Regulatory Change Management:

Transcription

1 Regulatory Change Management: the critical compliance competence

2 CONTENTS Understanding the Challenge... 3 The Context... 3 Current Methodologies... 5 How do compliance departments cope?... 6 The future of compliance management: a connected vision... 6 New approaches... 8 The Evolution of compliance Regulatory Change Management: the critical compliance competence September 2013

3 Understanding the Challenge Organizations are growing increasingly aware of the complexities of the regulatory environment in the aftermath of the 2008 financial crisis. A significant shift in the way that financial services and markets are monitored and regulated has led to various policies coming under review, tighter boundaries being placed around the regulated industries and the establishment of enhanced regulatory bodies. The international nature of the crisis prompted a global economic recovery effort. Regulated industries were tasked with providing greater transparency in their business processes, more scrutiny was placed on decision-making procedures and a tide of regulatory changes began taking on a cross-border dimension. The existing regulatory framework took on a more global dimension and changes to regulation became intertwined with several existing and new international policy changes. Over the years, the changes in the regulatory framework have continued to create a growing stream of new regulatory demands. The geographical impact of these regulatory changes has led to even more complexity and cross-border influences have brought about new challenges in the quest to remain compliant in an evolving regulatory landscape. This paper will examine the current approaches available to address the challenges posed by high volumes of regulatory change. It will also attempt to explain why ensuring that your company is compliant is not enough - a clear understanding of potential risks and an ability to capitalize on opportunities are becoming increasingly important. The context Keeping abreast of the significant volume and complexity of regulatory changes has become increasingly difficult. A new range of reviews, regulatory announcements, speeches, discussions and consultation papers, coupled with an ever-evolving regulatory scope, indicates that this growth in both volume and complexity will not decelerate. Organizations consequently face a challenge: an increasing gap between requirements and resources, compounded by risk management systems that are not equipped to handle the influx of regulatory changes, conflicting requirements and disclosure processes. Moreover, companies risk facing substantial fines and subsequent remedial costs if they do not remain compliant. A straightforward and transparent process needs to be developed to promote understanding around regulatory changes and to ensure that organizations remain compliant and do not become subject to enforcement action. With enforcements, depending on the fine, reputational damage can ensue, and the regulatory agency will impose that the organization fix the problem by completing a remedial action within a set period of time - or face further penalties. Below is an infographic that displays the impact of fines on various Tier 1 financial institutions. 3 Regulatory Change Management: the critical compliance competence September 2013

4 A SELECTION OF THE BIGGEST BANK FINES IMPACT BANK FINE (IN $ MILLION) REASON YEAR HSBC 1,920 Money laundering lapses ING 619 Anti-sanctions Barclays 451 Libor** Manipulation Standard Chartered 340 Money laundering/ counter terrorist financing JPMorgan 270 Misleading investors Royal Bank of Scotland 138* Libor** Manipulation 2013 Credit Suisse 120 Misleading investors Prudential 47* Failure to report acquisition 2013 UBS 15* Suitability Failings 2013 Lloyds Banking Group 7* Complaints handling (PPI) 2013 Sources: Reuters, US Treasury, US Department of Justice, SEC, NYDFS, UK FSA *Fines: Amount approximated based on current exchange rate 12/09/13 **London interbank offered rate Resources and budgets are under scrutiny and developing an automated process of tracking and dealing with regulatory change enables organizations to improve efficiency and focus on understanding and analyzing the impact of change on their businesses. An automated approach is, by nature, less manually intensive and helps to minimize errors. The use of automated processes is also less protracted, enabling organizations to understand the risks they face ahead of the curve and ensure that opportunities that may be developed out of risk are not overlooked. Many organizations currently use disparate systems to monitor regulatory change across industries and geographies, which can lead to a lack of consistency in data and/or methodology. This detracts from the organization s ability to share, analyze and report on the risks impacting the business, and to effectively communicate this across multiple stakeholders. In the wake of the financial crisis, accountability has increasingly shifted to senior management and the board, who are held responsible for all activities and decisions within their organizations. Management and boards in companies with an international presence are finding that they have to deal with monitoring a complex level of cross-border activity. Consequently, many global compliance departments are now seeking a way to track regulatory compliance information and align the multi-jurisdictional rule changes with internal policies that have more automated 4 Regulatory Change Management: the critical compliance competence September 2013

5 than traditional, manual approaches, as a way of reducing the compliance risk facing management and the board personally. For example in the UK, an approved person is also a requirement under the new regulatory regime (Financial Conduct Authority and Prudential Regulation Authority). This places further accountability on a specific member of senior management to ensure compliance with new, updated or existing regulations. Current methodologies Compliance plays a critical role in bringing the lessons and findings of high-level recommendations to institutions and - where appropriate - in taking them to an operational level. Responses, however, are not always obvious or simple. For example, data that is derived from rule changes to official legislation on anti-money laundering and bribery - such as Sarbanes Oxley legislation, Dodd-Frank Wall Street Reform legislation, FATCA, the UK Bribery Act 2010, the US Foreign Corrupt Practices Act, AUSTRAC rule changes, and ongoing revisions to EU anti-money laundering laws, among others more directly related to parts of the business or individual skills employed within it - needs to be collected, analyzed and disseminated in a usable form across large organizations. These regulatory changes need to be examined both in terms of their long-term and their immediate impacts. While the test for short-term impact hinges on the rate of change to the compliance system to ensure that it meets statutory or other specifications, the test for longer term impact is evidence of change in organizational behaviour to reflect the wider market or other conditions. A poorly executed compliance approach whether in the form of inadequate collection, inaccurate interpretation or a failure of implementation has resulted in record fines for criminal breaches on both sides of the Atlantic. Examples include the $1.9bn imposed on HSBC for its money laundering breaches in Mexico and the $340m imposed on Standard Chartered Bank for its illegal trading with Iran. Regulatory offences are no less heavily punished, as Barclays Bank discovered when it was fined $451m in by UK and US regulators for offences related to the London Inter-Bank Offered Rate (LIBOR) scandal. Organizations cannot continue to resist the new regulatory framework on policy changes and they cannot afford to mismanage the regulatory change management process. The stakes are high: companies can succeed or fail based on the strength of their regulatory data management. The risk of reputational damage with current clients, prospective clients and the market is also of concern, and, in worst cases scenarios, mismanagement can lead to prison sentences or loss of license. The activities of political and other external bodies are adding an increased amount of information to the compliance burden. Since the behavior of financial institutions has become a matter of increased public interest on a global scale, many regulatory authorities have put forward new regulatory concepts with a view to ensuring that previous problems do not recur. For example, a proposal of the recent UK Parliamentary Commission on Banking Standards, published in June 2013 in an article entitled Changing Banking for Good, suggested that a criminal offence of reckless management of banks should expose directors to custodial sentences. The report said, The Commission has concluded that there is a strong case in principle for a new criminal offence of reckless misconduct in the management of a 5 Regulatory Change Management: the critical compliance competence September 2013

6 bank. The Commission s wider findings have implications for the regulation of all financial players, as they focus on bonus payments, a new Senior Persons Regime and Board as well as director obligations. The implications for boards of directors and senior managers is clear: compliance risks must be managed appropriately for the business, through a more robust approach to regulatory change management. By harnessing a wide range of relevant information for analysis, compliance departments will find they have greater insight into not only the changes that their organization needs to make to minimize compliance risks, but gain insights that can flow into the business s strategic planning and operations activities. How do compliance departments cope? Faced with a tsunami of regulation, companies can either respond by ticking the boxes and regarding the job as done, or they can seek to understand the long-term implications of change for their organizations and instill a culture of compliance. Since the range of data available can help to drive effective business decisions, it is important that the vast sources of information relevant to compliance are filtered and that key areas of concern are highlighted. This helps to ensure that gaps in how the organization manages and controls risk are identified, while also enabling the business to consider how compliance considerations can be better taken into account in strategic planning. In an effort to equip highly regulated firms with the necessary tools to understand, evaluate and manage regulatory change, the traditional method of tackling regulatory change has shifted to an approach that connects policy and risk in a centralized location. The ability to manage regulatory obligations and organizational processes in a connected, simplified way can equip an organization to better manage its risk appetite. Mapping regulatory changes against an organization s internal policies and compliance business workflow processes provides transparency to enable senior management and board decisions based on a clear understanding of risk. This new approach to regulatory change management helps to improve workflow, enables companies to spend more time ensuring that their businesses are compliant and ensures that policies and controls are properly communicated throughout the organization. With the move to digitization, highly regulated industries can also create different modes of assessments or exams. This consists of a testingbased approach where compliance processes and controls can be evaluated. There is also a structured approach, which involves a work paper-based examination where an investigation team can modularize the exam approach to plan and execute investigations based on risk, cycles and special requests. The future of compliance management: a connected vision The view on how a large influx of data relates to regulatory change has evolved: an organization s internal and external sources of content and data are now being looked at from a new angle to help compliance executives uncover patterns, trends and insights, while the speed at which this information is processed helps to drive business value. This connectivity gives organizations a competitive edge, since it provides a centralized platform which offers visibility across all of the company s silos and consistent terminology and language, whilst feeding relevant data to appropriate departments. 6 Regulatory Change Management: the critical compliance competence September 2013

7 The current large flow of regulatory data has threatened to overwhelm some compliance departments. If this data is managed appropriately, however, it benefits the user by providing further context on regulation changes affecting the organization. New trends in data analysis also add some scale to the data in an efficient and cost effective manner and enable organizations to gain insight in to how the data is being applied by end users across the business. In turn, the organization can identify how different parts of the company interact and investigate whether the regulation has an impact on lines of business. Big Data Analysis Data analysis is the next frontier in tackling large regulatory information sets. It aims to help organizations drive business value from data and to capitalize on increasing innovation and productivity in their businesses. The future of regulatory data analysis looks to align the different functions of governance, risk and analysis and offer organizations a more connected approach. A key benefit is that it will render regulatory information simpler and more transparent at a superior frequency. With this approach, the organization can combine relevant information, develop a consistent methodology and terminology to be used cross functionally within the business, and offer a more holistic view on key risks (whether financial, operational, IT or HR in nature) across departments. The Data Management Evolution Compliance data management is evolving to take the complexities of the volume, variety and veracity of regulatory information, and scale and segment this information in an efficient and re-usable way. This approach to data management also helps organizations achieve a deeper understanding of the regulatory changes affecting day-to-day business processes and complements their existing infrastructures, while offering the possibility of predictive analysis. The mapping of regulatory information against the organizational chart provides a visual representation of compliance risks and enables organizations to look at possible opportunities based on historical data, content and new rules. Individual compliance taxonomies can be filtered to the preferences of individual stakeholders needs. Compliance executives can either explore the potential of the opportunity for leverage or gain a better understanding of the risk to which the organization may be exposed. Taxonomies for effective data management Comparisons between data sets give managers a market tool for assessing competitiveness in markets, product sectors or business lines and enable them to conduct controlled experiments that enable better management decisions. Data that appears to be limited to ensuring that an organization is narrowly compliant with particular regulations or laws can, in fact, become a tool for enhancing operational efficiency. Such data can assist in developing strategy, as organizations adapt information to their business purpose. This is where taxonomizing regulatory data and connecting it into the key risks that impact organizations in their particular jurisdictions is vital. Taxonomized information has become measurable and is no longer viewed as subjective. The use of taxonomies enables organizations to visualize the long-term implications of a regulatory change by linking to and analyzing a number of similar events, statements or changes. The use of different levels of taxonomy is meant to help separate risks: if tagging is done efficiently, it will allow for data to be retrieved quickly and efficiently, an important element in ensuring that data is sent to relevant departments in real-time. 7 Regulatory Change Management: the critical compliance competence September 2013

8 New approaches Organizations that automate regulatory data, apply taxonomies, and map both to their business structure are finding it is transforming their compliance efforts. These organizations are able to then distribute regulatory change information to appropriate stakeholders in their organizations, determine what actions need to be taken, and track the completion of those actions. The ability to intelligently organize regulatory data and accurately direct it to relevant staff and stakeholders, while also embedding the data to assess responses and applicability, is key. The information needs to be presented in a form that: relates to the structure of the organization focuses on the goals of the relevant department assists in decision-making When regulatory data has been operationalized, recipients are restricted, to ensure both confidentiality and efficiency. In other words, if information is not relevant to a user, they will not receive it. Data becomes executable when it has been taxonomized. Decisions based on quantified MAPPING YOUR BUSINESS Rules Regulatory Events TAXONOMY Geography: X Sector: X Themes: X Geography: X Sector: X Themes: X BUSINESS UNIT United Kingdom Retail Brokerage Division Institutional Securities Division Fixed Income Division Owner: John Smith Asset Management United States Retail Brokerage Division Institutional Securities Division Fixed Income Division Asset Management China Retail Brokerage Division Institutional Securities Division Fixed Income Division Asset Management SUBJECT Accounting and Tax Accounting Auditing Financial Reporting Tax Bank Powers and activities International licensing Capital Capital Requirements Credit rating agencies Directives Reserving Solvency Securitisation RULES FSA Handbook Principles for Business (PRIN) Current Waivers PRIN 1. Introduction PRIN 2. The Principles PRIN 3. Rules about application PRIN 4. Principles: MiFID business POLICIES Fixed Income Division Policies Capital Requirements Policy Policy A Policy B Policy C Policy D Policy E 8 Regulatory Change Management: the critical compliance competence September 2013

9 and taxonomized data are reached more quickly and reflect a large number of sources, so data analysis geared to cross-border or crosssector compliance can isolate differences and anomalies. The analysis of regulatory activity in advance of making an investment in a foreign market provides a key pointer to latent risks that can be pre-empted. For example, a company examining two possible options for an overseas investment may select one over the other after analyzing and comparing the jurisdictions records for tough policing of internal tax and expense allocation policies. The critical value of intelligent regulatory analysis is demonstrated at the highest level of corporate policy-making. The Evolution of compliance Technology has the power to raise the authority of the compliance department within an organization. Compliance taxonomies can knit together legal, security and HR data sources. This cross-disciplinary analysis is seen as such an important Board resource that in some organizations, senior compliance officers are appointed to Board level on the strength of it. The independence of compliance from operations necessary to take it outside dayto-day pressures for profit making gives it additional authority. There is currently a growing need for a compliance audit function to monitor compliance frameworks ahead of internal audit reviews. Whether it is compliance reviews or some other form of scrutiny, it is crucial to have an active review function within the compliance department. Compliance will, in some circumstances, be used to review the entire internal regulatory framework in advance of a review by internal audit. Such a compliance review assesses whether appropriate policies and controls are in place and are adequate to address business risks. If they are not, the review can propose a route to rectify shortfalls ahead of any other investigation of the compliance group. Compliance departments are at the sharp end of a data revolution. Responding to the tsunami of regulation much triggered by the financial crisis and global concern about the management and organization of companies compliance officers are rapidly adopting the latest technologies. Company management teams realize that failure to invest in the best compliance technology can come at high cost. Those that take the plunge and make the investment will realize not only that they have a more efficient compliance process, but also that they have opened up opportunities to enhance the corporate bottom line. 9 Regulatory Change Management: the critical compliance competence September 2013

10 THOMSON REUTERS ACCELUS The Thomson Reuters Governance, Risk & Compliance (GRC) business delivers a comprehensive set of solutions designed to empower audit, risk and compliance professionals, business leaders, and the Boards they serve to reliably achieve business objectives, address uncertainty, and act with integrity. Thomson Reuters Accelus connects business transactions, strategy and operations to the everchanging regulatory environment, enabling firms to manage business risk. A comprehensive platform supported by a range of applications and trusted regulatory and risk intelligence data, Accelus brings together market-leading solutions for governance, risk and compliance management, global regulatory intelligence, financial crime, anti-bribery and corruption, enhanced due diligence, training and e-learning, and board of director and disclosure services. Thomson Reuters has been named as a category leader in the Chartis RiskTech Quadrant For Operational Risk Management Systems, category leader in the Chartis RiskTech Quadrant for Enterprise Governance, Risk and Compliance Systems and has been positioned by Gartner, Inc. in its Leaders Quadrant of the Enterprise Governance, Risk and Compliance Platforms Magic Quadrant. Thomson Reuters was also named as Operational Risk Software Provider of the Year Award in the Operational Risk and Regulation Awards For more information, visit accelus.thomsonreuters.com 2013 Thomson Reuters GRC00525/9-13