Making the best of regulatory overload
Three major, overlapping sets of regulations will soon be hitting banks and investment firms. David Millar takes a look at the similarities between Basel II, Sarbanes-Oxley and MiFID
In a January survey of 1,300 chief executives, the threat posed to business growth prospects by overregulation topped the list of concerns - for the second consecutive year.* This was in spite of increasing confidence that prospects for revenue growth were improving. Concern about overregulation ranked above worries over competition or market volatility, and considerably higher than the potential problems of political change and terrorism.
This survey result is, perhaps, unsurprising in the face of the tide of new regulations being introduced in the US, Europe and at the international level. True, delays are in prospect for some aspects of both the New Basel Accord (Basel II), governing bank capital, and the American Sarbanes-Oxley Act (SOX), setting financial reporting standards. However, with political concern over the stability of individual banks, the protection of small investors, and the development of transparent trading markets, it is inconceivable that governments and regulators will allow any of the planned regulations to be abandoned or greatly diluted.
Basel II and SOX are the two regulations that seem to threaten the greatest impact on the global banking markets. The first will require allocations of capital to be made to cover credit, market and operational risk, and oblige internationally active banks (and other financial firms in the EU) to make detailed calculations on all transactions and on actual or potential risk incidents. The second requires companies and their auditors to assure the public that their accounts are accurate, have not been and cannot be tampered with, and that all incidents that may affect the accounts are being reported. On the surface there does not seem to be much overlap between these two regulations. But when one starts to look at the governance, record keeping, risk management and documentation requirements, it is apparent that there are significant areas of overlap (see accompanying table). And Basel II and SOX are by no means the only new regulations demanding major compliance changes.
What is MiFID?
Another new law that is now starting to have an impact on the compliance, process and systems requirements of major banking operations is the Markets in Financial Instruments Directive known as MiFID. This directive forms part of the greater move towards a pan-EU transparent market in instruments, and focuses on the interactions between investment firms and their professional clients. It replaces the Investment Services Directive (ISD), which has been in effect since 1995. Part of the EU's Financial Services Action Plan, MiFID is designed to produce a single European market in financial services and to harmonise regulations for all EU firms as well as foreign firms operating inside the EU.
MiFID is also one of the first of the EU directives to follow the Lamfalussy process - i.e. a broad framework directive, which is effectively cast in stone; and more detailed provisions that can be revised in the future without requiring further legislation. These detailed provisions are dealt with under a so-called Level 2 process, involving technical advice from supervisors and consultation with the finance industry (the drafting and passing of laws by the EU Commission, Council and Parliament constitute Level 1).
Two years are allowed to resolve the Level 2 issues before a directive comes into effect. In the case of MiFID, the original framework was adopted on 30th April 2004. The Level 2 process has not yet been finalised; it is expected to be completed by the end of April 2005, which would have given firms only a year to implement the changes. However, in January the responsible EU Commissioner, Charles McCreevy, announced that he would submit a proposal to delay implementation to the end of April 2007. At the time of writing this had not yet been confirmed.
Three areas where MiFID will have a major impact (subject to the above Level 2 consultation process) are the requirements that all trading parties enter into formal contracts; that all trades take place at "best execution" prices (similar to the US's proposed Regulation NMS, aimed at revising stock exchange trading rules and also currently in the consultation process); and that these prices are made public before and after the trade. Trades between different legal entities within the same company are also subject to the best execution and disclosure requirements.
Other changes from the previous law include an expansion of the scope of instruments covered (many previously exempt derivatives are now included) and the promotion of investment advice to a core service (with pure research demoted to an ancillary service). MiFID also operates a three-level client classification - retail client, professional client and counterparty - similar to that used by Britain's regulator, the Financial Services Authority, although there are concerns that the intermediate category has become more restrictive.
Compliance overlap
However, it is the areas of commonality, or at least similarity, between MiFID, Basel II and Sarbanes-Oxley that demand particular attention from those transatlantic banks and other financial firms caught by all three sets of regulations. Although Basel II and SOX have differing objectives, they both use risk techniques to achieve their ends. To achieve their risk measurement and assessment controls they need core data and, in both cases, this is provided by transaction data, recorded incidents and documented processes. MiFID also emphasises risk techniques as the regulated firms must establish risk management policies that include the identification of all risks, including operational risk, the level of risk tolerance within the firm, and the risk management processes designed to mitigate the risks. This requirement, like Basel II and SOX, will also require transaction, incident and process data.
There are other areas, too, where requirements create the need for common processes. Both SOX and MiFID specifically require the retention of relevant communications and the documentation of relevant processes. Although Basel II is less specific about these areas, its governance and replicability requirements demand similar functionality. All three regulations also require specific governance, outsourcing, conflict of interest and disclosure policies.
A common strategy?
The table accompanying this article describes the main requirements of all three regulations under common headings so as to highlight differences and similarities.
So, what steps can be taken to reduce chief executives' prime concerns? Many of these concerns are about the effort required to prove compliance and the distraction of critical staff, rather than any inability to continue with current and previous business activities. Many executives consider that, through their best practices, they already comply with most of the new regulations and that it is only the proof and the documented standards that they lack. However, it is the creation of this evidence that is time-consuming.
To date, most Basel II and SOX programmes have been kicked off independently and have been working to tight timescales despite delays in the dates for final compliance. There are few, if any, implementation projects that treat both sets of requirements as a single, coordinated programme with common data frameworks. That is understandable given the timescales, the many clarifications of requirements coming from the law-makers, and the continuously developing understanding of the best implementation techniques. Many firms recognise these issues and accept that they will discard their temporary solutions in one or two years. In some cases, projects are complete or close to completion and the experience gained is now available.
This experience could be combined to create a single common framework for financial transactions, corporate processes and risk management, which would underpin MiFID and replace the various uncoordinated, and often semi-manual, processes implemented in the initial Basel II and SOX compliance programmes. Over the long term, money and effort would be saved, and the framework could reduce the cost and impact of future regulations.
Common compliance plans
US firms will have their SOX compliance running now. Affected non-US firms must be compliant from July 2006 at the latest. Basel II compliance depends on the capital approach taken, but end-2006 is the latest date for risk management processes, and many firms will be collecting risk data much sooner.
MiFID will be defined by the end of this April and firms will then be starting their planning. This is the time to start planning the common compliance framework, for implementation in May 2007, which will coordinate the requirements of the above three regulations, reduce compliance spending and take an initial step towards reducing the impact of any new risk-associated regulations.
David Millar is an independent risk consultant and can be contacted at david@dxl-risk.com.
*PricewaterhouseCoopers' 8th Global CEO Survey: Bold Ambitions, Careful Choices