
The Public Notice and Comment Process

Jim Freis, co-founder of CRINData, talks with John Maher about the public notice and comment process. He provides an overview of how regulations are developed, and then he explains how to provide input during the notice and comment period.

Transcript

John Maher: Hi, I’m John Maher and I’m here today with Jim Freis, co-founder of CRINDATA, a FinTech startup supporting financial institutions and their service providers. Today, our topic is the public notice and comment process. Welcome, Jim.

Jim Freis: John, great to be here today.

How Are Regulations Developed?

John: Great. So Jim, today we discuss how private industry can play a valuable role in shaping regulatory expectations through involvement in the public consultation process for new regulations. So, based on your background, Jim, as a former regulator as well as in the private sector, can you provide us with an introduction into how regulations are developed? I know that for some people, this is an entirely opaque, behind-the-scenes process.

Jim: Certainly. And I guess this is something, especially for non-lawyers, something that may not be that approachable for you. But what I can say is that it’s critically important and extremely valuable for affected parties to play an active role with government authorities in developing regulations that make sense. And what do I mean by that? Let’s step back for a second.

1. Legislators Pass a Law

Jim: And the first aspect is, what’s our starting point? Our starting point is when a parliament, a congress, passes a law and they say that here we have a risk, or we have an activity that has privileges to provide a certain service and it’s subject to rules. Specifically in the financial services industry, in order to hold consumers’ money, you’re subject to licenses and you need to engage in significant risk management processes so that you don’t breach that public trust, lose your consumer money, or you face potential repercussions. Not just for your individual depositors and investors, savers, but also potential ripple effects in the economy where the government has to come in with taxpayer money to rescue you and you make people whole.

So it’s a specific aspect that’s different from some businesses where an entrepreneur starts out and they’re successful or they’re not. They take the loss. In the financial services industry, you can have an impact on the general public, so that’s why it’s subject to licensing authority. So then the question is, what are some of the more detailed aspects of risk management in practice that are expected for the licensed entity to follow through? And this is where the law grants significant authority to the specific supervisor to go out, identify the risks, and raise, through regulations, expectations through risk management.

2. The Regulator Seeks Comments From Industry Insiders

And as a general matter, the regulator will go out with a public notice and comment period and they’ll say, “Here’s what we’re trying to do. Here are the risks that we’re trying to get at. Here is our proposal of the way to address that risk and what our expectations are from you. Please give us feedback into whether this makes sense, both in the general principles, as well as in the practice. How would you go about implementing them?”

And that’s a good practice across almost all jurisdictions. And we see it, whether we talk about EU guidance that’s out for public comment, or US guidance that’s out under what’s known as the Administrative Procedure Act. 

3. Further Guidance Is Developed Over Time

And the third aspect is, once we put out the rules, there might be further guidance that develops over time. Guidance is different from a rule in that it doesn’t prescribe that you must do this and that. Or it doesn’t prescribe the way that you should carry out your individual activities, and in particular, risk management. But it gives you an idea of the type of best practice and considerations to take into place. And again, this is an aspect where the regulators are saying, this is the direction that we expect you to go.

Here are black lines that you cannot cross, or preconditions. Again, such as having a license, if you want to provide certain activities. But then, how you go about your customer experience and how you grow your business while still being cognizant of the risks. Here’s something to think about in the way that others in the industry have done it. That has to evolve over time and it’s very important for regulators to get the benefit of those who are doing this on a day-to-day basis, see opportunities to do things better in the future, and have that constantly evolve. So again, public consultation and the public taking seriously giving that input is very critical.

Development of Regulations Related to Risk Management of Third-Party Service Providers

John: And how are these regulations being developed more specifically in respect to risk management and the reliance on third-party service providers?

Jim: So one of the aspects is helping a regulator understand what is reasonable. And by that, I mean, again in principle, we understand the point that any regulated entity retains risk. Even if, or retains responsibility, even if they contract with a third party to help them provide a certain service. You can’t contract out your regulated activity or licensed authority and your obligations to your consumers. But then the question is, where is that balancing act? And where is a cost benefit, where it makes sense?

And this is something that we increasingly see in terms of legal requirements on governments, that there should be a weighing of costs versus benefits to regulation. And you provide a lot of input on the practical side from the regulated industry, what are the real costs and benefits in practice? And another aspect is, what is reasonably available out in the market to mitigate risks?

And by that, just look at the way IT systems have changed, and the way IT costs have fallen, although we have much greater capability than we did in the past. Only a matter of a few years ago, certainly a decade ago. If we’re saying that, essentially through regulations we’re creating minimum standards, it’s important to know that a certain capability is generally understood in the market to be commercially available at a reasonable price. That’s something that a regulator can then put into a minimum standard, which is very different from saying, “Anything’s possible.” 

And yes, the entities that have the best search engine capabilities might be able to do incredible things with data, but I’m not going to invest that in my small organization. Nor can I reasonably contract that out with someone. That’s an important aspect of, again, knowing what’s the difference between commercially reasonable, and what’s state-of-the-art, or what’s pie-in-the-sky that we shoot for the clouds. But really there’s not going to be a quantum computing example for us available within the next few years.

Who Provides Public Comments and Why Are They Useful?

John: So you mentioned the public comment processing. In general, who is it that provides these public comments? And what are the characteristics of a comment letter that make it particularly valuable?

Jim: It’s actually a very important and valuable function of industry associations, to both monitor these aspects of changes from regulators, and to gather comments and ideas on behalf of their membership. Some institutions, some individual banks or regulated entities, might not feel comfortable putting their name on letterhead that’s critical of a regulator. 

It might be an aspect that the regulator is pushing to change the regulations, make them more strict, because they’ve been concerned that parties have not kept up with, again, readily available commercial activity. So call it the minimum standards that they would expect as the risks are growing.

If you’ve been criticized by your regulator, it’s hard to come back and tell them that they’re wrong in trying to make regulatory guidance more precise on an area that they were trying to hold you accountable for. So the industry associations can be quite good about that, both in terms of the breadth of their membership and the credibility that they bring in bearing that. 

On the other hand, you also get a risk of having a least common denominator approach. So where an individual institution or an individual service provider has something to say, when they can be specific, when they can provide statistics, when they can provide examples of what is the real cost or implication? Or what are the trade-offs that they would need to make as a business to implement a certain proposal? That’s extremely valuable to a regulator, especially when they’re looking at this cost benefit analysis. And also one thing that I can tell you, as a former regulator that’s extremely valuable is, it’s easy to criticize but it’s also important to give regulators some feedback as to what they’re doing correctly.

That could mean whether the principle makes sense, that this is an area of risk that should have enhanced focus. Whether it should be a priority, whether it should not be a priority at this specific time. Including aspects of reinforcing the notion that it should be risk-based, where issues should be prescriptive, minimum standards. Or where they should be left to the discretion of the institution. And again, subject to an aspect that they could be second guessed as to whether they reasonably used that discretion. But again, from a positive side, constructive feedback is always useful. To say that regulators shouldn’t impose more rules in some areas, maybe that’s good, but that really doesn’t help advance the process very much.

Where Is the Most Opportunity for Input Into Regulation Development for Third-Party Risk Management?

John: And where do you feel like you see the most opportunity for input into the development of regulations, related to third-party risk management and outsourcing?

Jim: I think in this area, one of the most important aspects is to step back and use the benefit of broader experience and broader exposure. So what do I mean by that? For me personally, having worked in multiple jurisdictions and implemented regulations, including with respect to third-party risk management and outsourcing, being an outsourcing provider reporting to boards myself, I look at aspects of overall concepts and principles.

Of course, you need to look up the details, but the details are irrelevant if we’re going in the wrong way from the principles. Why do I mention this? Because any individual regulator is only coming from the perspective of their area of competence and their oversight authority and their regulated entities. That is, by definition, driven by the specific jurisdiction for which they’re responsible. As well as, so both the geographical jurisdiction, as well as the subset of entities.

If I say, which I think is a very simple statement of the truth, that in the financial services industry today, we have more and more players that provide services on a cross-border basis. We as consumers have more and more opportunities to choose between multiple different service providers. Take the area of payments, I can use a FinTech, I can use an entity that’s not subject to regulation, one that’s subject to light regulation, like a type of e-money provider. Or one that is subject to heavy regulation, such as a bank. 

These have different regulators, but I might expect that they should have at least minimum standards and a focus on risk management in dealing with my data, my money, and the potential aspect of a disruption in planning their contingency measures. So I can come back with a comment and say that, “Here, you regulator, I appreciate the opportunity for guidance, but let’s learn from aspects that are happening in different jurisdictions. Let’s learn from aspects that are happening across different regulated or licensed sectors.”

That’s from a consumer perspective. But also think from the aspect of the service providers, if I’m an IT company that is providing risk management software for outsourcing risks, I’m providing that to companies that might be providing the services on a global basis. And I want to help them, not just beat a specific paragraph or a specific comment from one regulator, I want them to have a system that makes sense for their business. 

And the one service that they provide to 100 different entities in 20 different countries, I want to provide them a solution that meets that together. So it’s important on that side, from an industry perspective, to bring back to the regulators, from an individual jurisdiction, the benefit of global insights, global approach. Encourage them with respect to harmonization that moves the industry, and good practices and risk management, forward.

Contact CRINData to Learn More

John: All right, well, that’s really great information, Jim. Thanks again for speaking with me today.

Jim: Again, it’s an important aspect and anything I can do to work with, encourage, and continue my own practice in developing new guidance and encouraging regulators, that’s something important.

John: And for more information, you can visit the website at crindata.com. That’s C-R-I-N data.com.