Need to understand and control the entire IT estate including End User supported applications will grow in importance for regulatory compliance against a backdrop of Brexit uncertainty
Henry Umney, CEO of ClusterSeven, offers his views on the regulatory and risk management trends in the banking and financial services industry for 2019:
- Brexit will confound banks in 2019, whatever the outcome
The UK’s departure from the EU at the end of March will continue to have a significant impact on the banking, insurance and asset management sectors throughout 2019, almost regardless of the nature of the final departure. Brexit uncertainty is presently forcing banks to implement their most stringent contingency plans, in terms of re-locating critical business services, processes, and in extremis, specific roles and personnel. To this end, division of data, processes and responsibility need to be managed carefully to ensure these changes are executed smoothly, efficiently and with full auditability. Further complexity is provided by the UK’s Prudential Regulatory Authority’s (PRA) announcement that institutions will be able to continue to trade as branches of their head office, rather than as a (more capital intensive) subsidiary post-Brexit. This, alongside the European Banking Authority’s (EBA) recent announcement that it sees ‘back to back trading’ between the City of London and the EU as beneficial, suggests that there is a willingness to find a modus vivendi that allows complex cross-border transactions and business processes to continue as normal, almost regardless of the final Brexit outcome.
This complex, conflicted environment will place a premium on understanding how disparate business processes and applications, including how end user supported processes (e.g. using spreadsheet-based applications) are configured, allowing institutions to respond quickly to new developments – and potentially even reversing previous decisions about re-locating people, roles and business units.
- Regulators and auditors will demand mature model risk management
In the US, the momentum for a mature approach to model risk management will gather further pace as government frameworks including SR 11 7, CCAR/DFAST stress testing and CECL, for example, are more closely scrutinised and audited by regulators. Increasingly these governance frameworks are being extended to include the tools that feed the models and there is recognition of the significance of the spreadsheets and other end user supported applications to the models covered by these frameworks.
This approach to sophisticated model risk management will find favour with European regulators too, a trend that is already in motion with regulations such as TRIM and SS3/18. This is fundamentally driven by regulators’ collective objective of demanding visibility of critical models and enhancing the operational resilience of financial institutions. Effective data management, including that stored in spreadsheet-based and other end user supported applications, is central to these frameworks.
To meet the excellence in data governance and auditability as demanded by the regulators in the UK and US, financial institutions will be forced to apply the same level of controls to their end user supported application environment – as they apply to their broader corporate IT environment. This reflects that spreadsheets are often the ‘go to’ tool in developing a broad range of business and financial models.
- The transition away from LIBOR will present a major operational challenge
Due to the enormity of the transition from LIBOR (London Interbank Offered Rate) to alternative reference rates (e.g. SOFR, Reformed SONIA SARON, TONAR), financial institutions will begin adjusting their processes and systems, in preparation for the switch to new reference rates by the end of 2021. The clock is ticking.
With a parallel universe of spreadsheets connected to enterprise systems such as risk, accounting models and a plethora of non-financial contracts, financial institutions will need to ensure that the relevant changes are also accurately reflected in the spreadsheet-based processes. Given the broad range of potential alternatives to LIBOR, it seems possible that multiple replacements may be in use in different jurisdictions. There will be a premium on being able to identify transactions and contracts quickly and efficiently, and applying the appropriate reference rate, quickly, efficiently – and again with full transparency and auditability.
- GDPR has the hallmarks of expanding into a global framework, its compliance will need to be in organisations’ DNA
GDPR has all the makings of becoming a global standard. Already, California is taking the lead with the California Consumer Privacy Act (CCPA), which comes into force in 2020. Other US states are also considering similar regulations to protect the rights of their residents.
With a fine of $1.6 billion levied on Facebook this year, the EU has clearly demonstrated that it means business. In 2019, organisations will have to shift their GDPR focus to ‘sustainable compliance’. They will realise that inventorying IT systems for GDPR-relevant and sensitive data was merely a good first step to meet the compliance requirements on 25 May 2018. GDPR compliance will need to part of their DNA – requiring it to be a ‘business as usual’ activity. With unstructured confidential data (e.g. personal details of clients and employees) often residing in spreadsheets, visibility alongside continuous monitoring, controls and stringent attestation of information will be essential to meeting GDPR demands such as the right to be forgotten and data portability. Automated spreadsheet management will become critical to sustaining GDPR compliance.
