The tangled web of regulation is hitting the headlines, yet again.
Changes proposed by the Federal Trade Commission (FTC) to the 2003 Safeguards Rule have been met by warnings from the American Financial Services Association (AFSA) that they may contain ‘traps’ for unwary financial institutions attempting to meet both state and federal laws.
How so? Any regulatory initiative that seeks to tighten the data security procedures of US banks and safeguard customer information must be a good thing, right?
Not always, especially when regulatory reform creates disparity between state and federal obligations. In a recent Bobsguide report Celia Winslow, vice president of legal and regulatory affairs at the AFSA, remarked: “Fifty different state data security laws would cause a host of compliance problems. In trying to meet the requirements of different state laws and, potentially, different federal laws, financial institutions could end up with policies that meet the different requirements, but not be ideal for safeguarding consumer information.”
When confusion and complexity reign, and banks get so caught up in trying to satisfy conflicting rules that the initial goal of safeguarding the consumer is compromised, surely this defeats the object?
The challenges are clear:
- Every US state is an independent jurisdiction. When it comes to financial services regulation, each US state may as well be a different country. For the majority of US banks operating “cross-border”, moving customer data from one state to another is risky. With different data security rules in play, meeting all compliance obligations, across all jurisdictions, is challenging.
- Conflicting regulations increase risk. For many CCOs, trying to comply with contradictory state and federal laws is akin to “robbing Peter to pay Paul”. Compliance teams must consider “what-if” scenarios and take risk-based decisions in the hope of avoiding the most punitive enforcement fines. When they devise policies that meet differing requirements, but do so at the expense of safeguarding customer information, have they succeeded or failed in their mission?
- Cost of compliance is soaring. Our banks are overflowing with regulatory experts focused on routine compliance work. Researching relevant upcoming regulation. Creating policies and controls that satisfy all regulations. Monitoring for regulatory change and assessing its impact on every policy, procedure and control in the bank. The manual effort and cost of compliance is crippling, especially for resource-stretched community banks and credit unions. Banks are spending 6-10% of revenues on compliance; some big banks spend more than $1 billion annually on regulatory compliance and controls, although they seem better able to swallow these obscene costs. But is this palatable and sustainable, when time could be better spent on higher-value work, the bottom line is impacted, and customers are suffering raised prices and curtailed innovation?
Thankfully, the rise and rise of Regulatory Technology (RegTech) in recent years has provided a viable and cost-effective solution to untangle regulatory complexity. Fueled by Artificial Intelligence (AI), tedious and error-prone compliance processes can be fully automated, freeing compliance teams to focus on high-risk and value-added tasks. AI has made it possible to capture regulatory data from all regulators, across all jurisdictions, connect it to individual policies, controls and procedures and issue automated alerts when any change in regulation, or transfer of data from one jurisdiction to another, results in heightened compliance risk.
Some would say that RegTech is a viable alternative to manual regulatory change management processes. Most are coming to recognize that it is the only way forward.
Discover how RegTech is solving complex privacy, data and security compliance challenges in the independent Burnmark/CUBE report “RegTech for Information Governance”.