By Lyn Farrell
Risk testing is at its best a painful prospect. Even before Dodd-Frank was enacted, risk organizations implemented fairly robust testing programs. However, since its passage, regulators have placed more emphasis on risk management systems, and testing is front and center of any risk or compliance program.
Testing is labor-intensive and time-consuming, both for the risk staff and for the frontline units. Testing schedules are established on an annual or biannual basis with test scripts revised on the same basis.
Large testing staffs are necessary to perform the hundreds (potentially thousands) of checks necessary to determine if regulatory and procedural rules have been followed. In many cases, multiple groups within institutions perform overlapping tests in order to satisfy their organizational requirements. It is no wonder that business leaders have often complained to me that, with regulatory examinations, in-house operations, compliance and risk testing as well as internal auditing, they feel like their operations are tied up with testing tasks continually, consuming the time and energies of their own staffs.
Risk testing at its most primitive involves Excel spreadsheets and many line items to check. The most robust testing of this sort can only examine a sample size of transactions, nowhere near an entire portfolio of loans, deposits or complaints. Unfortunately, this is where the majority of financial institutions still sit in their testing programs. There have been some advances in testing. Some organizations have created more sophisticated systems with testing scripts built into shared platforms that encompass regulatory and process updates added on a regular basis. This process still requires a lot of upkeep, and testing is still often performed only periodically.
In the future, the best risk practice for risk and compliance testing for many bank areas and products will be the use of automated testing. Automated testing happens continuously, with 100 percent of the transactions undergoing testing immediately after they are booked (in the case of loans, for example) or after they happen (in the case of complaints, for example). This type of automated, immediate testing will provide business leaders and risk management groups daily feedback on potential problems. This fast feedback is crucial to fixing problems, tweaking procedures or retaining staff before problems grow large.
Let’s take a real-life example. Some more sophisticated institutions have already implemented automated testing on mortgage lending portfolios, both on the servicing and fulfillment sides of their operations. Mortgage loans are one of the easiest products to test using automated software because these loans have been digitized in their operations for many years.
Loan applications are either taken digitally or converted into digital files, as are the disclosures. The servicing portfolios are also performed with digital inputs and can be tested fairly easily. In addition, mortgage rules are almost all binary in their application. Other areas, such as UDAAP testing, are more complicated to automate since there are fewer “yes/no” answers.
Mortgage lending testing is the ideal start for automated testing because programs are available today that will run regulatory and procedural testing on every loan the day after booking. The information on policy and regulatory violations is reported back to risk and compliance as well as the business unit. The business unit appreciates that mistakes are caught early so multiple errors of the same type going on for months just do not happen.
Scott Essex, a risk and compliance consultant who is familiar with automated mortgage testing, says: “Continuous automated mortgage testing gives you daylight into 100 percent of the portfolio every day.” This type of testing is a breakthrough in fast information delivery and provides the bank with the ability to remediate anything before it becomes a consistent problem.
The costs of implementing automated testing in mortgage loans include not just the bare costs of the software that tests the transactions but also the costs of clearing and maintaining data that is clean and usable. Due to the highly regulated nature of mortgage loan origination and servicing, most institutions have worked to make their mortgage data fairly clean already. This is why it is a good place to start continuous testing. The costs in implementing continuous mortgage testing will eventually be more than offset by the reduction in labor costs required to maintain and execute the more typical manual testing regimes, both in the risk and compliance areas and in the business line itself.
Other types of automated testing using artificial intelligence and machine learning are out there also. Some large institutions are using process mining technology to find deviations from procedure and to learn what types of deviations are “good”—meaning the procedure is too cumbersome and can be streamlined—and which types are “bad”—meaning that there is a regulatory or procedural violation.
Since most process mining can scan written notes and emails from customers and bank employees, it is a great tool to find potential problems in processes that are non-binary in nature. For example, complaint management is a ripe area for this type of testing. Institutions using process mining have been able to find potential UDAAP issues to be more fully tested and studied. It enables managers to adjust training and processes to prevent the problems from occurring in the future. This type of process mining testing has enabled institutions to find issues with highly sensitive lending programs, such as CARES Act lending programs that were set up so fast that procedures were able to be refined daily using process mining techniques. This enabled the institution to find anomalies and prevent problems from becoming widespread.
The future of risk and compliance testing is bright with automation and artificial intelligence solutions that will enable institutions to test complicated transactions and find problems in areas that have been difficult to test in the past. It will enable a more cost-effective, efficient way to test for risk and compliance issues.
Lyn Farrell is a regulatory strategy adviser for Hummingbird, a regtech company. She is the 2012 recipient of the ABA’s Distinguished Service Award for compliance and is the author of ABA’s Reference Guide to Regulatory Compliance. She can be reached at Lyn.firstname.lastname@example.org.