
With one in three bank staff now employed in compliance, and financial institutions groaning under the pressure of an ever-increasing regulatory burden, 2018 is set to be the year that RegTech rides to the rescue, stripping out huge cost from banks’ processes.

In the same way that nimble start-ups introduced FinTech to the financial sector, the stage is now set for the same tech-savvy entrepreneurs to apply the latest technology to help tame the regulation beast. 

The challenge is even more pressing now, with the arrival of an alphabet soup of blockbuster regulation including GDPR, MiFID II and PSD2, which will stress institutions like never before.

What is RegTech?

Deloitte has set high expectations for RegTech, describing it as the use of technology to provide ‘nimble, configurable, easy to integrate, reliable, secure and cost-effective’ regulatory solutions.

At its heart is the ability of ‘bots’ to automate complex processes and mimic human activity. And RegTech start-ups are already using robotic process automation to translate complex regulation into API code using machine learning and AI.

The holy grail of RegTech, however, is to strip out huge layers of cost and dramatically lower risk by developing and applying complex rules across all business processes in real-time, automating what can otherwise be an expensive and highly labour-intensive job. Simply put, RegTech promises to do the job faster, cheaper and without human error.

Behavioural analytics

Just like its FinTech cousin, RegTech is already being used for a surprisingly wide range of applications. For example, banks are using behavioural analytics to monitor employees, looking for unusual behaviour patterns that may be a tell-tale sign of misconduct.

Brexit will also present a golden opportunity for agile RegTech start-ups whose tech solutions can adapt and transform quickly according to the new regulatory landscape, while traditional institutions struggle with the pace of change.

Unlike FinTech however, which has largely been focused on B2C solutions, RegTech start-ups have to work much more closely with traditional financial institutions. That’s because capital markets are a highly complex, regulated area, where institutions are cash-rich and where access to funding is critical if vendors want to disrupt.

Bespoke solutions

Traditional institutions are also more likely to need solutions that are specifically tailored to the challenges they face, rather than the one-size-fits-many approach developed by FinTechs. For example, they rely on many different data systems, and this torrent of data often makes it difficult to compile reports to deadline for regulators – a perfect challenge for a RegTech start-up.

RegTech could well be the cavalry, riding in to save the investment management industry from the increasing amount of data being produced that financial regulators want access to. A significant amount of this data is unstructured, making it difficult to process, which adds a greater level of complexity. The flow and complexity of this data is only going to increase, and with it the challenge for banks.

Financial institutions are increasingly pulling out all the stops to crunch data and meet the regulator’s next deadline, and in this high-pressure environment teams are not necessarily developing the strategic overview needed to streamline their IT architecture in order to reduce operational risk.

Compliance at speed

RegTech promises to automate these processes, making sense of complex interconnected compliance rules at speed, making compliance more cost effective, while reducing the chance of human error.

It also promises to dispense with the current time lag between a period end, the collection of data by the institution and assessment by the regulator – a process that is always backwards looking.

Under the RegTech model, powered by data analytics and AI, information is in real-time and self-correcting to ensure the regulatory process remains dynamic and relevant.

The scale of the advantages promised by RegTech is such that banks successfully harnessing its power will strip out huge amounts of cost from their processes, which can then be invested in business-critical innovation, giving early adopters a clear competitive advantage over the rest of the market.


John Cooke, Managing Director

Black Pepper Software

E-commerce has experienced exponential global growth over the last decade. A wider array of markets has encouraged greater competition and provided more opportunities for online merchants to reap the rewards. However, staying ahead of the competition in such a climate is easier said than done and, if not approached properly, going global can put merchants at risk of falling behind. With this in mind Finance Monthly hears from Ralf Ohlhausen, Business Development Director at PPRO Group, who sets out ten simple steps to help make a success of going global.

1. Assess cross-border market opportunities

Consider the barriers to trade in the regions that interest you, making sure the benefits of doing business in the area outweigh the costs of meeting market needs and expectations. Also, don’t dismiss high-growth markets, such as Vietnam and Poland, which might be relevant for your business, but not the regions that spring to mind when looking for new sales opportunities and cross-border expansion.

2. Know your market and audience

This is important not only in terms of what you sell and to whom, but also in terms of the most relevant payment preferences. Online casinos do not accept credit card payments due to the fraud potential, while travel websites need to offer customers the option to pay via credit card due to the high value of the transaction. Sale conversions are linked to the provision of appropriate payment methods – and payment behaviour varies by demographic, just as purchasing behaviour does. In many cultures, younger people are more likely to use non-traditional payment methods, but if your target audience is primarily older, this may not be relevant. Do your research by considering all important marketing segments before you begin to trade.

3. Plan your marketing strategy

If you are new to a region, you need to raise your profile and gain customer trust to convert browsers into buyers. Consider your target market carefully. For example, a German national buying furniture online would rather not pay for a new sofa in advance, but wait for delivery and then pay directly from their account. Think about the behaviour of your target customer and which marketing strategies will resonate most successfully with them. If this is out of your remit, then working with a local marketing partner will provide the necessary knowledge to attract and retain business in the region, supporting long term growth.

4. Plan your market entry

The best marketing plan in the world will fail if not supported by a well-thought-through market entry strategy. Consider the best way to set up shop in a new region, as it will differ depending upon your business model and regional knowledge. Do you need to use a partner to begin with, selling via an online marketplace, auction site or an established local vendor? If so, for how long? Or can you go it alone from the start?

5. Consider your market share and positioning

Your current market/s may be crowded or dominated by one or two big names. If you enter an emerging market with a carefully tailored and localised offering, you could grab a large slice of that niche before others do.

6. Review payment methods

When it comes to payment options, decide how much risk you are happy with. Some payment methods may be convenient for customers, but carry a greater burden of chargeback/refund risk or other cost to the vendor. Such risk can often be mitigated, for example by offering less risky forms of payment, such as SEPA direct debits, only for goods below a certain value or to trusted customers. So-called ‘push payments’, which are proactively sent by the client, are less risky in terms of chargeback, but their use must be balanced with local preferences. Examples of push payments include giropay in Germany and iDEAL in the Netherlands.

7. Personalise your e-commerce offering for local needs

Make sure customers are only offered the products and payment methods relevant to their location, in a regionally-appropriate format. There are several ways of doing this, including local versions of websites and identification of site visitors by location (e.g. according to their IP address), which then dictates the pages and payment options available. You should offer each visitor at least three, or ideally around six, of the most popular payment options in their location, to maximise your chances of making a sale.

8. Do not leave it too late

Online retailers wanting to take a share of emerging markets need to act now, while the trend towards internationalisation is in its infancy and market niches are free.

9. Compliance matters

As a business, you must comply with a multitude of legal, financial and customs regulations of the markets you trade in. It is therefore crucial to keep abreast of and respond to any regulatory changes in a timely fashion. This generally demands external expertise, particularly as the penalties for non-compliance can be extremely tough.

10. Consider third-party support

When making a foray into a new market or region, it is important to keep on top of commercial and regulatory barriers and implement the best alternative payment methods. This is fundamental to the success of your business expansion. However, very few retailers have sufficient expertise in-house to manage all of these matters optimally, so finding a partner who can support you on your global journey can be the key to success.

While the prospect of ‘going global’ is still new for some, it’s vital for merchants to break into new regions quickly, armed with the best strategy and proposition to seize the opportunities before the competition swoops in. Only by taking this approach can merchants win new customers and multiply their bottom line, building new revenue streams and expanding into new regions. Global success is only a few steps away, and now is the time to go for it.

Overwhelmed by demanding new regulations, leading financial institutions are relying on video to manage the flow of critical information to employees. Below Paul Herdman, Vice President of Qumu EMEA, explains how finance teams and compliance officers can make the most of enterprise videos.

With worldwide financial institutions finally beginning to recover from Brexit, and derivatives markets still adjusting to the rollout of MiFID I, the next communication crisis for this turbulent industry is already looming. As political and regulatory regimes continue to extend their influence, firms doing business across the EU must now be preparing for implementation of the revised Markets in Financial Instruments Directive (MiFID II)—which reaches beyond banking to impact trading as well—while US-based financial institutions are busy figuring out how to comply with GDPR (the EU’s General Data Protection Regulation).

With both regulations including organisations and their global subsidiaries, greater market transparency in the financial industry is becoming a worldwide mandate. These new directives will have a huge impact on regulated firms in 2018 and beyond and will require financial institutions to upgrade their processes, their compliance operations and most importantly their communication technologies.

A 2017 Thomson Reuters survey revealed the average annual cost of compliance for global financial organisations is $119M per organisation. Additionally, 73% of communication professionals reported that communicating company news to employees is a serious challenge and 37% reported internal silos as the number one challenge for internal communications.

As these companies respond to increasing demands of regulators to meet new directives, many are proactively focusing on developing robust communication programmes. And the centrepiece of these new programmes is, in many cases, an enterprise video platform. Live or on demand, IT executives know that video communication can be fully automated, easily searchable and consumed on any device—making it the perfect communication solution in highly regulated environments. In fact, if managed well, video communication can translate into shorter time-to-compliance, and save financial services firms hundreds, or even thousands, of dollars per year per employee.

But how?

Enterprise video to the rescue

There are many ways using an enterprise video platform can help financial institutions meet compliance directives:

Timely communication: when workforces are dispersed, video messages can be easily created and instantly distributed to employees as regulations change.

Opportunities for feedback: key stakeholders can submit feedback and questions to the executive team, which can be captured and tracked for future resolution, or to identify gaps in the current process.

Timely collaboration: financial institutions can create private communication channels where key team members can share knowledge, insights and outcomes related to their discipline or functional responsibility.

Strategy alignment: video is a great way to present a consistent story across the organisation, so that any room for misalignment is eliminated before the message is taken externally.

Increased readiness: video polls can be used to gauge readiness on a specific topic or portion of a new regulation, reinforcing mission-critical compliance procedures.

Documented audit trail: with marketing teams playing a key role in the new directives, automated workflows for approvals and audit trails are key for financial promotions and marketing collateral compliance.

Configurable security: executives can share knowledge quickly across the organisation, privately to specific groups of key stakeholders or to larger audiences with no content restrictions.

Reporting and analytics: a video content management system can provide advanced analytics on content review, meeting attendance and overall engagement with the company message.

In conclusion – broaden your reach

Technology investments in enterprise video are key to mitigating regulatory risk. Not only do they provide a platform to communicate how regulatory changes will impact activity, but they allow financial institutions to quickly adapt to evolving rollouts, and ensure that all financial activities, including trades, remain in compliance. With the right enterprise video platform in place, many global financial institutions have been prepared well in advance for MiFID II and GDPR to happen. Is your company ready?


Darren Craig is an Associate Partner within Northdoor plc, an IT consultancy specialising in data solutions. Founded in 1989, Northdoor has created a consultancy-led engagement model for clients looking to start their GDPR programme. In its experience, the company has found that companies are very confused about the legislation and need advice around the processes involved in meeting GDPR legislative requirements. The Northdoor Rapid Response programme allows clients to quickly define their strategy, clarify their existing position around data and data security and create a clear roadmap to allow them to progress towards meeting their GDPR target. Once the roadmap has been defined, Northdoor has a combination of consultancy services and a series of solutions to detect, encrypt and secure client data to ensure that their environment meets their needs. Here Darren tells Finance Monthly more about the GDPR-related services that Northdoor offers and the challenges that UK businesses are faced with less than six months before the looming deadline.


With the European Union General Data Protection Regulation coming into effect in May 2018, in your opinion, what are UK companies doing in terms of preparing for GDPR?

I think that so far, many companies have spent a lot of time educating themselves and building their awareness of what GDPR is. We’re finally beginning to see companies that are starting to implement programmes of work. However, there's still a large percentage of companies that we talk to every day that haven't even started their formal programmes yet and don't expect to start one until January next year.


Do you think that this will give them enough time? 

It depends on the size of the company, but I think that there will be a lot of British companies that won’t manage to be fully compliant by 25th May 2018.


Why do you think so many businesses in the UK have yet to initiate a GDPR compliance programme? 

I think it's a mixture of reasons. One of them is connected to the lack of marketing in relation to GDPR that the Information Commissioner’s Office (ICO) has done. I’m under the impression that a lot of companies think that GDPR is just another version of the Data Protection Act, which is not the case. It is in fact a very significant change, when compared to what the Data Protection Act expects them to do.


What are the first steps towards GDPR compliance? 

The first step is understanding the gaps within your business. It is fundamental for businesses to accept that data protection is not just an IT issue - it's a cross-business challenge that requires all departments to come on board as part of the GDPR project and identify the data protection gaps they have between their current processes.


What does a typical GDPR compliance project entail?

As mentioned, the project itself starts off with a gap analysis where companies identify the gaps they have. This is then followed by a discovery exercise in order to identify all the personal data information that the business currently processes. The third stage of the project is then taking that data and mapping it back to a process within the business. Finally, companies have to carry out a Privacy Impact Assessment (PIA) against the process - only then they fully understand the amount of work that they need to do in order to become GDPR compliant.


When assessing compliance, what areas do you find businesses commonly struggle with?

The most common challenge relates to marketing. Traditionally, companies use marketing data from lots of different sources, but under GDPR, they will require explicit consent to be able to use this information going forward.

The other challenging area is HR - the requirements are for Human Resources to make sure that they have the right legal basis in place to process their employee information.

The third area where we see companies struggle is third-party supply chains. Under the Data Protection Act, the supply chain wasn't liable, however, under GDPR, the supply chain and the owner of the data are equally liable. Thus, there's a legal requirement for every company to ensure that the third-party supply chains that they work with are also fully compliant.


Can you tell us more about the work you’re doing in the field of GDPR?

The work we're primarily doing at the moment is advisory work - helping companies understand how much work they need to do around GDPR compliance and establish their project plan.


Why should companies choose Northdoor to help them with their GDPR compliance projects?

Northdoor is not a company that's just jumped on the GDPR bandwagon – we have been a business for over 28 years and our key priority is to advise clients and help them manage their information assets effectively. We not only advise them in relation to compliance of data, but we also help them secure their data and get value from it. We manage the whole lifecycle of information assets throughout the business and this has always been our core focus.


For more information, please go to:, email: or call 0207 448 8500.


The rationale behind the regulation

The General Data Protection Regulation (GDPR), referred to by some as ‘the’ biggest change to European privacy laws in the last two decades, is causing commotion across the globe as businesses rush to become compliant by May 2018 or risk facing heavy sanctions.

Finalised in April 2016, the new regulation, which will replace the Data Protection Directive 95/46/EC, has the goal of better protecting an individual’s personal data. For clarification purposes, that could be any form of information leading to a person’s identification, including but not limited to their name, email address, ID number, location data, income and bank details, health information and IP address.


So why a greater focus on the data subject?

In a comparison drawn by David Lewis, GRC Manager at cyber security specialists Imperva, visiting a website is not so dissimilar to using the road: the person doing it should be protected. When browsing online, it is expected that our personal information is secure and that it makes it to its end destination safely too.

Unfortunately, as recounted in the press all too often of late, the risk of a visitor’s data being breached has increased exponentially.

In November of this year, details surfaced of a breach suffered by Uber in 2016; according to the company, 57 million people were affected as a result of the cyber-attack. A month prior, detailed card payment information of approximately 60,000 Pizza Hut customers, among other user data, was thought to have been exposed to hackers. A month before that, Deloitte was involved in a cyber-attack whose real fallout has yet to be defined but which is said to have compromised Deloitte's global email server. In July 2017, it became clear that Bupa’s data breach had impacted half a million customers. In 2016, Android malware compromised over a million Google accounts. In 2013, Yahoo also disclosed a breach affecting up to 3 billion of its email users.

In response to the drop in user trust and confidence which inevitably negatively impacts businesses and the economy, governments are increasing regulatory safeguards.  Unlike the Directive, the GDPR will provide a single set of rules for all companies handling, storing, sharing and processing EU related personal data. Organisations will have to implement new measures to meet the requirements of the regulation and be extremely careful how they acquire, collect, use and store the data of their clients, customers and employees.

The implementation of a single regulation is thought to facilitate business processes in the long run and incentivise organisations to consolidate and streamline data in one place from the offset, where it can quickly be anonymised. The significant reduction in organisational costs, the potential for innovation and the building of greater rapport with customers as well as the decrease in brand and reputational damage associated with avoidable breaches are also argued to be among the benefits of the new regulation.


Cloud services and the GDPR

The rules of the GDPR apply irrespective of whether data is stored in the cloud or on paper. The former in particular presents several challenges with regards to compliance.

On the one hand, according to Elastica’s Shadow Data Threat Report, as little as one percent of cloud providers’ internal processes are compliant with the new legislation. Less than three percent enforce secure password policies to meet the requirements of the GDPR. This is partly down to the Directive’s emphasis on the controller rather than the processor, leaving many a provider unaccountable for the role they play in data privacy and security. Aside from the scenario where direct contractual obligations are enforced on behalf of the controller, processors are not held liable for loss or exposure of information. Where regulation isn’t an issue, cloud service providers can limit their focus to ease of use and navigation of their platforms and services.

On the other hand and according to the most recent Netskope Cloud Report, EU firms are unaware of how many cloud applications their organisations are actually using, which on average is believed to be over 600 software programs.

Under the new regulation, the rules will be far more stringent, the threat of fines as high as 20 million EUR or four percent of a company’s annual revenue (whichever is higher) real, and the sharing of liability binding between both processor and controller. Cloud providers as well as users must enforce a series of technical and organisational procedures to guarantee the level of security required. According to Dr. Rois Ni Thuama, Head of Cyber Governance at OnDMARC, the fines are not necessarily the biggest threat to a business’s bank account. The data subject’s right to sue following a breach, whatever the implications, is far more concerning.

“What we are seeing now is a clear division between a growing number of companies that say ‘wait, this GDPR thing is real’, and those who still don’t understand you cannot simply move data around the cloud without addressing data privacy. Privacy regulation is becoming mainstream in IT, in the same way that drug licensing became so for the pharmaceutical industry. It’s either make it clear that you comply, or forget about selling to serious customers,” says Bostjan Makarovic Founder of Aphaia, a GDPR-focused consultancy.

The attitudes of controllers and processors will need to change drastically, especially when it comes to negotiating agreements. Strict provisions on the scope of duties of the controller and processor will need to be defined and implemented. Annabel Jones, UK Director at ADP, commented: “contractual due diligence will be even more important as businesses seek to partner up with companies that can show data is processed lawfully”. An increase in third-party due diligence and a greater focus on insurance policies will most likely also be discernible.


Steps to compliance

When selecting a provider, cloud-using organisations need to ensure they choose vendors that are, in the first instance, able to tell their clients where the data they process and store is located. According to the GDPR, data transfer to a third party outside the EU that does not have adequate data protection standards is only allowed under certain circumstances. Currently only 11 countries meet such standards.

It is equally important that companies are made aware of any third parties involved in the processing of the data. According to Trustwave’s Global Security Report, approximately 63% of data breaches involve third parties who are often considered a company’s biggest area of risk exposure. As a result they will be the first to be investigated by regulators. If the latter are involved at some stage of the process, measures need to be taken to ensure that they too are compliant.

Security should be a top priority for providers, who ought to be able to explain the various measures adopted to protect data from modification, unsanctioned processing or loss. All data centres should hold the latest ISO certifications, and documents should be stored and transmitted exclusively over TLS (SSL) connections with AES 256-bit encryption. Regular penetration tests should be carried out to assess data security. Two-factor authentication, data deletion, trash retrieval and access controls are just some of the ways data owners can keep control over how, and whether, their data is kept.


About Drooms:

Drooms, Europe’s leading virtual data room provider, works with 25,000 companies around the world including leading consultancy firms, law firms, global real estate companies and corporations such as Morgan Stanley, JLL, JP Morgan, CBRE, and UBS. Over 10,000 complex transactions amounting to a total of over EUR 300 billion have been handled by the software specialist.





With MiFID II looming, finance businesses across the UK will be reviewing their practices to ensure the way they work complies with the new regulations. Here, Alex Tebbs, Founder at VIA, explains what the regulations mean for the way we communicate as businesses, and how your business can comply come January 2018.

MiFID II is a targeted regulation update that aims to improve transparency and better protect both providers and customers of the finance sector.

In that sense, it exists to make things better for everyone; but with the January deadline looming and uncertainty still rife around the impact of Brexit on the update, many in the finance industry are still considering the best way to achieve compliance in their business.

It’s a regulation update made up of many facets, one being the requirement for businesses to record their communications in any instance where that conversation results in, or is intended to result in, a transaction. Those communications must be retained - and be accessible when called upon - for five years after the event.

Creating a post-MiFID communications plan

In many ways, the communication requirements of MiFID II make a lot of sense. By recording our conversations, we can be sure that we are serving our customers in the best way, and that they are protected from any potential misunderstandings or misdemeanors.

But in today’s multi-device, multi-location business landscape, compliance isn’t so simple. While once we would have communicated on one device (likely a landline) and from one office, the reality of business today is that we often use multiple devices (and even encourage colleagues to bring their own devices) and operate across multiple locations, including remote working from home, offices in different countries and communications on the move.

This presents a challenge for finance professionals. How do we achieve compliance in this complex communications landscape?

The best place to start is with a review of your existing communications plan as a business. You’ll need to work out what platforms and devices are used to communicate, and make a record of all of those, as they will need to be included in your recording strategy. Be aware that this mightn’t be as straightforward as it sounds, and it’s likely to take time to uncover all the comms platforms in use.

The next step is then to work out how best to record those communications. On a landline, this would require hardware such as a microphone plugged into the handset. There are various apps that make it possible to record calls on a smartphone or via clients like Skype.

An alternative to this somewhat clunky process is to invest in a unified communications platform. This brings all your communication tools - smartphones, landlines, Skype, instant messaging, text - onto one platform which can be easily controlled from one portal, making recording and keeping those conversations a much easier, quicker process.

However you choose to manage your communications, one thing is clear; you will need to be able to both record, and keep, those conversations from January when MiFID II comes into play.

Security considerations in communications

It certainly won’t have passed by your attention that another sizeable regulation update is taking place in 2018; namely, GDPR, an update to data protection rules.

With GDPR putting renewed emphasis on security - and with MiFID’s requirements for comms recording - security should be placed firmly atop the agenda of financial firms.

There are various ways to secure communications. The most universally relevant and powerful is end-to-end encryption: the main risk of unsecured comms is that they could be intercepted en route, and end-to-end encryption removes this risk by making the information useless to anyone who intercepts it without the keys, which only the communicating endpoints hold.

For those businesses using a unified communications platform, encryption and many other security considerations are included as standard, with large investments being made by those companies into stress testing their platforms and removing any vulnerabilities as soon as they are considered as a potential risk factor. For those using separate communications channels, a strict security testing strategy will need to be in place to ensure all communications are safe and private.

In terms of retaining those recorded conversations, security is a concern once again. Secure servers and storage areas are a must; consider also who has access to these recordings, and ensure they have a signed agreement in place that complies with data protection rules, and that your business’ data protection processes are up to date - especially as GDPR hits in May 2018.

MiFID II and the communications landscape

There is much left unknown about how MiFID II will affect finance businesses in the long run, and it’s likely that the implementation of its regulations will uncover complexities that need to be clarified as we move into the new year.

With that said, the communications element is prescriptive; finance professionals must record and maintain a record of all communications, regardless of device, platform or location. Is your business ready?

With just six months until GDPR hits Europe hard, Finance Monthly has heard from Nigel Edwards, SVP of Insurance Europe & Head of UK at EXL Service, on the threat GDPR poses to emerging technologies, fintech, regtech and so forth.

For insurers, the General Data Protection Regulation (GDPR) promises to be a difficult hurdle to overcome without the right strategic approach and expertise. Businesses in the insurance industry are some of the most vulnerable to being caught wrong-footed by the incoming GDPR rules because of the data-rich environment they naturally operate in. The widespread use of third-party administrators means that data flows can be difficult to control in a way that keeps firms compliant with the new regulation. Another question that is high up on the agenda for industry decision-makers is the effect that GDPR will have on future technology adoption.

In recent years, the insurance sector has undergone an unparalleled degree of technological disruption. Telematics technology, for example, has dramatically changed how insurers price policies by gathering data on individuals’ driving habits and behaviour. The use of social media analytics is making the claims process more straightforward, and the use of technologies such as geo-location is creating better conditions for underwriters to evaluate pools of risk. One thing that these technologies have in common is their reliance on large amounts of collected customer data to function effectively. Will these techniques be hamstrung by the demands placed on companies under the GDPR regime?

Assessing the data ecosystem

For the most part, GDPR will not force insurers to curtail technology adoption, so long as precautionary steps are taken to better manage the data inputs and outputs on which new technologies rely. All of the existing InsurTech solutions that are on the market or close to arriving will remain options for brokers and underwriters to incorporate into their strategic spend - but only if the underlying infrastructure is in place to enable the rigorous management of client data.

Perhaps one of the most onerous demands placed on businesses by GDPR is the so-called ‘right to be forgotten,’ which will grant EU residents the right, in some circumstances, to request a full removal of their personal details from any company’s systems. Many insurance firms, a large proportion of which will have been trading since the start of the age of digitisation, have accumulated caches of over 30 years’ worth of client data. This data may not be in a single standardised format and may be spread across silos in multiple locations – posing a considerable challenge when it comes to compliance with right-to-be-forgotten guidelines.

Aligning with a long-term strategy

For new technologies to remain viable, steps must be taken to ensure that the core infrastructure upon which data is stored and transferred is responsive to frequent requests for deletion or transfer. This may result in the overhaul of legacy IT systems which are not fit for purpose and a more selective retention of customer information, as opposed to a policy which swallows up large pools of data indiscriminately.

Whilst this may entail some capital outlay, the decision to update legacy systems should be taken in the context of a new stance towards regulatory compliance. The GDPR is just one regulatory hurdle that must be overcome by insurers next year, but it can serve as a starting block for a more agile approach to data handling – especially for firms who have historically neglected the task. In the long term, laying the foundations for new technology adoption will not only facilitate better business agility but also a more intuitive approach when interacting with clients and their data.

Research from leading information security company Clearswift has shown that the education sector is rivaling technology for the top spot when it comes to GDPR preparedness.

The research surveyed 600 senior business decision makers and 1,200 employees across the UK, US, Germany and Australia. When asked whether firms currently have all of the necessary processes in place to be compliant, the top five performing sectors were technology and telecommunications (32%), education (31%), IT (29%), business services (29%) and finance (29%).

The survey also revealed that, of all the sectors, healthcare is the least likely to be ready for the upcoming GDPR, with only 17% of private and public sector bodies claiming to have the processes in place to comply with the legislation. Following closely behind is the retail sector, with a mere 18% of the industry ready for GDPR, then marketing at 19% and legal at 21%.

Overall, the research has shown that only a quarter (26%) of businesses are currently ready for General Data Protection Regulation (GDPR). However, with the deadline fast approaching, a further 44% are putting processes in place and expect to be ready in time for May next year, when the legislation comes into force.

Dr Guy Bunker, SVP of Products at Clearswift, said: “With 64% of UK businesses currently making moves towards GDPR compliance, the outlook is not as bleak as previously thought.

“It is clear that the regulation has grabbed the attention of businesses, but what is important is that their focus is in the right place. Those viewing GDPR as an opportunity will be in the best position to not only comply, but evolve their organisations, enhance their security posture and achieve business growth.

“Educating employees about how to safeguard critical information, introducing data protection guidelines and instilling a culture of data consciousness in the workplace will not only bring organisations closer to compliance but help reduce the chances of a data breach.”

Although the majority of businesses may not currently be ready for GDPR, employers have begun to identify the departments within their organisations where data protection is needed most. The most common departments to have budget allocated for spend on GDPR are finance and IT (31%). This is particularly relevant as most businesses believe their critical data predominantly lies in the finance department (55%), suggesting that finance will be under the spotlight in the coming months as organisations look at how they can prepare for GDPR.

When looking at the size of an organisation, 46% of the businesses that reported they are ready for GDPR had between 500 and 999 employees. Among larger corporations of 5,000 or more employees, only 19% reported they are ready, suggesting that bigger is not necessarily better. Smaller enterprises are leading the way over their larger counterparts in putting processes and technology in place ahead of May 2018.

While many organisations are expecting to be ready for GDPR, our research has shown that a typical company-wide IT project takes around six months to roll out, meaning those that aren’t ready now are running out of time to introduce new technology which could help them comply with the legislation.

Dr Bunker added: “The key focuses for GDPR compliance are educating employees and understanding where your data lies. However, organisations that are still looking at how they can prepare should focus on security solutions that can be integrated within existing infrastructures, such as Data Loss Prevention (DLP) tools and content inspection software, which are the biggest priorities in preventing data loss and can be used to demonstrate compliance with GDPR legislation. This can save time and costs by adding these to existing security investments instead of removing old technology and replacing it with completely new solutions.”

(Source: Clearswift)

Bermuda has won world approval of its tax information exchange practices with other jurisdictions.

A global body said this week that those practices comply with international standards.

Premier and Minister of Finance the Hon. David Burt JP MP responded to the announcement by thanking Bermuda government officials who have worked hard to make this a reality.

The Global Forum on Transparency and Exchange of Information for Tax Purposes (the Global Forum) said that Bermuda was among the countries screened under a new and enhanced peer review process aimed at assessing compliance with international standards for the exchange of information on request between tax authorities.

Bermuda, Canada, Australia, Cayman Islands, Germany and Qatar were deemed to be “largely compliant”.

The new round of peer reviews – launched in mid-2016 – followed a six-year process during which the Global Forum assessed the legal and regulatory framework for information exchange (Phase 1) as well as the actual practices and procedures (Phase 2) in 119 jurisdictions worldwide.

Today’s result means that Bermuda maintains the rating obtained through Phase 1 as a jurisdiction largely compliant.

Premier Burt said, “This is tremendous news and excellent for Bermuda. My thanks to all involved in securing this important outcome.

“This result is a testament to the hard work of the team in the Ministry of Finance.

“It is good news for local industry, boosting confidence in Bermuda as an international business centre.”

The 144-member Global Forum is a leading international body for ensuring the implementation of the internationally agreed standards of transparency and tax information exchange.

The Global Forum’s new peer review process combines the Phase 1 and Phase 2 elements into a single undertaking, with new focus on an assessment of the availability of, and access by, tax authorities to beneficial ownership information of all legal entities and arrangements, in line with the Financial Action Task Force international standard.

Global Forum members are working together to monitor and review implementation of the international standard for the automatic exchange of financial account information, under the Common Reporting Standard (CRS), which will start in September 2017. The monitoring and review process is intended to ensure the effective and timely delivery of commitments made, the confidentiality of information exchanged and to identify areas where support is needed.

The Global Forum is the continuation of a forum which was created in the early 2000s in the context of the OECD’s work to address the risks to tax compliance posed by non-cooperative jurisdictions. The original members of the Global Forum consisted of OECD countries and jurisdictions that had agreed to implement transparency and exchange of information for tax purposes. The Global Forum was restructured in September 2009 in response to the G20 call to strengthen implementation of these standards.

(Source: The Government of Bermuda)

Dallas J. McGillivray is an experienced international regulatory and business manager. He is a Fellow of the Institute of Chartered Accountants, a Member of the Institute of Directors and a Member of the Chartered Institute for Securities and Investment. He has extensive regulatory experience in senior management roles, including as a Director and Trustee.

He is also the Managing Director of FMConsult – a company that has provided compliance, regulatory, product development and risk management services to a range of large international and start-up financial services companies since 2004.

On top of that, Dallas has served for 17 years as Global Compliance and Operational Risk Director at a major asset management company for all business outside the Americas, gaining experience in global regulatory issues covering both retail and institutional business. He is also a Director of UK asset management companies and a Trustee of UK pension schemes.

Here he speaks to Finance Monthly about asset management and tells us more about his company – FMConsult.

What attracted you to the consulting sector?

What brought me to the sector was an invitation to work with a small consultancy, with the objective to grow it. We binned the company and set up FMConsult. The work is varied and you meet a lot of bright entrepreneurs that are just starting out who need a bit of “grey hair” to help them along.

What are the key sectors that you provide asset management services to? What are the unique challenges of each sector, from an asset management perspective?

We have a very wide range of clients from start-ups (that want a collective investment scheme set up, introductions to management companies, investment managers to attach to, etc.) to very large mature businesses that need some support during periods of change (e.g. interim Head of Compliance role). We are in the asset management space from wealth management to institutional asset management and everything in between.

What strategies do you implement to ensure that your clients’ goals and objectives are achieved?

At FMConsult, we adopt a risk-based approach to assess those business functions that have the largest impact on the business. Where are the issues? That’s what we need to know to be able to add real value.


What are the challenges that your clients typically face in relation to meeting regulation?

In the smaller entities, it may be capital resources and regulatory knowledge. They rely on FMConsult to add the regulatory knowledge. Outsourcing compliance is an economic way of delivering compliance standards, but it cannot replace senior management understanding that they are responsible and need to understand their responsibilities. Outsourcing compliance is not an abdication of regulatory responsibility.


What were your main objectives when setting up FMConsult?

Our main goal was to be a well-respected, independent regulatory and operational & investment risk consultancy firm, committed to working with clients to assist them in aligning financial services processes with ongoing regulatory requirements.

We also wanted to provide compliance solutions that enable senior management of financial services firms to demonstrate that they and their firm are currently, and will continue to be, aligned with UK and other regulatory requirements.


How would you evaluate your role within FMConsult?

My role at FMConsult encompasses a focus on business development and looking after a range of clients. I’m proud that the company punches above its weight in the industry. We have a very diverse range of clients that do take compliance seriously.

Below, Richard Smith, Director of Business Strategy at Inprova Energy discusses phase two of ESOS, the latest energy compliance rules.

Phase 2 of the UK Government's Energy Savings Opportunity Scheme (ESOS) has been given the official go ahead by each of the UK's environment agencies. This ends recent uncertainty surrounding the future of the mandatory energy assessment scheme, which was under review as part of the previous government's 2015 energy efficiency tax landscape reform.

Who does ESOS concern?

ESOS applies across the UK to 'large undertakings', such as organisations with more than 250 employees, or a turnover in excess of 50 million Euros and balance sheet worth more than 43 million Euros. It requires qualifying organisations to measure their total energy consumption and identify energy efficiency opportunities, but is not applicable to organisations that are required to comply with the Public Contracts Regulations.

There are four-yearly compliance phases. The first phase covered from 6 December 2011 to 5 December 2015 and phase 2 follows on from 6 December 2015 to 5 December 2019. Organisations that participated in ESOS phase 1 must repeat the exercise if they continue to meet the criteria, but cannot use the same data. There are also likely to be a number of new organisations that now qualify for the second phase due to a growth in employee numbers or turnover.

The scheme administrators have taken robust action to penalise organisations that fail to comply with phase one of ESOS. As well as fines of up to £50,000, non-compliant organisations are also 'named and shamed'.

How to comply with ESOS phase 2

  1. Determine if your organisation qualifies under ESOS legislation. Smaller businesses that are part of a larger corporate group may find that they fall into the scheme if one of the organisations in the group exceeds the employee and turnover thresholds. The qualification date is 31 December 2018.
  2. Appoint an accredited ESOS lead assessor to support the compliance process. While audit work can be carried out by suitably qualified individuals, the overall compliance process must be verified by an accredited lead assessor.
  3. Carry out compliant assessment activities/audits, identifying cost effective energy saving opportunities.
  4. Measure and record your organisation's total UK energy consumption for a continuous minimum 12 month period. This must include all buildings, industrial processes and transport activities and must include or span the qualification date of 31 December 2018.
  5. Complete your evidence pack and report on ESOS compliance to the Environment Agency by the compliance date of 5 December 2019.

Benefits of ESOS

Although ESOS doesn't yet require organisations to implement the recommended energy saving measures, there is powerful evidence that doing so makes financial sense.

From more than 150 ESOS audits completed by Inprova Energy during phase 1 of the scheme, our assessors identified energy savings opportunities ranging from 5 to 20%. This could amount to tens or hundreds of thousands of pounds worth of potential cost savings for typical sites.

Routes to compliance

Organisations can achieve automatic compliance with ESOS by gaining accreditation under the international ISO 50001 Energy Management Standard, which specifies the requirements for building, maintaining and continually improving a high functioning energy management system. When choosing this route to compliance, it is important for all of your organisation's energy data to come within the scope of your ISO 50001 certification.

Alternative routes include implementing ESOS compliant energy surveys to identify energy saving opportunities; commissioning Display Energy Certificates (DECs) with accompanying advisory reports; or Green Deal Assessments.

ESOS Lead Assessors may also be able to consider audit work undertaken within the four-year compliance period (2015–19) as part of other energy audit schemes, such as activity under the Carbon Trust Standard, and Logistics and Green Fleet Reviews, where these meet the requirements of ESOS.

The environment agencies are encouraging organisations to begin the auditing process as soon as possible. In particular, the ISO 50001 route requires early action, as it can often take well over 12 months to achieve certification and put in place a high performing energy management system. Allowing plenty of time will also avoid the last minute bottlenecks experienc

There are just six months left until Open Banking phase two begins, when customers will be able to digitally access and securely share their bank transaction data to get the most from their finances.

The initiative will encourage financial service providers to offer high quality, targeted services and in turn boost competition.

Roger Vincent, Head of Banking and Innovation at Equifax, comments: “The banking industry is set for a huge customer-centric shake-up with the implementation of Open Banking phase two in January 2018. This exciting development will dramatically change the customer banking experience, helping consumers and businesses to use their financial transaction data to access products more easily and better understand their finances.

“The initiative kicked off earlier this year with stage one, where the ‘CMA9’ (nine banks mandated by the Competition and Markets Authority) provided improved access to information such as ATM locations and product listings. The second stage is the real game changer, with bank transaction data made available digitally for consumers and businesses to share securely, and only with their agreed consent, via open application program interfaces (APIs). Through the open APIs the data can be used by authorised third parties to build new high quality and targeted services, including new digital offerings, facilitating a more competitive environment.

“The ability for transaction data to be used for automated creditworthiness and affordability assessments, fraud detection and product accessibility is endless. Customers will be able to control how their financial data is shared digitally and provide a deeper picture of the way they manage their money. This could mean a quicker, more secure and fully digital mortgage application process or faster access to finance for a new business venture. For those currently underserved by the market, for example young people or the self-employed, it could mean the start of a journey to better financial health.

“Over the next six months, banks need to embrace the move towards a more transparent banking world. To do this successfully, preparations must focus on meeting the long-term practical benefits of consumer empowered data sharing rather than approaching this change as a tick-box compliance activity.”

(Source: Equifax)

About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.