The Finastra Forecast: Compliance in 2020

The Finastra Forecast: Compliance in 2020The Finastra Forecast: Compliance in 2020

As 2019 winds to a close, we’ve sat down with Finastra leaders to talk about trends that will impact credit unions and community banks in the upcoming year. In this discussion, Mitch Lucas, Vice President, Lending Product Management, Development & Compliance for Finastra, talks about economic drivers that could affect compliance for credit unions and community banks, changing approaches to enterprise risk management and compliance management, and what tech trend will have the greatest impact on community bank and credit union compliance in the near future.

What regulations will have the most impact in the next 18 months?

“The most impactful regulation will not come down from Congress. It has come from California. The California Consumer Privacy Act  (CCPA) is a set of data protection and privacy standards intended to impose EU-style data protection and privacy on firms for the benefit of California residents. However, California’s deployment of this protection is extra-territorial, meaning it will have a wide impact on firms outside of the state.”

“The CCPA has a fair amount of exemptions and caveats, but it is certainly the beginning of a trend.  About a dozen other states have either had bills in the last legislative sessions put up for committee consideration or have moved toward requiring legislative study in order to prepare a refined bill for their next legislative sessions.”

“At a high level, the CCPA looks a lot like the EU’s General Data Protection Regulation: For example, consumers will have the right to know their data is being collected and to opt out of data collection.”

“Consumers will almost have a right to be forgotten, but it’s not as intensive as the EU take on data protection and privacy. This is the standard that will be most challenging for financial institutions to meet. How can financial institutions take care of data in a way that allows them to delete, or “forget” consumer data from a transaction, or even from an entire long-term relationship?”

“The answer is: Not easily. Technology providers do not and have not created data structures in any of our systems that support this approach. To do this right, we have to think about data and its constructs in a completely different way than we ever have before. That’s a massive technology challenge and a massive compliance problem.”

“Fortunately, exceptions and loopholes in the CCPA will result in a very light compliance burden for financial institutions, for now. But the compliance burden is not the only consideration  there will be a market burden as well. Community banks and credit unions that want to be good actors and attract new account holders and members will be under a lot of pressure to answer questions like, “What is happening with my data?” and “What are you doing with my data?”

“The need to provide answers to those types of questions will create new competitive and market pressures on financial institutions. For that reason, now is the time to think about how to implement and support the kind of data protection we’ve never had to deal with before.”

Should community banks and credit unions change their approaches to enterprise risk management in 2020?

“Enterprise risk management can be pretty straightforward for small financial institutions. Some just use a Word doc or an Excel spreadsheet, along with general operational controls around banking activities. But as a financial institution grows and its activities become specialized and diverse, the ability to systematize enterprise risk management becomes critical.”

“We traditionally think about products like Fusion LaserPro as providing a point solution around compliance. Fusion LaserPro takes all the necessary activities associated with the loan and walks the user through procedural compliance (i.e., they must make a loan in a certain way) and delivers substantive compliance (i.e., they must disclose terms and conditions or rates in a certain way). The outcome is a sound transaction and a sound asset added to the books.”

“But enterprise risk management is a broader topic. As we think about how compliance is changing and becoming more complex, there’s a melding of two worlds. We saw this in the market years ago, as far back as the transition from the old RESPA to TILA-RESPA. It turns out that collecting data and disclosing it in a certain way as part of a transaction is pretty straightforward. It’s the process requirements upstream where things become quite complex. For example, how will loan officers and tellers be educated on how to speak to customers about data collection, and what triggering events will be associated with that? Today’s enterprise risk management solutions should be able to manage the entire enterprise and reduce or even prevent the risk of things like improper conversations and data collection.”

“We saw the need to manage compliance upstream and across an organization when we came to the market with a tool known as Compliance Management that takes all content we were preparing and delivering for a software solution and expands on it to deliver in an automated fashion.”

“Content is now placed in the work queue, so the right people at the financial institution can be aware a change is coming and they can manage it through the entire process. Along the way, they are able to understand and assess the appropriate risk for that change, report to peers, and assign workflows to other parties. This minimizes risks such as the development of an unnecessary piece of software to manage the upcoming change.”

“The bottom line is that enterprise risk management and compliance management are now integral to each other.”

What else do you see ahead in 2020?

“The URLA 1003 changes that are coming next year will impact the mortgage side. Finastra has been working on rolling out capabilities to meet the new data collection requirements for mortgage apps. We’ve been sharply focused on getting this right so that the integrations with Fannie Mae and Freddie Mae are complete, tested, and ready to go when the deadline for URLA 1003 hits in the middle of next year.”