13 Point Plan to Manage Significant Regulatory Corrective Actions
Straight To The Point
Significant regulatory corrective actions have the potential to be exceptionally disruptive. The financial cost of complying with a consent order or other formal or informal supervisory action can be considerable. These projects require time, resources and commitments from corporate officers and board members. As such, they can easily derail strategic plans by shifting focus to achieving compliance above all else, causing you to lose ground to your competitors.
In recent years, several high-profile consent orders received prominent media attention. One such case, related to a large savings bank, illustrates the challenges of achieving compliance. Over a period of three years, the bank was subject to three consent orders from multiple federal agencies including $150 million in civil money penalties and more than $10 million in customer restitution due to violations of law and inadequate compliance and risk management practices. Since at least 2019, the bank has been managing numerous corrective action projects related to various supervisory orders.
Whether the fines are large or small, managing supervisory corrective actions brings a unique set of challenges. In this point of view, Reference Point lays out some important considerations based on decades of experience leading multi-year corrective action initiatives. Our aim is not to lay out an all-inclusive playbook that details each of the legal, governance, technical and operational considerations that go into standing up a regulatory change program. Nor do we cover all the fundamental items we would expect to see in place in most initiatives, regulatory or otherwise, including adoption of a formal governance structure, use of communications plans, and risk and issue logs, to name just a few. Instead, we offer thirteen key things to keep in mind when managing a corrective action and building a corrective action framework.
Planning is critical to addressing corrective actions, and creating a “plan for the plan” is sometimes a best practice that can be used to reduce execution risk and unnecessary expense. This is because planning a significant multi-year corrective action initiative may legitimately take weeks or months to complete. If your regulator is willing to accept a plan for the plan, resist the urge to commit to multi-year milestones without first knowing how they will be achieved, or without understanding the key dependencies between them.
A good plan for the plan will include a detailed set of steps that need to be completed to establish the official corrective action plan, which will include work packages and key milestones and dependencies. Producing this documented plan for the plan not only helps the firm build a constructive working relationship with its regulator in resolving the identified issues but also helps ensure that important internal constituents have a practical and pragmatic working understanding of the objectives, timetables and resources that will be needed.
It should be noted that in some relatively rare cases it may even be prudent to share this plan for the plan with the firm’s external auditor.
When planning, remember to allow ample time for signoffs. Delivery of a work product is not in and of itself sufficient to achieve compliance. In most cases, delivery is followed by waves of reviews and verifications from technology teams, legal and compliance teams, internal auditors, and company executives. Besides the good business practice of ensuring internal alignment, regulators will often want Board signoffs, which add further delays to the process. Remember to document these reviews; where appropriate, the firm may even find it necessary to seek independent validation of deliverables. Taking these steps will reduce the number of follow-up requests from the regulator and enhance the chances that corrective actions will be accepted as submitted.
“Work packages” should be owned by a single individual. We’ve seen too many cases where shared accountability leads to missed commitments. And formal signoff of a work package should require either a handwritten or digital signature to demonstrate clarity of ownership and accountability.
How work packages are tailored will depend on the nature of the corrective action, but accountability is a must.
When standing up a corrective action initiative, recognize that every aspect of what is done may require some form of audit or validation.
Again, we need to highlight the importance of documenting not only the end result, but critical processes in addressing the regulatory findings.
This quite often means that the legacy practices and processes of the “lines of defense” involved in the corrective action may need to be tailored to achieve a successful regulatory outcome and timely closure.
Be sure to document each of the controls your organization intends to put in place so the regulator and your Internal Audit team understand up front exactly what audit trails will be available to them. Not taking this step is often a key cause of friction and frustration between the firm and its regulator.
Make sure the official plan includes a formal change management process, and that the process is approved by the organization’s primary regulator in advance. Change most certainly will occur, and the absence of a change management process will lead to undue fire drills, tension, and uncertainty.
Keep it Simple
Remember that regulators are people too. They have bosses, feelings, anxieties and job pressures (particularly if the regulatory action is escalated to Washington for review) just like everybody else. In this day and age of “design thinking,” remember to be empathetic to your regulators’ wants and needs. Never forget that clearing the corrective action requires that they put their reputations on the line, so make it easy for them to do so.
Manage Flight Risk
Identify key subject matter experts up front and make sure that they are not flight risks. If a key stakeholder leaves to take a new job elsewhere as key milestones are coming due, chaos can ensue. Remember that not everyone is a key subject matter expert. But for those who are, take the time to work with HR to ensure succession plans are in place. For true, critical experts, consider the use of a retention bonus agreement or other incentives.
Bank executives may not perceive the “business benefit” of the project, so depending on your corporate culture, getting business stakeholders to buy in may be a challenge. Ensure that you clearly convey both the importance of having sound governance and regulatory processes and the damage, economic and reputational, that will ensue from not successfully addressing the regulatory findings. Even if not directly impacted, all firm stakeholders have a “stake” in ensuring timely and appropriate action is being taken. Where appropriate, companies can consider adjusting business stakeholders’ performance reviews and bonuses to account for their commitment to shepherding a corrective action to completion. These measures send a clear signal to the regulator and to the business that from the top of the house the firm is committed to achieving compliance.
With so many stakeholders involved, reporting format can be challenging. For example, what may be necessary for the Board of Directors may not work for Internal Audit, Regulatory Relations or other key executives. Maintaining all these bespoke reports takes a lot of effort and is costly. It can also lead to confusion about the current state of affairs based on different “as of” dates and report formats. It’s important to have a plan and a commensurate budget to manage the reporting and track status appropriately. Again, best practice is to have a single owner of the communications to ensure consistency and correctness.
Engaging consultants with practical experience in managing regulatory actions can help to move the process along effectively and efficiently and ensure that the organization is leveraging the collective experience of a team of professionals who know what pitfalls to avoid. This becomes especially apparent when it comes to operationalizing the changes. In our experience most organizations find it useful to employ consultants to ease the burden that transition brings to an organization’s full-time staff. When planning your initiative remember to account for impact to ongoing projects due to staff constraints as well as the potential impact of staff burnout on existing operations and future plans.
It becomes critical for management to proactively monitor for, and then manage against, burnout. Often staff are asked to do their BAU work while simultaneously taking on all the due diligence, investigation, creation and implementation surrounding regulatory corrective actions. The loss of key players is unfortunately a common occurrence, with the domino-like cascading impact adding yet more work and frustration for the remaining individuals.
Don’t go for a big bang approach. It’s better to show incremental improvements over time. Establish a pace and then keep to it. And communicate, communicate, communicate… you and the rest of the team may know what you are doing, but don’t assume that other constituents and, most importantly, the regulator are fully conversant. The onus is on the firm to communicate proactively – it is nearly impossible to overcommunicate.
Project delivery always includes a degree of uncertainty, and your organization probably requires that you use some form of a risk tracking template to mitigate this uncertainty. But because the stakes are usually higher when managing a corrective action initiative, we recommend implementing a simple approach to go beyond the use of a risk register. If you try to populate a risk register by asking the project team to document the risks they’re most concerned about, we’ve found teams are often reluctant to do so for a variety of reasons. But if you simply ask each team member how confident they are (100%, 95%, 90%, etc.) that the team will meet the next set of upcoming milestones, you’re more likely to get a genuine answer. If you poll different team members independently, their confidence estimates should align. If they don’t align, take action. And if the confidence levels are low, then ask why. Their responses will generally give you the risks you need to keep an eye on.
Again, if timelines and benchmarks are likely to be missed, it is far better to give the regulators (and key stakeholders) a clear, timely heads-up. While no one likes bad news, surprises are many times worse.
Confidential Supervisory Information
Unlike most projects, both informal and formal corrective action initiatives will involve management of confidential supervisory information (CSI). Managing access to CSI requires strong controls. Ensure your team understands the controls in advance, and that they also understand the significant risks associated with deliberately or inadvertently leaking CSI.
Meet our Risk & Regulatory Compliance Experts
20+ years of experience in leadership roles in large financial services firms covering operational risk, technology risk, compliance, project management, and large-scale transformations.
35+ years of experience with the OCC including serving as Assistant Deputy Comptroller. Extensive experience with large and midsize bank supervision.
35+ years of leadership experience as a regulator and consultant. Former Senior Executive/Regional Director of the FDIC. CFE, CRCM & ACAMS.
35 years of leadership experience as a bank regulator. Former Senior Executive/Regional Director of the FDIC.
About Reference Point
Reference Point is a strategy, management, and technology consulting firm focused on delivering impactful solutions for the financial services industry. We combine proven experience and practical experience in a unique consulting model to give clients superior quality and superior value. Our engagements are led by former industry executives, supported by top-tier consultants. We partner with our clients to assess challenges and opportunities, create practical strategies, and implement new solutions to drive measurable value for them and their organizations.