Cashing in on the value of compliance

The world’s desire for corporate regulation swings like a pendulum. In the late 1980s, the so-called “Big Bang” freed the financial markets from all but minimum regulation.

But by the mid-1990s, it was clear that a new, more rigorous regulatory regime was needed to cope with globalisation, the changes in the markets and the growing use of technology.

A succession of scandals, from Barings Bank to Enron and Worldcom, caused the pendulum to swing towards tighter rules, and since 2000, the list of regulations has grown steadily. It now includes the US Sarbanes-Oxley Act, the Basel 2 risk management rules for financial institutions, the International Financial Reporting Standard (IFRS) and the Market in Financial Instruments Directive (MiFID).

This is only the start. In Europe alone there are about 50 current compliance directives, and more in the pipeline. Regulations are, of course, necessary for order and stability. But they are a burden on business and increase costs – especially in the finance sector.

Compliance also has an impact on IT systems and their future development. Market research firm Gartner notes that spending on IT for compliance is growing at twice the rate of overall IT spending.

Against this background, companies are looking for the best way to meet their compliance obligations while keeping costs down and, if possible, getting the best value from their compliance-related IT investment.

“Compliance is making people think at a higher level and forcing them to do things that are good for the business. Estimates on the cost of compliance vary, but whichever way you look at it, it is a lot of money and smart companies see they can use the investment to improve their business,” says John Napoli, global director of financial services at BEA Software.

“At its simplest, compliance is about bringing data together to create reports for the regulatory bodies and getting them in on time. But if you approach it properly – look at the similarities across different regulations and draw the efforts together – you can keep the costs down,” he says.

Chris Coggrave, a managing principal in the securities practice at Hewlett Packard, says that compliance is a long-term project. “It is back to the simple things – people, processes and technology. You are looking at your effectiveness so you need to define key measures and see how good the processes are. Compliance is not a one-off event – it is a journey.”

Coggrave does say, however, that it can be a positive journey and can bring benefits too. “If you link back to the improvements that can be made from a governance programme, compliance becomes part of the justification for other things such as the potential to improve processes.”

The main preoccupation for global companies listed in the US since 2004 has, of course, been to comply with Sarbanes-Oxley. Despite some early protests about the impact on company profits, there is clear evidence that compliance can help to improve business practice.

A recent survey of 261 US financial executives on the impact of Sarbanes-Oxley, by financial software specialist Oversight Systems, found that business benefits can come from compliance. Improvements in the accuracy of financial reports were cited in 47% of responses – up from 27% in the previous year. Other benefits included fewer errors in financial operations and better information for auditors.

When online bank Egg installed an e-mail archiving system, the project delivered spin-off benefits. “Egg handles 60,000 e-mail messages a day, and for Sarbanes-Oxley and Basel 2 compliance, these must be stored for seven years,” says George Giorgiou, finance sector marketing manager at communications integrator Affiniti, who implemented the system.

“The EMC storage system we installed met the compliance goals, but it has also enabled Egg to save on primary storage costs and improve the way it manages its e-mail.”

Now that most organisations have complied with Sarbanes-Oxley, attention has switched to other looming deadlines. The financial sector in particular has its work cut out. The first phase of Basel 2 comes into force later this year, and MiFID is slated for November 2007. For those affected, compliance will involve a huge effort over the next 18 months.

Many organisations have learned valuable lessons from their Sarbanes-Oxley compliance programmes, and are taking a more strategic approach to IT for Basel 2 and MiFID.

“If you look at the way the industry has approached compliance in the past, it was a practical approach. Some started by creating spreadsheets manually to produce the reports. Some moved on to point solutions for specific compliance programmes. But both are costly and many companies are now taking an architectural view,” says Napoli.

BEA’s approach based on service oriented architecture (SOA) aims to create a general-purpose foundation for compliance programmes. “A lot of compliance is about seeing your exposure across the whole enterprise. Reports are not enough – companies need the data in real time. We bring data together in a data services layer from multiple databases and present it through a business services layer.”

Jonathan McKenna, director of business consulting at BEA, says, “Most companies have expensive IT systems they have developed over the years, but they are siloed. SOA enables them to bring these multiple sources of data together. This is especially important for MiFID compliance where post-trade data needs to be published to exchanges very quickly.”

Unlike most other regulations, MiFID will mean significant structural changes in the way financial markets operate. Michael Mainelli, director of London-based city consultants Z/Yen, sees MiFID as a catalyst for significant change to financial sector IT.

“You are looking at a new model with new regulations and you have got to build this into IT systems. But there is an opportunity for those who think ahead and take an architectural view.”

McKenna notes that those who can process data quickly will gain a competitive edge. “MiFID has so many sources of data to keep track of. The amount of pre-trade data, for example, is expected to rise by between four and 10-times. But if you can deal with it quickly you get an advantage.”

Access to consolidated data brings other potential benefits. The same data gathered for compliance can be turned into business intelligence.

“The focus of compliance is giving finance departments an opportunity to be more proactive. At our Finance Forum earlier this year, the debate centred on how finance departments can move from a purely transactional role to deliver business intelligence,” says Graham Walter, vice-president of UK, Middle East and Africa at software supplier Cognos.

“They can take the basic reporting capability they have built for compliance and add value by analysing the data.”

The burden of compliance can then be countered by improvements in business processes and better IT systems. The ultimate aim of the regulations is to make companies act properly and be seen to do so. But in the process they can also gain by using technology to go beyond simple compliance and provide access to the “intelligence” hidden in the data.


Founded in New York in 1882, Chubb Insurance has grown to become one of the world’s leading insurance companies with about £23bn of assets and 2005 net income of £957m. It employs 11,800 people in 120 offices, spread across 29 countries.

“There is an awful lot to compliance in our industry and we look at it in a number of ways. We are putting in some point solutions, but we are also looking at it in the context of business intelligence,” says Peter Thomas, vice-president of European enterprise IT at Chubb.

Chubb had plans for improving its business intelligence systems beyond compliance. “Insurance is an area where information is king, so we must have a very good understanding of the numbers. We identified the need for business intelligence architecture for commercial reasons. But because we had started on this trip it meant we could use the same approach to help with compliance.”

Chubb installed Cognos business intelligence software to bring data together to help meet both its commercial goals and its compliance obligations. “Data consolidation is one of the main pillars and we use the consolidated data for compliance. But we can also use it to monitor our effectiveness.”

Sarbanes-Oxley and Basel 2 are, of course, the two biggest compliance programmes for Chubb. But its strong presence in the London markets means it also comes under the Financial Services Authority (FSA). Changes in FSA rules mean yet more compliance work.

“The current initiative is towards contract certainty. Traditionally there has always been a certain informality where details are established later. The FSA wants to move to a more rigorous framework for insurance contracts where the contracts are finalised before they go into effect. This means we have to provide a lot more information,” explains Thomas.


Compliance deadlines suffer from the same disease as IT project delivery deadlines: they slip. The deadline for the Market in Financial Instruments Directive (MiFID) was originally set for October 2006. It then moved to April 2007 and, currently, is set for November 2007, but there is always the possibility the deadline will slip again.

The far-reaching nature of MiFID – it not only imposes rules of transactional transparency, it also fundamentally changes the financial trading structure – means there is a lot more work to do than was first thought.

Basel 2, which imposes more rigorous risk management on financial institutions, has been subject to even longer delays. In 2001, it was expected that it would be in place by 2004. The deadline was shifted to 2005 and now the first phase is scheduled for the end of 2006, with completion by the end of 2007.

While most European institutions are confident of meeting the deadline, there is concern that some US banks might not be ready in time. Further slippage seems a distinct possibility.
