Interpreting and implementing new regulations and rule changes is a perpetual effort, and many financial services firms continue to struggle to meet regulators' deadlines despite initiating resource-heavy compliance initiatives across the enterprise. As it becomes clearer that the pace of oncoming regulation isn't slowing down anytime soon, industry solution providers are coming up with new ways to unify compliance efforts across the organization, bringing efficiencies and benefits to the business from widely maligned regulatory mandates.
Since the advent of Sarbanes-Oxley, regulators have opened the throttle to legislation in anticipation of fast and furious changes to the financial services industry as its troubles bubble to the surface. And any hope for a respite or deregulation is naive, according to Andrew Wilson, lead for risk and regulatory management, Accenture [Ed. Note: Since being interviewed by WS&T for this article, Wilson has left Accenture].
"Things aren't going to change -- there is going to be more regulation coming down the pipe," Wilson says, adding that the sheer volume of regulation and the expected time lines for compliance keep firms from grasping the true impact of regulations in a unified way. "If you're to really step back and take a more strategic view, to do all that and put it together would make it difficult to hit the deadlines imposed on [firms]," he adds.
In response to the overwhelming demands of regulatory agencies, many financial services organizations have taken an ad hoc approach to compliance. The demands of individual regulations are being met with regulation-specific strategies, technologies, data, people and processes. "When the various laws and rules and regulations are passed, and implementation deadlines are set, they're being addressed one at a time and are being segmented out to the specific fields in the company and down through the departments, and even to the staff to evaluate and implement without looking at the big picture," explains Sondra Forkner, chief compliance officer for the Raymond J. Lucia Companies, a San Diego-based independent financial advisor.
What occurs as a result is redundancy in projects across an organization, where similar, if not identical, efforts are occurring in more than one business unit. "You have very dispersed types of projects that do not know that other projects are going on, and essentially duplicate those activities," explains Venkat Raghavan, program director for security, policy and compliance, IBM Software Group. "[Compliance] has been a very bottom-up activity happening in most companies."
But organizations are beginning to recognize the inefficiencies that are built into their siloed compliance efforts and are rooting them out by combining the efforts of compliance and business teams across their enterprises. The ability to do this has come, in part, as a result of better enterprise data management and the understanding of the benefits of information normalization from the top to the bottom of a business, according to Accenture's Wilson.
One instance in which companies are able to combine compliance and business processes, Wilson relates, is in the transaction monitoring requirements stemming from anti-money laundering (AML) regulations, such as the USA Patriot Act. "What you're doing [for AML] is two things: assembling a volume of transaction data -- understanding what was transacted for whom by whom; and second, there is a series of rules you have to run against that data to look for certain behaviors and patterns," he explains. "If you're to take those capabilities, it is the same thing that's done in [customer relationship management], just with a different set of rules."
The data sets and rules engine technology leveraged in AML compliance complement those of the product marketing teams, and vice versa, Wilson continues. Bringing these efforts into contact with one another is just one way firms are using their compliance efforts to improve the rest of their business.
Wilson also notes the potential for alignment between Basel II and credit risk management and exposure, as well as the similarities between Regulation National Market Structure (Reg NMS) in the U.S. and the Markets in Financial Instruments Directive (MiFID) in the European Union as primary areas where mutual benefit can be realized.
Consistency Is King
Combining the processes behind business lines and the compliance department is a lofty ideal, but it may be unattainable. And broadening the view and the application of compliance processes across an enterprise cannot happen overnight, but there are meaningful efficiencies to doing so. The obvious place to start is to obtain a view of what the firm's different business lines are doing to comply with applicable regulations, and to standardize those activities, reasons Kevin Ludwick, head of regulatory services for compliance vendor QUMAS (Florham Park, N.J.) and former senior regulator for the U.K.'s Financial Services Authority (London).
For Boston-based Fidelity Investments, unifying the compliance efforts across more than 20 individually functioning businesses began with creating a single set of policies and procedures to be followed by the entire enterprise, according to Dave Querze, the firm's VP of risk oversight. To accomplish this, the company uses a solution from QUMAS. Using QUMAS' DocCompliance solution, Fidelity built a centralized repository for all policies across the company, known as the Compliance System of Record (CSR).
Prior to building the CSR, compliance was a disparate effort with minimal enterprise-level control, Querze acknowledges. "Every business unit had responsibility for maintaining its policies, for building them out according to the regulations, for housing them properly and making sure they still have document control," reports Querze.
The business units of Fidelity stored their policies in any number of locations, including file storage locations, corporate libraries or Web sites, Querze notes. "One of the major things that we saw an opportunity for was to have one system of record for all of our policies and procedures that related to the regulations from the SEC as well as the other regulatory bodies," he says.
But, Querze adds, he recognized the need to have a policy and procedure record that was configurable by business line, as not all regulations were applicable to all parts of the enterprise. He says he also wanted to be sure that the businesses would retain control over their own governance and be able to change their policies as necessary, while preserving the chief compliance officer's window into their processes.
"Every time we want to make another set of rules that is kept in the system of policies, I don't want to have to put on a snorkel and mask and dive back into the code," Querze says. "I don't want to have to rebuild the system every time there's a new change or a new policy or a new regulatory body that comes into play."
"Dealing with change needs to be normative, not the subject of special programs, and the compliance framework needs to be capable of supporting that," says Ludwick. He notes that while Fidelity was the vendor's first client in the financial services industry, two other "industry titans" now are using the platform in implementations of 18,000 and 30,000 seats. He declines to specify the companies.
Fidelity Investments' Querze explains that the impetus for creating the CSR was not a matter of cost savings; rather, it was an attempt to view the organization as regulators view it. "They look at Fidelity not as 20 business units -- they look at us as one company," he relates. "So we said that, in reality, we should be able to present ourselves as one company."