WOLF & CO Insights

Regulatory Compliance Change Management: A Crucial Process

Financial institutions and compliance professionals continue to place significant importance on the presence of appropriate change management controls in their organizations. While the federal banking agencies don’t formally define change management, it’s generally considered to be the identification, evaluation, and implementation of processes and controls to help institutions make developments in accordance with regulatory requirements. Regulatory agencies insist that change management is a key element of an institution’s compliance management system. Here, we’ll dive into why this is important, highlight what regulatory requirements are in place, and detail proper controls and best practices for institutions to implement.

When Something Goes Wrong

Imagine you’re the Compliance Officer at a financial institution undergoing a regulatory exam, and the examiner comes into your office to speak with you. Turns out, your institution is going to be cited for a violation related to your Rewards Checking product. The product offers a high interest rate, but the minimum transaction criteria to earn this rate aren’t properly disclosed to the customer. Also, a monthly maintenance fee is being charged that’s $3 higher than the amount included in your Fee Schedule.

The examiner hands you copies of three different advertisements for the product, all of which reference different terms. He explains to you that several branch-level employees were questioned about the product, but each expressed some level of confusion over it. Ultimately, your institution is going to be cited for a violation in the examination report. Not only will your institution have to take steps to implement corrections for disclosures, systems, documents, training, and advertising, it will also have to endure considerable expense to reimburse customers who were under-credited interest or over-assessed fees.

An analysis of the circumstances that led to this violation is then performed, and concludes that:

  • The business line made a decision to make changes to the Rewards Checking product, but neglected to discuss the change with the Compliance Department at any point before or after the changes took effect.
  • Account opening disclosures were revised by the business line, but the person responsible for this task left the institution for another opportunity shortly before implementation. Consequently, the correct disclosures were never finalized and distributed to the branches or marketing department.
  • No formal training ever occurred for the revisions to the product. The business line simply sent out an informal email to branch staff talking about how the product was being enhanced, but gave very few details.

These results demonstrate that the institution lacks sufficient change management controls. If adequate controls existed, these failures could have been identified and remediated prior to the exam, avoiding the violation and reimbursement issues.

The Importance of Change Management

Change is a constant. It’s something that institutions and compliance professionals will always have to endure. Common examples of events that warrant change include:

  • Corrective action for addressing audit or examination findings
  • Improvements or efficiencies in existing processes
  • New vendors
  • Regulatory updates
  • Strategy or policy amendments
  • System conversions or upgrades
  • The creation of new products and services
  • Turnover in management or personnel

Institutions shouldn’t only prepare for change on a large scale (such as a major regulatory shift like the expansion of Home Mortgage Disclosure Act [HMDA] reporting). Even small events, such as a new interpretation or a software patch, can have ripple effects. Institutions should anticipate change as a frequently occurring event.

These changes also come with great risk. The Federal Financial Institutions Examination Council (FFIEC) includes change management within its Uniform Interagency Consumer Compliance Rating System. Institutions that fail to display appropriate controls over change management may not just face a specific technical violation, but also a lower examination rating. Failure to appropriately address change could also result in issues like reduced operational efficiency, inadequate communication, customer confusion, customer service issues, or reputational risk. These issues could have a domino effect throughout the organization if not handled appropriately.

Regulatory Requirements

Several regulations provide guidelines for institutions detailing how to address change management concerns that arise in customer disclosures and communications. Deposit-related rules include the Truth in Savings Act (Regulation DD), Electronic Fund Transfer Act (Regulation E), and Expedited Funds Availability Act (Regulation CC). The Truth in Lending Act (Regulation Z) addresses lending account notifications, and electronic disclosure rules are addressed by the Electronic Signatures in Global and National Commerce Act (ESIGN).


Deposit regulations require institutions to take steps to notify impacted customers when deposit account products are changed in a manner that adversely affects terms previously disclosed. This need commonly arises with increased fees or new fees. However, institutions should ensure that other, less considered changes are also accounted for in customer notifications. Other trigger events include matters increasing customer liability, a reduction in electronic fund transfer services, additional transaction limitations, or interest-related matters such as a reduction in a compounding or crediting frequency.

Typically, beneficial changes don’t require customer notification (with the exception of beneficial changes to an institution’s funds availability schedule under the Expedited Funds Availability Act). Notification timeframes vary based on the regulation imposing the notification requirement. The Truth in Savings Act and Expedited Funds Availability Act require 30 days advance notice for adverse changes, while the Electronic Fund Transfer Act only requires 21 days. Notification of beneficial changes under the Expedited Funds Availability Act must be provided no later than 30 days after the change.


Lending changes-in-terms requirements vary based on the product. Credit card/non-home-secured open-end loans typically require 45 days advance notice for rate increases and other significant changes, such as changes to penalty fees, transaction fees, the grace period, or balance computation method. Certain changes can be made without customer notice, such as a termination of privileges resulting from a court agreement (unless fees or penalties are imposed). Significant credit card changes, with some exceptions, require the lender to provide the borrower the right to reject the change. In such situations, Regulation Z identifies several repayment options that the lender can utilize.

Home-secured open-end loans have less restrictive changes-in-terms requirements. Lenders must provide 15 days advance written notice for any change to a term identified in the account opening disclosure, or if the minimum payment is increased. Similar to open-end products, certain changes don’t require customer notification. In the event that the lender has to impose restrictions on advances or a credit limit, the notification can be provided within three business days, as long as specific reasons are given.

Written and Electronic Notification

Regardless of whether it’s a change to a deposit account or a loan account, institutions will want to ensure that their customer notification is done in written form. Impacted customers should be notified with the proper form of communication. For example, institutions offering impacted passbook accounts won’t be able to notify all customers through a “statement stuffer” message. Institutions should avoid simply sending out a copy of a new disclosure without explanation. Areas that have been changed should be clearly identified, whether by providing a cover letter or by clearly labeling it on the disclosure. Institutions notifying loan borrowers of a change via periodic statement will also want to review Regulation Z to ensure that the proper formatting and proximity rules are followed.

As more customers utilize electronic means to open accounts and perform transactions, institutions can consider providing electronic notifications of changes in terms—but must ensure that they only do so for customers who already provided consent under ESIGN. Any electronic communication must be handled in the same medium already consented to. For example, a customer who consented only to email communication can’t be required to log on to a website to access a PDF document identifying the change. Whether or not it’s directly related to a change-in-terms notification, if hardware or software changes occur with respect to electronic communications, institutions need to follow ESIGN’s rules to obtain new consent before providing additional electronic documents.

Controls and Best Practices

Thorough Risk Assessments

There are a variety of key controls and best practices that many institutions are utilizing to ensure that they’re prepared when changes occur. Whenever a prospective change is imminent, institutions should consider performing a risk assessment, which can be a critical tool in the change management process. A risk assessment can be utilized to address a new product or service, handle a vendor or system change, or be part of a broader evaluation of how the institution addresses its requirements and regulatory environment. As part of this evaluation, institutions can ask questions such as:

  • Why is this change taking place?
  • Is the change required, or optional?
  • Are there any exceptions or limitations regarding the change?
  • What is the volume of personnel in the institution impacted by the change?
  • What is the volume of customers impacted by the change?
  • Is customer notification required? If yes, what are the time periods?
  • What is the prospective cost to implement the change?
  • How will the change impact the institution’s ability to comply and meet its operational and strategic objectives?

By performing a risk assessment, an institution can evaluate the potential benefits and pitfalls that will be involved throughout the change. While some changes will be required no matter what (whether due to regulatory updates or expiration of vendor contracts), there are often business decisions to be made regarding aspects of the change. This assessment will enable the institution to evaluate the net results of the change, determine its level of importance, and decide what resources need to be allocated where. You may even determine that the change will have a negative net impact on the institution, and ultimately consider not making it at all.

Allocating Responsibility

Institutions should consider whether a formal committee or task force should be formed to oversee any prospective changes. Many institutions maintain compliance committees that include representatives from various business lines within the organization. The compliance committee is often seen as a good place to discuss and oversee the change management process. Other institutions have separate working committees that are specifically created for the project. For example, many institutions have a new product/service committee, which is responsible for determining when a new product or service may be warranted and also covering all relevant aspects of the changes it will impose throughout the organization. Other institutions form temporary task forces when major changes occur, which are dedicated solely to the identified issue and disband upon completion.

Oftentimes a change will impact a wide variety of areas within the institution. So, regardless of what type of committee or task force an institution establishes, it’s critical that there’s proper representation from the different business lines in the organization. Beyond the primary business line impacting the change, departments such as Compliance, Marketing, Training, Accounting, Information Systems, and others may need to be involved. The institution will also want to make sure that meetings occur frequently.

Proper Oversight

Sufficient oversight of the change management process is also key to its success. It’s important to have buy-in on any change-related initiatives from senior management within the organization. At least one member of senior management, or someone who reports to them, should be directly involved in the change process. This involvement will assist in ensuring that strategic objectives are met, objectives are progressing in a timely manner, and team members are being held accountable. A formal action plan should be developed and implemented any time a material or significant change is necessary. By clearly delineating the deliverable timeframes, individuals and departments responsible for each task component can measure and track the project status and whether those involved are fulfilling their responsibilities.

Vendor Concerns

Sometimes the systems and technologies utilized can be the most critical part of the change management process. For instance, when major HMDA and Truth in Lending Act changes occurred during the past few years, institutions often found themselves in positions where they were at the mercy of their software vendor and couldn’t fully implement changes in processes until the vendor had upgraded its systems. Institutions should proactively identify which systems and vendors are going to be impacted by the change, and reach out to them as early as possible.

There are going to be times where institutions may realize that existing vendors aren’t able to handle the necessary upgrades. This situation may warrant due diligence to find a new vendor, which can be a lengthy process. Existing vendors can often handle the changes, but will need time to implement software upgrades. The institution will want to ensure there’s continuous communication with the vendor over any upgrades. The institution should reverse engineer vendor due dates by identifying the project deadline and working backwards to make sure there’s sufficient lead time to perform testing and make any necessary corrections. When the upgrade takes place, the institution will need to update all appropriate employee systems and access. Utilizing out-of-date systems can quickly lead to violations. Institutions will also want to confirm that any upgrades don’t have unintended effects on other automated processes.

Documentation Consideration

Anytime an institution implements a change, it’s highly likely that a variety of different documents will be impacted. Institutions will want to do an inventory of any possible documents impacted to ensure all are updated accordingly. The institution’s written policies and the procedural documents that staff rely on when performing their duties are the most critical to this process. If properly maintained and sufficiently detailed, these documents can guard against issues driven by employee turnover because they provide detailed instructions on day-to-day processes.

Any training material that could possibly be impacted by the change should be re-evaluated to determine if it’s current and appropriately identifies new processes and controls in place. Many changes directly impact customer disclosures. Institutions will need to update such material. It’s critical that institutions catalog and assemble any old, outdated disclosures to ensure their replacement and destruction. This caution also carries over into electronic material. Old policies and procedures should be removed from systems and network drives so only the current one can be accessed.

Evaluation & Audit

Controls to evaluate the change are also an important part of the change management process. When institutions identify a date by which changes must be implemented, the ideal scenario is to have the changes ready one to two months in advance of that date. This time period will enable the institution to perform monitoring over the changes to see if they’re effective and don’t cause any unforeseen issues. Institutions will want to amend pre-existing monitoring and quality control checklists to reflect anything new or different that’s impacted by the change. Institutions should also evaluate their audit plan, making the necessary adjustments to capture the change into future testing plans. Any permanent change should be captured in each subsequent audit. As changes increase risk, it’s ideal to have an audit performed that analyzes the change within a year of implementation.

Is It Working?

One final best practice that institutions should consider is revisiting the change after a certain period of time to consider whether the change was worth it. Management will want to consider whether the change has had the net effect that was expected, going back to the risk assessment completed earlier in the process. Just because a change has taken place and was successfully implemented doesn’t mean that the expected results will occur, or that unexpected factors won’t come into play and affect things at a later point in time. Management will want to ensure any post-implementation evaluation doesn’t take place until a sufficient amount of time has passed so there’s clean data.

Beyond formally auditing the process for regulatory compliance, institutions will find such an evaluation helpful in seeing if strategic objectives have been met. In addition, it will be helpful to see whether there’s anything that came out of the process that should be considered for future instances where a change must be implemented.


Using these change management best practices, your institution will adequately prepare for the shifts that impact your business, strengthen your agility, and improve your processes to capitalize on these changes—allowing you to accelerate in the market.