Ronjini Joshua (RJ): Hello, this is Ronjini Joshua. Today I’m here with Rick Dupree the CEO and Founder of Risk Alliance, and advisory board member of Compliance.ai. Today we’re going to talk about how the banking industry is doing more with less in result of the pandemic. And now, coming out of the pandemic. Hi, Rick, how are you doing today?
Rick Dupree (RD): I’m good, Ronjini. Good to see you. I’m doing well.
(RJ): Yeah, I’m very happy to have you here. We’d love to kind of dive into how banks can be more efficient. I think the first thing we kind of want to talk about and dive into is, what are the trends that you’re seeing in the banking and financial industry, with the growing and mounting regulations that are happening with all these new laws that are passing with the, you know, change of administration, the pandemic? I mean, I think it’s always been a lot of regulations. Are you seeing any specific trends that are happening right now?
(RD): Yeah, absolutely. Um, there are trends. To your point, though, there’s always a lot of volume. Every year the volume seems to increase, and we have different trends maybe but there’s always volume. Just focusing on administration as you brought that up. Even in the last administration, there was a trend and not deregulation necessarily, but some changes in existing regulations. That’s volume. In my opinion, that’s still something that financial banks and neo banks need to take into consideration. But last year in particular, going through the pandemic there were a lot of changes certainly around the specific to the pandemic, such as you know, the payment Protection Program. There are a lot of regulations and requirements around that program. OSHA had published several guidelines for employees that apply to banks and neobanks, all the while you had just your regular kind of day-to-day banking regulations that you still have to adhere to.
(RJ): Yeah, of course. Are you seeing that teams are any more overwhelmed than they were having to, like, agree with the volume? But are they? Are they a little bit more challenging because things are new? Or is it just the pace is picking up and staying up?
(RD): Yeah, I think a couple factors contribute to not only what I mentioned, with respect to, you know, trends are different, but volume is the same. This is just what we know, as of this point in time, right. I mean, with this administration, one could argue, trends will change, and volume will increase. But we don’t know that just yet. I know, with the new head of CFPB, there’s probably going to be certainly more of a regulatory oversight focus on the banking industry for consumer protection in particular. And that would go across the Neo banks and FinTech’s within their purview and their remit. At the same time, what you’re seeing is just a plateauing, or actually, we’ve seen over the last few years of plateauing of budgets in the risk and compliance space. And even more recently, despite the pandemic, despite the change in administration, you’re seeing a decrease in funding for these critical functions. So, you have to do more with less and you have to get smarter. And so there’s a lot that can be done with respect to increasing efficiencies. One of the terms I like to use is what I call program debt. It’s like tech debt. Over time, what you see in mature organizations or mature banks is that they have programmed components, they’ve laid over programmed components over time. So as they’ve had findings internally and externally, the tendency is to just get through that fight to remediate that finding, and then move on to basically your day to day until you get more findings, which is inevitable, right? Criticism from you know, audit, auditors, regulators, internal management, whatever the case may be. So there’s that kind of program debt. One of the things I can promote and recommend just to go through your program and see where you have this program. So where have you have you overlaid program components to old, older program components that may actually, that a lot of situations cause inefficiencies. There’s redundancies, you’re doing something six months from now, very differently, or maybe just the opposite of what someone else in your program has been doing for the last two years, but you haven’t reconciled that. So first and foremost, I’d say go through and just really look at your programs, your risk and compliance programs where you didn’t where do you have duplicate? Where do you have overlap? Where can you remove that program? And you can immediately start realizing efficiencies that way?
(RJ): Are you seeing any specific areas that seem to take more time? Or is pretty common that you’re seeing people like get caught up in these particular spots that maybe they could kind of look at first?
(RD): I think regulatory legal and regulatory change management is where you see a lot of duplication of effort, especially in the control functions. So legal kind of has their own process, risk has their own compliance has around finance with respect to Sox has their own. So I think immediately, you know, looking at centralizing that, and because that’s not the case, you know, and just getting your management and an executive commitment is okay. This is the area who’s going to handle regulatory change management, and you are all going to be clients of this area, and you’ll give them your requirement and they can look at tool solutions, etc. But we’re going to do it in one centralized location. The other area where I see a lot of duplication of effort is risk assessments. Now, there are testing. There’s independent testing, there’s QA QC, there’s risk assessments that are done as part of the compliance function, there’s risk assessments that are done as part of risk obviously. You have testing from auditors and examiners, but when they come in that’s a little separate and you don’t have control over that. But with respect to what you have control over and is appropriate for you to combine and leverage to three times rather than once, I would highly recommend that. And I’m very big on technology. You get that centralized, get it standardize, leverage it multiple times, and then add technology to it to make it more efficient.
(RJ): So that actually brings up another question for me in my mind. When you’re saying get this centralized, you know, kind of collaborate and figure out where the duplicates are happening. Obviously time is already a factor time is already an issue, like not having enough time to do a lot of this stuff. And this kind of audit, well, what kind of time do you think goes into something like this, when you have to make a little bit of a program or transformational shift within how you’re operating? And how does that pan out with the ROI section, because I’m sure a lot of people get a little concern saying things like, Oh, my God, it’s going to take us a week to figure this out or two weeks to figure this out. Is it going to give us enough ROI to take that extra time to figure it out? What does that look like?
(RD): And honestly, a week or two weeks would be fantastic. It’s usually six to 12 months.
(RJ): Okay. So that would be very ambitious.
(RD): And it depends on kind of the program component you’re looking at, but there are, so I would focus on just where are you? And you don’t have to like necessarily have technology to do this. Just interview your teams. Where are they spending the bulk of their time? I was working with a client not too long ago who was spending a lot of time on clearing their OFAC, their screening lists or sanction screening queue. And where I think they are 30 to 50 percent of transactions were going into this exceptions queue for manual review. And the end, if you’re a bank that literally has 30 to 50 percent of your customers flagging for OFAC reasons. That’s a whole bigger problem you need to address but more than likely it’s because of data integrity. It’s in your process is to set up in a way that is creating more alerts than really your risk profile warrants. So one way to do that, to me is where people are spending a lot of time and not getting the best ROI to your point. These aren’t true risk issues, it’s just operations. And my risk team and my compliance team should be spending more of their time on higher value items. So I would just focus on areas like that, where you can realize these efficiencies. And sometimes you can introduce a technology to help you get over that hump. So that’s where I’m going with this. Sometimes you can take the technology and get it proof of concept, based on, you know, current environment. You can provide some data, and they’ll give you an idea. This is where you are now, and this is where you could be with respect to our implementation. And that alone could create some significant efficiencies in your organization almost overnight.
(RJ): Yeah, okay. Well that sounds like a dream to anybody. Okay, so I think we talked, and you alluded to tech a little bit, of course. What kinds of solutions can help you ensure, like being able to scale those kinds of programs? Just, you know for your institution, for any institution. What are the types of solutions that can ensure scalability? You know, while you’re kind of sifting through all the mess that’s happening?
(RD): I mean luckily I’ve been in banking all of my career. And you know, before the financial crisis, and even before all of the current alphabet soup of regulations, so to speak. And even prior to that, you know, managing your risk and compliance obligations and legal obligations is fairly cumbersome. It’s a lot of work and it needs to be very targeted and very strategic based on your business objectives. Even 510 years ago there weren’t the solutions that there are today. And they’ve come so far that I have been involved in some audits and some exams, where the auditor and the regulator are asking what technology are you using. There’s almost an expectation that you’re using technology and especially even for the kind of repeat tasks, the lower level tasks that you can automate, that you can maybe through rules, even kind of auto approve those kinds of things. So again, I go back and it depends on you know, really your individual risk profile of your firm and what your business objectives are making sure that your written compliance program is aligned to your business objectives. If you have an area of risk, that has nothing to do with how you do business or where you’re heading as a business or a bank. You need to get out of managing that risk, it’s not a risk to you. So you need to exit that, and this goes back to programs that you could have had that because it was a risk at one point, or someone just made the wrong call in identifying as a risk. Where you truly have risk based on your business objectives, that’s where I would focus my technology strategy. And there’s quite a few options out there from GRC tools, to sanction monitoring tools, to process mapping tools, to regulatory technology, management tools, all of those. Depending on where you’re spending your person power, is going to be an investment that will have an ROI for you.
(RJ): That’s good point. So diving a little bit more into that, how can GRC and maybe other technologies be an efficient way or an efficient delivery method for RegTech?
(RD): Yeah, you know, regulatory technology, regulatory change management technology let’s just say, as a standalone product is extremely beneficial to an organization. One of the reasons I got involved with Compliance.ai is because I lived the nightmare daily of monitoring regulations for change. I would have email alerts coming from different various regulators that would allow that, so that I can get in front of these regulations. And we monitored it all and kept it in an Excel spreadsheet that everyone, you know, back then I don’t think we had a SharePoint site. So we were like passing around or it was on a shared file or something and you had version control.
(RJ): Sounds very secure.
(RD): And very secure, efficient, and quite effective too. Regulatory change, you know, kind of RegTech in general, you know, when that came out on the years I got very interested in because that was just a part of my life, and I felt that we were wasting our time doing as efficiently as other methods.
(RJ): there’s a better way, right?
(RD): There’s a much better way finally with technology. Now you’re seeing this with a lot of the other types of technologies that are coming up, because there’s always this regulatory component to what you’re doing. If it’s a sanction screening tool, if it’s a risk management tool, a GRC more generalized tool and there’s a regulatory component to it. You may have this as part of your process and is something you have automated, let’s say in the GRC tool, that is driven by regulatory obligation. So if that regulatory obligation shifts, you want to know about that, so you can change your process potentially. What you’re doing in an automated fashion using the GRC tool may no longer be compliant. So having an integrated kind of RegTech component to that, I think it’s extremely powerful.
(RJ): Right? Yeah that’s a good point. What do you think is a good way to kind of get started in finding out what are the most important things to you, that you think they should be looking for?
(RD): I’m an advocate of going back to your business objectives. So what are your goals? What are your strategic goals and business objectives as an organization? And what is your risk profile as a result of that? So if you are a payments company, you’re going to have risks associated with moving money and you’re going to have risks associated with it if you’re doing it for consumers and individuals. You’re going to have risk associated with regulatory obligations around disclosures, reclamation periods, and that kind of thing. Right. That will inform your risk profile, and ultimately your program, and from there your technology. I’d say benefits are where you could benefit from technology. What I wouldn’t recommend is going straight to technology. I mean, there are some great solutions out there, but again any vendor you go to they’re not going to know your business. They’re not going to know your unique environment. They are going to know their regulations, discipline, and all that. But you need to come to them with requirements. You need to come to them with your business objective and with your risk profile. Figure out your pain points. Once you figure that out then bring that to a vendor and say, what can you do for me?
(RJ): That’s very good advice. Thank you so much, Rick, for taking some moments with me to discuss this. I think everybody should be kind of becoming more efficient. I feel like the pandemic has really expedited that to everyone with getting a little bit more automated and situated with their processes, and I think is highly important in this day.
(RD): Absolutely. I mean as awful as the pandemic has been, it has really shined a light on this with really inefficient, manual, you’ll kind of legacy business processes, you know, especially in my space around risk and compliance management. And so that shining of that light is a good thing. And then otherwise, pretty dark here.
(RJ): Well, thank you so much. Thanks for joining us and have a great day!
