An Integrated Solution
An integrated data reporting system is necessary to comply with regulatory demands in the current climate, argues Simpson, who notes that Cadis -- which has offices across the globe, including in London and New York -- provides this kind of system for financial institutions. "What we've seen in the past is that people put a Band-Aid on when every new regulation comes out to make sure they're compliant," he says. "But with the sheer weight of regulation now required, that model is not sustainable."
Integrated systems, Simpson insists, enable consistency, which in turn makes compliance easier. "Consistency is the word we keep hearing," he relates. "If you're running a treasury system in London, it should be consistent with what the accounting system in Sydney is running. That's what firms are going for, and getting that makes meeting the regulatory requirements that much easier."
One regulatory reporting area in which banks have been making significant changes is suspicious activity reporting (SAR), which comprises reports made by financial institutions to the Financial Crimes Enforcement Network (FinCEN), an agency of the United States Department of the Treasury, regarding suspicious or potentially suspicious activity. The agency will demand e-filing of all SARs by June 2012.
Banks also have been busy with new guidelines from the Federal Financial Institutions Examination Council (FFIEC) regarding online authentication and fraud prevention. The FFIEC is requiring financial institutions to implement multiple layers of online security, such as device authentication in addition to standard usernames and passwords. Layered security involves not only front-end authentification -- identifying the user -- but also back-end measures such as making sure payment activity is consistent in a given account. This is designed to reduce ACH, wire and other types of online fraud, according to the regulators.
An Opportunity to Consolidate
Dena Hamilton, manager of financial services solutions for the Americas for Detica NetReveal, a Guildford, U.K.-based security solutions provider for the financial industry, says the two new regulatory measures are forcing banks to rethink the structure of their businesses, and the new risk reporting standards required for compliance offer banks an opportunity to consolidate some internal functions. "From an industry perspective, this is causing convergence," she says. "They're causing banks to take a real look to try and decide, 'Can I run my fraud and compliance programs under the same person? Tech-wise, can I do that with one technology?'"
Banks can benefit from taking a single-platform approach to reporting so, for example, SAR reports can be shared between a bank's compliance and fraud departments, Hamilton explains. "It's all about operational efficiency and cost savings," she says. "Regulations are just bringing to the forefront all of these enterprise opportunities. The challenge is, before all these regulations, everyone went to a siloed or best-of-breed approach. I've always been a proponent of having a single platform, and having one enterprise management solution."
Eventually, Hamilton believes, that is the kind of model most institutions will embrace. "Not only will it be the regulations causing convergence, but it will create cost efficiencies and allow for streamlining of operations," she says. "It's causing people to look at the way things were done over the last several years."
Crumbling Under the Stress Test?
In addition to Dodd-Frank, regulators have implemented several pieces of guidance over the past year related to risk management, such as the so-called "stress tests" given to 19 banks and thrifts, each with more than $100 billion in assets, to determine whether they have enough capital to withstand an economy worse than presently anticipated. These banks have had to submit capital plans for review on a daily basis, and the Federal Reserve recently announced that it is requiring another 12 banks, all with total assets of $50 billion or greater, to participate in the stress tests.
Bernie Mason, regulatory relations liaison with the Philadelphia-based Risk Management Association, says federal regulators are expected to announce that they will conduct similar stress tests for smaller banks, though they won't be held to the same standards to which a Bank of America or Chase would be held. Still, Mason stresses, this could prove burdensome to community and small banks. "They don't have as much staff or resources to devote to this type of thing," he says. "There's some apprehension on the part of community banks about these stress tests being pushed down to them."
Banks both big and small, however, have made risk management more of a priority in the past few years, in light of the financial crisis and recent scrutiny on the industry, Mason acknowledges. "Most people argued that risk management was one of the deficiencies going into the crisis," he says. "The practice in banks now is to have a heightened focus on risk management."
That heightened focus has led to a bigger role for a firm's chief risk officer, notes Cadis's Simpson. "What we are seeing in our projects is that CROs now have a larger voice in the organization," he says. "Boards are giving them money and resources."
Ultimately, Simpson believes, the strict regulatory environment will make banks more efficient. "The regulations are definitely forcing through change -- sometimes quite painfully," he says. "But the industry will be better off when it's done."