
Navigating Regulatory Scrutiny Webinar

This webinar dives into a global perspective of today’s regulatory environment. In this webinar, panelists answer the burning questions of: How and why does ESG impact your operations process? What do organizations need to prepare an effective digital strategy? Is your organization prepared to scale its compliance efforts? Listen in as regulatory and compliance experts Doreen Ghusar and Kelvin Dickenson discuss:
– The volatile state of financial services
– Staying competitive in a time of uncertainty, scrutiny and change
– Developing an integrated risk management process
– Best practices on digital migration to mitigate uncertainty in the future of your operations

Read the full transcript below.

Navigating the regulatory landscape during periods of intense growth, change and regulatory scrutiny.

Speakers: Kayvan Alikhani, Doreen Ghusar, Kelvin Dickenson

Host Introduction: Hello everyone, we’re just going to have a few minutes to let people file into the room and we will get started momentarily. All right. Hello and welcome to Compliance AI’s webinar, “Navigating Today’s Regulatory Landscape During Periods of Intense Growth, Scrutiny and Organizational Change.” If you have questions during the webinar, please feel free to drop them in the Q&A section box below. We’ll cover those at the end. (Sometimes we’ll pick them up if they’re highly relevant during the conversation as well.) Let us know if you’re having any technical issues by dropping the host a message in your chat box and we’ll get to those questions at the very end. We wanted to start off this webinar today by sharing our webinar schedule. Kayvan, if you can. Yes, there we go. If you guys would like to, we have our events section on our website. I’m dropping the link in the chat here where you could check out all the other events that we’ll be hosting throughout the year as well as registration links for the webinars that are coming up. Now I will turn it over to Kayvan Alikhani, the CEO and co-founder of Compliance AI.

Kayvan Alikhani (Kayvan)

Thank you so much Ronjini. With me today, we have Doreen Ghusar, Head of Compliance at Onbo and Kelvin Dickenson, Senior Vice President of GM and change agent with SAI. Thank you so much for joining me, discussing a topic that is probably impacting every regulated organization. But specifically, today focusing a little bit more on banking, financial service and insurance impact. First of all, the state of current affairs within the US, as it relates to regulatory changes. We’ll focus on some areas that we’re seeing increased scrutiny. Talk about areas of competitive growth as we’re having scrutiny. Then how your organizations are continuing to grow and evolve. How do you then apply best practices to complete that digital migration and mitigate uncertainty as your organizations continue to grow? Starting the conversation regarding US regulatory activity, it’s good to have a picture straight out of compliance study, (shameless self-promotion) a screenshot of our product, showing how agencies in the US (at a federal level) have been pacing in the past 12 months alone. Regarding regulatory changes that are published, either in the form of proposed rules, agency updates, guidances, reports, final rules and finally, enforcement actions. From a rulemaking perspective, you can also see a very active and robust collection of proposed final rules being published within the US (Federal alone, I thought it would be overwhelming to bring in the 50 state aspects that we also track and also international regulations.) For today, looking at the volume and velocity of regulatory changes that we’re seeing now and in the past year. The flip side of regulations is enforcement actions. Once again, we see a pretty steady flow of regulatory enforcement and compliance-related enforcement actions that have followed suit. (Specifically ones impacting the financial service organizations here in the US or multinationals operating in the United States.)
So, with this backdrop, we want to see if we can start a poll, saying “Okay, well, this is all happening, enforcement actions are coming. What regulatory challenges keep you up at night?” I think there’s some answers here ranging from “not being able to keep up with them,” that your organization has “fines coming in and you’re missing deadlines,” or that “all is well and no need for any worries.” So we’re gonna give it a good minute as the answers are flowing in.

I’ll be very interested to see who’s sleeping well at night and want to contact them to see what’s the secret to that?

<To Moderator> All right, did you want to publish it? Great. So it seems like no one’s sleeping well. The majority are talking about missing important regulations as being their number one concern, followed by not being able to keep up. 

Kayvan

A closer look at the US regulations and increased scrutiny: New administration has been in play for a couple of years in emerging regulations, a new direction and maybe looking at the patterns here. Doreen, what are you seeing emerge in terms of both the directions? In light of the volatility of the political environment? What are we seeing from the administration as it relates to regulatory and compliance matters?

Doreen Ghusar (Doreen)

Yeah, absolutely. Again, Hello, everyone, and thank you for inviting me to speak on this topic. With the current administration, what we’re typically seeing more and more focus on is, again, consumer impacts. It’s looking at the benefit that the consumer will endure by using a certain product, a certain tool of looking at financial stability, looking at racial equality within, you know, lending aspects of the world across the board. And, you know, as we look at cryptocurrencies, AML, and BSA impact is also an extremely important topic that is being looked into in detail with this new administration. So, those are the top things that are happening in the regulatory banking environment as of right now. And then, of course, you know, with respect to our volatile political environment, there’s a lot of things that’s happening within the global aspect of things that impacts the US financial system in one way or another. So, you know, really looking at from a risk perspective, how does that impact and affect banking as a whole, whether it’s consumer lending, whether it’s, you know, real estate, or whatever aspect of lending we’re looking at, and, of course, everything else that is going with, you know, with the war that’s happening, and how the sanctions are affecting not only the US, but globally, as well, too.

Kayvan

And earlier, Kelvin, I provided a sense of volume and pace for US organizations. Double-clicking on that, can you talk about where we’re seeing areas of scrutiny as it relates to those changes?

Kelvin Dickenson (Kelvin)

Yeah, absolutely Kayvan. Of course, there’s scrutiny in a lot of areas and things like the changing impacts of risk in Europe, things that happen outside the control of an administration also have a big play here. Some things are happening both in the US and outside the US that impact us really focus on the emerging importance of ESG. For this audience, the governance aspects are almost as important as the current teeth in the environmental aspects of privacy and cybersecurity, it’s also increasingly important. So again, we think of not just the overwhelming uptick in ransomware attacks and then illicit intrusive activity. But you also think of the potential of this being used by nations as bad actors, and the increasing threat, when you have conflicts on the ground. So again, back to the European unrest, that has an impact on privacy and cybersecurity and elevates the risks that companies have to protect themselves against. It also elevates the focus to which regulators will key in on this and maybe tighten expectations. We’ve seen that not at the national level, but also you’ll see that at state levels, there is an increased focus on what the notifications should be when the customers have to be told if the data has been compromised, and so on and so forth. Beyond that, there’s increasing demand for cryptocurrency to be regulated through the Bank Secrecy Act in the same way that regular currencies are. And we see almost a contest between state regulators and the Fed who’s actually going to regulate this currency. But given the volatility in there, given the opaque nature of it, and the clear opportunity for bad actors to leverage it for the wrong reasons, there’s clearly going to be more action around that. And then finally, anti money laundering. And when we think of anti money laundering, most people think, you know, organized crime, but increasingly, this is sanctions, evasion, and export controls. 
And that, of course, becomes much more heightened when you have a more dynamic sanctions regime, when you have new sanctions, especially on individuals that come up and are quite complex, especially as you consider high net worth individuals in certain countries. And when you see export controls, specifically on dual use goods, and help those goods find their way into countries that we don’t want to so that’s going to continue to work both change regularly, but also be increasingly scrutinized. Most of this ties back to ESG. So as you are socially found to be not in compliance with export controls, that is going to be found very socially unacceptable, as well as frowned upon and sanctioned by a regulator. 

Kayvan

Yes, the areas that you’ve outlined, I think we had a session I want to say a couple months ago, on privacy, cybersecurity, crypto, I think we covered it in a prior webinar, anti-money laundering, we did a session at our EITL. But ESG, of course, this emerging area, kind of double-clicking on that. What do we see specifically as it relates to ESG (the overarching concerns) and give us a sense of what we mean by greenwashing. How, what role are executive orders playing in all this? And also, how does the investor community think about ESG? With or without regulations in place?

Kelvin

Yeah, absolutely. So the first thing to remember about ESG is nothing that occurs within the banner of ESG is actually new. So it covers environmental issues. There’s already a tremendous amount of environmental regulation. There are specific standards emerging in the EU and in the US around how we account for our impact on the environment. And that, in many ways, has been done for a while. But what the impact of ESG does is it increases the stakes. So that ties back into your point about greenwashing. Right, it’s moving beyond, having a kind of wooly statement of intent that says “we’ll be carbon neutral by the time I retire,” to “we will reduce carbon by ‘this much’ over ‘this period’ and here are the steps.” (By the way, we will give you concrete audit-proof accounting, for that’s how it goes certainly in Europe.) You may even have to lay scope two or three into our supply chain and their impact beyond just aspirational goals, that are really more PR and marketing than they are concrete. With the new reporting frameworks, you know, this is now auditable, and has clear consequences (if it is wrong). So that’s one impact. Beyond the environmental factors is the big focus right now, because that’s where the regulators are putting hard measurements and potential enforcement. The social aspects of ESG are already well documented. Again, this elevates it beyond, “I have a diversity equity inclusion program” to “I have that and I want to measure it, I’m going to show you my progress against it.” Not only do regulators care about that being real and accurate (and that ties very well into just the integrity of your reporting), but employees also care about it and increasingly have choices. Customers care about this and that has a key impact on your business. They will vote with their wallets if they do not see the companies demonstrate the same values that they share and they have choices too. We mentioned the investor community. I do want to touch on governance.
We’ve talked about governance risk and compliance for many years. All of the aspects of ESG really just transform. How do I show risks to my business and how do I show the impact that my business has on these things. Governance is making sure that your finances and tax accounting are beyond reproach. It’s making sure that your SOX compliance is audit-proof: that your policies and procedures match the aspirational culture that you want to talk about in your analysts reports, code of conduct, and whistleblower hotlines. All of these are governance aspects about “how do I police my impact, as a company, on society and on the environment?” The Investor community views this in two ways: one is a cost to investors. The community wants to be able to stand behind the veracity of ESG indices. So if they say this is a portfolio, an investment that is environmentally sound, they want to be able to stand behind that. But secondarily, investors are also increasingly recognizing that companies that are well-governed companies that have sound environmental and social policies, good corporate citizens, and demonstrate this actually grow better and thrive in the long term, they are better investments for an investor. So is ESG important for regulators? Yes, I would argue that the stakeholders of the investor community, the customer community and the employee community are actually going to have a much bigger impact on companies.

Kayvan

Also, in light of what we saw in the Supreme Court here in the US, taking away some of the power of the federal agencies to regulate from an environmental perspective, (specifically the coal industry), executive orders are coming into play. There seems to be sharp contrast and contradiction across jurisdictions, (When you look at where Europe is, in terms of the adoption/enforcement of environmental, social governance-related regulations versus the US.) Now the executive order is being used as a lever to impact that. Are you seeing that within organizations that you’re talking to? Are companies confused about the direction the US is taking around this? Or are they more in preparedness and readiness? We have to be able to do this anyway. Then the cross jurisdictional aspect is, are you also seeing the same thing from clients and from organizations (that you’re talking to) a “sense of confusion” around this?

Kelvin

It’s not so much a sense of confusion, I think. It’s probably fair to say most of the world is confused about the way the US regulates things. We do have the competing voices of the Supreme Court who will interpret. You have executive orders, which often will become contested, either at the state or the higher court level, and then you will have the encouragement of new regulation to work its way through the House and the Senate, that may that, in fact, change either of those. Obviously, there are very large societal issues, such as Roe v. Wade, that are very polarizing, certainly in the US probably not anywhere else, that now are causing those to have executive orders, Supreme Court decisions that change things, and also competing and very different regulations at the state level. So you’re going to continue to see that. What you’re also going to continue to see is that companies are really not waiting to see what the regulations lead them to do, because they’re very well aware and most of them do business globally, not just in the US, most of them are subject to the whims of the investor and customer community. This social stance is actually more important in terms of revenue and market cap than regulation. What you’re going to see is that in the absence of clarity, the companies will find clarity for themselves. There will be a “grown up” in the room. I think we will see corporations taking the lead here. How they tie into climate matters or into social matters, they represent their employee base, customer base and investment matters that affect the business in terms of market cap. 

Kayvan

In many cases, the impact on a financial service organization is very much indirect. Maybe environmental regulations are not impacting your company directly, but they do impact the loans that you’re issuing to organizations that are not complying with those environmental regulations or, as you said, as a “badge of honor,” or as a marketing method or to attract investors who are very much now ESG-aware and ESG-concerned. So those would be the drivers.  Now speaking of companies and their posture as it goes, regulations are changing. That train has left the station. Alongside that, companies are growing: operating in new jurisdictions, launching new products/services, going through M&A, new products being launched. So Doreen, while regulations are changing, how can companies scale their compliance practices alongside the regulatory changes as they’re going through growth? What do you see as the drivers there? What do you think they should be watching out for (from a compliance perspective)?

Doreen

Yeah, absolutely. The nature of the banking business and people’s understanding of “what is banking?” continues to evolve in so many ways that we’re seeing today. The industry is challenged. Players are state, federal and global regulations. One of the things that I highly recommend organizations to keep an eye on is the fundamentals, while at the same time preparing for the new laws and regulations that emerge. Their focus areas such as, you know, as we’ve mentioned, ESG, financial inclusions, digital assets, you know, to name a few, one of the things that I would highlight is the regulatory parameters. So several banking activities, they occur outside of the Federal Bank regulatory parameters, as you know, we as compliance officers know and are instead addressed, at state and local levels. Just, how Kelvin just said. It’s kind of humorous to see the competition between state and federal for our anti-money laundering BSA AML impact, but this model is coming under a lot of increased pressure with digital development, like we’ve seen in the industry is stablecoins, decentralized finance. However, absent a crisis, given the closely divided Congress and the midterm elections, regulatory environment may also come from agencies instead of legislation. So that’s something we have to keep a keen eye on and be aware of what’s happening. With respect to governance and core risk management, again, one of the things we have to ensure that the financial risk management, governance expectation, we have, you know, strong internal controls. Make sure that organization understands what are the three lines of defense, and how that is implemented operationally, and owned by both the border supervisors, long level employees, that is extremely critical to industry wide call to action. And, of course, you know, in the newly emerging risk areas like remote and hybrid work environment that is becoming extremely common these days.
I’m not going to talk more about compliance and anti-money laundering, as Kelvin has covered that. But, you know, one of the things that also we need to ensure and look at is your consumer and consumer protection. So, building on the momentum, and of course, renewed focus on consumer protection is one of the things that’s extremely important to this administration. And, of course, we expect the banking and financial regulators will accelerate consumer related supervision and enforcement activities in 2022, with a particular focus on areas such as fair and responsible banking. The other things to keep in mind is also your data infrastructure and technology resilience. So, you know, more than ever data is critical to identify and manage emerging risk developers mitigation responses. The results that we need to look at should be looked at as a technology strategy alongside data strategies to consider the integration and legacy systems. So what is the data availability across the firm? What are your privacy protection considerations, your data security, analytics and capabilities and resiliency. The other important factor, again, is to focus on and consider is, you know, your third party risk management. Is it a cornerstone? Yes, it’s a cornerstone of a non-financial risk for banks and banking regulations. We need to understand what are the banking ecosystems and what banks are doing to operate their programs, of course, in these three areas. What does agility and responsiveness look like? What does consolidation look like? And how can you expand upon that? So those are some of the things that you know, from a regulatory change train that is moving that…

Kayvan

Doreen, did we lose you?

Doreen

I’m right here. Sorry. I’m sorry about that. My internet just went out. <continues>

How do we deal with growth and again, it’s understanding the development plan, understanding the model, understanding what is more important, and putting that on the roadmap and of course, doing a risk assessment to, you know, deploy that from what is your highest medium and low level risk and something that, you know, that needs to be done now, something that needs to be considered with the factors I just mentioned, and how do you continue to move on. One of the things that, again, as we continue to evolve as compliance officers, or as these people within our realm, there are so many great tools that are available to us right now. And honestly, that’s what makes me go to bed and sleep like a baby. <laughs> And, you know, just knowing what these tools are, and helping us accelerate and expand our focus within the regulatory risk management compliance realm is extremely important, because this is something that is helping us to identify your risk areas and manage your compliance management system.

Kayvan

Yeah, sorry, go ahead, please. I didn’t mean to interrupt you. 

Doreen

Go ahead, continue. 

Kayvan

Growing as a company, I’m operating in a new jurisdiction at the same time I just observed, you know, four states have significantly increased the level of scrutiny and five areas, how many more people do I need to hire? What tools do I need to add? What kind of structural changes do I need to make to my organization? Are you as a compliance practitioner finding companies to be very well set and making those assessments or implementing? Or are we kind of more on a crawl/walk/run comparison like we were somewhere 10 years ago? Where do you see organizations now and in fact, I am trying to incorporate the question that I saw from how do we as an organization identify the technologies that help us with scaling? In other words, what approach is taking, constantly putting RFPs out, RFQs out, what process? Have you seen as a compliance practitioner helping organizations scale alongside the regulatory minutia or tsunami that’s happening in front of them?

Doreen

Yeah. No, those are good questions, I think one of the very, extremely important things to do depending on not depending on I mean, it doesn’t really matter what stage your company is, if you’re a new company, if you’ve been operating, you know, for the past five years, 10, 20, it’s one of the extremely important things is to do a risk management oversight. What are your risks? Do you know the risks that entails in your company? What are those trending analysis? Can you look at your process and operations and procedures and models today? What does it look like from compliance by automation is 80% of the work that you’re doing or production that is being done is that a manual process, you take a human or somebody that is making sure that they are going in and crossing all the T’s and dotting all the i’s, and building from there, based on that, automating the tools again, you know, I had, it was taking me about six hours a day at an organization, I was to go in and map out all the regulatory changes that was happening, and that is across the board from federal to state level. And one of the things that I was able to do and found very successful was go in and do this risk assessment and then say, Okay, well, what are the tools that are out there that can help me, you know, be a more robust compliance officer, and this will blow your mind because it did mine. My time spent went from six hours to 20 minutes a day. Now, that allowed me you know, more than five and a half hours to be able to focus on other components of compliance management system and again, it’s something that we are opening up more resources personally or on the team to be able to expand and grow your product or grow your company in the area of growth that is important to you. So that’s one of the things that I would highly recommend.
Yes, we’re doing our daily work, but try to carve out some time and do your risk analysis and assessment to really identify the vulnerabilities within the company that you can build upon for future success.

Kayvan

It sounds like: break it down into small individual pieces and identify the level of activity that happens in those areas and then seek automation. Kelvin, go ahead. Did you want to add to it? I apologize.

Kelvin

No, I’d love to just build on this. And Doreen you’re so right about the fact that you know, as this changes, and also as your organization changes, it doesn’t scale with just more hours in the day, right? You need to find smarter ways to do things and more automated ways to do things. So I’ll bring your first two points. And one is, it starts with recognizing change. Understanding half of our audience said missing regulations related to organization was their biggest concern. And as they change, it’s easy to miss things. So having a process to make sure that you capture things and can in an intelligent way, imply the obligations that are relevant to you is the first step. But it’s important to remember, that’s only the first step. You really need a broader, Integrated Risk approach to your business that recognizes risks, identifies ways to control those risks, and develop appropriate assessments against those risks so that you can determine how do I measure it? What is the acceptable level? Does it fit with my appetite? And beyond that, does the control adequately cover this, and whether that’s broader strategic risks, or whether that’s for an example, IT risks and needs to change within specific frameworks, you need the correct components and the right tools in your broader GRC to do that, but coming back to the concept of well, this happens when regulations change. It actually also happens when you change. So you imagine, you know, one day, you’re a bank, you do business in four states, now you buy a network of 100 branches from a competitor, and they’re in California, and you’ve never done business in California before. Now you have potentially different financial products that you’re selling, you need to understand the regulations relative to those, you need to understand the state level regulations that now you have to comply with. I need to understand from a scale perspective, does not this now put me in a different place in my overall size. 
So what you need is beyond the regulatory change, you actually need access to a regulatory library that tells you, okay, based on where I am now, what new obligations do I have from that? How have my risks changed? What do I need to do now to assess those risks? Again, how can I automatically update those risk assessments and really understand my exposure in a rolled up way so that executives can make informed decisions. So that’s really how you need to look at it’s not just, you know, what has changed today, it’s what now applies to my organization as I change.

Kayvan

Yeah. And that essentially changes the structure on tooling, perspective that you have. And of course, gone are the days that we could throw raw data at compliance officers and hope that they can accomplish anything within a very short period of time, I think that the level of complexity and volume and frankly, contrasts and contradictions across jurisdictions prevent that, basically approach. Speaking of that, now, let’s talk about tech and tech coming in and incorporating into your compliance practice. Hopefully, we can take Doreen’s 20 minutes and take that to two minutes through tech automation. 

<Poll>

Have you as an organization integrated technology into your compliance practice? The answers:

  1. We love doing everything manually
  2. We’re considering yet we’re assessing it
  3. We’ve started integrating
  4. We have bulletproof RegTech already implemented

It will be great to see where we are on this. 

Kayvan

And give it another 40 seconds as the answers are rolling in. We love doing everything by hand, I’m assuming that’s going to get <pauses> Oh, let’s just see. (I think that would have been the answer, maybe seven, eight years ago.) And now of course, we’re seeing more of a forward leaning group of compliance officers and GCs, who are very much aware of the impact that tech and automation can have in streamlining compliance practice. And we’re also seeing regulators that are inviting organizations to look for any and all opportunities for automation. So the answers are in. We still started a solution, our strategy seems like companies are on their way. You see the answers, assessing and ones that are in integration, that kind of lines up with a lot of the surveys, compliance studies in this regard as well. <pause> So I’m going to close this poll. Pop up considerations for digital upgrade. So as we’re going through this now, we talked about the role of tech. So Doreen, what are the prescriptive considerations for an organization that’s going towards that you mentioned, upgrade from legacy to contemporary solution and the integration of all that throughout the organizations? What considerations do you advise for that digital upgrade?

Doreen

Yeah, absolutely. I think one of the things that needs to happen in the beginning at first, as you’re going through and looking at these digitization aspects of tools is what do you want to be done? What kind of digital tool are you looking at? There’s so many out there that we need to identify. And then of course, as you all know, compliance is the last business unit within the organization to get budgeting. So sometimes it really becomes an analysis for us to say, well, this is important why, and this is how it’s going to help us scale. So one of the things that we want to look at is the context of the regulatory requirements that are going to be needed by compliance officers within the organization to build. What tools are out there that are able to provide that. So, you know, have your requirements list. And of course, within the requirements list, I would jot down and say, “this is an absolute need” within this, a digital tool that I need to require at the minimum. So understanding those requirements, and it’s very important. Also, of course, being aware of what solutions are in the market today. To be honest, this is how I met Kayvan. I ended up going to a RegTech conference and as a compliance officer, everything was manual. We’re working towards things that have been just happening in the banking industry, which is your spreadsheets, your documents, but you know, just kind of staying apprised of all the tools that are being introduced in the market, and how that is going to support your skill is extremely important, especially now, because tools are integrated with each other. So if you’re using a tool, you need to go and focus in and say, I need to bring in risk management into that, is there an integration? How long is that going to take to put that into place? Is that something that you can build within the next 90 days and get going? Or is that something that’s going to take another 12 months?
So those are some of the things that you need to consider as you are looking into digitizing and looking at introducing these tools into the organizations? Who should consider upgrading? I mean, if you’re looking at your organization, again, there’s so many tools out there, but I will speak specifically for compliance. For me personally, it’s being able to go into a tool and say, give me all the requirements for 10 states in the organization, but then also map that out to federal regulation, what does that take? Does it have the ability to do that, so I can do my job and be able to go in and advise better. When one of the baselines: is it user friendly? Is that taking me a click of two buttons or is that making me sit here and go through pages after pages after pages to be able to get that information? So, as we’re looking at digitization, you’re also looking at how fast and accurate and quickly you can be able to access this information. And then again, within the company, of course, you may have assets that you are not utilizing. I mean, there’s been so many times within my consulting or I am talking to a peer or networking. They say, Well, “I have so and so”, have you maximized that tool? Have you leveraged that tool to its full capacity to be able to do certain things within the organization. So it’s extremely important to give consideration to that and see what other tools that you already have that are helping you. But again, what other tools are out there that can scale you? And honestly, don’t be afraid to ping a digital tool company and have a conversation with them about what you’re looking at. What can they offer versus what do you need.

Kayvan

Sorry to interrupt you, it seems like when you say who is considering upgrading, I’m in Stage A, I’m going to be acquiring, I’m going to be launching a product, I’m expanding into another jurisdiction, that’s one category and of course growth. I used to be considered low from an AUM perspective now moving to medium or large. That’s another consideration. So typically, we’re seeing that those are the drivers and of course, the other aspect of the driver for upgrading is like I’m watching my competitors and watching them getting enforcement actions issued against them for lack of digitization, the fact that they were slow to respond or that they did not have a robust process in place from compliance led to those. Is that also what you’re seeing as drivers from one side? You know, being growth focused and from the other side, the stick of being worried about fines and enforcement actions to the drivers for considering digitalization?

Doreen

Yeah, those are definitely a great input. I mean, always look at your competition and definitely see what enforcement actions and scrutiny they are put under because to you, it helps you prepare, of course, for your areas of impact.

Kayvan

And one question we had was, you know, obviously, we’re talking about banking, financial services and insurance and within insurance, you have this notorious, specific local jurisdictional coverage that solutions need to have in order for it to be useful to insurance practitioners and to insurance companies. So regulatory changes just at a federal level or just at a specific, let’s call it jurisdictional authority is not sufficient. So again, I’m considering upgrading because it’s become a nightmare. <laughs> For me to keep up with this highly diverse and contrasting level of regulations. Kelvin, are you seeing that as a driver also for consideration of digitalization and upgrade: the fact that it’s just tough to keep up with what’s happening in the regulatory landscape?

Kelvin

It is tough to keep up. So generally speaking, the more varied your businesses, so the more diverse your range of products is, and the larger your business scales and the more jurisdictions that it touches, the more this is going to move from, I could do this to be efficient, to I absolutely have to do this in order to take the risk out because I’m going to miss things otherwise. And even at the smaller end of that scale, starting digitization early allows you to get there before you just have this burdensome unwieldy reliance on human judgment, and manual things where we’re tracking things in spreadsheets and SharePoint, which we know doesn’t work. So should you start your digitization journey early before you need it? Absolutely. At a certain scale on a certain complexity, it’s critical, you cannot possibly either understand your current obligations, understand the obligations associated with a new product or a new market that you want to launch into, or keep up with the pace of change in either if you are not digitized.

Kayvan

And speaking of digitization, any type of change that you try to prescribe within an organization is associated with risk. So Doreen, what are the risks that we can talk about and alert organizations in terms of digitalization? And how can companies evaluate and quantify those risks with respect to their plans?

Doreen

Yeah, again, if we keep talking about risk management, it’s understanding your risk and developing those structures to identify how you can automate these digitization aspects? Right. One of the things when considering a digitization is, again, looking back at the provider and understanding definitely what type of compliance requirements they have to abide by, do they abide by their Enforcer? You know, are they looking at data security, data privacy, how are they going to make sure that the information that is running through this system, any PII, third party management oversight that you’re completing, is the company one may require them to be SOC compliant? Depending on the tool that you’re using, there’s various different regulations that they need to abide by. So if it’s a consumer impact tool, and you have to make sure that they’re meeting Web Content Accessibility Guidelines, what are some of those things with respect to making sure that having a really great due diligence process in place that you’re requesting them with respect to regulatory state agency, and sometimes your investor requirements as well to that need to be considered when identifying these particular tools and digitization aspects that we’re looking at? So scoping it really up front to your needs, and the requirements is extremely important. Does the company have breach activity? If there is a breach, how do they approach that breach activity? Are they identifying you? Or are they not identifying you? What are the protocols of doing that? So, understanding those components from a compliance perspective and understanding what commitment we’re looking at, is extremely important. As we’re assessing these various different digitizations within the company and building these automated tools.

Kayvan

You’re bringing in a solution, it is not isolated and siloed and separate from your compliance practice. It’s basically an extension of what you’re doing. So whatever risk management and risk profiling, that you had for tools and instruments and services you were using today, and now need to be extended to the services that you’re bringing in, in the future. So the evaluations are as if this is now a larger part, the organization has grown and now those tools are simply part of that larger organization. So Kelvin, as it relates to that, how do you complete due diligence and how do you reach compliance requirements with that type of perspective on these solutions that help with digitization? Yeah, so (I think 10 times, by the way, it gets pretty interesting.)

Kelvin

So I think there are already two aspects to this. First, when it comes to digitizing the subject at hand, which is how do I keep up with regulatory change? How do I understand the regulatory obligations as my company changes, right? There’s relatively little risk from a data protection perspective, because nobody’s PII is going in there, except perhaps the user who signs into it. So that’s a relatively low profile. But where the risk is, did I pick a solution that I’m going to be able to rely on? Right. So first, how do I feel about the technology provider? What is their disaster recovery plan? Do they have a SOC Doreen’s point? And if so, how current is that? And what other qualifications are associated with it? Beyond that? How comfortable do I feel with their ability to keep up? Do they have the right technology to scale? Do they have the right technologies to really give me the coverage of the regulators that I need, and the right technology to actually employ the right obligations from them, so that I didn’t just go from reading something on paper to just reading something digitally, but there’s actually no process behind it. So getting comfortable with the efficacy and security and durability of the solution is the first step in intelligence. Secondarily, beyond that, what you really want to look at is, okay, here’s where you actually have risks. When I understand obligations, I now need to bring those beyond I see the obligation into how do I manage and write policy about that? How do I distribute and get an attestation for policy around that? How do I recognize the risks now associated with this, and properly assess those risks across my organization? And then map appropriate internal controls to those risks? And what that really says, is that beyond. Do I have a way to get the change in a digital way? Do I have a way to integrate that seamlessly into the rest of my GRC processes? So can it integrate very well with other software providers? 
Or is it in fact delivered alongside a GRC suite that can allow me to do this because the more that these processes are connected on a digital level, and not siloed, the more you will take risk of data dropping.

Kayvan

Demanding interoperability, demanding transparency, demanding auditability, extending the same security requirements you had internally to those solutions. In fact, you can never blame that solution for compliance failures, it’s still your company that’s on the hook. So as I mentioned, it’s an extension. So having said that, now looking at best practices, in terms of preparing and moving to the future for organizations, Kelvin, what would be the call to action or checklists that you would suggest organizations consider in that journey?

Kelvin

Well, I think that there’s really two things. One is: begin with the end in mind, right? We’re not looking to keep up with regulations, just to keep up with regulations. We’re looking to do it to protect shareholder value, to protect our customers, protect our reputation and also to be compliant. But what that means is you have to be able to move that on in digestible increments. You can’t say, Okay, I need all of these things so I’m gonna implement a completely new digital risk practice. Because that’s audacious and destined for failure, what you really need to do is start with the most important pieces first, and build on those. I’m going to get an early win by getting to the point that I have a digital way to recognize my obligations. Okay, now that I’ve done that, I’m going to integrate that into the way that I write policy, whether that means I add on a new policy tool, or whether I integrate it with what I have already. Next, I’m going to go to the next thing. So trying to decide what to do everything, and it’ll magically happen in a year is just not going to stand up right, and is destined for failure. So you really need to identify small wins along the way, and do them in an agile approach. This is not waterfall. This is not I have a Gantt chart, it’s 18 months. This is: “I want to make this work and I’m going to build on it for the next piece and build on the next piece until you really have built a sound practice around your entire business process.” Automation, you know, don’t automate for the sake of it, right? If I have a team of seven internal auditors, I have less need for automation than if I have a very complex business and I have a team of like 50 Internal auditors and I need extended workflow management and work paper management and skill management that go on time writing that goes along with that. So don’t over automate by the solution that you need, not the solution that your biggest aspirational company in five years from now needs.
Transparency: I think it’s really key, internally. People have to know what the project is, why it’s important and what the goals are. And then the vendors that you rely on to put it together, it’s important that they know what your objectives are, and what means success for you. Because otherwise, they’re going to be focused on delivering that product to every commons, you are going to be focused on getting your needs met, but you will not have alignment in the middle. So you have to be having a really outcome oriented conversation with your providers, so they understand what you’re trying to achieve with their product that avoids buying mistakes, where you buy something, and it doesn’t actually do what you thought it would do. But it also avoids extended engagements where the goals change along the way. So if you start again, with the end in mind, with the right goals and a clearer understanding, you will have a better deployment of technology. External transparency is important. But that’s more important when it comes to when the rubber meets the road, how you’re able to articulate this is my stance on social matters. This is my policy for green Dei, this is how I comply. And here’s my public facing statement, our data privacy and security and keeping with the regulations that I’m required to. And then finally, compliance, where you’ve got to have the diligence around the partners that you work with, that they meet the requirements. So that’s what I would say is key for success is begin with the end in mind, take it in little chunks, build on early successes, be transparent, and be diligent along the way. 

Kayvan

Yeah, absolutely. And I couldn’t agree more with the aspects you mentioned in terms of breaking problems into smaller pieces, you know, reg tech regulatory technologies, one group of technologies and our company, obviously providing a solution in this realm to help organizations to:

 A. stay abreast of change that is impacting their organization and be able to reduce the size of that noise so they don’t have to spend a lot of time (like six hours). Doreen, I’m sure you can multiply that for senior compliance officers, it becomes completely out of hand. How do you really pull that needle and identify the needle in the haystack and then from there be able to route it to the right people in the organization, whether it’s ESG related or privacy, whether it’s cybersecurity related, looking at solutions that help automate that routing and help you streamline the change management that you have a plan of record, a workflow and a process that helps you and of course, not just being kept abreast of what changes regulators are publishing, but also how serious are they about these regulations in the form of tracking enforcement actions, both for the intel that it provides you in terms of your competitive Intel, but also areas to watch out for products and solutions you are about to launch or jurisdictions you’re expanding into or acquisitions you’re about to make. And finally, reducing that painful process of generating reports that help you make decisions in terms of how many more people you need to hire, what other tools do you need to deploy or being able to report externally to auditors so that they can see that you have now a robust compliance regulatory change management or compliance practice in place we see this more and more. And I will tell you that this slide is really informed through conversations we’ve had with a good number of compliance officers out there who share very much this vision for reg tech and its delivery.

Wrap Up/Q&A

Opening it up to questions as we’re approaching time. And I see a couple of questions that came through. Kelvin, you mentioned ( by the way, it’s open to questions, you can send the questions on the q&a session) you mentioned the different levels of let’s call it prioritization between the US and Europe in terms of ESG. Is this kind of like a wave that started coming towards the US or you see this one year out to Europe? What do you see in terms of timing and how US companies would be impacted with ESG related matters? I know that you mentioned state level players already taking matters into their own hands, including California where we’re working out of but what do you see that from a federal level in the United States?

Kelvin

So I think I mean, the EU comparison is a good one. You know, I generally view regulations, Kayvan, as being a little bit like spring fashion. It’s got some Paris but it always comes to New York and they are in a couple of months, right? So we inevitably will see the same pressures. And I think you see that in the way that the SEC regulations are coming together, they closely follow the same frameworks that we’re starting to see in the EU taxonomy. Specifically regarding environmental disclosures. I think we are going to start to see more regulatory teeth around social aspects and governance in the EU. I think you also start to see that closely followed in the US. The US always adopts later than the EU, I think we saw that in data privacy. But you know, California was a close follow over to GDPR, for example, and many other states now have data privacy frameworks that are actually very similar and in many ways built on California. So I think you will see the same pressures. But I think, again, as much as this is federal, the state level of regulation, companies are going to move more quickly than the regulators need them to. Because the customer pressures, the revenue pressures, the investor expectations, and their ability to retain key talent who have choices and want to work in a company who share their values have a much bigger impact in the near term on the company, than potential regulations a year from now.

Kayvan

Doreen, in your practice: another question, I’m going to slightly reword it. Compliance practitioner advisor, consulting, organizations and compliance. Are you seeing when we talk about reg Tech, we saw the answer to the poll, does that match what you’re seeing out there in terms of the maturity and the availability of these tools? Are companies still in a wait and see mode? Or do you see them more into a, it’s not a matter of if it’s a matter of when let’s go and schedule this type of digitization automation? Are we still where we were? Let me put it differently? 2017? Or do you see the maturity curve kind of getting there and evolving, so companies can safely employ and deploy these types of solutions?

Doreen

Yeah, I’ve definitely seen a maturity building from 2017 to current right now, with respect to these types of tools being introduced in the company. And of course, with the pandemic, with working from home, everything being so digital, these tools are becoming more and more important to identify. There’s great tools that, like compliance.ai, that I would recommend taking a look at because one of the things (again, with the last minute I have) it’s extremely important to look at the tool that can help you build the foundation that you are currently in today, what does it look like? If you want to mature that foundation? Can the tool be able to do that for you? Can you further evolve that tool or your organization or your business model with using this tool? Or using a tool that you’re identifying for the business purpose? And then what does it look like from a sustainability perspective? Can this tool still be able to provide you the level of support and assistance that you’re looking at, you know, down the road three to four years from now? Or is that something that is a complete stop once you reach a certain spot within the organization, so definitely a great tools that are out there. And of course, meeting your objective, these are the four components that I would say are extremely important to consider.

Kayvan

It seems like you’re strongly advocating that sandbox, trying things out, kicks the tires in parallel to what you’re already doing, as opposed to kind of like the rip the band aid type approach. And that makes sense. Well, one, appreciate your feedback and your time and also the plug you gave us Doreen. Thank you so much Kelvin as well. Ronjini Did you want to talk about this upcoming EITL forum event?

Ronjini Joshua (Moderator)

Of course, you’ll see Kelvin and Doreen and many of our other expert advisors joining us for the second annual EITL forum, coming up here on September 7th and 8th.  I’ve entered the link into the chat. If you guys want to check out the landing page, you’ll learn a little bit more about the sessions that we’ll have. We have a preliminary agenda. We also have Joanne Barefoot joining us as a keynote on day two of the event. And registration is free. So please go and register for the events.

Kayvan

Thank you so much. Really appreciate it. And thank you again, Kelvin and Doreen and look forward to our upcoming sessions. Thank you, everybody, for participating.

Doreen

Pleasure. Thank you. 

Kelvin

Thank you
