Regulatory compliance is always top of mind in the financial services industry, and all the more so this year, with the sweeping, and sometimes conflicting, changes that many expect on the American political landscape. So it wasn’t surprising that our annual regulatory recap webinar for members of The IIA’s Financial Services Audit Center, conducted at the end of last year, drew a large and engaged audience.
The election of Donald Trump and Republican gains in the legislative branch suggest we may be heading into a period of regulatory reform. Indeed, President Trump said during the election process that he wanted to repeal aspects of the Dodd-Frank Wall Street Reform and Consumer Protection Act, and some analysts predict impact to the Consumer Financial Protection Bureau (CFPB), which was created under the Act.
On the other hand, the President has advocated reinstatement of Glass-Steagall, a Depression-era law barring banks from engaging in investment activities. The law was repealed under President Bill Clinton in 1999 — a move that the current president says set the stage for the financial crisis of 2007-2008.
And that’s just the tip of the iceberg. A change of control in Washington means new agency heads and a predicted slowdown in the pace of enforcement activities as the new administration finds its footing.
Nevertheless, financial institutions need to operate under the current rules and regulations until, and if, new regulations replace them. There have been several recent regulatory developments of note, and they were the subject of the November edition of our Compliance Insights newsletter, summarized here. Specifically, they are:
- New prepaid rules — The CFPB finalized a rule that significantly changes the regulatory environment for financial institutions offering prepaid accounts. The new rule provides stronger protections for consumers of prepaid accounts, including new protections for “hybrid” prepaid cards that contain credit features.
- Reporting cybersecurity issues — The Financial Crimes Enforcement Network (FinCEN) published an advisory to assist financial institutions in fulfilling their Bank Secrecy Act (BSA) obligations regarding the reporting of suspicious activities related to cybersecurity issues.
- Foreign correspondent banking risks — The Office of the Comptroller of the Currency (OCC) published guidance on the periodic risk re-evaluation of foreign correspondent banking, which is applicable to all OCC-supervised national banks that maintain these relationships. The OCC advises these financial institutions to routinely re-evaluate foreign correspondent banking portfolios.
- Fiduciary guidance — The Department of Labor (DOL) released both the first and second in a series of frequently asked questions (FAQs) to provide additional guidance on the implementation of its new fiduciary rule, which concerns the expansion of the types of retirement products and communications that trigger fiduciary status for retirement investment advisers and is designed to ensure the advisers’ actions are aligned with the best interests of their clients. Recent press has reported that, as a result of the presidential election, there is a potential for actions to be taken that may modify the implementation of the rule, but no specific details or timing have been released.
Looking ahead to 2017, we anticipate that examiners will focus on sales practices and incentives; cybersecurity; compliance management, especially in the second line of defense; compliance with Bank Secrecy Act/anti-money laundering rules; stress testing; and vendor management.
We’d like to leave internal audit departments within financial institutions with some key points we believe are essential to effective internal audit performance in this dynamic regulatory environment. Some are intuitive. Others may be new to some.
- It all starts with an internal audit risk assessment and internal audit plan development. The right plan in this environment anticipates change. Interview various constituents in your organization (general counsel, chief compliance officers), as well as trusted advisers outside your organization. In addition to required annual reviews — AML, BSA, SAFE Act, and others — it’s important to understand your examiner’s expectations regarding emerging risks.
- Having the right expertise is important. After developing an internal audit plan, it’s wise to take stock of the internal audit team and proactively address any capabilities gaps, internally through training, or externally through trusted partners with subject-matter expertise.
- Flexibility and scalability are critical this year given the possibility of regulatory change. We’ve heard from many audit executives who say they are dedicating more special-project time to their internal audit plans, just in case.
- And, as always, relationship management is key. In times of change, it is especially important to keep in close touch with the chief compliance officer and the compliance organization.
We may not be able to anticipate all the changes we encounter, but how we react to that change can make all the difference. With the right frame of mind, proper planning, and the right team of advisers, internal audit departments can look to 2017 with confidence.