It’s been 10 years since Thomson Reuters Regulatory Intelligence published its first Cost of Compliance report. Thus, the conclusions of the Cost of Compliance 2019 are not surprising to those who have been paying attention: the costs and complexity of compliance continue to increase.

While the broad strokes may seem apparent, the true value of the report comes from the details that point to better solutions. Ten years have seen many developments in regulations, but arguably more changes have occurred on the technology side. The concept of RegTech did not even exist 10 years ago, and by 2020 it will make up 34 percent — $76 billion — of all regulatory spending.

While early proponents of RegTech thought it would immediately lead to decreased spending, costs continue to rise. Part of the issue is the expansion of regulatory requirements; there are now an average of 220 regulatory alerts per day, which is up from 201 in 2016. The firms surveyed for the report expect no slowdown, with 71 percent anticipating an increase of regulatory information published by regulators and exchanges.

Successfully implementing RegTech is usually more than a simple one-time integration. It requires strategic planning, process changes and ongoing optimization of new procedures to deliver the full potential. As the report writers state, “the successful deployment of technology and the ability to automate future compliance activities is seen as one of the greatest potential innovations for the next 10 years in compliance.” The RegTech implementations of today are laying the groundwork for a future of automated, scalable, adaptable compliance that enables smoother, more efficient operations and more value-added services.

Making sense of data

Effective reporting, wherein operational insights are delivered to senior staff and the board, is crucial to enable proper oversight and performance of fiduciary duties. Reporting is also at the heart of the relationship with regulators. Thus, the costs of reporting are a substantial piece of the overall cost of compliance, and gains here will provide cost benefits as well as improve insights and, ultimately, confidence in the overall regime.

One potential RegTech solution, Digital Regulatory Reporting (DRR), calls for regulatory rules to be made machine readable, allowing automated access to a firm’s database to collect reports. A report by the UK’s Financial Conduct Authority (FCA) regarding the concept found that “the cost of interpreting and removing ambiguity from regulatory rules and the collation of relevant data, were the most commonly referenced costs associated with the current reporting regime.” The use of multiple systems, which often require updating for new regulatory rules, is a major contributor to reporting complexity. Another significant factor is lack of clarity in the information requests, which leads to misreporting and subsequent fines.

While DRR is only at the trial stage, the FCA states that it “has the potential to fundamentally transform how the industry understands, interprets and then reports regulatory information.”

Increasing budgets

While compliance budgets are increasing, the days of mass hiring of personnel to perform manual checks seem to be over. While 38 percent of companies report that their compliance team will grow, a majority (59 percent) believe that their team size will remain the same.

What is changing, though, are the roles and responsibilities of the teams. As the field becomes technology based and complex, there’s increasing demand for compliance staff with deep understanding of technology and data science, as well as senior staff who have in-depth knowledge of financial services. The adequacy and availability of these skilled resources is at a premium, making finding the right staff a challenge.

Looking forward, the rapid advancement of technology promises to require even more skilled and knowledgeable staff. As one respondent stated when asked about the biggest change for compliance in the next 10 years, “changing skillsets and profile of compliance officers (fintech/Big data, cybersecurity, data protection and other emerging risks to cope with) while being replaced by robotic-advisory and AI for compliance monitoring.”

To improve the ability to hire and retain the necessary talent, firms are starting to recognize the value of enhancing the role of compliance. Compliance professionals’ technical savvy and ability to deal with complexity, uncertainty and large amounts of data will help them perform well in this age of digital operations.

Compliance is now getting a seat at the table, as evidenced by more senior positions within firms. This is, perhaps, the biggest change in compliance over the last 10 years and something that can drive progress. Coming from a perspective that can manage risk, implement technology and create an ethical culture, compliance can help create better organizations and, as a result, a better world.

RegTech 2018

As we embark on a new year, let’s look back and analyze the major shifts in the regulatory environment over the last year, and what they mean for compliance professionals in 2019.

By any yardstick, 2018 was an eventful year; it was marked by quick and sweeping changes in regulations, which, consequently, fueled greater spending on regulatory technology (RegTech) – indeed, the RegTech sector grew by 23.5 percent in 2018.

GDPR

Perhaps the most significant regulation on privacy protection in recent years, the EU’s General Data Protection Regulation (GDPR) enforces strict data handling procedures when it comes to data belonging to citizens of member states of the European Union. GDPR represents a shift in the individual’s right to privacy – it has major implications for how entities gather, use, manage and purge user data.

The possible fines for non-compliance are significant: Up to four percent of the non-compliant company’s annual revenue.

It has been more than six months since GDPR was enacted, yet the applicability of the regulation remains mired in confusion. As late as November last year, 56 percent of privacy professionals admitted to not having complied with GDPR; 20 percent believed it may be impossible to be fully GDPR-compliant.

Despite the wave of anxiety that GDPR created amongst companies with businesses in Europe, there has been, to date, no significant action taken for non-compliance – although regulators did impose minor penalties on some companies and served ultimatums to others. However, these are still early days for the regulation, and, as such, the EU seems determined to uphold high standards for privacy protection.

As the EU is often at the forefront of privacy rights, the GDPR could prove to become an instructive template for other countries as they update their data protection laws.

PSD2

The Payment Services Directive 2 (PSD2), another major European initiative, is intended to increase innovation and competition in the payments industry. The PSD2 requires that banks open up access to customer account data, allowing third-party providers to use that information.

These third parties are divided into two categories:

  • PISP (Payment Initiation Service Provider)
    Providing bill payment, money transfer and other payment services
  • AISP (Account Information Service Provider)
    Providing aggregation and analytics over multiple accounts

Enabling the entities belonging to the aforementioned categories to access customer account data held by banks would create a slew of opportunities for fintech services.

Another important consideration is the upcoming Strong Customer Authentication (SCA) requirements. Part of PSD2, they are designed to improve online and mobile fraud prevention measures. Ensuring that these SCA measures provide the necessary security while not hindering customer transactions will be a major theme for 2019.

eIDAS

Yet another European regulation that came into effect is the Electronic Identification, Authentication and Trust Services (eIDAS). In pre-eIDAS Europe, each member country had its own digital identity scheme. The problem, however, was that these identity schemes weren’t exactly compatible with each other; in other words, if a Polish national was moving to Spain, she couldn’t utilize her digital identity from Poland to access public services in Spain. Instead, she had to set up her digital identity from scratch in her new home — a time-consuming (and, ironically, analogue) process which required her to present physical documents, multiple pieces of government-issued ID, third-party notarizations, etc. in person.

eIDAS — the European Union’s (EU) ambitious project to create a truly portable identity — has the potential to be an effective correction to this problem by creating a standardized digital identity framework, and allowing digital identities to work across borders.

While it’s not mandatory for a member state to notify its eID scheme, it is obligated to accept another member state’s digital identity scheme if that scheme has been notified.

While the roll-out is a work in progress, seeing as only six member states have full notified status, the scope and ambition of eIDAS are striking. It represents one of the largest implementations of an interoperable digital identity framework.

While eIDAS is likely to ease and improve access to public services across Europe, its implementation could dramatically help the private sector adopt an interoperable digital identity framework. According to Zac Cohen, general manager at Trulioo, “The rules and infrastructure it puts into place will make it easier for private sector firms to accept and implement similar processes.”

FinCEN’s new rule

Meanwhile, across the pond, in the United States, some major new customer due diligence (CDD) requirements came into effect. Under the Financial Crimes Enforcement Network’s (FinCEN) final CDD Rule, collecting, maintaining and reporting beneficial ownership information is now necessary for financial institutions. Making Know Your Business (KYB) processes more stringent is part of a larger trend: Consider the Fourth Anti-Money Laundering Directive (4AMLD) and the upcoming 5AMLD in Europe.

While collecting customer identification information is standard practice, identifying ultimate beneficial ownership (UBO) information can be difficult. Typically, the process is manual-intensive, slow, expensive and prone to fraud and errors. The process may involve staff conducting complex searches and then importing, analyzing and reviewing the information across multiple databases.

The new requirements came into effect in 2016; however, regulators were aware that they would entail significant preparations and changes to existing processes – for that reason, obliged entities were given two years to become compliant with the new rules.

Still, many institutions are having a hard time meeting the new requirements, even as some regulators are calling for stricter standards.

Sports betting in the US

Another major regulatory change in the US was the Supreme Court ruling which struck down the Professional and Amateur Sports Protection Act, opening the way for individual states to allow sports betting. The market potential for sports betting is huge – it’s between $150 billion and $400 billion annually, according to estimates.

Sports betting will be permitted in at least 26 states – six states already permit it, others have either passed a bill, or introduced legislation that is pending approval. However, bookies and other betting operators will need to tailor their compliance and risk mitigation strategies to each state’s unique requirements.

Key takeaways

Of course, these were only a few of the regulations that impacted compliance in 2018. Here are some of the larger themes that can help us better understand the context of these regulatory changes.

Frequent and regular change

Up to 300 million pages of regulatory documents will be published by 2020; more than ever, compliance teams will need to acquire more knowledge to stay abreast of changes and become more agile in adapting to them.

Harmonization

Creating numerous and increasingly complicated procedures is not a scalable approach. Rather, harmonizing workflows to simplify planning, operations, and oversight is a path to limiting the costs of compliance as well as improving its performance.

Ensuring security without creating friction

To avoid fines, decrease risk and protect the brand, compliance requires a high level of security. Customers, on the other hand, desire instant access and seamless onboarding experiences. Compliance should engage more actively with technology solutions so that it can ensure security and compliance without affecting the speed and convenience of customer onboarding.

Companies can meet these challenges by arming their compliance departments with RegTech solutions; enabling automation, improving workflows and reducing the burden of paperwork are essential needs as the compliance function undergoes rapid change.

Trulioo, which has been at the forefront of RegTech for years, is used by some of the world’s biggest tech companies, banks, payment processors, and money transfer companies, along with major online marketplaces, financial institutions, gaming companies and financial services.

Thanks for reading; we hope 2019 is a great year for you and your organization.