October 02, 2003

Every Regulatory Cloud Has a Silicon Lining

Today's successful Chief Compliance Officer not only understands the law, but also knows how to apply technology to meet the challenges of regulatory compliance.

To keep up with the regulatory environment, compliance officers need all the help that they can get. To begin with, they have to adapt to wide-ranging legislative initiatives such as the USA PATRIOT Act and the Sarbanes-Oxley Act. But if national regulations weren't enough, there's also the trickle of strict state-by-state initiatives, such as California SB 1386, which requires notifying customers upon a breach of security involving their personal data.

And it's not just the volume of regulations, but the scope of responsibility, as well. And there's no guidebook for CCOs on how to manage such a concentration of compliance responsibility.

In some respects, technology created the problem: For example, without low-cost, enterprise-quality databases, it would be harder to steal or misuse customer information, and it would be next-to-impossible to monitor transaction patterns for terrorist activity.

That's why it's important for compliance officers both to understand the impact of applicable regulations and to gain a grasp of the technology underlying the trends shaping the financial world.

Fortunately, technology can also solve the problems it creates. But in order to do so, technology providers and IT departments have to work together with their compliance departments to build solutions that comply with existing regulations while remaining adaptable to what may come. By doing so, IT can become the compliance department's blessing, rather than its bane.

This special section on compliance, from the editors of Bank Systems & Technology, focuses on the regulatory trends faced by banks and the technology that many use to remain ahead of the curve.

Compliant, Not Complacent

Agnes Bundy Scanlan, Esq., managing director and chief compliance officer at FleetBoston Financial since September 2002, is responsible for making sure that each line of business throughout the entire corporation complies with national, state and local laws.

As a former Congressional staffer who joined the bank in 1994, Bundy Scanlan brings first-hand knowledge of Capitol Hill to the position. That's useful experience in today's regulatory environment, with Congress quick to pass legislation designed to solve deep-seated problems such as terrorism and corporate malfeasance. "With Sarbanes-Oxley and the other issues that have occurred in the last year, the scrutiny on compliance and risk issues has never been higher," she says.

On top of having to cope with wide-ranging initiatives such as the USA PATRIOT Act and the Sarbanes-Oxley Act, compliance officers at diversified financial institutions also have to grapple with what it means to run a financial holding company as defined in the Gramm-Leach-Bliley Act. So far, there's no established guidebook for such a concentration of responsibility.

Indeed, the topic has become a key issue for the American Bar Association, which recently formed a compliance management committee chaired by Robin Warren, compliance executive at Bank of America, and vice-chaired by Bundy Scanlan. "People are really thinking about compliance and risk management more than ever," she says. "It's trying to keep on top of all the issues, and even more than that - trying to be proactive and not just reactive."

Compliance officers have to know the impact of the applicable laws and regulations. Plus, they should understand how information technology continues to shape legislation and regulation. Indeed, regulators have been increasingly sophisticated in their response to new financial services, customer channels and oversight requirements. For compliance officers at financial institutions of all sizes, this shift calls for greater vigilance in monitoring technology trends and their potential impact on the legal, regulatory and operating environment. Technology has an ever-present impact on compliance management, in that it has the promise to solve as many problems as it creates.

That's why Bundy Scanlan's prior three-year stint as chief privacy officer for FleetBoston was a helpful one. Privacy regulations, for the most part, are strongly rooted in information technology. "The whole reason why we have privacy laws is because of the information that's shared on the Web, and the flow of that information," she says.

Bundy Scanlan describes FleetBoston's privacy policy as "very conservative," in that it does not allow third parties to use customer information for marketing purposes without a customer's specific consent. "We do share information - all financial institutions do it - within the family," she says. "But we don't share it with third parties, and that's conservative."

PRIVACY BANKER

There are exceptions. "Within our policy it does state that we would provide information to the government upon subpoena or according to law," she says. "You have to balance the protection of customers' information along with the request of the government to require information to ensure that we don't have another 9/11."

Privacy issues continue to crop up in state and national legislation. For instance, if Congress allows the Fair Credit Reporting Act to "sunset" at the end of the year, each state would be free to craft its own privacy regulations. For FleetBoston, with 20 million customers - including credit card customers and Quick & Reilly users - that would have a substantial impact. "In a state like California, we have three million account holders and we don't have any branches there," Bundy Scanlan says.

The bank has already responded to another privacy-related initiative from the Golden State, California SB 1386, which requires disclosure of security breaches to affected customers. "We've done a great job of communicating with our lines of business, prior to July 1, about this legislation," she says. "We have a plan in place if indeed one occurs."

That's just one example of how the compliance organization serves the bank. Beyond a basic compliance plan, each line of business requires a dedicated person with whom the compliance organization can confer on a daily basis about compliance strategies and approaches. "Now, do they have self-monitoring in place? Do they have record-keeping? Are they taking all the steps they can to adhere to new regulations?" asks Bundy Scanlan.

Having deep insight into each of the 36 business lines within Fleet pays off each quarter, when the compliance department presents its compliance assessment to the audit committee of the board of directors. Each business line is rated as either "green" (fabulous job), "yellow" (needs improvement), or "red" (not in compliance). "In order to put together such an assessment...you have to have strong relationships with the lines of business," says Bundy Scanlan. "Constant communications - that's the most important thing right now."

The compliance department also participates in a vendor management steering committee. First, each of tens of thousands of vendors has been classified as high-risk or low-risk. Those risk ratings are stored in a database, along with factors including contract status, safety and soundness risk, and privacy risk. For the high-risk vendors, further questions are asked about how they protect customer information, information security practices, management involvement, decision-making process and disaster-recovery procedures. "We have delved into our third-party vendors more than ever," reports Bundy Scanlan.

SHARING THE BURDEN

Of course, hers is not a one-woman show. Within the compliance organization, there are four directors reporting to Bundy Scanlan, each with responsibility over a specific area:

  • Day-to-day regulations and examinations. Compiles a weekly communication summarizing new regulations that might impact the organization. "On any given date, I can assure you that somewhere at Fleet, we're being examined-by the OCC, the Fed, the OTS, or some other regulatory agency," says Bundy Scanlan.
  • Core banking issues. Each line of business and regulation is assigned to a subject matter expert. "We take every single banking regulation and assign a person, in some part of corporate compliance, to have responsibility for that regulation," says Bundy Scanlan.
  • Capital markets and securities regulations. "Even though the Quick & Reilly team does have a couple of compliance people in it, we still, from a corporate perspective, have responsibility for these lines of businesses," says Bundy Scanlan.
  • Financial intelligence unit (FIU). Responsible for OFAC, Bank Secrecy Act, anti-money laundering, and investigations. "That's probably the area that most uses technology within our compliance organization," says Bundy Scanlan.

The FIU's investigators use whatever information sources they can to protect the bank. "They, at any given time, can immediately find out whether there was nefarious activity through a Fleet bank account by an alleged or suspected terrorist," says Bundy Scanlan.

For example, immediately after the suspects were named in the October 2002 sniper attacks in Washington D.C., the FIU jumped into action. "I didn't have to call anyone from this team to see whether or not there were money transactions through Fleet - they had already checked," she says.

And that's what it takes to run the compliance organization at a major financial institution.

---

A Tech Checklist for the Compliance Office

Steven M. Roberts, national product leader, regulatory & compliance services, in the Washington, D.C. office of KPMG LLP (Montvale, N.J.) highlights the regs having the greatest tech impact on banks.

  • Anti-Money Laundering. The new technology pushes existing systems to their limits. "Databases weren't constructed for the type of activities that this software needs to do," he says. "You have to bring together lots of data from lots of different places."
  • Predatory Lending. For those that lend in the sub-prime market, "there are software programs that are designed to look at transactions, and to make sure that transactions at least are in compliance with internal rules," based on what the regs are, he says.
  • Privacy. Many banks missed an opportunity when GLBA first passed, by not designing flexible databases that can adapt to the potential permutations of opt-in/opt-out under malleable privacy regs. Don't make that mistake twice. "Compliance ought to be involved in the design of every new product within an organization."
  • Identity Theft. In line with the California SB 1386 security breach law, along with the Fair and Accurate Credit Transactions Act (FACT Act) draft legislation now in committee, banks should work on developing a fraud alert system "to get in touch with individuals quickly, so that they can do something to protect themselves when their information is threatened," he says.
  • Basel II. Compliance takes a back seat on Basel II, which will "fall squarely on the shoulders of the risk management apparatus. People need to be aware of it...but it's mostly an exercise in creating and modifying existing risk management procedures."
  • Compliance Management. How about a dashboard that measures compliance risks across a bank? "For those organizations that want to hold themselves out as having top-flight corporate governance, they're going to have to start making that investment," says Roberts. "Now's a very good time for corporate CCOs to begin asking for that type of information."

Prior Warnings

Most community banks have fewer employees in total than the compliance department alone at a large commercial bank. Nevertheless, both organizations are subject to the same regulations.

The compliance burden at Prior Lake State Bank (Prior Lake, Minn.; $125 million in assets, 40 employees) falls upon Jolene Johnson, chief technology and compliance officer. That's why Johnson relies upon outside help.

Along with participating in industry trade groups, such as the Independent Community Bankers Association (ICBA) and the Minnesota Bankers Association, Johnson relies upon Bankers Systems for regular compliance updates and for documentation management software in both lending and deposits.

Although Johnson can't ask the company's 100-member staff for legal advice, Bankers Systems provides compliance insights for virtually every regulation that touches a financial institution. "Our organization somewhat mirrors that of a large financial institution," according to Peggy Wilson, director of corporate communications, Bankers Systems (St. Cloud, Minn.). "They tend to have large legal departments and compliance staffs, and so do we."

Following the lead of the diversified financial institutions, Bankers Systems' parent company Wolters Kluwer (Amsterdam) intends to place all of its compliance-related subsidiaries serving the securities and insurance markets under the management of Bankers Systems' president and CEO Robert White. "Lately there have been a number of regulations that have crossed the verticals," says Wilson.