As we all know well by now, regulators are increasingly concerned about bank-fintech relationships. They have made it clear that banks are ultimately responsible for risk-managing all third-party partners, including fintech programs.
But in this new world, where business models are novel and bank-fintech relationships are still maturing, what is compliance?
“Compliance” as we’ve known it is becoming increasingly fragmented and complex. Bank compliance teams now oversee portfolios of different fintechs and sometimes multiple middleware providers, and fintechs deal with multiple partner banks. Minimum compliance now requires integrating multiple teams and systems just to reconcile accounts and transactions.
So just as banking models are changing radically, “compliance” is changing. Old approaches will put your business at risk and choke your growth.
Fundamentally, the number one focus of compliance infrastructure today must be “effectiveness”.
But, beyond being a regulatory requirement, why does effectiveness matter? What is compliance effectiveness? How do you test it? And where does independent effectiveness testing fit in your technology stack? Below, we unpack these questions for you.
Why does effectiveness matter?
Effectiveness is a requirement that regulators have been repeating for many years and one that is embedded in the concept of the three lines of defense. Now that automated effectiveness testing is possible, regulators will expect it to replace outdated manual dip sampling. In fact, we are already hearing that MRAs (Matters Requiring Attention) are being issued for exactly that. As one Chief Compliance Officer explains,
“Once you see a few banks doing 100% sampling, that’s going to become the expectation.”
But beyond being a regulatory requirement, effectiveness enables businesses to grow more rapidly and more efficiently. Compliance teams can be leaner and more efficient than ever before by reducing costs, saving headcount, and eliminating long and painful remediation projects. For example, Cable saves an average of $440k for customers and saved Tide 6 full-time employees.
On top of that, by identifying any areas of ineffectiveness outside of an audit or regulatory exam, companies are able to fix issues in real time and can proactively demonstrate to regulators how they are both addressing past issues and preventing future ones.
What is compliance effectiveness?
Effectiveness boils down to showing two things are true about your compliance program:
- all your regulatory requirements are met
- all your controls are working as expected
The #1 question you should ask about your compliance infrastructure is this: what systems let you show these two things are true at any time?
The simplest framework we know for understanding effectiveness is to organize your desired compliance outcomes into three categories: “Breaches,” “Failures,” and “Risks.”
- Breaches - if you have no breaches of regulatory or policy requirements, what should be true all the time?
- Control failures - similarly, if all your controls that go beyond your regulatory requirements are working as expected, what should be true all the time?
- Risks - then, on top of those two areas, are there any other indications that your controls may not be effective?
An effective compliance program begins with understanding the desired outcomes of having no Breaches, Failures, or Risks. Then, you need to be able to provide evidence of these outcomes to your stakeholders, auditors, and regulators.
One huge additional benefit to using this framework for compliance effectiveness is alignment with your partners. We hear time and again how one of the hardest things to do as a bank entering the embedded banking space is to align with partners on expected outcomes, priorities, terminology, and remediation steps. Such a framework ensures alignment, providing all parties with crystal clear expectations of the ideal desired outcomes.
How do you test for effectiveness?
Traditionally, testing for effectiveness has been done by dip sampling, a statistical method in which a random subset of data or cases is reviewed to assess overall compliance with an organization's policies and processes. But with regulators demanding greater assurance, manually reviewing only 1-5% of what’s going on across your entire portfolio—as is typical in dip sampling—is no longer sufficient. And it shouldn’t give you confidence as a compliance leader either.
In contrast, automated assurance – the ability to perform continuous, always-on effectiveness testing – helps you achieve 100% monitoring, enabling end-to-end automation across your entire compliance infrastructure.
As one of our customers said,
Automated assurance technology is also critical to unlocking your ability to evidence your effectiveness. As Steven Eisenhauer, Chief Compliance Officer at Ramp Networks said,
“Automated assurance gives me the confidence to walk into any regulator and say I know I don't have a breach.”
Automating assurance begins with understanding what data is needed. Using the framework of Breaches, Failures, and Risks, first pin down what would strictly be defined as a regulatory breach; then require your partners to give you the data you need to determine whether you are meeting those requirements at all times. Next, identify all additional controls that are in place, whether required by you or chosen by your partners, so you can gather the data needed to detect any Failures.
However, automation extends well beyond this initial step. A truly effective compliance program then weaves automation through your entire compliance ecosystem - automated risk assessments, automated quality assurance, automated reporting - as well as through all areas of compliance - BSA and AML, credit, fair lending, and the alphabet of regulations that banks must comply with.
Where does effectiveness testing fit in your compliance tech stack?
Of course, your compliance control vendors, like our friends at Unit21, Sardine, Verafin, or LexisNexis, are not in a position to tell you themselves how effective their own controls are.
Effectiveness testing, by definition, must be independent, as made clear in regulatory requirements.
Therefore, automated effectiveness testing is a brand new concept, requiring a brand new, independent system to satisfy your requirements. The efficiency gains alone make it worthwhile, but the real magic that automated effectiveness testing brings to a company is the ability to move faster, with more confidence.
For every tool, system, and process you have, you should ask: how does this help us sit down in front of a regulator, our Board, or in an audit, and show that all of our requirements are being met and all our controls are working as expected?
The future is having compliance tooling that tells you with 100% real-time coverage exactly how effective your compliance program is. This is the future that Cable offers.