The responsibility of the modern Chief Compliance Officer is very wide. He/she must ensure compliance to a wide array of statutes that include laws (international, regional, national and local), guidelines, standards, codes and best practices. The initial problem is to determine which of these does the company need to comply with, to which clauses of each, and to what maturity. The next problem is to implement this compliance. However, the bigger problem is to keep track of the new statutes as they arise and the changes in the existing ones as they are made. This calls not only for effective and efficient compliance processes, but also systems that help automate these processes. A whole new industry and a promising new profession has arisen to meet this need.
The Chief Compliance Officer also must ensure that compliance is embedded into the existing and new business processes and systems and that these processes and systems are modified and updated whenever there is a new or changed compliance requirement. This has necessitated the design, development and use of software tools. Many such tools are now available as stand-alone tools or as part of a suite of tools known as GRC (governance-risk-compliance) tools. However, these generic GRC tools do not meet the needs of industries that have elaborate compliance requirements. FIs are one such industry. Tools that add on to these GRC tools are needed by banks and other financial institutions. This need has created a new technology known as 'Fintech' or 'Regtech'.
As stated above, one of the aftershocks of the global financial crisis of 2008 was a massive increase in regulatory zeal. The resultant upheaval left FIs facing a complex web of cross-jurisdictional requirements. Extraterritoriality and differences in interpretation of regulation at a national level have exacerbated the challenge of on-boarding and managing data throughout the client life cycle. Ticking the boxes, file-and-forget and generally keeping your own local regulator happy is no longer enough.
What has caused the shift from national to extraterritorial? In an attempt to reduce systemic risk, regulators have moved from concentrating solely on domestic financial institutions to a broader focus which now includes counterparties too - FIs are no longer merely 'too big to fail' but also 'too interconnected to fail'. This extraterritorial view can be seen in such regulatory and tax obligations as FATCA, Dodd-Frank, EMIR, the OECD Common Reporting Standard (CRS), and the various Basel Accords. The volume and complexity of new regulations has created a perfect storm for FIs where a tsunami of regulation is bearing down on outdated, fragmented infrastructures and on paper-based processes that have changed little in the last 20 years. To date, many FIs have responded with a tactical, firefighting approach, with the inevitable increase in headcount and IT costs. It is clear that the answer, to quote Henry Ford, is not 'faster horses'.
The cost of getting it wrong has gone up too. Recent fines for regulatory shortcomings and breaches of sanctions have run into the billions of US Dollars. Increased costs and risks have made many major FIs reluctant to do business with counterparts in those countries where the returns from providing services no longer justify the increased costs and regulatory risk. The resultant 'de-risking' has led to many local and national banks in these countries losing access to US Dollar correspondent banking.
How are FIs to cope if 'faster horses' isn't the answer? The answer is regulatory technology, or regtech. Regtech is a whole new way of looking at the problem from a strategic rather than a tactical viewpoint. FIs need a technology platform that offers the following solutions and advantages:
-- Better data quality and reduced cost of meeting the data requirements of new regulations.
-- The ability to capture, understand and respond to changes affecting clients, counterparties, their ownership hierarchies and associated parties.
-- Centralized process ownership and control.
-- Scales to meet growing business demands.
-- Rules-driven workflow solutions for regulatory and tax classification.
-- Rules-driven risk assessment tools.
-- Document management capabilities that uses digital copies of documents enriched with relevant metadata.
-- Easy to integrate with existing IT infrastructures.
-- Extensive analysis and reporting tools to let FIs see where bottlenecks are, what they're getting wrong and what they're getting right.
-- Meticulous audit trails - not only do you have to get it right, you have to show the regulator how, why and when you got it right.
-- Reduces regulatory risk.
-- Prevents costly rework.
-- Reduces cost of headcount, IT overhead and regulatory sanction.
-- Improves time to revenue.
-- Improves customer service
This is a long and perhaps daunting list of requirements. The temptation is often to try and meet them by building an in-house solution, but time and regulation waits for no man. Off-the-shelf solutions are available and are already proving their worth to FIs from local retail banks to global giants. When selecting a supplier, make sure you choose one who can meet ALL of the above requirements, can get you up and running in months rather than years, and has verifiable client references.
As stated above, the tactical, firefighting approach, with the inevitable increase in headcount and IT costs shall prove to be too costly for FIs. The entire governance - risk - compliance triangle has to be rebuilt based on a new and modern technology infrastructure. The following steps need to be taken by FIs in order to survive.
1. Implement corporate governance based on BS 13500:2013 - this is the 'Code of practice for delivering effective governance of organisations' formulated by the British Standards Institution (BSI). It came into effect on 31 August 2013 and is now being adopted widely. You scribe had participated in some projects to help implement it and to audit its compliance. This is a simple standard that is 'intended to be used by those concerned with the governance of organisations as a basic checklist to ensure that all the elements of a good governance system are in place'. BSI however clarifies that 'when an organisation can demonstrate that it is implementing all the Code's recommendations, it can be said to have a system for delivering effective governance. Having such a system does not guarantee effective governance or the achievement of objectives, but it does at least encourage and support positive organisational values and behaviours'. Compliance to this Code therefore just constitutes the first step towards effective corporate governance.
2. Implement Technology Governance based on ISO 38500:2015. This is the responsibility of the board and the management, not IT. This will enable the board and the management to control their galloping IT costs and know exactly what IT is doing.
3. Implement Enterprise Risk Management and Business Continuity Management based on ISO31000 and ISO 22301 standards.
4. Implement Information Security Management based on ISO27001. Information is the most valuable asset of any FI - not money or people. The board must, therefore, take direct interest in securing it. Getting ISO27001 certification is easy, the objective should be to create and maintain a culture and climate of information security. This, only the board can ensure.
The above provide the stable platform for compliance and only after implementing them can an FI hope to be continually compliant to the ever-increasing compliance needs.
This consultant has witnessed and helped several companies transform themselves by implementing the above systems in combination with sophisticated compliance tools integrated with their core systems.
The time for FIs in Pakistan to start doing this is now. The challenge of the CPEC cannot be met without this transformation.
(The writer is an international consultant practicing in the GCC and Africa in the domains of corporate governance, compliance, risk management, business continuity and digital enterprise transformation. His recent book titled 'Technology Governance - Principles & Practices' is available on Amazon. He can be contacted at email@example.com or through LinkedIN)
Copyright Business Recorder, 2017