Anastasia Dokuchaeva, Head of Partnerships, Clausematch
By 2020 there will be 90,000,000 paragraphs of rules published by global regulators. MiFID II is now in force, GDPR is only a few months away, Brexit is looming large on the horizon, and that is to name just a few. This makes it an unprecedented time for compliance in the heavily regulated financial services industry. Or perhaps this is the “new normal” as it is rightly regarded.
Regulations have a profound impact on the industry and its participants. Everything from policies and procedures to products and internal risk controls is affected within enterprises, yet there remains a great disconnect between them. Developments in this area include initiatives such as the recently completed TechSprint. This time the fourth annual collaboration focused on model-driven, machine-executed regulatory reporting. The proof of concept involved taking a small subset of reporting rules from the FCA and PRA handbooks and proving that they can be successfully structured and made machine-readable and executable, pulling required information directly from a firm.
While such initiatives are exciting and much needed, there is still a lot of work to be done and many more regulators to get involved. In the meantime, financial services firms struggle with manual “gap-prone” projects in response to an increasingly complex, constantly changing regulatory environment. The compliance requirements are getting stricter, the reporting is ever more demanding and places a much greater emphasis on overall transparency and accountability.
Firms are trapped in a daily feedback loop of gathering regulatory changes, interpreting them and assessing the impact they have on the business.
A small firm operating locally would be watching updates from only a handful of relevant authorities. But a global bank with branches worldwide would be aiming to comply with 500 plus regulators, as an example. Industry-leading vendors and aggregators like Thomson Reuters (TRRI) and RegDelta by JWG can help gather a respectable percentage of that list, albeit unlikely all of it. Coverage will vary, but will typically be somewhere up to 375-400. While someone like TRRI will likely provide stronger coverage of various authorities across multiple jurisdictions, the latest innovators leverage technology to offer deeper analytics at the article-by-article level.
Regardless of the technology, a large portion of the work is still done manually, either internally or by outsourcing to other service firms with the right technology and subject matter expertise. In this day and age, a typical manual process looks surprisingly basic, profoundly risky and tedious. It’s a labour-intensive process that will kick off with dedicated personnel who will be assigned respective regulators to watch. Each day, usually twice (once in the morning and again in the afternoon), they will go to the regulators’ websites and pick up all documentation published since their previous visit. The documents are then manually pushed through and joined with other vendors’ data.
They agonize over whether they have captured all the information relevant to them or have missed something that will haunt them later. Unfortunately, this question usually goes unanswered forever. Missed or not, the initial analysis will be completed to identify the watchlist. The complexity does not end there. Then begins the discovery process of what these regulations mean in layman's terms.
Processes vary between companies, but once a new directive, regulation, guidance or recommendation passes the initial assessment and makes it into a firm's internal watchlist, the work really begins. The piece of text has to go through impact assessment to understand what areas of business, products or services it has an impact on. With the advice from internal and external lawyers and consultants, it is then interpreted in terms of what they think the regulator wants and what it actually means to them. Dozens of highly qualified lawyers conduct impact assessments, which could take anywhere between 6 and 10 weeks. The whole endeavour is a logistical and human resources nightmare, not to mention incredibly costly.
When we survey financial institutions about how many people are involved in these processes, we receive neither clear and consistent answers nor exact figures. Two people from the same company asked in the same meeting will quote very different figures. While one might say “7 to 9 people”, it may be immediately contradicted by another person saying “more like 300 to 400, depending on how you count”. In reality, no one knows, for various reasons.
Eventually, all the interpretation, impact assessment and consultations lead to the formation of projects. Each one will be allocated a task force with ownership and responsibility assigned to the business. In turn, they will be tasked to implement change, eliminate or correct the course. At this stage, compliance becomes its own project, demanding man-hours and oversight like any other critical initiative. It is time-consuming and inefficient, and the numbers tell us that it doesn’t work.
The 50 largest EU and US banks spent 321 billion dollars on fines between 2009 and 2016. These penalties will only become more onerous as regulation increases.
A recent survey found that 90 percent of firms believe they are at either high or medium risk of not being fully compliant with the 2018 MiFID II deadline, as an example. The industry struggles to appropriately implement regulatory changes within the business. And fixing this problem has never been more vital. In the 21st century, banks must move with the times or risk drowning in regulation.
If one looks closer at what the fines are for, it is mainly poor conduct. And this means firms are failing at best practices around enterprise risk management (Three Lines of Defence). Fundamentally, it means not having a strong and robust corporate governance program.
Governance has been a big theme for the industry in recent years. Perhaps further encouraged by principles like the ones written in BCBS 239, the last 3-5 years saw a rise in focus on data governance for regulatory reporting. This included many initiatives on data standards including Legal Entity Identifier and the extension of ISO 6166 (ISIN, CFI and FISN) to account for transaction reporting of OTC derivatives under MiFID II, a lot of thought leadership on data connectivity, as well as many new solutions around data lineage and data visualization.
However, less has been done around developing a corporate governance framework. Business operating procedures, group policies, systems and controls, contracts and documentation hold significant insight into risks, how businesses operate, how they implement regulatory change and the decisions made along the way, and as such play a huge role in compliance technology. Yet, how to capture all of this data for evidencing and providing detailed information in a structured way is less understood. A further spin to this would be how to automate this so as to reduce human-intensive processes prone to errors, and to smartly position the business to prepare for the eventual move by regulators towards machine-readable rulebooks.
We are fortunate to witness the change being driven by the innovation occurring within the RegTech space, and a lot of energy being invested in working on the most difficult issues discussed here. Changes in regulations are reflected in massive changes in documentation. We at ClauseMatch are even more fortunate to see it from the inside and take an active role in addressing these challenges. Tasked by a top-tier bank, we are building a RegTech solutions ecosystem to automate the whole regulatory change lifecycle for the global bank, bridging the gap between fast-changing regulations and internal policies, procedures, and controls.
Charles Dudley Warner said, ‘Everyone complains about the weather, but no one does anything about it.’ ClauseMatch is excited to be at the forefront of solutions that will take the industry through the changeable weather of shifting regulation.