Point of View about Risk & Regulatory Technologies

Transcription

1 Point of View about Risk & Regulatory Technologies Current trends about Risk & Regulatory Technologies Our point of view How can help? Our relevant approach Competitive intelligence 31 Appendices Credentials Contacts Leverage Risk and Regulatory Technologies to stay ahead of the competition

2 Contents 1 Current Trends about Risk & Regulatory Technologies 1 2 Our point of view 11 3 How can help? 21 4 Our relevant approach 24 5 Competitive intelligence 29 6 Appendixes 31 7 Contacts 34

3 Current trends about Risk & Regulatory Technologies 1

4 Section 1 Current Trends about Risk & Regulatory Technologies New challenges reshape the financial institutions business models Financial institutions are operating in a fast moving regulatory environment Maintain profitability despite dramatically increasing regulatory costs Regulators have developed a set of requirements and recommendations designed to increase the financial markets' stability. Emergence of new regulations and increased complexity of the existing ones have led to a large increase of the cost of compliance. Maintaining profitability and competitiveness while accommodating these new requirements is a real challenge for the financial institutions. Have control over data for real time capture of anomalies Regulations and laws have been reinforced and reconciliation of data sources is critical to ensure an accurate and complete knowledge of company data. As companies must prove they are compliant with regulations, all key data elements must be evidenced and easily available on demand for regulators with a certified quality. Enhanced record keeping requirements will be automatically integrated through systems. Moreover, a better detection and resolution of financial crimes require real time control of data (real time customer screening, transaction monitoring, ). Main challenges for financial institutions Develop robust and agile risk assessment models and tools to evaluate risk appetite in real time Risk management complexity is increasing and requires more sophisticated risk assessment models based on well defined and complete risk scenarios. New tools should be set up to monitor risk scenarios and evaluate risk appetite in real time through multiple data sources. Strengthen risk understanding and ownership by the business with a strong conduct culture and effective training A better understanding from business teams of regulators requirements is a first elementary step to ensure compliance with new regulations. A strong risk conduct culture should be associated with a robust compliance program to mobilize business teams from the top management to operational teams. Effective regulatory training should be provided to relevant staff: robust, tailored to each business, and delivered on an ongoing basis. e-learnings, adequate followup indicators and case simulations would allow to measure effectiveness. 2

5 Section 1 Current Trends about Risk & Regulatory Technologies Financial institutions are facing a complex and diverse risk landscape Regulations, risks and threats are forcing the compliance function to reshape its model Healthy companies are both solvent and possess adequate liquidity Basel and Solvency II are meant to increase the resilience of institutions and prevent the financial industry from a crisis that impacts the whole economy through leverage ratio requirements, liquidity coverage and a better monitoring of the risk and compliance. Improved transparency for consumers and greater market efficiency Considering the important potential detriment that financial services can cause to individual consumers and the financial markets, significant recommendations are provided to strengthen consumer protection and promote responsible finance Solvency & Liquidity Client protection Compliance program based around a robust policy on embargo sanctions is necessary to avoid sanctions Combatting terrorism is a priority for supervisors and regulators. Companies breaching embargos are exposed to multi-million fines. Financial markets integrity A complex and diverse risk landscape Embargo Investor confidence in the market is critical Market transparency is the focus of regulators to reduce and better control over-the-counter (OTC) activities. The industry must adapt its strategy to efficiently restore the public s faith in investment opportunities. Anti-Money Laundering Fraud Effective AML and CFT* regimes to protect the integrity of markets Money laundering and the financing of terrorism are financial crimes with significant economic effects. The challenge for financial institutions is to comply with strict rules issued by regulatory authorities and fulfil obligations of identification and prevention. Fraud analytics, prevention, and detection strategies must be implemented to limit losses Significant financial losses caused by fraud continues to plague financial institutions internal audit and risk teams, who are concerned by the increasing regularity of fraud and changes in its origins. *AML & CFT: Anti-Money Laundering / Combating the Financing of Terrorism 3

6 Financial market integrity Solvency & Liquidity AML Section 1 Current Trends about Risk & Regulatory Technologies Client protection Embargo Fraud Anti-Money Laundering Financial institutions have to engage in-depth organizational changes to face even more complex anti-money laundering regulations What s at stake for financial institutions? 61% 30% 5% 61% of financial institutions around the world declare being impacted by KYC regulatory changes Optimize KYC processes to better leverage clients data 30% of financial institutions declare that developing training sessions related to KYC requirements for their employees are among the highest priorities for the next months What are the operational impacts? Guarantee an efficient monitoring and analysis of transactions According to the United Nations Office on Drugs and Crime, the estimated amount of money laundered globally in one year is 2-5% of global GDP, or $800 billion - $2 trillion in US $ Source: Nice Actimize study conducted in May 2015 Automate reporting, scenarios and suspicious activity monitoring As part of KYC efforts, financial institutions collect data about customer behavior, spending patterns, business ownership, and sources of wealth. For example, a KYC risk score will likely be based on information such as client location, client type and ownership structure, length of relationship with the financial institution, sources of wealth etc. A dynamic KYC would allow continuous monitoring of clients and of their compliance to ever-increasing regulation. This could allow to offer clients the level of regulatory protection they are entitled to on an on-going basis. Regulators continue to impose substantial penalties for shortcomings in a firm's financial crime control framework that result in issues such as money laundering. Companies are therefore investing heavily in IT to detect and respond to AML in a more timely manner. One particular area of focus for firms with global businesses is around the sharing of suspicious trading reporting (STR) filings in different locations so that potential suspicious activity can be shared with control functions in other jurisdictions where the client may have a relationship with the firm. Suspicious transactions and their reporting to authorities can only be efficient if a thorough monitoring system is set-up and applied daily. Profiling and screening tools allowing to retain an audit trail for each case that was analyzed would enable accurate reporting. By analyzing the population of data, institutions can identify trends and patterns and better determine which behaviors fall outside an acceptable range. On-going automated analysis can reduce overall manual review efforts. 4

7 Financial market integrity Solvency & Liquidity AML Section 1 Current Trends about Risk & Regulatory Technologies Client protection Embargo Fraud Facing Fraud is a real challenge for the financial institutions Fraud is multifaceted, complex to detect and has several impacts on the financial institutions In order to protect themselves from fraud, the first challenge for financial institutions is the real time detection of the various fraud risks they are exposed to. The monetary impact of fraud on financial industry can be staggering. However, the reputational cost is as significant for financial institutions as the financial one. Cyber attack Attacks are committed over financial institutions Internet or computer networks. Thieves try to access usernames, passwords and credit card details through 'malware' such as computer viruses, Trojans, spywares or adware. Criminals try to obtain sensitive information by several methods : searching bins to find discarded bank statements; intercepting s; copying credit cards during a transaction; phishing (sending s which look they have come from a trustful organization); Identity theft 1 A financial impact evaluated to around 5% of annual revenues According to Association of Certified Fraud Examiners (ACFE) Insurance contracts Insurance companies are exposed to fraud on insurance contracts. It includes for example deliberately burning materials to collect insurance money, persuade disaster fraud victims to claim more damages than actually occurred, creating fraudulent claims or exaggerating the existing ones, Internal fraud are those perpetrated against a financial institution or its policyholders by agents, managers, executives, or other employees. It may include faking documents, making false statements, pocketing premiums, Internal fraud 2 3 A general decline in customers trust in financial institutions A negative publicity and a significant loss of reputation and business 5

8 Financial market integrity Solvency & Liquidity AML Section 1 Current Trends about Risk & Regulatory Technologies Client protection Embargo Fraud European financial institutions face intensified sanctions for embargo violations Strong compliance programs must be implemented by the financial institutions to avoid embargo sanctions Financial institutions should implement strong compliance programs to avoid financial and trade sanctions To avoid sanctions, the financial institutions involved in transactions from overseas should implement a compliance program based around a robust policy on sanctions and comprehensive systems to implement the policy effectively. Considering the fast and continuous evolution of the international geopolitical situation, internal control by the Compliance function of all transactions of business units, and third party distributors located in countries subject to embargos might be complex. The target policy should include : Maintenance and real time update of a list of countries which are subject to embargoes, Customer and transaction due diligence and screening against applicable financial sanctions in the identified countries, Maintenance of a list of politically exposed persons (PEPs) and implementation of preventive measures concerning PEPs Training and ownership-taking of operational teams on the defined policies and procedures. A major international bank paid almost $8.9 billion in 2014 to resolve accusations it violated U.S. sanctions against Sudan, Cuba and Iran. A French bank agreed to pay in 2015 to pay $787 million for violation of sanctions against Iran, Sudan, and other countries. A major international bank agreed in 2015 to pay $258 million penalty to settle charges that it did business on behalf of entities in U.S. sanctioned countries like Iran and Syria Over $14 billion fines have been paid during the last 5 years by European financial institutions for breaching US embargoes 6

9 Financial market integrity Solvency & Liquidity AML Section 1 Current Trends about Risk & Regulatory Technologies Client protection Embargo Fraud New trends and challenges in the area of Consumer Protection A raft of changes to consumer protection laws and regulations are proposed to heighten the supervision of financial products and services offered to consumers Acting in the best interest of consumers, unclaimed property compliance is being perused aggressively resulting in unexpected and substantial liabilities for many companies especially in the insurance industry (~42$ billion unclaimed assets in the US in 2015*). Unclaimed properties Insufficient consumer protection management jeopardizes reputation Inadequate consumer protection not only led to individual consumer detriment but is a major contributor to the global financial meltdown * CNBC article Unclaimed assets on the 21 Aug 2015 With most major global financial institutions operating globally, the need for cross-country data sharing is strong although often strongly regulated. Systems must be location-sensitive to accommodate local regulations while remaining flexible enough for information-sharing between territories whenever possible. Cross-country information management Client s data archiving and access Archival and access to sensitive and confidential client s information is a focus of most local regulators (ex: CNIL in France). Strict privacy procedures must be designed and enforced. All of the financial institutions employees must be trained and systems need to be audited on a regular basis to make sure the appropriate confidentiality mechanisms are in place. Adequately classify clients for tailored services Ensure third parties compliance With the ever increasing reliance on third party providers for services to consumers, the regulators will hold responsible the financial institution for any of its third party s insufficient consumer protection. Banks and Insurance companies must ensure that any third party acting on their behalf complies with their own level of consumer protection. The Know Your Customer (KYC) onboarding process is more than ever key in the ability of the financial institution to appropriately interact with its clients and asses the suitability and appropriateness of the products/services rendered to them. Clients classification will reflect investment profiles including risk-taking appetite, history with the institution, Automation of the KYC process and related data management is at the forefront of an enhanced clients onboarding experience. 7

10 Financial market integrity Solvency & Liquidity AML Section 1 Current Trends about Risk & Regulatory Technologies Client protection Embargo Fraud Solvency and Liquidity risks Too big to fail has failed and the requirements in terms of capital markets ratios are increasing The new requirements have a strong effect on asset management Multiple global financial regulations are designed to mitigate risk associated with financial transactions to improve financial market stability. On the one hand, financial institutions are required to maintain certain level of liquidity ratios that reflect their ability to turn other assets into cash to pay off liabilities and other obligations. On the other hand, demand for high quality collateral (cash and liquid assets) is growing, making the fulfillment of collateral requirements very difficult. As a result, institutions should have and maintain a holistic and accurate view of their assets quality in order to better respond to regulations and optimize their way of asset allocation and management. they lead to new challenges for financial institutions Improve regulatory compliance: Collateral legal agreements are often not integrated Capabilities are often limited for adopting emerging central counterparty clearing infrastructure and computing complex margin calculations Enable automation: Consolidated data from multiple operations systems are supplied in batches, not intra-day Stale data can result in inconsistent price feeds or instrument valuations Decrease mismatches between assets and liabilities: Frameworks such as ALM (Asset Liability Management) can be used in order to monitor and anticipate possible pricing differences between the company s assets and liabilities and require leveraging on technology capabilities such as: Data sourcing and management Common referential should be deployed in order to avoid inconsistencies along with flexible data models that take into account the future evolutions of regulatory requirements and allows easy data monitoring. Governance tools Basel and Solvency processes include several stakeholders at all stages. The related governance can be clearly defined and automated through workflow management tools. These tools allow an adequate monitoring of the processes and an audit trail. Reporting The increasing number of required reporting and the imposed standards must be produced on a regular basis both for internal and external use. These reports must be automated and should be flexible for specific regulators requests. Core technology In order to support all the applications and tools deployed to meet the requirements, the underlying core technology should be scalable and allow the management of a significant volume of data and flows and easy ratios calculation. 8

11 Financial market integrity Solvency & Liquidity AML Section 1 Current Trends about Risk & Regulatory Technologies Client protection Embargo Fraud Market integrity A reinforcement of market integrity during the last years has led financial institutions to deploy significant means to comply with new heavy regulations In order to avoid financial penalties that could reach 15% of their revenue, financial institutions must comply with new regulations such as the Market Abuse Regulation (596/2014/EU) (MAR). These regulations address all topics from detection of breaches to sanctions. Regulators expect that organizations will ensure all means are provided to prevent market abuse Detection of breaches Impacted financial instruments Inside information Chinese walls Confidentiality Market transparency The organization, procedures, systems, automated processes and notification templates must be reliable and efficient. The scope of financial instruments under the regulation must clearly be identified and under surveillance. Inside information must be restricted to authorized employees and not disclosed to investors or inside dealers. Chinese walls, information barriers established to control information amongst conflicting departments must integrate new regulatory updates. Confidential information and inside information flows must meet regulatory standards, and be segregated from the rest of the organization. Transparency of market operations (i.e. EMIR, Dodd Frank, MiFID II reportings ) is a prerequisite to enhance investor confidence and prevent from market abuse. Institutions can leverage on technology capabilities such as Big Data in order to monitor orders or quotes placed through systems. Data management is the key element to facilitate the identification, nature and characteristics of financial instruments admitted to trading and concerned markets. Inside information must be associated with a list of people in order to detect violations, and generate system alerts. Chinese walls implemented must be reflected in the information systems of the institutions. New data (cross wall formation) have to be collected, while assuring traceability. Confidentiality must be secured for all employees involved in such issues, and integrated in the systems by restricting internal access use of data to relevant employees. Information accuracy and availability require up-todate systems, effective dashboards, and control rooms. Access to flexible and configurable underlying technology is key. 9

12 Section 1 Current Trends about Risk & Regulatory Technologies Financial institutions are revisiting their risk and regulatory management technology framework The regulatory environment new challenges increase the demand on risk regulatory technologies Real time data gathering and analysis Real time data gathering from multiple sources, storage and analysis becomes essential for the financial institutions to ensure a real time risk detection, a better knowledge of clients (KYC), and a full view of their exposure to risks and financial crimes. Managing data complexity (volume, variety, velocity, and veracity) through a big data architecture creates a competitive advantage in risk detection and monitoring. Model and calculation engines Assessment of risks and of the compliance level with regulations by the implementation of models and calculation engines is a priority for financial institutions. The models and calculation engines should include monitoring and forecasting functionalities implemented in flexible IT systems linked with the regulations. The technical side behind the regulatory requirements is essential to stay compliant and competitive Transversal monitoring of risks The financial institutions strive to have a big picture of their risk exposure through a transversal monitoring and management of different risks. To generate such monitoring, a reshape of the IT risk architecture is necessary to rationalize the systems and data used to assess the financial institutions risk position, and link them with the financial systems. This will allow the creation of a strong IT platform ensuring a transversal monitoring of risks. Risk and regulatory reporting capabilities Enhancing the reporting capabilities is critical for financial institutions to respond to the increasing requirements regarding reporting, and to allow the analysis of risks and no compliance impacts. More dynamic dashboards are required from the IT architecture with the capacity to display aggregated information and drill down into detailed data in different systems. 10

13 Our point of view 11

14 Section 2 Our point of view Financial institutions can leverage technology to respond to regulatory requirements Technology when focused on the Compliance function challenges and on the regulatory requirements leads to a compliant and competitive IT strategy Data as an enabler of predictive analysis for risk prevention and real time detection Interconnected systems and databases allowing a standardized risk management and a transversal monitoring of different but linked typologies of risks Technology inputs Compliance solutions and tools linked with regulations through libraries with the capacity to better respond to regulations, or with streamlined implementation of relevant periodic and permanent controls Adaptive evolutionary IT systems thanks to machine learning and artificial intelligence technologies to fit with the fast moving regulatory environment A relevant, and sponsored IT strategy should be defined based on the Compliance function goals, and the technology capabilities and inputs to set up a technology game plan aligned with the regulatory challenges Strong prediction models thanks to consistent data real time collection and analysis Scalable and auto evolving transversal monitoring of scenarios, allowing risk prevention in a fast moving regulatory environment Compliance Function reliance on IT systems aligned with its challenges, and linked with the regulations 12

15 Section 2 Our point of view The critical role of data management capabilities Data control as the core enabler of predictive analysis One of the most significant lessons learned from the global financial crisis that began in 2007 was that banks information technology (IT) and data architectures were inadequate to support the broad management of financial risks. Many banks lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at the bank group level, across business lines and between legal entities. Basel Committee on Banking Supervision - January 2013 Data governance As key business decisions become more data-driven, the amount of trust you need to have in your data increases. Yet many organizations struggle to build the necessary data governance capability that will underpin that trust. Our recommendations Data governance is much more than managing the risk in data, it is about developing an environment where the full potential of data is realized. Both risk and finance will play a critical role. Data quality An information explosion due to digitization and Internet of Things has increased the number of data sources, volume and complexity. Despite the strategic importance of data and analytics, challenges remain for organizations. More details in our publication Devil in the data: How banks can improve data management 13

16 Section 2 Our point of view The critical role of data management capabilities Big data: the time is now! Big Data investments will account for nearly $40 billion investments in 2015 alone Big Data is now an ever evolving opportunity with trends to watch including Cloud Big Data the Internet of Things Data as a Service Real-time insights No SQL databases Analytics apps and much more. Data analytics is helping organizations to build offensive business strategies for price and cost optimization and defining the next best marketing. Big Data enables also defensive business strategies when allowing organizations to respond to regulatory requirements, to optimize governance, risk and compliance solutions, and to develop solutions helping them to avoid sanctions, etc. Big Data will transform your risk management capabilities by : Improving decision-making Enabling predictive analysis Optimizing customer relationship Reducing risks For point of view on Big Data, refer to our publication Data Service Management: Leveraging Big Data as a Strategic Advantage Our relevant approach helps on all Big Data areas from strategy through execution: A combination of our data science skills and your data can provide new insight into your risk management Start by reshaping your business strategy around data and streamlining your data structure. Define your vision and you "data core values", think big and start small Set-up and monitor efficiently your data program Assistance at C-Level especially to CDO Simple start with relevant use-case Change management around data, mergence of new professions Technologies and innovation Increasing risk management performance through new strategy Identifying new risks Redefining position on the market based on risk appetite Your interaction with customers...and much more! 14

17 Section 2 Our point of view Technology to implement full risk coverage front to back controls One single control framework to quickly assess risk and prioritize corrective actions across a myriad of locations and business lines The volume of compliance requirements has grown significantly in recent years, bringing difficulties in implementing an effective compliance program within a short period of time. Compliance programs are implemented through complex governance structures requiring increased surveillance and key indicia production capabilities. They generally consist of: a governance framework, which clearly delineates responsibility and accountability of stakeholders, including appropriate periodic management reviews or other matters requiring management s attention (e.g. periodic certifications, external audits etc.) policies and procedures designed to document, describe and sometimes prevent some activities to be conducted to ensure that all operations comply with the regulatory requirements; they must be used as indicia to measure the compliance level by country, by entity or type of business. periodic independent testing and auditing of the effectiveness of the program must be performed by qualified personnel based on existing internal controls and policies and procedures; independent testing results should be used as indicia to measure the level of compliance and be a trigger for remediation actions. key performance indicators on the training of target personnel must be implemented in order to ensure that the program is effectively implemented and enforced. record keeping and audit trail capabilities are required to demonstrate compliance, and to be easily provided upon request of authorities or external audit. 5 Recordkeeping 1 Governance a system of internal controls based on standardized types of controls designed to monitor compliance and prevent risks occurrence; they have to be assessed and prioritized, and linked to related policies and procedures; control results follow-up and corrective actions monitoring workflows must be built, and types of anomalies ranked according to pre-defined criticality. 4 Training Management Dashboard Internal controls Periodic testing Audit 3 Policies and procedures 2 15

18 Section 2 Our point of view Technology to implement full risk coverage front to back controls A successful compliance program will require the right technology tools, assisting in enabling the appropriate levels of communication and management reporting Flexible technology allows to easily cater for change, giving management and stakeholders value earlier, and avoiding arduous manual processes. It must follow evolving regulations without wasting time on long coding iterations and long periods of designing and detailing requirements upfront. Regulatory watch Reduce the burden of monitoring regulatory requirements by automatically tracking and reflecting the latest regulatory developments, thus automating manual processes of data feeding Get a follow-up of the regulations, of the required certifications and regulatory calendar by target countries in one single tool Display up-to-date regulatory content by siloes or by topic Enable tracking of changes and provide detailed audit history Risk approach Define risk sand map them to regulatory siloes Deliver high-level business impact frameworks based on pre-defined risks, which could be tuned according to the your financial institution's own risk map; Use a standardized set of controls in order to mitigate identified risks Management dashboard Have a cross regulations view as risks and controls used to mitigate these risks may converge e.g. FATCA, Dodd Franck Act, MIFID regulations impact KYC related processes whereas Market Abuse rules align with MiFID ones. Use advanced search functionalities: filter critical content by country, legal entity, risk exposure, ability to view compliance confidence levels details. Define key performance indicators and periodic testing reviews and make them easily available for the Board and Senior Management Monitor policies and procedures and internal control implementation by legal entity or business line Send automatic alerts to appropriate stakeholders for effective and timely remediation of potential areas of noncompliance Tuning possibilities Processes, procedures and controls may range from broad impacts to more operational ones therefore requiring tuning by country or by business line; they must be monitored and integrated in the overall surveillance framework Regulatory compliance must offer the opportunity to strengthen the organization by relying and converging towards an integrated risks architecture not only to fight back,but also to provide business value. 16

19 Section 2 Our point of view Upgrading risk IT architecture to stand out from its competitors Leveraging technology to meet effective risks management is becoming an increasingly important source of competitive advantage The complexity of the business and regulatory landscape is increasing dramatically. Companies are navigating a proliferation of new regulatory requirements and stakeholder expectations, and are challenged to do so in a way that supports performance objectives, sustains value and protects the brand. Critical compliance and regulatory issues include the implementation of a wide variety of financial risk management reforms thought to provide more transparency and stability to global financial system. Regulatory risk reforms have a technical side that substantially contribute to perpetuate the reforms compliance and the company competiveness. For financial institutions, to be compliant within the new regulatory environment requires an important enhancements in the following fields: Data collection, Models and Calculations, Reporting. Data collection: Collection of accurate and reliable static, position and market data is a prerequisite for informed risk assessment and risk management. This process should ensure uniqueness, integrity and consistency across expansive data set. Models and calculations: Financial institutions have to further extend and reinforce the functionality and flexibility of their models and calculation engines. These tools should provide not only metrics but also more frequent updates. They should be audit-proof and enable the monitoring, planning and forecasting of figures. Reporting: Improved reporting capabilities is crucial to steering financial resources. Reporting tools should enable to display aggregated data and calculations on different aggregation levels and allow to drill down into details. It should provide access to current and historical data and reports and provide accounting and economic consolidated view. IT risk management systems should not exist solely to pass the exam, but to help providing strategic business value. For too long, financial institutions have viewed the implementation of risk management IT solutions as a defensive tactic or regulatory compliance activity. However, it should rather be seen as an opportunity to leverage technology to provide strategic business value. We believe that forwardlooking financial institutions should move beyond compliance requirements, capitalize on regulatory changes to generate insights in order to actively steer the business. By improving the IT architecture of its risks management, companies will be able to develop an accurate view of their financial resources that will serve as a result to facilitate their decision-making. Reporting Competitive advantage From a technology perspective, the regulatory changes mean significant upgrades of calculations engines and reporting and the underlying IT infrastructure (data storage and computing capacity) 17

20 Section 2 Our point of view Upgrading risk IT architecture to stand out from its competitors Implementing a solid risk IT architecture is a step to meet risk regulatory challenges and way to fulfill its business driven goals In order to comply with risk regulatory requirements financial institutions must produce required metrics and implement the required risk management process covering all types of risks: credit risk, liquidity and change risks, counterparty and market risk, operational risk, and non-compliance risk. The pressure of compliance to regulation is located on the company's business side rather than on the IT organization side which is likely the reason why most companies rely on a puzzle of workarounds ad hoc and short-term technical solutions - to meet with current regulations. By taking shortcuts on the technical quality, they increase the number of tactical solutions that are not flexible enough to meet future demands and pressures. Credit Counterparty noncompliance Risk management Market liquidity Change Operational What are IT requirements that the implementation of an effective regulatory risk reform should undertake? Consolidation of data into structured warehouses using highly automated process (ETL) to load consistent and nonvolatile data collected from multiple sources. It should become your organization s single source of truth and act as the principal underlying engine used by middleware business intelligence environments that serve risk management needs (reports and dashboards). Achieving an integrated reporting in order to evolve into more than a simple juxtaposition of financial and sustainability information in paper or electronic format. Steered by business-driven goals, these two traditions of corporate disclosure ( FR & SR *) should converge toward a reporting architecture that builds on the strengths of both while enabling assimilation of new knowledge, new issues and new metrics that flow from the social, environmental and economic dynamics. Implement solutions that allow to incorporate regulatory and specific scenarios into analytic data models. Risk managers should have tools that use a set of historical value to predict an outcome. Running those predefined or ad hoc scenarios allow to analyze the trend, seasonality, and error in your data and then projecting them into the future to predict likely results. Each time a simulation is performed, a richer understanding of the inherent risks is gained. *FR & SR : Financial reporting (FR) and Sustainability reporting (SR) 18

21 Section 2 Our point of view Machine learning Re-architect compliance workflows and automatically detect fraudulent cases in real time Human versus artificial intelligence. Expending and ever-more complex regulations require a high responsiveness from financial institutions. However, traditional methods are no more relevant as the volume of data outpaces peoples ability to process it. Cutting edge data science may help financial institutions being always up-to-date and avoid expenses related to the revision of their compliance and governance infrastructure to meet regulatory standards within a reduced time scale. What is machine learning? Machine Learning is concerned with computer programs that automatically improve their performance through experience. Compliance tools analyze data based on programmed rules that will be combined to have an overall rating of the client. However, this approach returns a significant amount of false alerts and uncovered cases and require frequent updates of defined rules according to regulations evolution. Understand the problem and its causes Identify the right sources of data Build new algorithms Reports and root causes analysis Performed in an iterative way How does it work? The principle is simple: the machine is learning or more precisely the software algorithm examine data from past cases with known outcomes to build patterns that will be used to predict future outcomes. This is performed in an iterative way in order to constantly refine the models and be able to detect fraudulent cases in real time. Machine learning models are able to analyze huge amount of data and learn from it without relying on pre-registered indicators or rules. Financial institutions should benefit and take full advantage of machine learning to better meet regulators expectations at lower costs. 19

22 Section 2 Our point of view Machine learning Advantages of machine learning models Real time monitoring Today s standard is real time. Machine learning is the only way to access this standard thanks to its powerful hardware architectures that enable real time fraud detection. Thus, analysts can monitor fraud in a real time and consequently face increased fraudulent activity and even more faster bank transfers. Less maintenance and time saving With machine learning, there is no need to maintain the rules or revise the algorithms as the software automatically update fraud detection scenarios. Likewise, machine learning don t rely on humans to adjust any thresholds or maintain the various blacklists. Hence, machine learning allows the analysts to spend less time maintaining the rules and updating the algorithms and allow financial institutions to make large economies on the extensive costs dedicated to maintenance. Real time monitoring Meet regulators expectations More accuracy Machine learning models can easily and more precisely detect fraud patterns as they occur, even when they might be undetectable for for humans. Indeed, they can rapidly detect changed behaviors and complex fraud scenarios by analyzing a large set of data from different types. The more data you have, the more accurate the machine learning model will be. As machine learning models function in an iterative way, they record more and more algorithms from various fraud schemas that they will automatically recognize when they occur. Less maintenance and time saving More accuracy A strong enabler to meet regulators expectations and be ahead of the competition All these criteria will enable financial institutions to meet regulators expectations and better monitor fraud activity without spending extensive amounts updating their compliance devices each time the regulations evolve. 20

23 How can help? 21

24 Section 3 How can help? From strategy through execution Questions that can help you answer How much effort is needed to source, collate and clean up data? What is the cost of my risk function, and are we using technology in an effective way to standardize and automate business processes? Do we have clear ownership and governance over risk data, including shared data with other functions such as finance and operations? How will we move from where we are now to our future design? How well do my current IT systems meet the objectives that my organization requires? How are we making the most of synergies in our risk technology and infrastructure investment? Have we defined the requirements for and designed a clear future architecture to meet the changing regulatory demands? 22

25 Knowledge management Section 3 How can help? From strategy through execution is combining a network of international regulation experts, off-the-shelf tools and methodologies and worldwide benchmark capabilities Regulation We share your expertise with you relies on a large Knowledge Management base, composed of in-house and market tools: Knowledge Factiva, Xerfi, Diane, etc. also has a wide range of benchmarks available, and can achieve further depending on your needs. regulatory experts have in-depth knowledge of all major regulations, with strong regulatory, compliance and fiscal watch and intelligence. Centers of expertise are focused on providing worldwide credentials to the network. From Strategy through Execution Combination of our data science skills and your data can provide new insight into your enterprise, including increasing profitability through new strategy implementation. leverages a key enabler of driving Strategy through Execution: Transform. Our framework provides a ready to use approach to drive and deliver the change through competency toolkits and methodologies. Project management Our experienced teams help clients to gain a deeper understanding of the total performance of the target business. We offer our clients best in class methodology to tackle complex business issue. As a large transformation project operator, is used to and has the skill necessary necessary skills to to maintain ongoing business services while delivering the enterprise transformation. s expertise in governance standards takes form in a Governance Framework as illustrated here. Regarding Risk and Regulatory Technologies projects, we tailor this framework around the following cornerstones: Master Data Management and Data Quality Organization Master Data Management and Data Quality Interface Organization with the legacy system Technological Interface with choices the legacy and system set up regarding Technological Analytics choices and set up regarding Machine Analytics learning Data Machine visualization learningand Reporting Data visualization and Reporting IT Data management 23

26 Our relevant approach 24

27 Section 4 Our relevant approach Our approach can assist any of your initiatives regarding Risk and Regulatory Technologies, by leveraging a unique combination of Technology & Business expertise Impact analysis Assessment of options Risk systems, strategy and architecture Risk data management Program and project management Requirements, design Business implementation Assessing the ability of a firm s existing infrastructure to meet the external demands of regulatory change, or of internally driven change. Identification and evaluation of options to address infrastructure and system gaps, including evaluation of suitability of vendor solutions and tools to address functional needs. Definition of a pragmatic fit for purpose risk architecture, including business, information, application and infrastructure views, as well as phased transition states. Definition and delivery of integrated approach to data management needs, including data governance, data dictionary, data models, data architecture. Supporting the definition and delivery of complex multiphase programs to transform the underlying systems supporting risk management. Supporting the capture and definition of detailed requirements and design within a risk systems transformation program. Supporting the business change aspects of a risk systems transformation program, including business testing, process change, data and report migration. 25

28 Section 4 Our relevant approach Our approach To help you implement this type of program, we have developed a Maturity Assessment tool to assess your risk management profile A few examples of Building Blocks and related assessment questions (out of 16 building blocks) Building Block name Building Block Description Risk Strategy Obligations Key Risk Indicators GRC (Governance, Risk & Compliance) Technology Risk Strategy defines the way in which an organization undertakes risk management. It demonstrates how the management of risk, risk appetite and tolerance enables the organization to reach its business objectives The set of mandatory (e.g. legislation and regulations) and voluntary (e.g. internal policies, industry standards, agreements with customers and other stakeholders) commitments/obligations that the organization needs/chooses to comply with The KRI is an indicator of the possibility of a future adverse impact or upside potential. KRIs provide an early warning to identify potential event(s) that may impact the ability or disability to achieve set objectives The IT systems that support and/or enable the business and (embedded) GRC processes and deliver GRC relevant data Questions Does the organization have an articulated, formulated and documented risk strategy? Is the risk strategy aligned to and integrated with the business strategy? How is this done? Is the risk strategy formulated top down, bottom up or a combination of both? What metrics are defined to measure risk strategy effectiveness? Is the organization aware of its obligation (mandatory and voluntary)? How? How can the organization demonstrate compliance with its obligations? (Demographic, politic, economic, geographical, technological, industry standards, licenses and permits, associations etc.) How are obligations connected to the compliance framework? Does the organization compare themselves to peers and good market practice? Are there a standardized set of mandatory Key Risk indicators? Does the organization use standardized Key Risk Indicators? What indicators are used? Do they use generic and business specific indicators? Are KRI s compared to the historic trends? Do they analyze the cause of movement of KRI s? Are the indicators clearly linked to the risks associated with the business? Do the KRI s cover all business areas? What is the status of GRC technology? Level of system fragmentation? Does the firm rely heavily on spread sheets? Are there common standards? Is ownership clear? Does the organization have one database and one set of data labels? Is there a common data warehouse? Is there a GRC data architecture? Are data validation or data quality checks done? Does the organization have an enterprise system strategy and/or System architecture? 26

29 Section 4 Our relevant approach Our approach When you start such a strategic project, our conviction is Clarify the risk and regulatory structure: an architecture to structure risk and regulatory capabilities, discover the insight into your risk management and think about where you want to be in five years. Test and learn to lay the foundation stone of your program. Pilot, assess, and operate: run research and development experiment to build a realistic and operational roadmap to reach efficient quick wins to present to your board Start by reshaping your business strategy around data and streamlining your risk and regulatory technological framework then define your vision and your risk and regulatory technologies core values think big and start small... and then set up and monitor efficiently your risk and regulatory technologies program. What is the right answer for your business? How can your organization get to the level where it truly can take advantage of in-memory analytics in combination with Big Data? Define a vision and your risk and regulatory technologies program s safeguards around business intelligence, data quality, governance, master data management, product, customer, use cases... Track and report: Measure integration efforts and business performance to constantly adjust efforts efficiently. 27

30 Section 4 Our relevant approach Our approach will help you bring innovation and disruption in your Risk and Regulatory Technologies is bridging innovators and the enterprise Fintech is bringing new disruptive players to the market coming from FS institutions, tech companies, infrastructure players, and start ups. They operate and innovate to answer regulators & government as well as investors bringing to the front emerging technologies & demographics, with incubators and accelerators-based and customer-centric solutions. is partnering with best of breed innovators & disruptors in targeted solutions areas including risk & regulatory and bridging the gap between industry players and emerging innovators. Why now? Because tech has lowered the barriers to entry Open Source Frameworks All-time available resources Proliferation of knowledge Full-spectrum dev support Scaled Cloud Computing Scalable strong security strategy Agile expansion of computing capability Dynamic marketplace for applications Developers On-Demand Short idea-product conversion Quickly capture new customer needs Agile and Iterative Development Cycles FinTech strategy XLOS Service Propositions Thought leadership Innovation programs Traditional Services Technology+FS collaboration Core assurance Risk assurance New Products / Services DeNovo Program Innovation Visits Digital strategy Social media Industry association Innovation Centers Accelerators Additional Firm innovation efforts Tax services Regulatory 28

31 Competitive intelligence 29

32 Section 5 Competitive intelligence Competitive intelligence Following are examples of Risk & Regulatory Technologies practices we have observed among financial services firms Risk Strategy Obligations Key Risk Indicators (KRIs) GRC (Governance, Risk & Compliance) Technology Industry-observed practices Financial Institution A (low maturity) Financial Institution B (average maturity) Financial Institution C (high maturity) Risk strategy cannot be explained Risk strategy is understood but not documented Risk strategy is based on the risk decomposition or risk aggregation only approach The organization can t demonstrate compliance with obligations No framework, policies, or procedures for identifying, managing and reporting obligations KRIs are used ad-hoc in some business units Some links between different business units, mainly across core processes No consistent standards applied High reliance on spreadsheets and manual processes KPIs defined but source data either not defined or not available Risk strategy exists but is business unit focused Undefined link between risk strategy and business strategy Some strategy communication but the messages are inconsistent The organization's risk assessment process considers compliance with its obligations Some policies and procedures exist within business units for managing known obligations Basic reporting of compliance with obligations KRIs for all business units defined Business units monitor KRIs within their own area of responsibility KRIs not linked across the organization Standards are defined but not consistently applied GRC systems in place but few standards in place and duplication exist Some knowledge as to the importance of data quality Consistent and enterprise wide methodology to assess strategic risks Business strategy and risk strategy co-exist Risk strategy is clearly defined using an integrated approach to risk measurement Opportunities arising from obligations are identified through the organization's strategy and business planning process Obligations are linked to KRIs (Key risk indicators) and CSFs (Critical success factors) The concept of KRIs is fully integrated with business Monitoring and reporting of KRIs are not consistently applied across the organization Benchmarking is done against industry good practice GRC systems used consistently across the business Clear definition of data standards and ownership in place Frequent Occasional Rare 30

33 Appendices 31

34 Section 6 Appendixes Some of our accomplishments Banking Group Banking Group Banking Group Context FATCA implementation program Transformation program for the compliance function BCBS 239 implementation program Issues In order to report to the American tax authorities, the Group chose to select a Global tool covering all of the Group entities requirements. Approach The main tasks were: Interviews with IT stakeholders and RFP items selection. Software provider s answers analysis and weighting. Recommendations. Benefits brought to the client an experience in selecting Global tools, as well as an understanding of the strengths and weaknesses of each solution. In order to strengthen its Compliance department, the Group invested massively in the recruitment and the implementation/rehabilitation of IT tools. supported the compliance direction for the scoping of this transformation program. The main tasks were : Structuring of the streams of the Program (governance, perimeter, deliverables ). Setting of a Program Management cell in charge of the monitoring of the Program (KPIs, budget and activities following, ). Identification of key risks and proposition of mitigation plans. Communication among the Business teams. brought to the client an experience in designing target operating models for the compliance function, as well as an understanding of the on-going compliance projects in the Group. BCBS 239 is a regulation that aims at strongly improving risk exposures aggregations to identify concentrations quickly and accurately. The main tasks were : Identifying organizational, technological and process impacts of the regulation. Defining the Group data governance. Defining the approach and roadmap for BCBS 239 implementation for all entities. Rolling out the approach including Proofs of Concept and Quick Wins. brought to the client an experience in operationalizing regulations, as well as an expertise in Data Management, Data Quality, and Data Lineage. 32

35 Section 6 Appendixes Some of our accomplishments Banking Group Insurance Company Insurance Company Context Asset and Liability Management (ALM) Issues In order to strengthen its asset and liability management capabilities, the Group decided to implement an IT structure that aimed at covering all Group entities. Approach The main tasks were: Business requirements. Improvements recommendations. Transformation process. Change management. Accounting consistency management. Benefits brought to the client an experience in accounting challenges in developing an ALM IT framework. Solvency II Pillar III regulatory reporting In order to report to the French regulator ACPR, the sub-group had to implement the MVBS sub-consolidation tool used by his Head Office. has been both defining processes and providing technical support to the production of regulatory reporting. The main tasks were: Leading the pre-production phase and defining the processes. Establishing an operational planning which involved contributions of stakeholders. Identifying technical adjustments needed to meet regulatory requirements. Offering operational support to the consolidation team. Providing a roadmap to enable local team to meet further requirements. brought to the client an experience in configuring tools for reporting purposes and has improved the tracing and reliability of data, while ensuring the replicability of the process for future sub-group reporting needs. Solvency II Pillar I & III In order to meet the directives of the Regulator, the group had to implement a tool for the production of QRTs (solo). The main tasks were: Integration of the Pillar 1 and Pillar 3 solutions into the Information System. Functional support and appropriation of the business content and features covered in the implemented IT solutions. Change management necessary for the success of such a project Design of the ORSA (Own Risk and Solvency Assessment) process. brought to the client an experience in increasing the reliability of data streams that feed the tool, in automating processing of QRTs consolidation/production, and in securing the quality of the results transmitted to the Group. 33

36 Patrick Akiki Partner Financial Services Technology leader Office: +33 (0) Mobile: +33 (0) patrick.akiki@fr.pwc.com Jimmy Zou Partner Financial Services Risk practice leader Office: +33 (0) Mobile: +33 (0) Jimmy.zou@fr.pwc.com Contacts To have a deeper conversation, please ask your contacts The following people have contributed to this Point of View: O. Alexandru A. Benbrahim N. Bendahman O. Derieux M. El Moujahid M. Fernainé M. Guennoun S. Korbi K. Rapson M. Squalli 34