the universality of, and regulatory sanction for, those practices and the intervention of serious and adverse economic events distorting the outcomes.

Irrespective of the cause, the economic crisis points toward a new paradigm in which financial institutions are embroiled in public disputes, criticism and even litigation – official and private – challenging long-held business practices. The woes the institutions’ customers have suffered in the crisis are often viewed as manifest proof of the ‘bad behavior’ of the institutions. This requires deft and decisive handling by the institution facing these challenges. A team of legal, operational, compliance and public relations (often shareholder relations as well) personnel, with liaison to senior management and the Board, is essential to respond to and manage the public image and reputational aspects of this situation. Reputation risk is a central theme of regulatory focus. How the institution manages such risks – which directly impact business and revenues – is a line of inquiry in which regulators have a great deal of interest. Taken to its extreme, poor relations with the customer base can, and often does, lead to runs on the bank, lawsuits, regulatory enforcement, and more and more stress on the balance sheets of already stressed banks. Recent pointed examples of this syndrome include major breaches of consumer account data security and the marked differences in how each institution chooses to respond.

So, to repeat the mantra stated above: early detection of issues, trends, compliance foibles, operational miscues and the like, followed by concrete actions to address the causes and effects of the problem and to ‘control’ the public impression of both the problem and the institution’s response, are essential. This can take as granular an approach as the collaborative generation of press statements about the institution and its problems. Communication, coordination of the team, decisive action and follow-up (all periodically ‘audited’ to see how well the institution is doing) will save the day.

Throughout all the above discussion, the possibility that a given institution needs to outsource some of these responsibilities, in whole or in part, by engaging outside experts is both usual and expected. But policies, set by the Board and Senior Management and reviewed periodically to adjust as needed to changing circumstances, have to be in place so that outside expert input can be fitted into the whole fabric of compliance and risk management. Our experience is that no one size fits all and that personalization of the risk management process to fit the specific institution is critical. Of course, the regulators do have checklists of what they look for, what works for them and what they might expect to see. So, major departures from those norms will have to be explained and justified as part of the regulatory examination process, in the first instance, and as part of the crisis review, in the immediate aftermath of a problem.

We conclude that this is a manageable ‘problem’ so long as it is taken seriously, the Board is comfortable that management has the process well in hand, and all hands are provided the appropriate training and support to achieve the desired result.