A holistic approach to financial services regulations: Four building blocks for better compliance
Information technology is a critical enabler of compliance with the wave of new regulations sweeping across the financial services sector. But no single solution can enable a holistic compliance strategy. Financial institutions need a multifaceted, flexible framework that can incorporate new technologies as they emerge.
Boston
John Plansky, Senior Partner, +1-617-521-8801, john.plansky@strategyand.pwc.com
Carl Drisko, Partner, +1-617-521-8809, carl.drisko@strategyand.pwc.com
Jamie Solomon, Senior Executive Adviser, +1-617-543-9557, jamie.solomon@strategyand.pwc.com
Chicago
Carl Hugener, Partner, +1-312-578-4897, carl.hugener@strategyand.pwc.com
Kelley Mavros, Partner, +1-312-578-4715, kelley.mavros@strategyand.pwc.com
Caitlyn Truong, Partner, +1-312-578-4690, caitlyn.truong@strategyand.pwc.com
Michael Horvath, Principal, +1-312-578-4519, michael.horvath@strategyand.pwc.com
New York
Vaidyanathan Chandrashekhar, Partner, +1-212-551-6419, vaidyanathan.chandrashekhar@strategyand.pwc.com
Hector Nelson, Partner, +1-212-551-6405, hector.nelson@strategyand.pwc.com
Arjun Saxena, Partner, +1-212-551-6411, arjun.saxena@strategyand.pwc.com
Samuel Bloustein, Principal, +1-212-551-6567, samuel.bloustein@strategyand.pwc.com
About the authors
Carl Drisko is a partner in Strategy&’s Boston office. He is aligned with the digital business and technology practice and leads the financial-services architecture practice. Kelley Mavros is a partner in Strategy&’s Chicago office. She is aligned with the digital business and technology practice and leads the financial-services Fit for Growth* offering.
* Fit for Growth is a registered service mark of PwC Strategy& Inc. in the United States.
The financial-services industry has already spent enormously on regulatory compliance, both in dollars and in time. Estimates suggest that companies will spend US$50 billion globally by 2015. But too frequently these efforts are reactive to regulatory developments, and handled at the business unit level without the executive attention they deserve. This might seem expedient in the short term, but it is a risky and inefficient approach for the enterprise, which needs to take a more holistic approach to compliance in order to mitigate risk and reduce cost while simultaneously identifying new business opportunities arising from regulatory changes. Information technology is a critical enabler of compliance; however, no single solution can enable a holistic compliance strategy. Instead, financial institutions need a multifaceted, flexible framework that can incorporate new compliance-related technologies as they emerge. Executives designing such a regulatory and compliance architecture should consider four critical building blocks: data and analytics, vendor solutions, internal execution, and utilities. The proper combination of these four building blocks can help a financial institution keep pace with today’s very fluid regulatory environment and exploit business opportunities for a competitive advantage.
Be strategic, not reactive
The unrelenting pressure of existing regulations, as well as the uncertainty caused by a pipeline of emerging domestic and international rules, is creating significant challenges for the financial industry. As companies make expensive, complicated adjustments to comply with regulations such as Dodd-Frank, the Foreign Account Tax Compliance Act (FATCA), and anti-money laundering (AML), they must also ready themselves for new complexities brought by the likes of Basel III and MiFID II. In a recent survey by SunGard Financial Systems, 43 percent of financial executives cited new regulations — governing areas such as transparency, reporting, liquidity, and taxes — as the most pressing issue for the next two years (“The Regulatory Pressure Cooker,” 2014). The industry has already spent huge amounts of time on compliance, not to mention money — close to US$50 billion. But 80 percent of the executives surveyed said their technology still requires major alteration, and they expect compliance-related IT costs to grow at a compounded annual rate of 6.9 percent from 2014 to 2017. With so much at stake, and with so much being spent, it’s vital that financial-services companies direct their IT investments wisely to keep long-term costs down while ensuring transparency and risk mitigation. Unfortunately, too many compliance initiatives are reactive to regulatory developments and occur at the business unit level. Managers are under intense pressure to react swiftly on their own to keep day-to-day operations running. But the result is predictable: uncoordinated regulatory patches across the enterprise that duplicate efforts and increase the risk of missing critical compliance-related issues. Instead, financial-services companies need to take a more strategic, less reactive approach to compliance-related IT investment. Companies should coordinate compliance initiatives at the enterprise level, across traditionally siloed business units, functions, and regions. 
And there’s urgency to do so. First and foremost, financial-services companies must meet the array of regulatory requirements across the enterprise. The costs in terms of fines and reputational damage for noncompliance are significant, sometimes in the billions of dollars. In fact, 80 percent of C-suite executives report being stressed about the potential damage to their firms’ and their own reputations. Second, companies need to better coordinate compliance efforts across the enterprise, which requires recruiting knowledgeable talent. The scarcity of this talent is driving up salaries in regulatory roles by 11 percent. Third, companies must not lose business focus. Employees should not be so overwhelmed with regulatory duties that they cannot perform their primary job responsibilities. Finally, companies should leverage their capabilities to capitalize on new revenue opportunities created by new regulations.
Architectural building blocks
Given the scope and pace of new regulations, there is no easy answer or single IT compliance solution. A multifaceted, flexible approach is necessary. This makes intuitive sense. Because technology is constantly evolving, a strong, durable regulatory and compliance architecture is one with the adaptability to take full advantage of new technologies as they emerge. With this flexibility in mind, we have identified four critical building blocks of regulatory and compliance architecture for most financial institutions: data and analytics, vendor solutions, internal execution, and utilities. Within each of these are many options and trends for executives to consider (see Exhibit 1). But the due diligence is well worth the effort. Not only can a combination of these four building blocks help a financial institution keep pace with today’s very fluid regulatory environment, but the right combination can also help to identify and exploit business opportunities for a competitive advantage.
Exhibit 1: Regulatory and compliance: A multifaceted approach to IT
• Data and analytics: Determine data needs once — enterprise view to fulfill multiple regulatory requirements
• Buy versus build — vendor solutions can be leveraged to support regulatory and compliance functions
• Execution is critical — optimize organization, methodologies, and technologies to execute technology-driven transformations
• Vendors are not the only third-party solutions — emerging utilities take on non-differentiating tasks to meet regulatory needs
• Design and architecture: Flexibility through architecture — how you design now helps you meet continued change
Source: Strategy& analysis
Data and analytics
From 2014 to 2015, financial institutions are expected to increase their spending on data management by 17 percent, from $7.5 billion to $8.9 billion. Meanwhile, spending on analytics will be even higher — growing 12 percent, from $10.7 billion to $12 billion. This level of spending reflects the powerful supply and demand dynamics at play. On the supply side, data is increasing exponentially, driven by process automation, digitization and market technologies, mobile access, and real-time data access. On the demand side, regulatory reporting requires ever more data spanning customer types, asset types, markets, and jurisdictions. Although this dynamic poses significant challenges, one bit of good news is that as much as 80 percent of data is common to various regulatory requirements. For example, European Market Infrastructure Regulation (EMIR), Dodd-Frank, FATCA, and know-your-customer (KYC) rules share a number of data entities, including the Legal Entity Identifier (LEI) and other specifics about the legal entity, as well as ownership structure. By focusing on how to fulfill multiple regulatory requirements at once, the company can reduce the overall enterprise compliance effort and cost (see Exhibit 2).
In the past, companies seeking access to this data had to spend millions of dollars transforming it — through heavy integration across numerous data stores — into a single data warehouse. This is onerous and expensive. Today a financial institution’s data architecture can be much more flexible, with three distinct layers: data storage, data access, and reporting/analytics. By integrating data requirements and creating a common enterprise-wide data taxonomy, the company can pull data directly from multiple storage points without expensive and cumbersome data transformation. Once the organization has this level of data access, it can identify potential ways to drive revenue. For example, a company that offers real-time data on trade positions could also offer more in-depth risk exposure and regulatory support services.
Vendor solutions
Financial institutions face a stark choice. They can continue to spend time and money updating complex, aging, in-house technology solutions — thus devoting the resources necessary for constant development — or they can consider third-party solutions that take advantage of industry-wide upgrades to both functionality and technology. Evidence suggests that financial institutions — long committed to internally built solutions — are rapidly shifting gears in the face of the regulatory and IT challenges. In 2011, only 50 percent of financial institutions had any interest in governance, risk, and compliance (GRC) systems from third-party vendors.
By 2014, that number had jumped to 62 percent, a figure that includes institutions already operating third-party solutions, those in the process of implementing them, and those planning to buy them next year. All told, industry spending on external risk software is projected to increase 8 percent, to $8 billion, from 2014 to 2015, while spending on external services rises 11 percent, to $5.9 billion.[1] This new willingness to leverage third-party solutions to support regulatory and compliance functions is due, at least in part, to the emergence of many vendors with sophisticated solutions. Besides GRC vendors, financial institutions can now consider vendor technologies to support data management, workflow, and document processing, as well as KYC, anti–money laundering, and FATCA solutions.
Exhibit 2: 80 percent of data may be common across regulations
Sample of data requirements by regulation: legal entity name; legal entity address; legal entity structure; EMIR tax details*; specific EMIR Avox fields; EMIR-specific requirements; FATCA special entity tag; specific Dodd-Frank Avox fields; U.S. person flag/qualifier; Global Intermediary Identification Number; tax docs; consortium status; politically exposed person status review; U.S. indicia/details; legal entity FATCA requirements.
* Data entities are partially shared between regulatory requirements.
Source: Marc Murphy FIMA video (Fenergo, Feb. 27, 2014); Strategy& analysis
Internal execution
Execution is critical. To this end, firms should explore technologies and practices — both here today and on the horizon — to improve IT delivery efficiency and effectiveness. We see four big trends for financial institutions to consider:
• Cloud: Cloud technologies are fundamentally scalable, virtualized, and standard. They deliver savings in the range of 20 to 60 percent, provide capacity in minutes versus weeks, ease the maintenance burden, and are secure (often combining private and public components). More than 60 percent of financial institutions now have cloud technologies implemented, and Gartner estimates that global spending on cloud technologies across industries will grow from $76.9 billion in 2010 to $210 billion in 2016.[2] On the compliance front, the cloud helps a company build capacity faster, which is vital to keep up with regulatory requirements.
• Big data and analytics: “Big data” technologies continue to mature and improve their ability to discover and predict across disparate sets of structured and unstructured data. Thus, integrating big data technologies can improve risk analytics, provide real-time operational data aggregation, and enhance a financial institution’s ability to monetize its own data assets. It also improves regulatory compliance by allowing the company to better assess risk exposures based on internal and external data. Undertaking a big data integration can be done in-house, or in conjunction with any of a number of firms building big data partnerships.
• Advanced document processing: Many regulations require not only data but also some proof that the data is correct. Advanced document processing satisfies these requirements by extracting information and linking that data back to its evidentiary source. Historically this process required people to review those documents and manually input information into data fields. But that is changing, thanks to natural language processing technologies that automate data extraction and evidencing. These technologies include “learning” systems that improve information extraction over time, transforming what was once mere document management to full-fledged document processing. Although manual checks are still required, cost savings can be significant — as much as a 70 percent reduction in labor costs.
• Agile practices: Even with the best underlying technology, getting to market quickly can be a challenge. Agile is not a new concept, but financial institutions often have resisted putting it in place for fear it could result in inadequate documentation for regulatory and audit reviews. But today — even with regulatory issues so significant — 52 percent of financial institutions have turned to agile practices because these small, cross-functional teams (“scrums”) focused on incremental delivery (“sprints”) can reduce time to market by 70 percent, while also improving business collaboration and flexibility. To better address regulatory issues, about 35 percent of financial institutions rely on a “hybrid methodology.” A hybrid methodology uses scrums and sprints, but puts attention on up-front solution design, has controls throughout development, and ensures documentation around audit/compliance approvals.
Utilities
Software vendors are not the only third-party option for financial-services companies. More industry utilities, or small firms and/or business units offering a specific “utility” function within the value chain, are emerging. Increasingly, these utilities are looking beyond their traditional back-office role to support middle- and front-office functions. Their goal is to help financial institutions meet new client and regulatory demands more efficiently by taking on non-differentiating tasks throughout the organization. Financial institutions are quickly recognizing the value of this approach, and there is a growing consensus that they can all benefit by creating industry standards for non-differentiating functions to support regulatory needs. Potential areas for technology and data utilities include handling non-security reference data, security reference data, and client and account data. Although utilities do not assume the financial institution’s risk, they help streamline the processes, data, and technology to make the institution more effective at managing its risk (see Exhibit 3).
Recent new utilities include DTCC’s Global Trade Repository for OTC derivatives reporting to provide transparency into the global market; the Global Markets Entity Identifier utility — formally known as the CICI utility — to assign LEIs as a standard unique industry identifier; SWIFT’s KYC registry for the collection and distribution of standard information, which is due to go live this year; and the client reference data consortium of DTCC and six member banks to develop a single source for standard data and documents to meet global KYC/AML, FATCA, and additional regulations.
Exhibit 3: Opportunities for utilities
Common business architecture areas shown: transaction management; product control; performance and attribution; collateral and cash management; pricing and valuations; securities processing; OTC processing; collateral processing; global payments; claims and fails processing; client services and on-boarding; treasury; credit and market risk; operational risk; trade and execution management; financial control; regulatory and compliance.
Technology and data areas shown: non-security reference data; architecture and design; security reference data; client and account data.
Legend: potential opportunity for utility.
Source: Strategy& analysis
Commit the enterprise
In summary, it is vital in today’s regulatory environment that financial-services companies direct their IT investments wisely to keep long-term costs down and improve risk mitigation. This can’t happen if compliance initiatives devolve to the business unit level. Companies need a holistic, enterprise-wide view to streamline the use of data for compliance and react to new business opportunities. Ultimately, financial-services companies need to take a more strategic, less reactive approach to compliance-related IT investment. Meeting regulatory requirements is a transformation. It requires a “management system” that is fully committed and engaged from the top, taking into account all strategic elements from compliance to cost to revenue, and engaging the entire organization to span traditional silos. It requires an “operating system” that is enterprise-wide, with an integrated road map, program management, and transparency. Finally, it requires a “cultural change” that involves the entire organization, not just those people assigned responsibility for compliance. The task may sound daunting, but a few leading financial institutions have already proven that it’s achievable and beneficial. Institutions that can follow suit stand to gain a sustainable competitive advantage.
[1] Chartis, “RiskTech100 2014,” Nov. 2013.
[2] Gartner Inc., “Forecast Overview: Public Cloud Services, Worldwide, 2011–2016, 4Q12 Update,” Feb. 8, 2013.
Strategy& is a global team of practical strategists committed to helping you seize essential advantage. We do that by working alongside you to solve your toughest problems and helping you capture your greatest opportunities.
These are complex and high-stakes undertakings — often game-changing transformations. We bring 100 years of strategy consulting experience and the unrivaled industry and functional capabilities of the PwC network to the task. Whether you’re charting your corporate strategy, transforming a function or business unit, or building critical capabilities, we’ll help you create the value you’re looking for with speed, confidence, and impact.
We are a member of the PwC network of firms in 157 countries with more than 184,000 people committed to delivering quality in assurance, tax, and advisory services. Tell us what matters to you and find out more by visiting us at strategyand.pwc.com.
© 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. Disclaimer: This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.