The expectation that financial services firms will continue to face more regulation — both volume and complexity — has become the norm for compliance teams. In 2015-16 an average of 200 international regulatory changes and announcements were recorded daily (source: Thomson Reuters Regulatory Intelligence). Compliance teams face a monumental task, tracking and analysing these changes, and effecting change as required. It’s a necessary evil. And with budgets under pressure, the mandate to derive business benefit from spend on compliance has never been greater.
Three-quarters of financial firms also expect focus on regulatory risk management to rise in 2016, in light of news that harsher penalties are likely to be imposed. In the words of Sally Quillian Yates, deputy attorney general at the U.S. Department of Justice, “One of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.”
So compliance just got personal. Senior management has responded by directing compliance and risk teams to increase their armoury, and protect the firm, its staff and its customers, at all levels of the business.
Digital border control warrants its place, front and centre of any risk mitigation strategy. Digital transformation projects have accelerated in recent years, triggered by the advent of the digitally native millennials, and increased client demand for anytime, anywhere self-service. Combined with internal usage of digital platforms that give access to client identifying data – and the inherent data leakage risks associated with that – financial firms must keep scrupulous records of all digital activity, and protect their digital frontiers, if they are to fully mitigate risk.
The requirements of the regulator are very clear. Financial institutions must be able to prove exactly what a customer saw and did via the firm’s digital channels (web, social and mobile). They must capture all digital activity and interactions, and retain them in easily accessible form, for up to 10 years (varies by regulation). This is especially challenging in today’s dynamic digital world, where personalisation is pervasive.
From a technology standpoint, the legacy systems built to track digital interactions were designed for customer experience analysis, not for compliance or conduct risk, and they cannot be made to satisfy those requirements. With capture rates of 95% or below, they are useful only for monitoring anonymous usability trends and performing e-commerce conversion analysis; they fall far short of what compliance demands.
To build a view of digital activity, legacy systems rely either on analysis of server log files or on interception of the traffic between a customer’s device and the firm’s digital border, the same position an attacker’s ‘man in the middle’ would occupy, here used for capture rather than attack. From a compliance and risk perspective, neither approach is effective. There is no certainty that all digital activity is captured; interpretation of log files is error-prone, time consuming and lacks context; and network interception is defeated by the transport encryption (TLS) that is necessary to protect the digital frontier from external threat, because the interceptor sees only ciphertext. The usual workaround, and even then not a conclusive one, is to weaken or break that encryption at the capture point, which compromises other aspects of the business and increases the risk of personal data loss and theft.
So, if your digital tracking systems cannot capture 100% of digital activity, this raises the question: “Is 100% truly necessary for compliance?” Clearly so, unless your compliance and legal teams are willing to accept the substantial risk that the 5% or more of digital activity you are missing contains one or more indefensible acts of conduct, which could lead to a multi-million-dollar fine, loss of reputation, or even a jail sentence.
With the compliance and risk tide turning, financial firms must review their digital compliance status, and think more creatively about how to meet changing regulatory expectations, with additional investment in compliance technology, often tagged ‘Regtech’.
Pioneers in the Regtech space are now recording every mouse movement, tab click, keystroke, screen rotation and finger swipe, to provide an exact rendition of a customer’s interaction, or an employee’s digital activity. Playback is in movie-like form, so the compliance team, a regulator, or a legal official can see exactly what a customer or employee saw, at any moment in time. Typically, records are retained in compressed and tagged form, providing client-oriented search and far greater accessibility. This approach represents a progressive shift towards a client-centric operating model, which is a driving force for most financial institutions.
And the icing on the cake? This new wave of Regtech solutions finally delivers broader business benefit from spend on digital compliance. User behaviour can be monitored to alert the forensic team in real time when suspected fraudulent acts are detected. The large volume of data captured for compliance purposes can also be used for customer behaviour analytics, and for day-to-day customer service and support.
Furthermore, because of the extended retention periods required for regulatory compliance, this data provides a view of customer behaviour across the whole life of the relationship, leading to more accurate profiling, which marketers can use to encourage long-term customer satisfaction and retention.
With clever investment in Regtech, spend on compliance can truly become a business enabler, delivering measurable return on investment, rather than being viewed simply as a necessary-evil insurance cost.
By Nicola Cowburn, CMO, Qumram.