Regulatory risk is an increasing burden, yet many firms are still not taking an integrated risk-based approach to dealing with compliance
Financial services firms that can predict probable regulation can use this insight to improve business practices, avoid non-compliance, and create a more positive reputation with clients and authorities.
“Regulatory expectations are not static,” says David Lawton, partner at consultancy Alvarez and Marsal, and former director of markets policy and international at the Financial Conduct Authority. “Issues and approaches, which might have been under the radar ten years ago, suddenly come to the top of the agenda, and firms will then have to scramble to confirm they are not falling foul of these.”
Post-crisis banking has had a relatively consistent stream of court cases and regulatory rulings as historic practices are brought to light and found wanting. These range from engagement in cartel behaviour when setting the London Interbank Offered Rate (LIBOR) benchmark to tax advisory business, which was found to be helping evasion, rather than avoidance. Moreover the sets of rules that frame financial services activity have changed considerably in this period.
Using process management tools to keep abreast of new rules
“We have had to manage a wave of new rules since the 2007/8 crisis,” says Jean-Marc Guiteau, head of regulatory technology (regtech) for BNP Paribas Securities Services. “The size of the wave is reducing now, but that does not mean the flow of work is becoming less constant. While new topics are not arising, the rules that have been set are constantly being fine-tuned and corrected.”
To keep abreast of both changing rules and themes, financial services businesses must have a solid set of processes, which can capture that information and integrate it into plans and operations.
“Even if you are capturing all the data from regulatory announcements and feeding that back into your bank, you still need to ensure you have qualified what effect that information has on your business,” says Mr Guiteau. “You need business process management tools to bring the new rules into your workflow. That must feed into your policies, procedures and documents. As a result there is not one single technology that addresses the end-to-end solution; it will be a mix, and will depend on the complexity and scale of your business.”
Technology providers are finding fertile ground in their support for managing regulatory risk. Research by Alvarez and Marsal, published in January, found that of 352 regtech startups, the largest segment (84) were offering support for regulatory compliance and the segment of firms that showed most growth (68.8 per cent) in their collaboration with banks, regulators and domain experts was compliance support.
Regulatory tech helps 360º visibility of compliance
Working with regtech providers can help financial institutions of all sizes to tap into new technologies and overcome any limits that existing IT infrastructure might have. Where the practical challenges of supervising activity once required an expansion of headcount and manual processing, the increasing electronification of business is making automated supervision more viable.
“If you are a human, you might have to look at samples of all the events that have occurred to monitor compliance. However, if you have a machine doing the monitoring, it ought to be looking at 100 per cent of events,” says Michael Grecoff, chief executive of regtech firm Bay Street Technologies.
Brian Collings, chief executive of Torstone Technology, observes: “Recently the regulators have been making sure the relevant data is being provided from financial firms, but increasingly the focus will be on the quality and completeness of that data. Firms now need to show there are systematic controls in place to ensure you are providing accurate regulatory and compliance reporting.”
The key is an integrated approach and qualification of data
A growing number of reporting requirements have made firms more transparent, particularly in the areas of trading activity, risk management and fees. Many businesses are capturing that data and feeding it back into the firm to build a single view of risk.
“An integrated approach, when dealing with regulatory compliance, is also a much more efficient way of providing accurate regulatory and compliance reporting, because the quality and completeness are already part of your regular daily operational processes, so with minimal additional effort, you can add the controls to ensure the accuracy,” says Mr Collings.
The key to deriving value from technology in this way is to ensure that information is turned into usable knowledge, notes Mr Guiteau.
“This kind of widened data access and the capacity to manage more data is useful, but you can reach a point you have so much data you don’t know what to do,” he says. “So I do believe broadly that the more data we have, the more confidence we can get, but we have to be cautious regarding the qualification of the data, its analysis and that any decision we take [based upon it] is in context.”
Reducing regulatory risk by applying risk management strategies to compliance
The classic model of risk management is to operate three lines of defence in which the business line manages risk, oversight is provided to check that management and then the process is audited to assess its success. Imposing this within compliance allows firms to improve control of their exposure to regulatory risk. This must be built upon thoughtfully if firms are to handle regulation successfully as they do other risks.
“To take a risk-based approach you need to first consider the inherent riskiness of what you do; secondly, the comfort you have in your first-line controls around what you do; and third, keep a forward-looking eye on the potential for regulators to move their own focus as to what is important,” says Mr Lawton of Alvarez and Marsal.
It will be necessary for business leaders to create the right environment for a risk-based approach to bed down and to enable change
To some extent that will require investment in, and engagement, with new technology providers to develop capabilities that meet the expectations of authorities.
“If you are a large firm and you do not budget appropriately to use the latest technology, then you could be failing your regulatory obligations,” warns Mr Grecoff.
However, it will be necessary for business leaders to create the right environment for a risk-based approach to bed down and to enable change.
Mr Guiteau concludes: “Senior managers have to support not just the creation of ideas, but they must give the time to test and run new solutions.”