Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

Get updates on Compliance Week offerings, including new features, databases, research, and other resources, along with announcements of upcoming Webcasts, conferences, seminars, CPE/CLE opportunities and more.

Published every Thursday, Compliance Week Europe offers a condensed summary of risk, audit, and compliance news either originating in Europe, or of special interest to European compliance professionals. This newsletter will follow developments by the European Commission, as well as those of national governments across the region, or any U.S.-based news that might have consequence across the Atlantic. Frequency: weekly; Thursday a.m.

A fresh edition of Compliance Week delivered via e-mail and online every Tuesday morning, relentlessly focused on the disclosure, reporting and compliance requirements of our 25,000+ paying subscribers.

Published every Friday, Compliance Weekend was launched at the behest of subscribers, and offers a quick Plain English review of the week's key developments. We hope you enjoy this supplement to Compliance Week's Tuesday edition.

Stalling Out on Dodd-Frank

Matt Kelly | February 13, 2012

Disenchantment with the Dodd-Frank Act seems to be in the air these days. Last week I wrote about executives in the energy sector grumbling over Dodd-Frank compliance. This week the banking sector gets its turn.

The latest round of nay-saying happened earlier this month when I moderated a forum for compliance officers at various Wall Street firms, hosted in New York by Wipro Technologies. Many of those in attendance also brought along compatriots in their IT departments or straddled the IT-compliance border themselves, so they know the paralysis surrounding Dodd-Frank compliance firsthand.

Their complaints were strikingly similar to those of the energy executives I'd met the week before. Regulators—primarily the Securities and Exchange Commission and the Commodities Futures Trading Commission, with the Federal Reserve close behind—are giving them no clear sense of what they want to see as the end result of Dodd-Frank compliance: that is, the hard data that financial firms will be expected to capture and report to the agencies. What structure should the data have? What IT systems or compliance programs will pass muster with the agencies as effective? Questions like that.

Perhaps one can defend the agencies, that they can't be expected to know precisely what final product they'll want from compliance departments when many crucial rules haven't even been adopted yet. (Don't forget, comments for the proposed Volcker Rule were due Feb. 13.) But that puts compliance officers everywhere in the position of one woman I met at this event, trying to build better compliance systems at one of the largest banks on Wall Street. She told the tale of approaching the bank's IT staff for help in modifying a few systems. “No problem,” they told her. “What's the project deadline?”

“Ah… hmmm,” she told the rest of us. “I wish I knew. I wish anybody knew. Nobody does.”

This is where the theory of Dodd-Frank crashes into the reality of human beings. Of course IT people want a project deadline. They want an objective. They want a budget. They want an action plan they can use to execute the task of writing new code, and they want it to be precise. You can't fault them for it; this is how IT people get graded, rewarded and promoted.

Our forum's conversation then wandered into what software upgrades financial firms are launching for Dodd-Frank compliance right now. I asked: How many of you are using home-grown solutions? Many hands went up. And how many are using some sort of strategic partnership with a large vendor, the Oracles or IBMs or Wipros of the world? Hardly any hands went up.

This is no fault of the large enterprise software vendors, most of whom have great products and great people. But as one compliance officer told me when Compliance Week last explored this subject 14 months ago, “What, I'm going to recommend a full ERP software implementation that takes two years, and then find out the rules have changed and new vendors can give me the same products at half the price? That'll be a great way to get myself fired.” Not much has changed since then, apparently, because the compliance officers at this latest forum said almost the exact same thing.

So compliance departments struggling with Dodd-Frank compliance today are taking the IT road they know: Microsoft Office applications. They create more policy narratives in Word, more spreadsheets in Excel—and more presentations in PowerPoint to persuade regulators and audit committees that, yes really truly, we're trying to stay on top of things. The truth is that they're using Microsoft as a tactical weapon, something to hold them over until regulators give a much better sense of what they want to see for compliance. Only then will large numbers of compliance departments seriously consider more strategic IT investments with ERP software vendors.

The woman I mentioned earlier, struggling to secure support from her IT staff, said with a wry smile that her compliance department likes to call the Microsoft approach “the interim solutions.”

OK, I said, but are these interim solutions really anything much more than window-dressing to show that at least you're trying? “I wish I knew,” she said, and then departed for an evening train home.

I went back to the bar for another drink. I suspect many compliance officers want to do the same these days.

Programming note: Compliance Week will be hosting an executive forum of its own for compliance officers in the financial sector next month, in New York City. We will be discussing the new risk management and risk disclosure obligations that the Dodd-Frank Act imposes on banks (especially systemically important ones), so if anyone here would like to attend, please drop me an email at and I can provide the details. Full-time, in-house compliance, risk, and audit executives only!