Address Regulatory Compliance Challenges in the Financial Services Industry with Enterprise Architecture

Dec 7, 2020
Written by
Nick Reed
Nick Reed

Address Regulatory Compliance Challenges in the Financial Services Industry with Enterprise Architecture

Regulatory compliance is a core business fact of life for the financial services industry today. Compliance is not only about combating financial crimes such as money laundering, fraud, and tax evasion. But also about operating in a prudent and responsible manner and being able to prove that you have the policies, procedures and processes in place to do it reliably – covering everything from capital and corporate governance to data privacy, disclosures and diversity. Compliance plays an essential role in helping to preserve the integrity and reputation of a bank.

The last two decades have seen thousands of new regulations being introduced by various regulatory bodies for the financial services sector. The most prominent ones are the Patriot Act and the Dodd-Frank Act in the USA, and GDPR and PSD2 in Europe, with consequences for institutions outside these regions as well. The General Data Protection Regulation (GDPR), probably the most talked-about regulation, provides a set of rights to EU residents around their consent when it comes to organizations using their data. Since banks are handling a large quantity of personal data, the regulation considerably impacts how data is stored, processed, shared, and secured.

In the wake of rapid digitalization and increasing dependency on partners for providing business services, new regulations are also being proposed. One such consultation, on Operational Resilience, i.e. the ability of financial institutions to rapidly adapt their business and continue critical operations in the event of disruptive business events, is being carried out in the UK as a top priority by the Bank of England (the Bank), Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA). Many financial institutions are already providing operational resilience reporting to UK regulators. This covers the processes, third parties, data and technology on which critical business services depend, and is aimed at supporting resilience analysis and risk-based mitigation and remediation planning.

The costs of increased regulation are reflected in the consistently rising compliance overheads of financial services companies since the 2008 financial crisis. According to one estimate, banks were spending around US$270 billion[1] per year on compliance globally by the year 2017. The compliance costs make roughly 10 percent[1] of the operating costs of banks and are all set to double[2] by the year 2022. These compliance costs already show a 60 percent increase for retail and corporate banks compared to figures before the financial crisis. The increasing compliance costs pressure coupled with low-interest rates, a slow economy, and the economic shock from the COVID pandemic have a significant negative impact on financial services profitability.

What causes compliance overheads?

  • Increasing compliance workforce costs: Rapidly growing and changing regulations is making the compliance function more demanding. It requires an army of compliance staff to just digest these regulatory changes. Compliance staff now makes up 10%[3] or more of the workforce of large banks. At a major US multinational bank, the compliance staff made up almost 15%[3] of the workforce in 2018, up from 4%[3](!) in 2008.
  • Complicated compliance reporting: Since every jurisdiction has different compliance requirements and reporting standards, in practice this results in a plethora of reporting types and associated underlying data sets. This makes compliance reporting efforts complex and laborious. In many cases, supporting documentation for these reports cuts across many dimensions of the business and requires input from a wide range of process and system owners who may not always have the up-to-date information at their disposal. Often, this results in repeated “data calls” where resources have to go hunting for data to refresh out-of-date reports, and increasingly complex reporting ‘point solutions’ that struggle to keep up with the business logic of combining multiple inputs in a coherent model.
  • Process and application proliferation: As regulations get addressed individually in ‘point solutions’, the compliance processes and supporting applications often proliferate, resulting in duplication of effort, functionality, and data, as well as increasing complexity in the IT estate and technical debt.

What happens when compliance risks become real?

The compliance process should be a holistic, enterprise-wide effort that relies on real-time data to make informed decisions. While complying with regulations certainly incurs compliance costs, not abiding by them may threaten to destroy your organization altogether.

One such cyber incident involving the violation of the GDPR involved a major British airline. This incident, believed to have begun in June 2018, had user traffic to the British Airways website diverted to a fraudulent site. Through the site, details of around 500,000 customers were harvested by the attackers. The International Commissioner’s Office (ICO) held British Airways responsible for the poor security arrangements at the company including login, payment card, and travel booking details as well as name and address information, and proposed a £183.39 million[4] fine under GDPR.

In another incident, a US-based credit reporting agency, found records that its 147 million[5] customers’ data had been stolen in 2017. The Federal Trade Commission (FTC) slapped a fine of almost $700[5] million on the agency for its failure to take effective steps to secure its network, which had led to the breach.

As per the FTC, the agency failed to patch its network after being alerted in March 2017 to a critical security vulnerability affecting its ACIS database, which handles inquiries from consumers about their credit data. Besides, the agency failed to segment its database servers to block access to other parts of the network once one database was breached and also failed to install robust intrusion detection protection for its legacy databases. When the internal IT department of the agency ran a series of scans that were supposed to identify unpatched systems, none of the vulnerable systems were flagged or patched. The vulnerability was soon after exploited by hackers to break into the systems and steal data, which ultimately cost the company almost a billion dollars in penalties and jeopardized its reputation.

How does enterprise architecture benefit FSIs in dealing with compliance challenges?

We all understand that complying with regulations is a complex, cross-functional effort. It can’t just be limited to the domain of the Chief Compliance Officer or the cybersecurity department. Compliance should be a joined-up, enterprise-wide effort that brings together relevant business and IT stakeholders, all having a critical part to play in the planning, implementation, and maintenance of the process and IT infrastructure of the organization.

Enterprise architecture models provide a foundational single source of truth on which a variety of compliance reports can be generated using the connected models that join together disparate data sets covering multiple dimensions of the organization, e.g. people, processes, data, applications, technology and third parties. This streamlines the compliance function, improves efficiency and effectiveness, and reduces complexity and technical debt.

It also enables effective data management of the information used for compliance reporting. This ensures ongoing data quality in the form of completeness, correctness and currency of information, everything operationalized into business-as-usual processes. The result is that the enterprise enjoys transparency, objectivity and accountability of data quality – which is of keen interest to the regulators assessing the maturity and effectiveness of compliance.

Gaining enterprise-wide visibility and keeping costs down

Global enterprises have thousands of processes, applications, and services scattered across several business units, making the whole IT landscape complex and poorly accessible for manual strategic analysis. This complexity creates the need for modern data-driven EA tools that can bring together the people, process, and technology aspects of an organization and collect comprehensive, real-time data on these entities.

The data is organized and structured through flexible and coherent data models. It can also be further processed and used to build intuitive visual dashboards of the IT landscape concerning the existing business capabilities and processes (see Figure 1). It allows for easier identification of abnormalities and capability gaps, as well as drives stakeholder collaboration towards informed decision making. Since full compliance reporting requires connecting all the relevant dots in the organization, this visibility ensures that compliance reporting does not suffer from any unintended exclusion of processes or IT systems. What’s more, it takes away the manual effort required to create these reporting artifacts and saves precious resources and time for the organization.

Figure 1. A BIAN capability model with supporting capability application count underneath. This clearly showcases the organization’s capabilities as well as the applications supporting each individual capability (visualized in Bizzdesign HoriZZon).[/caption]

Improving operational resilience and containing outages

One of the primary reasons for disruption in business services is the inability of the IT infrastructure to meet SLAs, caused by technology failures and other operational incidents. The abundance of unsupported, obsolete technologies makes the IT systems susceptible to low performance, outages, and data breaches. This ultimately has repercussions for compliance, operational resiliency, and the organization’s brand perception.

Enterprise architecture assists companies in keeping track of the lifecycle of technologies (identifying dependencies between applications, processes etc.) and determining the optimal course of action for managing obsolescence. These actions may encompass purchasing extended support, panning system migrations, or decommissioning the affected application altogether.

Figure 2. Applications and capabilities that are dependent upon the Oracle 10g database. The obsolescence date for the Oracle 10g database is 1st January 2021, putting these applications and capabilities at risk of no vendor support.
Figure 2. Applications and capabilities that are dependent upon the Oracle 10g database. The obsolescence date for the Oracle 10g database is 1st January 2021, putting these applications and capabilities at risk of no vendor support.[/caption]

Ensuring compliance with data security regulations

Preventing data security breaches is the top priority for compliance and risk management staff at major financial organizations. GDPR requirements push compliance teams to regularly monitor the location and health of their data centers, the health of the systems which are storing and processing the personal data and tracking related actions of those systems’ owners. By making this information readily available, enterprise architecture becomes critical for planning and getting the right data security measures implemented across the enterprise.

Furthermore, in the wake of any personal data breach, enterprise architecture can help identify the source(s) and affected applications, and provides a platform for stakeholders to collaborate on designing appropriate measure to contain the fallout. With the PSD2 implementation, organizations need to monitor the data transfer and performance of several internal and external APIs. By providing a blueprint showcasing the interconnected services and APIs, EA helps businesses to locate external APIs, which probably would require additional layers of security to defend against any cyberattack.

Summary

The regulatory challenges are both significant and growing for financial institutions. However, with the right set of approaches and tools, it is possible to build a dynamic architecture of the organization and leverage it to identify key insights that assist with compliance reporting, risk management and ongoing optimization. To help your organization in establishing a solid enterprise architecture function, Bizzdesign offers a mature platform and associated services that center around value creation and getting early wins fast.

Horizzon is a leading business design platform that uses a data-driven architectural approach to deliver compelling business intelligence artifacts, which effectively guide and assist executives in their decision making process. Importantly, Horizzon is a leader in open standards and frameworks support, providing users with a wide set of industry-approved best practices and reference models such as BIAN (Banking Industry Architecture Network), ACORD (Association for Cooperative Operations Research and Development), Panorama 360 and SABSA (Sherwood Applied Security Architecture) for building a strong financial services compliance value chain.

To learn more about Bizzdesign and how we can help your organization meet its compliance challenges and strengthen its overall operational resiliency, don’t hesitate to get in touch with us or go watch a free product demo.

References

  1. https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Financial-Services/fs-rise-of-managed-services-in-financial-services.pdf
  2. https://www.duffandphelps.com/-/media/assets/pdfs/publications/compliance-and-regulatory-consulting/2017-global-regulatory-outlook-viewpoint.ashx
  3. https://www.economist.com/finance-and-economics/2019/05/02/the-past-decade-has-brought-a-compliance-boom-in-banking
  4. https://edpb.europa.eu/news/national-news/2019/ico-statement-intention-fine-british-airways-ps18339m-under-gdpr-data_en/
  5. https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related