Mid-year checkpoint: 6 compliance trends
Amidst the ever-changing landscape of business and regulatory environments, banks and fintechs have to meet the critical challenge of maintaining robust compliance programs that keep up with evolving consumer expectations. Monitoring the latest compliance trends and keeping track of current and pending legislation and regulation is essential for forward-thinking organizations. You want to avoid regulatory penalties and protect your reputation, while you continue to unlock growth opportunities and future-proof your business.
Let’s take a closer look at some emerging compliance trends to make sure your compliance program is on track and ready to accommodate potential changes that could arise in the near future.
1. Prioritizing a process and call chain to handle complaints from the Consumer Complaint Database
Banks and fintechs need to have a well-documented, clear-cut process and specific line of communication in place for identifying, handling, and responding to all complaints from the CFPB’s Consumer Complaint Database. When you’re developing a consumer complaint protocol, consider the following:
Who initially addresses the complaint?
Which types of complaints are referred to your compliance officer?
When is it appropriate for complaints to be escalated to your board?
Who ensures that the protocol is being followed?
How often are you auditing your consumer complaint protocol to implement and finalize any necessary changes?
Without a definitive complaint management process in place, you not only expose yourself to potentially costly CFPB penalties ($3.7 billion in 2022 alone), you also miss an opportunity to learn from your customers and you put your reputation at risk.
This is especially important for fintechs because the CFPB dusted off years-old, dormant legislation to level the playing field between banks and fintechs. As of late summer 2022, it’s leveraging the "larger participant rule" within the Dodd-Frank Act to regulate nonbanks, neobanks, and fintechs and hold them to the same standards as traditional financial institutions. Recently, the CFPB also:
Issued an interpretive rule affirming states' authority to enforce Dodd-Frank rules at the state level, adding another layer of oversight.
Proposed a registry to help track repeat offenders. According to the proposal, fintechs that face penalties from a financial protection agency or court orders on any level would disclose this information on a public forum and make repeat offenses easier to spot.
Proposed an additional registry that requires fintechs to submit information and publicly disclose terms and conditions that waive or limit individual rights within non-negotiable form contracts.
With public platforms in place, the CFPB hopes to raise the stakes and send a message that noncompliant fintechs run the risk of regulatory penalties and losing credibility, customers, and influence in the market.
2. Reassessing, updating, and streamlining your incident response plan in light of increased CFPB rules and oversight
Similar to establishing an order of operations for managing customer complaints, you need to make sure your incident response plan (IRP) is up-to-date and working properly. As a quick refresher, successful IRPs include:
A description of your assessment process. Identify the types of disruptive incidents that are most likely to occur, and then assess your risk of experiencing those incidents in both the short- and long-term future.
A description of your incident response team. Select a team of employees who are responsible for responding to incidents and outline their responsibilities. The team should include representatives from different departments within your bank or fintech such as IT, compliance, and legal.
A process for identifying and reporting incidents. Outline a user-friendly process that encourages employees to report all incidents, even if they are unsure whether the incident is actually a breach.
A process for containing and mitigating the effects of incidents. Include steps to stop the incident, prevent further damage, and restore the institution's systems and data.
A process for communicating with customers, other affected parties, and the appropriate regulatory channels. Communicate information about the incident quickly and accurately, explain your response, and describe any steps that customers can take to protect themselves in addition to reporting the incident through the proper regulatory channels.
When you are updating your IRP, make sure you can answer the following questions:
How often are you performing a risk assessment? Do you need to increase the number of checks?
How often are you conducting security testing? Should it happen more frequently?
Have you clearly identified the key members of the response team and established a call chain?
Have you identified your worst case scenario and documented a specific response plan to address that occurrence should it happen?
What communication channels will be used to stay in contact with stakeholders during an incident?
How will the incident be investigated once it is mitigated?
You should also be thinking about how your bank or fintech is providing access to an anonymous, confidential internal whistleblowing channel. To stay compliant, your whistleblower plan should include several critical elements:
Reporting mechanism: The reporting mechanism should be confidential, easy to use, and made available to all employees.
Investigation process: The investigation process should be timely, thorough, and impartial. Make sure it is conducted by a team of experienced investigators who sit outside the department named in the report.
Protection from retaliation: Employees who report wrongdoing should be protected from retaliation. This protection should include prohibiting employers from firing, demoting, or otherwise discriminating against employees who report wrongdoing.
Training for employees: Employees should be regularly trained on the company's whistleblower policy and reminded of the protections outlined above.
By ensuring anonymity and offering protection against retaliation, internal whistleblower channels encourage transparency and empower employees to come forward with any concerns. They’re an important component of IRPs to assist with early detection and prevention of potential legal and compliance risks.
3. Watching (and preparing) for upcoming crypto regulations in light of new EU guidance
In Alloy’s inaugural State of Compliance and Benchmarking Report, 60% of respondents expected crypto regulations to increase in 2024. And while keeping tabs on crypto compliance has been on many watchlists for the past several years, one key factor has changed.
In April 2023, the EU Parliament endorsed a uniform legal framework for crypto-asset markets, the Markets in Crypto-Assets Regulation (MiCA). It entered into force in June 2023 and constitutes the most comprehensive piece of crypto regulation to date. When MiCA starts to apply in 2024 and 2025, crypto platforms, token issuers, traders, and other providers will need to be authorized in an EU member state. They will also be held liable for losing investors' assets and will need to hold the required reserves to fulfill redemptions, even in the event of mass withdrawals.
What does this mean for the US crypto industry? If the US adopts this framework, it will provide a uniform approach to regulating crypto domestically that is also harmonized with the EU. Crypto would be subject to more rigorous oversight in an attempt to stabilize this normally volatile asset and align it within the traditional US financial system.
If your bank or fintech holds crypto on your balance sheet, you need to seriously consider your KYB/KYC processes. Are they robust enough to account for more oversight over crypto transactions while keeping up with the fast-paced world of digital assets? Do you have the resources to build these solutions on your own? Finally, are you pulling in data from on-chain data partners to help facilitate these processes? Forward-thinking banks and fintechs would be smart to prepare accordingly.
4. Taking future AI regulation into consideration
55% of fintechs surveyed are already using AI in their compliance processes. Another 29% are exploring how it can be used and plan to use it in the near future. As more financial products and services incorporate AI and machine-learning models into their technology platforms, it’s important to keep in mind that the financial services industry still isn’t sure how AI might be regulated in the coming months and years.
In October 2022, the Biden administration released a Blueprint for an AI Bill of Rights — aspirational guidelines that provide a potential framework for future regulations. The document identifies and outlines the current administration’s five underlying principles for the use of AI:
Safe and effective systems which “should undergo pre-deployment testing, risk identification and mitigation, and ongoing monitoring”
Algorithmic discrimination protections which “should take proactive and continuous measures…to use and design systems in an equitable way”
Data privacy to ensure that only “data strictly necessary for the specific context” is collected and consumers are “free from unchecked surveillance”
Notice and explanation so consumers are aware an automated system is being used and are notified of “significant use case or key functionality changes”
Human alternatives, consideration, and fallback so consumers can “opt out from automated systems in favor of a human alternative” and view public reporting of human governance processes
No matter how future regulations unfold, the path to compliance is likely to be an intricate process; it can be complex and challenging to stay up to date with the regulatory landscape. The best way to prepare for future regulations is to closely evaluate your current AI applications and consider what steps you can take to align them more closely with the guidance above. (You can also take a look at how Alloy applies these principles to our solutions.)
5. Banks and fintechs using more automated, data-backed decisioning processes to help manage compliance
If your tech stack is effective and operating to the best of its ability, it will help remove data silos and centralize information instead of contributing to its segmentation. Instituting one, real-time workflow that utilizes data orchestration can assist with multiple facets of regulatory compliance: CFPB regulations, anti-money laundering (AML) regulations, and sanctions issued by the Office of Foreign Assets Control (OFAC).
Data orchestration is the process of collecting, transforming, and managing data from a variety of sources into a single view or workflow to enable more automated, data-backed decisions. It helps you move from a riskier, periodic KYC approach to an automated, perpetual KYC approach, which is particularly helpful when complying with AML regulations. Platforms that use data orchestration make real-time data more accessible to your data analysis tools and can even be set up to directly eFile a suspicious activity report (SAR), cutting back on the time and resources compliance teams typically spend on this task. When 55% of organizations believe that lack of automation is their biggest compliance barrier, and also report that their compliance teams spend 34% of their time drafting and filing SARs, suspicious transaction reports (STRs), and currency transaction reports (CTRs), data orchestration offers big, real-time benefits.
Data orchestration also lets you piece together a string of potentially suspicious activity that cannot be spotted when the data sits in disconnected sources. It is not enough to simply spot inconsistencies in your business data. Rather, you need to see how those inconsistencies fit together to form a larger picture, and that is where data orchestration comes into play.
For example, if you observe that a customer used a debit card at a hair salon, that likely would not raise any red flags. But what if they used it for that transaction at 3 a.m.? And what if they have been buying gas across state or border lines multiple times a month, on top of purchasing several airline tickets? When you see all of these behaviors unfold at once, seemingly unrelated activities suddenly become a lot more suspicious.
As a result, the benefits of using more automated, data-backed decisioning processes are two-fold:
It provides the flexibility that’s needed to comply with regulations as they change and evolve, so you can quickly adapt and incorporate new data sources into your workflow.
It helps you spot more sophisticated instances of suspicious activity, so it’s easier to comply with any currently existing regulations.
You’re able to see more activity, follow up with the necessary actions, and stay covered from multiple regulatory angles.
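The salon, fuel and airfare scenario above is really a correlation problem: each signal on its own sits below any sensible alerting threshold, and only a merged view of several sources pushes the combined score over it. The following is an added illustration written for this page, not Alloy's code or product logic. The two event sources, the signal definitions, the weights and the 20-point threshold are all hypothetical, constructed so that the card data alone and the travel data alone each stay below the threshold while the orchestrated stream crosses it.

```python
"""Correlating weak signals across data sources into one risk score.

Added illustration for this page; not Alloy's code. Every event, weight and
threshold below is hypothetical and constructed for the example.
"""
from collections import Counter
from datetime import datetime

# Constructed sample events from two hypothetical, normally siloed sources:
# a card processor feed and a travel-booking feed. Timestamps are ISO 8601.
CARD_EVENTS = [
    {"source": "card", "ts": "2023-06-03T03:10:00", "category": "salon",   "state": "NY", "amount": 85.00},
    {"source": "card", "ts": "2023-06-04T08:30:00", "category": "grocery", "state": "NY", "amount": 42.10},
    {"source": "card", "ts": "2023-06-06T19:45:00", "category": "fuel",    "state": "NJ", "amount": 58.00},
    {"source": "card", "ts": "2023-06-11T21:05:00", "category": "fuel",    "state": "PA", "amount": 61.20},
    {"source": "card", "ts": "2023-06-19T06:50:00", "category": "fuel",    "state": "NJ", "amount": 55.75},
    {"source": "card", "ts": "2023-06-25T17:20:00", "category": "fuel",    "state": "NY", "amount": 49.00},
]
TRAVEL_EVENTS = [
    {"source": "travel", "ts": "2023-06-05T12:00:00", "category": "airline", "state": "NY", "amount": 310.00},
    {"source": "travel", "ts": "2023-06-12T09:15:00", "category": "airline", "state": "NY", "amount": 275.00},
    {"source": "travel", "ts": "2023-06-20T22:40:00", "category": "airline", "state": "NY", "amount": 540.00},
]

# Hypothetical weights: no single signal, and no single source, reaches the
# threshold on its own. Only the correlated view does.
WEIGHTS = {"off_hours": 8, "out_of_state_fuel": 10, "frequent_airfare": 10}
THRESHOLD = 20


def orchestrate(*sources):
    """Merge events from any number of sources into one time-ordered stream."""
    merged = [dict(e, ts=datetime.fromisoformat(e["ts"])) for src in sources for e in src]
    return sorted(merged, key=lambda e: e["ts"])


def signals(events, home_state):
    """Return the weak signals present in a merged stream, keyed by name.

    Each value is the evidence count that triggered the signal.
    """
    found = {}

    # Any card-present style purchase between midnight and 05:00 local time.
    off_hours = [e for e in events if e["ts"].hour < 5]
    if off_hours:
        found["off_hours"] = len(off_hours)

    # Three or more fuel purchases outside the home state in one calendar month.
    fuel_by_month = Counter(
        (e["ts"].year, e["ts"].month)
        for e in events
        if e["category"] == "fuel" and e["state"] != home_state
    )
    if fuel_by_month and max(fuel_by_month.values()) >= 3:
        found["out_of_state_fuel"] = max(fuel_by_month.values())

    # Three or more airline purchases in one calendar month.
    air_by_month = Counter(
        (e["ts"].year, e["ts"].month) for e in events if e["category"] == "airline"
    )
    if air_by_month and max(air_by_month.values()) >= 3:
        found["frequent_airfare"] = max(air_by_month.values())

    return found


def score(found):
    """Sum the weights of the signals that fired."""
    return sum(WEIGHTS[name] for name in found)


def assess(events, home_state="NY"):
    """Score a stream and decide whether it warrants analyst review."""
    found = signals(events, home_state)
    total = score(found)
    return {"signals": found, "score": total, "suspicious": total >= THRESHOLD}


if __name__ == "__main__":
    # Siloed views: each source stays under the threshold.
    print("card only:  ", assess(orchestrate(CARD_EVENTS)))
    print("travel only:", assess(orchestrate(TRAVEL_EVENTS)))
    # Orchestrated view: the same customer now crosses it.
    print("merged:     ", assess(orchestrate(CARD_EVENTS, TRAVEL_EVENTS)))
```

Run stand-alone, the card feed scores 18 (off-hours purchase plus out-of-state fuel), the travel feed scores 10, and the merged stream scores 28 and is flagged. The design point is that `orchestrate` normalizes sources into one schema before any rule runs, so adding a new data source later means adding a feed and possibly a signal, not rewriting the rules that already exist. In production the weights and thresholds would be tuned against labeled case outcomes rather than chosen by hand as they are here.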
6. Increasing scrutiny of third-party vendor management systems
On June 6, 2023, the OCC, FDIC, and FRB issued final Interagency Guidance on Third-Party Relationships. This guidance incorporates prior OCC guidance and FAQs on managing third-party relationships. Coupled with the OCC's Blue Ridge enforcement actions in 2022 and the FDIC's Cross River Bank enforcement action from 2018, banks can now piece together a general playbook for managing their third-party relationships, including those with fintechs. Conversely, fintechs also have a better idea of what their partner banks expect.
Of note, the Interagency guidance confirms that banks can rely on a third party, like a fintech or other vendor, to perform due diligence on other third parties that contract with the fintech or vendor to provide critical services. Banks and fintechs should proceed accordingly:
The bank must factor in the risk of relying on that fintech or vendor to perform the due diligence.
Fintechs must prepare to invest more in their compliance management capabilities as their bank partners start to impose higher standards.
This guidance does align with federal regulatory exam practice over recent years, which emphasizes that financial institutions relying on other companies to satisfy federal regulatory obligations must be able to demonstrate a robust and dynamic third-party vendor management program, including aligned policies, procedures, and internal controls. Alloy’s own vendor management program is designed to support our bank and fintech clients’ reliance requirements and meet their third-party management obligations.
Alloy’s compliance report does show that fintechs have already started to make heavier compliance investments now that their bank partners are imposing higher standards. 51% have compliance teams of 11-24 employees, and 93% of the total respondents indicated that they use at least one third-party platform to assist with compliance management.
How Alloy can help
As the leader of a bank or fintech, you need to implement an end-to-end compliance program, continuously incorporate your learning into the programs, and maintain a flexible tech stack that allows you to do so. With an identity risk solution like Alloy, banks and fintechs can connect to 180+ data sources and streamline the data into a single workflow that provides robust applicant risk profiles, an activity history of customers’ actions, and recurring, automated checks against sanctions watchlists.
To explore how Alloy can help you keep pace with regulatory compliance at onboarding and throughout the customer lifecycle, check out our compliance tools and schedule a demo.