Navigating Compliance in Turbulent Times
The governance, risk management, and compliance (GRC) capabilities lenders have in place today face new challenges from turbulence in the economy and the industry. Let’s look at some of the issues confronting lenders and detail how to tackle them as they mature their organization’s ability to build a stronger compliance, risk and governance roadmap for 2023 and beyond.
Clear policies and standardization are critical to compliance, but it takes more to be audit-ready. Informed enables you to be audit-ready with no extra work. In addition to providing real-time, no-touch loan processing capabilities, Informed’s AI software enables lenders to comply with regulatory requirements and be audit-ready. All of our policies are clear and standardized. We provide definitions for all of our logic. And we guide you through model governance compliance for internal audits and provide expert advice and sample documentation, if necessary. Our lenders have been very successful in leveraging our data during CFPB and compliance exams.
The Fed and The CFPB
Model documentation includes a qualitative assessment of the potential for disparate impact risk in the model. Our third-party auditor performs quarterly, quantitative disparate impact assessments. The analyses are based on race, ethnicity, gender, and age (62+). As Informed doesn’t collect race and ethnicity data, our third-party auditor employs the Consumer Financial Protection Bureau’s (CFPB) BISG proxy method for race, ethnicity, and gender using 2020 census data. Race and ethnicity proxy methods rely on borrowers’ last names and addresses. Gender proxy methods rely on borrowers’ first names. Our third-party assessor performs the disparate impact analysis on an ongoing basis as part of our k-fold cross-validation work.
Collecting and analyzing accurate, high-quality data is hard. And it is challenging to extract and verify the data; even when you do, it may not always provide meaningful insights. Informed simplifies this process by making data collection, extraction, and verification seamless and by conducting analysis to provide actionable insights and decisions. You unlock the power of data and make informed decisions based on accurate, reliable information.
We’ve known for a while that FICO only provides part of the story. And what about those borrowers with a “thin file”? Accurate data is even more critical in the highly competitive environment we’re currently experiencing. Accurately calculated income, combined with our contributory database insights and fraud indicators, better positions our lenders to determine a borrower’s likelihood of repaying a loan without increasing risk. Further, we take minimum business requirements, explain the risk, and the business selects requirements based on its risk appetite.
To manage compliance risk, lenders typically leverage internal controls and processes supplemented with compliance software and tools. Equally important, practices and controls targeting or identifying common regulatory changes can be leveraged to limit exposure before audits.
Understanding the Impact of Regulatory Non-Compliance
Non-compliance with audit standards and requirements is detrimental to an organization. For standards such as PCI, non-compliance can result in financial penalties or in an organization being unable to process credit card payments. The CCPA assesses civil penalties of up to $7,500 for each intentional violation. Additionally, some standards require public disclosure of violations and incidents. Such disclosures result in reputational harm and public impact.
While it is difficult to quantify the impact of non-compliance accurately, it is clear that it has far-reaching effects beyond monetary damages. Reputational risk is a significant concern for companies, as a negative reputation leads to lost customers, decreased revenue, and overall harm to the company’s standing in the marketplace.
In addition to potential penalties and fines, a company found to be non-compliant or not following accepted practices may face civil or criminal litigation. In such cases, a company knowingly failing to comply with regulations and standards may be subject to punitive damages and significant fines. To avoid these negative outcomes, companies must take proactive steps to ensure compliance and manage risks effectively.
Documents such as internal audit scorecards, communications, and assessments are legally discoverable in these matters. They can be used to demonstrate an organization’s negligence or prior awareness of potential issues. Informed has retained a leading global consulting firm that offers economic, financial, and strategic expertise to major law firms, corporations, accounting firms, and governments worldwide to provide attorney-client privileged assessments to mitigate our partners’ risks and become more compliant.
Be Proactive in Protecting Yourself
To protect yourself from audit, regulatory, and reputational risks, you can implement various strategies. A combination of controls and monitoring, software-driven analysis, and awareness of penalties and their impact help organizations manage and reduce risk. By taking proactive steps to ensure compliance and address potential risks, companies can protect themselves and their employees from negative consequences.
- Strict controls and monitoring: Enhanced visibility through operational security practices, spot checks of manual and automated processes, and enhanced authentication controls can reduce or eliminate residual risk.
- Software-driven analysis of multiple standards: Many software applications take the hard work out of compliance, providing an intuitive, cost-effective interface capable of managing multiple requirements.
- Crosswalks: Identifying the commonality between standards enables a company to improve audit outcomes.
- Awareness of penalties and impact: Non-compliance and disregard of requirements can severely impact organizations and their officers and employees. Public awareness of breaches and other incidents usually results in increased oversight and accountability.
Governance Trends to Watch
Throughout 2022, we’ve seen mounting pressure on risk, legal, and compliance teams to improve coordination with line-of-business and other teams in the operations function. The three lines of defense – front-line business activities, risk and compliance, and internal audit – remain a strong governance model. However, the recent siloing of functions limits the ability of controls to be fully integrated throughout the organization.
Risk reduction results from IT and the business taking appropriate actions. Analysis is not action. Compliance capabilities must shift from reporting to achieving outcomes. This is critical as organizational risk will likely be re-scoped in 2023 to include the broader partner channels and third-party vendors, increasing demand for this capability. Organizations should increase integration and collaborate to reduce risk in measurable and cost-effective ways. To improve overall risk management, teams must emphasize risk reduction outcomes over risk reporting, for example, by prioritizing the time to remediate risk over assessment frequency.
Compliance requirements continue to evolve. Privacy regulations such as the California Consumer Privacy Act (CCPA) and industry-specific regulations such as the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (2018) are raising the bar. We see indications this pace will continue and accelerate. And the systemic risks identified in 2022 will likely result in increased oversight and obligations.
So, in 2023, legal and compliance teams should:
- Prepare to scale up to meet compliance requirements and obligations.
- Increase the use of automation and orchestration to enforce the policy.
- Start shifting from reporting to demonstrable risk reduction.
Legal and compliance teams often excel at auditing, identifying, and reporting on risk. If this is not the case, focus on these areas first. Then continue working towards the shift from analysis to action by collaboratively reducing risk with other teams. To do this:
- Bring legal and compliance objectives and key results (OKRs) into alignment with the business.
- Integrate legal and compliance services, such as classification and service management.
- Develop a business case process for risk reduction – by addressing concerns over increasing costs or reduced performance, for example.
- Improve program metrics and executive reporting.
As an industry, we have the opportunity to transform the lives of millions of people. Informed has the power to drive industry collaboration and financial wellness for all. To learn how Informed can help you unlock your data and help meet your compliance challenges, contact us or request a demo.
With more than 15 years’ experience in the financial services industry, including tenures at Santander Consumer USA and Visa, Jessica Gonzalez is now the Director of Lending Strategies at Informed.IQ.