03:17 PM
Holistic Compliance
When Jay Cohen, vice president and chief compliance officer at MONY Group - a diversified financial-services company - spoke at this fall's InformationWeek conference on compliance in financial services, he enumerated a laundry list of IT projects on his firm's agenda.
Heading up that list were: spending on Sarbanes-Oxley, enhancing surveillance technology to keep track of all sales practices, anti-money-laundering compliance, privacy and security technology, as well as e-mail supervision and retention issues.
"Yes, I spend a lot of time with my CIO these days," says Cohen, a former prosecutor who is responsible for preventing illicit activity in the firm's retail brokerage, mutual-fund and insurance businesses.
It's no secret that financial-services firms like MONY Group are grappling with requirements to comply with multiple regulations. According to a recent compliance study conducted by the InformationWeek Media Network: 81 percent of the 36 securities and investment firms interviewed are taking steps to comply with SEC Rule 17a-4 regarding retention and surveillance of e-mails and instant messages; 72 percent are addressing the USA Patriot Act; and 62 percent are dealing with the Sarbanes-Oxley Act, which requires the certification of financial controls and the integrity of data impacting financial statements.
But if financial-services firms are so busy coping with a bevy of urgent regulations, why are they buying one-off technology solutions?
Pundits suggest there is some commonality in this myriad of regulations, and thus firms should take a more holistic approach to compliance.
One analyst contends brokerage firms are manifesting "a fire-drill mentality" when it comes to implementing compliance technology, where they could be investing in strategic initiatives. "When you look at these (regulations) and you recognize the impact of all this together, it becomes more and more evident that a holistic approach is the only way to go," says Robert Iati, director of the Securities and Capital Markets Practice at TowerGroup, a Needham, Mass.-based research and consulting firm.
Rather than develop or purchase piecemeal technology solutions to address each regulation, Iati and other experts say it makes sense for securities firms to develop a global-compliance architecture that cuts across all the data, workflows, processes and controls that underlie a firm's business.
Even though "Sarbanes-Oxley is a general-ledger-type requirement, while USA Patriot Act is customer-identification and transaction based, they all roll up a couple of levels into the same bucket," says Iati. All compliance is based on historical data that is comprised of transactions and customer data, argues Iati. "The core of what's needed is data, which reverts back to an architecture that allows you to extract data and add rules to it."
Today, that is not the way it happens. Instead, each time regulators knock on the door, the head of compliance confers with the CIO, who has to figure out what to do.
To beat the deadline, firms are taking a reactive approach. "These regulations are coming down so fast, and with very urgent timeframes, that you have to respond very rapidly and quickly," says the CIO of a retail-brokerage firm, who requests anonymity.
Firms need a two-pronged approach to compliance, the CIO says. The first is reactive and the second is a strategic view.
In the long term, since firms know that more regulations are going to surface and more compliance situations will arise, firms ought not be more reactive, the CIO says. "You end up incurring more costs, you end up needing consultants to come and the vendors have got you, and they're not flexible in negotiating."
Compliance is already consuming a higher percentage of Wall Street's IT budgets. "Compliance systems are certainly chewing up more of my budget than they have in the past, but just not with SOX alone, with others as well," says Richard Rzasa, vice chairman and CIO of Technology Solutions at TD Waterhouse.
This year, brokerage firms are expected to spend from 8 to 12 percent of their IT budgets on compliance technology, up from 6 or 7 percent previously, estimates TowerGroup.
Common Denominator: Data
Knowing that more regulations are coming down the pike, "You start building a data warehouse or repository or a place that you can very quickly mine the data, and either report on it or monitor it to just comply with the regulations," says the CIO, who requests anonymity. "The information is client information and transactions, and if you capture all of these, it's just a matter of how they want it reported or monitored." By that, he explains that even though regulations such as the USA Patriot Act and SEC Rule 17a-4 are different, there's enough commonality across the regulations to warrant this approach.
Firms can also use their customer-relationship-management system as a repository for client information and transactions, including cash inflows and outflows. This sounds easy, but it assumes a firm can find all the information and pull it together. What happens if the information the compliance officer needs resides in disparate systems or with different companies?
For instance, MONY is required to conduct sales-practice surveillance on its brokers and insurance agents. One rep may be purchasing mutual funds for the customer or purchasing annuities, while purchasing mutual funds for the same customers from a company outside MONY. "We need a complete picture of his relationship with one of our customers," says Cohen.
A lot of the data that MONY needs is in different areas of the company. "It's similar to doing anti-money laundering, suitability compliance or market-timing compliance," says Cohen. "In order to be able to do all those things, we need to look at all of our information, not just separately," he says.
The same holds true for anti-money laundering. Broker/dealers have to pull together all customer data across product silos and look for patterns of suspicious activity.
Lehman Brothers worked with Actimize to develop a system that helped it create a customer-identification program (CIP). "The money-laundering surveillance that we have in place basically hooks into all the firm's systems, so it tracks all activity without regard to product," says David DeMuro, managing director of global compliance and regulation at Lehman Brothers. "Actimize taps into every one of our data sources," he adds.
Ivy is Editor-at-Large for Advanced Trading and Wall Street & Technology. Ivy is responsible for writing in-depth feature articles, daily blogs and news articles with a focus on automated trading in the capital markets. As an industry expert, Ivy has reported on a myriad ... View Full Bio