Control Mapping: What it Is, Why it Matters, and Why Banks Must Remain Audit Ready
Well-designed internal controls are the foundation of each bank’s operations, and no two banks have the same controls. A bank’s controls may include software systems, forms, checklists, spreadsheets, and even flow charts allocating responsibility for various operational tasks. These individualized controls enable employees to run their bank in compliance with various local, state, and federal laws. Banks with branches in multiple states can be subject to up to 350,000 different laws and regulations that are frequently changing, which require ongoing updates to a bank’s processes, procedures, and controls.
Historically, most banks have relied on manual reviews of large volumes of regulatory change alerts to keep controls up to date. For many years, this approach was common even among the largest banks. In recent years, however, because of increased supervisory pressure brought on by public enforcement actions, several large banks have set a new standard for compliance by employing an automated control mapping process. As a result, banks that still rely on ad hoc, manual processes risk falling behind the standard of care that regulators expect for keeping controls aligned with legal and regulatory changes.
Why it Matters
As compliance officers, risk management officers, and in-house counsel know quite well, banks are expected to keep abreast of the latest developments in legal and technological compliance advances. Accordingly, examiners frequently conduct peer reviews, also known as horizontal examinations, to determine industry standards. In short, adopting the most scrutinizing, rigorous standard used by peer institutions for compliance monitoring and control implementation is often the best defense against potentially serious supervisory and enforcement actions.
Until recently, AI-enabled control mapping has been viewed as cost-prohibitive for most banks. However, adoption by larger banks has demonstrated that such automated, targeted control mapping updates are both feasible and effective. Highly automated systems, such as CompliSolv, have proven that banks of any size can implement an efficient control mapping process at an accessible cost.
Because these new systems have created a more effective control mapping process that mimics the processes used by the big banks at a price point that shouldn’t be an impediment for even the smallest of banks, the technological advances that have made these systems possible are creating a new standard of care that banks will need to live up to. Unlike the prevalent approach in the industry, these new systems don’t remain stagnant. As regulations change, state laws are re-written, and new laws are adopted, these systems recognize the updates and flag the impact on a bank’s controls in real-time.
How to Become Audit Ready
Given that this new standard is driven by more affordable technology, banks are under increasing pressure to ensure they remain audit ready. Like many other industries feeling the impact of AI, financial services compliance is in the midst of a technological revolution. Banks that continue to follow the path of the past may struggle to justify their decision to customers, examiners, and plaintiffs’ lawyers alike.
Where it was once sufficient for compliance, risk management, and legal staff to ensure that their banks were using a reasonable system for complying, these in-house leaders now need to understand how their compliance system works, including how it is developed, refined, and remains current.
Examiners and auditors routinely assess multiple institutions and cite deficiencies where banks fall short of leading practices. In the past five years, control mapping has drawn heightened scrutiny as large banks worked through consent decrees with their auditors. The expectations developed during that period have since trickled down the ranks of auditors and examiners, creating clearer standards for banks of all sizes.
As a result, now is the time for all banks to take advantage of the new lower cost technology in order to keep from falling behind their peers in this critical area of operational focus.