Fubon Project Training
Compliance in Financial Institutions
A Trojan Horse for Data Initiatives?
Dilip Krishna, CFA FRM
Director, Risk Management and Capital [email protected]
The views expressed in this article are those of the author and do not necessarily reflect the views of Teradata. This presentation is for general informational purposes only.
Agenda
• Section I
• Introduction to Compliance Initiatives
> Data Management Implications
• Compliance costs - “Spending” or “Investment”?
• How to leverage compliance?
• Examples and benefits of data management leverage
• Conclusion
• Section II
• Evaluating Enterprise Risk Information Management
Brief Bio
• Director of Teradata’s Enterprise Risk Management practice in North America.
> Consulted on ERM and Basel II initiatives with several U.S. and Canadian financial corporations.
• More than 15 years of experience in technology and business consulting in the financial industry
> Mostly Canadian Banks and Investment Dealers
• Large-scale projects including Basel II implementations.
• Authored numerous articles about risk management and data architecture
• Spoken about the topic in diverse settings
• Engineering degrees from the Ohio State University and the Indian Institute of Technology
• CFA and FRM designations.
GRC – A component of Business Management
• Governance - Process by which board sets objectives … oversees progress toward those objectives
> Understand motivations of stakeholders
> Set organizational direction
> Process Oversight
> Performance Management
• Risk Management – The process of analyzing exposure to risk and determining how to best handle such exposure
> Supports risk taking and the organization’s ability to compete
> “A ship in port is safe, but that’s not what ships are built for.” – Grace Hopper
• Compliance – Ensuring the organization follows applicable rules and regulations
> Process that makes governance work – complying with internal rules
Implementing GRC
Policies, Methodologies and Infrastructure
• Organizational Policies and high-level Processes
• Methodologies or techniques to measure effectiveness and control processes
• Infrastructure – encompassing People, Processes and Technology
[Diagram: GRC – Policies, Methodologies, Infrastructure]
Major GRC initiatives in the Financial Services Industry
Compliance Initiative | Description | Implications
Basel II | Capital Adequacy Framework for banks | Business Process refinement, Data Integration
AML/BSA (Patriot Act) | Anti-Money Laundering provisions – upgraded for anti-terrorism | Pattern recognition, data integration, accelerated reporting
Sarbanes-Oxley Act of 2002 (SOX) | Financial Reporting, Corporate Governance & Disclosure | Business Process Control, Accelerated reporting
Gramm-Leach Bliley Act (GLBA) | Financial Information Privacy | Protection of customer information
Solvency II | Risk-based capital framework for insurance industry | Business Process refinement, Data Integration
OATS | NASD order and execution reporting | Accurate and timely data capture and reporting
What is Basel II?
• Credit Risk
> “The risk that a counter party … will fail to perform …”
> E.g. Risk of non-payment of loans
• Operational Risk
> “… loss resulting from … processes, people and systems…”
> E.g. Internal/External Fraud, System failures, Anti-competitive practices etc.
• Market Risk
> “… sensitivity … of a portfolio to changes in financial asset prices”
> E.g. Losses due to decline of US$ vs. CAD$
> Not significant for latest Basel Accord
• Basel II mandates calculation of risk due to these 3 factors
Basel II
Data Management Implications
• What’s involved – Credit Risk
> Collection of bank-wide loan exposure to counterparties
> Calculation of “Risk Parameters” from historical loan data
> Collection of history of losses via credit risk
> The “use-test”
> Reconciliation of credit exposures with financial statements
• What’s involved – Operational Risk
> Collection of operational risk data
> Calculation of “Risk Parameters” from historical loss data
• Data Management Implications
> Availability of Quality, integrated data
> Data Timeliness
> Reference Data
Basel II
Data Management Challenges
• Credit Risk – A Classic Data Warehouse problem
> Collect data from variety of sources of loan data
> Cleanse, Normalize and Integrate the data
> Calculate and Report Capital
> Issue: Metadata - Different business lines have different definitions of data
> Issue: Reference Data - Clean customer reference data, product master data, internal hierarchy
> Issue: Data Quality - Regulatory reports must contain clean data
• Operational Risk – finding data that isn’t there
> Issue: Metadata – is it op. risk or credit risk?
> Issue: Data just not available…
• Credit Risk is a data management problem while Operational risk is also a methodology problem
Anti-Money Laundering
• Initially implemented as Bank Secrecy Act of 1970
> Patriot Act added significant burden to financial institutions
> Since 2005 life insurers also have to comply
• FIs are required to report money-laundering activity
> FINTRAC in Canada, FinCEN in the US
> Several kinds of reports: Currency Transaction Reports, Suspicious Activity Reports etc.
• AML program has several components
> Customer Identification Programs
> Customer Risk Scoring
> Monitoring
> Surveillance
> OFAC scanning
• AML Responsibility is to report suspicious activity – heavy fines can result from non-compliance
Anti-Money Laundering
Data Management Implications
• Customer Identification
> Tracking Aliases
  • Augusto Pinochet Ugarte = Daniel Lopez = Jose Ramon Ugarte
  • Western Alphabet can misrepresent names – e.g. Arabic names read differently depending on where they are being read
> Customer Relationships may not be available
> Capture of customer data in account opening
> False Positives – increased cost
• Monitoring and Surveillance
> Large data volumes
> Timeliness requirements
• Data Management issues
> Data Quality
> Analytics on “Reference data” (Customer Data)
Capital Markets compliance – RegNMS, MiFID, OATS
• Goals
> Best Execution and Investor Protection
> Enhanced Transparency
> Real-time order management and routing
• Data Management Implications
> Robust securities and customer master data
> Real-time processing algorithms
> Historical data archive of large amounts of data
> Daily reporting of information
Typical Basel II Credit Risk Solution
[Diagram: Typical Basel II Credit Risk Solution. Labels recovered from the figure follow.]
• Corporate and Commercial Banking Systems
> Risk Rating Systems
> Credit Approval Systems
> Credit Servicing Systems
> Collections and Workout Systems
> Trading Systems
> Trading Exposure Systems
• Retail Banking Systems
> Small Business Credit
> Credit Card Products
> Mortgages
> Retail Portfolio Management
> Analytics and Decision Support
• Trading Room Credit Risks
> Facility Apportionment
> Ratings Systems
> Exposure Measurement
> Collateral Management and Valuation
> Securities Finance
• Special Products
> Securitization
> Non-Traded Equities
• Finance Systems
> Detailed GL Postings
> Costs
> Financial Hierarchies
> Revenue
• Data Warehouse (data model excerpt showing the entities ORGANIZATION, ACCOUNT PARTY, BUSINESS, PRODUCT, AGREEMENT, INDIVIDUAL, PRODUCT PARTY, PARTY)
• ELDM: Risk, Treasury, Financial, Other
• Analytic Engines
• Risk Parameters – Estimation, Calibration & Validation
• Regulatory Capital
• Stress & Scenario Testing
• Users
• Regulatory Reporting
• Reference Data Management
• Stress Scenario Development
• Risk Model Development
• Financial Reconciliation
• Retail Pool Definition
How to address Basel II requirements?
E.g. Loss History Database
• Customer or Facility data?
> Lack of availability of data at the right level
• Length of customer history may not be sufficient
> Recoveries from “non-existent” customers
• Data Management issues
> Data Modeling
> Metadata
> History
An example
Reconciliation of Risk and Financial Information
• New level of accuracy is required
• Financial processes and standards
• Granular level of detail + Aggregations
• Multiple items to be reconciled (e.g. max. and avail. authorization)
• Risk data aggregation is not simple additive aggregation
Approaches to Solution
• Simplistic
> Process refinement
> Tolerances
> Tactical Information Management improvement
• Advanced
> Process Refinement plus
> Improved Information Management
• Ensure that Risk and Financial numbers are generated from same underlying transactions
> Quality
> Completeness
> Timeliness
> Master Data (Customer, Internal Hierarchy etc.)
Real-Time DW Architecture - Multi-Regulation Compliance
[Diagram: A Single Solution. Labels: Front Office Systems (Trading, Arbitrage, Sales, Treasury, Program Trading); Message Oriented Middleware; Real-time Feeds; Staging Data; ODS Cleansed Data; Standardize & Integrate; Historical Data Warehouse; ETL; Data Marts; OATS (ETL); OATS/AML Interfaces; OATS Files; AML Files; Case Management System]
Addressing AML and Trading Compliance
• Large amounts of historical data to be held
> Up to 3 years of daily data (upwards of 30 TB)
> Most of this data is “cold” – used rarely by compliance
• Near-term data needs to be ingested frequently
> Trading compliance needs
• Daily reporting on large amounts of data
> E.g. 5 am reporting requirement for previous day’s trades
• Data Management issues
> Reference data – securities master required for rapid trade processing
> Data Quality – compliance reports must be of high quality
> Management of large amounts of data
> Operational access to data – case management for AML
Compliance expenditure
Is the cost worth it?
• Market for risk data architecture to be $1.8B annual spend in 2005 and growing to >$2.4B in 2010
• Multi-year window, does not end w/B2 compliance
Source: Financial Insights: Risk Data Architecture Spending 2004-2009 (updated)
• Basel II worldwide spend upwards of $40 billion
• Canadian Bank spending between $75-250 million
• Compliance Spending To Reach $28 Billion By 2007
• Sarbanes-Oxley spending will exceed $6 billion in 2006
Source: AMR Research
• Tower Group estimates a 1 billion Euro cost for the whole market for MiFID, with a typical broker-dealer spending 22 million Euro each
• The Aite Group estimates that RegNMS-related spending will likely reach $544 million for IT costs alone.
Compliance costs
“Spending” or “Investment”?
• Compliance costs are significant
• They can be justified as “the cost of staying in business”
• But can compliance spending generate value?
• Compliance, if done right, can lead to better data infrastructure
• This infrastructure can support new business initiatives…
• Which could have never gotten funded to improve data infrastructure
Compliance Driven Up-Front Investment can drive cost-effective business value
[Chart: Business Value against Information Value (Cost), with Increasing Sophistication in Data Management and Investment in Data Management. Data layers: Transaction Data, + Product Data, + Customer Data, + Portfolio Data, + Integrated ERM Data. Analyses: Transaction Risk Analysis, Product Risk Analysis, Customer Analytics, Portfolio Risk Analysis, Risk-Adjusted Customer Analytics. Markers: AML, Basel II.]
The Connected Enterprise
• Marketing
> Client/Lifetime Value
> CRM/Cross Selling
• Finance
> Activity Based Costing
> Transfer Pricing
• Improved Mgmt.
> Performance Management (RAROC)
> Integrated Marketing (Risk & Performance)
Start with the Logical Data Model
• LOCATION – A geographical area, physical or electronic address.
• PARTY – An individual or group of individuals.
• EVENT – Financial or non-financial event which may involve contact with the customer.
• INTERNAL ORGANIZATION – A unit of business within the financial institution or insurance company.
• PRODUCT – Any marketable product or service including terms and conditions.
• CAMPAIGN – A strategy, plan or promotional event for the purpose of acquiring, retaining, or expanding usage by customers.
• CHANNEL – The vehicle by which a customer interacts with the financial institution / insurance company.
• FINANCE – The internal accounting of the business.
• ASSET – Things belonging to Parties that have value.
• AGREEMENT – An arrangement between the customer and financial institution or insurance company for a product.
But don’t stop there… Addressing Data Management in a holistic manner
• Data Quality
> Managing the accuracy, timeliness, completeness and usefulness of data.
• Metadata
> Comprehensive and consistent usage of data.
• Privacy & Security
> Control of access and usage of information for legal, compliance and internal requirements.
• Master Data Management
> Underpinning risk reporting, including customer data, hierarchies, grouping
• Data Governance
> Proper warehouse ownership and involvement promoting leveraged use of data.
• Data Stewardship
> Corrective action and proactive visioning of data completeness and quality.
Following through on Data Management
• Data Quality
> GRC - a great motivator for data quality
> Implement Data Quality metrics
• Reference Data Management
> Implement a real solution – not a “spread-mart”
• Metadata Management
> Progressively implement a complete solution
> Capture… Access… Integrate!
• Back up data management efforts with a robust Data Governance organization
> Educating senior executives on the Value of Data Management
> Ensure funding and organizational culture supports data management
> Data Stewardship Processes
Data management – improved business value
Banking example
• Risk-based Pricing
> Price for loans based on customer risk profile
> Higher the risk, higher the price
• Risk-adjusted Performance Management
> Business-unit and individual performance measured (and compensated) according to risk-based measures
> Aligns compensation to shareholder value
• Data Implications
> Detailed data - customer and account level
> High-level of data quality
> Robust customer master and internal org hierarchy
> Integrated data – including risk and financial data
> Easy access to data by front end users
Risk-adjusted Performance Management example
[Chart: Wholesale Portfolio Risk & Return – Risk Adjusted Return & Economic Capital. X-axis: Risk Adjusted Return Percentile (0 to 100). Y-axis: Cumulative % of Total (0% to 160%). Series: Risk Adjusted Return, Economic Capital. Annotation: Problem Customers.]
Senior Management View
Line of Business View
Without robust data infrastructure, actionable communication cannot be guaranteed!
Measuring risk relative to reward
Risk measurement impacts pricing
[Chart: Probability of Default (%) by Risk Grades (1 to 6). Series: Old, New, Risk based cost.]
Risk-adjusted price is important. If all customers get the same average price…
• Low-risk customers go elsewhere to get a lower price
• High-risk customers stay – they’re getting a great deal at the expense of the bank
Result – the bank is left with the toxic waste!
The Results – improved performance
Defaults over time
As the portfolio becomes more rationally priced over time, net defaults over time go down (note – this is a business decision)
Extending AML to Fraud
• AML data needs - end-of-day
• Extending to intra-day - opportunities for pro-active fraud detection
> Combined with extensive client & product demographic & historical data
• Example Fraud Application
> Run business rules against the data, send out real-time alerts
• Analytics capabilities for AML can be reused for
> Trend/Pattern analysis on historic data to devise Fraud Detection rules
> Ad Hoc queries to verify specific live fraudulent activities
• Business Value
> Improved Client Experience
> Significant fraud mitigation and added opportunities for arrests and recovery
> Improved productivity of Fraud Analysts in time and efforts
• Result: Reduced costs which go right to the bottom-line
Opportunities in Securities Industry Compliance
• Consider data collected in support of OATS compliance
> Order data, trade data, some market data, securities master
• Base compliance requirement
> Real-time feed of data meets requirement
> System uptime is important, but not overriding concern
• What happens when data environment is hardened?
> Possible to add other information to environment (options prices, market data etc.)
> Now, it’s possible to Create and Execute Algorithmic Trading Strategies
• Algorithmic strategies require rapid response time
> Immense return possibilities (millions of $$ in short time span)
> Seconds or minutes of downtime (at the wrong moment) can cost millions
Why couldn’t we do all this anyway?
Consider a sample business case
• Business value generation project
> Capital Costs (Year 1) - $50 million (data infrastructure)
> Total 10 year revenue - $180 million
• Business case results
> NPV of Cash Flow: $8,559,519
> IRR: 12.2%
> Discounted Payback: 7 Years 4 Months
• This project will not get funded!
Conclusion
• The huge cost of Compliance can be an opportunity to fix data architecture
• Improved data architecture can yield unexpected benefits that would never have otherwise been possible
• How to use compliance initiatives
> Understand the business
> Use the Data Model – seek opportunities to extend
> Go beyond the data to fix data management as well
Fubon Project Training
Evaluating Enterprise Risk Information Management
Policies and Methodologies depend on Infrastructure
[Diagram: Methodologies, Policies, Infrastructure (People, Processes, Technology)]
* Courtesy Dr. Robert Mark, Black Diamond Risk Enterprises
But Policies and Methodologies are also affected by the ability of the infrastructure to support them
If infrastructure is weak – Policies & Methodologies will be adversely affected
Risk Policy and Methodology are Deeply Dependent on Data
• Policy Examples
> Business Strategies
> Risk Tolerance
> Authorities
> Disclosure (Transparency)
• Methodology Examples
> Value at Risk (VaR)
> Stress Tests and Scenario Modeling
> Vetting, Validation, and Audit
> Performance (Active Portfolio Management)
Why is information a challenge to Risk Management?
[Diagram labels: Tactical Management, Strategic Management; Loan/Credit Monitoring, Loan Booking, Loan Work Out, Treasury, Finance, RAROC, Business Management Information; Management, Risk, Finance, LOB; Poor Data Quality]
What is “Data Quality”
Business Technology
My reports aren’t getting done in time!
Why can’t I get two reports to reconcile??
We have great data quality processes, but the ETL processes aren’t getting done on time, and reference data is being wrongly coded.
Data Quality Evaluation
Reconciling Business vs. Technology Views
Requirements
• Integration
• Integrity
• Completeness
• Accessibility
• Flexibility
• Extensibility
• Timeliness
• Auditability
Implementation
• Data Modeling
• Metadata
• Data Security
• Master Data Management
• Data Quality
• Data Stewardship
• Data Governance
Implementation vs. Requirements
An Example
• Metadata can adversely affect many requirements
> Data Integration: “Facility” vs. “Account”
> Data Integrity: Aggregating “Outstandings” (without fees) and “Outstandings” (with fees)
> Data Completeness: Imprecise definition of “Customer”
> Auditability: Incomplete documentation of data lineage
Evaluating Enterprise Risk Information Management
[Diagram: Generate Raw Competency Scores + Develop Information Impact Matrix = Calculate Final Usability Scores. Annotations: Stakeholder Point of View; Input from Users of ERM Information; Output evaluation of ERIM usability]
Raw Competency Scores
• Inherently subjective process
• Template-based maturity model for each business area to enhance objectivity
Senior Management Risk Functional Focus Matrix
Information Focus Perception Matrix
Information Characteristic Impact Matrix
Score by each ERM Policy and Methodology Component
Prioritizing Information Management Remediation
A Data Management Scorecard
Translating Business needs to Technology
To summarize the process
Incorporating Stakeholder Point of View
Stakeholder | Goals and Points of view
Regulators | Stability of economic system (profit focus only till threshold)
Senior Management | Maximize shareholder value and risk-adjusted stock growth
Lines of Business | Maximize unit profitability based on senior management measures
Technology | Minimize cost and delivery uncertainty
Ratings Agencies | Assessment of company financial strength
Each stakeholder will assign different weights to the Information Characteristic Impact Matrix
Uses
• Prioritization/Business Case development for infrastructure remediation
• Raise awareness of data as a corporate asset
• Infrastructure component of ratings agency and supervisory evaluation