The tone from the top can be heard loud and clear at many U.S. financial institutions: Compliance must be an enterprisewide endeavor. As firms feel the financial burden of complying with a multitude of regulations, including the Sarbanes-Oxley Act of 2002 (SOX), the USA Patriot Act and Basel II, forward-thinking firms are examining ways to use their existing technology for more than one compliance initiative.
Deutsche Bank already has started leveraging data captured for USA Patriot Act requirements to meet other rules, such as NYSE Rule 431 (the margining rule) and SOX 404 (substantiation of integrity). And, as of press time, the Bank of New York was preparing to utilize its SOX financial reporting tool for Basel II compliance. "Our ability to have reusability in either the systems or the processes we have around compliance ... is important for us to be efficient and to have enough dollars to invest in new initiatives," says Kurt Woetzel, CIO, Bank of New York.
The holistic compliance trend, or centralizing compliance initiatives across an institution's varied businesses, is relatively new. According to a compliance survey of financial services senior executives conducted by PricewaterhouseCoopers and the Economist Intelligence Unit in 2003, only 29 percent of respondents said that compliance was "largely centralized on a global level" within their organizations. Additionally, only 25 percent of respondents said that it was "largely centralized on a regional level."
Now, two years later, Carlo di Florio, director of the governance, risk and compliance practice at PricewaterhouseCoopers, has seen a significant shift in thinking. "The dialogue [around compliance] has gotten more holistic," he says. "From governance, technology and process perspectives, the question [has become], 'Is there a vision or strategy to get from siloed management to holistic management?'"
Di Florio believes that pressure from public investors is at the core of the current drive to break down silos. Recent legal and legislative actions, including highly publicized mutual fund investigations by New York State Attorney General Eliot Spitzer, have put compliance in the spotlight. As a result, investors who traditionally measured the success of a firm by return on investments are now giving sound corporate governance and ethical compliance practices the same importance as financial performance.
Public pressure has motivated senior management to focus on holistic risk management and compliance programs, and even rating agencies such as Moody's and Standard and Poor's are beginning to grill firms on their present programs. "Senior management is tired of worrying about whether or not they're going to appear in the Wall Street Journal; they're tired of investors calling them up and asking them what they're doing for holistic risk management and compliance," says di Florio.
Maximizing Processes and Tools
Bank of New York's Woetzel asserts that his firm's views on holistic compliance have had a trickle-down effect. "Bank of New York is a company that clearly has a view that centralized services are more efficient than decentralized services, and that mind-set really comes from the top of the company right down," he says. Woetzel believes that this mind-set is most evident in Bank of New York's latest effort to utilize both existing processes and financial reporting tools that currently are used for SOX reporting requirements to meet the imminent needs of Basel II. (Both Basel Pillar 3 and SOX 409 require the timely disclosure of material changes in operations and financial condition.) Woetzel declines to disclose the name of the tool but reveals that "The vendor is one of the large ERP [Enterprise Resource Planning] providers around financial reporting." He also adds that Bank of New York will be using the vendor's financial warehouse for Basel II as well. "Common tool, common training and common practices [are] helping to leverage the technology dollars we're investing," he says.
David Paris, formerly Deutsche Bank's global head of information management services, says the bank has been working on a leveraging initiative of its own. Paris joined Deutsche Bank in 2003. Until May of 2005, he headed the group that was directly responsible for collecting data that was captured in the investment banking, sales and trading operations of the organization, and setting up an internal shared services utility that could standardize the data and make it commonly available across multiple business lines.
"My view is that you capture, structure, enrich and distribute data with another end deliverable in mind," says Paris. "What you want to try to do is ... identify common elements of multiple business requirements across different functions or different business lines and set up a semi-generic deliverable that satisfies multiple needs."
In 2003, Deutsche Bank implemented a client operations data standardization strategy that involved deploying a data capture vehicle across the bank's six key sales and trading operations. The tool, dbClient, was designed largely in-house but built with assistance from an outside vendor (which Paris declines to name) according to the bank's specifications. DbClient enables data to be captured and structured in a common format regardless of volume and business site. This standardization strategy helped to maximize a variety of processes within the bank, including compliance, according to Paris.
Paris explains that information collected to meet stipulations under the USA Patriot Act (e.g., shareholder information, listing information, director information, etc.) also can be used for other rules, such as NYSE Rule 431, SEC 15a-6, SOX 404 and the EU savings directive (which is similar to IRS 1099 reporting). Data standardization also improves consistency in reporting to regulators.
"Regulators tend to be very focused on data consistency across the entire organization," says Paris. "It does you no good reporting to one regulator off one set of numbers if you're reporting to a different regulator off of a different set of data ... because they will get together and compare, and if they find a basis level of difference, you're going to have to explain the rationale."
Of course, consistency isn't the only benefit of holistic compliance. Paris adds that reusing existing systems across an organization rather than purchasing new systems that can only solve compliance issues within a silo ultimately saves money and lowers head count. But perhaps the most valuable benefit is a better reputation. "If you're an organization that's not always in trouble, think of how compelling that is to your shareholders," says PricewaterhouseCoopers' di Florio. "Whether you're talking to the media or to investors, ... it becomes an asset."
4 Steps to Centralization
1. Start with a vision. Outline what you're trying to achieve with your enterprise objectives, tie those into your business objectives and design an enterprisewide framework that focuses on structure, people, processes and technology.
2. Establish a compliance-friendly culture that defines the firm's core values and ethics for actual decision making.
3. Create a holistic compliance architecture that includes an inventory of all the existing technologies in-house, along with their capabilities. Redesign rules and turn on tool switches that will allow you to leverage existing systems to achieve the objectives outlined in your vision.
4. Develop an enterprise compliance dashboard that identifies what the key metrics are to measure the success of your holistic compliance program. Your dashboard should be able to show you how you're doing, where you're going, and whether or not you need to stop and fix something.
On the Net:
The Bank Of New York https://www.bankofny.com/htmlpages/index.htm