Information management impact on compliance and risk mitigation

Information management impact on compliance and risk mitigation

 

By Jawad Alalawi, July 26, 2020

Financial Regulators rely on data they receive to fulfill their supervision and risk-management duties on authorized financial firms. It is the standard way for overseeing and understanding the local economy and its interrelation relations with the international community. Liquidity, fraud, money laundering, terrorism financing are the top topics for the regulator in forming its macro vision on the local economy.

Information management requirements for regulators

Regulators work on data received or requested from financial firms, data is meaningless without a defined information model that makes them readable to humans, makes them tangible to generate statistics, and makes them accessible to make decisions. Data residing on storage mediums might not be meaningful; transforming data into well-presented information is the ultimate target. Authorized regulated firms provide regulators with huge amounts of data periodically and on request, those data are getting obsolete soon unless they are loaded and aggregated into a central data management information system, keeping them accessible, handy and meaningful.

A regulator assessing the compliance status for a financial firm works through data-collected from the firm, data sampling, and then forming a general understanding about the adherence level. A financial firm could fail to provide a consistent data-model of information about its clients, their products and services under good standing form. Many firms fail to profile its clients properly on reported data to regulators. That failure could lead to rate the firm as high risk, or rate specific product as risky product, or might lead to a penalty or license suspension.

Costs involved in data-management

The time spent on data-analysis to form a clear picture inside a regulated firm is considerable. Data-collection and data-entry is time and cost. Compliance team, risk management and anti-money laundry teams are usually limited in people and allocated budget; sometimes they are all in a single department with very few team members. Relying on poorly collected and formatted data makes their job hard. Similarly, a well-structured business environment, robust information management systems, enable regulated firms to do effective and less cost work. The trade-off between both directions is mostly to the favor of lowering costs.  

The regulator requirements, of reported data for transactions, and good standing loans outstanding as an example are regularly specific. The inclusion of defaulted loans, and suspicious transactions with granular details in all reported data, lead to inefficient data-model communication between the financial firm and the regulator. Differentiating data reporting by the purpose of reporting participates in cost reduction and improved reported data.

Example: World Financial Crises information systems failure

Weaknesses in legacy information systems, inherited bad-design data-architectures are increasing the risk on financial firms, and limits the financial authorities ability to exercise good risk-assessment. World Financial Crises (WFC) 2008 is a great example of financial firms’ limited data-systems in providing their managements with the minimum required level of risk exposure they were facing, the systems at that time were lacking the ability to aggregate enough data into risk assessment models if they were available. The result was a world level catastrophe. On the other side, regulators ability as well were not good in the formation of good standing position about financial firms risk status, the industry claim of many experts “regulators were underestimating the subprime cascading effect”, was accurate due to the undervalued importance of good data-management and information systems, along with allocated budgets at that time.

Risk Assessment within regulated firms

The relationship is very tight between risk mitigation and effective information management. A better risk assessment and risk profiling is always a result of accurate, up-to-date and sufficient information in place. The more information available at a certain point of time, matched up by a well-structured data aggregation information system, the better results it generates, and higher accuracy risk calculation.

Risk mitigation is accumulated experience over the time, the more cases the firm or person works with, the more they get better in understanding the risks on certain patterns or trends. Personal or group judgment to an observed behavior, raising trend, reported incidents for investigation by authorities, direct and indirect collaboration with other financial firms, industry news and events are all participating in building risk mitigation experience.

People with strong memory and high analytical skills do the best in anticipating risks and judging results using their correlation and overall comprehension skills. They usually excel in generating sound results, reading current trends and anticipated risks on transactions, products and business systems. The outcome of a single person never goes beyond the person’s existence; once the person leaves, accumulated experience, working practices, implemented procedures, are all referenced as the person’s legacy. Most personal legacy systems lack organizational practice unless systemized.

Regulated firms do not depend on a single person, they build business structure, they work through governance practice, and implement systematic information management approach beyond the single person, structured systems that work to the organizational interest. People change or replacement does not impact the organization systems and processes, although some people are leaving strong fingerprints. The legacy that works without the need to do massive change in practices and procedures for a long time, preserve continuous productivity, and keep smooth running operations, is the best personal legacy in a regulated firm.

The result of a systemized environment in risk assessment, risk mitigation, and effective risk management processes is the best risk management practice for a departed successful manager within any financial firm.

Information management for business and compliance

Information meant to drive businesses, information are conceptualization of collected data from processes working to create products or serve customers. Collecting data, grouping them, feeding them into data management applications, and consuming them is the norm now. Capturing the right data for product development or customer service is important, proper customer serving and risk mitigation is a product of well-developed information management systems.

Successful business information systems are simple to manage, easy to capture information, easy to digest information and transform it into meaningful outcomes. Data on systems remains raw material unless transformed into meaningful, digestible form of information.

Achieving the status of compliance is the result of adhering to regulator general rules, and organization internal rules; by transforming the rules and regulations as a daily practice, unnoticeable. Due to the nature of the current business environment and the mass amount of business transactions executed daily, achieving compliance is a hard task to do using manual business processes without strong information management systems.

Information collection and reporting approach

Each regulatory jurisdiction has its own data collection, data-reporting, data-aggregation philosophy. Within each jurisdiction, no two regulated firms follow exact data-collection, data reporting, and data-aggregation style and format. Irrespective of the regulatory framework, data management follows a specific pattern to work effectively under all regulatory jurisdiction.

It is important to have an approach to standardize the entire process of information collection, information storage, information reporting, statistics generation, and risk profiling.

The following are all basics to provide structured approach:

  • Customer onboarding
  • Product selling
  • Operational process data
  • Operational data collection
  • Data storage information systems

Regulated firms differ on their processes and products, however, the commonalities are a lot between processes and products. They are all selling financial products and services. 

Customer onboarding is the most important step nowadays; it is composed of a large set of data collection from new customers, or by updating existing customers’ information. Financial firms globally forced to follow US-treasury customer declaration requirements for tax purposes, and combating the financing of terrorism “CFT”, along with their local regulatory requirements. Some banks made large booklets for customer onboarding just for opening a bank account. Segregating basic customer information from special purpose and special reporting data can lead to standardized data sets of customer onboarding.

General practice for data management

 There is a business purpose for data management, business goals define the purpose. Any business sells a product/service to its consumers; the product dictates the process, process needs information, information needs medium, the medium works on a setup. Ultimately, it is a cycle starting from the business drivers to the consumer consumption and reuse.

The pillars for data management

  • Products or service to sell/consume
  • Consumers who buy or consume
  • Business process that deliver products or services to consumers
  • Imposed regulations and governance practices

 

Data Management for the product/service

  • Product/service need identification
  • Product/service creation
  • Product/service selling
  • Product/service consumption
  • Product/service improvement or upgrade
  • Product/service retirement

 

Data Management for consumers

  • Consumer registration, or profile definition
  • Products and services tracking for the consumer
  • Business process and people that serves the consumers

 

Data Management for business process

  • Front line people capturing consumer intent and requirements
  • Business units consuming consumer data to deliver products or services
  • Support units consuming consumer products or services data to continue service delivery
  • Regulatory units within the business to ensure related regulations applied properly

Data Management for Governance Practice

  • The business setup for product or service delivery
  • The product or service delivery process definition
  • The relationship between business and consumer definition

 

Data Management for Compliance and Risk Management

  • Profiling customers from the onboarding process
  • Working from an inventory of risks to mitigate
  • Calculating a risk value for each customer transaction
  • Rating the customer on term of risk level
  • Reviewing customers’ due diligence
  • Profiling the financial firm overall risk

 The above illustration is generic to most types of financial firms businesses in order to deliver products and services. Any financial firm needs effective data management to be compliant and mitigate risks. Failing to address data management in a regulated environment, will lead to failure in compliance, failure in compliance is the result of bad risk-mitigation practice within the business.

Governance in the process

Throughout my experience, I found that governance is the most neglected practice within businesses and the major source of regulatory gaps in the business as well as the major source of non-effective risk management. It is not the people’s ignorance of governance importance; it is the day-to-day operations introducing challenges to handle regularly. Small financial firms tend to skip governance practices.

It is difficult and cumbersome to reverse the process from daily operations, to lay out clear processes, reaching up to a solid governance model. With that difficulty in mind, regulation frameworks come into play. Throughout its long time maturity and collected experience, regulation frameworks for regulated environments deliver strong ground to ensure proper relationship between governance and products/services delivery to consumers.

Further reading: Information classification role in regulated environment (case study)

About the Author: Jawad Alalawi

Information Technology Professional specialized in Financial Payment Services, Risk Management, Information Security, and Compliance. Experienced in solutions development and implementation. Email contact (sjawada5 at gmail.com)

Technology Specialist & Consultant

(20)