translating compliance spending into strategic investment_final full

CEB TOWERGROUP | Capital Markets

© 2015 CEB. www.executiveboard.com

TRANSLATING COMPLIANCE SPENDING INTO STRATEGIC INVESTMENT

15% loss in ROE Systemically important banks have lost 15 percentage points off ROE and have struggled to gain back ground. Macroprudential regulation, designed to reduce systemic risk, had the inevitable consequence of pummeling the bottom line.

155 rules undecided Almost five years after Dodd-Frank was introduced, only 60% of the rules had been implemented in practice, leaving 155 rules still to be decided. This continued uncertainty requires prolonged investment to mitigate the risk burden.

REGULATIONS HAVE PUMMELED PROFITABILITY FOR SELL-SIDE BANKS

UNCERTAINTY STILL REMAINS OVER 40% OF DODD-FRANK RULES

GAINS IN EFFICIENCY HAVE FAILED TO KEEP PACE WITH REVENUE

Source: Bloomberg

Dodd-Frank Progress Report of Required Rules Finalized Rulemaking Progress as of March 31, 2015

Source: Davis Polk, “Dodd-Frank Progress Report,” March 2015

Source: S&P Capital IQ Research Insight

Global Asset Management Efficiency Ratio vs. Revenue

$0

$100

$200

$300

$400

$500

-$4,000-$3,000-$2,000-$1,000

$0$1,000$2,000$3,000$4,000

2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

Revenue per Employee ($) Average Global Revenue ($ millions)

60% Finalized

Finalized rules

235 155

Remaining rules

-10%

0%

10%

20%

2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

ROE Tier-1 Capital Ratio

Return on Equity (ROE) and Tier-1 Capital Ratio of Systemically Important Banks Average of 14 banks, 2004-2013

70% efficiency loss While the average global revenue earned by asset management firms continues to reach all-time new highs ($415M as of 2013), the efficiency ratio, measured by revenue per employee, is only 30% the size of its 2007 peak.

i.

CEB TOWERGROUP | Capital Markets

© 2015 CEB. www.executiveboard.com

100

35 30

17 16 15 12

0

50

100

Business ProcessOutsourcing

(BPO)

Social NetworkingTechnologies

InformationTechnology

Outsourcing (ITO)

ApplicationDevelopment &Maintenance

(ADM)

Order Routing &MessagingNetworks

DerivativesSystems

Rest oftechnologies

(average)

FUNDED BUT ON THE FENCE: OUTDATED VIEWS ON OUTSOURCING

45% Nearly half of surveyed capital markets executives plan to adopt or replace their existing outsourcing services by 2019. The firms that will benefit the most from these investments are expanding the partnerships beyond traditional low-value activities.

45% 45% 44%

Percentage of Firms Either Adopting or Replacing Sourcing Platforms by 2019

N = 1,266 Source: CEB 2015 Global FSI Survey

Application Maintenance & Development

Business Process

Outsourcing

Information Technology Outsourcing

In a recent poll of capital markets executives, CEB found a revealing contradiction in their perceptions about outsourcing. Although executives indicated a high intention to increase spending on all types of outsourcing, they rated it as a relatively low-value activity. These “reluctant spenders” see outsourcing as a rote task that doesn’t bring the same level of business value as other technologies or services.

Most capital markets firms still underestimate the gains that sourcing partnerships can bring in mitigating uncertainty and regulatory risk. These firms are resting on antiquated perceptions — that the primary role of outsourcing is to take commoditized, low value tasks and export them to a third-party firm. Leading firms are expanding their approach to sourcing and identifying partnerships that will create differentiating value.

Value Shortfall Perception Index Technologies and Services Indexed by Highest Spending Increases with Lowest Ratings of Value

Source: CEB 2015 FSI Survey

Investing in sourcing

ii.

2015 CEB All rights reserved.

May not be reproduced by any means without express permission.

1

Withstanding the Regulatory Spotlight Reducing the Risk Burden in Risk and Compliance Management

Gert Raeves Compliments of Cognizant Technology Solutions Senior Research Director Capital Markets Atit Amin

Senior Analyst Capital Markets June 2015

CEB TowerGroup Key Findings Given the barrage of new regulatory standards, firms are spending large portions of their technology

budget on implementing and operating risk management and compliance functions. CEB projects that global spending on risk management and compliance technology will hit nearly $45B with North America and Europe expecting a 20% and 16% compound annual growth rates, respectively, through 2018

To reduce these costs, leading organizations are undertaking transformative business-led initiatives that promote a flexible technology infrastructure and leverage outsourced service delivery solutions.

Some of these initiatives include leveraging data utilities, converging market and reference data and outsourcing risk functions including KYC and list management.

Centralized data management will also be crucial to the success of these initiatives; however almost 70% of capital markets firms either do not have a data management strategy or have not invested in it.

Additionally, moving to a business-led, vendor enabled model will also allow firms to further identify opportunities for innovation and expanded capabilities which will be critical for continued profitability.

Executive Summary

In years past, risk management was traditionally dominated by financial and hazard risks, such as complying with new regulation and managing against a lack of liquidity. Now that those risks can be transferred through hedging and insurance, they have taken a backseat to strategic, operational, and reputational risks that business leaders must proactively identify and manage. These business risks, if not managed correctly, can dramatically affect an enterprise’s financial results, brand, and even ability to operate, thereby having a severe negative impact on shareholders, customers, and employees. Additionally, the operating costs to manage risk and compliance functions has dramatically increased and cutting costs will require a substantive shift across business, IT and vendor teams. Within the context of new regulatory requirements, capital markets firms cannot afford to practice risk management the old fashioned way. Serving the sophisticated needs of future risk management principles will require a broader change in the perception of risk technology. Instead of viewing it as a “nice to have”, highly effective risk governance models position risk technology as business critical and a function that delivers



2

competitive advantage. As a result, CEB TowerGroup believes that risk management and compliance technologies, built upon a flexible delivery model that promotes context-based innovation, speed-to-market, and an agile workforce, is the best means of integrating the discovery, measurement, monitoring, and management of firm-wide risk.

Withstanding the Regulatory Spotlight

Since the 2008 financial crisis, financial institutions have faced unprecedented regulatory challenges, resulting in increased efforts at implementing risk management and compliance solutions. Four years after the Dodd-Frank Act became law, most firms still expect further spending increases as new rules take effect. As of December 2014, only 231 of the collective 398 rulemaking requirements have been finalized according to Davis-Polk research, leaving almost 42% of requirements still to be decided. As a consequence, more than 60% of surveyed capital markets firms expect to increase their Dodd-Frank expenditures during the next 12 months, signaling the breadth and depth of changes that are scheduled to come (Exhibit 1).

Exhibit 1: Dodd-Frank Progress Report (Top); Asset Managers Increasing IT Spending Per Regulation in 2015 (Bottom) Rulemaking Progress as of December 1, 2014 (Top); Percentage of Capital Markets Firms Answering “Increase in Spend,” Excluding Answers of “Unsure”, 2014 (Bottom) Sources: Davis Polk, “Dodd-Frank Progress Report”, December 2014 (Top); CEB 2014 FSI Survey (Bottom).

To illustrate, an additional list of new regulatory safeguards that financial institutions are planning for include:

Data Reporting: Changes to reporting of census information, fund investment in derivatives, liquidity

and valuation of holdings, securities lending, and separately managed accounts.

Portfolio Composition Risk and Controls: Mutual funds and ETFs may require a board risk

management program for liquidity and derivatives. Risk management requirements may include



3

updated liquidity standards, disclosures of liquidity risk, or measures to limit the leverage created by a

fund’s use of derivatives.

Dismantling Plans: Investment advisors will need to submit plans for a “major disruption” to their

business.

Stress Testing: The SEC may conduct annual stress tests on large funds and investment advisers,

similar to those conducted by the Federal Reserve on commercial banks.

Given this barrage of existing and new regulation, firms are increasing their spending on compliance technologies as the post-crisis regulatory landscape shifts market structure and necessitate new governance and reporting procedures. Per CEB estimates, capital markets firms have already incurred more than $20 billion in compliance costs since 2009, not counting additional layers of litigation costs and legal settlements. In our opinion, the largest sources of compliance costs emanate from regulations that have altered, and in some cases, created new market structure in both the equities and derivatives markets across the United States and Europe. For example, as the trading of OTC derivatives trading moves onto exchange-like venues, traders will have much greater insight and access to information and trade data. With better tools and resources at their disposal, traders will also have to respond faster to price volatility, and make efficient, informed investment decisions. The shift from manual, human-based trading to screen-based execution raises the importance of possessing real-time, streaming information and data flows, and up-to-the-second pricing, risk, and valuation. As such, an optimal trading environment will require firms to have interoperable systems that can not only integrate data through trading, risk and pricing but also incorporate the cost of centralized clearing and settlement so portfolio managers and traders can assess the fully loaded cost of a derivative instrument. This shift will require considerable enhancements to disparate systems, streamlined processes to ensure processing time is not impacted and require more cross-team communication. Moreover, regulation and compliance costs are rising for ‘Change the Bank’ (CtB) initiatives and teams as they prepare systems to comply with new standards and processes. The regulation will also impact Run the Bank (RtB) teams as they ramp up to manage and support these more complex compliance and risk management functions going forward. CEB projections indicate that global spending on risk management and compliance technology will hit nearly $45B with North America and Europe expecting a 20% and 16% compound annual growth rates, respectively, through 2018 (Exhibit 2). Furthermore, according to the Bureau of Labor Statistics, compliance officer employment in the finance and insurance industry within North America is expected to rise 11% nationwide from 2012 – 2022.



4

Exhibit 2: Global Technology Spending on Risk Management and Compliance (Top); Global Technology Spending on Risk Management and Compliance (Bottom) By Region, Share of Cumulative Expenditure as of 2014 (Top); In Millions of USD 2008(P) – 2018(P) (Bottom)

Source: CEB Analysis

And while the up-front technology investment will be significant and unavoidable, the project impact of some regulation should diminish with technologies that can reduce costs and enhance control. Firms should examine post-implementation cost-cutting and process improvement opportunities as part of compliance technology enhancements to make the most of required changes. This can be achieved by implementing management principles that enable technology and business teams to maximize returns, centralize and streamline risk data management and reporting and outsource non-core risk and compliance functions all to reduce cost.

Implement a Flexible, Business Led Risk Management Organization

Digitization – defined as how enterprises exploit all sources of data and technology to enable new capabilities and a more efficient value chain – will become increasingly important to risk and compliance functions as effective implementation can dramatically reduce cost and streamline processes. To capitalize on these gains, risk and compliance IT teams will need to implement a flexible technology infrastructure that promotes the enduring strengths of business, technology, and vendors. Pejoratively nicknamed “shadow IT” and even “rogue IT,” business-led IT has provoked executives to try and stamp it out with increasingly rigorous governance processes that channel technology-related spending through Corporate IT. Nevertheless, CEB research believes that the rise of business-led IT is inevitable and beneficial. Because information enables an increasing amount of business outcomes, more than 70% of business leaders are now willing to run their own technology projects. We believe that the rise of business-led IT is inevitable and when implemented correctly, can reduce spend and be more beneficial to the organization than just improving IT delivery. These benefits include a rapid test and learn cycle which allows business



5

teams to experiment with new capabilities earlier in the lifecycle and thereby reduce costly testing cycles. Additionally, as regulatory costs rise for IT teams, business-led risk and compliance provides an additional 40% of technology investment. However, not all business-led IT spending is healthy; when poorly managed, it can drive up costs, risks, and create data silos. Risks of business-led IT includes underestimating operational stability needs, weak vendor management, and immature, duplicative siloed solutions. To reduce these risks, leading firms are playing to the comparative advantages of the organization (Exhibit 3). In this ideal paradigm, business teams drive innovation as they have the best insight into clients, products and competitors. Additionally, this model offers flexibility as business teams are better able to control resources and make trade-offs between opportunities. This shift also plays to the strengths of vendors and IT teams by outsourcing deep, technical expertise to service providers and freeing up internal IT teams to focus on building skills that will have lasting value to the business. In this new paradigm, vendors provide subject matter expertise (SME) at a reduced cost and provide efficient, scalable operations that are often unfeasible with an internal IT team. As firms move towards outsourcing SME, IT teams can then focus on enduring skills such as bolstering service management, offering a cross-enterprise perspective and consulting the business as they lead innovation initiatives.

Exhibit 3: Strengths of Technology Projects Led by IT, Vendors, and Business Line Leaders Illustrative Source: CEB Analysis

Centralize and Streamline Risk Data Management and Reporting

Due to increased cost pressures, divisions between market and reference data are also converging. While the two types of data are historically purchased and processed separately, the separation should be eliminated, as risk and finance functions begin to straddle the front-and-back office divide. This approach would ensure that



6

financial data is consistent throughout the business and reduce the cost of managing the divisions in silos. According to CEB’s Data Management Survey, 71% of business leaders are planning to converge market and reference data in the coming years. This is particularly notable for risk management teams given the negative impact inaccurate data can have on risk analytics and compliance. As firms break asset-class and business line silos, a one-data approach will improve risk and compliance management, service, and cut costs (Exhibit 4). Firms that have already moved to a one data approach have seen improvements in risk analytics, data consistency, as well as trade processing and reporting. In fact, three leading G-SIBs in North America partnered with Cognizant to comply effectively with the BCBS 239 regulation related to risk data aggregation and reporting. Post-implementation, the firms realized rationalization of enterprise risk data, developed data traceability, lineage, and aggregation, created glossaries and process maps for gap analysis, and ensured transparency and automation of regulatory reports for Basel and Fed exams.

Exhibit 4: Convergence of Historically Distinct Investment Analytics Technology (Top), Five Areas of Asset Class Convergence that Offer the Highest ROI Potential (Bottom) Illustrative Sources: CEB Analysis

Additionally, Dodd-Frank requires firms to re-examine their standards, particularly around counterparties, contracts and underlying securities. Yet, many firms report low standardization maturity, which amplifies the challenges of Dodd Frank implementation and the ongoing maintenance of data standardization. Given this challenge, leading firms are moving towards an outsourced security master model to ensure data standardization and reduce overall maintenance cost. For example, Bank Vontobel—listed on the SIX Swiss Exchange—operates in 21 international locations and manages a total of CHF 150 billion in client assets, turned a data management initiative into a new revenue source by creating an outsource service. Their existing system’s reliance on specialists, along with new regulatory requirements and a multi-data provider model, drove the urgency for change. To simplify their processes, reduce cost, and gain revenue, the firm outsourced their security master services. The benefits of the project included an internal data management and BPO



7

strategy in a single platform which provided scalability to onboard more customers with different levels of services as well as quality and efficiency improvements. Institutions also display low maturity in risk data aggregation and reporting of several important types of risk data. According to the CEB 2014 FSI Survey, almost 70% of firms either do not have a data management strategy or have not invested in it. Low standardization maturity will amplify the challenges of Dodd-Frank implementation, as it requires firms to reexamine their standards, particularly around counterparties, contracts, and underlying securities. Furthermore, Basel III introduces several new principles that risk and compliance teams will need to be prepared for including, but not limited to:

Governance: Risk aggregation capabilities should be subject to strong governance arrangements.

Data Architecture and IT Infrastructure: IT infrastructure should support risk reporting practices

during times of normalcy and stress.

Timeliness and Comprehensiveness: Reporting will require up-to-date risk data in a timely manner

and will be expected to cover a broad range of on-demand, ad hoc risk management and reporting

requests.

Frequency and Distribution: Board and Senior Management should set the frequency of risk

management report production and risk reports should preserve confidentiality.

These principles are notable as they are ambitious and cover a broad set of risk aggregation and reporting capabilities, shift focus towards data accuracy, completeness and timeliness, and require several IT-specific capabilities, such as real-time and ad hoc reporting. It will be important for RtB teams to consider these factors as they prepare their risk management and compliance functions for the future state. Building these capabilities in-house can be costly and difficult to maintain therefore outsourcing opportunities should be considered to scale for increased regulation and reduce operating costs.

Leverage Outsourcing, Utilities, and Partnerships to Cut Costs

To rein in costs while maintaining the integrity and efficiency of daily operations, many corporations are responding by turning to outsourcing service providers and utility models. In March 2002, American Express signed a $4 billion deal with IBM to outsource its IT infrastructure in an effort to improve flexibility of costs and capacity in light of extreme volatility. By moving toward an outsourced model, they were able to cut infrastructure costs by 50% and IT staff by 33%.1 The trend will be similar among other financial institutions as their compliance-related costs continue to grow. JP Morgan, for instance, recently announced that it had grown its compliance IT spend by 27% since 2011 in order to meet demands.2 Banks without necessary controls have in some cases received strong penalties from regulators. HSBC was forced to a pay a $1.9 billion in anti-money laundering fine in last year.3 As more regulation is unveiled and the demand for processing speed grows, the push towards partnering, leveraging utilities and outsourcing will become critical, particularly in anti-money laundering (AML) and know your customer (KYC) technologies, as it can reduce operating costs and enable the agility required to handle the changing demands. To mitigate risk and combat rising costs, financial institutions are also engaging in strategic partnerships to centralize commoditized risk and compliance activities. For example, a group of the world’s biggest banks have 1 “Benefits of IT Outsourcing Contracts”, CEB CIO Leadership Council, August 2008.



8

2 “JPMorgan Ramps Up Compliance and Controls IT Spending”, Finextra, September 18, 2013.

3 “HSBC to Pay Record US Penalty”, Wall Street Journal, December 11, 2012.

joined forces with SWIFT to develop and use a centralized due-diligence system designed to reduce the burden of compliance and the rising regulatory costs associated with it. Bank of America Merrill Lynch, Citi, Commerzbank, JPMorgan, Société Générale and Standard Chartered are among the group to have signed an agreement to jointly launch SWIFT’s KYC registry, which is a type of secure electronic repository for the masses of information required by banks as part of their due-diligence process on corporate clients all over the world.4 The KYC registry offers a powerful if rare public example of how banks are working together to resolve problems brought about by the regulatory onslaught. Under the agreement, the banks will participate in a SWIFT-led working group to agree on the registry’s processes, as well as the documentation and information necessary to fulfill KYC requirements across multiple jurisdictions. In addition, the banks are to start populating the registry with their own KYC data (Exhibit 5).

Exhibit 5: Sample of Recent Industry Data Utilities Illustrative

Sources: Clarient, Euroclear, Markit, CEB Reference Data Review, SWIFT.

Similarly, banks are also outsourcing the storage of compliance data to help reduce costs through a shared IT platform. Barclays, Credit Suisse, Goldman Sachs and JP Morgan Chase signed a memorandum of understanding (MOU) with post-trade services group the Depository Trust & Clearing Corporation (DTCC), with the aim of creating a shared repository for client reference data.5 The DTCC said the jointly developed data platform will enable banks, broker dealers, asset managers and hedge funds to store information including regulatory compliance data in a central library. Likewise, Cognizant has also worked with its clients to create similar internal utilities or shared service models for reconciliation and reference data processing.



9

4 “Major Banks Sign Up for SWIFT’s KYC Registry”, Bank Systems & Technology, March 4, 2014.

5 “Banks to Develop Shared IT Platform for Compliance Data Outsourcing”, ComputerworldUK, October 4, 2013.

Manage Sourcing Strategically to Gain Maximum Value

While industry utilities and outsourcing can be valuable for protecting data, cutting cost, and streamlining processes, firms will need to closely evaluate which risk and compliance functions lend well to an outsourced model and then prevent value erosion across the sourcing lifecycle. The first step is to validate the suitability of sourcing. This can be achieved be evaluating the criticality of a function (defined as an activity that would pose an immediate threat to the organization) against core value (defined as an activity that contributes to the firms competitive advantage). Activities viewed as core and mission critical, such as risk modeling, analytics and decisioning, should always remain in-house and on-site; whereas activities that are highly commoditized, such as list maintenance, reporting and data management, are better candidates for outsourcing (Exhibit 6).

Exhibit 6: Business Process Outsourcing Suitability Screen Illustrative Source: CEB Analysis.

The next step is to prevent execution risk that threatens a firm’s ability to gain maximum value from an outsourced model. Firms often migrate to outsourcing services as an unsustainable short term solution to a long term problem. To reduce value leakage, capital markets firms need to develop a sustainable outsourcing plan that avoids the follow common failure paths across the sourcing lifecycle:

Strategic Misalignment: Sourcing strategy is not linked to long-term strategies and financial

objectives.

Unfavorable Terms: Lack of initial cost transparency leads to suboptimal contract terms.

Measures that (Don’t) Matter: Choosing a vendor based on performance targets and SLA’s that fail to

reflect the end-user experience.



10

Out of Sync Teams: Coordination is poor between external providers and in-house staff.

New Role, Old Skills: Retained staff lack sourcing management skills.

Static Performance: Inflexible contract terms limit the ability to adapt to evolving business strategy.

No Innovation: Organizations are unable to create incentives for vendor led innovations.

Conclusions

In part due to an accelerating confluence of new-to-world risk factors, risk management is only going to get more difficult. There is a right way and a wrong way to respond. The best way to implement prudent risk management principles without introducing unnecessary organizational drag is to have IT, risk, vendor and business teams work together in delivering a flexible delivery model that promotes context-based innovation, speed-to-market, and competitive advantage. The ability to manage risks must become an essential leadership competency—on par with (and integral to) executing a strategy, launching a new product, and leading an effective team. Risk management is not a discrete activity for business units to conduct separately from strategy, business processes, and talent management; done properly, it is deeply embedded into all three of those important activities—not slowing them down or adding more cost burden, but actually improving them. Cognizant Technology Solutions commissioned CEB TowerGroup to conduct independent research and analysis of compliance and risk management trends in capital markets. The content of this report is the product of CEB TowerGroup and is based on independent, unbiased research not tied to any vendor product or solution. Although every effort has been taken to verify the accuracy of this information, neither CEB TowerGroup nor the sponsor of this report can accept any responsibility or liability for reliance by any person on this research or any of the information, opinions, or conclusions set out in the report.

translating compliance spending into strategic investment_final full

Documents

capital markets firms

ceb towergroup capital

revenue source

finalized rules

capital ratioreturn

average global revenue

doddfrank rules gains

types of outsourcing