As costs for risk functions continue to increase, it is crucial to both reduce manual tasks and innovate processes through technological tools as well as an expanded skillset.
In this episode of Protiviti’s Powerful Insight’s “Future of Compliance” podcast series, Protiviti Risk and Compliance Managing Director, Vicki Alexander speaks with Nishant Desai, the Chief Compliance Officer of TIAA Bank and Gary Stein, the Chief Product and Compliance Officer of Openpay US. Vicki, Nishant and Gary share insights on how Compliance Leaders must embrace change, utilize technology, and bring innovation to compliance functions.
Listen to this podcast to learn about current Compliance function skillsets, what is needed for the future and how compliance can be transformed from performing reactive tasks to managing future risks.
To learn more about Protiviti’s Risk Transformation services, visit us at our website.
Hello. This is Kevin Donahue, a senior director with Protiviti, welcoming you to another edition of Powerful Insights and the latest episode in our Transformation Series: “Focused on the Future of Risk and Compliance.” In this episode, Vicki Alexander interviews Nishant Desai and Gary Stein. They discuss the current skill set in the compliance function, what is needed for the future and how compliance can be transformed from performing reactive tasks to managing future risks. As costs for risk functions continue to increase, it is crucial to plan to remove manual tasks and innovate by using both technological tools as well as an expanding skill set to propel the functions. Now, let’s go to their conversation.
Thanks for having us.
Again, thanks for having us here. I started my career at Bank of America, where I spent roughly nine years in a number of roles starting with information security, global markets, risk. I did a couple years in various operations compliance-focused areas, including commercial corporate banking. Then, more recently, before leaving Bank of America, the global tech and ops compliance function. During those years, I had the pleasure to work with Vicki in a number of capacities there as well. Then, I moved on to SunTrust Bank, where I joined Vicki to help establish a more modern compliance management system, starting with policy fundamentals all the way to testing strategies for, at the time, a large super-regional financial services organization. Prior to coming to TIAA Bank, I was the deputy chief compliance officer for BB&T, overseeing a number of compliance programs and various governance functions.
Awesome. Thank you, Nishant. Gary, what about you?
I’ve backed my way into the compliance role, to be honest with you. I started my career working for Arthur Andersen and then another Big Four, Big Six, Big Eight consulting firm after business school. From there, I went to go work for Signet Bank in the 1990s, and when we were acquired by First Union, moved back up to the D.C. area and joined a boutique consulting firm called Furash & Company that focused on the financial services industry.
From there, when Ed Furash retired, a couple of folks there with me launched another boutique financial services strategy consulting firm called Capital Performance Group. I was there for a little over 10 years and worked with banks, credit card companies, some fintechs and vendors, but I like to joke that during that time, in helping my clients with product rollouts, I saw legal and compliance as two-month delays on any of our rollout schedules.
Then, a combination of financial midlife crisis — I decided to leave my firm and joined a brand-new agency, the Consumer Financial Protection Bureau — and, whether it was to atone for past sins or what have you, I think the last nine years that I spent at the bureau really shaped a lot of my current thinking. I came in to work on deposits and overdraft. My policy portfolio expanded to include consumer payments, consumer data, especially as it pertains to Section 1033 and consumer-authorized data access, as well as unsecured credit and credit card at times. I did a lot of work there. I had the opportunity to meet Vicki and lots of other great people. I interacted a lot with both providers and consumer advocates and really enjoyed the idea of helping industry to adapt and understand consumer perspective and consumer interests and how regulation might apply in some of the emerging and evolving markets.
Late at the end of 2020, I got a call from Brian Schneiderman, whom I had met while I was serving on the Fed’s steering committee at its Faster Payments Task Force, and he’s had a client — he was at Deloitte at the time — a buy-now, pay-later firm called Openpay that was coming to the U.S. and was interested on forming a U.S. team. I thought it was just the perfect time to make my transition. I like the concept of the model. I really like our strategy.
As with the bureau, it was an opportunity to get on the ground floor of what I think is going to be a great organization and, in our case here, has some legs. We’ve been operating internationally for eight years. The opportunity to work with great people to shift my experience to a different kind of role and to do it on the practitioner’s side I felt was too exciting to turn down. So, I joined them at the beginning of this year and been drinking out of fire hoses ever since.
We have an interesting perspective on this. It’s probably going to be quite different from Nishant’s, and I think this is going to be a great contrast in the sense that, look, we are a fintech. Whereas there is a road map that’s typically built out for banks, there isn’t so much —or many of us on the nonbank side might not be as well aware of what that road map should be. However, our case is a little different. Like I said, we’re an Australia-based firm, we’ve been around eight years. Also, we operate in New Zealand and the U.K. and had, actually, built out a pretty robust compliance management capability for Australia, the U.K. and New Zealand.
So, we have the opportunity to not start from scratch, but to Americanize, if you will, what we’ve done. I think what became immediately apparent, and probably somewhat shocking to some of my Australian colleagues, is just how much more comprehensive and robust the compliance requirements are in the U.S. as opposed to the other countries. So, while we were probably way ahead of the curve from a lot of fintech startups, even those that started, say, in Silicon Valley, we are building out — not just Americanizing, but building tremendous number of elements as we get ready for our first loan here in the U.S. Part of that stems from the alphabet regs, as well as UDAP and everything else that exists in the U.S., many of which don’t really have as broad of analogous counterparts Down Under or in the U.K. So, we’re building out lots of capabilities and things there. We’re also building out the team and the infrastructure as we get ready in the U.S.
To your original question, one of the things that I always felt when I was at the bureau was that when you think about “What is compliance?” at least from a consumer protection standpoint, I try to think about, “What is it that the statutes and things were really set out to do? Why is it that a consumer would need these types of protections? And what about new channels, new products, and new markets presenting new risks and things?”
I’m not an attorney. I learned enough about the statutes and regs when I was at the bureau that I used to joke that I was one Latin class away from passing the bar. I would think about, “Well, why is it that a consumer would have the right to dispute errors? How does a consumer’s ability in a marketplace stack up against big corporations, and why may they be at a disadvantage, or why they may not understand something, and so why is this disclosure or that required?” I think when you try to go and understand the root of why the requirement exists, it’s generally not that hard to look at your business model and to see, “OK, do we present the same kind of challenge?” Even if the reg may not apply as clearly, do we feel that the consumer has the same vulnerability, and what might we need to do about that? I’ll pause there because I realize I went on quite a bit.
No, very interesting to see the viewpoint, especially as you’re building, right?
Yes. I will tell you that a large part of it has been not just the policy development but, as we go through the consumer journey in the app, there are disclosures. There are notifications and lots of other things that we have to make modifications to do to execute here.
First of all, I embrace all organizations, Gary, so I hold nothing against you being in a fintech entity. It’s actually been good for the industry collectively. I think it’s brought a lot of healthy competition, frankly, and in some cases, to the benefit of the consumers, so I think it’s a great thing. To Gary’s point, the dichotomy between the two, the way I look at traditional banking spaces, we have teams. Compliance teams, we have infrastructure, and where we find ourselves adopting into this change oftentimes is upgrading and retrofitting processes and tools rather than building from scratch. In many cases, I would have preferred to start from scratch, because it gives you a lot more playing field to design something that’s going to be suitable for what you’re trying to solve for, but in a bank, traditionally, where processes may have been in place for a long time, it is hard to do that at times.
When we think about adapting and changing, I look at three principles, frankly, and a lot of them revolve around the people: First, the compliance professionals today really need what I would call a skill set boost to be able to effectively assess compliance risks in these new emerging areas, where in the past, having a solid, say, subject-matter-expertise background. Gary, I’m not a lawyer as well, so ultimately, we have something else in common, which is great. Having a solid subject-matter expertise is sufficient, and was sufficient in the past. I think going forward, where we really see the need, at least from my lens, is capability of individuals being able to leave together the mechanics. How does the thing or the widget work, in addition to applying that regulatory knowledge? A lot of times, what we see are compliance professionals who have one or the other but may not necessarily have both, and I think in the future, there’s going to have to be a convergence of both.
Second, today and historically, we could have taken as a function, weeks — maybe months — to assess a new product or a modified product or service, and I think in the future, down the road, compliance professionals really will need to be more timely in the engagement as organizations move to this agile development mind-set where there’s more rapid development and deployment of digital features and products.
In the past, taking a couple months was OK. I think in the future state, that is going to be a bit difficult for institutions, particularly if you think about fintechs that are innovating on a rapid basis; the compliance professionals are also going to have to keep pace as well. Then third, broadly speaking, I think this applies to everybody, but the client’s function, just in general, is going to have to be more data driven beyond the traditional areas where they applying that approach.
For example, in AML, I think, it has been very easy over the past several years to institute technology solutions and become very heavily data driven. We need to really take that and go outside of AML. There’s more than just traditional transactions, and that really means, for that next-generation compliance officer, giving that individual the right skill set. Whether it’s training, whether it’s coming out of the collegiate area, using data is more than simply making a process faster. I think, to me, these are the three focus areas I would have going forward for the compliance function.
Let me start with the easy one first, which are the roadblocks. I think people is a key component of it. I think we can solve for that. I think the one area that’s really difficult for compliance professionals or software is the cost? Getting past the initial upfront cost in a lot of these use cases and scenarios can be daunting, particularly as we’re coming off of an event like the pandemic. Going in to make a request for a couple million dollars to implement a solution, I think, is not likely going to get a lot of air time. Timing is a big part of this; getting the cost right out of the gate is also a key, and then the people piece is a third factor.
In terms of where these tools are utilized, I think there are so many use cases now. The list keeps growing week to week, month to month. Where the technologies have done really well are in those high-volume, highly repeatable processes. I’ll use AML transaction monitoring as another example where it’s really done great over the past several years in our institution and in others that use various versions of this. Where I’d like to really see some ongoing adoption is in the area of complaints management. There are tools out there today.
I think the key challenge, again, is getting the tool in the house and being able to apply it and then make sure our people know what to do with the data that’s provided. Another scenario, perhaps, is using this for sentiment analysis to help us predict where there might be some compliance issue based upon how a customer interacted with an agent and how the tonality of that discussion went.
Data privacy is probably the other area. We deal with privacy a lot. We’re a highly complicated organization. As are many, they large, with a number of different affiliates, a number of different privacy laws, both state and internationally, that you have to deal with. In this particular area, I just think there is significant upward benefit in using and adopting, say, AI or NLP tools that help not only ensure compliance with privacy laws — that’s a big part of the puzzle — but there’s also my view of strategic offering to clients, that the institution takes privacy seriously, that we’ve got the mechanisms and the controls to make sure we can protect your data. I think there’s benefit in being able to use that as a strategic selling point shortly after tools are adopted as well.
Awesome. Gary, you’re just building yours out. What are your thoughts? Are you thinking about these tools and implementing them within your processes? You are a fintech, so is the answer bodies, or is the answer technology, or a combination of both?
It’s probably a combination of both, and where we think the sophistication and intelligence pays off. I think Nishant hit on the key areas, probably in order. Fraud monitoring is one area where we look most immediately. Anything that can help us be more intelligent about seeing things without creating unnecessary friction back into the process flow, either for our consumer, the merchant or other partners there, I think, is important — helping us to communicate with our customers intelligently, understand issues, determine patterns and figure out how best to communicate back to them. We’ve looked at utilizing chat channels and other things that can understand and service customers most cost effectively, but effectively in general too. I think those are some of our most immediate issues.
One area that I think the agencies have announced is a joint effort last week to look at where, I think, a lot of interest always jumps to underwriting and stuff. I don’t think that’s on our immediate list right now, primarily for the explainability and other factors, but I think that’s an area that the industry always thinks could be an application, but probably, as Nishant said, not one of the earliest.
Perfect. Gary, what’s the most innovative thing you’ve seen out there or have used?
That’s a great question. The way I look at it, I’ll tell you, in terms of a compliance setup and everything, we’re looking at all kinds of tools. We’re looking at tools that can help us respond to customer inquiries. We’re looking at tools not just in the servicing, but with delinquencies and other things that let consumers dictate how they want to interact with us and to make any type of issue resolution as easy as possible. I think that’s big. I do think the application of some of this AI and fraud and money laundering monitoring is a really big opportunity.
Quite frankly, I think, stepping back, overall, the way that offering something like an unsecured loan, which is what we do, has moved from a manual-spreadsheet-driven, cost-inefficient process to something that’s app driven is really — let’s not miss the 800-pound gorilla that’s there. We can enable a consumer at the point of sale to enroll, apply and qualify for an unsecured loan that basically goes anywhere from a few hundred dollars up to $20,000, and do that with a thorough underwriting, and do that with all proper notifications and consents and everything top of mind, and do it in seconds. Do it in a way that because it’s digitally enabled, ensures a consistency of approach. It ensures that rules-driven infrastructure that makes it easy to monitor how things are working.
I feel like what we’re bringing to the market here are products that banks and others have struggled to offer or to do so cost effectively. I think the whole digital delivery not only provides access but also provides safe access, and I think that’s not something to be treated inconsequentially.
Quicker, faster, better, right?
Nishant, what are your thoughts? What’s the most innovative thing you’ve used or is out there that, in a perfect world, you would use?
I actually want to dwell on one of Gary’s points here. I think it’s a great perspective as well, simply because you’re essentially delivering highly efficient, consistent compliance solutions, right? That’s a lot of what’s being offered at the table, and it goes beyond AI or NLP in many cases. I thought that was a great example.
Coming from my perspective, and perhaps when these tools were used at the first point in time, they were perhaps innovative. I think they’ve become somewhat commonplace nowadays, but if I think about robotics, the RPA’s automation tools for those high-volume areas to gain efficiency, the basic text mining for compliance — again, these are things that have been in place for a number of years. I don’t know that they’re necessarily innovative anymore. And then regulatory change — we might have open risk, or simply helping funnel new regulatory changes or notices to your perfect locations. Again, at a point in time, probably Earth-shattering to a degree. Today, not so much.
I think there is a lot more I would like to embrace. That’s probably where I would say today, the innovative technologies that are out there, that are growing, to me, privacy is probably the one area where I think there’s going to be tremendous benefit not only for us but for the industry holistically in helping manage consumer requests, helping manage compliance with laws. I think those items are just so resource intensive at the moment, and when you compound that equation by the amount of data that financial institutions generally have on hand, it is a very complex challenge to solve for, and I do think these future technologies are going to be very helpful — some of which are already here.
Let’s switch to the elephant in the room and talk about the U.S. regulatory bodies. They have been embracing technologies and efficiency. I believe we started seeing that a few years ago. They use it in their work and in automated reviews with data that is input. Does that change the way you’re going to utilize technology in the future or view technology in the future, Nishant?
No, I think, Vicki, this is actually a reinforcement. It should be a reinforcement for every compliance professional that the ship is already in progress and your regulatory agencies are adjusting as well, which simply means you should already be there or well underway for planning. If you don’t, we’re going to be caught in this question of response, in a cycle that may not end well for an institution. To me, this is really an affirmation of where things need to head down the road.
Gary, your thoughts?
I agree. It’s interesting. You announce a job change on LinkedIn, and then you immediately start getting hit up by lots of vendors that want to talk with you and everything. Not surprising, but it’s amazing how many of them tout solutions that will facilitate regulatory and reporting. These are efficiencies that, I think, are absolutely critical. It not only helps to ease a burden but makes sure that it’s happening on a consistent basis. I think those things are huge. It will be interesting.
I was at the bureau for two presidential administrations and a few different directors, depending on how you count the acting directors there. We did see in the last era a move to horizontal exams that enable more information collected across a number of entities versus on-site, deep-dive audits. I think this pandemic has changed a lot of things. In addition to all the artificial intelligence and regulatory tools, we’re all finding out how we can do things remotely, and so I think these data uploads and other stuff are probably going to stick around for quite a while. Your ability to plug into them is only going to make things a lot easier. I think the regulator interest in being able to take temperatures broadly in everything just makes common sense.
All right. We’re going to move to the rapid-fire round. I’m going to ask you questions, and I want you to use one word to describe your answer. Gary, what do you see as the top priority for the year ahead?
I’d say consumers.
Nishant, describe yourself in one word.
The same — excited.
Perfect. Gary, what did you want to be when you grew up?
Honestly, probably a basketball player.
It would be a cardiologist before I even knew what that meant, frankly.
OK. Nishant, who do you most admire?
This one’s easy. My mom.
Yes, I’d have to say my parents.
Awesome. Gary, what is one book that you would recommend to all up-and-coming leaders in risk compliance or transformation?
That’s a tough one. I’m not a big reader of the business books, so I’ll struggle in that one a little bit. I’ll tell you, one of my favorite books of all time that has nothing to do with risk and compliance is The Count of Monte Cristo, and I know it’s only rapid fire, but I’ll just say treat others well is probably the message there.
Very good. Nishant?
I’m going to be in Gary’s corner here. I think picking one book is hard, but maybe I’ll generally stipulate that the book probably comes from Peter Drucker. I do enjoy his reads.
Well, guys, thank you so much for participating in our future-of-compliance podcast. I’ve enjoyed speaking with you and having you share your insights.
Thank you for having us.
Our thanks to Nishant Desai, Gary Stein and our own Vicki Alexander for this informative conversation. Thank you for listening today. Watch for the release of our May edition, when Dolores Atallo will lead a discussion focused on the future of enterprise and risk management. To learn more about Protiviti’s perspectives on risk transformation, visit our risk transformation page under the risk and compliance section at Protiviti.com. Lastly, I invite you to subscribe to our Powerful Insights podcast series and to review us wherever you get your podcast content.