Originally posted June 20, 2017
Rick Bachman, Scale Compliance
Most compliance professionals like me start their day with an obligatory skim of all the various (and sometimes random) national compliance news sources we’ve subscribed to over the years. It’s as much ritual as routine, and if you work in compliance, you know why you do it: to see what's happening in the compliance world; to know what’s befallen our peers and regulators; to gossip over who’s been fined or whether Cordray will still have a job come summer. But does any of this information help you run a better Compliance Management System?
I recently attended a small compliance group meeting with a former high ranking attorney from the OCC. He was very informative and knew all of the inner workings of the political climate in Washington, D.C. He was able to drop names of current and former heads of policy and discuss their approach to managing the issues set before them. He was able to speak to the content of phone calls between state Attorneys General and policymakers at the OCC. He spoke to the impact of the new FinTech bank charter, and the tension between the CSBS and the OCC that it created.
In other words, he had a lot of impressive things to say about macro-level subjects that affect the compliance professional’s daily operations almost nil. Of course, a clear view of macro-level trends, and the players who control them, is hugely valuable, especially to large-scale institutions who have the ability and will to influence federal policy. The macro view might have an institution rethink their product development plans and remove something that might fall out of favor with regulators in the near future.
But for the vast majority of compliance departments and professionals, and for the vast majority of companies who don’t hire lobbyists or write seven-figure checks to trade organizations, what does one do with this somewhat unhelpful (albeit interesting) macro-level information? Sitting in a nicely appointed courtyard with a cocktail in hand, some 2,000 miles from D.C., I struggled to answer the question.
Eventually, my best answer was to take stock of the things I still need to do with my department’s CMS. I ran through a mental checklist of my CMS’s major components and considered whether and how any of them needed to change based on this macro-level information. That exercise led to a few realizations:
1. Macro-level compliance policy information is great for cocktail parties with other compliance professionals, but for most of those professionals, seldom relevant to the hard work of protecting a company day-to-day. We crave information, relevancy, and recognition. We are giddy to know that a certain AG called the head of the OCC and then threw them under the bus the first opportunity they had. We want to be connected.
2. Compliance professionals are usually good at either compliance policy or operations, but not both. This isn't a knock against either camp, but to really understand and predict compliance policy, one has to have worked in the industry for decades and risen pretty high up the ranks; and the higher up you go, the further you get from doing operational compliance work.
3. Most firms in the FinTech space have enough to worry about at the micro level. Compliance is hard, and getting it wrong is easy. Take SoFi, OnDeck, and LendUp – each suffered significant fines from state or federal regulators in the last few years, and each had capable compliance leads at the helm.
The takeaway? Macro-level compliance policy information is a luxury, and not one that should be purchased at the expense of building a solid, defensible CMS tailored to the law as it stands today. If your house is on fire, wait to remodel.
Policy changes will impact how we operate, to be sure, but a CMS based on sound principles, including a good change management process and a clear understanding of the business, can and should weather macro-level changes nicely. Our compliance programs need to be flexible enough to implement the rules and allow us to change them if needed, but the foundation of our programs and the mechanisms we use to implement, monitor, test and correct defects should be able to withstand changes in the political climate.
None of this is to say that understanding macro-level compliance trends is not important; of course it is. That’s why we all read those morning news briefings, and none of us is about to stop now.