Promoting Effective Change Management
Changes to federal consumer protection laws and regulations have occurred at a rapid pace since the financial crisis. They have ranged from minor and technical changes, such as updating the inflation adjustment for the higher-priced mortgage loan appraisal exemption,1 to major and substantive ones, such as the TILA-RESPA Integrated Disclosure (TRID) requirements.2 Ensuring that regulations keep pace with industry changes helps promote a fair and transparent financial services marketplace.
In addition, a financial institution may periodically introduce new products or services, which may subject it to new regulatory requirements that were previously inapplicable. Depending on the nature of the changes, a financial institution might choose to engage a new third-party vendor as well. For financial institutions, changes from external and internal sources are inevitable, and creating a change-resilient compliance management program is critical to success.
The importance of change management is reflected in the updated Uniform Interagency Consumer Compliance Rating System (rating system) issued in November 2016, which specifically incorporates an evaluation of an institution’s change management process into the consumer compliance rating.3 The updated rating system recognizes the importance of an institution’s consumer compliance management program and the role it plays in helping financial institutions maintain their commitment to consumer protection.
Creating a change management process can help institutions identify and appropriately respond to changes to consumer protection laws and regulations and help them effectively implement changes to products and services. It is therefore important that the board of directors and senior management have an effective, efficient, and repeatable process for managing change. This article provides a high-level overview of some of the tools financial institutions can use for managing these changes, recognizing that an effective change management system should be appropriate for an institution’s size, risk profile, and the complexity of its products and services. Thus, a small community bank with less complex products may be able to successfully manage consumer compliance with a very streamlined process.
Why It Is Important to Manage Change
Inadequate processes to recognize and manage compliance risks resulting from changing regulations or business strategies can expose a financial institution to a range of potential consequences, including violations of laws and regulations, negative supervisory ratings and sanctions, monetary costs, and reputational risk.
Types of Changes That Can Raise Consumer Compliance Risks
Changes requiring a substantive response from bank management can occur both internally and externally. Some changes are within management’s control, such as introducing a new product, while others are not, such as Congress enacting a new law. Further, some changes may have a domino effect. For example, consumer demands or competitive factors may result in a financial institution offering new products or services.4 The following discussion identifies some of the significant areas in which managing change is important.
Legal Changes
New laws and regulations can affect the compliance requirements for a financial institution’s products and services and the daily duties of its staff. These changes can vary from small, technical updates to larger, more complex changes. Regulatory changes can come from Congress, which can enact new consumer protection laws or amend existing ones, and from federal agencies directed by Congress to enact implementing regulations for these laws. Agencies can also issue supervisory guidance to clarify supervisory expectations and approaches with respect to those laws. For example, the Federal Reserve Board issued guidance in late 2018 to help clarify the key fields that examiners will consider in determining the accuracy of Home Mortgage Disclosure Act (HMDA) data under amendments to Regulation C.
Products and Services Changes
Evaluating and updating product offerings and business strategies is critical to a financial institution’s success. Financial institutions want to be responsive to evolving consumer needs and expectations and be positioned to enter new markets and product areas to further their strategic plans. An agile and robust consumer compliance management program can help ensure the smooth launching and execution of new business strategies, including the effective management of consumer compliance risks associated with these strategies.
Technology Changes
Finally, it is important to highlight the significance of managing information technology changes at financial institutions, such as system conversions or leveraging fintech developments. These changes may also involve new third-party relationships.5 Technology enhancements and innovations are common and important for the current business models of most community financial institutions. Because most financial institution operations and internal controls are based on automated systems, appropriate management of technology updates and changes can help keep the institution running smoothly and complying with laws and regulations. It is important to work with vendors to effectively implement changes. Although a financial institution may hire a reliable vendor, the institution remains responsible for ensuring that the output from vendor-provided systems and services meets regulatory requirements.
Elements of an Effective Change Management Process
Change management is one of the assessment factors under the Federal Financial Institutions Examination Council (FFIEC)’s Consumer Compliance Rating System. This factor notes that effective change management processes involve a timely and adequate management response to changes in applicable laws and regulations, market conditions, and products and services offered, by evaluating the change and implementing responses across impacted lines of business. The factor includes evaluating product and service changes both before and after implementing the changes.
The Federal Reserve’s Community Bank Risk-Focused Consumer Compliance Supervision Program also underscores the importance of the change management process. The program notes that, “Change management should be a structured and disciplined process that is repeatable since change can always be expected.”6
Common elements of an effective change management process are highlighted here. It is important to note that the formality of the process is scalable, and how financial institutions execute the process may vary depending on the size, structure, and complexity of the institution, including the resources allocated by the board and senior management and the magnitude and urgency in making the change. While every financial institution is expected to have an effective process for ensuring a timely and adequate response to change affecting the financial institution’s compliance with consumer laws and regulations, the nature of an effective program will vary.
Identify Changes
The first component of an effective change management system is the ability of the board and senior management to monitor changes and the associated risks to the institution.7 Financial institution personnel, such as the compliance officer and staff and other parties (vendors possessing the necessary subject matter expertise), can assist the board and senior management with (1) identifying statutory/regulatory changes that affect the financial institution’s operations and (2) determining how changes to the institution’s products and services would impact the financial institution’s consumer compliance obligations.
How an institution monitors legal and regulatory change can vary by institution depending on the size and complexity of the organization, the products and services offered, and the available resources. For example, some institutions may engage vendors or use industry tools such as regulatory calendars to keep track of upcoming rule changes, while other institutions may have more robust internal monitoring systems that may be cross-functional, involving business lines, compliance, and legal departments.
When a statutory or regulatory change occurs, the board of directors should help ensure the financial institution complies with the change. Here are some questions that may be helpful for the board and senior management to consider.
What — What is this regulation/guidance? What is the change and the purpose of the change?
Impact — What is the impact on our institution? What products does it affect, if any? Do we require system upgrades? What is the relative level of difficulty associated with this new/changed regulation? What will be needed to update systems and train staff?
Cost — What is the estimated cost to implement the change, including training and changes to systems and forms?
Plan — What is management’s plan for implementing and monitoring compliance?
The repeatable change management process outlined in this article may help compliance management staff respond to these questions.
Sometimes change originates from within the organization. In its First Quarter 2013 issue, Community Banking Connections published the article “Considerations When Introducing a New Product or Service at a Community Bank,” which discussed the important role of management and the board of directors in successfully managing compliance risks when deciding to launch new products or initiatives. In particular, management and the board should consider if a proposed product change aligns with the financial institution’s strategic direction. The financial institution’s capacity to make the change should also be evaluated, including the costs to implement the change, and whether the financial institution has the necessary expertise or will instead need to engage third parties. Importantly, a financial institution should consider the costs and benefits to both the financial institution and its customers. Successful management teams ensure that new products do not benefit the financial institution at the expense of its customers. Both business line and compliance experts should be engaged as these strategic factors are explored. Considering these strategic factors may help ensure a successful implementation.
Establish Responsible Parties
Managing change effectively is a team sport. Depending on the individual financial institution, this could involve management and staff from all affected functions — potentially including compliance, accounting, risk, internal audit, and business line management — to review and recommend a proposal for managing change for senior management and/or board approval that clearly articulates expected results.8 Often an individual or small group will be assigned the lead for managing the change, the particular governance structure often dictated by the nature of the change. Regardless, successful development of a management plan is typically a collaborative effort that includes all functions that have a role in implementing the change.
Create Action Items
The responsible parties could consider creating a road map and timeline for the steps that need to be executed to ensure that the change is implemented effectively. Some actions will need to be sequenced while others may be performed contemporaneously.
Action items could include:
- researching the change (beyond any strategic factors already considered),
- evaluating its impact on specific processes (including software and vendors),
- creating new tools for staff (such as checklists or tip sheets),
- updating policies and procedures as needed, and developing training for staff.
Testing the implemented change, which could include dummy transactions or in-house test subjects, would most effectively occur before the change goes live. This step is particularly important when a change involves technology, to ensure that functionality and disclosures correctly capture the institution’s practices and related regulatory requirements. As action items are created, noting and documenting the party responsible for each item will help avoid gaps. Senior management and the board may want to approve a budget as necessary for implementing the change, including the specific resources needed.
Track Due Dates and Report to Management
Creating and tracking due dates can help promote accountability for staff. Depending upon the magnitude of the change, appropriate approval and signoff may be associated with specific steps and documented as part of the tracking process.
Further, when changes are significant, tracking progress forms the basis for reporting to senior management and the board of directors. Such reporting reinforces accountability and allows management and the board to remain engaged in the process.
Evaluate the Effectiveness of Changes Post-Implementation
The change management process does not end when the change is implemented, because management also needs to ensure the changes were effectively implemented — for example, using internal and external audits or more targeted reviews. The particular approach may vary depending on the particular change but would typically involve timely testing by compliance or audit, or a combination of both. It may also include corrective action by the business lines if the compliance or audit review identifies weaknesses in the implementation process.
Change Management Example
Here is an example of a scenario in which an effective change management process can help the institution manage its risks. The example is illustrative and not intended to exhaust all of the factors or steps to consider in the change management process.
Example: On June 23, 2018, the permanent extension of the Protecting Tenants at Foreclosure Act (PTFA) became effective (the law had expired at the end of 2014).9 The PTFA protects renters whose homes are in foreclosure by allowing them to remain in their homes for the greater of 90 days or the term of their lease. In this scenario, an effective change management process might:
- Identify the Change: The compliance officer would have a month to identify the change through the financial institution’s established risk monitoring processes and implement it because the law was signed by the President on May 24, 2018, one month before its effective date.
- Establish Responsible Parties: Responsible parties could include the compliance officer and business line representation, such as a residential real estate lender or manager. It could also include input by the staff responsible for sending out foreclosure notices.
- Create Action Items: Potential action items include reading the PFTA and understanding its requirements, as well as evaluating how this change would affect the financial institution’s policies and procedures, software, vendors, and internal controls. The financial institution may also want to develop training for financial institution staff and document and obtain approvals for any costs associated with implementing these actions.
- Track Due Dates and Report to Management: In this case, since the implementation date was 30 days after signing, the compliance officer would want to ensure the institution completes research, implementation, and testing prior to June 23, 2018. The compliance officer may want to provide senior management and the board with status updates on the implementation process and whether testing shows that implementation efforts have been successful.
- Evaluate the Effectiveness of Changes Post- Implementation: The financial institution can evaluate the effectiveness of its changes within a reasonable period of time after implementation, with the specific timing dependent on the significance of the change. In this case, the compliance function could incorporate testing of the change once a sufficient volume of transactions allows for such testing. Audit may consider incorporating testing for the change into its audit schedule or reviewing the adequacy of compliance testing.
Conclusion
Consumer banking is a dynamic industry, subject to both external and internal changes, which have occurred more frequently following the financial crisis and advances in technology to deliver financial products and services. To help manage the risks of these changes, financial institution management should recognize the potential benefits of a change management process. We have observed that financial institutions with successful change management programs employ a repeatable process to ensure changes are implemented consistently and appropriately. The complexity of the change management process should be scalable to the size of the institution and commensurate with the risks of its products and services. Any specific issues or questions should be discussed with your primary regulator.
ENDNOTES
1 “Appraisals for Higher-Priced Mortgage Loans Exemption Threshold,” 83 Fed. Reg. 59272 (November 23, 2018).
2 “Integrated Mortgage Disclosures under the Real Estate Settlement Procedures Act (Regulation X) and the Truth in Lending Act (Regulation Z),” 78 Fed. Reg. 80225 (December 31, 2013).
3 “Uniform Interagency Consumer Compliance Rating System,” 81 Fed. Reg. 79473, 79481 (November 14, 2016).
4 See Community Bank Risk-Focused Consumer Compliance Supervision Program (RFS), p. 19.
5 See Carol Evans, “Keeping Fintech Fair: Thinking About Fair Lending and UDAP Risks,” Consumer Compliance Outlook (Second Issue 2017); Teresa Curran, “Fintech: Balancing the Promise and Risks of Innovation,” Consumer Compliance Outlook (Third Issue 2016).
6 See RFS, p. 23.
7 See “Uniform Interagency Consumer Compliance Rating System,” 81 Fed. Reg. at 79473.
8 See RFS, p. 23.
9 See Federal Reserve Board CA Letter 18-4, “Restoration of the Protecting Tenants at Foreclosure Act” (June 22, 2018).