Finance Monthly
Personal Finance. Money. Investing.

Grainne McKeever, Marketing and Communications Consultant at Imperva, shares an outline of the regulations with which financial services must comply in 2020.

The Sarbanes-Oxley Act (SOX) was introduced following a number of financial scandals involving huge conglomerates and obliges companies to establish internal controls to prevent fraud and abuse, holding senior managers accountable for the accuracy of financial reporting.

The financial crisis in 2008 meant even tighter rules for financial services with the Dodd-Frank Wall Street Reform and Consumer Protection Act in the US bringing a great deal of new regulations for the sector. In Europe, in a joint move between the UK, France and Germany, banks were forced to contribute to the region’s economic recovery by paying an annual tax levy.

The UK experienced a complete overhaul of its financial regulatory structure when the existing tripartite system was abolished and replaced by a new framework consisting of the Financial Policy Committee (FPC), the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA). Since then, new regional directives have materialised, including the New York State Department of Financial Services’ (NYDFS) regulation, and the Monetary Authority of Singapore’s (MAS-TRM) guidelines.

Driven largely by digital transformation, the emergence of much more rigorous privacy and security regulations around the globe, such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) in the United States, has created additional regulatory layers for organisations to comply with. While GDPR is not specific to financial services, it has had an enormous impact on this industry.

A common requirement of many regulations is to appoint a Chief Information Security Officer (CISO), Chief Technical Officer (CTO) or, in the case of GDPR, a Data Protection Officer (DPO). Each of these appointments comes with specific obligations that the role must manage to ensure the organisation stays compliant.


Data Protection 

Many regulations are designed to protect personal customer data. The GDPR, for example, places the emphasis on commitment to individuals’ data privacy by implementing a Data Protection by Design approach, implying organisations need to build privacy and protection into their products, services, and applications.

Data privacy is also one of the key requirements of the NYDFS regulation which mandates that firms should implement and maintain policies and procedures for the protection of their information systems and the non-public information stored in them. For MAS-TRM, the protection of customer data, transactions and systems is included in its risk management principles and best practice standards.

Data Discovery

To protect your assets, first you need to know where your databases are located and what information they contain. Only when you have full visibility of what regulatory content your databases hold can you conduct an assessment to prioritise and assign a risk profile to datasets.


Data Monitoring

A recurring requirement of data regulation is that organisations should have visibility of user access to be able to answer WHO is accessing WHAT data, WHEN, and HOW that data is being used. This is certainly true of the GDPR which requires organisations to maintain a secure environment for data processing. For MAS-TRM, establishing appropriate security monitoring systems and processes is outlined as a requirement in the guidelines, “to facilitate prompt detection of unauthorised or malicious activities by internal and external parties.”

Incident Reporting

Reporting incidents in time is critical for avoiding regulatory penalties, which can be severe and costly for an organisation, both financially and in terms of reputational damage. However, security teams are often overwhelmed with large volumes of incident alerts, risking a genuine threat slipping through the net.

Using advanced machine learning and peer group analysis to distil the number of alerts that bubble to the surface will make it easier to recognise a real breach in time to stop it from accessing internal networks.

With a plethora of privacy and security regulations grounding themselves in organisations across the world, there is no choice but to adhere to them to ensure the security of others, as well as making sure that accountability is at the forefront of all businesses in the financial sector. By adhering to data protection, data discovery, data monitoring and incident reporting, financial services will be able to continue to flourish whilst having security at heart.

Compliance is a must-do activity, not a nice-to-have. According to Colin Bristow, Customer Advisory Manager at SAS, it is essential that companies extract maximum value from compliance processes, reducing the possibility of it being considered a cost centre.

Technological innovation can help to lift some of the compliance burden. The level of technology you can realistically implement depends on how advanced the organisation is to start with. One company’s moonshot could be another’s business as usual. Assessing the starting point is just as important as considering the benefits and end goal.

RegTech, AI and the future of compliance

This is the question that the burgeoning RegTech (regulatory technology) industry is seeking to answer. AI is typically at the forefront. RegTech partly focuses on improving the efficiency and effectiveness of existing processes. As part of that improvement, organizations are using AI, machine learning and robotic process automation (RPA) to smooth the integration and processes between new RegTech solutions, existing legacy compliance solutions and legacy platforms.

Why look to AI for help? Recent regulations, such as GDPR or PSD2, are handed down in the form of large and extremely dense documentation (the UK government’s guidance document for GDPR alone is 201 pages). Identifying the appropriate actions mandated by these lengthy documents requires a great deal of cross-referencing, prior knowledge of historical organisational actions, and knowledge of the relevant organisational systems and processes. What’s more, several regulations attract fines or corrective actions if not applied properly (like the infamous "4% of company turnover" penalty attached to GDPR).

In short, the practical application of regulations currently relies on human interpretation and subsequent deployment of a solution, with heavy penalties for noncompliance. This is where AI can help, reducing the workload involved and improving accuracy. Here are three key examples of how AI can help companies turn compliance into a value-added activity.

1) Reducing the risk of nonconformity

Following the deployment of compliance processes, there is often residual risk. This can be a result of unforeseen gaps in compliance processes, or unexpected occurrences that become apparent when operating at scale.

That’s partly because there are usually a lot of steps and processes to be carried out during the data collation stage of compliance programmes. RPA can help reduce administrative load associated with these processes that include a high degree of repetition – for example, copying data from one system to another. AI can then help process cross-organisational documentation, combining internal and external sources and appropriately matching where necessary.

AI can also help to reduce companies’ risk of noncompliance with, for example, privacy regulations. Furthermore, using AI techniques, organisations can automate transforming and enhancing data. Intelligent automation allows companies to carry out processes with a higher degree of accuracy.

2) Improving process efficiency

Inefficient processes can also hinder compliance. For example, automated systems that detect suspicious transactions for anti-money laundering (AML) processes are not always as accurate as they could be. A recent report highlighted that 95% of flagged transactions are closed in the first stage of review. Effectively, investigators spend most of their day looking at poor quality cases.

Use of an AI hybrid approach to detection ensures there are fewer, higher quality alerts produced. Furthermore, it is possible to risk-rank cases which are flagged for investigation, speeding up the interaction and relegating lower-risk transactions. Although AI forms an underlying principle across most modern detection systems, maintenance is key to managing effective performance.

AI can also be used to bolster AML and fraud measures more widely. For example, applying AI to techniques such as text mining, anomaly detection and advanced analytics can improve trade finance monitoring. This, in turn, can improve the regularity for document review and consignment checking, improving the validation rates of materials as they cross borders.


3) Keeping up with regulatory changes

Compliance never stands still. Businesses have to contend with a constantly evolving landscape, potentially across several regions. AI can help to optimise the processing of these regulations and the actions they require, helping companies keep up to date. Companies that need to effectively comply with several differing regulations require a wide range of understanding across all parts of the business. The size, complexity and legacy systems of the business can be significant obstacles.

To mitigate this risk, companies can use natural language processing (NLP) to automate aspects of regulatory review, identifying appropriate changes contained in the regulation and then relaying potential impacts to the appropriate departments. For example, AI could help geographically diverse companies determine whether changes in the UK have an impact on their Singapore office.

Humans still needed

It’s important to note at this point that AI and RegTech are not expected to widely replace humans. We are seeing early AI entries in the RegTech space, but they’re primarily helping with lower-hanging fruit and repetitive tasks. AI is primarily enhancing the work humans do, making them more effective in their roles.

AI does not come without some considerations, however. There is a great deal of focus and scrutiny on associated possible bias in AI deployments. Other discussions are exploring the transparency and governance of applications and questions around who owns generated IP. As a result, it’s essential that AI works closely with humans, enhancing activities and balancing an appropriate level of manual oversight.

AI is augmenting compliance practices by providing faster document review, deeper fraud prevention measures and greater contextual insight. It is also reducing noise in high-transaction environments and lightening the documentary burden on staff. From the start of the regulatory review to the end of the compliance process, AI holds part of the overall solution to a more efficient and valuable compliance function.

Without this integrity – and constant striving for health - a market risks becoming a venue for market manipulation, insider trading and other undetected criminal behaviour. Catherine Moss, corporate Partner at Shakespeare Martineau, explains for Finance Monthly.

Preventing behaviours amounting to market abuse, and tackling a lack of awareness of risk, has been central to the regulators’ quest for fairness for a number of years. So, following on from the July 2016 introduction of the Market Abuse Regulation (MAR), how is the UK faring and with a further review by the European Securities and Markets Authority (ESMA), what does the future hold?

Markets are driven, and develop depth, through pricing; and prices are – and have always been – vulnerable to manipulation. MAR, and its previous manifestations, were designed to identify behaviours which manipulated markets, or which allowed people to buy securities or commodities on a privileged basis with information which was not generally available to other trading parties.

The UK has had a legal framework around insider dealing and market abuse for a number of years. However, the introduction of MAR in 2016 formed a further part of a Europe-wide attempt at greater harmonisation, in response to scandals which came to light in the financial crisis and the greater complexity of the financial markets and emergence of alternative trading platforms. In the move towards a more congruent, European-wide, regime encompassing not only securities trading but trading in fixed income and commodity markets and related benchmarks, did the EU fulfil its markets’ needs? Leaving aside the question as to whether the latter could ever be achievable given the myriad trading venues now available, have market participants found the legislation fit for purpose?

The upcoming review of MAR will be undertaken by ESMA, looking into how well the regulations and directives are being implemented, whether the regime should be broadened, whether cross-market order book surveillance should be made subject to an EU framework; and, suggesting purposeful legislative amendments. Consideration is to be given to extending the regime to the foreign exchange markets. In addition, aspects of MAR which are still - unhelpfully - subject to specialist debate as to their scope, for example buybacks, insider lists and managers’ transactions, are to be further considered by ESMA.

At its simplest, there is a need to balance the desire of a company to access public money and trade its securities on a public platform against the requirement to adhere to the rules which apply to that market and its participants. It is crucial to the health of a market to ensure that information which may unfairly disadvantage other parties is not only managed securely but released in accordance with that market’s rules. Julia Hoggett, Director of Market Oversight at the FCA, put it starkly: “The life blood of all well-functioning markets is the timely dissemination of information, without which effective price formation cannot take place. The malignant form of that same life blood is the misuse or inappropriate dissemination of that information.”

However, as companies and their advisers know, market abuse legislation - whether EU or local - has been traditionally quite complicated and tricky to comply with. As the recent survey results from the Quoted Companies Alliance (QCA) demonstrate, issuers and their advisers have exhibited a broad range of responses to legislation which is meant to direct efforts to maximum harmonisation. However, this requires additional processes and procedures to be put in place, understood and adhered to.

Lack of certainty as to the MAR requirements, for example, on the duration of closed periods, is striking. The FCA has quite rightly observed that “awareness is not present in all market participants.” Given the FCA’s stated objective of making effective compliance with MAR a state of mind - at least amongst the community it regulates - it must be asked how this is to be achieved within the current, or future, legislative framework where achieving certainty as to the meaning of the legislation appears difficult.

Clearly, with the introduction of any new regulation, some companies and issuers adapt faster than others, particularly if they are larger and better resourced. It is obvious from the QCA’s survey results, however, that many smaller and mid-size issuers are still navigating MAR’s complex requirements hesitantly. But more worryingly, it can be seen from the pattern - and lack - of regulatory announcements that some issuers, particularly in less obvious and well-policed trading venues, seem not to have recognised the breadth of its application. Education clearly is key and greater regulatory and market promotion of the constraints which issuers are to work within is to be encouraged.


So, what should be done to ensure that the requirements of MAR become part of an issuer’s “state of mind”? Effective regulatory response can seem sometimes to be limited to the publication of extensive decision notices which are picked over by advisers, keen to ensure that practical examples of poor behaviour, or the failure of systems, can be relayed as precautionary horror stories to their clients.

Many issuers seek regular training sessions with their advisers or company secretaries and become more confident as the reporting and transactional cycle demands their attention. Others find it difficult to engage in the processes required. Some, however, are not well-served by the advisers operating in the market and sector within which they trade. The FCA appears keen to seek to educate all issuers but, inevitably, issuers are still tripping up as they fail to understand, or to take advice on, the requirements of the regulatory framework within which they operate.

Whilst the ESMA review of MAR is unlikely to change the regime substantively, some regulatory time should be devoted to tailoring it more expressly to an issuer’s needs and securing a greater measure of awareness. Whilst the regulatory burden is unlikely to be lessened, clarity of approach together with greater support from markets and trading platforms as to the implications of MAR to their issuers would be welcome.

Less well known, however, is another more imminent deadline. The PSD2 regulation requires banks to implement facilities for these third parties to test their functionality against a simulated bank environment six months prior to the September deadline, which means that these environments must be in place by 14th March. Below, Nick Caley, VP of Financial Services and Regulatory at ForgeRock, explains that despite the importance of this fast-approaching deadline, many of the thousands of eligible banks are significantly challenged in meeting either deadline. And, while there are no formal penalties for not complying with it, there will certainly be consequences that could have long lasting commercial, technical and reputational effects.

Consequences of non-compliance

Banks which fail to meet the March deadline will need to implement fallback ‘screen-scraping’ - where customers essentially share their security credentials so third parties can access their banking information via the customer interface and collect the data for their own services - as a contingency mechanism at the same time as implementing their PSD2 API by the September deadline, something that would not be in the interests of banks, or their customers, and could lead to graver problems further down the line.

There are multiple problems associated with screen-scraping. Firstly, there are the significant security risks it poses. Screen-scraping involves customers sharing their banking security credentials with third parties, which is outright bad security practice. No-one should ever feel comfortable sharing a password to a system, let alone one that provides access to a bank account. Such credentials, whilst clearly able to provide access to banking data, also unlock numerous other account functionalities that should only be available to the account owner. Any increase in the risk that banking credentials could be compromised will not build the confidence of consumers.

Alongside security considerations, there are also cost implications since maintaining more than one interface increases the resources required. Each interface will require strict and ongoing monitoring and reporting to the National Competent Authority. While larger tier one banks might be able to absorb this extra cost, for smaller banks this will further compound the already serious burden of compliance with the regulatory technical standard (RTS).

Beyond these very practical concerns, failing to comply with the March deadline will mean banks are left playing catch up on the developments set to be made as PSD2 comes into effect. Avoiding such pitfalls would mean banks can significantly boost their long-term prospects, giving themselves a strong foundation to stay on top of PSD2, meeting regulatory deadlines whilst crucially increasing their ability to compete in the new era of customer-centric financial services.

Despite the clear importance of the March deadline, many banks are still largely focused on developing their production APIs ahead of the September deadline, rather than their testing facilities. For those banks who haven’t yet found a solution, having development teams put a testing facility live in such a short space of time might seem like an impossible task. The good news is that there are ready-made developer sandboxes that banks can deploy in a short space of time to stay on top of the requirement for a testing facility. These sandboxes are essentially turnkey solutions that are fully compliant with the defined API standards, making the March 14th deadline much easier to digest. Banks should look to these ready-made sandboxes if they haven’t already found a solution.

Looking further ahead

PSD2 gives banks, as the trusted holders of customer banking information, an unrivalled opportunity to add value for their customers. Through development of new interfaces, modernization of authentication methods and the redesign of customer journeys, banks can achieve the new holy grail for any business: delivering intuitive, secure digital services and experiences that are personalised to the customer, offering far greater insights and advice.

With the focus on complying with deadlines, it’s also important for banks to keep an eye on the competition. The promise of PSD2 is to provide a level playing field to encourage competition and innovation. There are certainly plenty of new competitors: Account Info Service Providers (AISPs), and Payment Initiation Service Providers (PISPs), retailers and internet giants, all have the opportunity to introduce their own payment and financial management products and services that integrate directly with the established banks.

At the same time, the challenger banks built from the very beginning to be ‘digital natives’ have been leading the way with innovative customer-first experiences and third-party marketplaces that go beyond what is currently on offer from traditional players. This means banks will need to provide better digital services to stay competitive, giving people more freedom and choice in the way they interact with financial services.

The March deadline is the first litmus test for which banks are keeping up with PSD2, and which are falling behind. However, as we have seen, the far-reaching changes that PSD2 heralds mean this upcoming deadline won’t just be a test of a bank’s ability to meet technical regulations - it will be a strong indication as to how well each bank will be prepared to stay competitive in our increasingly digital future.

 

Martin Kisby, Head of Compliance at Equiniti Credit Services, explores the motivations behind the evolution of compliance functions in consumer credit firms.

Risk and compliance departments, once held in low esteem by other business units, have evolved into a crucial function for protecting profitability. This is still a controversial statement in the consumer credit industry, but it’s easily justifiable. To do so, let’s take a look back.

It’s 2008. The consumer credit market is regulated by the Office of Fair Trading (OFT). Firms have a set of guidelines they are required to adhere to, but in reality can interpret or even circumvent them entirely. Business objectives are often, if not always, placed ahead of consumer needs.

So what was the role of the compliance function back then? Well, it provided some assurance to the OFT that firms were not ignoring its guidelines in their pursuit of profits.

This often led to compliance functions being derided as the ‘Business Prevention Unit’ or ‘Profit Police’ and being allocated minimal resource.

Fast forward to 2014: the financial crash has altered the consumer credit landscape dramatically. Trends in mis-selling, together with poor consumer outcomes, have highlighted the need for fundamental change. The creation of the Financial Conduct Authority (FCA), by merging the OFT and Financial Services Association (FSA), is intended to add more stability and oversight to the sector, ensuring better service delivery for consumers.

Big changes ensued.

The FCA developed a more robust and detailed handbook, which not only provided guidance on how firms across the sector should be operating, but also changed what was previously ‘advice’ into hard and fast rules.

Firms were given only interim permissions and needed to complete an approval process to gain full FCA authorisation. This required firms to demonstrate strict adherence to the new and updated rules and guidelines.

From this point onwards, the role of compliance was transformed. Firms began to allocate significant resource to this function to ensure they could provide continued assurance to the FCA that its rules and guidelines were being followed. It became imperative to demonstrate that mis-selling, unreasonable collections practices, affordability issues and poor customer service were being eliminated.

The compliance department evolved from the ‘Profit Police’ into a pivotal function in every FCA regulated firm.

Risk management also became more prevalent under the new regulatory body, as the System and Controls section of the FCA’s handbook requires firms to assess and manage their risks, and have a Chief Risk Officer as one of their Approved Persons – individuals the FCA has approved to undertake one or more controlled functions.

These complementary objectives meant that compliance and risk departments were consolidated. Compliance plans were established to monitor specific elements of the FCA handbook and verify adherence to them. Any identified control inadequacies could be migrated onto a firm’s risk register for monitoring and remediation.

Back to the present. Four years on from the introduction of the FCA, firms have, overall, implemented the necessary oversight to demonstrate that they are meeting their regulatory requirements and treating customers fairly.

But let’s be honest – there are selfish motivations too. A strong compliance department, empowered to change processes as best practice dictates, reduces the risk of both regulatory fines and exposure to defaults. This increases revenue and protects profit margins.

In a sector competing on cost at a scale never seen before, and where consumer brand loyalty is decreasing by the day, protecting a firm’s margins is crucial.

As compliance has increased in importance, technology has kept pace and evolved to reduce the time and cost burden regulation could otherwise have imposed. Now, best-of-breed credit management solutions seamlessly integrate compliance monitoring and reporting into their sourcing, approval and collections processes.

Happily, this combination of motivations and technological developments has created a win-win for lenders and borrowers alike: an established and proactive risk and compliance function that not only protects consumers but also contributes to the strategic objectives of the lender’s business.

It has equally attracted the attention of retail investors and potential bad actors. Combine the elements of hype tactics, fanciful notions of a new paradigm, and greed, and we have the perfect market factors which could induce a frenzy unlike any we’ve seen since the Beanie Babies craze. Oh wait, this sounds awfully similar to 2017, does it not? Below, Jamar Johnson, crypto expert and owner of Otravel.ai, explains the potential regulation trends we may be looking at when it comes to cryptocurrencies.

Sure, many are now jumping on the blockchain bandwagon, and it is up to responsible regulators to guide the market and its participants responsibly for the next wave of blockchain mania, if and when it arrives. However, we must take a more nuanced approach to said proposed regulation: how does a regulator support true innovation while not stifling its stated goals through high-cost barriers to entry, as some might argue has taken place in New York with the BitLicense? How do countries like the United States incorporate policy frameworks that are similar to those of Singapore and Malta, which are emerging as hotbeds for attracting blockchain talent? The issue becomes even trickier when one factors in the opportunities for wealth creation (estimated to be in the trillions) even though the US currently lacks a comprehensive framework towards the blockchain across all 50 states.

Self-regulatory organisations are commonplace in other sectors - for example, the Financial Industry Regulatory Authority (FINRA) plays a major role in the regulation of brokers and exchanges.

The current EU laws do not provide protection to any investor who can be exposed to the risks of digital asset markets, taking into account the significant prices and the lack of supervision of offers and exchanges.

While many nations have discussed their policy towards the blockchain and cryptocurrencies, some of the smallest countries and regions have quickly moved into the creation of novel laws and programs designed to attract top talent within the blockchain space - like Malta and Singapore, with Puerto Rico being the closest US example to date.

New and evolving financial technology companies need to comply with a network of laws and regulations that are designed to help customers and finance their finances and reduce the costs of repairing terrorists.

Across the pond, the Financial Authority of the United Kingdom provides fintech companies with a single domestic finance Regulatory Authority, clear qualification and test parameters, the possibility of waivers (on permission and review) and direct cooperation with Regulatory Authority.

Initial coin offerings (ICOs) have become a popular way for businesses to raise money by launching a new digital coin in exchange for cryptocurrencies such as bitcoin or ether. In countries like the US, it will be prudent for ICO founders to have clear guidance from a professional lawyer or legal team to help navigate the complex body of laws and regulations surrounding the offering of securities and meeting the Howey Test.

Last year, the Financial Conduct Authority (FCA), the UK's financial watchdog, issued a statement detailing the risks of investment in ICOs.

In February, the U. s. Treasury Committee, which consists of several politicians, launched a request for digital currencies and a dispersed technology or a blockchain.

Part of the act requires digital exchange and portfolio to apply customer-specific care checks such as banks.

The regulatory environment within the US concerning digital currencies is not clear just yet. But we know regulations are coming and are on their way to being formed (look to places such as Puerto Rico, Wyoming, or New York as examples). New announcements and stances are being made on a recurrent basis. The benefits of a proper regulatory structure in the US are not there just yet, but the opportunity is too great to ignore: a new tax base, the ushering in of the next wave of America’s greatest entrepreneurs, and the chance to shape the narrative for the blockchain revolution currently underway.

The civil rights group wants to highlight the way in which these businesses handle data and asserts that they do not currently comply with the Data Protection Principles of transparency, fairness, lawfulness, purpose limitation, data minimisation, and accuracy.

Tip of the iceberg

Privacy International’s criticisms are based on 50 subject access requests, but the group admits that this investigation has “only been able to scratch the surface” of potential data exploitation practices. In fact, in October the Portuguese data watchdog issued a €400,000 fine to a Portuguese hospital for two GDPR violations, highlighting just how painful fines for non-compliance can be.

With the sheer volume of data financial services companies host, there is clearly scope for major issues if it isn’t managed efficiently. So why are many struggling with GDPR six months on?

Cracking the complexities

The regulations pose so many challenges - industry goliaths can receive hundreds of subject access requests every day, presenting a huge administrative headache. At the other end of the spectrum, SMEs in the financial services sector may struggle to have even the most basic of systems in place to stay on top of data management.

There is also the complexity of understanding exactly what the law requires – what data can and can’t be stored and what the “right to be forgotten” means. Consider for a moment the back-up systems that most businesses have in place – by definition they are designed to not forget things. Does forgetting mean removing references even in long-lost archives? How do companies even begin to know where every piece of data they store on someone is hosted?

Automate, don’t complicate

Despite the endless advice issued in the lead up to GDPR, many businesses still don’t have the necessary tools in place. Companies need robust processes and systems in place to tackle incoming queries and ensure timely follow-up and resolution. Response is not just a matter of customer satisfaction. It’s now the law.

Fortunately, technology can play a big part in easing the GDPR burden. Some of the time-consuming administration surrounding GDPR can easily be handled by having an automated system to capture data requests thus freeing up the human workforce to focus on more added-value tasks. An automated system can help companies retrieve information requested by customers, especially if they hold multiple forms of data on them.

Ironically, given that many worried GDPR would be the bottleneck to its widespread adoption, AI will prove central to automating subject access requests. Embracing technology that continues to grow increasingly knowledgeable in the intricacies of GDPR and algorithms will automatically see necessary data deleted when customers request to be forgotten.

This removes the burden of compliance from financial professionals, who may legitimately spend hours trawling systems for any reference to one client, when AI can manage this in a matter of seconds. Professionals can utilise this time saving by adding value to clients instead – strengthening relationships and increasing the chances of them being brand advocates, rather than requesting to be forgotten.

No financial services company wants to see its name in the headlines for falling foul of GDPR requirements – both the financial penalties and reputational damage will prove difficult to bounce back from. Clients will inevitably move to competitors if they are suspicious that data processes aren’t up to speed. It’s therefore imperative that all businesses automate their GDPR processes, rather than struggling in silence and risking severe damage to their company in the process.

Almost a year in, is MiFID 2 fit for purpose, and what needs to be done to make sure that financial services companies start to comply? Below Matt Smith, CEO of SteelEye, explains.

Failure to comply implied threats of reputational damage and harsh fines from the FCA and so, come implementation day on January 3, those firms which hadn’t digested MiFID II’s 1.4 million paragraphs of rules in time were left living in fear of a crackdown from regulators.

Eleven months in, that crackdown has yet to materialise. And while a number of firms have undertaken the effort and expense to implement MiFID II’s myriad rules in full and have hopefully reaped the benefits of doing so, an equally substantial number haven’t – and regulators appear to be turning a blind eye.

This ‘softly, softly’ approach by the FCA has been picked up by commentators. Gina Miller, head of wealth manager SCM Direct, recently called for the Treasury to investigate the FCA for its failure to enforce MiFID II. This was in response to an April investigation which uncovered fifty firms in breach of MiFID II’s transparency rules. Despite receiving this dossier, the FCA wrote only to eight of the firms.

Given the breadth and complexity of MiFID II, most in the industry weren’t surprised that the FCA didn’t react strictly to non-compliance immediately after January 3. Equally as important as complying with MiFID II was that the markets affected by it continued to function effectively – which necessitated giving some time for the new rules to settle down.

But the lacklustre approach of the FCA is less understandable now we are approaching the anniversary of MiFID II’s implementation day. At the very least, it is unfair to those firms which took the time, trouble and expense to comply with MiFID II right from its implementation date – particularly smaller companies lacking substantial in house resources in technology and compliance.

The FCA’s unwillingness to enforce MiFID II is, unsurprisingly, having an effect on the number of firms making an ongoing effort to comply. As evidence, ESMA recently published its data completeness indicators, which showed a significant shortfall in companies’ compliance with ESMA’s data filing requirements – often submitting unsatisfactory data that is incomplete or late.

Ongoing ambiguity with MiFID II’s rules may be in part to blame. In the build up to MiFID II, many firms didn’t seem to fully understand what was actually required of them. This knowledge deficit was worsened by a lack of clear guidance from the FCA, which has continued.

Across the industry, the FCA has been criticised for this ambiguity, with critics arguing that it makes it near-impossible to comply with the regulation. Even within firms, individuals have come to different interpretations of the rules and, throughout the industry, there is little coherence when it comes to compliance and what needs to be done by when.

The FCA has claimed that its soft approach to enforcing compliance is soon to end, meaning firms could soon have to embrace MiFID II or risk being left behind. But with ambiguity remaining and a number of hurdles ahead, many in the industry are beginning to wonder if the FCA even knows what exactly it is going to be enforcing.

The shadow of Brexit looms large and the future of London as a financial hub is still unclear, as is definitive information on what regulatory regime will apply: a paper backed by ex-Brexit Secretary David Davis suggests numerous reforms to MiFID II. Moreover, the form and scope of MiFID II could soon be set to change considerably, with MEP Kay Swinburne already hinting at the possibility of a MiFID III.

This leaves both the FCA and financial services firms flying blind when it comes to both compliance and enforcement. This climate of uncertainty puts on hold the achievement of MiFID II’s goals of increasing transparency, investor protection and market competition.

If these goals are to be realised, a more responsible stewardship of its own rules – and uniform implementation of them – must be enforced by the FCA. If the FCA delivers on what it promised with MiFID II, out of enforcement a more transparent, competitive and efficient industry should emerge.

A greater proportion of IT decision-makers in the financial/banking sector see key financial services regulations as a driver of innovation (34%) than regard them as a barrier to it (24%).

More than a third (34%) of IT decision-makers across the UK financial sector regard key financial services regulations such as PSD2 and FRTB as a driver of innovation within financial services organisations, while fewer than a quarter (24%) see them as a barrier to it. That is according to a survey of IT decision-makers across a range of financial and banking sector organisations, including retail and investment banking, asset management, hedge funds and clearing houses.

The survey, commissioned by software vendor, InterSystems, also found that just 20% of these decision-makers believe their organisation is very well prepared for the roll-out of the new regulations.

Graeme Dillane, financial services manager, InterSystems said: “Historically, firms have responded in a piecemeal fashion by putting in place new siloed applications to meet the needs of each new ruling. The latest round of regulations raises the stakes by effectively demanding businesses break down their data silos, better integrate their data enterprise-wide, and analyse it in real time in the context of new event and transactional data. All of that makes it vital that organisations innovate now.”

To lay the foundations for innovation, firms need automated systems. Currently, however, automation levels are low. Just 21% of the sample said they had fully automated the processes they had put in place to meet regulatory and compliance demands. 33% said they had not automated them at all.

More positively, the survey indicates that IT decision-makers across this sector are aware of what needs to be done to change this. Nearly two thirds (66%) said that they expect innovative technology will have an important role to play in ensuring regulatory compliance for financial services businesses over the next five years.

“It’s clear that financial services businesses increasingly understand just how crucial it is to actively innovate in order to address the challenges presented by the latest industry regulations,” says Dillane, “and the good news is that we are starting to see evidence on the ground that they are seeking out new solutions to help ensure their compliance.”

(Source: InterSystems)

The European funds industry still has major concerns over Brexit and the fear and uncertainty that comes with it, according to new research with European fund managers.

More than half of respondents (55%) say that Brexit continues to be one of the biggest issues facing the funds industry in 2018. However, the study, conducted by online board portal provider eShare with delegates at the recent FundForum International event in Berlin, also revealed the funds industry was generally optimistic about prospects for the industry in 2018 and beyond - 82% believe that the funds market is generally buoyant despite political and economic affairs.

“The fund management industry has faced much pressure over the past few years, with new regulation intended to improve transparency adding many layers of complexity to governance and compliance programs,” said Camilla Braithwaite, Head of Communications, eShare. “But confidence amongst European fund managers remains high despite this, with Brexit the only main concern for many. However, with the major decisions over Brexit and its impact on financial services still to be made, fund managers are proceeding as normal until they know more and the industry is thriving because of it.”

The new regulations, such as GDPR and MiFID II, have undoubtedly affected the industry though, with fund managers increasingly aware of the risks that come with non-compliance. 84% of those surveyed felt that their organisation could improve the operations surrounding risk management and decision-making.

With fund managers facing tough decisions about compliance, investments and many other factors, the ability to be transparent about such matters was one of the most important things identified by survey respondents. 97% said that demonstrating transparency into decision-making is increasingly important for the industry.

As the pressure grows on fund managers to be compliant and well-governed, so the need for transparency increases too. 84% of respondents said that technology is the future for improving governance standards within the funds industry.

“Transparency is essential in modern fund management and demonstrating this is right at the top of the agenda for most fund managers, keen to reassure clients and regulators alike,” continued Camilla Braithwaite. “Technology can play a significant role in this, showing how decisions were reached and supporting governance and compliance requirements. The industry has woken up to the potential of technology to help in this way, and the research would suggest that the mood within fund management is positive.”

(Source: eShare)

With the new IFRS 15/ASC 606 compliance regulations now in place, CFOs need revenue recognition solutions that can handle complex, multi-element arrangements and fast changing product offerings. CFOs can no longer survive in fast paced business environments with a revenue recognition process where you kick off in the morning and sit around waiting for the answer. Real-time revenue recognition reporting is today’s reality. Rajiv Chopra, expert at Aptitude Software explains for Finance Monthly.

I am amazed that in 2018, and with this backdrop, so many CFOs are still not utilizing advances in accounting technology and are overly reliant on manual solutions. Over 75% of prospective clients I am speaking to are still managing revenue recognition accounting with home-grown “band-aid” systems that are reliant on manpower, Excel and internal “spaghetti IT” solutions.

These manual solutions, in which the C-suite place their trust, are high risk. There is a high dependency on a select few individuals who are working under intense pressure for sustained periods of time, levels of staff turnover are high, and teams suffer from ‘Excelitus’ and burn out from the boredom of repetitive tasks. The real value of the finance team - providing management with data insights and analysis, is lost.

For example, we saw an $8bn company operating in 160 countries, running 60 plus inventory spreadsheets just to track their sales. It would take 3.5 hours to open these spreadsheets – you can imagine the stress levels when they needed to close the books! Another company was doing 6 million transactions in a quarter, with 19,000 products and running 20 different revenue management systems, just to know where their revenue was. The level of financial risk was frightening with so many opportunities for misses and mistakes.

The question to CFOs and Chief Accounting Officers is why? You’re not saving money when your staff are waiting around for slow systems, correcting errors that shouldn’t be there and spending time on low value, repetitive processes. When we pose this question to CFOs and CAOs, one of the most common answers given is habit. Yet when pressed, they often admit that concerns over cost are the real reason behind their hesitancy to adopt new technologies and automated solutions.

While the cost of revenue recognition solutions will always depend on the specific profile of an organization, a recent survey from PWC shows that the majority of companies (58% public / 84% non-public) have spent or will spend less than $500,000 complying with the new revenue recognition standards, with implementation costs going up in step with an increased contract volume and complexity (PWC 2018 accounting change survey).

There are several areas where organizations can look to build return on investment, but I believe the human cost of manual revenue recognition is significant and often undervalued by many companies. You just have to look at the high levels of staff turnover in finance teams, also consider the stress levels as they try to close the books manually and deliver substantiated reporting. In their study on the financial impact of staff turnover, Oxford Economics estimates that it costs over $39,000 just to replace a finance employee when you consider the loss of productivity, agency fees, HR and management time.

At our recent RevConnect conference, the benefits of new revenue recognition technologies were described as ‘night and day’ by David Peterson, Revenue Accounting Manager from Ivanti. He explained how, by moving from a spreadsheet-based solution to an automated revenue recognition solution, they had reduced their close from 5 to 3 days, giving his team time to do more analysis and deliver more insights to the business.

Using automation also means finance teams can leave behind all the rote tasks of data download and copy and paste and focus on data insights and analysis. New technologies also encourage innovation and attract technology-savvy talent. A recent survey from the Association of Accounting Technicians revealed that 75% of finance professionals found that using accounting technology has either made their job easier or freed up time for them to concentrate on adding value to the business.

The benefits for CFOs who have embraced new revenue recognition technologies are extensive. Crucially, they have much happier and fulfilled finance teams. They can also take back control of their environment which can result in increased output, better critical decision making, and more business opportunities.

I encourage all CFOs to stop playing catch up, be proactive and reduce the manual processing of revenue recognition. Empower your team to add value to your business, grow as contributing team members and move away from hours of manual tasks that don’t have a place in the modern CFO office. When speaking about his organization’s move to an automated revenue recognition solution, Mark Flournoy, CAO, at Intuit summarized the change perfectly: “We (finance) are actually now in service to enable the rest of the business.”

With one in three bank staff now employed in compliance, and financial institutions groaning under the pressure of an ever-increasing regulatory burden, 2018 is set to be the year that RegTech rides to the rescue, stripping out huge cost from banks’ processes.

In the same way that nimble start-ups introduced FinTech to the financial sector, the stage is now set for the same tech-savvy entrepreneurs to apply the latest technology to help tame the regulation beast. 

The challenge is even more pressing now, with the arrival of an alphabet soup of blockbuster regulation including GDPR, MiFID II and PSD2, which will stress institutions like never before.

What is RegTech?

Deloitte has set high expectations for RegTech, describing it as the use of technology to provide ‘nimble, configurable, easy to integrate, reliable, secure and cost-effective’ regulatory solutions.

At its heart is the ability of ‘bots’ to automate complex processes and mimic human activity. And RegTech start-ups are already using robotic process automation to translate complex regulation into API code using machine learning and AI.

The holy grail of RegTech, however, is to strip out huge layers of cost and dramatically lower risk by developing and applying complex rules across all business processes in real-time, automating what can otherwise be an expensive and highly labour-intensive job. Simply put, RegTech promises to do the job faster, cheaper and without human error.

Behavioural analytics

Just like its FinTech cousin, RegTech is already being used for a surprisingly wide range of applications. For example, banks are using behavioural analytics to monitor employees, looking for unusual behaviour patterns that may be a tell-tale sign of misconduct.

Brexit will also present a golden opportunity for agile RegTech start-ups whose tech solutions can adapt and transform quickly according to the new regulatory landscape, while traditional institutions struggle with the pace of change.

Unlike FinTech however, which has largely been focused on B2C solutions, RegTech start-ups have to work much more closely with traditional financial institutions. That’s because capital markets are a highly complex, regulated area, where institutions are cash-rich and where access to funding is critical if vendors want to disrupt.

Bespoke solutions

Traditional institutions are also more likely to need solutions that are specifically tailored to the challenges they face, rather than the one-size fits many approach developed by FinTechs. For example, they rely on many different data systems, and this torrent of data often makes it difficult to compile reports to deadline for regulators – a perfect challenge for a RegTech start-up.

RegTech could well be the cavalry, riding in to save the investment management industry from the increasing amount of data being produced that financial regulators want access to. A significant amount of this data is unstructured, making it difficult to process, which adds a greater level of complexity. The flow and complexity of this data is only going to increase, and with it the challenge for banks.

Financial institutions are increasingly pulling out all the stops to crunch data and meet the regulator’s next deadline and in this high-pressure environment teams are not necessarily developing the strategic overview needed to streamline their IT architecture in order to reduce operational risk.

Compliance at speed

RegTech promises to automate these processes, making sense of complex interconnected compliance rules at speed, making compliance more cost effective, while reducing the chance of human error.

It also promises to dispense with the current time lag between a period end, the collection of data by the institution and assessment by the regulator – a process that is always backwards looking.

Under the RegTech model, powered by data analytics and AI, information is in real-time and self-correcting to ensure the regulatory process remains dynamic and relevant.

The scale of the advantages promised by RegTech is such that banks successfully harnessing its power will strip out huge amounts of cost from their processes, which can then be invested in business-critical innovation, giving early adopters a clear competitive advantage over the rest of the market.

John Cooke, Managing Director

Black Pepper Software
