By Kevin Legler
Dodd-Frank forever changed the standard of how banks determine the applicability of state laws. Prior to Dodd-Frank, federal law often preempted state law. Under the new analysis, that is generally no longer the case. As a result, banks of all sizes and charters have had to pay more attention to state law.
That trend looks to continue for the foreseeable future. Consumer protection bills appear to dominate state legislative sessions, resulting in a peak of state laws being released during the typical U.S. congressional session, from March through June. A national institution with a relatively modest product offering will be impacted by dozens of state laws in 2020, each containing requirements and expectations which must be complied with to varying degrees of difficulty.
Due to all these factors, bank compliance officers need to develop an effective method to ensure they are state-law compliant. But where does one begin with this new universe of rules? There are many variables impacting a bank or financial institution’s compliance expectations related to state laws (e.g., geographic footprint, product, and service offering), and as such each firm’s optimal solution for addressing those laws may also vary. While these variables are critical within the solution design, the underlying process itself is fundamental and may be consistently applied across institutions. For those reasons, this article will focus on the process of identifying, assessing, implementing, and managing on-going state law changes, providing specific business considerations throughout the process.
The first step in the process is to establish a reliable monitoring mechanism to identify state law changes. If state laws are new to the firm’s formal monitoring processes or have only been included for a few years, consider conducting a historical lookback to establish a baseline of existing state requirements and expectations by applicable product and service to ensure proper coverage. Remember to include general provisions (e.g., Article XVI, Section 50, of the Texas Constitution, related to equity loans) in any lookback as some states embed product-specific or basic consumer protections, applicable to all businesses operating in the state, within those provisions. Therefore, they may not include those requirements directly in financial industry-specific laws.
- Frequency: At what frequency will monitoring for state laws be conducted? Establish and maintain a regular schedule for monitoring which aligns to the organization’s product/service offering and risk appetite. Given the recent volume of new and revised state laws, a bi-weekly or monthly monitoring process would be advisable, particularly for firms operating in multiple states.
- Internal monitoring process: Is a centralized or decentralized process most efficient? Assign monitoring functions to internal resources with appropriate legal and/or subject matter expertise. Do unique processes necessitate unique monitoring functions (e.g., Tax; Human Resources)? While a centralized monitoring process affords the most control, weigh the benefits against the added complexity of including highly nuanced laws and change management activities within a broader enterprise process.
- External monitoring process: Is an external solution warranted based on the volume of change or lack of internal resources? Law firms offer state surveys depicting requirements by product and service, while a wide field of vendors offer services to support monitoring processes. Each of these solutions comes with benefits and limitations, so consider the full extent of organizational monitoring needs prior to signing any contracts. While state surveys provide an excellent mechanism for identifying all existing state laws (to establish a baseline of applicable requirements), they only provide a “point in time” view and quickly become outdated. Leveraging state surveys for on-going monitoring is generally cost prohibitive and does not typically provide data in a manner which accelerates internal change management activities. An ever-increasing number of vendor solutions are now offered which support regulatory monitoring and change management activities to varying degrees. In its simplest form, a vendor alert may provide notification of the change itself and offer a link to the state website. On the other end of the spectrum, many vendors offer hosted solutions which employ Artificial Intelligence (AI) and/or Machine Learning to aid in the identification of regulatory issuances pertaining to a specific product or service, and may provide full text, discrete requirements, and a redline version of the change.
- Sustainability: Do adequate resources exist (labor and/or budget) to maintain the monitoring process? Monitoring is not a one-time event, so verify organizational commitment to maintaining on-going monitoring functions during design to ensure a sustainable process.
- Controls: What controls are necessary to verify laws are not missed in monitoring? As regulatory monitoring is an important aspect of an organization’s risk management function, it is advisable to document the scope and sources of monitoring as well as to incorporate some form of controls within the process. For internal monitoring, consider a regular quality assurance check to verify all applicable laws from a given state were picked up in monitoring as expected. For an external vendor solution, it would be ill-advised to completely rely on technology from a risk management perspective. While technology has made significant advances, AI functionality is still cutting edge and will require more time to earn full industry and regulator acceptance. While automated solutions are admittedly enticing from a speed and cost perspective, inquire as to what human-based quality checks exist within the process and consider how defensible that process would be during an audit or exam. A machine-aided process in which AI deliverables are supported by human review appears to best align with industry risk appetites at this point in time.
Maintaining regulatory requirements
Once a new or changing state law has been identified through monitoring, it becomes data which must be organized and managed to remain useful. The next step of the process relates to how state requirements/expectations are maintained and what down-stream business processes those requirements support. First, determine which laws are applicable, what specific requirements are necessary to maintain, and at what level of detail. Does full text, section, or sub-section level granularity of the law best support business needs? Are discrete requirements (e.g., “musts” and “must nots”) necessary to maintain individually? Consider what is needed to manage the change initially and what adequately supports on-going business line research, testing functions, and change management when making these decisions.
Second, establish a state law inventory or library. The basic requirements for the inventory should be driven by the business decisions regarding level of granularity and the considerations provided below. Typical options for an inventory fall into one of three general categories:
- Spreadsheet: Effective for managing a limited number of requirements for smaller institutions or for unique business functions managing a small sub-set of state requirements within a larger organization.
- Database: A variety of configurable database options exist in the market which may be used to support a higher volume of requirements. The additional functionality provided by a database (searching; linking other data elements; system integration) will serve the needs of most organizations and prove to be far more valuable and sustainable than a spreadsheet.
- Regulatory data management system: An internally- or vendor-managed application typically consisting of a regulatory data feed, a requirements library, and a business process workflow to facilitate change management. This type of system is best suited for large organizations with a broad product offering operating in multiple states. Clearly this is the most dynamic and robust option, offering the most automation and built-in control processes, but it is also the most expensive and labor intensive to build and maintain.
Do not underestimate the importance of these business decisions or the highly technical nature of building a requirements inventory. A significant amount of resources is required to define and organize these types of data structures, with each decision building upon the last, so changing course can prove to be expensive and time consuming. There are many business variables to consider when assessing how to maintain regulatory requirements for your organization.
- How many state requirements are applicable?
- How often have those requirements changed, historically?
- Who within the organization needs to access this data?
- What level of detail is necessary to support internal processes?
- What organizational data elements will be linked to the requirements (e.g., product; service; process; risks; controls)?
- Do internal resources exist to manage this data?
- Do internal resources have the technical expertise to adequately define data architecture and system requirements?
The answers to these questions and decisions regarding level of detail will dictate what option most effectively manages the multitude of state requirements pertaining to your business.
Defining organizational obligations
States often emulate existing federal requirements and other states as well, so there will inevitably be duplicate or similar requirements which may present an opportunity for aggregation into one organizational obligation. From a process standpoint, combining multiple requirements into one obligation simplifies business practices and the associated risk management functions, generally improving consistency of execution and lowering residual risk. Consider comparing state requirements to the requirements from other applicable issuances:
- Other state laws, including general provisions
- Federal regulations
- Federal exam manuals and guidance
- Agency guidelines (e.g., Fannie Mae)
- Card Association rules (e.g., Visa)
- Local ordinances
- Extraterritorial regulations (e.g., EU General Data Protection Regulation)
- Company policies
Aggregating requirements will not always be practical or necessarily desired by the business. Applying the most stringent requirement across all states in your footprint may prove to be cost prohibitive or limit business opportunities. Some topics lend themselves well to aggregation, such as elder financial exploitation. In this case, state and federal requirements align well and may easily be combined into a simplified set of obligations that might perhaps be framed as policy requirements. However, the topic of debt collection is more highly nuanced for each state and therefore far more complex to consider for aggregation. Here again, individual business considerations should drive these decisions, and regardless of what those decisions are, assessing the totality of regulatory requirements by topical theme is a valuable exercise for any organization. At the end of this process step, individual state requirements and those aggregated as organizational obligations should be clearly identified and documented to facilitate a formal gap analysis across the organization.
Assessing impacts and identifying gaps
Establish a reliable process and regular cadence for communicating state requirements and organizational obligations with business partners, to identify impacted audiences. A collaborative process with opportunity for cross-functional dialogue will yield better results and manage risk far more efficiently than email distribution alone. Properly identifying organizational impacts is a critical control within the process, in that if you miss an audience at this point, they will not be included in further change management efforts and will therefore be out of compliance.
- Assess each discrete requirement/obligation within this process. Go to the lowest level of granularity necessary to effectively manage the risks.
- Gap analyses are best conducted by the impacted business or function as they are most familiar with applicable business practices.
- Consider differences between business lines and product offerings when determining requirement/obligation applicability, as different business functions may choose different solutions for managing risks (e.g., asserting preemption).
Business line gap analyses should clearly identify where business practices diverge from requirements/obligations. Propose action plans to close each gap identified and assess how those action plans will impact your business (e.g., revenue; products; services; processes; systems; and policy requirements). Obtain internal agreement on the approach to satisfying requirements/obligations prior to implementation. A collaborative dialog between business partners (including risk and compliance) will result in action plans which both meet business needs and effectively mitigate risks. Revise action plans, as appropriate, and implement to close all gaps. As always, document action plans and maintain evidence for audit and exam purposes.
Integrating state requirements into the risk framework
Action plans should include tasks to incorporate new state requirements or obligations into the organization’s compliance and risk management framework. The specific actions necessary to accomplish this integration will vary by organization, but fundamentally this process should consider how new or revised requirements apply to risks, controls, quality assurance programs, risk assessment processes, and internal audit functions. Also, consider how systematically linking requirements to these risk framework data elements may support and accelerate future risk and change management activities.
A general concern of incorporating state requirements into an organization’s overall risk framework is related to volume and the fact that state requirements could quickly overwhelm existing federal requirements if all those requirements are treated equally. Large organizations with a broad product offering generally manage tens of thousands of discrete federal requirements within their risk management processes. Considering many states emulate requirements already established by federal rules, the potential to end up with over 100,000 discrete requirements in an organization’s risk framework is a definite reality. Controlling and assessing such a large volume of requirements is neither practical nor even feasible for most organizations, so establishing a risk-based approach to determine what state requirements are included in the risk framework is essential.
Ongoing change management
The quality of an organization’s risk management framework is heavily influenced by the efficacy of its change management functions. Any effective process for managing state law must include a reliable mechanism for identifying and incorporating future changes. Change management should be a fundamental consideration within each process step to ensure sustainability and on-going compliance with state laws.
Assign a process owner, or owners, to manage and provide oversight for different aspects of the process. Verify all applicable state laws are covered within the process and ensure all aspects of the process have adequate resources to sustain the function. Consider that cross-functional processes may need to change over time to respond to an evolving business or regulatory environment. Regularly assess the process for improvement opportunities and collaborate with business partners to fine tune aspects of the process most important to their business.
With a wide variety of business drivers and geographic footprints, each financial institution needs to assess carefully how to comply most effectively with state laws. There is no “one size fits all” option; however, establishing a formal process (even in its most rudimentary form) will provide the basic organizational structure to facilitate the initial assessment and on-going management of state laws. The risks are real, from fines and remediation activities levied through State Attorneys General enforcement actions, to the reputational harm incurred through non-compliant business practices. Adherence to state laws is important to financial institutions and their customers, so in this case good risk management practices also support good customer service and corporate citizenship.
While the sheer volume and scope of state laws may appear daunting, banks will have a reliable and sustainable process to manage state requirements, and the associated risks, efficiently by:
- Developing a regular monitoring mechanism;
- Creating an inventory of applicable state requirements;
- Defining organizational obligations;
- Assessing how organizational obligations impact the business, and what gaps may exist;
- Implementing action plans to close gaps;
- Considering state requirements within the bank’s risk management framework; and
- Maintaining ongoing change management.
Kevin Legler, CAMS, CFE, has a background in Information Technology and has worked within the financial services industry for over 14 years. Reach him at KevinLegler13@gmail.com. Any opinions expressed in this article are the author’s own and do not reflect the view of his employer or ABA.