Scottsdale, Arizona, June 7, 2022 – i3strategies®️, a boutique consultancy with unique expertise in the Financial Crime Risk and Compliance space, is pleased to present our latest blog post.
We hear a lot about modernization and its promised benefits. But how exactly does modernization happen? Regulators are wary of changes that may upend a compliant program. Financial institutions are conditioned not to upset regulators. How does innovation and modernization occur in such a situation?
Many Financial Crime Risk and Compliance operations are riddled with inefficient manual work, high costs, and outdated technology. Compounding these problems is the fact that programs detect just a tiny portion of the actual suspicious activity flowing through the financial system. Yet, in most cases, these same programs comply with regulations, creating a peculiar environment where things don’t work very well, but they work well enough. This creates a suboptimal and unsustainable status quo. Congress and the Administration know this and frequently vocalize their encouragement for change. But is encouragement alone incentive enough for risk-averse institutions and field examiners to make changes needed to modernize how we detect, investigate, and report suspicious activity?
The government says it wants to offer specific direction on modernizing but has yet to issue guidance on how to do so. As potential guidance is considered, what can regulators and institutions do now to accelerate modernization? How can institutions and organizations move forward with projects while not raising concern among on-site examination teams that then make financial crime compliance officers wary of trying new approaches?
A New Mindset
For modernization to succeed, regulators must re-orient their perspective away from the status quo’s safety and security. In its place, regulators need to see modernization as inevitable, and they seem to in 2022. However, in government, when leadership declares a new policy, those doing the work in the field are sometimes reluctant to change. This is not a criticism of those in the field; it is just how human nature works - the status quo provides a sense of safety and security. For modernization to work, field examiners must feel protected from undue criticism by their agency’s leaders.
Agencies should acknowledge that when institutions embark on modernization projects such as replacing software, re-organizing departments, merging operations, and rearranging workforces, some of these efforts will succeed, and some will not. In instances where they do not, and institutions are transparent about that, examiners and institutions should not fear repercussions from agency management. (The FFIEC 2018 Joint Statement on Innovation to Combat Money Laundering and Terrorist Financing did say innovation “pilot programs in and other themselves should not subject banks to supervisory criticism even if the pilot programs ultimately prove unsuccessful.” Issued nearly four years ago, it may be time for the regulatory agencies to re-state this publicly and more often.)
Getting Started; A Workable Approach to Modernize
To incentivize innovation, it will be helpful if and when regulators issue formal guidance spelling out the steps for institutions to plan, execute, and report on modernization projects. We understand the suggestion of yet more guidance likely meets with an industry-wide eye roll. Still, institutions will be reluctant to pursue new approaches without clarity of what regulators find an acceptable strategy, and innovation will continue at its molasses-like pace.
Despite the lack of specific guidance from regulators, it makes little sense for institutions to delay modernization projects. It is understandable in such a situation that institutions feel reluctant to begin. However, having a clear, defined, and easy-to-understand project framework reduces concerns for both the institution and the field examiners. Here are some suggestions for creating a solid modernization framework.
- Alignment of Key Stakeholders. Modernization projects begin with thoughtful, detailed conversations between all the departments and management required to upgrade systems and processes. This includes AML, sanctions, fraud, anti-corruption, information technology, internal audit, purchasing, finance, lines of business, the C-suite, and the board of directors.
- Clear Strategy: For this purpose, let’s define strategy as the goals you want modernization to achieve. These must be clear and easily understandable. Nothing dooms a plan as much as a lack of clarity. Without getting into too much detail on strategic planning, start by asking a few questions such as, “what is currently working effectively and what is not?” “Is [insert process name] sustainable?” “How do we stack up compared to our peers?” Pick the program elements you want to modernize and craft what the new versions look like. Get agreement from all the stakeholders on which goals to pursue over the next three years. Take the goals - whether new technology, procedure changes, workforce changes, or operating model changes - and spell out the reason for the proposed changes, the readiness to undertake the changes, the needed budget, the risks of implementing the change, and how those risks are mitigated.
- Written Plan of Action. Without detailed written plans, modernization projects will fail. Plans included step-by-step direction on the work steps needed to achieve change and who will perform which step. Plans must also include timelines, milestones, resource allocation (people and technology), and dependencies (what needs to happen for the project to work).
- Transparent Communications. Financial Crime Risk and Compliance executives need to communicate regularly with an institution’s executives, the board of directors, internal audit, and the regulators. These communications are to update each group on the status of the modernization work plan, including achievements, delays, adjustments, and risks.
- Update Program Components. Plans around updating risk assessments, policies and procedures, and training staff on new processes.
- Practical Testing Measures. A written plan, schedule, and resources independently tests new technology, processes, procedures, and operations.
- Retire Outdated Approaches. Define criteria for retiring every policy, procedure, process, and software system that are no longer effective. Spell out which new process or system will cover risks old approaches were meant to address. Incorporate all the elements of the strong communication plan already in place with management, internal audit, and the examiners.
For modernization to succeed, a mindset shift is needed. Unless the industry believes regulators support change, modernization will stall. Institutions must believe they have leeway to try new approaches and occasionally have these approaches fall short without fear of punishment and penalty. Agreeing on a defined framework for how to modernize is the best way forward.
Post Script for Regulatory Agency Management
As agencies contemplate guidance, consider emphasizing the message conveyed in the 2018 FFIEC Joint Statement on Innovation Efforts that modernization aims to improve how “...banks identify and report money laundering, terrorist financing, and other illicit financial activity…”. The purpose of modernization is not to duplicate every current risk assessment, due diligence, monitoring, investigation process, procedure, scenario, or typology. Expectations that organizations operate old and new software systems simultaneously, or “run in parallel,” is costly, time-consuming, and sends the message that regulators expect a new system to do precisely what the old system did. This impedes progress and discourages attempts to innovate. Modernization means leaving the old stuff behind.