The financial services industry currently faces an unprecedented raft of regulation, which is being driven by two distinct objectives. First, the increasingly stringent compliance climate in which firms must prove they have effective controls and processes in place to ensure accountability and an effective corporate governance model. Second, the overarching goal of the regulators, particularly in Europe, to encourage greater harmonisation, competition and customer protection within all financial markets.
This commentary considers some of the most significant regulations affecting the industry and how organisations are dealing with them. As the most recent regulation to come into force, the Markets in Financial Instruments Directive (MiFID) is an appropriate starting point.
MiFID – The Story Continues
Most of the EU Commission’s regulatory work is based on implementing the Financial Services Action Plan (FSAP), where the ultimate goal is to create a single European market in financial services. MiFID is a fundamental pillar of the FSAP and, as of 1 November 2007, introduced a common set of rules aimed at increasing the range of investment services and activities that can be passported by firms, and so make it easier for them to conduct cross-border business.
All but three member states have now transposed the directive (i.e. the published final rules) and of the three remaining, Spain, Poland and the Czech Republic, two (Poland and the Czech Republic) have indicated that they will transpose the directive in March 2008. Spain has not yet indicated when it will transpose MiFID in full.
“To put it in simple terms, MiFID is about transparency. Transparency in the way financial institutions organise themselves, handle clients and conflicting interests, execute orders, disclose the level of risk in the products and services offered, and how personal advice is provided,” says Michael Viller Moller, executive director and global head of legal and compliance at Saxo Bank.
In his article, A Single Passport to Europe’s Financial Markets, Moller explains that one of the main objectives of MiFID is to ensure that all clients have the necessary knowledge and experience to understand the risks involved in a product before investing in it. “Banks are obliged to ensure that retail clients have been informed of the potential risks connected with trading financial instruments, which are not necessarily appropriate for them,” he says. “MiFID does not restrict clients from trading in any product; it only sets the level of information to be disclosed to clients prior to trading.”
While the aspirations behind MiFID are justified, there has been criticism about the regulators’ expectations of the implementation process. “For a complex piece of legislation like MiFID, which involves multiple systems changes for firms, much more time should have been allowed than the MiFID timetable provided for, and there needs to be more intensive consideration of the practical effect on market participants of the proposed policy changes,” insists Paul Richards, head of regulatory policy at the International Capital Markets Association (ICMA). “In future, much more account should be taken of the project management disciplines that are needed if legislation is to be implemented properly without giving rise to undue risks that occur if consequential changes are rushed.”
Indeed, the upheaval of MiFID’s impact looks set to continue, as areas of concern are addressed and firms complete their implementation plans. “While MiFID has now come into force, there is still more work to be done in terms of whether firms have dotted the ‘i’s and crossed the ‘t’s on issues, such as documenting procedures and finalising client agreements and consents,” says Bernadine Reese, director, Financial Services Group at Protiviti. “During 2008, the Committee of European Securities Regulators (CESR) will also be considering aspects of MiFID that might need further guidance and the EU Commission is still consulting on areas of possible extension to MiFID, such as commodity derivatives and transparency in the bonds market, and this will extend into 2009.”
In the UK, further policy documents are also expected in 2008 from the country’s regulatory body, the FSA, and a key issue going forward will be the position of collective investment schemes (CIS) operators in the post-MiFID world. According to Michael Wainwright, partner at international law firm, Eversheds, the FSA has acknowledged that its proposals in CP07/9 had the effect of applying best execution to operators in circumstances where it did not previously apply. It has now decided to extend the application of the code of business (COB) exemption, and so delay its proposed implementation of its current proposals until 1 November 2008. This will allow the FSA time to consult with the industry during 2008 and conduct a full cost-benefit analysis.
Will MiFID live up to the EU Commission’s expectations for the European securities market? “It will be impossible to assess whether MiFID’s ambitions have been achieved until all member states have implemented the directive and the changes brought about by the directive have had time to settle in,” insists Wainwright. “We also have to wait until firms in the EEA have had time to implement necessary changes and have begun to identify and take advantage of the opportunities potentially available under MiFID.”
In fact, according to Protiviti’s Reese, clients are only now thinking about their MiFID programs and whether they have actually realised the business benefits of the regulation because it has introduced business opportunities in a number of areas, including new execution venues in the equities market and facilitating the cross-border distribution of funds in Europe, for example.
Wainwright at Eversheds believes the earliest the industry can realistically assess the success of MiFID is 2009, although many of MiFID’s key changes, such as seeking to open up markets and increase competition, are likely to take effect only after several years, if at all.
Basel II and Current Market Turbulence
Basel II has been another ongoing regulatory focus this year with banks gearing up for the first implementation deadline for the advanced approaches to credit and operational risk next January. The Basel II Framework prescribes a more comprehensive measure and minimum standard for capital adequacy and the regulation seeks to improve existing rules by aligning regulatory capital requirements more closely to the underlying risks that banks face. In addition, the Bank for International Settlements (BIS) has explained that the Basel II Framework is intended to ‘promote a more forward-looking approach to capital supervision, one that encourages banks to identify the risks they may face, today and in the future, and to develop or improve their ability to manage those risks’.
This statement is particularly pertinent when we consider the current credit crisis affecting the banking industry. Last month, the Basel Committee on Banking Supervision reiterated the importance of ‘implementing the Basel II capital framework, strengthening supervision and risk management practices in areas, such as liquidity risk, and improving the robustness of valuation practices and market transparency for complex and less liquid products’. In fact, earlier this year, the Committee initiated a review of jurisdictions’ approaches to supervising and regulating funding liquidity risk. This work will now take into account the lessons learned from recent market events, including how liquidity risk is assessed by banks and supervisors under the assumption of stressed market conditions and the risks related to off-balance sheet exposures.
For Paul Richards at the ICMA, it is not clear whether Basel II or MiFID would have made a significant difference either in preventing current financial market turbulence or in resolving the problems that have emerged if they had come into effect earlier. “One particular problem is that the treatment of collateral under Basel II may need to be rethought,” he says in his article, Turbulence in the Financial Markets: Regulatory Impact. “The question is whether Basel II gives excessively generous terms to collateralised instruments and covered bonds (e.g. in relation to unsecured interbank lines). And if the authorities need to rethink elements of Basel II in relation to the banking sector, this may also have implications for Solvency II in the insurance sector.”
One unexpected result from recent market turbulence is the reaction from the US Federal Reserve, the Office of the Comptroller of the Currency, the Office of Thrift Supervision and the Federal Deposit Insurance Corporation, who have finally agreed on the implementation of Basel II in the US. According to Adam Honore, senior analyst at the Aite Group, even though the US is now moving forward, uncertainty around implementation is a concern. “The US regulators are still soliciting comment letters on specific initiatives, and implementation could take some time. Furthermore, the guidelines are too ambiguous right now to instill spending in this area,” he says in his article, Are US Banks Ready for Basel II?
Philippe Carrel, global head of business development at Reuters Trade and Risk Management, also discusses whether banks are actually ready for the Basel II implementation deadline in his article, Fear, Greed and Regulation: The Basel II Effect. “The answer all depends on how you define readiness. If it is about complying with regulatory capital allocation rules, chances are that most [banks] have been in full compliance or have even been exceeding requirements for some time already,” he says. “However, if the spirit of Basel II was to create a safer and more profitable market place by harmonising risk policies with capital allocations and leading all participants to adopt best practice operations, the outcome could actually be the opposite of what was initially the desired effect.”
Carrel argues that by establishing norms and codifying practices, every set of rules can invariably be overridden. He also believes that Basel II regulators and consultative papers have been greatly influenced by the codes of conduct of Tier 1 banks. “The rationale must have been that if the entire industry could upgrade to a Tier 1 bank approach to risk management and operational control, then it could only be to the benefit of all,” he says. “However, the events in recent weeks have tended to prove that this might not always be the case.”
Sarbanes-Oxley: Five Years On
A discussion about compliance and regulation would not be complete without reference to the infamous Sarbanes-Oxley Act (SOX). SOX was originally enacted following the collapse of Enron – one of the most publicised accounting scandals of all time. Section 404 is probably the most well known part of the regulation, which requires that chief executives and chief financial officers personally certify that financial statements are complete and accurate, under the risk of jail time.
While proponents of SOX argue that it has fostered greater accountability, since CEOs and CFOs can no longer use the excuse of “I didn’t know”, detractors criticise the regulation for being costly as well as overly burdensome in terms of its requirements. Five years on, what impact has SOX had on internal controls and how has the industry adapted to the regulation?
According to Protiviti, during the initial years of compliance, the intensity of SOX preparations challenged many internal audit functions’ ability to complete their original plans and regular work. In 2005, the company conducted a survey among firms to determine whether and how internal audit functions could ‘rebalance’ their activities to address risks overshadowed by the intense focus on financial reporting. The most recent follow up to the survey benchmarks the evolution of internal audit’s ‘rebalancing’ in the years following SOX.
“Internal auditors are considering the broader framework of operations and regulatory compliance and getting back to basics in terms of adding value in all areas of the business – not just through SOX compliance,” affirms Kristen Kelly, associate director, Internal Audit Group at Protiviti.
The survey revealed that the three most widely employed rebalancing strategies among internal audit departments are reducing the total population of controls, reducing the number of key controls and increasing reliance by external auditors. Survey respondents also said that the burdens of SOX are heaviest in the first year, when some companies found that compliance could consume more than 75% of an internal audit department’s resources.
Despite the criticisms of high costs and complex requirements, SOX has gone some way to re-asserting the importance of accountability and transparent corporate governance within organisations. The US Securities and Exchange Commission is looking at how to adapt SOX going forward and this should take into account market opinion.
Evolution of the Compliance Function
MiFID, Basel II and SOX are just three regulations in the myriad of compliance issues affecting the financial services industry. As a result, the pressure on organisations and their compliance officers has never been as great. In order to cope with this strain, the role of the compliance function is evolving and three trends are prevalent in this transition.
Relationship with senior management
According to Richard Warrington, head of regulatory affairs and compliance at National Australia Bank Group, compliance directors need to encourage, influence, and even have the authority to direct senior management to comprehend and understand their responsibilities. “Compliance has a role to play in raising senior executive and board awareness of how their accountabilities and responsibilities must focus on compliance issues,” he insists in his article, Compliance From the Top Prevention is Better Than Cure: Fraud Prevention Strategies For the 21st Century. “Governance frameworks and risk management structures are there to help, but the individual directors and executives must understand their roles to deliver the necessary direction to meet business goals and also regulatory requirements.”
The UK’s FSA is also focusing on senior management responsibility and Matt Lucas, executive assistant, regulatory strategy department at the FSA, explains that the authority’s principles-based regulation strategy underlines this. “We will be looking to senior management to engage with the principles and to ensure that their firms deliver outcomes that meet these high level requirements. And greater flexibility for firms is likely to mean that decision-making moves up the organisation,” he says in his article, Update from the FSA: Next Steps on Principles-Based Regulation. “We expect that as the outcomes we are seeking should be the same as any reasonable business is seeking, this will be a benefit for firms. But it does mean that senior management and boards will need to ensure that they factor regulatory outcomes into their decision-making and judgments.”
The FSA’s concentration on more principle-based regulation does allow firms to comply with requirements in a way that suits their business, rather than following a set of prescriptive rules. However, Reese at Protiviti warns that this can potentially open the way for the business to challenge compliance’s interpretation of requirements. “As a result, it might increase complexity for compliance officers, although a healthy debate with the business can ultimately achieve a better outcome,” she says.
Internal controls and processes
The emphasis on internal controls and compliance programs is also mounting with the spotlight on process, decisions and documentation and what firms are actually doing within their compliance programs. “Regulators are delving deeper into the area of compliance risk and firms must be able to provide accurate answers about their compliance program and strategy,” says Stephen M. Epstein, vice president, head of product management at Mantas.
Epstein claims that while compliance officers have always been under significant pressure to address new compliance demands quickly, what has changed is the fact that they are becoming strategic rather than tactical. “They are now considering how to consolidate information gained from investments in compliance solutions to gain a better understanding of their regulatory exposure across all business lines,” he claims. “They are also under pressure to reduce cost – not only in deploying a compliance vision – but in the ongoing cost of maintaining a solution and managing the information that is generated.”
Integration of compliance function with the business
Compliance officers are rethinking how they can meet the requirements of their compliance program by aligning people, processes and resources to meet their strategic goals. As a result, the compliance function is transforming its position as a remote entity within the organisation into one that is fully integrated with the business.
“One of the biggest challenges facing compliance officers today is managing the burden of regulation. They must deal with the complexity and speed with which the regulatory landscape currently changes and therefore project management is essential,” affirms Sean Wade, chairman of the Association of Compliance Officers in Ireland (ACOI). “This requires significant skills, such as the ability to communicate and represent requirements at senior level as well as become a more integrated part of the organisation’s overall business model.”
Wade argues that compliance with regulation should be integrated into all business processes so that the business is compliant in its day-to-day activities. “In order to do this, companies need to focus on collaboration, and the compliance officer must be more involved with the business in terms of implementing any regulation,” he says.
This view is supported by David Symes, managing director of Compliance Recruitment Solutions (CRS), who believes that because the detailed rules of regulations change with less frequency, a good compliance officer should have time to face the business properly, advise them fully on day-to-day transactional advice and be a proper part of developing new products and services. “The ideal compliance officer should be able to command credibility with the business by both understanding commercial practices and objectives as well as the rules,” he says.
Another dynamic that is fuelling this trend is that regulation has traditionally been based on a prudential framework, in order to ensure a stable financial system, but consumer aspects of regulation have become increasingly significant. “The compliance function can provide a useful bridge between the business and the customer in the interest of best practice and meeting customer requirements,” argues ACOI’s Wade.
Going forward, raising the profile of compliance must be a priority for all organisations. “Scaling up the function is vital because it is no longer sustainable for it to be a low resourced or isolated function,” argues Wade at ACOI. “Basel II, Northern Rock and the current credit crisis will cause regulators to focus closely on financial and operational risk management processes as never before, so companies must make sure they implement strong post-implementation checks and early warning signals at an operational level.”
The impact of current regulation clearly cannot be avoided and organisations must continue to adapt and comply with new requirements. As stated at the beginning of this commentary, there has been an unprecedented amount of regulation in the last few years but there are signs that pressure will ease over the next 12 months.
“The European Commission has recognised that there is regulatory fatigue and that firms need some breathing space to comply with the recent raft of regulations,” says Reese at Protiviti. “The UK’s FSA has also signaled its intention to let firms get to grips with MiFID, for example, before they start their reviews of firms’ MiFID implementation and compliance. The regulators have recognised the fact that there has been a lot of change in a very short timeframe.”
While organisations will not be able to stand still completely, 2008 will provide a chance to take stock and make sure their internal controls and processes and compliance strategies are in order and functioning effectively.