Comply or die

By Julian Rogers, Deputy Editor

Financial services firms face an avalanche of regulations when it comes to meeting compliance standards.

If there is one word on the lips of Senior Executives in the financial sector today it has to be ‘compliance’. Firms face a raft of legislation covering all aspects of their business while the regulatory landscape is always evolving. As well as the staffing costs associated with compliance, the financial sector shells out serious money in terms of IT as new systems are installed. Suddenly the CIO can find a load of work land on his/her desk when new regulations require a radical overall of the IT operations within the company. The problem is that the banking world has become increasingly complex, leaving the institutions open to potentially damaging risks. Senior Executives are forced to walk a tightrope, juggling the company’s performance while strictly adhering to compliance regulations. Nick Andrews, a partner at compliance and regulatory consultancy provider Mpac Consultancy LLP, says the sector appreciates the consequences of non-compliance. “Compliance has become central to all financial firms, although its impact on that firm can still be down to the attitude of the senior management no matter the quality of the compliance function,” he explains. “The large pan-product firms with international reach, especially in the banking sector, are way up the compliance curve and often pour vast amounts into compliance to ensure they are as far to the forefront as possible. These are the firms that can see significant financial or cost saving gains if they carry out the latest initiatives.”

One of the most significant regulations to hit the banking world is Basel II – a framework created to improve transparency and avoid disastrous losses and possible bankruptcy. By the end of 2006 all banks operating in leading developed countries must adhere to new standards dictating the minimum capital levels they must hold. Basel II is the second attempt by banks to agree on common capital standards after the original accord fourteen years ago. Critics argue that this has stifled growth amongst financial institutions. Complying with Basel II credit risk regulations is expected to cost the UK banking sector at least £2.5 billion, according to analysts. Meanwhile, Markets in Financial Instrument Directive (MiFID) which relaxes the way shares are sold, will prove a major compliance responsibility for banks when it is eventually rolled out. The Directive, which does away with the idea that shares have to be traded through an exchange, will require additional staff and IT funding. Andrews explains: “The large investment banks have everything to gain from the onset of MiFID and will not necessarily baulk at paying the cost of setting up project teams, implementing IT systems, employing staff etc as they will have clearly defined the cost benefit to themselves. Whereas for a small stock-broking firm, the MiFID initiative can be daunting with little perceived financial gain and consequently little buy-in from the senior management.”

Research just carried out by a market data technology vendor found that around a third of financial firms will be shelling out more than 10 percent of their budgets on complying with MiFID regulations. California-based VahYu quizzed 129 senior executives and found that a just over a fifth (21 percent) will spend more than 20 percent when implementing the new procedures. Commenting on the results VahYu’s CEO Jeff Hudson says: “It is clear from these poll results that preparation for MiFID’s impact on IT infrastructure is being given serious budget and resource allocation. A major component of MiFID is the manner in which market data is processed and managed. New feed handlers will need to be built, massive amounts of data will need to be analysed and published out and existing systems will need to store, quote and trade data for years. Those who fail to take proper action will be unable to survive without implementing the proper technology.”

Many players – including the Financial Services Authority (FSA) in the UK – are warning that the costs of MiFID compliance may well outweigh the benefits and that it is putting an IT burden on firms. Industry-watchers are predicting that putting IT systems into place to cope with MiFID could take two years. There is no doubt that MiFID vastly increases the dependency on IT, not only to support the business, but to guarantee its survival. Those financial firms that don’t comply with MiFID regulations leave themselves open to being fined or sued while any manager found culpable of grievous mismanagement faces the threat of imprisonment.

Andrews says Compliance Officers should start working on implementing systems to deal with MiFID. “The IT implications may be very significant for some firms. What we and other observers have said for some time now, firms must get planning for MiFID now, and that, at the very least, means getting senior management involved. We only hope that whilst firms are gearing up and concentrating on MiFID and its related issues, firms do not stop working on other up and coming and existing initiatives. For example, fraud, both internally and externally generated, is becoming more complex and regular. Today, I have already seen a number of headlines on the growing threats and costs of fraud, received a new style of email structure inviting me to launder money through my personal bank account and four phishing requests. So Compliance Officers cannot take their eyes off the ever growing threat of attack.”

Of course, any new regulation hits firms in the balance sheet when it comes to compliance, but Senior Managers can’t afford to cut corners. “The outcome can mean major reputational and financial damage,” says Adrian Lloyd, Compliance Director at the UK’s Banking Code Standards Board (BCSB). “Firms and whole sectors need to find a way of recognising and mitigating the long term compliance risks they are running, even though the regulatory rule book may not outlaw some current high-risk practices. The life insurance industry's problems in the UK, involving over a decade of massive damage from compliance failings, are an object lesson with pension mis-selling, followed by endowment mortgage mis-selling, compounded by the imposition of tougher solvency requirements.”

Andrews believes that Senior Executives are also all too aware of the personal implications of non-compliance “Enforcement action leading to fines and other sanctions are likely to increase simply as a statistical factor of a greater number of regulated firms being in the UK,” he highlights. And at the moment the FSA is looking to increase the size of fines to hammer home to firms the importance of the regulations. “It is pretty obvious that failing to be compliant will have the potential to hurt both the sinning firm and the sinners themselves,” Andrews continues. “With the onset of greater reliance on the senior management being responsible for compliance, it should help to focus the minds of the senior management that they can't ignore compliance especially as it now gets personal. With the risk of personal sanction now being very real, it may be that greater interest and time resources are allocated by senior management to ensure that the compliance risks are mitigated wherever possible.”

As the compliance landscape constantly changes, firms cannot afford to become complacent. And they cannot afford to procrastinate over setting into place good IT systems and procedures – even if the initial costs appear high. A recent study carried out by the EU found that one third of large banks expect to spend €100 million achieving compliance. The IT costs will make up around two thirds of that budget. “In the UK there are signs of genuine acceptance of the need to ease bureaucratic regulatory burdens, with a shift to a more principle-based approach to regulation and supervision,” says Lloyd. “But this puts more onus on firms to manage the risks of customer detriment inherent in their business, with the possibility of heavy sanctions for those who get it wrong through bad judgement or weak internal controls.” Andrews argues that the FSA needs to step back and give the industry time to get its plans in place, especially for the smaller companies. “The smaller firms must be wondering at times what can happen next – we have seen a large number of consultation documents, policy statements, EU Directives and other requirements all coming out needing to be addressed. The call to the FSA to give the industry a bit of breathing room is certainly getting louder.” For the time being senior management must soldier on through the compliance minefield.

An overview of Basel II
By the end of this year, international banks operating in the EU, US and Japan will have to follow new standards that state the minimum capital levels they must hold and the information they release about their financial risks. The banks have to compile new levels of compliance relating to three types of risk – market risk (share price changes, exchange rate and interest rate fluctuations), credit risk (creditors do not meet liabilities) and operational and reputational risk (losses from human error, system failure, corporate scandals). Basel II is designed to improve public supervision of banks, reduce the chances of disastrous failures and increase stability in the financial system. It will also reduce volatility of credit losses by funnelling capital more effectively and spreading risk.

Since 1992 banks have been required to hold a minimum level of capital in reserve to protect them in case they suffer unexpected losses. Up until now the system has not discriminated between creditworthiness of individual borrowers, be it governments, multinational companies or small business. The new regulations produce a more accurate overview of a bank’s risk profile and while giving companies greater incentives to make their business planning more risk sensitive. Those international banks operating in Belgium, Canada, France, Germany, Italy, Japan, Luxemburg, the Netherlands, Spain, Sweden, Switzerland, the UK and the US are included in Basel II.

What does MiFID entail?
The Markets in Financial Instrument Directive, or MiFID for short, is a radical shake-up of the way that shares are sold by the banks. When MiFID finally comes into force, it will scrap the idea that shares have to be traded through an exchange. Many banks currently move shares they are already holding between the customer that want to buy and sell, which is easier than going through the exchanges. Firms will have to be able to prove 'best execution' on deals, taking into account price, venue, cost and speed. Also, records will have to be kept for five years. The directive affects which investment banks, market data companies, trading platforms and, of course, the exchanges. MiFID was due to go active in April 2006 but this has been postponed until late 2007 to allow firms time to comply with the regulations.

CCO or CIO?
The role of Chief Compliance Officer (CCO) is the subject of much debate in many boardrooms. As the added pressure of compliance intensifies for financial firms, senior executives are increasingly looking to him/her to make sure the company is staying on the right side of the regulators. Many businesses, however, still tend to delegate compliance to the CIO although bosses are starting to realise the benefits of having an officer dealing solely with compliance. The US adopted this view after the Sarbanes-Oxley (SOX) Act of 2002 was introduced. SOX – created to stamp out corporate fraud within public companies – led to businesses appointing dedicated CCOs, for fear of falling fowl of the new strict accounting law. Reputation is everything within the financial sector so senior management need to make sure they appoint the right candidate in order to avoid a tarnished image should irregularities arise. As well as this, compliance and technology are so closely linked. The job of compliance often involves a large emphasis on technology so a good working partnership with the CIO needs to be established – the CCO will often not be able to operate without a sound IT structure in place. The CCO needs to know what technology can do because it is the company’s systems that prevent C-Level executive from being found culpable of wrongdoing. And because the two roles are so entwined, boardrooms often decide that the CIO can deal with compliance on his own. The CIO within these companies is sometimes referred to, with tongue-in-cheek, as the compliance information officer (CIO). These CIOs see compliance as a necessary evil which prevents them from doing their proper jobs – but with ever increasing regulations, more and more companies could be changing tact and appointing dedicated CCOs to the boardroom.