How do you divide up the responsibilities?
We have a centralized approach but a decentralized execution, which seems to work in a large company like ours. In each of our business units and in the technology organizations, there's an individual whose job is related to compliance with applicable laws and regulations. They work closely with people in my group who're forming policies and creating communications around those policies. On a day-to-day basis we're working together to ensure [that] we've got a compliance system in place in the business unit or in the technology area and that those policies are getting executed. Our group is overseeing that and making sure it's working, that the design is effective, and looking for soft spots that bear more attention.
How do you divide responsibilities in terms of compliance? How does your governance model work?
The way our model works, accountability for compliance rests with either the business unit or the technology areas that are responsible for ensuring that they have systems, controls and procedures to ensure compliance on a day-to-day basis. My organization is more about oversight -- making sure that there's an effective policy that is communicated and builds awareness. We ask if we're prepared for soft spots in the industry and if we're bulletproof in regards to some of the things going on in the regulatory community. CIOs very much have a skin in the game. We spread it [responsibility] out by creating policy and communicating it to the areas that are responsible for execution and accountability.
What kind of price tag comes with compliance? Are you having to shell out wads of cash to comply with government regulations?
If a company hasn't been walking the walk all along, they're going to be ponying up a lot of money. I think organizations that have continued to invest in this all along [will not have to spend an exorbitant amount of money]. There may be spikes in some particular areas, such as with anti-money laundering regulations that emphasize monitoring systems. But in general, if financial institutions or any kind of industry have been building their compliance systems all along and paying heed to them, we're not talking about massive amounts of funding having to go into it. If you have an organization that hasn't paid heed to it, I think the stakes are so high they're going to have to pony up in a big way. But I think the vast majority [of firms] have done it incrementally.
What kinds of technologies are you looking at to make your plan work?
We're going to look for technologies that supplement our business model, which is a customer-centric business model. We have four major lines of business, and it's very conceivable that we could have a single customer who has a space in every one of those lines. To the extent that we can look at things from a customer's point of view and ask 'what are we managing for this customer' -- that's what we're looking for. This [approach] not only works for compliance and risk management, but also for customer profitability and marketing relationships. I think that technologies that help with customer-centric business models are the ones we're going to be looking for, whether they're on the risk management side or on the CRM side.
If a new law or regulation comes out, how do you and the CIO handle it?
If a new law or regulation comes out and we know there's going to be some technology impact, probably one of the first individuals I would communicate with would be the CIO who's assigned to my area. We'd talk about whether the new law would require a system to change; would we have to contract with a vendor to get this done; what are the options in front of us; what would be the funding needs associated with that; are we talking about process, people changes -- the whole gamut. I'm joined at the hip with the CIOs in my organization. There's more and more technology impact in the world of compliance today, particularly with large companies. I find myself meeting daily with the CIO to make sure we're on track.
How is this regulatory climate different for the banking industry than it is for other industries?
Banks have a fiduciary responsibility and are here to serve the customer -- there's a certain amount of trust that's expected. That means that there's going to be more and more [pressure] from regulators and more and more laws around what you do. In the years to come, the financial arena will have much more to contend with in terms of regulations, especially since we're dealing not only with people's money, but also their information.