Regulatory data compliance can be a confusing and exhausting process for anyone in the banking and financial services industry. The laws vary by state and circumstance and evolve year after year, leaving companies in a cloud of confusion about the best practices for their data.
But the stakes are high: breaking compliance regulations has financial and often criminal implications. The key to successful data compliance is having the right partner.
At Saxony Partners, we offer our financial services clients decades of experience working directly within the industry coupled with a thorough understanding of how to store, organize, and optimize data within regulatory guidelines. Here is our practical beginner’s guide to a few of the most common regulatory data compliance laws.
Current Expected Credit Losses (CECL) requires that expected losses be estimated over the life of loans to ensure that a financial institution remains within a specific range. It is the follow-up to Allowance for Loan and Lease Losses (ALLL) in the wake of the 2008 recession, explained Michael Martin, Saxony’s Senior Manager of Financial Services.
“Your assets and liabilities must be within a specific, predefined range,” Martin said. “This allows for systemic guards across the financial services industry in the United States and the global financial system as a whole. CECL is a way of measuring your anticipated risks based on the impact of a variety of hypothetical economic scenarios.”
So what happens if you don’t accurately report on your expected losses?
“You can definitely expect monetary penalties, although it is not yet being fully enforced,” Martin said. “The Federal Reserve is a key player in setting macroeconomic policy and requires adherence. If you are out of compliance with CECL, you’ve found yourself crossing the Federal Reserve, FDIC, NCUA, and OCC simultaneously. It would be a reputational risk, a monetary risk, and frankly an overall operational risk to not make CECL compliance arrangements.”
Angel Armendariz, Saxony’s Business Development Executive for Financial Services, said failure to comply with CECL is serious not only because of the fines, but because of the consequence for your business practices.
“Generally, failure to comply can lead to consent orders and penalties from the [Office of the Comptroller of the Currency],” Armendariz said. “In the worst-case scenario, the OCC can take over your company’s operations. They can require companies to approve all executive hires and expenses through them in order to prove the value.”
The Gramm-Leach-Bliley Act (GLBA) deals with safeguarding personal and financial information for consumers. It contains rigid requirements and will require training for all of your employees.
“If you as a customer want to open a checking account for example, the financial institution has responsibilities to safeguard the privacy of your personal information,” Martin said. “Beyond that, this legislation also determines what information can be collected and what financial institutions can do with this sensitive information, like selling it or using it for marketing purposes.”
Misusing or failing to protect customers’ private data is such a serious offense, it can warrant jail time. Good GLBA training is a hallmark of all major financial institutions, because it protects the customer, the employee, and the organization.
“Not only are you facing fines and fees, there are criminal implications associated with even one employee violating GLBA,” Martin said. Security and privacy are the foundation of effective information management compliance. In an age where we collect more customer data than ever before, data is our greatest asset, but we have to ensure it does not become a liability.
The California Consumer Privacy Act is a state-specific law that takes data protection in the GLBA a few steps further.
“The CCPA provides enhanced information privacy protection for Californian consumers in a wide variety of industries, not exclusive to financial services,” Martin said.
“It involves just about any type of transaction in which a consumer or customer is asked to provide data. It is comprehensive privacy legislation that dictates how Californians’ data can be used as well as when and if it can be sold. It also requires that companies provide any data collected on specific customers to them if they request it. Customers can even request that a company delete their data completely.” This “right to be forgotten” is deeply rooted in the culture of law and governance in Europe, and because the CCPA itself has roots in the GDPR, new privacy rights are making their way to the USA.
Out of all the recent compliance regulations, Martin said the CCPA is one of the most confusing and difficult for financial institutions. There is anxiety around accepting and processing CCPA-related requests for information, and many companies are simply resigned to doing this manually.
“Many companies we work with are having to comply with this legislation for the first time ever and have very little idea how to do it,” Martin said. “If you don’t have your data structured, organized, and readily available to your own company, how can you provide it to a customer when they request it? How can you delete it?”
Naturally, one of the biggest challenges is determining how to access and organize Californians’ data separately from that of the rest of the U.S.
“You have to define within your company which data is within scope of the legislation and which data is not,” Martin said. “But you have to understand the legislation and you have to catalog and analyze your data in order to do any of that.”
Though CCPA is specific just to California for now, the state has a history of influencing national regulations. For example, California’s emissions standards and fire safety standards also began as state-specific laws, but later became the baseline for national regulations. It’s possible CCPA could be the basis for a similar national data privacy law.
As of January 2020, it is still uncertain as to when regulators will begin enforcing the regulation (or, for that matter, punishing companies for non-compliance). The same can be said for CECL, at this point.
Data Compliance Solutions for Financial Services
While learning that your company is out of compliance might make you want to panic, there are actionable steps you can take to reverse the problems.
“Most financial institutions don’t realize the skeletons they have in the closet when it comes to data regulation,” Armendariz said. “When an auditor comes along and requires them to fix things, they typically have limited time to address all of their compliance issues before they are penalized. That’s where we come in. We help companies stay within the boundaries of all of these regulations and meet the requirements to become compliant.”
While a legal team would spearhead the efforts toward compliance, Saxony can advise on the data solutions that will best address each regulation.
“We would provide the platform to make it easier for the company to identify data that is not in compliance and ensure that they can stay in compliance in the future using new tools,” Armendariz said.
While any data consultant can recommend the right technology tools, most will have a huge learning curve when it comes to specialized industry regulations. At Saxony Partners, genuine industry expertise and thorough knowledge of technology intersect. Our financial services team members have all worked in the field and have long-time familiarity with all of the compliance regulations financial institutions face.
“IT experts do not tend to have a good mindset for what compliance looks like in any industry,” Martin said. “I think Saxony is unique because our whole mantra is ‘business first, technology second.’ We are on the lookout for compliance risks and they are front of mind for us.”
Whether you are interested in a proactive approach to data compliance or you have received a consent order and need to act fast, Saxony Partners can help. Reach out to us today for the best data solutions for your business.