Bank Affiliate Rules: Six Steps for Regulation W Compliance (2024)

Challenges range from lack of an end-to-end awareness of regulatory requirements across the organization to outdated policies and limited procedures that do not provide enterprise-wide transactional guidance specific to Regulation W, observes Tom Rollauer, a director with Deloitte & Touche LLP’s Governance, Regulatory and Risk Strategies practice. “Corporate risk and compliance managers may want to take a pragmatic view of Regulation W compliance, which means balancing what is practical from a cost perspective with what is ideal in the new regulatory landscape,” adds Mr. Rollauer, who formerly served as a senior bank regulator with the Office of the Comptroller of the Currency and as the Executive Director of Citigroup’s Global Compliance function.

To implement an effective, centralized end-to-end compliance program, bank management and boards can consider several actions to bolster six different corporate functions and help improve Regulation W compliance and risk mitigation efforts.

1.Governance

“Good governance is the cornerstone of an enterprise-wide Regulation W compliance program and allows banks to more swiftly and effectively respond to regulatory requests and actions,” says Irena Gecas-McCarthy, a principal with Deloitte & Touche LLP’s Governance, Regulatory & Risk Strategies practice. This means relevant individuals should work to understand their role, responsibility and connection to transaction process steps so compliance leads to effective management and board reporting, she notes. A critical piece of the program includes a risk management process that uses three lines of defense: line of business (LOB), corporate compliance and internal audit.

• LOBs should initiate and execute transactions and verify that controls are in place to comply with the regulation. They are required to “Know your Affiliate,” especially for businesses with structured transactions and complex intercompany relationships, and understand how transactions trigger Regulation W requirements. When LOBs have their own risk and control personnel, banks should consider creating a framework that differentiates the roles between LOB and corporate compliance.
• Corporate compliance groups often operate as either separate units or as part of the finance function. In many cases, they develop and own the policy that outlines an institution’s compliance risk appetite and framework for Regulation W. Corporate compliance helps develop standards that implement policies and procedures at the LOB level and can designate roles, such as a steering committee and compliance officer, to focus on Regulation W efforts.
• Internal auditors validate the structure of a Regulation W compliance program and test the effectiveness within LOBs and compliance functions. They often perform broad scheduled testing, including assessing compliance as it relates to regulations and internal policies. However, testing should be separate from assessments performed by the corporate compliance organization. Oversight responsibilities can include having an appropriate understanding of Regulation W requirements. They also can include linking testing and validation to the institution’s controls across the first and second line of defense, as well as to other functions that have an impact on affiliate transactions, such as credit risk and finance.

2.Risk Assessment

LOBs, the corporate compliance group and internal audit should perform risk assessments for the activities under their remit. The goal is to determine the inherent and residual risks which remain and therefore need to be managed and controlled. The assessment drives the in-business risk and control organization’s (first line of defense) monitoring and testing control program. In addition, the assessment helps to determine the second line of defense: corporate compliance oversight. Building an effective Regulation W risk assessment program can include the following steps.

• Mapping and incorporating Regulation W requirements into the risk assessment program.
• Determining completeness of Regulation W requirements applied to business and control functions.
• Creating a common understanding of the types and nature of transactions with Regulation W implications from an inherent risk perspective,
• Aligning the risk assessment program to other parts of the overall compliance program (monitoring, testing and training).

3.Testing and Monitoring

An effective testing program provides ongoing, periodic monitoring and comprehensive escalation processes for Regulation W compliance, as well as assessments related to the effectiveness of controls. Controls can include the identification of an affiliate through an affiliate list, as well as identification of covered transactions by tagging affiliate transactions in financial, credit and collateral systems. When building a program for Regulation W compliance, banks should consider completing the following activities:

• Formalizing accountability across LOBs and support functions aligned to controls.
• Determining if the scope and frequency of monitoring and testing are sufficient.
• Tracking intercompany agreements and providing adequate documentation to evidence market standards, payment settlements and reconciliation of receivables/payables on a timely basis.
• Confirming collateral monitoring is complete and not fragmented across different units.

4.Training

Leading practices suggest that training should go beyond simply meeting Regulation W requirements to include helping functional stakeholders gain knowledge and understanding around their particular systems, policies and processes. Even if this knowledge exists in institutions, it typically resides with the regulatory and legal divisions and is not regularly communicated across the enterprise, resulting in LOBs having inadequate controls. Also, training can be used to communicate accountability and responsibility across an organization by fostering collaboration among various LOB risk and control functions. An effective Regulation W training program includes the following activities on a regular basis:

• Analyzing training needs on an enterprise-wide basis, so relevant training can be developed and provided.
• Offering comprehensive training to defined groups that own key controls.
• Documenting, tracking and monitoring of Regulation W training objectives and confirming that priorities are achieved.
• Including compliance training requirements in annual employee learning and performance goals, particularly for control owners of Regulation W.

5.Reporting and Communication

Institutions should establish a formal reporting and communications structure to confirm that stakeholders are receiving appropriate and timely information and meeting regulators’ expectations regarding Regulation W. “Corporate compliance departments can work with each LOB and function to establish meaningful templates that capture data in a consistent manner qualitatively and quantitatively,” notes Kim Olson, a principal with Deloitte & Touche LLP’s Governance, Regulatory & Risk Strategies practice. Corporate compliance groups also may want to “perform a horizontal analysis of the data so significant information can be reported to management and the board,” says Ms. Olson. An effective reporting structure should:

• Deliver consistent and regularly scheduled enterprise-wide reporting to management and the board, proving that compliance issues are aggregated, tracked and escalated for resolution.
• Identify triggers for escalation and/or to flag potential issues and report accordingly.
• Confirm that current management information system reporting is appropriately scaled to the risk profile of the organization and provides a clear view into credit exposures with the required collateralization across the enterprise for both loans and derivatives.
• Verify that reporting frequency and oversight are commensurate with the number and types of transactions.

6. Technology Enablement

Many banks have institution-applied risk and finance IT systems that will need to accommodate and effectively capture transaction activity, including affiliate identification, exemption applicability, collateral requirements, quantitative limits and reconcilement of certain service fees. An institution should provide an appropriate level of automation that scales to its risk profile based on transaction or product type and volumes. If done correctly, risk assessments would help identify areas in which process automation creates efficiency and greater transparency of activities. Regulation W compliance may be improved by using technology in the following tasks:

• Identifying Regulation W processes that are embedded in many risk, finance and underlying transaction systems.
• Determining end-to-end process flows that show handoffs for key processes across business and support functions.
• Maintaining an ongoing and centralized repository of key Regulation W information, including a complete and accurate affiliate list, covered transactions, collateral requirements, exemptions and type of exemptions and quantitative limits.
• Automating important risk-monitoring reports, such as collateral and capital limits, for level of capacity.

Related Resources

• Under the Spotlight: Banking Regulators Are Making ‘Regulation W’ a Priority
• Designing a Governance Operating Model for Financial Service Companies
• Governance Operating Model: A Tool for More Effective Board Oversight
• Board Risk Committees and the Roles of the CRO and CFO