A nonprofit consortium that includes the 100 largest financial institutions in the U.S. released a study this week that says regulatory overlap in the financial services industry could be costing some of the nation"s largest banks millions of dollars.
The group met Thursday to discuss the study, titled "Reconciliation of Regulatory Overlap for the Management and Supervision of Operational Risk in U.S. Financial Institutions". While the report didn"t specifically address cost savings that could arise from consolidating regulatory projects, members of the Banking Information Technology Secretariat (BITS) consortium said considerable time and effort is wasted rolling out compliance programs as siloed projects rather than coordinated across an enterprise.
"In many cases, financial institutions, pressured to find timely solutions, build stand-alone processes for each new set of regulations. The result is numerous redundant and duplicative processes," said Christine Brick, vice president of enterprise governance regulatory consulting and coordination at Wells Fargo & Co. Brick is also a member of the BITS Operational Risk Work Group, which includes representatives from more than 65 member financial services firms.
The study, which was completed in May by KPMG, after having been initiated by BITS, identifies the overlapping regulatory requirements contained in the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA), the Gramm-Leach-Bliley Act of 1999, the Sarbanes-Oxley Act of 2002 and the proposed Basel II accord of July 2003.
For example, Gramm-Leach-Bliley addresses financial reporting and internal control systems, as do Sarbanes-Oxley and FDICIA. Basel II"s Advanced Measurement Approach for operational risk covers internal controls as well.
The study offers specific ways regulated firms can eliminate redundant compliance processes.
"IT is a huge factor in this. I can"t quantify that for you, but that"s something we dealt with as a specific issue, and it underlies the efficiency factor," said Leslie Mitchell, a senior consultant at BITS.
Hugh Kelly, a former regulator in the Office of the Comptroller of the Currency and a principle at KPMG in New York, said financial institutions and regulators need to work together to combine multiple sets of requirements into a single risk-control assessment process, with one testing process and one set of policies and procedures.
"Today, we"ve built up silos within institutions. If institutions continue to go down that siloed route, the cumulative cost of compliance will be substantial," Kelly said.
Meanwhile, several federal agencies, including the Federal Reserve Board, the Federal Deposit Insurance Corp. and the Securities and Exchange Commission, agreed to extend the deadline for complying with Basel II requirements in the U.S. by one year, to 2008.
Basel II is European-born legislation that outlines strict operational risk-management frameworks for the largest international banks in the U.S., allowing them to set aside less capital to cover risk once the frameworks are in place. "I don"t think the extension will delay implementation of Basel II projects. It will afford more flexibility for big banks," Kelly said.
The federal banking agencies said that under the revised timeline, the first opportunity for a U.S. bank to conduct a parallel or real-world test of its Basel II systems would be January 2008. U.S. banks adopting the Basel II capital rules would also be subject to a minimum three-year transition, during which the amount by which each institution"s risk-based capital could decline would be limited.
Andrew Wilson, a partner at Accenture Ltd., said that between 50 percent and 70 percent of the costs related to rolling out Basel II compliance systems are IT-related.
Basel II regulations will require enterprises to bridge data islands across business units to aggregate data and create standardized ways to collect operational risk information. They will also require the building of large data warehouses to run predictive analytics and reporting applications against that information.
"One of the things Basel II does is it requires firms to maintain that data for a longer time -- three to five years, depending on data type," Wilson said.
U.S. regulators are also seeking public comment on a proposed Basel IA regulation that would allow smaller U.S. banks to participate in Basel II"s risk-management practices without implementing the full Basel II framework.