Although almost all companies are struggling with new regulations and compliance issues, financial services firms have been particularly burdened by them. Unfortunately, new regulations such as Sarbanes-Oxley and the Patriot Act are turning out to be merely the starting point for ongoing implementation and management of new compliance processes, because most of these regulations are still relatively young and are continuing to evolve even as companies struggle to implement them.
Some organizations have sought targeted solutions (also known as “point” or “stand-alone” solutions) to bring themselves quickly into compliance with specific statutes. While this helps organizations address specific issues, it also ends up creating a series of standalone (or “siloed”) compliance solutions that eventually limit an organization’s power to manage its compliance requirements effectively. These disjointed compliance solutions may also prevent companies from leveraging some of the technologies available to handle the entire issue of corporate governance and compliance.
This paper takes a closer look at the regulatory and compliance challenges facing financial services organizations today. It examines the limitations of traditional stand-alone solutions and typical enterprise application integration (EAI) solutions, and offers a look at Ensemble, from InterSystems Corporation. Ensemble provides a comprehensive platform for rapidly building strategic compliance solutions that can monitor a business in real-time and rapidly integrate existing applications and reports. The paper also presents a sample broker/dealer compliance scenario to illustrate the challenges organizations face, and the ability of Ensemble to help create a more comprehensive compliance framework.
The Current State of Compliance
Over the past couple of years, being a good corporate citizen has taken on a new meaning. Organizations of all types now must devote more time and resources to corporate oversight and meeting government regulations. In particular, financial services firms have been hit with a number of new SEC and other regulatory compliance rules, including:
- The Patriot Act, which includes a series of compliance requirements associated with anti-money laundering, OFAC List, customer identification, SAR reports, and multiple other issues
- SEC Rule 17-a4, focused on email and Instant Messaging compliance
- Sarbanes-Oxley, which is aimed at ensuring more complete corporate governance
- Mutual Fund Trading Compliance, focused on tightening securities regulations
Unfortunately, this is not a final list, since most analysts agree that new regulations will continue to be released. They may include facets of Basel II, changes in Net Capital Requirements for Broker/Dealers (proposed amendment to Rule 15c3-12), and additional Patriot Act regulations.
Financial services firms have chosen a variety of ways to address these regulations, including custom development projects, enhancements to existing systems, or purchasing a vendor-provided system to address compliance concerns. Unfortunately, many firms have treated each compliance requirement separately. Often, the solutions implemented are department-specific, creating silos of redundant functionality. In many cases, these solutions are add-ons that perform scans and generate reports in batch, not utilizing a real-time infrastructure. The result is an inconsistent compliance framework of disparate technologies and processes. In addition, as regulation changes are introduced, existing systems must be enhanced or extended to meet the new requirements.
With the focus shifting to identifying problems before they occur, firms are struggling to enhance current solutions and modify their business process strategies from after-the-fact reporting to prevention. This effort is often overwhelming. Many firms are struggling to keep up with regulations, and have abandoned any attempts to create a compliance framework.
The Challenge Faced By Financial Services Firms
The greatest challenge for financial services firms will be to implement the many compliance solutions in a timely manner, while keeping the overall cost of these implementations at a minimum. Having multiple systems in place will increase burdens on technology staff and compliance analysts, as they sift through the data generated by each individual solution.
Many firms have first-generation Patriot Act and SEC Rule 17-a4 solutions in place, and are considering different approaches to Sarbanes-Oxley compliance. Companies that market and sell mutual funds are scrambling to put systems in place to track trading activity. The focus has started to shift from reporting on violations after they have occurred to trying to prevent future violations, which requires changing existing business processes.
Most of these compliance solutions contain common architectural components, such as:
- A portal-like user interface
- Business process definition
- Alert and filter mechanisms
- Adapters to home-grown systems and packaged software
- Activity monitoring (mostly done in batch)
However, these common components are often not re-used, resulting in costly, individual solutions. Firms that rush to implement a quick reporting system to meet a specific regulation often find that their solution is not extensible and cannot expand to support other departments within the organization. When it comes time to build a true, real-time activity monitoring solution to catch compliance breaks before they occur, the existing solutions are often scrapped.
Limitations of Tactical Approaches
A good solution not only fixes one problem, but it fixes future problems too. Unfortunately, too many of the compliance solutions that financial services companies are installing or creating are focused on solving a single issue. They do not provide the organization with a structure that can easily and cost-effectively address future changes to existing regulations, or new regulatory or compliance requirements.
In particular, most organizations have tried one of two tactical approaches to solving their regulatory needs:
- Vendor-provided Compliance Solutions: Existing packaged solutions relegate compliance activities to technological silos. This raises costs by preventing the re-use of common components (such as user interfaces, alert mechanisms, filters, and adapters). Many firms find that packaged solutions cannot meet their critical business requirements, including the ability to scan and report on real-time activity. Integrating these packaged solutions with their existing trading, risk management, and operations infrastructure is often complex and incomplete.
- Traditional Integration Software: Traditional Enterprise Application Integration (EAI) software products provide some of the support services needed for a common framework for compliance projects, but fall short in two major areas:
  - Real-time data access – Data storage is left to traditional databases, limiting the ability to perform real-time monitoring on live data.
  - Ease of use and administration – Many EAI products are really a suite of separate products that must be integrated before they can be used together, adding complexity to the implementation. Such technology assemblies also yield “fragile” solutions that are difficult to manage and which suffer from reliability problems.
In addition to these shortcomings, many EAI product vendors believe that graphical modeling tools are enough to model business processes. However, the requirements of a compliance solution are often complicated and cannot be handled solely through graphical tools. The ability to write custom code to handle specific business rules is critical to a successful solution.
Overall, these approaches to compliance can provide tactical benefits, but they quickly become liabilities for most organizations, as they try to handle new regulatory requirements or extend the solution to cover changes. Since the financial services industry is so competitive, with high regulatory requirements and very limited time-to-market windows, financial services organizations should pay particular attention to these shortcomings of tactical compliance solutions. They may severely limit future options, may require multiple redundant compliance solutions, and will have a negative impact on an organization’s competitiveness and its ability to respond in a timely manner to new business requirements.
The Strategic Approach – Ensemble
Efficiently managing current and future compliance requirements and regulatory changes requires a solution that’s designed to change over time. A good solution will also take the best aspects of vendor-provided compliance solutions (mainly that they’re tailored for specific problems and can be developed fairly quickly) and combine them with the best aspects of the traditional EAI-type solutions – the ability to integrate a wide range of applications into a consistent system and create processes that flow across applications. By adding real-time data access and consistent management and reporting, you have the foundation for a strategic compliance system.
This is exactly what InterSystems created with Ensemble. Ensemble provides financial services organizations with a comprehensive (but flexible) platform for creating and managing compliance processes and applications. Unlike traditional EAI products, Ensemble excels at enabling rapid development of custom solutions that are more agile and complete than packaged compliance solutions and less costly, complex, and time-consuming to implement. Ensemble also provides an extensible platform for extending and integrating existing compliance applications into a broader, more holistic, compliance solution.
The following attributes enable Ensemble users to rapidly create strategic compliance solutions:
- Real-time Data Access: Ensemble’s powerful architecture, proven scalability, and transactional bitmap indexing technology enable firms to build real-time compliance solutions. Existing batch and reporting solutions can now be extended to provide real-time alerts, notifications, and reporting. Ensemble allows you to build solutions that perform compliance checks on trades and payments during execution, suspending transactions that do not meet the compliance rules. All of this can be done while complex reports are running against the same transactional data being scanned for compliance violations.
- Rapid Integration: Ensemble’s unified graphical, XML-, and code-based development environment accelerates modeling and automating business processes for business analysts and developers and supports rapid, service-oriented development of composite applications that leverage existing data and functionality. The ability to blend custom code with graphical modeling separates Ensemble from its competition and enables it to solve the most difficult compliance and integration problems.
- Persistent Object Engine: Ensemble has a distributed, high-performance, ultra-scalable, SQL-compliant object database that manages and stores all metadata, messages and process state information, without the cost or overhead that are typical of relational databases. Organizations receive all of the benefits of object technology, as well as real-time access to both live and previously processed messages for auditing and business activity monitoring (BAM), and high reliability and recoverability for long-running business processes.
- Universal Service Architecture: The ability to leverage and extend current compliance solutions comes from Ensemble’s Universal Service Architecture. Consistent, efficient object representation of disparate programming models and data formats enables use of the latest, most powerful development tools and technologies to access legacy data and functionality as reusable .NET or J2EE components, Web Services or XML. The risk of being locked into J2EE- or .NET-specific products is eliminated, and flexibility is maximized.
A Sample Compliance Scenario
To see how Ensemble’s real-time integration infrastructure can make a strategic difference when it comes to compliance solutions in the financial services industry, let’s take a look at a typical compliance scenario. For the purposes of this example we will talk about a hypothetical financial services firm called DE Holdings.
As DE Holdings, Inc. was working through many of the new compliance issues in its industry, it knew that it needed a more strategic solution to compliance, but wasn’t sure how to meet the new requirements and build new solutions while continuing to leverage its existing investments. DE Holdings had an existing anti-money laundering (AML) reporting solution. It needed a process management solution that included a user front-end; adapters to connect to transactions and payments, OFAC lists and internal customer lists; an alert engine to notify the appropriate departments via email after suspicious activities occur; detection algorithms to spot suspicious activity; and workflow functionality for managing the investigation process.
DE Holdings purchased a vendor-provided solution built on Java technology. Some custom coding was required to connect to the OFAC lists and internal customer databases, as well as internal trading systems. As with many solutions, the access to transactions required batch processing. The system generated alerts only after suspicious activity had already taken place, limiting their value. (See Figure 1.)
Figure 1 – Basic AML Solution
Although this solution met its initial requirements, there was a desire to make the solution real-time, so DE Holdings could catch exceptions as soon as possible. In addition, not all departments were included in the initial solution. Some of the smaller areas were doing manual checks because they deemed that their volume did not warrant an automated solution.
Using Ensemble’s rapid integration capabilities, a composite application providing real-time alerts was built, leveraging the existing AML solution. The new alert mechanism could identify suspicious activities based on real-time data. The suspicious activities could then be acted upon, with the results being fed back to the originating databases and applications. This two-way communication was made possible by Ensemble’s real-time message engine.
The departments that were not served by the initial solution and had been performing manual checks were integrated into the automated solution by simply feeding their information into the real-time infrastructure. (See Figure 2.)
Figure 2 – Real Time Alerts Added to AML Infrastructure
The addition of Section 236 in October 2003 added the requirement for financial services institutions to have a Customer Identification Program. These programs require verification and documentation of customers that open new accounts, including an obligation to check names against suspected terrorist lists. In the hypothetical case of DE Holdings, existing customer identification processes and programs (implemented on the .NET platform) were integrated into the real-time compliance checks using Ensemble’s Universal Service Architecture. Using Ensemble’s application development capabilities and persistent object engine, these checks were conducted in real time and integrated into the existing alert infrastructure. (See Figure 3.)
Figure 3 – Integration with Customer Identification Program
Shortly thereafter, DE Holdings decided to implement new trading rules in anticipation of SEC regulation regarding mutual fund and broker trading scandals. Instead of building a trading compliance engine with its own interface, filtering, and adapter frameworks, Ensemble’s Universal Service Architecture was used to leverage the work already done for the existing compliance solutions, while providing the facility to develop the new functionality required for the trading compliance solution. By building a custom adapter to the mutual fund trading infrastructure, the real-time alerts generated could be used to stop non-compliant transactions before they occur. (See Figure 4.)
Figure 4 – Mutual Fund Trading Compliance Module
It’s wonderful to finish something and know that you’ve touched every base, handled every problem and have built something that will withstand the test of time. Unfortunately, compliance solutions are one area where such a thought is bound to fail. By their nature, regulatory compliance and corporate governance solutions are constantly changing. Addressing individual requirements might help companies out of a jam and provide for a “quick win,” but that approach will come up short in the long run. Today’s successful companies are approaching compliance issues as an important goal that requires tactical (and quick) wins, but within a strategic framework that can be easily leveraged as new regulations come out or as existing ones change.
As a result, good compliance solutions must be extensible and flexible, since regulations are constantly being added and changed. To keep costs down, a rapid integration platform is the essential foundation for state-of-the-art compliance solutions. Many firms have already responded to existing regulations by building and implementing individual solutions to scan data and generate reports after the fact. These solutions are often limited to specific departments and do not provide a firm-wide view of compliance. In effect, they provide good-looking but dead-end solutions, unless they’re integrated into a broader compliance context.
With Ensemble, these individual solutions can be leveraged and enhanced to monitor activity in real time, allowing firms to proactively avoid future non-compliance investigations.
Ensemble is uniquely positioned to allow firms to build complete, real-time compliance solutions, while leveraging existing investments in custom systems and vendor packages. Whether it is by enhancing an existing vendor system, building a custom compliance solution, or integrating existing compliance packages into a common framework, Ensemble is the only product that is designed from the beginning to address these problems, and allow access to critical data in real time.