LONDON – The financial services industry has always been heavily regulated, but since the economic meltdown of 2008, regulations have been added in an attempt to stop such an event from occurring again.
According to Juergen Weiss, a research director at analyst firm Gartner, political risks and regulations are having such an impact on the financial services sector that companies should be investing more in regulatory compliance – between 30% and 35% of total IT expenditure, he suggests.
At a recent talk at the Gartner Security and Risk Management Summit, Weiss outlined the extent of the problem, telling his audience the number of European Directives has risen from 507 in 2005 to 768 today. While not all of those affect financial services specifically, plenty of them, such as rules on privacy or bribery, affect business in general and have an impact on their IT systems.
However, Weiss chose to nominate what he felt would be the five most important regulations to affect financial services over the coming years, and the ones that would have the biggest effect on those running IT systems to support risk management. What most of the regulations have in common is a requirement for companies to gain a more coherent view of their overall risks, rather than working in isolated silos.
Solvency II
This regulation should come into force in January 2014, and is designed to protect insurance policyholders and beneficiaries in the European Union by ensuring the stability of insurance companies. Applicable mainly in the EU, it is also being adopted by Israel, Mexico and South Africa.
Solvency II will require companies to change their processes and products, and improve their overall risk management models, said Weiss, not only to gain a much clearer view of their business position at any given time, but also to report that position to financial regulators. He predicts it will cause a consolidation in the market, with larger companies surviving.
From an IT point of view, there is greater emphasis on data quality, integrity and traceability. This will require a more holistic and integrated system architecture than many operate now, so companies can carry out closer data governance.
Basel III
Due for introduction in stages between 2013 and 2019 (although Weiss predicted it will take longer), Basel III applies to global banks and is intended to manage liquidity risks.
Its effect will be to introduce more frequent capital “stress tests” for banks, and it will require banks to have mature processes to identify, measure, monitor and control liquidity risk. As with Solvency II, these requirements imply a less-siloed approach to systems design. IT systems will need to operate faster and provide more granular data management.
Single Euro Payments Area
The Single Euro Payments Area (SEPA) initiative aims to improve the efficiency of cross-border payments within Europe by turning the fragmented national markets for euro payments into a single domestic one. Another goal is to reduce fees associated with such payments.
The initiative began in 2008, and in 2009 the SEPA direct debits system was launched. Take-up is currently low, accounting for just 5% of direct debits, and there has been a proposal to set a deadline for full implementation by 2014, although that has not yet been decided.
For the moment, banks will need to operate parallel infrastructures as they introduce new messaging systems to manage SEPA payments, while still operating their current payments arrangements. They will also have to implement new technical standards for message exchange between banks, and between banks and customers.
Retail Distribution Review
This UK legislation, due for implementation in 2013, will apply to insurance companies and could also affect some banks, Weiss said.
Its goal is to protect clients who are receiving financial advice, and deliver a more transparent commission structure for those selling financial services. In addition, it aims to improve the solvency of financial advisors and generally raise professional standards.
Weiss predicts its effect will be to reduce the number of financial intermediaries, as smaller firms find it harder to comply. He added that it will also reduce the number of complex financial products on offer, and promote the use of direct-to-consumer channels, with more selling being done online.
The implication for IT is that core insurance systems will need to be revised to handle the new products and channels. Weiss also predicted that more business will be done through mobile devices, which will need to be securely supported.
Data breach notification laws
Unlike many states in the US, Europe does not enforce mandatory disclosure of data breaches, except in the telecommunications and ISP sector. In the UK, the public sector also has to disclose any breach, but the rest of the private sector is currently exempt.
Weiss, along with many other observers, expects that to change over the next two to three years. Financial services are likely to be the first to be affected, he said, because of their heavy reliance on online distribution channels.
That means they will have to initiate continuous monitoring of e-commerce services and e-banking applications, while also increasing data privacy tests to ensure they maintain protection of personal data.
Weiss said financial services firms needed to organise their response to the growing level of regulation through a series of actions that include:
- Identifying all regulations that apply;
- Updating long-term business strategy;
- Updating IT strategy;
- Prioritising investment areas and finding synergies between regulations, as one internal control can satisfy multiple regulations;
- Considering the creation of an organisation-wide competency centre for compliance, with stakeholders from all sectors of the business.