
Regulatory Change Management: solving the modern Rubik’s Cube

Richard Dupree


CEO and Founder, Riskliance

The very reclusive inventor of arguably the world’s most popular 3D puzzle, the Rubik’s Cube, only recently published his first book. The book is all about his iconic puzzle and comes almost 50 years after he introduced his invention to the world. The inventor’s, and now author’s, name is Ernő Rubik. Ernő has been obsessed with puzzles since he was a boy growing up in Hungary.

This passion continued into his later life as a sculptor, architect, and ultimately, a professor of architecture. It was as a professor, while looking for a way to model three-dimensional movement for his students, that he came up with a prototype he called the “Bűvös kocka,” or Magic Cube. To Ernő, puzzles were more than transactional problem-solving activities to pass the time. As he writes in his new book, titled Cubed: The Puzzle of Us All, Ernő believes that “puzzles bring out important qualities in each of us: concentration, curiosity, a sense of play, the eagerness to discover a solution.”

Solving puzzles was always a favorite pastime of my youth. I used to spend summers with my grandparents in Texas, and we spent many an evening solving jigsaw puzzles. What I remember most from those times, aside from the three of us getting buzzed (me on Kool-Aid and them on gin and tonics), was the camaraderie, the strategy, and the equal footing they put me on as a team member contributing towards solving a problem. Success was achieved collectively and in a quicker, more fulfilling, and more effective way than it would have been solving those puzzles on my own.

As I got older, I sought out more complicated puzzles to solve, such as crossword puzzles, anagrams, cryptograms, etc., and I was fairly successful at these even on my own. That is, until I came across a three-dimensional, handheld puzzle called the Rubik’s Cube. The Rubik’s Cube became a worldwide sensation, and I was just as obsessed with it as everyone else. However, despite hours and hours of practice, hints from friends, and watching others, I have only solved the puzzle maybe a dozen times over my lifetime. When I have solved it, it took days, was almost by accident, and was not repeatable for at least another several weeks, only to again solve it by sheer luck.

I wrapped up my 10th year on this earth putting down that vile device, vowing never to pick it up again, only to come across a similar challenge in the heavily regulated world of US financial services years later. Understanding regulator expectations, interpreting obligations, determining applicability to lines of business and processes, and managing changes to those regulations in an extremely dynamic state and federal regulatory environment had become my new Rubik’s Cube to solve. Would I fail again? Would I have to rely on luck or getting it right by accident? Or did I have an advantage this time that I didn’t have before?

A Little Regulatory History

The US financial services industry has been regulated in some form or another for hundreds of years. Despite these earlier versions of oversight, more formal and prescriptive oversight was legislated in response to major financial catastrophes, such as the Crash of 1929 and the 2007-2008 financial crisis, whose impact had a much further reach than anything experienced previously.

Similar increases in supervision were experienced in most mature economies around the world, and as financial services became more global in nature, so did regulatory oversight. One of the key challenges today for providers of financial services, as well as their vendors, is the myriad of regulatory obligations applicable to them based on their physical and even virtual footprint.

For example, a US financial services provider (FinTech, bank, etc.) who facilitates a trade finance transaction on behalf of and between a business entity based in California, USA and a business entity based in London, UK could be subject to both the California Consumer Privacy Act (CCPA) in California and the General Data Protection Regulation (GDPR) in the EU (still applicable in the UK as of the date of this article), depending on the number of employees, the data obtained as part of the transaction, how that data is used, and other factors. This illustrates the complexity that can arise across multiple jurisdictions for a single, simple transaction.

Imagine the regulatory obligation ecosystem for your entire set of products and services. If you are already in this business, you don’t have to imagine this at all. You live it, breathe it, and lose sleep over it every day. How do you assess the regulatory obligations that result from your product set, and how do you determine the impact on underlying processes? And maybe more importantly, how do you adjust these as those obligations change? To give you an idea of the challenge you are up against, refer to the image below, which displays a graph of US regulatory updates for the week of October 12, 2020. Keep in mind this is only one week’s worth of activity.

Source: compliance.ai

What is Regulatory Change Management?

Regulatory change management is the process of identifying, interpreting, and applying changes in the regulatory environment to your risk and compliance frameworks, underlying programs, and ultimately, to your operational environment and how you conduct your day-to-day business. In heavily regulated industries such as finance, insurance, health care, aviation, etc., regulatory obligations will typically impact all aspects of an organisation: how you onboard clients, service their requests, and disclose information, through to how you market to them, utilise their data, and execute on their requests.

Every aspect of your organisation could have a regulatory obligation associated with it. Regulatory change management is about integrating changes in regulatory obligations into the impacted areas of your organisation. And keep in mind this is not only about new laws and regulations, but also about changes to existing laws and regulations, even when those laws and regulations are relaxed or overturned.

To manage changes within the regulatory landscape, an organisation must first establish a baseline of current regulatory obligations. This can be achieved through documentation of policies and procedures that have been established to meet business objectives. For example, a FinTech might have a business objective to onboard 500 new customers a month.

To do this, the company would need to establish a set of supporting procedures, one of which would involve obtaining personally identifiable information (PII) to execute on Know Your Client (KYC) obligations (another regulatory requirement) so that it can onboard customers and meet its business objective. The company already had KYC obligations, but now that it has obtained PII on a consumer client, it is also subject to a host of privacy rules (GLBA, CCPA, GDPR, etc.). Therefore, the FinTech has created multiple regulatory obligations for itself in its pursuit of a defined business objective.

Once an organisation has identified the regulatory obligations associated with its business objectives and supporting operational processes, it should inventory those obligations along with the processes or controls in place to ensure compliance. This becomes the baseline for regulatory change management purposes. Any change, whether to the business objectives, the supporting internal processes and controls, or external regulatory obligations, should trigger an analysis to determine impact and any necessary changes to internal processes, risk inventories, etc.

All of this should be documented along with approvals and comments, and archived for audit purposes. Auditors and regulatory examiners will want to view evidence that appropriate steps were taken as part of a company’s regulatory change management process, to know not only how effectively the company is meeting its obligations, but also what changes were made, why, and who approved them.

Sound simple? Well, multiply that by every business objective, by every regulatory obligation, by every process, by every control, and by every change to any of these, and this quickly becomes a Rubik’s Cube of a problem. In fact, there are over 43 quintillion (43,252,003,274,489,856,000 to be exact) possible combinations for the Rubik’s Cube, with only 1 of these being correct. Seem familiar?

Legacy Solutions

For most of my career in regulated financial institutions, regulatory change management was managed by a team of compliance and legal subject matter experts utilising mainly manual processes. Once a baseline for regulatory change management was obtained, staff would monitor changes to the inventory of regulatory obligations using external source data such as the Federal Deposit Insurance Corporation’s (FDIC’s) website for FDIC-insured institutions. This wasn’t ideal, but for a long time it worked.

Below is an example of how changes to the Volcker Rule in 2019 would have been implemented using such a manual process, along with an estimate of the time required for each milestone…

What Works?

Many organisations have grouped regulatory obligations into themes, such as consumer lending, BSA/AML, privacy, etc., or into product categories, such as deposit, credit, payment, etc. Either of these, or a combination, could work. Some organisations might also sort regulatory obligations by line of business or region. Again, any combination of these could work, provided it makes sense based on the organisational structure, the underlying processes, and the end user or customer. What is critical 100% of the time is that clear roles and responsibilities are identified and assigned. Ownership and accountability are key success factors in any regulatory change management program.

Another thing that works currently is the staffing of key risk and compliance personnel who understand and can interpret regulations and then translate requirements into business obligations. In some cases, it helps to have an attorney interpreting the laws, whether that is an internal or external resource. In my experience, most regulatory change management frameworks at mature financial services institutions are effective but extremely manual in nature; they can only scale through the addition of more staff, and resources tend to be very costly in the Compliance space.

What Doesn’t Work?

In a nutshell, the “Spreadsheets, Email, and SharePoint” approach as I call it. It surprises me how many firms still use spreadsheets to manage their regulatory change obligations, communicate decisions and discussions around interpretation of applicability via email, and then attempt to archive all of this on a SharePoint site. Reconstructing this later for auditors and examiners as evidence of proper change management governance becomes a nightmare. It is especially concerning given how much time is spent on the manual steps involved in the mechanics of such a process, rather than focusing the effort on an interpretation of requirements based on business objectives and current operating environment.

This legacy approach treats regulatory change management more as a checklist. Although there are some fundamental tasks that should be completed with each change, running a manual process across multiple disparate and disconnected systems usually means teams spend much of their time on lower-level compliance tasks, such as monitoring changes to regulations, coordinating review of requirements, determining applicable policies and procedures, and then compiling and archiving all of this to ensure there is a comprehensive audit trail.

For years, more regulations simply meant more compliance staff. I have been in many a budget meeting where management did not know enough about the process or alternative solutions to push back, and typically these requests for additional FTE were approved, creating bloated and costly teams over a period of years.

I certainly do not fault risk and compliance managers for this because, for years, this was the only option, and every year the volume of change increases. Most financial services companies today have a broad reach, are more than likely subject to laws and regulations in multiple states and even countries, and are at the mercy of multiple regulators. The thought of managing that level of complexity is just mind-boggling.

What is the path forward?

If you are a regulated financial services institution, you will be expected to monitor the regulatory landscape and identify and implement changes applicable to your institution and ultimately adhere to those requirements. Consider the following as a very basic framework:

  • Inventory and assign ownership of regulatory obligations based on business objectives, underlying processes, and target market
  • Monitor the internal environment for changes to processes that have regulatory obligations identified
    • When these processes change, reassess the regulatory risk and mitigating controls to determine if they need adjusting
  • Monitor the external environment for changes to applicable laws and regulations
    • When changes to laws and regulations occur (and they will!), assess applicability to your environment
  • If applicability is determined, assess the impact of the changes and design an action plan as needed
  • Obtain additional opinions and/or approvals as needed
  • Implement change and manage change process
  • Test changes for effectiveness
  • Conduct ongoing monitoring
  • Document all the above for audit and business continuity purposes

Once the above framework is in place, I have 3 words…technology, technology, technology. The rate of change to laws and regulations will not decrease over time. In fact, it has increased year over year. Add to this the complexity of an international footprint if you have one, global transactions, and a trend towards global regulatory convergence across multiple regulated industries.

The latter is a good thing, by the way, but it is still regulatory change. The only way to stay on top of these requirements is to utilise technology solutions specific to this space. There are many great Governance, Risk, and Compliance (GRC) solutions and, within the last few years, some very impressive and comprehensive regulatory technology (RegTech) solutions with workflow automation, machine learning, and artificial intelligence capabilities.

Consider introducing RegTech solutions that automate the monitoring of changes to laws and regulations. This allows risk and compliance managers to upskill analysts to focus on higher-value areas, such as identifying emerging risks based on regulatory trends regionally, nationally, and globally, or simply to spend more time with business partners advising on risk and compliance issues before, rather than after, they become a problem.

The regulatory Rubik’s Cube is here to stay. The question is, will you spend your time manually trying to solve a puzzle that has over 43 quintillion possible combinations, like I did all those years ago, or will you take advantage of the technology available today to overcome those odds?
