Author: Scott Goebel
Scott Goebel is a Partner at Edgewater Equity Partners and a Member of the Board of Directors at Ascent. In his 20 years of service in various legal and oversight roles at Fidelity Investments, including General Counsel of Fidelity’s Asset Management Division and Head of Fiduciary Oversight, Scott has developed and led high-performing legal, risk and compliance programs on a global basis. His deep expertise and experience in Regulatory Lifecycle Management guide Ascent’s innovation strategy of deploying AI to transform risk and compliance operations for the financial services industry.
===================
Download the Ascent RLM eBook
Executive Perspective
A casual read through recent articles on effective compliance programs presents a range of important elements for every compliance program and a wealth of suggestions on how to improve the effectiveness of these programs. From risk assessments to reporting lines to audit and tracking functions—there is no dearth of opportunity for improvement, and no shortage of advice on how to update and upgrade your compliance posture.
So, where to start? In this case, the obvious answer is the correct one: a corporate compliance program cannot be effective without a clear, accurate picture of the regulatory landscape facing the company. Regulatory lifecycle management (RLM) is the process of building and continually updating that regulatory picture. It is simply not possible to design a compliance program without understanding which regulations apply to a company, that is, without an RLM program. Therefore the first step is to figure out what rules and regulations apply to your business. All the other assessment, design and implementation activities flow from this regulatory map (which some people refer to as a regulatory inventory). Unfortunately, two significant challenges arise in the preliminary effort of building a regulatory map.
First, one must identify the full universe of regulatory artifacts that need to be considered. What jurisdictions are you in today? What are the regulated activities that you are conducting? These and related questions help frame the initial set of regulators and regulations that might apply. The next step is probably the most straightforward, in most jurisdictions: collect the full current set of applicable regulations. However, other regulatory activities can also be critically important to building an inventory. “Soft” regulatory actions (that is, details on how regulators actually apply the regulations) matter. For example, effective interpretation of US federal securities almost certainly involves a review of SEC No-Action Letters, and any UK banking compliance program needs to consider the impact of “Dear CEO” letters.
Second, regardless of the scope of relevant regulatory activity, the landscape is constantly changing. New regulations, amendments to existing regulations, clarifying pronouncements from regulators and litigation that may offer new judicial interpretations—these are a few of the examples of the types of activity that result in constantly shifting regulatory risks and obligations.
How can companies, and in particular the legal, risk and compliance professionals at these companies, deal with these twin challenges (the broad range of regulatory activities that impact a company and the rapidly shifting nature of these activities)? Regrettably, but understandably, track records are mixed. Outside experts (such as law firms, consultants and other third-party experts) or large numbers of internal employees combing through document feeds or online search tools have been the standard approach. These solutions are expensive and, like all manual processes, often result in incomplete or inaccurate views of the regulatory landscape. Forward thinking companies are turning to automated solutions providers to deploy new strategies and techniques to help them stay on top of regulatory changes.
Components of Regulatory Lifecycle Management
An effective regulatory lifecycle management program will address the following major areas:
1. Coverage. When building a regulatory map, it is important to consider four broad elements of coverage. First, what business or activity are you engaged in? A high-level answer to this question is usually straightforward, but distinct activities or different client types can trigger additional regulatory obligations, so understanding the full scope of the business is vital. Second, where are the activities conducted? Large multinational banks have very complicated structures and sophisticated compliance and risk systems to track multiple regulatory schemes, but even smaller companies often face regulatory scrutiny from several jurisdictions. Third, which regulators have jurisdiction over activities in which geographies? And finally, what are all the sources of regulatory obligations facing a company. The inquiry of course starts with “black-letter” legislation and regulations, but many jurisdictions (particularly in Europe, Canada and parts of Asia) view non-binding guidance as critical elements of the overall regulatory framework.
2. Current Regulations. Once the scope of coverage is established, the next task is to pull together the full set of current regulatory obligations. Analyzing the full universe of relevant obligations can be time-consuming, but it is a critical step in building a robust compliance program. Unfortunately, the process of identifying relevancy is complicated by the fact that some regulations (or related guidance and other interpretative material) are quite voluminous—and in many cases only certain parts of a rule will apply to a particular company. It can therefore be quite helpful to approach each regulation as a series of “sub-rules” or granular obligations, some of which should be captured and reduced to written polices (and others of which can safely be ignored.)
3. Change Management. Regulations change all the time, for all kinds of reasons. Regulators often revisit existing rules, looking to close loopholes, clarify meanings or modernize outdated provisions. Legislatures pass new laws that grant or rescind regulatory authority and mandate (or allow) regulatory responses. Judicial systems will interpret provisions, sometimes in ways that trigger new regulatory or legislative initiatives; including new or amended rules or sometimes the elimination of rules. And there are many other ways that regulators signal new regulatory approaches, from new guidance to enforcement actions to sweep exams and announcements of upcoming regulatory focus. Given the pace of change, and the many processes by which regulatory changes occur, regulatory change management involves several distinct activities. Generally, these activities fall into two categories: work surrounding longer-term, slower developing potential changes, and responses to well-defined near-term changes.
- Longer-term changes. As a general matter, regulatory change takes time. Even in periods of major regulatory retrenchment, regulations do not simply appear with no warning. Admittedly, it may feel that way sometimes—particularly during periods of increased regulatory output, as in the months following the financial crisis of 2007-2008. However, even in these cases, the high volume of regulation is the challenge, not the time available to consider any one of a set of proposed rules. Typically, regulators carefully build their rule-making agendas based on legislative and regulatory priorities, and in many jurisdictions seek public comment to avoid unforeseen and undesired effects. This means that market participants usually have ample time to participate in formal rulemaking efforts.
But, if formal rulemaking is so accessible, then why is it important for firms to get actionable regulatory intelligence about upcoming changes? In short, the answer is that the early stages of legislation and rulemaking can be critically important to firms seeking to influence or understand various initiatives. It is becoming increasingly common to refer to this “early-warning” activity as “horizon scanning.” It goes without saying that regulatory change can create risks and opportunities, and early insight into how regulators are framing a particular issue—that is, while the new regulation is still on the horizon–is very valuable. In its best form, horizon scanning will bring together information about regulatory activity for a market participant well in advance of any formal rulemaking. This in turn allows a company to reach out to regulators with suggestions on potential approaches to a rulemaking—and to advocate for those approaches that have the least cost (or greatest advantage) for that company. In other cases, simply understanding the sensitivities and goals of a regulator will give a company more time to modify operations or business conduct in anticipation of likely final rules.
- Near-term changes. As the regulatory process progresses, likely outcomes become clearer and there is less opportunity to lobby for changes. When final rules are adopted, rule text is available and compliance and effective dates are published. It’s now time to figure out how to comply with the new rule. And in many cases, the regulatory lifecycle management process has this simple ending: companies know about a rule, have planned for the final regulation and are ready to implement business and compliance changes to deal with the rule.
If only managing regulatory change always followed this ideal path. In practice, keeping track of final rule changes has become increasingly complex, with more rules, longer more complicated rules and more guidance on how to interpret these rules. Legal, risk and compliance teams are in general very good at analyzing and adapting to new rules, provided they know about the rules. But these organizations are often overwhelmed by the volume of work they need to accomplish just to keep the compliance program running, never mind the crisis of the day. So unfortunately, sometimes final rules and rule amendments are simply missed entirely.
4. Reporting and Oversight. Internal reporting and oversight are critical elements of any compliance program, and failures in this area can have serious consequences for firms and individuals. Some regulatory regimes are clearer than others about oversight obligations—for instance, the UK Financial Conduct Authority’s Senior Managers and Certification Regime are quite specific about the responsibilities of (and individual liability for) various participants in a company’s compliance processes. Regardless of regime, even distributed compliance functions must from time to time involve centralized reporting, oversight and review. Regulatory change management, as a critical input into compliance policies and procedures, should be subject to oversight and periodic review. Historically, given the volume of work involved in simply collecting regulatory change, substantive reporting has been a challenge. As a result, many organizations simply report on the number and/or quality of identified changes—but these reports are not a tool for evaluating the quality and effectiveness of a company’s regulatory change management efforts.
5. Tracking/Auditing. Recording and retaining decisions about the scope and effect of regulations is an important aspect of compliance, for several reasons. First, no compliance program is infallible—but a reasonably designed program implemented in good faith will, in almost all circumstances, satisfy regulatory standards. Retaining a record of regulatory change management activities and decisions can demonstrate overall effectiveness and design. Second, as regulations change over time, compliance obligations similarly change. Determinations of compliance (or non-compliance) must be evaluated against the then-current rules—which means that companies would be wise to track regulatory changes over time. Finally, audits and reviews (including internal reviews and those triggered by external events such as regulatory inquiries, litigation, commercial diligence, etc.) necessitate comprehensive recordkeeping.
Ascent empowers you to take control of your regulatory lifecycle.
High performing firms are rapidly embracing AI-powered automation like the Ascent Regulatory Lifecycle Management Platform to reduce risk, unlock efficiency, reduce operating costs, and improve agility. Our Platform, which includes next generation horizon scanning tools and revolutionary AI-powered change management capabilities, is designed to empower compliance, risk, legal and audit teams to:
- Know everything they need to know
- Respond to changes quickly and confidently
- Harness automation to power high-performing operations
- Scale regulatory lifecycle management across the enterprise
Ascent’s eBook “Taking Control of Your Regulatory Lifecycle” provides a comprehensive overview of how AI-powered automation can revolutionize your information sharing and compliance operations.
Lastly, spend a few minutes assessing your regulatory lifecycle management processes to see how you rate, and how automation can be a game changer for your business. Or, Contact Ascent to learn more.
