Making Risk and Compliance Management a Priority

Ian Pollard, SVP EMEA at Signavio, discusses how financial service organisations in today's shifting landscape can mitigate risk and meet regulatory compliance in a bid to future-proof themselves.

The pace and impact of change is affecting every industry, with the financial services sector in particular facing an expanding scope of regulatory concerns. As the landscape continues to prove highly volatile, the risks and regulations organisations face are becoming more abstract, highlighting the need to prioritise proactive risk and compliance management.

In recent years, a new wave of government regulations calling for business practices to adapt has disrupted the market. Since the General Data Protection Regulation (GDPR) came into force, European Union (EU) citizens have been granted more control over their personal data. If companies are unable to collect and protect data responsibly, they can face fines of up to 4% of annual global turnover[1]. Furthermore, with the second Payment Services Directive (PSD2) deadline fast approaching, companies are obliged to carry out Strong Customer Authentication (SCA) to make online payments more secure. With 3,863,000 fraud cases reported in June 2019[2], the sector requires more preventive measures that allow for the effective and efficient management of risk and compliance matters.

The scope of compliance, combined with the wealth of customer data financial institutions are entrusted with, can make risk management seem a costly and time-consuming task. Compliance, however, is no longer an unfortunate extra cost, but a crucial investment to meet demands created by global regulatory change. In order to safeguard a company's future whilst maximising business returns from this investment, robust governance structures are a prerequisite.

Define and Document

The first step to building an agile management structure is to create a comprehensive framework that meets the regulations within the given industry. Both current and anticipated audit requirements must be defined to make allowances for flexibility, ensuring a company is able to respond to changing regulations as they happen.

Identifying the key risks, involving both Subject Matter Experts and key stakeholders, is a central piece of the process. Those accountable can then prioritise different degrees of risk that may hinder the achievement of strategic objectives and compliance targets.

Design and Educate

Managing risks is not solely about identifying regulations, but ensuring that all employees are working in tandem. To achieve the company-wide endeavour of compliance, the entire team must be empowered with the correct technology and tools and involved in conversations around regulations. This will encourage proactive compliant behaviour and quicker reactions. Ultimately, a risk management framework that spans internal boundaries is more sustainable than one that relies heavily on a single risk manager.

Deploy and Test

The designed system now needs to be automated as much as possible, allowing a company to do more with less. Reacting in a timely manner is essential, and for a risk management structure to be fully watertight it needs to be tested against a number of possible scenarios. Automation alleviates a company's reliance on manual compliance systems, so it can instead benefit from the efficiencies of an incident model. By implementing workflow solutions, this model streamlines the testing process, in turn freeing up more resources that can be dedicated elsewhere – all whilst simultaneously reducing risks.

Refine and Monitor

At this stage, further testing is required to recognise flaws in the system that may not be effectively reducing risks. Detecting compliance deviations can become a more efficient process by implementing data analytics already belonging to the company. This intelligence can be repurposed to detect breaches before they become a huge expense, informing more concise decision-making.

According to Thomson Reuters, over one-third of organisations spend at least one full day per week tracking and analysing regulatory change[3], undoubtedly leading to decreased productivity. To counteract this, mapping out and documenting workflows ensures all incident evidence is kept on record, which both abides by legal requirements and optimises efficiency.

Manage and Improve

For continual compliance, a full-circle system must be completed with a consistent focus on seeking and acting upon new ideas. This level of contingency planning allows companies to close the gap between their current and desired state of compliant behaviour.

Highly prone to facing penalties, financial service providers recognise the need to be GDPR compliant; however, businesses remain wary of approaching risk and compliance as the landscape is in constant flux. To avoid ramifications, institutions need to promote transparent communication, rigorous monitoring, and responsible escalation throughout the company.

[1] https://www.itgovernance.co.uk/dpa-and-gdpr-penalties

[2] https://www.ons.gov.uk/aboutus/transparencyandgovernance/freedomofinformationfoi/fraud
