Skip to main content

regulatory change management

How Mortgage Lenders Can Leverage Automation to Strengthen Compliance in a Turbulent Economy

By Blog

This post was contributed by Michael Rasmussen, GRC Pundit & Analyst.

In today’s ever-changing economy, mortgage lenders and service providers face a growing number of regulations and risks in compliance. This opens up an opportunity for organizations to rearchitect their compliance processes and leverage automation to remain competitive in this uncertain environment.

Mortgage lenders and service providers, as a segment of the financial services industry, face a lot of change. The mortgage space right now is a tough one and interest rates are only going up. Firms are writing fewer loans, whether it’s a new loan or a refinance. The market is shifting and drying up for the foreseeable future of the next year or two. The industry is changing and reacting to uncertainty in the economy. Mortgage companies’ internal processes and employees are changing, particularly with the economy staff is shrinking and expected to do more with less employees. Regulations and risks in compliance are also increasing that impact mortgage lenders and service providers.

While the volume of loans is decreasing, regulatory change – including enforcement actions and guidance – remains on a steady stream of growth. The law or regulation itself does not have to change, but how it is enforced and monitored over time evolves. However, it is more than regulatory change as the business itself is changing. If that employee is not aware of the policy related to the regulation, or not trained properly, it leads to compliance failure. If that process changed, or technology, and the controls needed to comply with the regulation are not in place, then compliance fails.

WATCH NOW: 5 Tips to Supercharge Your Compliance Programs in 2023

The challenge is that many mortgage lenders and service providers are short-staffed when it comes to compliance. There is a barrage of regulatory changes, updates, and enforcement actions. But even if the firm is fully knowledgeable, they must ensure the culture, operations, processes, and behavior of individuals is compliant. Regulatory compliance is not an option. Amid uncertainty and change comes increased compliance risk exposure. While executives may be in cost-cutting mode, they cannot afford to become non-compliant. It is time for organizations to look at innovation and adjustments to make regulatory change and compliance more efficient in human capital and financial capital resources while at the same time striving for effectiveness, resilience, accountability, and agility.

This might seem like a conflict, to save money and time while increasing effectiveness and agility, but technology delivers this. To address the volume of regulatory change and its impact on the business requires that mortgage lenders and service providers seek to automate compliance with technology. Cognitive GRC technologies that leverage artificial intelligence – natural language processing, machine learning, predictive analytics, and robotic process automation – is delivering real value in efficiency while increasing effectiveness and agility of regulatory change management processes. It is times of uncertainty that companies can become stronger through redefining their processes and leveraging automation to cut costs and be more effective than their competitors.

During this time of uncertainty, there is an opportunity for mortgage firms to rearchitect their compliance processes to keep pace with the volume of regulatory change and ensure the business operationally remains compliant within the scope of this change. Technology enables this allowing the organization to filter through the volume of updates and changes and flag what really matters and how it impacts the mortgage business, operations, processes, policies, and behavior. Regulatory change technology delivers cognitive compliance to make the mortgage lender/service provider more efficient in their time and resources to monitor regulatory change and effectively keep operations current with regulatory change amid changing processes and employees. 

Regulatory mapping is key to compliance. Are you doing it effectively?

By Blog

Regulatory mapping may mean different things to different organizations, but new RegTech tools can help you more accurately and efficiently meet all your mapping challenges while freeing you from manual, administrative work. 

Defining Terms

As regulatory burdens increase and regulations change in response to everything from political winds to well-publicized industry failures, regulatory compliance will remain a rapidly changing and growing industry segment. 

Despite the near-universal concern about regulatory compliance, standard terminology around many common concepts is still missing. One such concept is “regulatory mapping,” a compliance term that means different things across the industry. Below are three distinct definitions we have encountered:

1) Regulatory mapping – of laws, rules and regulations to your business to determine your obligations

In this instance, regulatory mapping refers to the process of reading and analyzing voluminous regulatory text to understand exactly which specific obligations apply to your business. Whether conducted in-house by compliance personnel or outsourced, this process typically has people digging into the rules to determine which obligations are applicable to the business. Personnel will capture the firm’s baseline obligations across jurisdictions and determine which obligations are the same or similar across jurisdictions, and which are unique.

To do this, most firms create and maintain a rule register or rule inventory, i.e. a list of all the rules that apply to the business. An obligations register is a newer concept that refers specifically to a register or inventory of the specific obligations that apply to the firm, detailed down to the line level of regulation.

LEARN MORE: How Ascent Delivers Targeted Obligations


2) Regulatory mapping – of regulatory changes to your obligations

This definition involves compliance personnel constantly scouring regulatory websites, newsfeeds, and other sources to capture the latest rule amendments or additions and then conducting applicability analysis to determine which changes apply to your organization. 

Compliance personnel must then do the complex work of impact analysis to understand how the changes impact the firm’s existing obligations – Has an existing obligation changed in some way? Are there new obligations due to the rule change? Are any existing obligations now rendered unnecessary due to the change? 

Compliance teams must answer all of these questions before updating their rule register and obligations register accordingly. 

LEARN MORE: How Ascent Automates Regulatory Change Management


3) Regulatory mapping – of your obligations to your internal controls, policies, and procedures

Regulatory changes need to flow through to your controls and policies so that you can properly coordinate and execute the changes throughout the business. In this context, regulatory mapping is the process of tying your obligations to those internal controls, policies, and procedures. 

LEARN MORE: How Ascent Maps Obligations and Rule Changes to Your Controls and P&Ps


Mired in the Manual

Regulatory mapping represents a complex web of legal documentation, rule changes and internal processes. Regulatory change management is considered especially daunting as sources of regulatory change include international, national, state, and local legislative action, court decisions, and executive actions. The work of identifying these changes and dialing them in to what applies to the organization remains largely mired in manual and siloed processes.  

READ MORE: The State of the Compliance Industry


RegTech to the Rescue

The explosion of RegTech now provides an alternative solution to managing the challenge of regulatory mapping that does not require throwing additional personnel, time, and resources at the growing regulatory burden. The right automation tools can help alleviate much of the manual work of mapping regulatory requirements (regardless of which definition you are focused on)—but only if the tools are well-designed and implemented.

“Automation, technology, and expertise help transform the regulatory mapping and compliance functions from merely a cost center to a function that supports financially sound and efficient decision-making by capitalizing on business intelligence and supporting the commitment to appropriate compliance processes.” Compliance Week

The benefits of leveraging automation in regulatory mapping processes are many, including:

  • The ability to convert regulatory text into your specific obligations more efficiently and accurately, with less chance of human error (Ascent’s output is 99.5% accurate)
  • Streamlining the process of capturing regulatory changes relevant to your business, understanding their impact, and mapping them to your policies and controls
  • Freeing your compliance team from tedious, error-prone administrative work and increasing their focus on facilitating compliance, developing regulatory strategy, and proactively planning for regulatory change 
  • Providing a more complete understanding of your regulatory landscape, while spending less time and money
  • Reducing regulatory and reputational risk, avoiding fines, and lowering your overall cost to comply

READ MORE: What is RegTech?


Mapping Regulatory Requirements with Ascent

Ascent helps financial firms conduct all three types of regulatory mapping more accurately, efficiently, and at a lower cost. Ascent offers:

  • Automation to identify the obligations that pertain to your specific organization
  • Constant discovery of rule amendments and updates that apply to you, connected to your existing obligations so you can instantly understand the impact to your business
  • Seamless connection via API to best-in-class GRC platforms like IBM OpenPages so you can map your obligations to organizational controls, policies, and procedures

The first (and most difficult) step in setting a regulatory compliance framework

By Blog

Compliance and Risk professionals have a tough job. Not only are they responsible for maintaining compliance according to their organizations’ existing regulatory framework, but—more importantly—they are responsible for determining what their firms’ regulatory framework is in the first place.

But first, what is a regulatory compliance framework?

A regulatory compliance framework “is a structured set of guidelines that details an organization’s processes for maintaining accordance with established regulations, specifications or legislation. It outlines the regulatory compliance standards relevant to the organization and the business processes and internal controls the organization has in place to follow to these standards.” (source: TechTarget)

Regulatory compliance framework
When it comes to financial regulation, this process of outlining relevant standards and requirements is the first and foundational step in setting a strong regulatory compliance framework. It is also a huge liability for both financial firms and their compliance / risk officers due to the sheer amount of regulation that exists today.

READ ARTICLE:  Regulatory mapping is key to compliance. Are you doing it effectively?

Faulty foundation of regulatory requirements = susceptibility to risk

On average, U.S. firms are overseen by a handful of regulators (significantly more if they operate globally), and each regulator has hundreds to thousands of pages of regulation that they maintain, update, and enforce regularly. For example, between 2019 and the fourth quarter of 2020, the Securities and Exchange Commission (SEC) published 147 rule changes and 263 guidance notes. And that’s just for one regulator.

With rule changes up nearly 500 percent and a new regulatory update issued every 7 minutes globally, it is increasingly more difficult for Risk and Compliance professionals to identify all of the regulatory developments that apply to their business.

In fact, aligning policies with new and changing regulations is a top challenge for over a third of organizations (35%) according to an Ethics & Compliance Policy & Procedure Management Benchmark Report from Navex Global. In that same report, just over one quarter (27%) of organizations also attested that they are challenged in improving version control, reducing policy redundancy, and inaccuracy.

And yet, many firms continue to try to manage and synthesize this influx of information in the same ways that it always has—by increasing personnel to do the work manually.

Manual solutions only plug the cracks in the foundation

Today, Risk and Compliance teams undergo the tedious and burdensome task of gathering information from:

  • International, national, state, and local legislative action
  • Court decisions
  • Executive actions (regulations, guidelines, and enforcement) 
  • Other supporting legal materials

Once they have compiled this information, compliance analysts then assess those regulatory documents to extract the laws, rules and regulations within them, and analyze those requirements to determine which might apply to their business. After hundreds of hours of hard work, the analysts finally are able to present the foundation for the firm’s regulatory compliance framework back to the business for approval. 

Only then, finally armed with this knowledge, are teams able to begin the real, vital work of compliance—reconciling their obligations with their policies and procedures, creating controls, and implementing compliance throughout the business. 

However, in our current regulatory climate, this process is becoming increasingly impractical. The pace of regulatory change and the cost of compliance haven’t slowed down. At the same time, neither has the cost of non-compliance. In just the last three months, the Office of the Currency Comptroller (OCC) has issued fines of $60 million, $85 million, and $400 million.

Missing even the finest detail within a body of regulation or rule amendment can be disastrous for financial firms’ bottom lines, not to mention their reputation. Like the proverbial needle in the haystack, any obligation missed among the thousands of lines of regulatory information could have severe consequences come audit time.

‘Regulatory knowledge automation’ restores framework from the ground up

What is regulatory knowledge automation?

‘Regulatory knowledge automation’ is the process of using algorithms to create knowledge from data, such as analyzing regulatory text to determine an organization’s applicable regulatory obligations.

INFOGRAPHIC: Regulatory Knowledge Automation, Explained

By leveraging next-generation technologies like
machine learning (ML) and natural language processing (NLP), this knowledge creation work can be completed in mere minutes, at a fraction of the cost, and greater accuracy than ever before.

At a glance: 

  • NLP is the combination of computer science and linguistics that allows computers to understand human language. In essence, NLP takes the dense texts of regulatory documents and “translates” them into machine-readable language. 
  • ML is the capability to “train” systems how to complete a task. Once NLP has translated regulatory text into something that can be read by a machine, trained ML systems can extract the rules and requirements from that dense text.

These two technologies are at the heart of Ascent’s RegulationAI™, a true innovation in regulatory technology. RegulationAI™ is able to:

  • Process thousands of pages of regulatory documents
  • Identify all of the standard requirements that derive from the laws, rules, and regulations within those documents
  • Determine which of those standard requirements correspond to a singular financial firm based on their business practices and unique regulatory burden

What makes a good RegTech partner: fit and scalability

By Blog

Finding the right RegTech partner can be difficult. So we sat down with an industry expert to get his take on how he evaluates vendors.

As an expert in regulatory change management, Vincent Schultinge has seen the evolution and impact of regulation on financial firms firsthand. So, naturally, he has also been drawn to the niche industry that emerged to try to solve these RCM challenges—RegTech. 

Now, in his current role as a senior RegTech consultant at ING, he is responsible for defining, developing and implementing RegTech innovation throughout the ING organization. During his sit-down with Ascent, Vincent shares:

  • His perspective on what makes a good RegTech partner
  • What methodology ING follows when looking to implement a RegTech partner
  • How making machine readable regulation will open doors for the future of RegTech

Editor’s note: This interview has been lightly edited for clarity.

Using RegTech Maturity as an Evaluation Benchmark

To Vincent, managing regulation is a task that’s too fluid and too risky to put into the hands of new-to-the-market solutions. Here’s how he considers the maturity of RegTech.

When assessing a RegTech provider, you want to make sure it fits your business’s demands. I have a firm belief that we should strive for market standard solutions. Therefore I look to see whether a RegTech has the potential to become a market standard for their solution or offering. Once we have measurable results from a Proof of Concept (PoC), then we can decide if a RegTech is suitable for our purpose or not.

The way we assess RegTechs differs from the way we look at other vendors. Due to constant regulatory oversight as a bank, we have less freedom to experiment. For many business cases we will look for parties that are more mature and that have, for example, delivered the equivalent product to our peers or are engaging in sandboxes with regulators.


Being Able to Audit RegTech’s Black Box

Vincent believes that “auditability” is a key factor that firms should also consider when determining whether or not to work with a RegTech provider.

Providers should always be able to explain and demonstrate how their machine learning works. For risk and compliance teams, auditability of machine learning is absolutely key. If you can’t audit a technology solution properly, especially a machine learning solution, it becomes Pandora’s box. Not to mention that regulators won’t accept anything less than full transparency.


Aligning Around a RegTech Provider

At ING, Vincent’s team relies on what they call “PACE” methodology when considering what RegTech solution to implement.

Whatever methodology you are using to implement RegTech, you have to be consistent, thorough, and constantly verify that you are doing the right thing. 

At ING, we use our in-house PACE methodology for the delivery of innovation. This applies to our delivery of RegTech as well. With PACE, we combine Design Thinking, Lean Startup and Agile Scrum into a single process. PACE consists of five stages being: discover, problem fit, solution fit, market fit and scaling. 

For us this works really well and we gained a lot of traction with this in the organization. On top of PACE methodology at the whole of ING we practice an agile way of working. This helps accelerate the way we set up PoCs as well as other partnerships. 


Unlocking the Value of RegTech

For RegTech to truly be effective, Vincent has learned that it’s important to first have a culture of innovation prior to implementing a solution.

It is essential that you have business owners with the right mandate and budget who are convinced by the usage of technology. Business and innovation teams have to be able to establish the demand and create strong use cases for the application of RegTech. Teams should collaborate in such a way that the business demand and the premise of the solutions are a true match. This will help with validating and demonstrating the benefit of using certain RegTech solutions along the way. Regardless of the size of the firm, you need the right innovative culture and the right appetite from business owners; otherwise, it just won’t work.


Using RegTech to Manage Pandemic Woes

According to Vincent, the pandemic has only amplified the need for RegTech.

Regulatory changes keep coming, especially considering that people are working remote and are having to align virtually due to the pandemic. Regulators demand that banks remain in control. So, firms need to be able to monitor upcoming changes in the regulatory landscape by scanning the regulatory horizon as well as assessing obligations and potential risks. This is where having proper tooling in place for horizon scanning and risk assessment will definitely help firms to maintain control in these difficult times.


Pioneering the Next Frontier of RegTech

What’s next for RegTech? Vincent believes that making regulation machine readable will open incredible opportunities for financial firms to unlock the true potential of RegTech.

In order for RegTech to play an even bigger role in the industry, we first need to look into a few things— machine readable regulations, data and format standardization, and global harmonization of regulations. If regulations, updates and guidelines become machine readable and ingestible globally, it will become easier for firms to demonstrate compliance and adhere to rules and guidelines more efficiently. It will open a whole range of possibilities for the adoption of RegTech within financial institutions.

The same applies to data and format standardization. If we can agree on common data and format standards, adherence to regulations becomes more efficient. With the financial system being a truly global system nowadays, it allows institutions to act across jurisdictions in a safer and more compliant manner. Together, with harmonizing regulations globally, this could translate into a much broader usage of RegTech within the financial system. This end goal is something that I believe will contribute to the overall safety and stability within the financial industry.

ING is a global bank that aims to empower people to stay a step ahead in life and in business. Visit ING’s website. 

For more content like this, subscribe to our email updates.


SEC Priorities: Cryptocurrency Regulation and a Changing of the Guard

By Blog

Despite the pandemic, Reuters reports that the U.S. Securities and Exchange Commission (SEC) has had a banner year, with more than 700 cases and enforcement actions. As of November, that number represented over USD $4.7 billion in penalties, fines, and disgorgements assessed. The ratio of fines to penalties is a bit askew, considering that one fine alone represented a USD $1.2 billion settlement.

Still, the agency has been particularly busy with disclosure and regulatory-related penalties, in contrast to a mere seven enforcement actions by the Financial Crimes Enforcement Network (FinCEN). Of course there is an issue of the remit of the respective agencies that would need to be taken into consideration, but one priority of the SEC has seemed to remain squarely in the initial coin offering (ICO) / cryptocurrency-related space. Here’s a look back at SEC cryptocurrency regulation from this year and what’s to come from SEC leadership in 2021.

ICOs Strictly Subjected to Howey Test

The SEC announces its enforcement priorities annually, and 2020 was no different, if only in that respect.  At the start of the year, the Office of Compliance Inspections and Examination (OCIE) released its 2020 Examination Priorities, and in it the agency noted that “digital assets” would be a priority. Many of the enforcement actions that occurred throughout the year were related to either ICOs, either as fraudulent schemes or due to poor regulatory disclosures.

The SEC has treated ICOs fairly strictly over the past few years, perhaps punctuated by the Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO (the “DAO”), released in mid-2017. This report galvanized the agency’s approach to tokenization and ICOs, noting that strict adherence to the Howey test (i.e., an investment of money and expectation of profit as the result of a common enterprise, with the profits coming from the efforts of a third party) would apply to ICOs.

To that end, ICOs who tested the SEC’s resolve found that the failure to register or seek an exemption to the Howey criteria would result in multi-million dollar penalties.  In one enforcement action in particular, the SEC noted that the ICO in question—though it knew or had reason to know that it was a security based on the DAO report and prongs of the Howey Test—continued to sell its offering without making appropriate disclosures to its investors.  

READ MORE: The Most Telling Guidance of 2020: Corporate Compliance Programs, AML & More


Changing of the SEC Guard

The current chairman of the SEC, Jay Clayton, has publicly stated that he intends to step down from the position, leaving the incoming administration to make a nomination. Clayton’s tenure was remarkable, and has seen lauding from both sides of the aisle.  The two current names being floated to replace him are Gary Gensler, former chairman of the Commodities Futures Trading Commission (CFTC), and former prosecutor Preet Bharara. Already named to President Elect Biden’s transition team, Gensler has no shortage of experience dealing with both regulators and the private sector.

During his time at the CFTC, Gensler pushed for sweeping regulation of swap trades and has been viewed as someone who—as a former partner at Goldman Sachs—could potentially deliver diplomatic regulatory outcomes. Bharara, on the other hand, poses a far more significant shift in regulatory tone. Bharara is known, and well-respected, for his work on major insider trading and white collar cases.

Despite the significant number of actions under Clayton’s tenure (over 3,000 examinations in 2020 alone), Bharara’s appointment would signal a no-nonsense approach to both civil and regulatory engagements.

Preparing for What (and Who) is Next

Other names circulated are Dodd-Frank contributor Michael Barr, as well as Allison Lee (a former securities law practitioner and currently an SEC commissioner) and Kara Stein (a former SEC commissioner) who would both bring senior-level, hands-on experience to the position. There are innumerable variables still at play after the outcome of the November 2020 election. Needless to say, the SEC and other high-profile regulatory positions will keep Wall Street waiting with baited breath, and those of us in the bleachers a lot to consider. 

READ MORE: What are “granular” obligations in RegTech, and how do they reduce your risk?


No matter who takes the helm at the SEC (and at other U.S. regulators), it’s important for financial institutions to keep tabs on regulation at both the national and state level. It’s within these agencies that incremental changes occur and often catch organizations off guard. Be sure that your firm is ready for what’s next. Shore up your compliance and risk strategy by identifying all of your key risk factors, including any potential gaps in your firm’s regulatory obligations / requirements.

READ MORE: Regulatory Change Management: A Tech-Based Approach


Ascent helps banks and other financial firms stay above the rising tide of regulation, from the SEC and other regulators. Learn more about our regulatory coverage here.

The Most Telling Guidance of 2020: Corporate Compliance Programs, AML & More

By Blog

There has been no shortage of media chatter in the very unusual 2020 calendar year.  For those concerned with organizational compliance, the release and re-release of regulatory guidance and legislation — particularly around BSA/AML and corporate compliance programs — has been nearly unparalleled.  As we will show, these developments have significant implications, if not direct calls to action, for banks.   

The BSA/AML Manual Hits Hard

At the risk of hyperbole, the Federal Financial Institutions Examination Council’s (“FFIEC”) Bank Secrecy Act/Anti-Money Laundering (“BSA/AML”) Examination Manual (the “Manual”) is perhaps the most sacrosanct of all regulatory frameworks. Intended to serve as a field guide for examiners, instead its outlines and parameters are utilized by banks’ BSA/AML compliance departments as the foundation for their compliance programs and by auditors as a basis for testing protocols. Updated in April, the Manual was not radically updated but the updates that were made were significant.  First and foremost, the Manual makes reference to “other illicit activity” as a nod to the nebulous nexuses between crimes like healthcare fraud, corruption, and money laundering.  The Manual further updates provisions in regards to risk assessments (while not flat out requiring them) and board-level oversight, broadly, requiring that banks ensure that their compliance programs are tailored to their unique risk profiles.  

Perhaps the most significant updates include expansions to the expectations around training.  Where only a paragraph existed previously, the updated Manual expands its expectations to have role-based technical and subject-matter training, along with much more precise guidance on the expectations for board of directors training.

READ MORE: Regulatory mapping is key to compliance. Are you doing it effectively?


A Major Emphasis on Corporate Compliance Programs

As many compliance practitioners were settling into remote working, the U.S. Department of Justice (USDOJ) re-issued its Evaluation of Corporate Compliance Programs (the “Guidance”).  In examining whether to consider and the depth of criminal penalties, prosecutors too (harkening back to the Manual) should look at whether the organization at issue maintains and leverages a risk assessment to inform decisions about compliance and mitigate the risk of misconduct.  The Guidance goes on to note that perhaps one of the most important factors is, based on the risk assessment, how were allocations for staffing, technology, and resources such as training allocated.  Were cost centers given hiring priority over compliance staff?  Is the annual compliance training program a leaflet?  Are the sales staff on top-of-the-line computers while the compliance and audit teams are using ineffective tech? 

All seem like fair questions. 

The Guidance directly states that compliance should be built into the compensation scheme, and that it should be a considerable factor in the allocation of (or withholding of) bonuses.  Lastly, the Guidance reiterates the need for ongoing monitoring, testing, and escalation of the state of misconduct-related controls and their investigations.  

READ MORE: How an Integrated Risk Management (IRM) approach can transform your organization


On the AML Horizon

There are two fairly significant developments  pending approval, and we cannot emphasize “pending” enough – a shell company transparency provision and the Anti-Money Laundering Act of 2020.  They are both embedded within a defense spending bill that the White House has threatened to veto for unrelated reasons. The shell company provision would mandate the registration of beneficial owners with the Treasury department, effectively ending anonymous shell company use within the U.S.  

Secondarily, if passed, the Anti-Money Laundering Act of 2020 would mandate that the Secretary of the Treasury take steps to “streamline” BSA/AML compliance requirements.  In its September Advance Notice of Proposed Rulemaking (“ANPRM”), FinCEN sought input from the banking community on how to make more “effective” use of BSA/AML systems and processed, skewing more in favor of law enforcement’s needs than compliance.  The proposed AML Act seems to end-run the feedback solicited by the ANPRM, and place the obligation with the Treasury to ease, reduce, or otherwise better facilitate the production and utilization of BSA/AML-related information.  

While the approval of the AML Act and its governing bill are in a tentative state, the ongoing developments in this space speak to big changes for the BSA/AML compliance space going forward.  

Keeping Pace with Change: A Tech-Based Approach

While these regulatory developments are broad reaching, their impact is different at each financial institution. This leaves Compliance teams with the tall order of reading through and analyzing the regulatory text to determine which parts of the Manual or the Guidance applies to their organizations — which can be like looking for a needle in a haystack.

According to an Ascent internal analysis, 65 percent of the regulatory text (the haystack) is made up of definitions and clarifications. The remaining 35 percent, which actually consists of obligations, is what compliance teams need to be reviewing in order to determine what regulatory requirements and obligations specifically apply to their firm (the needle).

READ MORE: Regulatory Change Management: A Tech-Based Approach

Ascent can help banks and other financial firms stay above the rising tide of regulatory change. Read this article to learn how our RegTech platform can help your firm quickly produce “granular obligations” and keep them current as new regulatory developments arise.

If you’d like to contact a team member directly, you can do so here

To stay up on the latest in regulatory technology and other news, subscribe to our monthly Cliff Notes newsletter below.


A former regulator’s take on AI, Big Tech, and RCM

A former regulator’s take on AI, Big Tech, and RCM

By Blog

Rick Bonhof. Managing Consultant, SynechronWe recently sat down with Rick Bonhof, a managing consultant who leads the Amsterdam regulatory change and compliance practice within the business consulting arm of Synechron—a leading digital transformation consulting firm that accelerates digital initiatives for banks, asset managers, and insurance companies around the world.

In his role, Bonhof oversees a team of experts who help clients build the regulatory framework that enables compliance. As an advisor for the digital-first firm, Bonhof is hyperfocused on making compliance more efficient through the use of technology, leveraging emerging tech such as machine learning and existing systems such as GRCs.

Prior to Synechron, Bonhof served as a supervision officer for Dutch regulator Autoriteit Financiële Markten (AFM) at the height of the 2008 financial crisis. After spending seven years crafting and executing supervisory strategy for AFM, he decided to redirect his work from supervising firms to actually helping them become compliant with regulation. And so, after witnessing how Synechron helped a number of financial institutions get back on track with EMIR (the EU equivalent of Dodd Frank in the US), Bonhof transitioned to the firm.

During our sit-down, Bonhof shared his blended supervisory-consultative perspective on a variety of topics—from the role of regulatory change management during the COVID-19 pandemic to how Big Tech will shape the future of financial services.

Editor’s note: This interview has been lightly edited for clarity.

Setting the Record Straight on Regulators

Touching on his experience as a former regulator, Bonhof kicked off our conversation by sharing what he wished compliance professionals knew about regulators, and what he wished he had known as a regulator. 

When I made the switch from regulator to consultant, I realized that a lot of financial firms are afraid of regulators. But the reality is that regulators are people too and most are not out to fine you. What I think compliance professionals sometimes forget is that if you’re able to explain to regulators why you made certain decisions and how you implemented certain requirements, they’ll listen to you.

“A lot of financial firms are afraid of regulators. But the reality is that regulators are people too and most are not out to fine you.”

My advice to compliance professionals is to document their interpretation of the rule and why they applied the rule in a certain way according to their interpretation, so they have all of the information they need when it comes time to talk to regulators.

On the flip side, what I wish I had known as a regulator was, no matter how simple a request for information may seem on paper, it doesn’t actually mean that there’s a clearcut way to gather requested information or to implement a new rule. Many financial institutions do not start out as multinational global-spending institutions—they grow through mergers, acquisitions, and restructuring.

So there’s a whole collection of teams that suddenly need to contribute to this “one simple request,” making it not so simple after all.

Managing Regulatory Change in the Time of COVID 

Bonhof has long emphasized the importance of having a well-documented regulatory change management (RCM) strategy, especially when it comes to major events such as financial crises, election years and of course — the COVID-19 pandemic.

When it comes to regulatory change management, my mantra has been “take control, be in control, and demonstrate control.” 

“Take control” is about understanding what your obligations are, understanding the impact of them, and then implementing and enforcing a compliant process.

“Be in control” is about understanding where your firm is in terms of compliance with the requirements, and revisiting both its requirements and compliance processes frequently. You should not only be control testing your processes to understand whether your firm is compliant with existing rules, but also monitoring whether there’s a change coming that could impact compliance with those rules. And, if there is a change on the horizon, then you need to go back to “take control” and proactively act on it.

Lastly, “demonstrate control” is about being able to take the evidence that you have and explain both internally and externally to what extent you comply with those measures.

How to Avoid Dropping the Ball on RCM

In Bonhof’s view, the biggest mistake that firms can make when implementing RCM best practices, is to treat them as a one-time solution. 

Most regulatory change management processes are driven by a regulatory change implementation date. Let’s say that a firm has to comply with X, Y, and Z by January 1, 2021. What I’ve found (and even been guilty of myself) is that many firms focus solely on making that milestone without the end result in mind. So once the firm does reach it, everyone sort of drops the ball and says, “We’re done, we made it.” But that’s the wrong approach because 2021 does not mark the end of implementing that change, it actually marks the start of it. 

What I’ve found (and even been guilty of myself) is that many firms focus solely on making [a] milestone without the end result in mind.

Firms are expected to be compliant with that new rule, and need to have a roadmap that accounts for what comes after that date. Firms often put makeshift technical solutions in place to meet the deadline, but then what happens is the technical solution silently becomes the structural solution. The result is that there’s no roadmap beyond that point to account for new data that needs to be tracked or changed, resulting in an issue of data quality and therefore explainability. 

COVID Response: Swings of the Regulatory Pendulum

To Bonhof, regulatory change management has never been more important as the pandemic response continues to fold. While he and his team have seen the easing of certain regulatory requirements, they have also seen the mounting impact of others.

On the one hand, the regulatory response to the pandemic has been to suspend certain requirements in order to alleviate the burden of regulation. However, at the same time, we’ve also seen an increase in requests for financial firms to implement certain risk measures from regulators such as the European Securities and Markets Authority

For example, we had an “intelligent lockdown” in the Netherlands that prohibited us from going to the shops or the cinema. As a result, this (like other lockdowns across the globe) had a large impact on service providers, as many businesses had outstanding loans with financial institutions and were suddenly not able to make good on those loans. This has led to a tipping of scales with regulators adding more capital reporting requirements, while continuing to suspend or delay implementation of other regulatory requirements. For example, ESMA deferred the final two phases of its bilateral margin requirements to provide additional operational capacity for counterparties to respond to the immediate impact of COVID-19. 

On the Importance of Innovation in IRM

While regulators have been more forgiving during the pandemic, they have also become increasingly more aware of all of the possible gap—bringing the topic of Integrated Risk Management (IRM) to the fore. Here’s Bonhof’s take on IRM.

Integrated Risk Management allows you to identify what risks exist within your firm, define a response to those risks, and then determine whether your firm is within that risk appetite. Ultimately, IRM combines all of those processes and rolls them up into a multi-level process chart where you can prioritize risks and pinpoint which ones are of the highest risk to your firm. 

IRM is such a hot concept right now because regulators are putting more emphasis on it.

As part of Synechron’s FinLabs RegTech accelerator suite, I’ve actually had the opportunity to work on automating parts of IRM. Knowing how effective your controls are is a key part of integrated risk management, so we built an intelligent control testing environment that maps a firm’s individual control statements into a decision tree that automatically runs against a data set to help firms quickly pinpoint whether a control is effective or not. This advancement frees up compliance teams’ valuable resources so they can focus on remediating any deficiencies.

These types of innovation are becoming more important as Integrated Risk Management continues to gain more traction. IRM is such a hot concept right now because regulators are putting more emphasis on it. For example, ESMA recently published a consultation paper that assessed the suitability of the management at financial institutions, which concluded that the highest levels of management (including at the board level) need to understand their firms’ requirements, how they are complying with them, and what the state of the firm’s risk management looks like.  

Clash of the Titans: Big Banking vs. Big Tech

As an innovator in his own right, Bonhof is naturally drawn to industry disruptors. In particular, he has been following the rise of digital banks and believes that it’s only a matter of time until Big Tech enters into the banking industry as well.

The rise in digital banks has served as a catalyst for digital transformation in the industry at large. In order to stay competitive with digital banks, traditional banks have worked to provide digital services to their customers. For customers, having a digital bank account becomes more of a commodity because it opens up a whole ecosystem of additional services around it. 

For digital banks, their competitive advantage is that they’re not burdened by a chain linked system of legacy tools or processes, so they can get it right immediately. Digital banks can be more nimble when it comes to things like digital client onboarding processes and company reporting. On the other hand, it’s difficult for digital banks to achieve the same scale as larger banks. Plus, they’re bound to face the same kind of regulatory requirements as incumbent banks and will need to comply with them, lessening some of their initial competitive edge.

When Big Tech enters the market, it will drive a significant change that some incumbent banks will likely not be able to transition through and will lose traction within the market. 

What I’m really curious about is when Big Tech will officially enter into the banking space. Today, we have Apple Pay and Google Pay, but I think that it’s just a matter of time before they’re adding banking services to their offering. At that point the market will change. Digital banks just mark the beginning of the banking industry’s digital transformation. When Big Tech enters the market, it will drive a significant change that some incumbent banks will likely not be able to transition through and will lose traction within the market. 

Financial Firms and Regulators to Step Up Their AI Game

With the high likelihood of Big Tech companies entering the market in addition to other innovations in financial services, Bonhof is encouraging the industry to direct its focus toward emerging technologies such as Artificial Intelligence (AI) now, before it’s too late.

I think regulators really need to step up their digital game. They need to understand the tech component that goes into digital banking. AFM just compiled an insightful trend report where they spoke around their fears about Big Tech entering into the financial market. Today, Big Tech is predominantly supervised by privacy watchdogs. But, if Big Tech entered the financial market tomorrow, financial market regulators would not always be allowed to share information with those supervisory agencies, so that would make supervision really difficult. 

Regulators are just now issuing responses around the use of AI, which center around the concepts of explainability and trustworthiness. Together, they are two sides of the same coin because they help explain the decisions that come out of algorithms and apply fair principles that limit their biases. However, I still think that we have a ways to go and that regulation around the use of AI will only continue to increase in the future as the digital market matures.

The Role of AI in Regulatory Compliance

According to Bonhof, the role of AI is not just limited to the mechanics of digital banking. It applies to regulatory compliance too.

We recognize that regulators are starting to provide guidelines around AI, so we are changing the way that we advise our clients about AI. AI was once the new and exciting thing to talk about. Now it’s the means to an end. We’re looking at where AI models can help firms improve explainability in their compliance processes. 

AI was once the new and exciting thing to talk about. Now it’s the means to an end.

Using robotics (or AI) helps automate certain regulatory compliance processes such as horizon scanning, and makes the outcomes of those processes more predictable and reliable. AI allows teams to focus less time doing the monotonous work of running these processes and more time on investigating outliers. Instead, the “robot” leads the processes and identifies areas where there are inconsistencies that require the review of compliance experts.

On Implementing RegTech: Final Advice

So, what’s Bonhof’s advice to firms that are looking to implement new technologies in their compliance programs? “Be really clear about what you want to achieve in your compliance program and therefore what you want the technology to achieve.”

First, you need to understand where you are and where you want to go. For instance, if your firm was just fined by a regulator, then you’ll likely need to find a solution that can help you become more compliant. On the other hand, if your organization is in a good place but needs to become more efficient, then it’s likely you’ll need a different tech stack than the firm that was recently fined. When you understand what you want to achieve by adding technology, then you can better pinpoint the right type of technology solution for your compliance program.


If you’d like to learn more about Synechron, visit their website. To learn more about Rick Bonhof, connect with him on LinkedIn

If you’d like to contact an Ascent team member, you can do so here. Stay tuned for our next interview from the lines of defense. All interviews will be featured in our monthly Cliff Notes newsletter, which you can subscribe to below.

Subscribe to Cliff Notes

Webinar screenshot

[Webinar] Effectively Managing Your Regulatory Obligations Register

By Blog

Struggling to understand what your organization needs to comply with? Wasting too much time and resources scraping through regulations and building your obligation register? You’re not alone.

In this webinar, experts from LogicGate and Ascent we walk you through regulatory compliance insights and best practices to save you time and resources.

Learning Objectives

» What is the difference between a “top down” vs. “bottom up” approach to regulatory compliance?

» How do you evidence compliance, especially during a pandemic when the labor force is spread out?

» Boards are scrutinizing compliance more closely; how do you balance in-house staff, outsourcing, and technology?

» Learn how to set up a repeatable process around your compliance program to manage change & downstream impact.


  • Brian Clark, Founder and President, Ascent
  • Marc Van de Ven, Sr. Solutions Engineer, LogicGate
  • Moderated by Megan Brown, Head of Strategic Alliances, LogicGate

This webinar is hosted by OCEG (Open Compliance and Ethics Group)


About the Ascent / LogicGate Platform Integration

LogicGate Risk Cloud™ is a cloud-based platform with a suite of risk management applications that transforms the way businesses manage their governance, risk and compliance processes. Now with a powerful new integration, you can fuel your compliance program housed in LogicGate Risk Cloud™ with targeted regulatory data from Ascent. Seamlessly map your regulatory obligations and citations to your controls and P&Ps, trigger change alerts, and more. Learn more about Ascent’s API integrations here


For monthly insights on compliance and technology, subscribe to our monthly newsletter Cliff Notes below.


Regulatory Change Management: A Tech-Based Approach

By Blog

What is Regulatory Change Management?

Regulatory change management (RCM) is a multi-step process that ensures your organization stays compliant with any new changes in regulation. At a high level, RCM involves the intake of regulatory changes (rule amendments or additions), determining the impact of those changes to the organization’s existing obligations, updating the necessary controls, policies and procedures, and then working with the lines of business to ensure those changes are socialized and implemented.

Flow chart of traditional regulatory change management process (manual)

Firms Struggle with Regulatory Change

For regulated businesses, keeping up with the torrent of regulatory change is a constant struggle. In an environment where rule updates have increased by 500 percent in the last decade, Risk and Compliance workers face a confluence of challenges:

  • Compliance personnel must determine the impact of rule amendments or additions to their existing obligations, a process that repeats with every change in regulation.
  • Relevant changes must be reconciled with a firm’s controls, policies and procedures. Manual documentation and siloed pockets of knowledge throughout the organization leave the business vulnerable to human error.
  • The economic turmoil spurred by COVID-19 has seen many companies reigning in their budgets. As a result, those tasked with regulatory change management are now being asked to do more with fewer resources.

There are some 300 million pages of regulatory documents published globally, full of dense language and crucial but often subtle implications. Teasing out relevant regulatory obligations from these texts and mapping them to your organization has historically required countless hours of manual work. 

READ MORE: Regulatory mapping is key to compliance. Are you doing it effectively?


As compliance operations move increasingly into the digital era, it is clear that regulatory change management is particularly ripe for automation. 


Regulatory Change Management in the Age of Digitalization

Technological innovation has allowed financial firms to significantly improve their compliance processes. Here are some of the ways RegTech tools are helping financial institutions better manage regulatory change:

» By collecting regulatory content in one place, making it easier to monitor the regulatory landscape and reducing reliance on email/mailing lists.

» By surfacing regulatory changes that apply to a specific firm, narrowing the universe to applicable insights only.

»By helping compliance personnel organize and triage regulatory changes by mapping them to the firm’s business taxonomy.

» By helping compliance personnel map regulatory changes to the firm’s policies and controls, streamlining the process of assessing impact.

» By providing continuous insights, updating a firm’s obligations register in real time and flagging instances where operations no longer match requirements. 

Modern approaches to compliance risk are becoming increasingly necessary as regulation continues to grow and evolve. By investing in regulatory change management tools, financial firms are able to increase their compliance team’s efficiency and effectiveness while proactively protecting the business from regulatory and reputational risk. 

READ MORE: Solution Highlight: How Ascent Automates Regulatory Change Management


To stay up on the latest in regulatory technology and other news, subscribe to our monthly Cliff Notes newsletter below.