The Story of Two Banks:

Matthew Van Buskirk
Hummingbird Regtech
11 min read · Sep 29, 2020

A Regtech Cautionary Tale and Helpful Guide

By Lyn Farrell and Matthew Van Buskirk

“We always overestimate the change that will occur in the next two years and underestimate the change that will occur in the next ten. Don’t let yourself be lulled into inaction.”

— Bill Gates

Once upon a time, there were two banks, with similar compliance programs and staff. They evolved in two very different ways over the next ten years. Let’s look at how these banks operate, along with their costs, and the changes that their compliance officers will oversee in the next decade.

Octagon and Hexagon Banks are two contrasting organizations, representing two paths for current CCOs. Octagon continues with the tried and true, accepting there will be frustrations using old technology that automates a few functions but does not use artificial intelligence or machine learning to advance their processes. Hexagon embraces new technology and exponentially improves both the cost structure and efficacy of bank compliance functions.

Imagine that Octagon Bank continues with its current systems technology and processes, while Hexagon Bank migrates to cloud-based core processing that helps the bank analyze data more efficiently to reduce friction in operations. The compliance team is encouraged to use regulatory technology (regtech) and robotics to make compliance processes more efficient.

Where will they be ten years down the line? Let’s imagine how different they might look in the year 2030.

Here are some of the differences:

Compliance Structure and Staffing

Octagon Bank

Octagon has always run its core processing on a legacy system that is owned and operated by one of the traditional bank core processing companies. It is a bit awkward, but the bank is committed to using it because the leadership has had no appetite for a large conversion effort. Octagon’s internet banking program is an off-the-shelf program with basic functionality sold by its core processing company. It is not appealing to customers under 45 who expect more than the basic deposit and intra-bank money transfer options that are offered.

Octagon’s compliance department includes 80 employees. Of those, 45 are in the AML group, operating the BSA/AML program, monitoring suspicious activity alerts, documenting false positives and preparing SARs. The remainder of the compliance group is divided between advisory services assigned to assist the first line groups (seven employees), monitoring and testing (10 employees), HMDA/Fair Lending (six employees), governance (three employees), and ongoing risk assessment duties (nine employees).

Hexagon

At Hexagon, bank management decided years ago to migrate to a cloud-based core processing company that helps the bank analyze data more efficiently to reduce friction in operations.

Hexagon’s compliance department consists of 30 employees. Of those, there are 10 in AML, three in fair lending/HMDA, five advisors, two in risk assessments, two in testing, two in governance, two technologists, two operations specialists, and two decision scientists. The group uses software to perform nearly every mundane task within the department. Technologists and data scientists work directly with the bank’s information staff to set up data streams from the various products that allow the compliance team to test transactions and improve risk assessments automatically. Operations specialists work directly with ops areas around the bank to help smooth out processes that are found to cause potential customer problems (and potential UDAAP issues).

The major difference in how the programs of these two banks work is their use of technology to accomplish typical compliance program functions. Hexagon needs fewer people and can afford to hire specialists like data scientists and operations staff because many of the traditionally labor-intensive tasks the group needs to perform are now automated. Octagon’s group has changed little in its compliance performance during the past 10 years. So, their program looks much like it did in 2020, 2015, or 2010, for that matter.

Testing

At Octagon Bank, testing is performed on a schedule that is set at the beginning of the year based on new products, regulatory changes, and the number of testing hours available. The testing staff assigns personnel and works its way through the business lines and operational areas based on that schedule. They test transactional samples as well as compliance with policies and procedures. Testing requires seven full-time compliance professionals and one administrative person. The process takes a toll on the business units and operations, but it has worked for many years and the bank does not see a reason to change it.

At Hexagon Bank, all consumer loans booked the previous day are automatically loaded into the bank’s testing system to test for compliance with laws, regulations, and bank policy. Anomalies and exceptions are noted and sent to the testing team for review. Feedback is given quickly to any bank staff that have caused either an error or a violation of bank policy. The testing staff of two can easily handle the second line compliance testing for the entire organization. Testing results reports are given weekly to their business and operations partners with any suggested changes. Hexagon’s ability to move beyond sample testing to 100 percent automated reviews has given it full visibility into its risk level.

Risk Assessments

At Octagon Bank, the risk assessment team prepares extensive risk questionnaires organized by regulation, covering every pertinent part of the organization. These questionnaires contain thousands of questions that the team answers with help from the first line of defense annually. Once the questionnaires are completed, with the inherent and residual risks assessed, each area is assigned a risk rating. Most of the time, the risk ratings are calibrated and negotiated with the first line of defense based upon the perception of control strengths and comprehension. The risk assessment process from start to finish consumes much of the year with risk assessment outcomes finished by the end of the fourth quarter, just in time to start the process over again for the next year.

The compliance team at Hexagon receives data from almost every part of the bank, automatically streamed to the bank’s risk assessment engine for review and processing. These include:

  • Data coded from complaints;
  • Fraud cases;
  • SARs;
  • New product information;
  • Early account closures;
  • Dormant accounts and product usage (including spikes in usage and never used products); and
  • Auditing and testing and examination findings.

These data points, among others, are input into the risk assessment system daily, weekly, or monthly. Filters for each data stream flag risks as stable, falling, or rising and provide notices of changes in the bank’s risk status. Data on control functions are also input into the risk assessment engine from testing and monitoring activities to measure the efficacy of the controls. Risk assessment reports are produced daily, weekly or monthly, depending upon the frequency of the inputs for the compliance team. Reports are provided monthly for the cross-functional risk assessment committee. This committee meets once a quarter to provide a calibration check on the system. The risk assessment filters are changed as needed and new data is developed as the compliance or risk team determines the need. The operational experts and data scientists work with the risk assessment team in compliance to ensure that appropriate risk data are being captured and analyzed.

Fair Lending

Octagon’s compliance team uses a legacy fair lending program that uses the bank’s HMDA data to test for fair lending compliance. While the program has some regression analysis capability, the fair lending team works with a different vendor to produce more specific regression analysis. When anomalies are found, the team hires a fair lending attorney to help it determine where the root cause problem lies.

Hexagon’s team tests fair lending performance in real time when each new mortgage or home improvement loan is booked. The borrower’s characteristics, along with the property location, are used to recalculate regression analysis data for the bank. The bank has tools to prevent some fair lending issues. It requires loan decision makers to input all data into a testing system before agreeing to loan terms. If the rate is outside of bank policy, the loan cannot be booked and the lender must resubmit the loan data. The bank has a 100 percent record of compliance with rate policy using this system. Any attempt to override the system is flagged in compliance and in credit policy.

HMDA

At Octagon, about 50 percent of the mortgage-related applications are submitted online, while the other half is taken in the branches or through mortgage brokers using manually completed applications. The HMDA information is input into the bank’s HMDA reporting software. It is then scrubbed quarterly before it is finally submitted. This is a time-consuming process and the bank usually hires an outside firm to help with the task, but the bank generally has had no HMDA data problems using it.

At Hexagon Bank, all of the bank’s mortgage loan applications are submitted online. Even applicants who apply in branches are required to submit them online at terminals within the branch. HMDA-required information on race, ethnicity, and sex is gathered in a pop-up box, separate from the application itself. The applicant cannot move forward through the application until he or she checks the boxes or checks the “I do not wish to provide this information” box. The information is then sent straight to the HMDA processing engine within compliance. It is later matched with the completed application through a unique numbering system. The underwriting area and all decision-makers never have access to the information. Since the applicant’s actual information is input directly into the system, Hexagon has no data quality issues with its HMDA monitoring information data. The HMDA engine uses artificial intelligence to ensure that the remaining HMDA fields are correct. Anomalies are flagged and sent to the HMDA team for review. The team spends around 10 hours a quarter on HMDA quality control.

AML Transaction Monitoring and SAR Filing

Compliance at Octagon uses some rule-based technology to assist in AML compliance management and to monitor transactions. The rules-based tool produces a large quantity of transactions to review and investigate. The false-positive rate is around 75 percent, but each flagged transaction must be investigated and documented in order to complete the compliance program requirements. The role of investigators is fairly tedious, and one of the biggest compliance problems is job satisfaction among analysts and investigators. There is high turnover in these roles.

At Hexagon, artificial intelligence is used to find transaction anomalies from established norms as well as transactions similar to known financial crime typologies. Flagged transactions are reviewed, and truly suspicious cases are fed back into the system to help it learn over time. Once false positives are identified, this information is also fed back into the system to prevent them from being flagged again. The bank uses a software tool that aggregates all transaction data streams and presents them to analysts in a graphical format. This helps investigators move quickly through the process because the information is more readily understandable. Both the AML team in compliance and the fraud team use the same portal, so the information is visible to both teams and the machine learning element of the system learns from both. Hexagon has used this software to investigate and file SARs, and the bank has found that it has fewer false positives and actually catches more real suspicious activity. The number of false positives hit 15 percent of the transactions flagged during 2029, so the hours spent in investigations have decreased accordingly.

Conclusion — Show Me the Money.

Hexagon’s current compliance budget is $16 million. Of this amount, approximately 30 percent is for personnel, 40 percent for technology, and the remainder is allocated to other items. Octagon’s compliance budget for 2030 is $25 million. About 50 percent of the budget is for personnel, 20 percent technology, and other significant costs in the budget include legal and consulting costs to help with annual projects and remediation work.

This analysis does not take into consideration the job satisfaction of compliance professionals, freed from mundane tasks of analyzing partially complete data sets and striving to make sense of information that is not complete or clear.

Looking Ahead at Regtech:

We have realized that compliance is being transformed by technology and that the rate of change will increase exponentially, along with other areas of technological advancement. Over the next few years, this change will call upon every compliance professional to rise to new challenges that will be unfamiliar, sometimes scary, and also exciting, rewarding, and fun.

Every bank CEO wishes that compliance efforts cost less and that there could be more resources — both people and dollars. Compliance professionals want greater efficiency with less waste while being failsafe for our business line colleagues. Most seasoned compliance leaders wish that their efforts could be more effective in achieving the goals of the regulations, such as serving more middle-to-low income consumers, catching money launderers, or helping people avoid financial problems and live better lives. While we’ve all had these thoughts in some form, we have had to compromise because we do the best we can with the systems we have.

However, this no longer has to be the case. Technological advancements, including data digitization, the Internet of Things, artificial intelligence, blockchains, cloud computing and more, will fundamentally alter how compliance is done. And regtech figures out how to find, analyze, and share information in entirely new ways. (See A Radically New Approach to Simplifying Regulatory Compliance: The Use of Regtech by SK Karanam, ABA Bank Compliance, page 26, January–February 2020.)

What should a forward-thinking compliance leader do now to take advantage of the current state of compliance technology and move toward a better future?

The following steps will help prepare compliance professionals to transform their programs as technology advances:

  1. Educate yourself on the different types of technology that are or will become available. For example, learn about artificial intelligence, machine learning, natural language processing, and robotics and how they are being used in regulatory fields.
  2. Keep abreast of how your regulatory agency is embracing innovation. All of the bank regulatory agencies have innovation programs underway and all are attempting to modernize their own supervisory processes. The issuance of the Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing on December 3, 2018, was a step in this direction.
  3. Take steps to improve your data quality and accessibility. Having good data available for analysis is an essential part of this technological transformation. Making data clean and accessible is a harder step but a necessary one. Compliance leaders may not have the ability to make the decisions required to accomplish this, but they should certainly use their influence to help the bank’s leadership make good decisions regarding the bank’s data.
  4. Consider migrating to a cloud computing environment. It is more cost-effective, can be more secure, allows you to own your own data, and makes it easier to access and manipulate the data. Many larger institutions have migrated much of their data to the cloud, where it is generally much easier to analyze and manipulate. It is certainly more difficult to deal with data that is held captive by a core processor, and banks will need to make decisions on how to deal with their vendors to ensure that data is handled in the bank’s best interest.
  5. Develop a diverse compliance team. Having operations experts and technologists will give compliance teams a broader skillset and allow you to make more intelligent decisions. It will also give the compliance voice more gravitas and allow the team to adapt more quickly and easily when there are changes in ops and technology areas.

Matthew Van Buskirk
Hummingbird Regtech

Regulatory futurist, advocate for open-source regulation, and Co-Founder & Co-CEO of Hummingbird Regtech. We build superpowers for compliance professionals.