Tim Burniston, senior advisor for regulatory strategy at Wolters Kluwer, discusses the implications of a recent survey from Wolters Kluwer that showed lenders are increasingly concerned about new regulations and their ability to manage risk.

In December, Wolters Kluwer launched the latest edition of its annual Regulatory & Risk Management Indicator survey, which provides an overview of how banks and other lenders are engaging with the risk and regulatory requirement landscape each year. The survey found that lender concern about regulations jumped ‘considerably’ in 2022, with nearly 70% of lenders indicating concern about anticipated small business lending data collection regulations and the ability to manage those requirements. To dig into more of the survey’s finding and their implications, Tim Burniston, senior advisory for regulatory strategy at Wolters Kluwer, spoke with ABF Journal in an exclusive Q&A.

Before we dive into the survey’s findings, what can you tell us about its methodology and how it determines the data?

Tim Burniston: This survey is in its 10th year. Our goal was to develop an instrument that we could use to consistently measure concerns regarding regulatory compliance and risk management in the moment and over time. We thought that using an index would enable us to analyze changes and capture forward-looking views of where institutions expect to spend their time and resources in the coming 12 months.

We send the survey to a very broad base of banks, credit unions and mortgage companies and collect trend information on the breadth and depth of regulatory and risk concerns. It helps us determine the anticipated regulatory impact on institutions and gives us some insight into their current risk management efforts. It also helps us signal areas for the coming year that the lending community should be concerned about. We use that information to put together what we call a regulatory and risk management pain index score, and then we track and report those scores annually.

Most of the responses come from smaller banks and credit unions, but we did find that the percentage allocation of the respondents matches up very well with the asset size distribution of the industry. The respondents are primarily from bank management, executive and compliance roles, and then people that are in lending roles.

The score itself is made up of 10 different factors. Seven of the factors come from the survey and three of the factors are what we call regulatory environment factors. That’s information on enforcement actions, fines, and new regulations. There are also compliance factors that come from the survey instrument itself as well as risk management factors. Those are compiled and scored on a consistent basis by us from the same sources every year. This year’s factors cover a period from July of 2021 through June of 2022, with the survey administered from July to September each year, and then we work in the fall to compile the results.

The scores that we get from looking at the 10 different factors are put into a formula to generate the main score. The main Indicator score was lower this year, primarily due to a reduction in the number of enforcement actions and the dollar amount of the penalties associated with those enforcement actions, but the overall score was in line with our pre-pandemic results.

What were some of the most important findings of this year’s survey?

Burniston: Despite the drop in the overall score, our respondents identified notable concerns relating to five different things. The first was with tracking and keeping current with regulatory change. That was a theme we saw throughout the survey responses. The second issue was proving compliance to regulators, usually during an examination or a supervisory interaction.

There were also concerns about actual compliance with specific regulatory requirements and several concerns associated with compliance management, most notably manual processes, inadequate staffing, and too many competing business priorities, all placing stress on the ability to maintain and manage an effective compliance management program. And then finally, the number of new regulations to monitor, track and, where needed, to implement.

One other thing that I should point out is that the respondents are giving considerable attention to what we call environmental factors, such as interest rate increases, inflation, the potential for a recession and ransomware attacks in their enterprise business risk planning efforts.

Change management was the most pressing regulatory compliance issue regardless of lender size in the survey. What does that tell us?

Burniston: It tells us that the ability to absorb the breadth and the volume of regulatory change is overwhelming and a formidable challenge no matter what kinds of resources an organization might have available. Basically, regulatory change doesn’t discriminate based on size or resources. Everyone’s subject to regulatory change in the same way, creating the same set of concerns about the ability to absorb it all and operationalize it. In addition, the general business environment is complicating the implementation of regulatory changes, which carries with it its own set of challenges, especially given the present economy. These findings also suggest that institutions are feeling pressure from regulators to make sure that they are managing change in a way that’s going to assure future compliance for their organizations and for their customers.

This year’s survey noted a pretty significant jump in concern over new regulations. What do you think was behind that finding?

Burniston: There are several significant regulatory initiatives underway, and I think that influenced that finding. I’ll cover a few. The first would be Community Reinvestment Act (CRA) regulatory modernization. The next would be the forthcoming Dodd-Frank small business lending data collection rules (or 1071 rules) that the Consumer Financial Protection Bureau is expected to issue shortly. And finally, the Bank Secrecy Act and anti-money laundering related compliance challenges. I think the respondents are anticipating challenges arising from the implementation of these regulatory changes across their enterprises.

The CRA rule and the small business lending data collection regulations could both be issued in final form at roughly the same time. Both are very complicated and are going to require a consolidated effort across an institution to implement. These are both large-scale regulatory changes that have been on the horizon for several years. For banks, the CRA regulatory changes will create new evaluation methods, new things to learn, new data to collect, new examination processes, and new approaches for working with their communities and their partners.

In some ways also, the 1071 rules and the CRA rules are intertwined and have to sync up. But to go a little bit further on that, the small business lending data will also be used for fair lending analysis. First, lenders are going to have to have a system for obtaining, capturing and reporting the information. And then, they’ll also need to be able to analyze it and determine what the data are showing about their lending patterns, especially about the gender, race and ethnicity of small business loan applicants. We saw in the survey results that 68% of our respondents are either very or somewhat concerned about their ability to manage these rules.

The survey also identified a pretty substantial decrease in fines and enforcement actions. What do you think led to these results?

Burniston: Some of it is really timing. As I mentioned, the survey period covered July of 2021 to June 2022 and the development of an enforcement case is a really complicated initiative. It often plays out over a very long period of time before the organization and the regulator reach a conclusion on the matter in the form of a formal document. At the very end of 2022, we saw a huge $3.7 billion enforcement action get finalized. That large penalty will end up being reflected in next year’s survey, so I would expect that score to go back up to where it was last year and have another corresponding effect on our overall Indicator score. If that particular enforcement action had occurred in July, however, it would’ve gotten picked up and we wouldn’t even be talking about this right now.

The takeaway from it for me, however, is even though those enforcement numbers are lower in this year’s survey scores, people shouldn’t look into that and say  that means  the regulators are looking the other way, that they’re lightening up. In fact, to the contrary, the examinations that they’re doing are just as rigorous as they ever were. I would caution folks not to look at that score and say, “Gee, there’s nothing to really worry about here. Enforcement actions are going down.” I don’t think that’s necessarily the case.

Which new or soon-to-be-enacted regulations cause the most stress for lenders and why?

Burniston: The CFPB’s forthcoming small business lending data collection reporting rules could cause the most stress for lenders. This is new ground for many institutions, and the proposal issued by the CFPB indicated to the industry this is going to require not only an implementation challenge, but an analytical challenge. There are a lot of unknowns here. If you have a certain number of small business loans, you might not have to report at all, but if you’re over a certain threshold, you will have to report, and we don’t know what that number’s going to be. The data elements that need to be reported have to be finalized. The implementation time period, which lenders are concerned about, also has to be set.

Of course, those questions will all be answered when the final rule is issued, and that final rule is expected to be issued anytime between now and March. Having those answers is going to help people understand, but the challenge of implementation will remain. There’s also the analytical work needed to understand the data. That’s new ground as well, and the analytical models aren’t in place. In addition, operationalizing the rules in whatever time period the CFPB ultimately provides is going to still be challenging.

What are some of the top obstacles to an effective compliance program and how can lenders overcome them?

Burniston: According to the survey results, the respondents indicated that their top three obstacles to implementing an effective compliance program were manual processes, inadequate staffing and too many competing business priorities. I’ll just break those down a little bit. For manual processes, for example, the regulatory environment that organizations face today is way too complex for businesses to manage compliance without the help of technology and automated processes and resources. Spreadsheets just don’t work. We saw that the scores jumped to 54% this year from 45% last year on manual processes. Manual processes often lead to errors, inconsistencies and disconnects across the three lines of defense in an organization.

When it comes to inadequate staffing, there was an increase over the 2021 score of 41%, moving up to 44%. That could reflect a couple things. First, there could be some residual effect of the alleged Great Resignation. Second, it could be a symptom of the difficulties with attracting and retaining good people. Another factor that could be influencing the inadequate staffing concerns might be related to work-from-home practices. Finally, anticipation about the future is also a key factor. Compliance officers all look down the road, if they’re doing their jobs correctly, and see that there’s a lot to do, suggesting present staffing is inadequate to handle that forthcoming workload.

Too many competing business priorities speaks for itself. More and more, we see people having to take on more than one role or do other things that they didn’t expect that they would have to do.

To overcome these concerns, the first thing to focus on is the deployment of technology. Regulators are expecting, especially in an environment where banks are under remote supervision, enterprise-wide risk management programs that connect to different parts of an organization and make sure that everybody is moving forward in a consistent way on implementing change. A fully functioning compliance management system integrated with an organization’s three lines of defense is another component. It’s also important to make solid business cases for more team members early, as everyone in an organization is constantly competing for resources. If you need those resources for compliance, you need to make a solid business case early on before available resources are gobbled up elsewhere by other business units.

Lastly, it is important to have a very solid and comprehensive regulatory change management program in place that captures what’s happening across the regulatory community and is able to identify requirements, map those requirements to products and roles and make sure everybody understands what they need to do for implementation.

The survey found that only 28% of institutions have made significant progress on becoming fully digitized. What do you think is holding them up and how can they overcome this obstacle?

Burniston: Competitive factors and basic business economics are going to continue to drive the acceleration of digital transformation. Consumers are expecting seamless digital experiences from loan application to closings, including with loan signatures and loan payments. About the only positive thing about the pandemic is it moved digital transformation more in that direction. Other business transactions outside of banking are becoming more digital or entirely digital—and consumers are accustomed to that and expecting it. In the survey, 79% of respondents said that enhancing the customer experience for their organization was a very important driver of digital transformation.

Increased profitability was the primary driver behind our respondents’ movement toward the adoption of a digital lending process, with 85% saying that was very important to them.

With that said, when looking at that 28% number, that’s pretty good when you consider many of our respondents are smaller banks. The other way to look at that is almost 75% are making progress toward building out a fully digitized lending capability. That’s really a positive step.

Were there any findings from the survey that surprised you? If so, what were they and why?

Burniston: I had expected that more of our respondents were going to say that they were experiencing more regulatory scrutiny on their fair lending exams. We have 16% of our respondents indicating more scrutiny, and that was higher than in 2021. Why more? Well, regulatory focus on fair lending is very high. We’re going to watch that one for 2023, but I did expect that was going to go up a little bit higher.

The other thing I expected to see more concern about (and was surprised that we didn’t) was climate financial risk management. We had 27% of our respondents indicating they were giving significant attention to climate risk related risk management, with 23% giving it some consideration. If you look at where we were at the beginning of 2021, there was a lot of anticipation about not only what was going to come from the federal prudential regulators, but also from the SEC with regard to any climate-related regulatory reporting rules. We did see some proposals there. We did see the prudential regulators moving in the direction of being able to provide clearer and better expectations, and we’ll see more of that this year. But I did expect that number to be a little bit higher than 50, even though it’s still pretty significant.

Some other surprises included increases in the scores for managing risks across business lines, giving us our highest number, at 59%, in the past four years. However, when we look back at when we began the survey 10 years ago, that number was close to about 70%. Third-party risk management went from about 15% of folks identifying it last year to 26% this year. That’s a lot. It probably reflects a lot of growth in partnerships with third-party firms, making regulators pay more attention to third-party risk management. We also saw increases in compliance management system investments. All the numbers for every category we asked about were up.

Finally, there are environmental factors that are weighing heavily on our respondents, such as interest rate increases, inflation and the possibility or potential for a recession. In addition, 73% of respondents indicated they thought that an overall reduction in regulatory burden was either somewhat or very unlikely over the next two years. That’s the highest number we’ve ever received on that particular question, and we ask it every year.