2021 Compliance Review and Tactics for Staying Ahead of Regulators in 2022
With 2021 in the rearview and 2022 well underway, it’s a good time to consider some compliance issues from last year, and current trends and tactics for keeping ahead of regulators this year. In 2021, we saw a number of compliance-related changes from the Federal Financial Institutions Examination Council’s (FFIEC) and Federal Deposit Insurance Corporation (FDIC). One important development, especially for smaller community banks and credit unions, was the FDIC’s new Office for Supervisory Appeals. The office—launched in December to operate independently within the FDIC—considers and decides appeals of material supervisory determinations. It replaces the existing Supervision Appeals Review Committee.
The Office of Supervisory Appeals will “enhance the independence of the FDIC’s supervisory appeals process and further the FDIC’s goal of ensuring consistency and accountability in the examination process,” according to the FDIC. There’s a broad range of material supervisory determinations that institutions can appeal through the office, including CAMELS ratings under the Uniform Financial Institutions Rating System; IT ratings under the Uniform Rating System for Information Technology (URSIT); and Trust ratings under the Uniform Interagency Trust Rating System. This new appeal process isn’t a guarantee that supervisory findings will be changed but may prove useful as a last resort for FDIC institutions facing downgrades in scores where there is a material disagreement between the FI and the FDIC.
Another significant FFIEC development last year involved amendments to the Bank Secrecy Act (BSA) and anti-money laundering (AML) regulations. The BSA amendments included certain provisions to the USA Patriots Act to detect, deter and disrupt terrorist financing networks. This would appear to be an area of focus going forward, as 3 of the 10 most substantive (i.e., non appointment-related) FFIEC releases in 2021 were related to BSA/AML.
In June, the FFIEC issued a new Architecture, Infrastructure and Operations (AIO) booklet as part of its Information Technology Handbook. With this logical move, the FFIEC replaced its July 2004 Operations Handbook with a single booklet that merges three interconnected areas. In August the FFIEC also enhanced its guidance on authentication and access to services and systems—advocating for the widespread use of multi-factor authentication (MFA)—and released guidance on conducting due diligence on fintech companies.
One additional item of note in 2021; the FDIC’s tech lab, FDITECH, launched an initiative to challenge institutions to measure and test bank operational resiliency. Ultimately, a set of metrics may be applied to financial institutions—perhaps community banks in particular—to determine whether they are adequately resilient against operational disruptions. We’re keeping a close eye on this as it may lead to a universal formula for grading or ranking resilience. Anything that reduces subjectivity also reduces uncertainty, and that is a good thing when it comes to regulations.
Tips, Tricks, and Tactics
One of the main tactics to apply now to enhance compliance is to focus on the concept of resilience in all areas of the financial institution. Incorporate this concept into your business continuity management plan, vendor management program, third-party supply chain management, and information security. The key is to prepare in advance for a disruption—to put processes in place to reduce the possibility of disruption, and to minimize the impact of disruption should it occur.
Here’s another way to stay ahead of regulators: Financial institutions can connect the concept of risk appetite to the acceptable risk in their risk assessments. This goes beyond merely asserting that whatever residual risk you may have is deemed acceptable, which is highly subjective. Inherent risk less controls establish residual risk. However, residual risk levels must be compared to pre-determined risk appetite levels to determine acceptability. Only if the residual risk is less than or equal to their risk appetite can residual risk be considered acceptable. This process also reduces subjectivity and uncertainty—which should leave examiners and auditors much less room for interpretation, and result in a better audit/exam experience for you.
What to Consider in 2022 and Current Trends
Another area we’ll definitely be watching in 2022 involves the new incident notification rules that were issued late last year. All financial institutions will need to update their incident response plan and possibly their vendor management program and business continuity plans to accommodate these new regulations. These changes, while not necessarily difficult, can be pervasive in that they will cross over into multiple policies and procedures. In short, the rule requires institutions to notify their primary federal regulator as soon as possible—no later than 36 hours—after they determine that a notification incident has occurred. There are also new requirements for third parties to notify you if they experience a similar event, which could require changes to the vendor contract. The effective date of the new rule is April 1, 2022, with compliance expected to begin on May 1, 2022. There may be a grace period, but financial institutions should be prepared for examiners to ask questions about your adherence to these new rules at your next Safety and Soundness exam.
Regarding trends, we believe the focus on third-party risk management will continue in 2022 and into the future. Currently, there’s growing support for the idea of having the FDIC, Federal Reserve, National Credit Union Administration (NCUA) and other agencies coalesce around a single set of standards for third-party management. This would create more consistency with the rules concerning how regulators and others define third parties and vendors, and expectations for effective risk management. The outcome of the discussions around this topic may not manifest until Q3 or Q4 of this year, but institutions should work on formalizing their process for conducting due diligence when dealing with fintech companies and other critical vendors.
Safe Systems has been serving financial institutions for more than 25 years. To get more of our experts’ views on this topic, listen to our webinar on “Compliance Review and Tips, Tricks, and Trends for Staying Ahead of Regulators in 2022.”