Cost of Compliance
The cost of compliance does still seem to outweigh the prospect of facing a regulatory fine and associated reputational damage. Adherence to regulatory requirements does not necessarily equate to increased revenue and better bottom lines. This may go some way to explaining why there is still perceived resistance when trying to secure budget for regulatory initiatives in comparison to revenue generating projects. It will be interesting to see the impact of the extension on the Senior Managers and Certification Regime (SMCR), and how the prospect of being held personally accountable will help to drive up client protection and regulatory adherence, rather than satisfying shareholders’ expectations.
Regulators themselves do not always get things right first time. Only recently, the Financial Conduct Authority (FCA) had to suspend receiving data into their Market Data Processor (MDP) in respect of MiFID II Transaction Reporting. The issue appeared to be that too many files were being received at one time, and the sequential processing of these files was not operating correctly.
In addition, the implementation of MiFID II has resulted in some changes in respect of CASS. Organisations may find this a little surprising given that CASS itself went through a major overhaul, as a result of policy statement PS14/9 ‘Review of the Client Assets Regime for Investment Business’. Although there is a tenuous link to regulators not getting things right first time, this highlights the speed of change that organisations are facing.
Organisations therefore need to be able to respond to last minute changes to regulations both from an interpretation perspective as well as ensuring such changes can be implemented. The more flexible and adaptable an organisation’s reporting tools are, the better placed they will be to react to such change.
A robust governance framework has a large part to play in regulatory reporting and on-going compliance. Key governance components include culture and behaviours, policy and procedures, systems and controls and assurance. The final output is of course regulatory reporting but the journey to get there can be long and winding. Can an organisation link their regulatory rules to their processes, to their controls, to their roles and responsibilities and to their risks? Does an organisation have senior management oversight and controls in place, are there clear lines of sight and delegation, and is compliance embedded in culture and behaviours? These are tough questions which are particularly difficult to address in larger, more siloed organisations. However, the SMCR or accountability regime, as it is commonly referred to, will refocus attention.
Data is ‘King’
The reality is that many organisations are typically faced with multiple different systems that do not talk to one another and multiple different data feeds in different formats with spreadsheets and macros thrown in for good measure. This is not necessarily a criticism – it is no mean feat to be able to extract, amalgamate and consolidate data from core systems, whose primary purpose is not to support regulatory reporting.
These systems are designed for operational purposes, albeit the data contained within them is required in some way, shape or form to satisfy regulatory reporting requirements. However, without automated control frameworks and reporting solutions, organisations are typically faced with manual financial control processes, many interfaces both internal and external, more manual intervention, in particular as volumes grow, and the perception that regulation is an increasing burden. None of these attributes support the notion of robust systems and controls, or indeed a good governance framework.
Therefore, there is now not just a real need, but a real desire by firms to automate their reporting regimes, not only fuelled by the complexity and speed of change of regulations, but also by the increased interrogation from external auditors as well as regulators. The FCA, for example, expect better record retention and record keeping to drive up client protection in respect of client money and custody assets. CASS auditors are now looking more closely at systems and controls, in order to see if they are fit for purpose.
In AutoRek’s experience, regulatory reporting submissions are only as good as the data they contain. Constant activity is needed to have confidence in submissions: formal preparation, robust submission, comprehensive sign off and approval, and on-going maintenance and review are some of the key components. In summary, it’s the linking of the regulations to processes, to controls, to roles and responsibilities and to risks, all of which are underpinned by robust, automated control regimes, data validation and integrity and comprehensive audit trails. Overall this will give you confidence in your regulatory reporting and ongoing compliance. To end on a slightly brighter and perhaps idyllic note, could we dare dream that one day no new regulatory reporting requirements will be proposed until the economy stabilises, and regulators align? Perhaps this is a step too far, but one thing we know for sure is that regulatory reporting and the challenges that go with it are here to stay.