The Lifecycle of Regulatory Change
Jan 10, 2008 4:00 AM PT
Financial services organizations that are unable to update and enforce internal policies and controls in line with regulatory change are exposing themselves to the risk of censure, investigation, loss of professional reputation and severe legal repercussions.
To understand why, it's first essential to get to grips with the process of regulatory change that begins with regulators identifying a risk in the financial system and invariably end with amendments to internal policy within individual financial services institutions.
In the UK, the Financial Services Authority, or FSA, is the independent public body that regulates the financial services industry. The FSA is accountable to the Treasury and thus to Parliament, but it operates independent of government and is funded entirely by the financial services firms it ultimately regulates through a wide range of rule-making, investigatory and enforcement powers.
In the U.S., self-regulatory organizations (SROs) exercise regulatory authority within each industry. In the financial services sector, the Securities and Exchange Commission has traditionally delegated authority to the National Association of Securities Dealers and national stock exchanges -- like the New York Stock Exchange -- to maintain industry standards and requirements.
On July 26, the SEC approved a merger of the NASD and NYSE regulatory bodies to create a new SRO: the Financial Industry Regulatory Authority. FINRA is now the consolidated successor to the NASD.
From an outsider's perspective, regulation might seem a very straightforward process at times. The FSA or other regulatory body simply decides that it wants to take a closer look at a particular area of the financial services world it isn't happy about and acts upon its hunch.
This might be because it is following a general agenda set by the treasury or because it simply doesn't like the way a particular market development is shaping up. Perhaps it just sees a change in the way the world market is operating in and decides unilaterally to make regulatory changes to ensure the industry keeps pace accordingly. However, of course, in reality they can't do this at all -- and for good reason.
Encouraging Market Efficiency
Regulators work for the benefit of the financial services organizations they represent and not against them. Their first priority is to encourage market efficiency through general good practice and only to regulate when other initiatives have failed to produce satisfactory results. Their aim is to promote business effectiveness and public understanding, build confidence in an orderly market, ensure protection and fair deals for consumers and reduce financial crime.
Much of this can be achieved through pragmatism and good faith by providing institutions with the flexibility to judge for themselves which practices require changing, tightening, securing or regulating. This approach engenders commitment and collective responsibility to maintaining healthy markets to those closest to the detail.
The lifecycle of regulatory change is a considered and collaborative process of consultation between the regulator and the industry. The cycle commonly begins with the regulator issuing a thought-piece to the industry in the form of a speech, or discussion, or perhaps a paper setting out a proposal or framework of ideas over how to fix a perceived problem. In the first instance, trade associations and senior management teams generally pick up on such proposals and feed back their responses to the regulator.
The regulator then takes these responses on board and formulates a more structured approach to the issue based upon measures it believes the industry might be able to tolerate. It proposes new rules and sets them out in a consultation piece, questioning firms over whether this would seem the right course to take. The ensuing consultation period could be very short or stretching into many months in order for the regulator to fulfill its legal obligation to consult the industry.
The industry must respond with individual institutions actively making their own points, or they will miss a unique opportunity to have their voice heard in the consultation process and will have no further part to play in resulting documents. Very often though, consultation will actually become a big issue internally with firms, and their internal compliance teams will be keen to discuss the various repercussions and costs associated with new obligations.
Never an Overnight Process
In the UK, the FSA always tries to take into account unforeseen public interest and market costs associated with any potential new rules, with similar concerns in the U.S. only differing as a result of further fragmentation of industry regulators and processes.
Once the consultation period is over, the regulator must compile and examine all responses before formulating final rules and policy. Good outlines are generally provided of key responses, both favorable and objections, as well as reactions and decisions of how best to move these responses forward. The resulting policy is then issued in a policy statement.
Sometimes regulators might install a further consultation window if for some reason a proposal creates particular consternation and uproar in the industry, requesting further responses to the proposal wither wholly or elementally. This isn't normal however, and is only required in exceptional circumstances for major issues of contention.
Once published, new rules become effective immediately, although a transition period is generally accepted to allow firms that need to respond to get themselves organized internally. As far as the wider industry outside of individual firms is concerned, this is the end of the regulatory lifecycle.
Regulators do not want to destabilize firms, so they usually ensure any change is gradual and manageable, although of course sometimes change is rapid by necessity in order to respond to market events. It's never an overnight process and occasionally as with EU directives such as MiFID (Markets in Financial Instruments Directive), such lifecycles can be over a year or more in the making.
Managing and Balancing Risk
The vast majority of proposals for regulatory change do become rules, allowing for a degree of delay during consultation, with the few exceptions usually progressing to rules after alteration and republishing. This is because proposals are issued through the consultative approach described and are never really issued blind. Regulators have a very good idea beforehand of where proposals will go, what route they will take and what shape they will arrive in as rules.
Whether these rules ultimately result in internal policy change within individual financial institutions is entirely dependent on the relevance and severity of rule and the reaction of those individual compliance teams. A firm's policies and procedures are very much internal documents, as are the processes by which they settle customer accounts, complete dealing tickets and so on. Of course overlaying this independent structure are rigid business rules which may mandate that firms consider the impact of certain rules.
It's a question of managing and balancing risk, not obsessive adaptation. Financial services directors are usually more interested that compliance teams are aware of regulatory maneuvering and are engaged in the process when deemed necessary.
End customers are very rarely interested in the regulatory lifecycle at all, unless of course their service provider becomes directly or indirectly implicated with fraudulent behavior. In general, compliance teams keep a watching brief, attempt to align their policies with the direction of the primary regulator and keep aware of the general shape and form of their policy manual in this light.
Of course, technology can play a significant role in this watching brief. The constantly changing global landscape of regulation makes assimilating all of the information published each day by regulators, commentators and the media a time and resource hungry business. Further overheads are then consumed understanding the relevance of new rules and whether and how they affect internal corporate policy.
Fortunately, intuitive database applications can now be deployed to analyze and contextualize regulatory information, providing a greater depth of insight for compliance teams seeking to stay on top of change, avoid any nasty surprises and apply relevant change across corporate policies as necessary. The application of intelligent and standardized taxonomies also takes the pain out of regulatory management by filtering irrelevant information and "noise" from the wider industry, reducing the volume of data and only delivering tailored information at a predetermined stage of the lifecycle, for example, only after the consultation work.
The lifecycle of regulatory change is precise and exacting by necessity. Even a simplistic oversight can help illustrate why the process of identify risks across the financial services industry early and introducing new rules to maintain stability and confidence in the market is such an essential process.
By taking full advantage of technology innovation, compliance teams within individual firms can ensure they are able to better analyze and understand the whole process. In this way they can in effect equip their firm with an early warning system that prioritizes emerging risks and provides an opportunity to develop efficient policy solutions that meet and diffuse risks before they even become an issue.
Paul Johns is chief marketing officer for compliance intelligence provider Complinet.