IT teams doing long hours in the City building and integrating compliance systems are unconvinced that software frameworks are about to make their lives a whole lot easier.
With fewer than 100 days until the Markets in Financial Instruments Directive (MiFID) kicks in, many IT chiefs and compliance officers are focusing on this one directive, rather than taking the time to work on centralising their compliance efforts with a governance, risk management and compliance (GRC) framework.
Yet a recent report published by risk consulting firm Protiviti says that in a regulation-driven world, compliance frameworks are the way forward, although executives face substantial challenges in implementing them.
The appeal of GRC frameworks is that they span operational risk, credit risk, market risk, financial reporting compliance and IT governance, and offer a holistic alternative to the fragmented point solutions available in the market.
The report states that the use of GRC software is on the increase. According to the survey, 34% of firms have already implemented a GRC framework, while another 22% anticipate they will do so.
Certainly, suppliers hope that the scale and expense of compliance exercises are beginning to prompt a more centralised response from big financial services players.
"Banks are easily spending €10m (£6.68m) each on MiFID compliance alone," points out Sunil Chopra, CEO of outsourcing firm Tata Consulting Services. Chopra has noticed a greater desire for implementing centralised systems that take a top-down view of all across the enterprise.
And the volume of duplicated effort uncovered in running multiple compliance tasks is also quickening the search for a more centralised approach, according to S. Ramakrishnan, CEO of Reveleus and Mantas. His thesis is that Basel II and its requirement for operational risk was a catalyst for discussion of generic frameworks: “People implementing [solutions to comply with Basel II] were in the interesting position of looking across the office and seeing colleagues involved in very similar work for Sarbanes-Oxley.”
Yet financial regulation think tank JWG-IT Group has found that IT departments are sceptical that GRC frameworks are going to change their lives just yet. In a report published in June, the group said that only 20% of companies questioned are confident that implementing MiFID systems is an opportunity to gain a competitive edge with improved offerings.
"The vast majority of firms sit amidships and believe they still have much to do and the remaining third are planning just minimal attempts to keep regulators and clients at bay," according to the bulletin.
"The difficulty most organisations have with MiFID is that it’s so broad, it affects the whole bank and responsibility and ownership is hard to pin on just one person," says PJ Di Giammarino, co-chair of the MiFID working group. “All those products being touted do different things. True, there are some end-to-end solutions, but they’re for a piece of the picture, like financial reporting,” he says.
S. Ramakrishnan, however, argues that compliance activities fall into two camps: surveillance of dealer transactions and customer behaviours on the one hand; and certification and assessment of institutions’ processes on the other. Processes in each are fairly generic, he reckons. “You need to solve the demands of both classes of regulation within one framework in order to solve the demands of the next generation,” he contends.
To date, IT teams have shouldered much of the responsibility of rolling out compliance and governance reporting systems and already have the experience of Basel II and Sarbanes-Oxley under their belts. A GRC framework would see IT departments working less under their own steam in silos on one-off compliance exercises and more under the coordinated direction of a compliance officer.
But IT would also have to continue, and increase the number of, conversations across the business with legal, internal audit and business units, points out the Protiviti report. A majority of respondents (71%) said it was important that team members from various disciplines – including legal, compliance, enterprise risk and internal audit – are involved and regularly communicate with one another with respect to planning and execution.
Peter Golden, head of the financial services special interest group (FINSIG), a specialist group of the British Computer Society (BCS), points out that even considering frameworks is a luxury that only the big players can afford. “All the big institutions are forming discussion groups to interpret what MiFID means. Smaller outfits on the ‘buy-side’ of the securities world, such as institutional investors, are not invited to these privileged club circles. As a result,” says Golden, who is also an ex-IT director of Barclays Bank, “many of the smaller firms are behind the curve.”
Another everyday concern that continues to tax IT teams, highlighted by the Protiviti report, is that of aggregating enterprise-wide risks and reporting them to executive management through a common risk language. And, although 76% of the respondents agreed that it is important, only 52% currently do this at their firms.
Other low-level challenges that currently vex IT staff working on compliance projects include data cleansing. “One of the biggest problems with MiFID is that you have to report on different counterpart names. In the ecosystem where there are disparate reporting systems, this may entail standardising on six different reference tags,” points out Rebecca Bond, head of global marketing for FRS, which markets enterprise risk and regulatory compliance solutions.
One thing all IT professionals working in financial services have in common, GRC frameworks or not, is that they are very, very behind. "A lot of stuff is sitting on the desk of compliance officers and hasn’t got to the IT people as fast as it should," says BCS’ Golden.