Policy management for financial services: how to be audit-ready

Compliance in financial services is complex and is only getting more so. Regulators and bodies such as the FCA in the UK and the SEC and FINRA in the US have the power to impose significant fines that can reach into the tens or hundreds of millions. Senior individuals may be required to be listed as accountable for different areas. They can even be named in a lawsuit. This puts enormous pressure on compliance professionals to ensure everything is watertight. Even beyond the demands of being in a regulated sector, there is a range of other legislation to consider, from employment law to whistleblowing to accessibility requirements.

It’s no surprise that PwC found that 85% of compliance and governance leaders believe that compliance requirements have become more complex over the past three years, and Regology found that 92% of compliance professionals say their job is also getting more difficult.

The challenges around financial services policy management

The challenge of a multi-layered regulatory landscape is felt by the compliance team in areas such as policy management.

Regulators have gone beyond wanting to know that you have policies and that they tick all the appropriate boxes. They now want to know that your policies are up to date. They want evidence that employees are actually following them. And they want to see a robust system in place to make sure all of that happens. How you manage and govern policies and procedures is as critical as what the policies say. It’s as much about the “how” as it is about the “what”.

One core issue is that, while the need for more robust and comprehensive governance and management practices has grown, the tools that manage policies have not necessarily kept pace. As we will see, in many financial services companies, policy management has numerous challenges.

What policies do financial services companies have in place?

Any financial services provider will potentially have huge numbers of policies across different areas, including:

  • Regulatory and compliance: covering everything from anti-money laundering to fraud prevention to tackling financial crime to how to frame financial promotions.
  • Governance & risk: from governance structures to whistleblowing to disaster recovery policies.
  • Data protection & security: ensuring information security and data privacy, including how to respond to a data breach.
  • Employment & HR: everything from legal requirements to disciplinary procedures and recruitment processes.
  • Client delivery: all matters relating to working with clients and providing financial advice.
  • Operational policies: policies such as procurement and IT that are important to the everyday running of the business.
  • Health & safety: a range of key policies to ensure people stay safe.

For global companies, different versions of these documents may also be required across jurisdictions and locations, or even for different groups of employees.

Financial services policy management: typical challenges

The sheer number of policies and procedures is certainly a factor in making financial services policy management complex, but challenges are frequently due to a lack of a fit-for-purpose solution and limited governance applied to policy lifecycle management.

Multiple versions and poor findability

Policies and procedures are scattered across different SharePoint sites, shared drives on the network, or stuck in people’s inboxes. These policies are impossible to keep track of, so multiple versions are in circulation, with no visibility into what is still current and what has been superseded. This makes policies impossible for employees to find when they actually need them and also erodes confidence and trust in their authority.

Manual employee attestation

Employee attestation processes that confirm employees have read and understood a policy are important for compliance, but the process for tracking completion and sending reminders is often manual. Using email and spreadsheets to track employee attestation is massively time-consuming, error-prone, inefficient, and simply not scalable.

Gaps in review workflow

SharePoint has no built-in review automation for policy lifecycle management. Each policy needs its own workflow, covering both first publication and recurring reviews. Setting these up individually in Power Automate is time-consuming and hard to scale.

Policies are out of date

Some policies have simply not been kept up to date, and it is not clear who is responsible. Often, this is because the original policy owner has left, and no one can remember when it was last updated. Having no recognised owner also leads to policy gaps.

Lack of audit trails

All policies need to be updated from time to time, often involving changes and reviews by multiple stakeholders. When stakeholders use email for this process, it becomes impossible to track when a policy was updated, whether everyone who was meant to review it did so, and who actually approved it. There is no audit trail or record, which regulators do not want to hear.

Lack of standardisation

As already noted, some policies need to differ by jurisdiction or line of business. But sometimes the lack of standardisation is an issue, with different departments and locations running different versions of the same policy unknowingly.

How regulators view these challenges

A regulator will take a dim view of a bank or wealth management firm that fails to meet challenges around policy management and cannot demonstrate:

  • a robust and systematic approach to making sure that policies have named owners and reviewers, established approval workflows and a system to track the status of where each policy is in its review lifecycle.
  • that employees have read and understood relevant policies, with a timestamp for when that happened, and which version of a policy it applies to.
  • an accurate audit trail of any changes to a policy, who made that change, when it was done and what the change was.
  • a proactive, systematic, comprehensive and effective approach to policy management in operation.
  • evidence for all the above during an inspection, at short notice if necessary.

Imagine a regional or challenger bank, or a mid-size wealth management company, that is two weeks away from a compliance-related visit and faces challenges across these areas. Not only will there be two weeks of frenetic and stressful activity, but there will also likely be gaps, incomplete records, policy owners who have since left the business, data errors, and so on.

The regulators are very used to seeing this kind of piecemeal and hurried response, with gaps in the evidence, and know that it is, to some extent, papering over the cracks rather than demonstrating the systematic, well-governed, and effective policy management system they want to see.

How financial services companies can be audit-ready

Financial services companies need to be “audit-ready” so they can quickly produce evidence that they have policy management under control and support a broader culture of compliance. The best way to achieve this is by investing in a policy management solution that is genuinely fit for purpose for a complex, fast-moving, and highly regulated sector like financial services.

An audit-ready system has several elements in place.

Single source of truth

Policies and procedures are easy to find because they are all in a single policy library with effective search and browse options, so employees know they can always find policies at the point of need rather than having to look through multiple SharePoint sites or email threads.

Version control, clear ownership and effective governance give employees confidence that the policy they are accessing is the latest version. This means the policy library is fully trusted. When an agent is speaking with a customer and needs to quickly check a data privacy policy, they can find it.

Effortless access

Employees also need to be able to access policies without barriers and friction. If a customer agent must open a different app, or enter their log-in details, or encounter an unfamiliar and confusing interface, they are far less likely to access a policy.

Feedback from Xoralia customers has consistently reflected the value of the solution being built for Microsoft 365: policies can be found via a SharePoint intranet or through Microsoft Teams, directly in the flow of work, with no new system to navigate. The combination of this effortless access and the single policy library shows regulators that employees have genuine proximity to policies.

Effective policy lifecycle management

A good policy management solution provides automated policy lifecycle management, ensuring policies are kept up to date, appropriately reviewed by the right stakeholders, and have clear, transparent ownership. This supports audit readiness and sends all the right messages to regulators.

In a solution like Xoralia, this is achieved through:

  • assigning access roles for each policy (starting with the policy owner).
  • creating custom review and approval workflows.
  • introducing automated review scheduling that sends notifications if a policy is due to expire.
  • transparency that displays owners and status to support accountability.

Clear evidence via employee attestation

Successful employee attestation is critical for supporting compliance. This is achieved through an easy-to-use interface that can be targeted to different roles and easily integrated into an onboarding process. Automated reminders and robust reporting can help support high adoption and track progress. The data should then be easy to export to present as evidence for regulators.

Robust reporting and audit trails

Robust reporting to produce evidence for compliance inspections needs to extend beyond employee attestation. It should also cover policy updates, audit trails on policy changes, compliance logs and more, all underpinned by automated approaches to reduce errors, drive efficiency and enable audit readiness.

Supporting financial services policy management

Financial services policy management is challenging for multiple reasons. Without tackling these issues, the job of compliance teams becomes much harder.

Investing in a policy management solution like Xoralia can do some of the heavy lifting. It can get you on the road to audit readiness and ease the pressure on compliance professionals.

Want to see how Xoralia might help your team? Arrange a free demo.

How policy management software can help

We think the best place to store your policies is inside SharePoint. Most companies already have SharePoint as part of their Microsoft 365 subscription. Using SharePoint means you have full control of your policies, and many best practices can be achieved right out of the box. However, there are gaps and certain best practices are hard to achieve.

To fill these gaps, and for best results, we recommend using purpose-built policy management software for SharePoint and Microsoft 365.

We’ve developed a dedicated solution called Xoralia (pronounced Zor-ra-lee-a) that will ensure you have the best overall approach to policy management, supporting your users, policy owners and administrators.

We learned all about policy management from many years of building custom solutions for our clients on SharePoint. But we kept coming up against the same challenges, mostly caused by feature gaps in SharePoint. One day, a client asked us to build a policy management tool that filled these gaps. The trouble was, they didn’t have a lot of budget. But we had a good relationship with them and so we decided to collaborate on it provided we got to keep the code. Looking back, it was a pretty simple tool but over the years we have added more features and relaunched it. We’re now on version 3 and our original customer is still using it!

3 benefits you can expect from Xoralia

Make it easy to find policies

Centralised policy library with powerful search and filtering.

Reduce administrative burden

Automations and notifications so that all policy tasks are carried out on time.

Demonstrate compliance and best practice

Sophisticated tracking and dashboards to drive and measure compliance.

And lots more!

What our clients say

AppSource review

A great time saver and tool for document management

We have found Xoralia to be very beneficial to us as it has allowed us to focus on other areas as Xoralia will take care of who has read the documents and notify them if they have not. A great time saver and tool for document management altogether.

Ideal partner for our regulated environment

LifeArc operates in a strictly regulated sector where compliance and information security are critical. It is essential that LifeArc’s workforce have easy and effortless access to the latest up-to-date policies and procedures, which is the structure Xoralia gave us.

How to get started with Xoralia

Step 1: Explore or request a demo

Start a free trial for instant, hands-on access, or fill out our form to book a personalised demo at a time that suits you.

Step 2: Get a price proposal

If Xoralia looks right for your organisation, ask us for a tailored quote. We’ll outline any options and packages to fit your needs.

Step 3: Install and launch

Set up Xoralia in your environment with our support. We’ll provide onboarding, training, and full assistance to get your team up and running quickly.

Ready to get started?

Connect with us to streamline your policy management and ensure effortless compliance.

G2 review

Real value to our business in a short space of time

Working in a highly regulated financial services sector, we are required to ensure that our staff fully understand certain policies and Xoralia enables us to do that with an embedded quiz as part of the attestation.

AppSource review

Uniting excellence in integration and features for seamless policy management

As the newly appointed IT Manager at our company, I was tasked with implementing the Xoralia policy management tool, and the experience has been nothing short of impressive.
