Chapter 4: Complex regulation
Trends: A cursory glance at recent headlines about Facebook should be sufficient to show that privacy, and who “owns” one’s data, has blown up into a controversial and pivotal issue.
The investments business is no different. European regulators are taking the lead, leaving some firms wrestling with the recently implemented General Data Protection Regulation (GDPR).
Privacy will soon have a similar impact on U.S. asset managers when the California Consumer Privacy Act (CCPA) goes into effect in 2020. While similar to GDPR, it will affect managers collecting or selling Californians’ personal information, irrespective of where the manager is based. With numerous requirements, CCPA will impose a significant legal compliance burden. And even if a manager doesn’t have California-based clients, they will be subject to CCPA if using data containing California personal information.
As daunting as this prospect is, it comprises only a small part of the regulatory compliance picture most managers face. Cybersecurity is a related issue. Liquidity risk continues to be scrutinized. Sales practices are fair game. Operational risk management is also coming into focus as an area of enforcement. Making matters worse, the proliferation of regulatory bodies worldwide means that any firm with global operations (or ambitions) must contend with an increasingly complex landscape of rules and rule makers (Figure 1).
Some firms even struggle to adequately address existing regulation. There have been widespread teething problems associated with the EU’s MiFID II, which was implemented in early 2018. Data handling issues and the restructuring of payments for research are only two of the areas that have been widely reported as problematic. As noted by Vivien Crayston of Eureka Financial, “The process changes, data supply and vendor engagement to manage all these were perhaps mostly underestimated. Now firms through 2018/19 are still struggling to effectively and smoothly integrate into their business functions.”[1]
Implications: Privacy practices will only become more important, and the best firms will be proactive and ahead of the curve.
Being perceived as loose with client data is a major strike against any firm in this environment. While currently a European issue, we expect GDPR-like regulations eventually will be enacted globally. As such, technology solutions should be developed with sufficient flexibility to handle upcoming requirements. As bad actors multiply and the arms race heats up, cybersecurity has never been more critical. A lot of work has been done, but cybersecurity is not going to become less important. The implications of a hack reach far beyond any potential financial loss. At a minimum, investors will need to be reassured, liabilities will increase and regulators will increase scrutiny.
Firms operating across multiple jurisdictions face the greatest challenge. They’ll likely need more personnel, but they may not be employees. Outsourcing will play an important role for many firms, and regulatory technology (“regtech”) will aim to streamline and transform cumbersome regulatory processes. Functions likely to be affected include anti-fraud and risk management, personal data consent, regulatory reporting, fund reconciliation and more.[2]
There is little doubt that the cost of compliance has risen dramatically in recent years. How spending will change in coming years is less clear. According to a Thomson Reuters survey, two out of three firms expect to increase their compliance budget in 2019.[3] Complying presents limited commercial value, but financial penalties and reputational risk from non-compliance are significant, meaning that additional margin pressure is inescapable.
According to research from Accenture, however, “About two thirds of global financial firms expect compliance teams to slash spending by 10% or more within the next three years.”[4] After years of rising expenses, firms are now looking to technology for ways to lower compliance costs. They are increasingly relying on technology to accelerate product development, make distribution more efficient, reduce redundancy, send alerts, monitor trades, track risk exposures, automate investor servicing, simplify the purchase process across mobile devices, check investor identities and track rule changes across jurisdictions.
More cutting edge are predictive analytics that can assess whether past misconduct means certain employees might also commit wrongdoing in the future, or which investors are likely to redeem uncharacteristically. Also interesting is natural language processing, because of its ability to “help analyze large amounts of text and feed relevant information into new databases,” according to Dilip Krishna of Deloitte.[5] AI is also being used to monitor trade compliance and examine marketing material for noncompliant content.
All of this signals a sea change in approaches to compliance. Regulation is a resource-intensive, money-draining proposition that is affecting margins. Many firms are resigned to simply throwing money at the problem. While understandable, this is not sustainable. A more strategic approach that leverages technology not only streamlines compliance processes but lays the groundwork for more flexibility. Rather than reacting to every change in the regulatory landscape, Deloitte suggests that “regulatory change is driving many firms to commit resources to evaluate and change their operating models to meet their plans for growth and efficiency.”[6]