and its impact should be performed across all inter-dependent
lines of business and address a broad array of risks. Analysis in
advance of the change should consider the:
■ Life cycle of the new product or business change;
■ Risk that the change may result in potential consumer harm;
■ Assessment of new third-party relationships;
■ Assessment of related management expertise; and
■ Creation of documented procedures for new or revised
In many organizations, the risk management department establishes a committee charged with monitoring, reviewing, and
approving business changes and related risks. The committee is
typically comprised of representatives from the various risk disciplines including information security, financial intelligence (Bank
Secrecy Act/Anti-Money Laundering), credit risk management,
operational risk management, legal, and compliance. Internal
audit may also participate as a non-voting committee member.
In a small bank where there is not an operational risk function,
the head of operations may participate. And where there is not a
formal committee for this stated purpose, there could also be a
product development and improvement committee that considers
the changes that result from new/changed products. Intranets often
allow for staff to ask for compliance assistance beyond products,
and for a list of changes to rules and regulations for department
managers to consider and manage.
The make-up, details and reporting lines of the committee
may differ by bank or bank size, but essentially the committee is
responsible for review of the business case, sales, operations and
systems impact, addition of new third-party relationships, legal
ramifications, and compliance risks. Committee activities should
be reported to the appropriate management committee, usually
an enterprise risk committee, and ultimately significant changes
or high-risk changes should be escalated as needed.
Compliance officers must be prepared to vet changes thoughtfully to ensure organizational success. To do this, a structured
program that outlines the compliance considerations for evaluating change will guide the analysis, provide documentation, and
articulate the compliance guidance and feedback provided to
bank management, the board, and the regulators, thereby
providing effective challenge regarding the change.
Compliance shares the responsibility with other risk functions
and business lines for reviewing changes and providing guidance
on alignment with the bank’s risk appetite, and compliance with
applicable regulatory requirements. A formal compliance change
management program, including a framework of questions, will
help ensure the compliance assessment is thorough and any concerns or risks identified are communicated to appropriate levels
of management. Making sure the program is executed properly
is imperative. A more senior compliance officer with deep compliance and operations knowledge is best positioned to evaluate
compliance risks and business impacts. The individual must be
comfortable escalating risks to senior levels of management and
responding to challenging questions.
A formal compliance change management framework should:
■ Facilitate effective challenge;
■ Assess the impact of the business change;
■ Identify the potential compliance risk it may bring to the bank; and
■ Provide the documentation needed to support management reporting and regulatory expectations.
And, including the following items should help accomplish
New or amended rules or regulations
Responsibility for identifying new rules/regulations, changes to
rules/regulations, or review and evaluation of consent orders and
regulatory guidance falls on the compliance and/or legal department. Regulatory changes are driven by a mandated regulatory
timeline and implementation is ultimately reviewed by the bank’s
regulators in the examination process. It must be done well. At
a minimum, regulatory change management should include the
■ Monitor regulatory changes through various news feeds, regulatory websites/email subscriptions, or industry publications. Some institutions may also subscribe to governance, risk, and compliance (GRC) software products that offer regulatory change modules that provide updates and summaries. Advances in regulatory technology or “regtech” promise to make the regulatory change process more efficient and transparent.
■ Review, understand, summarize, determine, and communicate applicability of the regulatory changes to the business lines and functions impacted. Consider starting this review and communication when proposed rules are issued.
■ Determine accountability within both the business line and
■ Ensure all interdependent business lines and operations functions are identified and active in the change project. If third parties are involved, be sure to include them as well.
■ Establish a project timeline for implementation that outlines key milestones. Depending on the magnitude of the change, the bank’s project management office may also be engaged.
■ Assess changes required to policies, procedures, disclosures or agreements, systems, training, marketing materials, compliance monitoring, and internal audit programs.
■ Determine appropriate reporting and escalation within the business line and senior management for updates to the regulatory change project.
■ Ensure system testing protocols occur, if applicable, prior to roll-out of the change.
■ Review and monitor the regulatory change post-implementation to ensure processes are operating as expected.
■ Monitor complaints post-implementation to address any negative customer impacts.
Once introduced, a change is more likely to become
successful when it gives employees ample time to
develop the awareness and desire to accept the
change, the knowledge and ability to make it happen,
and the right follow-up to sustain it.