summarize the regulatory requirement
■ Include a link to the source document for easy access to more detail.
■ separately detail the effective date for quick reference
Identify affected line(s) of business.
describe the impact including advantages and disadvantages tro the bank.
clearly articulate inherent risk and controls that exist or need to be implemented.
Identify the level of impact (e.g., system enhancements, disclosure revisions, procedure updates, and
Identify needed resources
Identify next steps (including roles and responsibilities
loB and loB compliance
loB and loB compliance
log, loB compliance, and It enterprise compliance
of reporting is more fully described later. After a rule has been
implemented, move it to a third tab to capture closed projects.
The final rule has been published. A thousand things go through
your head: What is required from a regulatory perspective? What
lines of business are affected? Does the final rule create a substantive change or simply a tweaking of procedures? Will a formal
project plan be required? How much time until the effective date?
Conducting an impact analysis is critical for all final rules. It
may also be helpful to apply the process to substantive proposed
rules and significant regulatory guidance issuances.
It is helpful to establish a memo template to assess and communicate business impact. Given that the development of the
document will be a collaborative effort, define roles and responsibilities up front. Exhibit 2 contains an example of the topics
you should include in the impact analysis, as well as a possible
division of tasks between groups.
As each area works through the business impact phase, it is
important to be aware of the industry’s current experiences and
struggles. Insight can be gained through networking with peers
to understand their interpretation and application, watching
the news, reading articles, staying abreast of enforcement action
activity, and participating in trade organization discussions. Such
awareness will help compliance, legal, IT, and LOB management
think beyond the strict reading of the regulation at hand and
capture context regarding the intent of the change.
It is also recommended that you assign initial risk ratings to
various categories to help you gauge risk during implementation.
Key categories to consider include the following:
Regulation risk: Are the changes material or complex, requiring
significant analysis and interpretation and thereby indicating high
risk? Are they moderate in complexity, indicating moderate risk?
Or, are they relatively straightforward, low-impact changes more
indicative of low regulatory risk?
Line-of-business (LOB) implementation risk: Is the LOB placed
in a high risk category due to the impact from required changes
to forms, disclosures, policies/procedures, or training? Is the
regulatory change considered low risk due to minimal changes
that will be required? Or is it somewhere in the middle?
Information technology (I T) risk: Is IT risk high due
to significant programming or system updates? Perhaps
IT changes are expected, but the full impact can’t yet be
quantified. Or, risk could be low with few, if any, IT changes
Time risk: High risk would indicate that significant concerns
exist that the regulatory change will not be (or has not been)
implemented by the effective date. Moderate risk recognizes that
a significant amount of work remains to be completed to ensure
full implementation by the effective date. Low risk signals that
all stakeholders are on target for implementation by the effective
date with no significant concerns identified.
Overall risk: This category is a subjective assessment based upon
your estimate of total risk after considering the impact of the other
four categories and any mitigating circumstances.
Obviously, you can define more risk categories that may
be appropriate for your institution. Using this type of regulatory change risk assessment provides a useful reporting tool for
executive management that quickly summarizes the bank’s risk
position for any given regulation, and also the bank’s position,
as a whole, in managing all regulatory changes (refer to Exhibit
3: Regulatory Change Dashboard on page 12). As referenced
earlier, this dashboard can also be easily used as the “final rules”
tab of your regulatory log (discussed in the identification section
of this article).
It is important to recognize that not every change will require
the same degree of formality in implementation. That is to say,
not every change will require a full-blown project plan with
several levels of oversight and working groups. Using the risk
assessment approach discussed in the impact section will help
you make appropriate determinations given the risk level of the
change. That being said, for each regulatory change, you will
still want to maintain a minimum amount of documentation.
These records demonstrate a thoughtful analysis of the change
implementation and appropriate sign-off that the change was