The challenge for financial services firms is to find ways of handling the heavily increased reporting burdens effectively – ensuring compliance – and efficiently – at acceptable cost.
Key questions they need to ask include:
- How should we monitor and interpret complex regulations?
- How will our business be impacted?
- How do we know if we are compliant with the reporting requirements?
- How can we capture the reporting information to the aggregated or breakdown levels?
A systematic and comprehensive approach is essential to developing a sustainable compliance and risk management program.
Effective governance is important to ensure awareness of the data reporting requirements across the board, and to monitor regulatory developments for changes and their impact. An efficient regulatory watch function with defined communication lines should be established to remain abreast with regulatory updates and to disseminate impact analysis across the organization. Where the implications of current or new regulations are unclear, systematic engagement with regulators, and with other stakeholders such as industry bodies, can clarify interpretations to develop appropriate solutions within the context of an organization's business, risk and information management structures. It should go without saying that understanding the impact on business and operating models requires a holistic knowledge of the business and associated workflows – but this is often challenging where there are multiple geographies, jurisdictions, markets and product lines. The need is to create a complete characterization of the business, including a clear and updated view of cross-border business activities and their implications for reporting to local regulators.
Developing the necessary capability involves creating the right infrastructure and establishing appropriate governance mechanisms. Technology systems and processes need to be both comprehensive to capture all necessary data in an appropriate form and flexible to enable reconfiguration in order to meet new reporting requirements. Translation of data collected into the appropriate form for information reporting requires detailed understanding of both the letter and the underlying intention of the relevant regulation.
A single owner for each report required should be responsible for ensuring specific compliance, accuracy and coverage. Governance mechanisms need to be established at each organization level to ensure compliance and quality control.
Senior executives and board members need assurance that the organization is meeting its obligations. The overall reporting framework and system needs to be monitored for performance and subject to independent risk analysis. Key risk and performance metrics should be used to monitor significant risk trends and the health of the control environment. Equally, regulatory feedback and reporting should be closely analyzed to confirm satisfaction and/or to identify evidence of potential shortcomings.
As with all critical business issues, the system and processes for regulatory reporting need to be dynamic and flexible, subject to some form of continuous improvement overview. This is all the more important in this case: first, because of the rate at which requirements are changing; second, because of the vital nature of compliance and the potential cost of failure. The continuous improvement cycle involves five steps (see Figure 1):
Given the scale of the challenge, it is understandable that many firms are looking to external specialist providers to take on some or all of their regulatory reporting obligations. Where a financial services firm has a shared service centre which is itself managed by an outsourced service provider, and through which most or all of the relevant data already flows, it can be a relatively simple step to extend the scope of the service to include reporting. Automation and the implementation of specialized regulatory reporting systems are a major growing trend, with companies such as Lombard Risk Management, AXIOM and FRS Global from Wolters Kluwer developing extensive market presence.
However, there are critical limits to the extent to which reporting responsibility can properly be outsourced. Crucially, the initial interpretation and analysis (cf Understanding above) has to remain in-house, as do the need for continued judgment and oversight and final responsibility for ensuring effective and efficient compliance.
Designing a complete framework for regulatory reporting which balances all the requirements is itself a complex and specialist task.
Regulatory reporting has become not only a major data management issue but a key strategic challenge. While the primary burdens fall on financial service companies themselves, all organizations involved in the industry, including regulators themselves, are struggling to cope. Surmounting the challenge depends on buy-in and support from the most senior levels of the organization and is likely to require investment of time and money in new systems, processes and operating models. However, successful firms will secure the benefits in terms of more efficient processes, lower costs and the flexibility and scalability to deal with future challenges.
KPMG believes there is also the potential for really smart organizations to go beyond this, turning the situation to their benefit, providing themselves with deeper insights into their market and clients and creating new sources of competitive advantage.
A growing burden in asian capital markets
The impacts of regulatory change on the reporting lifecycle are being felt particularly strongly in the Asia-Pacific region, where there are also heavy local reporting requirements. Very often, global cross-border regulations do not take into account the different reporting context in Asia- Pacific, and frame new requirements for a western environment, where the volume of regulatory reporting requirements is significantly lower.
Systems and process infrastructures in Asia-Pacific firms or branches/subsidiaries are often ill-suited to coping with the reporting burden. They have often been built in an ad-hoc fashion, mixing a wide range of local and global systems, across business lines. There are also a number of broader cultural constraints. In an environment that remains highly manual, the amount of time and effort spent on regulatory reporting in Asia is generally not properly assessed, and is often under-estimated. Cross-border activity can be less closely monitored and more difficult to manage, creating difficulties in satisfying local requirements in different jurisdictions.
All of this means that implementing effective governance frameworks to ensure the appropriate quality and extent of regulatory reporting is especially challenging. Banks in many Asian countries are facing heavy pressures from these changes in supervisory structures and from heavily increased reporting burdens. The numbers involved are huge: we estimate that a bank operating in the main Asian markets may have to submit more than 50,000 regulatory reports each year, which represents, of course, 50,000 individual potential points of failure.
Regulators struggling too
The massive increase in information reporting is not simply a burden simply for financial institutions. Regulators across the world are themselves struggling to cope. Commissioner Scott O'Malia of the US Commodity Futures Trading Commission (CFTC) recently said it needed drastic improvements in its technical capabilities in order to analyse the trading data it is now collecting in accordance with the Dodd-Frank Act:
"Since the beginning of 2013, certain market participants have been required to report their interest rate and credit index swap trades to a [Swap Data Repository] SDR. Unfortunately, I must report that the Commission's progress in understanding and utilizing the data in its current form and with its current technology is not going well. Specifically, the data submitted to SDRs and, in turn, to the Commission is not usable in its current form. The problem is so bad that staff have indicated that they currently cannot find the London Whale in the current data files... Solving our data dilemma must be our priority and we must focus our attention to both better protect the data we have collected and develop a strategy to understand it. Until such time, nobody should be under the illusion that promulgation of the reporting rules will enhance the Commission's surveillance capabilities."
Scott O'Malia, US Commodity Futures Trading Commission1
US OTC trade reporting: A specific challenge
In the wake of the financial crisis, there was a new emphasis placed on the potential risks posed by over-the-counter (OTC)-traded derivatives. The leaders of the G20 called for a determined effort to regulate global OTC derivative trading to mitigate systemic risk, improve market transparency and protect against market abuse.
Policy and regulatory initiatives have since followed a twin-track approach to ensuring greater stability: encouraging the migration of 'standard' OTC swap transactions onto regulated exchanges; and imposing new reporting, surveillance and oversight on the remainder. In the US, Title VII of the US Dodd-Frank Act – the section governing OTC derivatives – created a new regulatory regime for this previously unregulated market.
In the securities market, while ultimate responsibility rests with the US Securities and Exchange Commission (SEC), the bulk of the operational burden falls on the Financial Industry Regulatory Authority (FINRA), which regulates broker-dealers that operate in the OTC market. FINRA is the largest independent regulator of securities firms doing business with the public in the US, and is authorized by Congress to take action to ensure that investors are protected. FINRA oversees about 4,250 brokerage firms, about 162,155 branch offices and approximately 629,525 brokers.
However, the challenge posed by these numbers alone is far from the whole of the story. The scale of the task is vastly complicated by the fact that these complex transactions routinely cross borders, and are potentially subject to multiple and competing sets of regulations and regulators.
There is also continuing debate over how far the global reach of the US regulatory requirements should extend. A key issue was articulated most clearly recently by the SEC Chairman:
"...subjecting every OTC derivatives transaction that touches the US in some way to all aspects of US law – that is, the "all-in" approach – ignores the realities of the global marketplace. And yet, treating clearly different regimes as equivalent across all key policy areas risks will create regulatory gaps, regulatory arbitrage, and a potential regulatory race to the bottom."2
For the last decade and more, the imperative among equity market participants has been to pursue constant improvements in speed and access to markets. Trades and markets are highly automated, and react in fractions of a second. Capturing the massive amounts of data involved, at the required real-time speed, is a massive challenge.
For firms engaged in this market, there are comparable challenges in satisfying the increasingly demanding regulatory requirements. As the market has developed, IT systems and infrastructures have evolved, often piecemeal, to serve the prime focus on speed and access. They have rarely been built for systematic data collection and transfer. The blanket emphasis on trading as rapidly and as efficiently as possible has crowded out the scope for developing the systems needed for systematic regulatory reporting. This does not necessarily imply that there are many broker-dealers failing in their obligations. But the increasing pressure from regulators is leading to a constant series of low-level penalties for technical infractions.
As a general conclusion, current reporting systems may be increasingly unfit for purpose. Patching and mending will eventually prove inadequate. If the regulatory agenda is to succeed in its objective of increasing the stability of markets and electronic trading, many market participants will need to implement major systems changes. Among the most important challenges for firms is to put in place robust change management processes (rules and IT enhancements) and an equally robust testing program to continually monitor reporting against rules and requirements. Lastly, reporting and escalation to management on key metrics (volumes, errors, system issues, audit issues, late trades, etc) need to be incorporated into the governance processes to ensure efficient attention and the right tone from the top.
1 CFTC's Implementation of Dodd-Frank – Grading Agency Transparency, Keynote Address to SIFMA Compliance and Legal Society Annual Seminar, March 19, 2013
2 Regulation of Cross-Border OTC Derivatives Activities: Finding the Middle Ground, Elisse Walter, Chairman US SEC, American Bar Association Spring Meeting, April 6, 2013