
Banking Innovation: A Case for CaaS (Compliance as a Service)

by internationalbanker

By Ramakrishnan Natarajan, Managing Consultant, iCreate Banking Decision Enablement Systems


It’s an established fact that changes in the banking industry are driven by fluctuating customer needs. Moreover, the regulatory environment globally is not only undergoing immense changes, but is also unclear on several aspects, owing to the varied perspectives of the different regulators and governmental institutions overseeing banking operations.

Adding to this, the economic environment in the aftermath of the 2009 crises has not entirely stabilized. Clearly, banks trying to survive through all this need to be agile, i.e. be able to respond to changes in all of these aspects, both quickly and effectively. Quickly – because otherwise, they incur steep costs, and effectively – because the competition has scaled due to consolidation (in the industry) plus the entry of non-traditional banking firms (who are not burdened by legacy hindrances).

Banks that will triumph over the odds are the ones that refocus on their core competence, i.e., serving the customers’ financial requirements in the best/quickest manner possible, irrespective of the environment or competition. The banking organization needs to be able to react efficiently in order to align well with the customers.

While banks aggressively pursue the ubiquitous ‘customer-centricity’ goal, all other activities should be operationalized and automated wherever possible, as long as there are sufficient levers to control/monitor the processes. These include Administration, IT, Compliance, Reporting, Audit, AML and Risk Management. Business model transformation and adoption of innovative technology are two levers, which when used in the right blend, can enable banks to achieve their goals faster in a difficult environment.

Regulatory Compliance: A Perpetually Evolving Landscape

Banks globally have gradually come to terms with the new reality of continuously changing regulatory conditions. On average, about 100-odd ‘alerts’ are issued by regulators every day. This is an astonishing number, and the conventional approach of leaving this overwhelming task to the compliance department is very soon going to be impossible. It is no longer going to be the last-minute scramble that banks used to grin and bear grudgingly and somehow get over with. Add to this the varying quanta of penalties for non-submission or delayed submission of reports, as well as for inaccuracies (some of them accidental). This is not a local phenomenon restricted to a few nations – research shows these changes are happening globally and (more alarmingly) growing globally.


















However, it is interesting to note that across these countries, the data required by various regulators has not changed in nature, except that today the level of detail required by the regulators has increased exponentially. Topics that have been (and will continue to be) the concerns of regulators can be bucketed under the following areas for a bank. By extending the data model carefully with multiple reviews to ensure coverage of all the required data elements, banks can manage the changes mentioned above for each of these areas under global regulatory reporting.

Some of the possible solutions for getting on top of this dynamic scenario are:

• Build. By rallying capabilities in-house to develop and deliver a solution aligned to Regulatory reporting. This has 3 parts to it – (1) the Report tracking/analysis team, (2) the Report development and deployment team and (3) the Users for testing. Plus, a meticulously devised reporting strategy can ensure that Compliance stops being a concern. However, this comes with a steep price tag – of the hardware and software required for the implementation.

• Buy. Numerous ‘ready-to-deploy’ products are available that provide country-specific reporting packages, with vendors who help the bank implement them. But the ongoing regulatory tracking component still needs to be managed by the bank. Also, the investment in hardware is still a significant cost component.

• Compliance as a Service. A relatively advanced option, where the bank gets to use the reports as and when required. With just a one-time data extraction fee, the bank is able to comply with regulatory requirements for just the reports that are required. However, the bank needs to understand that this is a hosted solution in a public cloud and data security is dependent on the quality of security of the vendor providing the hosted cloud. While there are costs associated with data usage, they are only a fraction of the hardware investment in the build option. Regarding security, there have been tremendous technological advancements by prominent cloud providers and banks can today trust the security of cloud hosted applications with data, as encryption occurs at all levels of storage. Other aspects of this option are –

Automation. With respect to regulatory compliance, there are 3 key components a bank would need to optimize –

  1. Data Acquisition and Integration
  2. Data Storage and Management
  3. Data Usage and Submission

Data Acquisition and Integration. One of the major concerns facing a bank when trying to integrate data or build a reporting Data warehouse is the proverbial ‘single version of truth’, i.e. to be able to precisely pin a particular value to any metric to be reported or analysed. Factors contributing to this seemingly simple-to-solve problem are –

  1. Multiple siloed systems being used by multiple lines of business (including Corporate Finance)
  2. Manual storage and maintenance of data due to absence of standard storage mechanisms like databases or the long turnaround time for application deployment for automation software processes by IT
  3. Multiple levels of manual adjustments leading to utter confusion on the reasons attributed to these changes and absence of ownership of adjustments at any level.
  4. External data sources including Regulatory bodies and Rating agencies and absence of integration of this data into existing systems.

Data Storage and Management. When it comes to data storage, the most important questions are related to cost and security of the data. Of course, there are multiple considerations in this regard such as hardware considerations, scalability, business continuity, etc. But all these roll up to either cost or security and are generally dependent on the size and scope of data. In turn, these are dependent on the size and scope of the bank’s business. A few key questions in this regard are –

  1. How do we ensure security of data and tightly control access to the data, while at the same time ensuring there’s enough data for the business to utilize (thereby making it agile and effective)?
  2. How much do we invest in hardware infrastructure, given the uncertain growth environment, where one can’t predict the data needs of even the next year, let alone predicting it for the next 5?
  3. If we have already invested in storage, what do we do with the additional resources available with the bank to deploy them effectively, to ensure maximum ROI?
  4. How do we ensure that all the required data is stored and a bit of what is not required is also stored, in order to be able to respond to changing data needs by the business?
  5. What is the plan B to ensure no loss of data in case of an event, and what are the security features that need to be implemented for this data?

Data Usage and Submission. Regulators across geographies have been in hyperactive mode for the last few years. They have issued new, revised or expanded regulatory guidelines or are in the process of doing so (along with detailing the steps for implementing these new guidelines). Also, these regulations have spread their scope from the banks’ corporate finance divisions to other divisions, including lines of businesses such as Cards and Online banking. A bank, whatever its size, needn’t be concerned with these changes and can take steps in the right direction, key considerations being –

  1. How to keep track of the various regulatory changes across multiple regulators and activate implementation across the bank?
  2. How to ensure that all deadlines are met, and resubmissions are taken care of without the need to fight fire every time there’s a submission?
  3. How to enforce the review process during submission and track the same centrally?
  4. What are the output formats that need to be supported (Excel, PDF, XBRL, etc.) to close out the submission quickly?
  5. What are the storage and archival needs for various reports?

Possible Solution Options.

1. Compliance as a Service (CaaS). Cloud computing has already begun transforming many sectors, and banking needn’t be an exception. Cloud technology has multiple secure deployment options that can help banks develop new products and service offerings, enable easier collaboration and improve time to market—all while increasing operational efficiency. For almost a decade now, banks have been contemplating investing in the cloud. Major concerns have been cost, security and managing disparate systems. Leading cloud providers have addressed these concerns with radical improvements in security (whilst shrinking costs). SaaS, for instance, has been around for quite some time, and certain key banking functions like HR, Accounting and certain Risk processes have already migrated to the SaaS model successfully.

CaaS fits the bill quite well for such an operating model. Given current technology options, the data is absolutely secure, with robust encryption tools leveraged during the various stages of transit and storage of data. Also, there are multiple levels of Identity and Access management features built in to ensure data security. And with costs literally shrinking by the month, the benefits far outweigh the costs (if at all).









Cloud for regulatory reporting impacts multiple areas such as –

Data Acquisition and Integration

  • Much easier and faster plug and play integration for various divisions leading to single version of truth

Data Storage and Management

  • Capacity can be added, allocated, expanded and reallocated efficiently and quickly
  • Banks gain the flexibility and agility to resolve complex issues related to the complexity and cost of scaling up traditional models to accommodate growth, and to scale down as/when needed.
  • Hybrid options of private and public cloud to ensure maximum security for sensitive data as needed by the bank
  • Backup, recovery and continuity cease to be the bank’s problem, helping it to refocus on its core activities.

Data Usage and Submission

  • Regulatory reporting as a service offering means that banks no longer need to keep track of changes in the regulatory reporting guidelines.
  • Prebuilt report templates with configurable rules can help banks reduce large overheads in terms of report preparation and submission
  • Adjustments and non-standard data can be operationalized and incorporated into reports
  • Reconciliation is easier and faster owing to unlimited computing capacity as/when needed.
  • Complete audit trail helping banks attribute ownership to the report submission process

2. A Flexible Global Reporting Data Model

A strong data model built for Regulatory reporting that understands what is needed instead of what is available makes for a strong foundation and a direct route to a single version of truth. The strength of this model must be tried and tested for various products and multiple scenarios across the bank. A trend in this area is the move towards a common regulatory reporting data model. As the regulatory reporting definitions are published anyway and everyone knows about them, a unique model does not provide much advantage to the bank, and therefore a common model is a good approach. There are also hybrid options available for a little extra cost, yielding easier extraction and mapping.

This improves parameters such as –

  1. Data Acquisition and Integration. Mapping is much faster and easier owing to standardized requirements, leading to a shorter time to market for the solution.
  2. Data Storage and Management. Changes are easier to make as/when the requirements arise. Also, only the data that is required is stored, thus reducing space.

3. Add-on Services

The data required in a regulatory reporting solution can support multiple internal reporting needs and analyses, if the requisite granularity is built in the design of the data model. This can help achieve a higher ROI by implementing a private cloud using the same data and extending the data further as required.

Another option would be add-on services by external vendors in these areas and providing access to these analyses within the bank. These can include –

  1. MIS and Financial statements
  2. Risk related reporting
  3. Predictive modelling


The biggest risk for a bank today is probably not taking one! With rapidly evolving technology and a multitude of innovative solutions available, banks that defer investing would only end up waiting endlessly and miss opportunities that agile competitors would cash in on. And speaking of innovations, Compliance as a Service may be an idea whose time has come.




R NATARAJAN November 25, 2013 - 12:59 pm

Good approach
chance to Improve your caliber
