They agonize over if they have captured all the information relevant to them or whether they have missed something that will haunt them later. Unfortunately, this question usually goes unanswered forever. Missed or not, the initial analysis will be completed to identify the watchlist. The complexity does not end there. Then begins the discovery process of what these regulations mean in layman terms.

Processes vary between companies, but once a new directive, regulation, guidance or recommendation passes the initial assessment and makes it into firms internal watchlist, the work really begins. The piece of text has to go through impact assessment to understand what areas of business, products or services it has an impact on. With the advice from internal and external lawyers and consultants, it is then interpreted in terms of what they think the regulator wants and what it actually means to them. Dozens of highly qualified lawyers conduct impact assessments, which could take anywhere between 6 to 10 weeks. The whole endeavour is a logistical and human resources nightmare, and not to mention incredibly costly.

When we survey financial institutions about how many people are involved in these processes, we receive neither clear and consistent answers nor exact figures. Two people from same company asked in the same meeting will quote very different figures. While one might say “7 to 9 people”, it may be immediately contradicted by another person saying “more like 300 to 400, depending on how you count”. In reality, no one knows, for various reasons.

Eventually, all the interpretation, impact assessment and consultations, lead to the formation of projects. Each one will be allocated a task force with ownership and responsibility assigned to the business. In turn, they will be tasked to implement change, eliminate or correct the course. At this stage, compliance becomes its own project, demanding man-hours and oversight like any other critical initiative. It is time-consuming and inefficient, and the numbers tell us that it doesn’t work.

The 50 largest EU and US banks spent 321 billion dollars on fines between 2009 and 2016. These penalties will only become more onerous as regulation increases.

A recent survey found that 90 percent of firms believe they are at either high or medium risk of not being fully compliant with the 2018 MiFID II deadline, as an example. The industry struggles to appropriately implement regulatory changes within the business. And fixing this problem has never been more vital. In the 21st century, banks must move with the times or risk drowning in regulation.

If one looks closer to what the fines are for, it is mainly due to poor conduct. And this means firms are failing at best practices around enterprise risk management (Three Lines of Defence) Fundamentally, it means not having strong and robust corporate governance program.

Governance has been a big theme for the industry in the recent years. Perhaps further encouraged by principles like the ones written in BCBS 239, the last 3-5 years saw the rise in focus on data governance for regulatory reporting. This included many initiatives on data standards including Legal Entity Identifier and the extension of ISO 6166 (ISIN, CFI and FISN) to account for transaction reporting of OTC derivatives under MiFID II, a lot of thought leadership on data connectivity, as well as many new solutions around data lineage and data visualization.

However, less has been done around developing corporate governance framework. Business operating procedures, group policies, systems and controls, contracts and documentation hold significant insight into risks, how businesses operate, how they implement regulatory change and the decisions made along the way, and as such play a huge role in compliance. Yet, how to capture all of this data for evidencing and providing detailed information in a structured way is less understood. A further spin to this would be how to automate this so as to reduce human-intensive processes prone to errors, and to smartly position the business to prepare for the eventual move by regulators towards machine-readable rulebooks.

We are fortunate to witness the change being driven by the innovation occurring within the RegTech space, and a lot of energy being invested in working on the most difficult issues discussed here. Changes in regulations are reflected in massive changes in documentation. We at ClauseMatch are even more fortunate to see it from the inside and take an active role in addressing these challenges. Tasked by a top-tier bank, we are building a RegTech ecosystem to automate the whole regulatory change lifecycle for the global bank, bridging the gap between fast changing regulations and internal policies, procedures, and controls.

Charles Dudley Warner said, ‘Everyone complains about the weather, but no one does anything about it.’ ClauseMatch is excited to be at the forefront of solutions that will take the industry through the changeable weather of shifting regulation.