Every compliance officer working on Wall Street these days seems to be drowning in new regulatory requirements, especially those that demand more data.
There is the Dodd-Frank Act with its requirements to report on risk management, which is one new set of data to capture. Then there are Dodd-Frank's new supervisory standards from the Federal Reserve, which will add another pile of data to capture and report. Don't forget new agencies such as the Consumer Financial Protection Bureau, and the data they'll want for their analyses. And of course there's the new Office of Financial Research, which will want data about … well, nobody quite knows, but the compliance department will likely get stuck with that too.
So said a half-dozen compliance officers from some of Wall Street's biggest firms at a recent executive forum hosted by Compliance Week and Deloitte, to explore the current state of Dodd-Frank compliance. Across the board, all reported much more vigorous supervision, and much more demand for empirical evidence to document what the companies are doing.
“Regulatory risk is the number one risk right now. There is no doubt about that,” said Deborah Bailey, managing director of Deloitte's banking and securities regulatory practice and former deputy director at the Federal Reserve. “With or without Dodd-Frank, the regulatory environment has significantly shifted.”
Roundtable participants agreed that the Dodd-Frank Act and other regulations have led to far too many regulators demanding too much data, most of them under unrealistic deadlines. They also said the overall regulatory environment has become more aggressive. Some regulators just want more data than they have had in the past, such as the Federal Reserve Board; others are entirely new, such as the CFPB and the Office of Financial Research, and are asking for data for the first time. Regardless, multiple roundtable participants admitted that they currently just don't have the resources to keep up with the demand.
“Not only have the regulations changed, but the supervisory approach has dramatically changed,” said Walter Bishop, managing director and head of bank regulatory affairs at Deutsche Bank. In the last year, the number of regulators working on site at Deutsche has tripled, he said. “It's been a real sea change in everything we've experienced over the last 18 months.”
That new regulatory regime has led to formidable new pressures on compliance departments. To meet those burgeoning reporting requirements, financial firms need to put new IT systems in place, sophisticated and secure enough to cull through massive amounts of information and pinpoint related sets of data—and workers with the right expertise to do that data sifting and produce the necessary reports. Good luck executing those tasks with the legacy compliance systems of the pre-Dodd-Frank era, many said. “We can't rely on ad hoc systems to help us comply,” said Jack Sonnenschein, vice president of enterprise compliance risk at American Express. “There needs to be controls built into those systems.”
Fair enough, but any effort like that requires hefty increases to the compliance budget—which always seems to trigger, as one compliance executive put it, a “level of schizophrenia” among senior leaders. Others in the room agreed that senior managers understand on a conceptual level the urgency to build new IT and compliance systems that can capture and aggregate information across the enterprise, but don't necessarily follow through with doling out the budget dollars to execute a compliance system overhaul.
Even the task of educating company leaders about the new rules, and the implications those new rules have for compliance departments and employees generally, is daunting. Because financial firms are now so globalized and complex, and so heavily regulated as well, “I'm not sure that those who are providing that education to management and the board are as informed as they should be,” said Peter Reynolds, chief risk officer of the wealth and investment management division of Barclays Americas.
As usual these days, the slow pace of new rulemaking was another sore point. Roundtable participants were particularly frustrated with some rule proposals' vague language and timeframe, which have left compliance officers unable to develop practical solutions to what those rules ask. “When are they going to make determinations as to what companies are supposed to be doing, and the timeframes in which they're going to have to implement some of the regulations?” asked one executive.
New Kids on the Block
The proliferation of new regulatory agencies—the Financial Stability Oversight Council, the Consumer Financial Protection Bureau, the Federal Insurance Office, and the Office of Financial Research—was a recurring theme in the executive forum. All are asking for more data from financial firms; none, roundtable attendees said, seem to be coordinating with each other to put those demands into a coherent framework that will keep the compliance burden to a minimum. “There is a high degree of individual discretion that's being granted to regulatory agencies that was never the case before,” one executive said.
For example, several compliance officers complained that they didn't understand the purpose of the OFR. In February the OFR published its strategic framework, outlining an ambitious agenda that entails building a data center and research arm to study financial transactions, and then use that research to help the Treasury Department's Financial Stability Oversight Council set policy. Beyond that, attendees said they remain in the dark about what types of data the agency will want, and how the OFR will collect it (presumably, by having compliance departments report it).
Some attendees questioned, however, how federal regulators—now with massive volumes of unstructured data at their fingertips—are going to do a better job of identifying the risks. As one put it: “Government regulators are trying to see if they're smarter than the people with the experience and expertise who have been doing this on the front lines every day. That's a little scary.”
Reynolds agreed. “We can turn over that data, but it's about as useful to them as it is to us,” she said. “All it's going to do is generate a host of questions, which we ourselves are working out.”
One silver lining: At least now, everyone said, compliance executives have the mythical “seat at the table” with other senior executives managing firms' risks. “Compliance not only has a seat at the table, but it needs to drive strategic change,” said Ed Hida, global leader of risk and capital management at Deloitte.
As regulations continue to develop, Bailey advised the banking industry to work more collaboratively with regulators to offer the solutions that address the spirit and intent of what the laws require and develop an effective plan that outlines how the firm will comply.
Solving the problems that result from massive regulatory demands for data won't be easy, but those that involve themselves in the process will have a better chance at remaining one step ahead of the onslaught.