A holistic approach to financial-services regulations
Four building blocks for better compliance
Strategy&
About the authors
Carl Drisko is a partner in Strategy&’s Boston office. He is aligned
with the digital business and technology practice and leads the
financial-services architecture practice.
Kelley Mavros is a partner in Strategy&’s Chicago office. She is
aligned with the digital business and technology practice and
leads the financial-services Fit for Growth* offering.
* Fit for Growth is a registered service mark of PwC Strategy& Inc. in the United States.
Executive summary
The financial-services industry has already spent enormously on
regulatory compliance, both in dollars and in time. Estimates suggest
that companies will spend US$50 billion globally by 2015. But too
frequently these efforts are reactive to regulatory developments, and
handled at the business unit level without the executive attention they
deserve. This might seem expedient in the short term, but it is a risky
and inefficient approach for the enterprise, which needs to take a more
holistic approach to compliance in order to mitigate risk and reduce
cost while simultaneously identifying new business opportunities
arising from regulatory changes. Information technology is a critical
enabler of compliance; however, no single solution can enable a holistic
compliance strategy. Instead, financial institutions need a multifaceted,
flexible framework that can incorporate new compliance-related
technologies as they emerge. Executives designing such a regulatory
and compliance architecture should consider four critical building
blocks: data and analytics, vendor solutions, internal execution,
and utilities. The proper combination of these four building blocks
can help a financial institution keep pace with today’s very fluid
regulatory environment and exploit business opportunities for a
competitive advantage.
Be strategic, not reactive
The unrelenting pressure of existing regulations, as well as
the uncertainty caused by a pipeline of emerging domestic and
international rules, is creating significant challenges for the
financial industry. As companies make expensive, complicated
adjustments to comply with regulations such as Dodd-Frank, the
Foreign Account Tax Compliance Act (FATCA), and anti-money
laundering (AML), they must also ready themselves for new
complexities brought by the likes of Basel III and MiFID II.
In a recent survey by SunGard Financial Systems, 43 percent of
financial executives cited new regulations — governing areas such as
transparency, reporting, liquidity, and taxes — as the most pressing
issue for the next two years (“The Regulatory Pressure Cooker,” 2014).
The industry has already spent huge amounts of time on compliance,
not to mention money — close to US$50 billion. But 80 percent of the
executives surveyed said their technology still requires major alteration,
and they expect compliance-related IT costs to grow at a compounded
annual rate of 6.9 percent from 2014 to 2017.
With so much at stake, and with so much being spent, it’s vital that
financial-services companies direct their IT investments wisely to
keep long-term costs down while ensuring transparency and risk
mitigation. Unfortunately, too many compliance initiatives are reactive
to regulatory developments and occur at the business unit level.
Managers are under intense pressure to react swiftly on their own
to keep day-to-day operations running. But the result is predictable:
uncoordinated regulatory patches across the enterprise that duplicate
efforts and increase the risk of missing critical compliance-related
issues. Instead, financial-services companies need to take a more
strategic, less reactive approach to compliance-related IT investment.
Companies should coordinate compliance initiatives at the enterprise
level, across traditionally siloed business units, functions, and regions.
And there’s urgency to do so.
First and foremost, financial-services companies must meet the array
of regulatory requirements across the enterprise. The costs in terms of
fines and reputational damage for noncompliance are significant,
sometimes in the billions of dollars. In fact, 80 percent of C-suite
executives report being stressed about the potential damage to their
firms’ and their own reputations. Second, companies need to better
coordinate compliance efforts across the enterprise, which requires
recruiting knowledgeable talent. The scarcity of this talent is driving
up salaries in regulatory roles by 11 percent. Third, companies must
not lose business focus. Employees should not be so overwhelmed
with regulatory duties that they cannot perform their primary job
responsibilities. Finally, companies should leverage their capabilities
to capitalize on new revenue opportunities created by new regulations.
Architectural building blocks
Given the scope and pace of new regulations, there is no easy answer
or single IT compliance solution. A multifaceted, flexible approach is
necessary. This makes intuitive sense. Because technology is constantly
evolving, a strong, durable regulatory and compliance architecture is
one with the adaptability to take full advantage of new technologies
as they emerge.
With this flexibility in mind, we have identified four critical building
blocks of regulatory and compliance architecture for most financial
institutions: data and analytics, vendor solutions, internal execution,
and utilities. Within each of these are many options and trends for
executives to consider (see Exhibit 1). But the due diligence is
well worth the effort. Not only can a combination of these four building
blocks help a financial institution keep pace with today’s very fluid
regulatory environment, but the right combination can also help to
identify and exploit business opportunities for a competitive advantage.
Data and analytics
From 2014 to 2015, financial institutions are expected to increase
their spending on data management by 17 percent, from $7.5 billion
to $8.9 billion. Meanwhile, spending on analytics will be even higher —
growing 12 percent, from $10.7 billion to $12 billion.
This level of spending reflects the powerful supply and demand
dynamics at play. On the supply side, data is increasing exponentially,
driven by process automation, digitization and market technologies,
mobile access, and real-time data access. On the demand side,
regulatory reporting requires ever more data spanning customer
types, asset types, markets, and jurisdictions.
Although this dynamic poses significant challenges, one bit of good
news is that as much as 80 percent of data is common to various
regulatory requirements. For example, European Market Infrastructure
Regulation (EMIR), Dodd-Frank, FATCA, and know-your-customer
(KYC) rules share a number of data entities, including the Legal Entity
Identifier (LEI) and other specifics about the legal entity, as well as
ownership structure. By focusing on how to fulfill multiple regulatory
requirements at once, the company can reduce the overall enterprise
compliance effort and cost (see Exhibit 2).
Exhibit 1
Regulatory and compliance: A multifaceted approach to IT
• Data and analytics: Determine data needs once — enterprise view to fulfill multiple regulatory requirements
• Vendor solutions: Buy versus build — vendor solutions can be leveraged to support regulatory and compliance functions
• Internal execution: Execution is critical — optimize organization, methodologies, and technologies to execute technology-driven transformations
• Utilities: Vendors are not the only third-party solutions — emerging utilities take on non-differentiating tasks to meet regulatory needs
• Design and architecture: Flexibility through architecture — how you design now helps you meet continued change
Source: Strategy& analysis
In the past, companies seeking access to this data had to spend
millions of dollars transforming it — through heavy integration across
numerous data stores — into a single data warehouse. This is onerous
and expensive. Today a financial institution’s data architecture can
be much more flexible, with three distinct layers: data storage, data
access, and reporting/analytics. By integrating data requirements and
creating a common enterprise-wide data taxonomy, the company can
pull data directly from multiple storage points without expensive and
cumbersome data transformation. Once the organization has this level
of data access, it can identify potential ways to drive revenue. For
example, a company that offers real-time data on trade positions could
also offer more in-depth risk exposure and regulatory support services.
Vendor solutions
Financial institutions face a stark choice. They can continue to
spend time and money updating complex, aging, in-house technology
solutions — thus devoting the resources necessary for constant
development — or they can consider third-party solutions that
take advantage of industry-wide upgrades to both functionality
and technology.
Evidence suggests that financial institutions — long committed to
internally built solutions — are rapidly shifting gears in the face of
the regulatory and IT challenges. In 2011, only 50 percent of financial
institutions had any interest in governance, risk, and compliance (GRC)
systems from third-party vendors. By 2014, that number had jumped
to 62 percent, a figure that includes institutions already operating
third-party solutions, those in the process of implementing them,
and those planning to buy them next year. All told, industry spending
on external risk software is projected to increase 8 percent, to $8
billion, from 2014 to 2015, while spending on external services rises
11 percent, to $5.9 billion.[1]
This new willingness to leverage third-party solutions to support
regulatory and compliance functions is due, at least in part, to the
emergence of many vendors with sophisticated solutions. Besides GRC
vendors, financial institutions can now consider vendor technologies to
support data management, workflow, and document processing, as well
as KYC, anti–money laundering, and FATCA solutions.
Exhibit 2
80 percent of data may be common across regulations
Sample of data requirements by regulation (EMIR, Dodd-Frank, FATCA, KYC):
• Legal entity name
• Legal entity address
• LEI
• Legal entity structure
• EMIR tax details*
• Tax ID
• Specific EMIR Avox fields
• FATCA special entity tag
• Industry classification
• EMIR-specific requirements
• Specific Dodd-Frank Avox fields
• Officers/directors
• U.S. person flag/qualifier
• Relationships
• Global Intermediary Identification Number
• Consortium status
• Tax docs
• Politically exposed person status review
• FATCA fields
• U.S. indicia/details
• Legal entity FATCA requirements
* Data entities are partially shared between regulatory requirements.
Source: Marc Murphy FIMA video (Fenergo, Feb. 27, 2014); Strategy& analysis
Internal execution
Execution is critical. To this end, firms should explore technologies
and practices — both here today and on the horizon — to improve
IT delivery efficiency and effectiveness. We see four big trends for
financial institutions to consider:
• Cloud: Cloud technologies are fundamentally scalable, virtualized,
and standard. They deliver savings in the range of 20 to 60 percent,
provide capacity in minutes versus weeks, ease the maintenance
burden, and are secure (often combining private and public
components). More than 60 percent of financial institutions now
have cloud technologies implemented, and Gartner estimates
that global spending on cloud technologies across industries will
grow from $76.9 billion in 2010 to $210 billion in 2016.[2] On the
compliance front, the cloud helps a company build capacity faster,
which is vital to keep up with regulatory requirements.
• Big data and analytics: “Big data” technologies continue to mature
and improve their ability to discover and predict across disparate
sets of structured and unstructured data. Thus, integrating big
data technologies can improve risk analytics, provide real-time
operational data aggregation, and enhance a financial institution’s
ability to monetize its own data assets. It also improves regulatory
compliance by allowing the company to better assess risk exposures
based on internal and external data. Undertaking a big data
integration can be done in-house, or in conjunction with any of
a number of firms building big data partnerships.
• Advanced document processing: Many regulations require not only
data but also some proof that the data is correct. Advanced document
processing satisfies these requirements by extracting information
and linking that data back to its evidentiary source. Historically this
process required people to review those documents and manually
input information into data fields. But that is changing, thanks to
natural language processing technologies that automate data
extraction and evidencing. These technologies include “learning”
systems that improve information extraction over time, transforming
what was once mere document management to full-fledged
document processing. Although manual checks are still required,
cost savings can be significant — as much as a 70 percent reduction
in labor costs.
• Agile practices: Even with the best underlying technology, getting
to market quickly can be a challenge. Agile is not a new concept,
but financial institutions often have resisted putting it in place for
fear it could result in inadequate documentation for regulatory and
audit reviews. But today — even with regulatory issues so
significant — 52 percent of financial institutions have turned to agile
practices because these small, cross-functional teams (“scrums”)
focused on incremental delivery (“sprints”) can reduce time to
market by 70 percent, while also improving business collaboration
and flexibility. To better address regulatory issues, about 35 percent
of financial institutions rely on a “hybrid methodology.” A hybrid
methodology uses scrums and sprints, but puts attention on up-front
solution design, has controls throughout development, and ensures
documentation around audit/compliance approvals.
Utilities
Software vendors are not the only third-party option for financial-services
companies. More industry utilities, or small firms and/or
business units offering a specific “utility” function within the value
chain, are emerging. Increasingly, these utilities are looking beyond
their traditional back-office role to support middle- and front-office
functions. Their goal is to help financial institutions meet new client
and regulatory demands more efficiently by taking on non-differentiating
tasks throughout the organization.
Financial institutions are quickly recognizing the value of this approach,
and there is a growing consensus that they can all benefit by creating
industry standards for non-differentiating functions to support
regulatory needs. Potential areas for technology and data utilities
include handling non-security reference data, security reference data,
and client and account data. Although utilities do not assume the
financial institution’s risk, they help streamline the processes, data, and
technology to make the institution more effective at managing its risk
(see Exhibit 3).
Recent new utilities include DTCC’s Global Trade Repository for OTC
derivatives reporting to provide transparency into the global market;
the Global Markets Entity Identifier utility — formerly known as the
CICI utility — to assign LEIs as a standard unique industry identifier;
SWIFT’s KYC registry for the collection and distribution of standard
information, which is due to go live this year; and the client reference
data consortium of DTCC and six member banks to develop a single
source for standard data and documents to meet global KYC/AML,
FATCA, and additional regulations.
Exhibit 3
Opportunities for utilities: Common business architecture
• Front office, middle office, and back office functions: client services and on-boarding; transaction management; treasury; securities processing; asset servicing; research; product control; credit and market risk; OTC processing; tax operations; analytics; performance and attribution; operational risk; collateral processing; reconciliations; trade and execution management; collateral and cash management; financial control; global payments; reporting; pricing and valuations; regulatory and compliance; claims and fails processing
• Technology and data: non-security reference data; architecture and design; security reference data; development; client and account data; maintenance; transactional data; application support; infrastructure
Legend: Potential opportunity for utility
Source: Strategy& analysis
Commit the enterprise
In summary, it is vital in today’s regulatory environment that
financial-services companies direct their IT investments wisely to keep long-term
costs down and improve risk mitigation. This can’t happen if compliance
initiatives devolve to the business unit level. Companies need a holistic,
enterprise-wide view to streamline the use of data for compliance and
react to new business opportunities.
Ultimately, financial-services companies need to take a more strategic,
less reactive approach to compliance-related IT investment. Meeting
regulatory requirements is a transformation. It requires a “management
system” that is fully committed and engaged from the top, taking into
account all strategic elements from compliance to cost to revenue, and
engaging the entire organization to span traditional silos. It requires
an “operating system” that is enterprise-wide, with an integrated road
map, program management, and transparency. Finally, it requires a
“cultural change” that involves the entire organization, not just those
people assigned responsibility for compliance.
The task may sound daunting, but a few leading financial institutions
have already proven that it’s achievable and beneficial. Institutions that
can follow suit stand to gain a sustainable competitive advantage.
Endnotes
1. Chartis, “RiskTech100 2014,” Nov. 2013.
2. Gartner Inc., “Forecast Overview: Public Cloud Services, Worldwide,
2011–2016, 4Q12 Update,” Feb. 8, 2013.
© 2014 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further
details. Disclaimer: This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.