By Iain Chidgey, VP and General Manager International at Delphix

Economic swings, digitisation, and cybercrime have collectively sparked significant regulatory reform across industries. Existing mandates like PCI, HIPAA, GLBA, and FISMA have gone through multiple revisions that increased non-compliance penalties and tightened enforcement. New and updated financial reporting directives including CCAR, the Dodd-Frank Act, EMIR, MiFID II, and Basel III have dramatically increased the burden and cost of compliance for banks across the globe.

In fact some of the leading banks have spent up to $4bn annually on compliance with a Thomson Reuters survey indicating that more than two-thirds of firms (68 percent) are expecting an increase in their compliance budget this year and 19 percent expecting to invest significantly more.

While the visible cost of compliance may seem to be the growing importance and size of compliance teams in IT, the real costs are far greater in magnitude and impact. In fact the direct cost of compliance, while significant, is dwarfed by the opportunity cost — having to forego other projects that drive revenues and improve margins.

Growing backlog of application projects

Iain Chidgey

In many sectors, especially banking, software applications are a growing source of competitive differentiation. Not surprisingly, application development teams are overwhelmed by a growing backlog of project requests in the form of new application rollouts, customisations, upgrades, and integrations.

Compliance requirements only add to this backlog because applications have to be re-instrumented to keep pace with constantly evolving regulatory guidance. For example, many banks are overhauling applications and building out compliance data repositories to meet swap transaction data recordkeeping and reporting requirements of the Dodd-Frank Act. Moreover, compliance-driven projects often have to be prioritised over other projects that could have a clear and present impact on revenues and core business processes.

Redirection of operational IT resources

Regulations also introduce extensive reporting requirements to facilitate audits and validate compliance. Delivering on these requirements generally involves a three-phase lifecycle, spanning data collection, modelling, and reporting. But data management challenges are a major bottleneck at every stage. During the collection phase, source data availability and access are major constraints. In the modelling and reporting phases, multiple copies of source systems are needed to parallelise reporting work streams.

Across regulations, the cost of creating and maintaining reporting environments is overwhelming. Frequent refreshes of data in reporting systems tax the data sources, the network, and the reporting environments themselves. The recent wave of stress test laws like C-CAR, EMIR, and MiFID have brought these challenges to the forefront in the banking sector, and the net impact has been a redirection of already limited IT operational resources from production support and other important projects to compliance initiatives.

Barriers to IT transformation

Rising regulatory pressure and the resulting mismatch between IT resource supply and demand are driving interest in projects that can fundamentally transform IT agility, cost efficiency, and utilisation. Among traditional industries, the financial sector leads the way when it comes to cloud adoption, application portfolio rationalisation, offshoring, and outsourcing.

Ironically, regulatory compliance creates as many barricades around transformational projects as it provides impetus to execute them. Current data archival solutions fall short of required recovery service level agreements (SLAs), putting organisations at risk of audit failure if legacy applications are retired. Banking applications also contain widespread sensitive data that is only harder to protect in the cloud or in offshore and outsourced staffing models that fundamentally reduce control and visibility. Invariably, these projects and their potential return are blocked by security – and governance -related objections.

Compliance without compromise

The rising cost of regulatory compliance is untenable, given the inevitable, growing pace of regulatory reform. The direct cost of compliance, while significant, is dwarfed by the opportunity cost of forgoing other projects that can drive revenues and improve margins. The response across industries has been far too reactive. Point solutions, implemented for the most specific of regulatory requirements, have led to an amalgamation of compliance tools with limited impact and numerous secondary costs.

The problem must be tackled at a more fundamental level and the reality is that the data supply chain for compliance and governance is broken. Data is siloed across multiple formats (files, databases, big data, etc.) and locations (on-premises, private clouds, public clouds), without consistency or control. As a result, as data moves and changes, it gets harder to track, manage, and govern. It is time to tackle the problem at its core — at the data layer.

Technologies that virtualise data at its point of generation offer an opportunity to reverse the compliance dilemma. Virtualising data at its source eliminates compliance-driven project backlogs, operational resource redirection, as well as barriers to IT transformation.