Things That Go Bump in the Night: What Will Keep Compliance Officers Awake in 2022

“Be afraid…Be VERY afraid.” Although the red-headed stepchildren 2020 and 2021 did not have us morphing into fly-hybrid creatures (ok, yes, referencing 1986’s The Fly horror classic), they did bring about one of the biggest shocks to the financial services industry since the financial crash. COVID-19 took banks’ business continuity plans and other contingency measures head-on, pressuring compliance officers into addressing unknown but now very present gaps in their compliance programs. Operational, financial, credit, legal, and regulatory compliance risks reared their heads, splaying open technology and process deficiencies, and ushering in the need to improve compliance systems at scale. We have learned compliance is more than a tick-box exercise.

As we begin the new year, it is imperative financial institutions know what lies beyond the horizon for 2022. This article addresses the top five compliance concerns of 2022. 

1.  BSA/AML

Financial crimes are growing, but in response, agencies are doubling down on policies and guidance to create a more transparent financial system. With the passing of the Anti-Money Laundering Act of 2020, FinCEN and the agencies are taking actions to implement changes. We are seeing an increase in attention to beneficial ownership, with regulations and guidance supporting FinCEN AML/CFT priorities. These priorities reemphasize enhanced AML requirements, regulations, and enforcements and provide initiatives banks need to be aware of to address many of the broader issues confronting the financial industry as a whole. These include corruption, cybercrime (including cybersecurity and virtual currency), fraud, foreign and domestic terrorist financing, transnational criminal organization activity, drug trafficking organization activity, human trafficking and smuggling, and proliferation financing.

At this point, the AML/CFT priorities are just a preview of what is to come—no immediate changes to BSA requirements for banks or non-bank financial institutions have been made. FinCEN is charged with publishing those additional regulations regarding AML/CFT priorities. But once finalized, covered financial institutions are required to incorporate AML/CFT priorities into their risk-based AML and BSA compliance programs. Increased BSA/AML regulations and enforcements will pose risks to financial institutions, so banks should take proactive steps now and begin updating their existing compliance programs to account for AML/CFT priorities. This includes adopting flexible compliance programs and incorporating data analytics into their audit and compliance programs to better monitor the risk areas identified in the priorities.

2.  Data Protection

The Agencies issued Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, a final rule effective April 1, 2022 with a compliance date of May 1, 2022. This rule requires banking organizations to notify their regulators as soon as possible, but no later than 36 hours after identifying a significant computer-security incident that results in actual harm and rises to the level of a “notification incident,” as defined in the final rule. This rule is also applicable to a bank service provider, or a company or person that performs covered services. Bank service providers also must give notice to one designated contact at the bank via email or phone as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has or is reasonably likely to materially disrupt or degrade covered services for four or more hours. 

Financial institutions and their providers need to ensure that they have the plans, policies, and procedures in place to comply with these requirements.  This could include updating incident response plans to include the appropriate points of contact, performing training exercises with the new timing requirements, incorporating applicable definitions into service provider contracts, as well as updating incident response playbooks. But banks must remain cognizant of other applicable state, federal, and international security incident reporting requirements, such as the GLBA and Interagency Guidelines Establishing Information Security Standards, and BSA SAR reporting just to name a few. 

3.  Environmental, Social and Governance (ESG) Risk

ESG and sustainable finance have experienced a lot of encouraging progress, with meteoric growth in ESG-themed investment funds, ESG-rated loans and bonds, and the coming consolidation of ESG rating and reporting systems. But, for all this progress, the ESG landscape remains unknown. Banks are failing to align their public commitments with practice. Yet that comes amid a lack of clarity and standards in ESG metrics and in the methodologies used for ratings. Social issues are coming to the forefront of public discussion as COVID-19 aids in highlighting certain social problems. Sustainable finance is not going away—banks need to consider incorporating ESG strategies, reporting accountability metrics, and data-driven insights into their compliance programs, regardless of the size of the institution. Boards of Directors should begin educating themselves on the costs of these initiatives and what they could/will entail as more parameters emerge.

4.  Allowance for Loan and Lease Losses (ALLL)/Allowance for Credit Losses (ACL)

For all banks, examiners will be focusing on ALLL and ACL adequacy considering any stress on credit portfolios. Because of COVID-19, regulators are evaluating banks’ actions to manage credit risk, particularly given the changes in market conditions, termination of pandemic-related forbearances, and economic uncertainties. As an industry, we are just now beginning to see what the lasting effects of COVID-19 have been on the economy and consumers. Examiners are going to be focusing on strategic and operational planning to ensure banks are maintaining positions, especially regarding capital, the allowances for credit losses, management of net interest margins, and earnings. Remaining vigilant when considering growth and new profit opportunities will demonstrate the Board’s and management’s understanding of the impact of the new activities on the bank’s financial performance, strategic planning process and overall risk profile.

5.  Crypto Assets and Fintech

In 2022, banking regulators are going to continue to clarify what role traditional banks can legally play in the cryptocurrency market. The past years brought about massive changes in understanding and regulatory oversight to the cryptocurrency markets, with the OCC leading that initiative. Going forward, the agencies are planning to clearly detail the specific activities banks can engage in involving cryptocurrency, including holding it on balance sheets, issuing stablecoins, holding crypto assets, or even facilitating crypto trading on behalf of customers. It is already acknowledged that the rapid growth of cryptocurrency presents potential opportunities and risks for traditional banks, so it remains key to understand what activities are permissible and that a bank’s participation will rely heavily on expectations for safety and soundness, consumer protection, and compliance with other existing laws and regulations.

The years 2020 and 2021 faced challenges of digital transformation, and 2022 will look to stabilize “new normal” business activities. The Fintech evolution of digital banking has increased, forcing new innovations in engaging customers and tailoring products and services. Real-time analytics also provide increased speed of service. Regulators are going to be identifying banks that are implementing significant changes to their operations using new technological innovations and will be evaluating their implementations, including use of cloud computing, artificial intelligence, and digitalization in the risk management process.

In short, 2022 is going to require progressive, forward-thinking vision. As Dr. Seth Brundlefly (played by Jeff Goldblum) said wisely: “Don’t go back to it.” 2021 brought about an unexpected mutation: forever moving forward, banks need to be considering local, national, and global financial conditions and initiatives. What we once knew as compliance concerns are continuing to shift, evolve and expand. Top industry and compliance concerns continue to emerge, so taking action to ensure your institutions will thrive in the new, exciting financial system of tomorrow is critical.