Thursday, April 12, 2007

An 'incremental' approach to compliance

The spate of regulations banks have to comply with reads like a shopping list: MiFID, Reg NMS, Know Your Customer, anti-money laundering, Basel II, fraud detection...

And historically most banks have opted to buy separate solutions to address each regulation. Yet, given the zealousness with which the regulatory treadmill is churning out new or revised pieces of legislation, implementing separate solutions is no longer considered a viable approach. "When you deploy multiple compliance solutions, costs go up," says Stephen Epstein, vice president and head of product management at risk and compliance software provider Mantas.

Epstein compares the scale of upfront investment required by most banks today to comply with a raft of regulations to the early days of order management system deployment. However, the difference with regulatory compliance, he says, is that the cost is not just a one-off investment; it is ongoing: as new pieces of regulation come online, banks must source new data, documentation and so on.

"The cost of supporting regulatory examinations is the real 'killer,'" Epstein continues. "Banks need to have documentation readily available, the right policies and procedures in place and be able to say why an alert has been generated."

The only ones that appear to be benefiting from the overwhelming tide of regulation, corporate governance and compliance are the regulators, consultants and vendors implementing these myriad solutions. Yet, recognising that there is often overlap between different regulations in terms of the functionality and business processes required (transaction monitoring, scenario analysis, client classification, regulatory reporting), the latest industry buzzword to emerge is the GRC (Governance, Risk and Compliance) framework.

According to Mantas, GRC is about implementing a flexible framework which does not just address regulatory, governance and compliance needs 'now', but 'future proofs' the business against future changes to regulation, governance or compliance, as well as allowing firms to re-use components from previous GRC implementations to address future needs.

"GRC is about repackaging old wine into new bottles; leverage-ability and re-usability is the value proposition," says S. Ramakrishnan, CEO, Mantas and Reveleus.

Forrester Research predicts that the GRC software platform market will grow from $590 million today to $1.3 billion by 2011.

By focusing on areas that overlap between regulations and integrating components that address these areas, Mantas and Reveleus have combined elements (transaction monitoring, behaviour detection, risk, control and self-assessment) from their once separate solutions to provide a GRC framework, a single platform which aims to reduce the duplication of effort and cost associated with implementing separate risk, governance and compliance solutions.

An example of the Reveleus/Mantas GRC platform at work is in the area of regulatory compliance with MiFID, where functionality from both vendors' solutions (business execution analytics, scenario analytics, client classification, regulatory reporting) is combined to help firms address various requirements such as best execution and KYC under MiFID.

But while GRC software platforms may be in the midst of a 'hype cycle', are they destined to fall into the 'trough of disillusionment' because of the challenges around implementation and integrating data across traditional product silos within banks?

Ramakrishnan of Mantas/Reveleus says they are not trying to sell a 'monstrous' strategy to banks. The idea, he says, is to implement a GRC framework in incremental steps, starting with a specific regulation such as MiFID, and then re-using the data and analytic components of that installation to help with compliance, governance and risk management in other areas such as KYC, AML or fraud.

1 comment:

CoronaII said...

Ms. FT Insider:

While you are certainly correct in your assessment that banks (and registered securities institutions) have a mountain of regulatory obligations, I would add that it’s not always effective to merely “buy” a solution to address regulatory needs. Technology provides a wealth of support in this expanding environment of deep pools, algorithmic trading and globalization. However, time and time again, the problem of human intervention stymies even the best designed and well thought out electronic compliance solutions.

Maybe you saw this week's NASD news release announcing the fines and sanctions levied against Knight Securities' former CEO for his supervisory failures. Imagine the size of the IT budget at Knight back in those high revenue days of '99 and 2000! I would feel safe in saying Knight had the best and the brightest developing compliance solutions for them. Notwithstanding the efforts of Knight's IT staff, boys will be boys and, well, you get the picture.

Mr. Epstein also has some good points as regards costs. Unfortunately, few firms fully appreciate or are guided by the importance of a well-funded compliance department. In my experience the dollars seem to be thrown at the latest revenue-generating project, or newest purportedly effective technical solution rather than towards necessary compliance infrastructure. No surprise then that a glance through the monthly Notice to Members Disciplinary pages reads like a who’s-who of the biggest players in the market. Is regulation burdensome? Yep. Is it necessary? Absolutely.

Like Mr. Epstein, I also used to think the regulators operated with a heavy hand as a means to generate revenues. I believe now, however, that the spread between industry practices and regulatory understanding is narrowing so that regulatory oversight is better positioned to see the mischief that for so many years went unnoticed. Unfortunately, as is often the case, the majority must pay for the transgressions of the few. Regulatory oversight has increased thanks to Messrs. Gruttadauria, Pasternak and Lay, not because they need or want the money.