Financial Regulation—How to Find a Balance Between Costs and Benefits? Status quo, and possible ways forward

By Maciej Piechocki, Member of the RegTech Management Board, BearingPoint

The financial crisis was a catalyst for the creation of new supervisory authorities and a steady stream of new regulations forcing financial institutions to spend billions on technology and operations for regulatory compliance. Now, 10 years after the crisis, four years since the establishment of the Single Supervisory Mechanism in Europe, and with Basel IV at the gates, the frequency of change and the introduction of new requirements remain high, and many stakeholders are dissatisfied with the status quo. Financial institutions bemoan the high cost of compliance, and regulators are unsatisfied with data quality and the level of transparency.

In June, the Basel Committee on Banking Supervision (BCBS) published a progress report on the adoption of the BCBS 239 principles for effective risk data aggregation and risk reporting (RDARR). Global systemically important banks (G-SIBs) should have implemented the principles by January 2016. The BCBS report states that even though the deadline has already passed, most of the G-SIBS have made, at best, marginal progress in implementing the principles. In May 2018, the European Central Bank (ECB) published the report from their thematic review of the effective aggregation of risk data and risk reporting, based on a sample of 25 G-SIBs and D-SIBs (domestic systemically important banks), which also showed an unsatisfactory state of implementation in the European Union (EU). None of the G-SIBs or D-SIBs were fully compliant with respect to all of the BCBS 239 principles. A major reason for this was the banks’ inability to implement the most important principles: Principle 1 on governance and Principle 2 on data architecture and information technology (IT) infrastructure. Large international banks have struggled with implementing an integrated architecture for the entire banking group due to international operations, complex business models and an overreliance on manual processes.

Facing the ongoing discussion between all stakeholders about the costs and benefits of compliance, the European Commission (EC) conducted in 2015 a “Call for Evidence” and invited all stakeholders to give feedback on the EU regulatory framework for financial services. According to the EC, supervisory reporting was named as one of the key challenges due to inconsistencies between reporting frameworks, the number of requirements and related implications on IT, and unsatisfactory use of standards, which would lead to high complexity and accordingly high costs. One of the EC’s follow-up activities to this “Call for Evidence” was a public consultation on the “Fitness Check on Supervisory Reporting”, which lasted from December 2017 to March 2018. The consultation aimed at evaluating whether supervisory reporting requirements are fit for purpose, at quantifying the cost of compliance and at identifying solutions for streamlining supervisory reporting.

Whereas 38 percent of the respondents are of the opinion that EU supervisory reporting requirements contribute moderately to financial stability, the majority state that there is a lack of proportionality in the existing reporting frameworks and that the depth of new insights from the required data does not correspond to the required effort. 93 percent of the respondents stated that “supervisory reporting in its current form is unnecessarily costly”. Among the main reasons named are the number of requirements, related costs for human resources and IT systems, as well as unclear and redundant requirements. However, few respondents were able to quantify compliance cost. The median for initial implementation cost of new regulations was 1 percent (the average value 3.24 percent), the recurring costs for 55 percent of the respondents was below 1 percent of the total operating costs, for 36 percent between 1 and 5 percent. While 48 percent of the respondents run their reporting solutions in-house, 44 percent partially outsource their processes. Asked which would be the most effective solutions for streamlining supervisory reporting, respondents named as short-term measures the reduction of the number of data elements and a greater alignment of reporting requirements; whilst in the long-term, they considered standardization (the development of a common financial language), better process automation and greater use of technology as the most important levers.

The cost of compliance

The results of the consultation reveal how difficult it is to quantify the cost of compliance and to identify the best levers to reduce the costs. Against this backdrop, from May 2017 until May 2018, Chartis Research and BearingPoint conducted a research on how to cut the cost of compliance, based on interviews with a range of banks and institutions from Europe and the United States. Part of the research was the development of a focused cost-attribution model that financial institutions can use as a diagnostic tool to benchmark their RDARR processes and levers against those of peer institutions.

According to this study, the cost for RDARR makes up the biggest proportion of compliance costs. Chartis estimates that RDARR represents around 80 percent of a financial institution’s risk budget, with associated operations and technology costs alone driving around $70 billion of annual cost. For example, in applying our model, we found that complex international financial institutions spend $550 million on average on data-management infrastructure (22 percent of their total technology spending; data input and enrichment account for 11 percent and 6 percent respectively).

The main levers that financial institutions can assess and adjust according to our research are:

• centralization within the key processes (front office, risk analytics, and aggregation and finance repository);

• availability of application programming interfaces (APIs) including clearly defined data interfaces and standard formats;

• feed-handler standards (data extraction by standardized protocols);

• number and diversity of supported reports; and

• use of existing (regulatory) utilities.

Key findings are that financial institutions using integrated platforms and regulatory utilities, or shared service centers, and firms with higher benchmarks for feed-handler standards and use of APIs have lower compliance spending than their peers. These results correspond with the results of the EC supervisory fitness check that found that standardization, higher process automation and greater use of technology are the main long-term solutions to increase efficiency of supervisory reporting processes.

The data challenge

Whereas the cost of compliance is largely an issue for reporting institutions, data management and quality are challenges for all stakeholders. The BCBS progress report on BCBS 239 adoption revealed that the mission-critical requirement of effective risk data sourcing and management is still not fulfilled. Many G-SIBs struggle with disparate and legacy IT systems, which result in poor data quality and aggregation capabilities. Moreover, there are still many manual processes in place, which makes RDARR processes error-prone and slow. According to the BCBS report, the situation may be less challenging for domestic systemically important banks (D-SIBs), since their operations are more focused on their domestic market and their business models are less complex.

But not only financial institutions struggle with data-sourcing and -management issues; 78 percent of the respondents to the EC consultation—including the public authorities—state that they face data-processing challenges. A major challenge for regulators is the increasing volume of granular data from various sources—not only from the different reporting regimes, but also market data and data from the internet.

A major issue in data management is the interoperability between reporting frameworks and between subsidiaries. Most respondents of the EC consultation think that it would reduce the regulatory burden if they would only need to deliver data once for multiple reporting purposes. From our experience, we strongly believe that ensuring interoperability between reporting frameworks would significantly reduce compliance costs. Interoperability would help improve the management of supervisory data, but only if data were standardized and made interoperable at the financial contract (input) level and not only at the template (output) level. We have implemented an input-based approach in the technical platform for the Austrian regulatory utility AuRep (the Austrian Reporting Services GmbH), which acts as an intermediate platform between the Austrian banks and the Austrian central bank OeNB (Oesterreichische Nationalbank). AuRep processes more than 1.4 billion records each reporting date. It facilitates prudential and statistical reporting and also incorporates future regulations such as AnaCredit. Austria has chosen an innovative approach regarding the data input format. The template-based reporting method is replaced by a so-called “input-based approach” based on data cubes. The Austrian banks deliver micro data on the level of single contracts or deals such as loans, deposits and securities in the form of so-called “basic cubes” to the central platform. These basic cubes are enriched by additional attributes, and the required reports are then generated in the form of multi-dimensional data cubes, the so-called “smart cubes”. Smart cubes are finally analyzed, signed off and remitted to the OeNB. The new model ensures more consistent and higher quality data and relieves the banks from the obligation of having to complete templates. This, in turn, allows cost-sharing of compliance as well as standardization of data collection.

Sourcing strategies—regulatory utilities and Risk/Regulation-as-a-Service (RaaS) 

Today, AuRep is an internationally recognized example of how compliance costs can be reduced through the use of regulatory utilities, not only through the input-based approach, but also because of the innovative outsourcing approach that could point the way to the future of regulatory reporting. The AuRep approach is based on greater harmonization and integration of data within banks as well as greater integration of the IT systems of the supervisory authority and the supervised entities. The way it works is through a buffer company, AuRep, which is co-owned by seven of the largest Austrian banking groups, representing 87 percent of the market. The OeNB together with Austrian banks have developed the “data-input approach” through which each entity prepares their data in a standard format in a series of basic data cubes according to OeNB specifications. Austria’s new framework has the potential to succeed in clearing the information bottleneck.

Regarding outsourcing to regulatory utilities, there are different models in the marketplace. Our research with Chartis shows that financial institutions prefer utilities for operational niches or specific jurisdictions outside their home bases. For financial institutions in certain markets, outsourcing a very significant part of the workflow was appropriate—especially specific activities such as reporting and data management for certain markets. These were seen as very good candidates for utilities and powerful mechanisms of cost control.

Moreover, in recent years, we have noticed a clear tendency among smaller and medium-sized financial institutions to opt for managed services offerings. RaaS (Risk/Regulation-as-a-Service)models are cost-effective alternatives to in-house solutions. Moreover, the firms benefit from lower personnel cost if the provider takes care of the regulatory maintenance of the solution.

Regtech and Suptech—the potential of new technologies 

Great hopes are being placed in new technologies. In 2015, the British Financial Conduct Authority (FCA) coined the term regtech (regulatory technology). “RegTech is a sub-set of FinTech that focuses on technologies that may facilitate the delivery of regulatory requirements more efficiently and effectively than existing capabilities.” These innovative technologies include, among others, artificial intelligence (AI), machine learning, blockchain/distributed ledger technology (DLT), application programming interfaces (APIs), as well as shared utilities such as AuRep and cloud applications. Areas in regulatory reporting that could most benefit from the use of regtech solutions are RDARR, modeling, scenario analysis and forecasting, and interpretation of regulations.

Innovative technology can also help regulators to streamline regulatory processes. In late 2017 at the Singapore FinTech Festival, the Monetary Authority of Singapore (MAS) coined the term suptech (supervisory technology) for innovative technology with transformative power for financial regulators. Regulators need new technology to manage the increasing data volumes and to deal with the trend away from template-based to granular reporting, for example, with respect to securities holdings statistics (SHS) and analytical credit datasets (AnaCredit). As Professor Claudia Buch from Deutsche Bundesbank stated at the European Central Bank Statistics Conference in July 2018, “The ‘statistical value chain’ is changing profoundly given to the increased demand for microdata.”

Currently, the process of sourcing, aggregating, validating and analyzing data is inefficient due to limited capabilities of data-management platforms and analytics tools. The Bank for International Settlements (BIS), which is closely monitoring the current technological trends, sees suptech as an opportunity for regulators. “The same technologies that offer efficiencies and opportunities for FinTech firms and banks, such as AI/ML/advanced data analytics, DLT, cloud computing and APIs, may also improve supervisory efficiency and effectiveness.”

Suptech pioneer projects mainly focus on data collection and analytics. In the area of data collection, the FCA, for example, has initiated a project to explore the potential of machine-readable regulation (digital regulatory reporting, formerly named model driven machine executable regulatory reporting = MDMERR), i.e. the conversion of regulatory text to a machine-readable format, which could help to minimize the scope for interpretation of regulations, to increase consistency and improved compliance. The Austrian central bank with its innovative data-input approach is another example of suptech in the area of data collection. Other suptech pioneer projects are exploring big data, artificial intelligence (AI) and machine learning.

Collaboration for beneficial financial regulation

It is obvious that, in view of the complexity in financial regulation, the current challenges can only be solved when all stakeholders take a collaborative approach, and we are seeing many collaborative initiatives across the globe among regulators, banks, academics, tech start-ups and incumbent technology providers. Examples include regulatory sandboxes and standardization initiatives driven by banks or supervisory authorities, such as the ESCB (European System of Central Banks) Integrated Reporting Framework (IReF), which aims at harmonizing statistical data requirements like those for SHS and AnaCredit across Europe. Another example is AuRep, which is the result of a close collaboration between the Austrian central bank OeNB and the Austrian banking industry.

The EU regulators have an important role to play by mandating an improved interface for data submission and by revising the reporting requirements to attain improvements in standardization. A concept and the necessary IT infrastructure must be developed by the supervisors under the mandate of EU regulators. Eliminating ambiguities in the reporting fields, reducing redundancies and increasing standardization would all help to simplify the data-management process. Combining these improvements with a reporting model such as the AuRep data input approach in Austria, with its modern “interface” to the supervisor, could lead to significant improvements and cost savings for all parties.

Still, governance remains an unsolved issue in two ways. At the macro-level, responsibilities have to be clarified among regulators and between regulators and the banking industry. At the micro-level, the question of risk data governance is still unsolved. The progress report from June 2018 showed that governance is still at an unsatisfactory stage at many G-SIBs. The BCBS report especially names a lack of structured policies and frameworks for risk data aggregation and reporting activities and inadequate data-governance approaches due to inconsistencies between legal entities and insufficiently defined data ownership. We see the same at many regulators. A study conducted by the Central Banking Journal and BearingPoint in 2017 revealed that there was still a significant data-governance gap at central banks.

Summarizing the above, 10 years after the financial crisis, there is still a long way to go to find a balance between the costs and benefits of regulation and to make financial regulation fit for purpose. But with all industry stakeholders collaborating, identifying the right initiatives, applying innovative technology with purpose and clarifying governance issues, we are confident of achieving this goal within the next decade.

References: