Non-compliance with audit standards and requirements is detrimental to a bank or lender. For standards such as PCI, non-compliance can result in financial penalties or in a bank being unable to process credit card payments. The CCPA assesses civil penalties of up to $7,500 for each intentional violation. Additionally, some standards require public disclosure of violations and incidents. Such disclosures result in reputational harm and public impact.
While it is difficult to quantify the impact of non-compliance accurately, it is clear that it has far-reaching effects. Reputational risk is a significant concern for banks, as a negative reputation leads to lost customers, decreased revenue, and overall harm to the bank's standing in the community.
In addition to penalties and fines, a company found to be non-compliant may face civil or criminal litigation. If a bank knowingly fails to comply with regulations, it may be subject to punitive damages and significant fines. To avoid these negative outcomes, banks must take proactive steps to ensure compliance and effectively manage risk.
Internal audit scorecards, communications, and assessments are legally discoverable in court matters. They can be used to demonstrate a bank’s negligence or prior awareness of potential issues. Some banks engage consulting firms for their economic, financial, and strategic expertise to provide attorney-client privileged assessments to mitigate risks and become more compliant.
Be Proactive in Protecting Yourself
There are various strategies to protect yourself from audit, regulatory, and reputational risk. A combination of controls and monitoring, software-driven analysis, and awareness of penalties and their impact help organizations manage and reduce risk. By taking proactive steps to ensure compliance and address potential risks, banks can protect themselves and their employees from negative consequences.
- Strict controls and monitoring: Enhanced visibility through operational security practices, spot checks, and stronger authentication controls can reduce or eliminate risk.
- Software-driven analysis of multiple standards: Software applications take the hard work out of compliance, providing an intuitive, cost-effective interface capable of managing multiple requirements.
- Crosswalks: Identifying the requirements that different standards have in common enables banks to improve audit outcomes.
- Awareness of penalties and impact: Non-compliance and disregard of requirements can severely impact organizations and their officers and employees. Public awareness of breaches and other incidents usually results in increased oversight and accountability.
Governance Trends to Watch
Throughout 2022, we saw mounting pressure on risk, legal, and compliance teams to improve coordination with line-of-business and other teams in the operations function. The three lines of defense – front-line business activities, risk and compliance, and internal audit – remain a strong governance model. However, the recent siloing of functions limits the ability of controls to be fully integrated throughout the organization.
Risk reduction happens when IT and the business take appropriate actions. Compliance capabilities must shift from reporting to achieving outcomes. This is critical as organizational risk will likely be re-scoped in 2023 to include the broader partner channels and third-party vendors, increasing demand for this capability. Banks and lenders should increase integration and collaborate to reduce risks. To improve overall risk management, teams must emphasize outcomes over reporting, for example, by prioritizing the time to remediate risk over assessment frequency.
Compliance requirements continue to evolve. Privacy regulations such as the California Consumer Privacy Act (CCPA) and industry-specific regulations such as the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (2018) are raising the bar. We see indications that this pace will continue and accelerate, and the systemic risks identified in 2022 will likely result in increased oversight and obligations.
So this year, legal and compliance teams should:
- Prepare to scale up to meet compliance requirements and obligations.
- Increase the use of automation and orchestration to enforce the policy.
Start shifting from reporting to demonstrable risk reduction. Legal and compliance teams often excel at auditing, identifying, and reporting on risk, but they should continue working toward the shift from analysis to action by collaboratively reducing risk with other teams. To do this:
- Bring legal and compliance objectives and key results (OKRs) into alignment with the business.
- Integrate legal and compliance services, such as classification and service management.
- Develop a business case process for risk reduction, for example by addressing concerns over increasing costs or reduced performance.
- Improve program metrics and executive reporting.
As an industry, we have the opportunity to transform the lives of millions of people. Informed has the power to drive industry collaboration and financial wellness for all. Come find me at the Bank Automation Summit to continue the conversation!
With more than 15 years’ experience in the financial services industry, including tenures at Santander Consumer USA and Visa, Jessica Gonzalez is now the Director of Lending Strategies at Informed.IQ.