How can banks optimise regulatory compliance and everchanging rules? Instead of an ad-hoc and piecemeal approach, regulatory compliance challenges can be addressed by an "optimised" parallel approach, which takes advantage of common business and processing traits across multiple regulations.
Banks and financial institutions today are facing a multitude of regulatory agendas and increasing levels of onerous compliance requirements by regulatory bodies and central banks around the world. It has been noted that the financial services industry as a whole is facing significant scrutiny from regulators, professional bodies, central banks, standard setters and so forth. In the US, these include, but not limited to, BASEL II, Dodd-Frank, Sarbanes-Oxley, New York Stock Exchange requirements, and many more.
In Malaysia, the expanding universe of regulations that may impact banks, in one way or another, include those from Bank Negara Malaysia ("BNM"), Suruhanjaya Syarikat Malaysia ("SSM"), Suruhanjaya Sekuriti ("SC") and Bursa Malaysia ("Bursa"), just to name a few. From the regulations perspective, BNM is the prudential regulator of the Malaysian financial services industry that promotes financial sector stability through the progressive development of sustainable, robust and sound financial institutions and financial infrastructure. Some of the legislations that apply to BNM's activities include the Banking and Financial Institutions Act, Hire Purchase Act, Insurance Act, Exchange Control Act, Anti-Money Laundering and Anti-Terrorism Financing Act, and so forth. Laws administered and enforced by SSM range from the Companies Act to the Registration of Businesses Act. SC oversees the compliance of reporting entities, with their requirements under the Capital Markets and Services Act, Securities Industry Act, Futures Industry Act, etc.
While experience seems to appear that many banks and financial institutions address regulatory issues "as they come" and in a serial manner, the regulatory compliance challenges could be addressed by an "optimised" parallel approach, which takes advantage of common business and processing traits across multiple regulations.
Developing a Portfolio of Regulations Impacted
A bank or financial institution must first identify a portfolio of the multiple sets of regulations by which they would like to validate in their optimisation model. By developing a compliance portfolio of regulations, the bank can have a definitive view of what regulations it needs to comply with. The next step is to use this portfolio of regulations or requirements (which can be as big as a dictionary) for further analysis by mapping against similar regulatory requirements within the portfolio itself to identify commonalities.
For illustration purposes, let's use a simple example and take one of the requirements from a privacy law that a bank needs to comply with. A typical Privacy Principle might say “Privacy Officer required….” whereas various country regulations might say that there needs to be a “data custodian”, or an “individual assigned responsibility”, etc. The bank needs to recognise how to characterise these regulations, no matter what language it is, and to identify commonalities across regulations that the bank needs to comply with.
Banks need to understand all regulatory impacts and develop a common process management, as well as having an in depth understanding of what the bank is already doing or has done to date to meet those regulations. Does the bank have sufficient internal policies in place to meet, say, 50 requirements of a "secrecy" regulation and 160 requirements of internal controls required by one of the BNM's circular/guideline? Are there any commonalities between say Requirement No. 31 of the "secrecy" act and Requirement No. 77 of the internal controls framework where the Bank could optimise efforts of compliance and the level of work performed?
Compliance Convergence and its Sustainability
Many current regulations have common risks and control objectives that are well suited for an integrated compliance approach. Combining risk and compliance needs that focus on the changing regulatory landscape, organisations should identify these converging compliance threads and trends, and design an effective strategy to harmonise their remediation initiatives and integrate their compliance and control activities.
Most banks are impacted by a multitude of regulatory compliance mandates as part of their normal business activities and many have had to deal with a number of new regulations recently (for e.g. Foreign Account Tax Compliance Act in the US, Data Protection Act in Malaysia, International Financial Reporting Standards, etc), with emerging requirements still expected. While the resulting compliance efforts and costs can be a significant operational and productivity burden, banks could view both the benefits and value of having an integrated compliance approach with an opportunity to transform the regulatory compliance processes that have long been taken care of by checklists, manual worksheets and forms.
Banks need to further understand and address this challenging regulatory environment, and move from a regime of unique compliance initiatives for each new regulation, to a more sustainable, cost-effective, integrated framework capable of addressing current and emerging mandates.
Identifying how commonality can be achieved is a formal process that must be centrally managed and should be looked at from both the systems as well as the regulations perspective. Commonality should be defined both at the regulation level – top down approach and the data/systems level – bottom up approach.
At the regulation level, core detailed regulatory requirements are usually managed within a facility, with the help of IT or a tool. Where existent, the bank's previously populated regulations or detailed compliance checklists can be utilised in this effort. Common functional aspects of regulations are extracted, registered or defined in a lexicon, modelled and certified as common by interpreting those regulations. This can be performed by the bank's compliance team or with the help of external regulatory experts. In doing this, the bank needs to know the means of first identifying the core functional components of a regulation, whether from a top down or bottom up perspective.
At the data and systems level, by working with a conceptual architecture, high level modules, data and processes can extracted with the help of the IT team. Modules, data and processes are extracted, registered/defined in the lexicon, modelled and certified as common. Top down and bottom up common components are modelled and rationalised, and commonality certified while detailed data are defined for common components. Once related systems attributes are defined for a given regulation, those systems characteristics can also be analysed to identify commonality attributes. Again, this can be accomplished by the bank's compliance team with the help of IT personnel or external consultants.
Sarbanes Oxley ("SOX") 404 – Internal Controls documentation and assessment requirements under SOX can be implemented without introducing needless duplication of previous efforts, by identifying commonalities and using an integrated compliance approach.
Anti-Money Laundering ("AML") – Current and emerging regulations stemming from legislation such as the US Patriot Act and similar European 3rd Directive (including enhanced CIP/KYC), challenge many organisations to deal with differing interpretations of risks but essentially, similar risks and control objectives exist and can be dealt with in a consistent and sustainable way.
Banks and financial institutions must take action now to improve compliance practices and hopefully this article can help compliance professionals to start thinking into identifying the areas that a bank's compliance programmes should cover and how to optimise those compliance needs. I certainly view regulatory compliance as a mandate and regulators will expect full compliance with all the rules and regulations they administer and enforce. Banks and financial institutions should view regulatory compliance as an opportunity to take a fresh look at their existing compliance programmes, and to re-tool and to adopt state-of-the-art new procedures and processes designed to ensure that they are compliant with laws and regulations.
Whatever the process that is ultimately developed by a bank, that process needs to be sufficiently scalable and responsive to address additional requirements. This is simply because regulations are changing all the time and new regulations might be in force or new requirements are constantly being implemented by various regulators.
The views expressed in this column are the author's own and do not necessarily reflect this publication's view, and this article is not edited by Asian Banking & Finance. The author was not remunerated for this article.
Do you know more about this story? Contact us anonymously through this link.