September 26, 2022 | Amanda Khatri
The Compliance Officer’s role in the digital era
A few weeks ago, I was helping my mom with her online banking. She had just returned from yoga class and passed up morning coffee with her friends, letting them know she had to take care of her “online banking”. One of her classmates said to my mom that she uses mobile banking. When my mom and I met, the first question out of her mouth was “how is mobile banking different from online banking?”, and she then also proceeded to ask me about “Digital Banking” because she had heard that term used on TV. She thought she was cutting edge until her yoga partner busted her bubble…
After a better part of an hour of showing my mom my mobile banking app and explaining that digital banking really was just a big bucket term for online and mobile banking, she was still a bit confused but at least settled down (BTW – not at all interested in using her smartphone for banking!!).
As I drove home, I reflected on how financial services had changed over the past few decades. As technology has evolved, there are more and more FinTechs carving their niche out of financial services. And, in tandem, you have more traditional financial services creating their own fully digital banks as separate legal entities to gain some competitive advantage.
I also started thinking about how a compliance officer’s role has changed, especially in the past decade. I remembered the challenges when online banking was rolled out and the new challenges that arose when mobile banking was later introduced. Now, organizations are partnering with FinTechs or going full-on digital and the compliance officers are challenged with providing sound regulatory advice and guidance in a forever faster-paced environment.
So, what are the challenges facing a compliance officer now and how do they differ from ten years ago?
What stayed the same?
- In reality, deposit and lending regulations have not changed significantly since we passed the Dodd-Frank era. We still have the alphabet soup that drives compliance.
- AML and KYC have been pretty status quo. The Office of Foreign Assets Control (OFAC) lists are constantly updated with sanctioned countries and politically exposed persons (PEPs).
- There are still privacy requirements as well as ethics and code of conduct requirements that organizations must manage.
What has changed?
- More financial services are being offered by FinTechs who may not have a fully-fledged compliance team in place.
- Status quo banking no longer works and compliance may get skirted in a zest to stay relevant.
- The biggest change, however, is wrapping compliance requirements into the fabric of product development and customer engagement, while remaining user-friendly.
A big challenge in this era is ensuring that compliance officers are meaningfully engaged. There are business partners out there (you know who you are) who continue to push or leave compliance officers out of the picture and treat them as an afterthought. The value of the partnership is not understood or real until something goes “bump” in the night.
Now don’t get me wrong, there are many organizations that have great partnerships between the business and compliance. For those of you who do—Bravo! But for others, here are a few examples that I have heard about that could have developed into serious issues because of a lack of good compliance in business partnerships.
Confessions of bad behaviour
A product manager pulls the wrong (higher) rate disclosure for a product offering and provides it to the developer for publication. This issue was caught after over 500 accounts had been opened. Let’s compound this issue with the business wanting to just adjust the rate and only reactively respond to customers who noticed the change (yes, I’m not kidding).
A credit card marketing promotion advertised a low interest rate without the fine print stating that it was a promotion – and failing to say when it would adjust back to the prevailing interest rate. The logic here was that customers who accepted the offer would be rolled into another promotion after the offer expired, so why confuse them with all that fine print? (Hmm… maybe because it is a regulatory requirement.)
The business wanted to roll out a new product without KYC in place upfront, instead wanting to address it in an update to the platform in phase II roll-out, in a few months. (We all know how a few months can turn into several months or never.)
The business decided not to set up adverse action notices in the new online loan application process (yet another ‘handle it in future’ phase).
The business wanted to leverage cloud storage for a new product roll-out with a third-party, offshore provider, without completing the risk assessment. Their logic here was the vendor provided documentation and certified their data security processes so they would be liable. (Yeah, try telling that to the customers and regulators if a data breach occurs.)
In all of these examples, there was a compliance partner who caught wind of what was going on and stopped it before it spun out of control. However, these conversations often took a nasty turn leaving a great divide in an already tumultuous relationship.
So, what causes the disconnect?
From my observation and dialog with business partners as well as their compliance officers, there are a few things at play in the relationship paradigm:
- The compliance officer is viewed as the villain who just doesn’t understand and is holding up progress.
- The compliance officer doesn’t understand the technology so opts out or is not included in the real-time discussion during the project life cycle.
- The compliance officer is viewed as wedded to the old risk review/assessment process and can’t move fast enough in an agile environment.
- Some compliance officers, based on past experiences, are intimidated and opt not to speak up. They run it up to their senior leaders to address. This then leaves the business feeling a sense of betrayal and lack of confidence to include them in future meetings.
- The compliance officer is viewed as very scripted and sees everything as very black or white with the go-to answer of “you can’t…” versus “how can…”.
How does the compliance officer get past these challenges so they are considered a reliable and vital part of the project life-cycle?
I don’t see this as just a challenge of a fast-paced and constantly changing technology. I believe there are many new and old compliance officers who can learn enough about the technology and the agile environment to actively participate.
However, I do think that compliance officers have to work on their interpersonal relationships with their businesses. I believe every compliance officer in these roles needs to view themselves as a trusted advisor and risk consultant. Having confidence in your knowledge and expertise in compliance and the value you bring to the table is a must. If you don’t have that, then maybe you are in the wrong role. A few behaviors I have observed in the compliance officers who carry out the role well are as follows:
- Well-versed in the regulations that are the most important to the business and the projects they are undertaking. Note I didn’t say all regulations. Being viewed as a walking encyclopaedia of regs doesn’t ingratiate you to your business partners. There is nothing wrong with having to reach out to another SME who is more well-versed on a topic.
- Spend time learning the broad strokes of agile compliance and the technology being leveraged.
- Understand where the regulatory requirements must come into play and what can be deferred, if possible, to later cycles. If your organization is truly operating in an agile way, there should be enough iterations to ensure front, middle, and back-end requirements are included in the appropriate cycles.
- Be diplomatic in how opinions are delivered. “You can’t…” doesn’t work with your kids so why do you think it will work with your peers? Subtle rephrasing followed by offering up some options, or at least the statement “let me think about some alternatives to that approach” can go a long way.
- Actively participate in other non-compliance aspects of the project which demonstrate engagement and help build business knowledge (just don’t forget your day job).
- Streamline or modify the project, risk review and assessment to work better in a fast-paced or agile environment.
- Work with the project team to understand the process maps and clearly identify the disclosure or other requirements needed in each step of the process, thereby putting the business in a better position to ensure requirements are addressed as part of the build. (This is also the work needed to develop controls and testing later, so do it in real-time).
- Look at ways to automate or at least ensure appropriate disclosures and other materials are inventoried in the right place, so the business can access the right information for deployment without always needing to reach out.
- Make it clear what steps in the process do require compliance review and tell people when it cannot be left up to automation or the business to action.
- Don’t be afraid to speak up to the business leader. If you see something going down the wrong path and in need of a serious course correction, before you run it up your food chain, give the business the chance to hear your concerns – especially if it is serious enough to get your leadership involved. It may be difficult, but you will be respected for it in the end, rather than viewed as a “tattle-tale” or worse, a “spy”.
Compliance officers are very committed to their role. It is difficult to jump on the fast-moving train, especially for those of us who have been at it for a while and need to evolve our approach. However, there is no college or university that teaches these skills. It definitely is a bit of learn-as-you-go.
To any business partners reading this article, give your compliance partner a chance to do their jobs … they are in that role to help you, and the organization, manage risk – not hinder progress.