CEB TOWERGROUP | Capital Markets

TRANSLATING COMPLIANCE SPENDING INTO

STRATEGIC INVESTMENT
REGULATIONS HAVE PUMMELED PROFITABILITY FOR SELL-SIDE BANKS

15%

loss in ROE

Systemically important banks have

lost 15 percentage points off ROE
and have struggled to gain back
ground. Macroprudential regulation,
designed to reduce systemic risk,
had the inevitable consequence of
pummeling the bottom line.

Return on Equity (ROE) and Tier-1 Capital Ratio of Systemically Important Banks
Average of 14 banks, 2004-2013
ROE

20%

Tier-1 Capital Ratio

10%
0%
-10%
2004

2005

2006

2007

2008

2009

2010

2011

2012

2013

Source: Bloomberg

UNCERTAINTY STILL REMAINS OVER 40% OF DODD-FRANK RULES

155

Dodd-Frank Progress Report of Required Rules Finalized

Rulemaking Progress as of March 31, 2015

rules undecided

60% Finalized

Almost five years after Dodd-Frank

was introduced, only 60% of the rules
had been implemented in practice,
leaving 155 rules still to be decided.
This continued uncertainty requires
prolonged investment to mitigate the
risk burden.

Remaining rules

Finalized rules
235

155

Source: Davis Polk, Dodd-Frank Progress Report, March 2015

GAINS IN EFFICIENCY HAVE FAILED TO KEEP PACE WITH REVENUE

70%

Global Asset Management Efficiency Ratio vs. Revenue

efficiency loss

While the average global revenue

earned by asset management firms
continues to reach all-time new highs
($415M as of 2013), the efficiency
ratio, measured by revenue per
employee, is only 30% the size of its
2007 peak.

$500

$4,000
$3,000

$400

$2,000
$1,000

$300

$0
$200

-$1,000
-$2,000

$100

-$3,000
-$4,000

$0
2004

2005

2006

2007

Revenue per Employee ($)

2008

2009

2010

2011

2012

2013

Average Global Revenue ($ millions)

Source: S&P Capital IQ Research Insight

2015 CEB.

i.

www.executiveboard.com

CEB TOWERGROUP | Capital Markets

FUNDED BUT ON THE FENCE: OUTDATED VIEWS ON OUTSOURCING

In a recent poll of capital markets executives, CEB found a revealing contradiction in their perceptions about
outsourcing. Although executives indicated a high intention to increase spending on all types of outsourcing, they
rated it as a relatively low-value activity. These reluctant spenders see outsourcing as a rote task that doesnt
bring the same level of business value as other technologies or services.
Most capital markets firms still underestimate the gains that sourcing partnerships can bring in mitigating
uncertainty and regulatory risk. These firms are resting on antiquated perceptions that the primary role of
outsourcing is to take commoditized, low value tasks and export them to a third-party firm. Leading firms are
expanding their approach to sourcing and identifying partnerships that will create differentiating value.
100

Value Shortfall Perception Index

Technologies and Services Indexed by Highest Spending Increases with Lowest Ratings of Value

100

50
35
30
17

16

15

12

0
Application
Information
Business Process Social Networking
Development &
Technologies
Technology
Outsourcing
Maintenance
Outsourcing (ITO)
(BPO)
(ADM)

Derivatives
Systems

Order Routing &

Messaging
Networks

Rest of
technologies
(average)

Source: CEB 2015 FSI Survey

Percentage of Firms Either Adopting or Replacing Sourcing Platforms by 2019

45%

Investing in
sourcing

Nearly half of surveyed capital

markets executives plan to adopt or
replace their existing outsourcing
services by 2019. The firms that will
benefit the most from these
investments are expanding the
partnerships beyond traditional lowvalue activities.

2015 CEB.

Application
Maintenance &
Development

Business
Process
Outsourcing

Information
Technology
Outsourcing

45%

45%

44%

N = 1,266
Source: CEB 2015 Global FSI Survey

ii.

www.executiveboard.com

Withstanding the Regulatory Spotlight

Reducing the Risk Burden in Risk and Compliance Management
Gert Raeves
Senior Research Director
Capital Markets

Compliments of Cognizant Technology Solutions

Atit Amin
Senior Analyst
Capital Markets

June 2015

CEB TowerGroup Key Findings

Given the barrage of new regulatory standards, firms are spending large portions of their technology
budget on implementing and operating risk management and compliance functions. CEB projects that
global spending on risk management and compliance technology will hit nearly $45B with North America
and Europe expecting a 20% and 16% compound annual growth rates, respectively, through 2018

To reduce these costs, leading organizations are undertaking transformative business-led initiatives that
promote a flexible technology infrastructure and leverage outsourced service delivery solutions.

Some of these initiatives include leveraging data utilities, converging market and reference data and
outsourcing risk functions including KYC and list management.

Centralized data management will also be crucial to the success of these initiatives; however almost 70%
of capital markets firms either do not have a data management strategy or have not invested in it.

Additionally, moving to a business-led, vendor enabled model will also allow firms to further identify
opportunities for innovation and expanded capabilities which will be critical for continued profitability.

Executive Summary
In years past, risk management was traditionally dominated by financial and hazard risks, such as complying
with new regulation and managing against a lack of liquidity. Now that those risks can be transferred through
hedging and insurance, they have taken a backseat to strategic, operational, and reputational risks that
business leaders must proactively identify and manage. These business risks, if not managed correctly, can
dramatically affect an enterprises financial results, brand, and even ability to operate, thereby having a severe
negative impact on shareholders, customers, and employees. Additionally, the operating costs to manage risk
and compliance functions has dramatically increased and cutting costs will require a substantive shift across
business, IT and vendor teams.
Within the context of new regulatory requirements, capital markets firms cannot afford to practice risk
management the old fashioned way. Serving the sophisticated needs of future risk management principles will
require a broader change in the perception of risk technology. Instead of viewing it as a nice to have, highly
effective risk governance models position risk technology as business critical and a function that delivers
2015 CEB All rights reserved.
May not be reproduced by any means without express permission.

competitive advantage. As a result, CEB TowerGroup believes that risk management and compliance
technologies, built upon a flexible delivery model that promotes context-based innovation, speed-to-market,
and an agile workforce, is the best means of integrating the discovery, measurement, monitoring, and
management of firm-wide risk.

Withstanding the Regulatory Spotlight

Since the 2008 financial crisis, financial institutions have faced unprecedented regulatory challenges, resulting
in increased efforts at implementing risk management and compliance solutions. Four years after the DoddFrank Act became law, most firms still expect further spending increases as new rules take effect. As of
December 2014, only 231 of the collective 398 rulemaking requirements have been finalized according to
Davis-Polk research, leaving almost 42% of requirements still to be decided. As a consequence, more than
60% of surveyed capital markets firms expect to increase their Dodd-Frank expenditures during the next 12
months, signaling the breadth and depth of changes that are scheduled to come (Exhibit 1).

Exhibit 1: Dodd-Frank Progress Report (Top); Asset Managers Increasing IT Spending Per Regulation in 2015
(Bottom)
Rulemaking Progress as of December 1, 2014 (Top); Percentage of Capital Markets Firms Answering Increase in
Spend, Excluding Answers of Unsure, 2014 (Bottom)
Sources: Davis Polk, Dodd-Frank Progress Report, December 2014 (Top); CEB 2014 FSI Survey (Bottom).

To illustrate, an additional list of new regulatory safeguards that financial institutions are planning for include:

Data Reporting: Changes to reporting of census information, fund investment in derivatives, liquidity
and valuation of holdings, securities lending, and separately managed accounts.
Portfolio Composition Risk and Controls: Mutual funds and ETFs may require a board risk
management program for liquidity and derivatives. Risk management requirements may include
2015 CEB All rights reserved.
May not be reproduced by any means without express permission.

updated liquidity standards, disclosures of liquidity risk, or measures to limit the leverage created by a
funds use of derivatives.
Dismantling Plans: Investment advisors will need to submit plans for a major disruption to their
business.
Stress Testing: The SEC may conduct annual stress tests on large funds and investment advisers,
similar to those conducted by the Federal Reserve on commercial banks.

Given this barrage of existing and new regulation, firms are increasing their spending on compliance
technologies as the post-crisis regulatory landscape shifts market structure and necessitate new governance
and reporting procedures. Per CEB estimates, capital markets firms have already incurred more than $20
billion in compliance costs since 2009, not counting additional layers of litigation costs and legal settlements. In
our opinion, the largest sources of compliance costs emanate from regulations that have altered, and in some
cases, created new market structure in both the equities and derivatives markets across the United States and
Europe.
For example, as the trading of OTC derivatives trading moves onto exchange-like venues, traders will have
much greater insight and access to information and trade data. With better tools and resources at their
disposal, traders will also have to respond faster to price volatility, and make efficient, informed investment
decisions. The shift from manual, human-based trading to screen-based execution raises the importance of
possessing real-time, streaming information and data flows, and up-to-the-second pricing, risk, and valuation.
As such, an optimal trading environment will require firms to have interoperable systems that can not only
integrate data through trading, risk and pricing but also incorporate the cost of centralized clearing and
settlement so portfolio managers and traders can assess the fully loaded cost of a derivative instrument. This
shift will require considerable enhancements to disparate systems, streamlined processes to ensure
processing time is not impacted and require more cross-team communication.
Moreover, regulation and compliance costs are rising for Change the Bank (CtB) initiatives and teams as they
prepare systems to comply with new standards and processes. The regulation will also impact Run the Bank
(RtB) teams as they ramp up to manage and support these more complex compliance and risk management
functions going forward. CEB projections indicate that global spending on risk management and compliance
technology will hit nearly $45B with North America and Europe expecting a 20% and 16% compound annual
growth rates, respectively, through 2018 (Exhibit 2). Furthermore, according to the Bureau of Labor Statistics,
compliance officer employment in the finance and insurance industry within North America is expected to rise
11% nationwide from 2012 2022.

2015 CEB All rights reserved.

May not be reproduced by any means without express permission.

Exhibit 2: Global Technology Spending on Risk Management and Compliance (Top); Global Technology
Spending on Risk Management and Compliance (Bottom)
By Region, Share of Cumulative Expenditure as of 2014 (Top); In Millions of USD 2008(P) 2018(P) (Bottom)
Source: CEB Analysis

And while the up-front technology investment will be significant and unavoidable, the project impact of some
regulation should diminish with technologies that can reduce costs and enhance control. Firms should examine
post-implementation cost-cutting and process improvement opportunities as part of compliance technology
enhancements to make the most of required changes. This can be achieved by implementing management
principles that enable technology and business teams to maximize returns, centralize and streamline risk data
management and reporting and outsource non-core risk and compliance functions all to reduce cost.

Implement a Flexible, Business Led Risk Management Organization

Digitization defined as how enterprises exploit all sources of data and technology to enable new capabilities
and a more efficient value chain will become increasingly important to risk and compliance functions as
effective implementation can dramatically reduce cost and streamline processes. To capitalize on these gains,
risk and compliance IT teams will need to implement a flexible technology infrastructure that promotes the
enduring strengths of business, technology, and vendors.
Pejoratively nicknamed shadow IT and even rogue IT, business-led IT has provoked executives to try and
stamp it out with increasingly rigorous governance processes that channel technology-related spending
through Corporate IT. Nevertheless, CEB research believes that the rise of business-led IT is inevitable and
beneficial. Because information enables an increasing amount of business outcomes, more than 70% of
business leaders are now willing to run their own technology projects. We believe that the rise of business-led
IT is inevitable and when implemented correctly, can reduce spend and be more beneficial to the organization
than just improving IT delivery. These benefits include a rapid test and learn cycle which allows business
2015 CEB All rights reserved.
May not be reproduced by any means without express permission.

teams to experiment with new capabilities earlier in the lifecycle and thereby reduce costly testing cycles.
Additionally, as regulatory costs rise for IT teams, business-led risk and compliance provides an additional
40% of technology investment.
However, not all business-led IT spending is healthy; when poorly managed, it can drive up costs, risks, and
create data silos. Risks of business-led IT includes underestimating operational stability needs, weak vendor
management, and immature, duplicative siloed solutions. To reduce these risks, leading firms are playing to
the comparative advantages of the organization (Exhibit 3). In this ideal paradigm, business teams drive
innovation as they have the best insight into clients, products and competitors. Additionally, this model offers
flexibility as business teams are better able to control resources and make trade-offs between opportunities.
This shift also plays to the strengths of vendors and IT teams by outsourcing deep, technical expertise to
service providers and freeing up internal IT teams to focus on building skills that will have lasting value to the
business. In this new paradigm, vendors provide subject matter expertise (SME) at a reduced cost and provide
efficient, scalable operations that are often unfeasible with an internal IT team. As firms move towards
outsourcing SME, IT teams can then focus on enduring skills such as bolstering service management, offering
a cross-enterprise perspective and consulting the business as they lead innovation initiatives.

Exhibit 3: Strengths of Technology Projects Led by IT, Vendors, and Business Line Leaders
Illustrative
Source: CEB Analysis

Centralize and Streamline Risk Data Management and Reporting

Due to increased cost pressures, divisions between market and reference data are also converging. While the
two types of data are historically purchased and processed separately, the separation should be eliminated, as
risk and finance functions begin to straddle the front-and-back office divide. This approach would ensure that
2015 CEB All rights reserved.
May not be reproduced by any means without express permission.

financial data is consistent throughout the business and reduce the cost of managing the divisions in silos.
According to CEBs Data Management Survey, 71% of business leaders are planning to converge market and
reference data in the coming years. This is particularly notable for risk management teams given the negative
impact inaccurate data can have on risk analytics and compliance. As firms break asset-class and business
line silos, a one-data approach will improve risk and compliance management, service, and cut costs (Exhibit
4). Firms that have already moved to a one data approach have seen improvements in risk analytics, data
consistency, as well as trade processing and reporting. In fact, three leading G-SIBs in North America
partnered with Cognizant to comply effectively with the BCBS 239 regulation related to risk data aggregation
and reporting. Post-implementation, the firms realized rationalization of enterprise risk data, developed data
traceability, lineage, and aggregation, created glossaries and process maps for gap analysis, and ensured
transparency and automation of regulatory reports for Basel and Fed exams.

Exhibit 4: Convergence of Historically Distinct Investment Analytics Technology (Top), Five Areas of Asset Class
Convergence that Offer the Highest ROI Potential (Bottom)
Illustrative
Sources: CEB Analysis

Additionally, Dodd-Frank requires firms to re-examine their standards, particularly around counterparties,
contracts and underlying securities. Yet, many firms report low standardization maturity, which amplifies the
challenges of Dodd Frank implementation and the ongoing maintenance of data standardization. Given this
challenge, leading firms are moving towards an outsourced security master model to ensure data
standardization and reduce overall maintenance cost. For example, Bank Vontobellisted on the SIX Swiss
Exchangeoperates in 21 international locations and manages a total of CHF 150 billion in client assets,
turned a data management initiative into a new revenue source by creating an outsource service. Their existing
systems reliance on specialists, along with new regulatory requirements and a multi-data provider model,
drove the urgency for change. To simplify their processes, reduce cost, and gain revenue, the firm outsourced
their security master services. The benefits of the project included an internal data management and BPO
2015 CEB All rights reserved.
May not be reproduced by any means without express permission.

strategy in a single platform which provided scalability to onboard more customers with different levels of
services as well as quality and efficiency improvements.
Institutions also display low maturity in risk data aggregation and reporting of several important types of risk
data. According to the CEB 2014 FSI Survey, almost 70% of firms either do not have a data management
strategy or have not invested in it. Low standardization maturity will amplify the challenges of Dodd-Frank
implementation, as it requires firms to reexamine their standards, particularly around counterparties, contracts,
and underlying securities. Furthermore, Basel III introduces several new principles that risk and compliance
teams will need to be prepared for including, but not limited to:

Governance: Risk aggregation capabilities should be subject to strong governance arrangements.

Data Architecture and IT Infrastructure: IT infrastructure should support risk reporting practices
during times of normalcy and stress.
Timeliness and Comprehensiveness: Reporting will require up-to-date risk data in a timely manner
and will be expected to cover a broad range of on-demand, ad hoc risk management and reporting
requests.
Frequency and Distribution: Board and Senior Management should set the frequency of risk
management report production and risk reports should preserve confidentiality.

These principles are notable as they are ambitious and cover a broad set of risk aggregation and reporting
capabilities, shift focus towards data accuracy, completeness and timeliness, and require several IT-specific
capabilities, such as real-time and ad hoc reporting. It will be important for RtB teams to consider these factors
as they prepare their risk management and compliance functions for the future state. Building these
capabilities in-house can be costly and difficult to maintain therefore outsourcing opportunities should be
considered to scale for increased regulation and reduce operating costs.

Leverage Outsourcing, Utilities, and Partnerships to Cut Costs

To rein in costs while maintaining the integrity and efficiency of daily operations, many corporations are
responding by turning to outsourcing service providers and utility models. In March 2002, American Express
signed a $4 billion deal with IBM to outsource its IT infrastructure in an effort to improve flexibility of costs and
capacity in light of extreme volatility. By moving toward an outsourced model, they were able to cut
infrastructure costs by 50% and IT staff by 33%.1
The trend will be similar among other financial institutions as their compliance-related costs continue to grow.
JP Morgan, for instance, recently announced that it had grown its compliance IT spend by 27% since 2011 in
order to meet demands.2 Banks without necessary controls have in some cases received strong penalties from
regulators. HSBC was forced to a pay a $1.9 billion in anti-money laundering fine in last year.3 As more
regulation is unveiled and the demand for processing speed grows, the push towards partnering, leveraging
utilities and outsourcing will become critical, particularly in anti-money laundering (AML) and know your
customer (KYC) technologies, as it can reduce operating costs and enable the agility required to handle the
changing demands.
To mitigate risk and combat rising costs, financial institutions are also engaging in strategic partnerships to
centralize commoditized risk and compliance activities. For example, a group of the worlds biggest banks have
1

Benefits of IT Outsourcing Contracts, CEB CIO Leadership Council, August 2008.

2015 CEB All rights reserved.
May not be reproduced by any means without express permission.

2
3

JPMorgan Ramps Up Compliance and Controls IT Spending, Finextra, September 18, 2013.
HSBC to Pay Record US Penalty, Wall Street Journal, December 11, 2012.

joined forces with SWIFT to develop and use a centralized due-diligence system designed to reduce the
burden of compliance and the rising regulatory costs associated with it. Bank of America Merrill Lynch, Citi,
Commerzbank, JPMorgan, Socit Gnrale and Standard Chartered are among the group to have signed an
agreement to jointly launch SWIFTs KYC registry, which is a type of secure electronic repository for the
masses of information required by banks as part of their due-diligence process on corporate clients all over the
world.4
The KYC registry offers a powerful if rare public example of how banks are working together to resolve
problems brought about by the regulatory onslaught. Under the agreement, the banks will participate in a
SWIFT-led working group to agree on the registrys processes, as well as the documentation and information
necessary to fulfill KYC requirements across multiple jurisdictions. In addition, the banks are to start populating
the registry with their own KYC data (Exhibit 5).

Exhibit 5: Sample of Recent Industry Data Utilities

Illustrative
Sources: Clarient, Euroclear, Markit, CEB Reference Data Review, SWIFT.

Similarly, banks are also outsourcing the storage of compliance data to help reduce costs through a shared IT
platform. Barclays, Credit Suisse, Goldman Sachs and JP Morgan Chase signed a memorandum of
understanding (MOU) with post-trade services group the Depository Trust & Clearing Corporation (DTCC), with
the aim of creating a shared repository for client reference data.5 The DTCC said the jointly developed data
platform will enable banks, broker dealers, asset managers and hedge funds to store information including
regulatory compliance data in a central library. Likewise, Cognizant has also worked with its clients to create
similar internal utilities or shared service models for reconciliation and reference data processing.

2015 CEB All rights reserved.

May not be reproduced by any means without express permission.

4
5

Major Banks Sign Up for SWIFTs KYC Registry, Bank Systems & Technology, March 4, 2014.
Banks to Develop Shared IT Platform for Compliance Data Outsourcing, ComputerworldUK, October 4, 2013.

Manage Sourcing Strategically to Gain Maximum Value

While industry utilities and outsourcing can be valuable for protecting data, cutting cost, and streamlining
processes, firms will need to closely evaluate which risk and compliance functions lend well to an outsourced
model and then prevent value erosion across the sourcing lifecycle. The first step is to validate the suitability of
sourcing. This can be achieved be evaluating the criticality of a function (defined as an activity that would pose
an immediate threat to the organization) against core value (defined as an activity that contributes to the firms
competitive advantage). Activities viewed as core and mission critical, such as risk modeling, analytics and
decisioning, should always remain in-house and on-site; whereas activities that are highly commoditized, such
as list maintenance, reporting and data management, are better candidates for outsourcing (Exhibit 6).

Exhibit 6: Business Process Outsourcing Suitability Screen

Illustrative
Source: CEB Analysis.

The next step is to prevent execution risk that threatens a firms ability to gain maximum value from an
outsourced model. Firms often migrate to outsourcing services as an unsustainable short term solution to a
long term problem. To reduce value leakage, capital markets firms need to develop a sustainable outsourcing
plan that avoids the follow common failure paths across the sourcing lifecycle:

Strategic Misalignment: Sourcing strategy is not linked to long-term strategies and financial
objectives.
Unfavorable Terms: Lack of initial cost transparency leads to suboptimal contract terms.
Measures that (Dont) Matter: Choosing a vendor based on performance targets and SLAs that fail to
reflect the end-user experience.
2015 CEB All rights reserved.
May not be reproduced by any means without express permission.

Out of Sync Teams: Coordination is poor between external providers and in-house staff.
New Role, Old Skills: Retained staff lack sourcing management skills.
Static Performance: Inflexible contract terms limit the ability to adapt to evolving business strategy.
No Innovation: Organizations are unable to create incentives for vendor led innovations.

Conclusions
In part due to an accelerating confluence of new-to-world risk factors, risk management is only going to get
more difficult. There is a right way and a wrong way to respond. The best way to implement prudent risk
management principles without introducing unnecessary organizational drag is to have IT, risk, vendor and
business teams work together in delivering a flexible delivery model that promotes context-based innovation,
speed-to-market, and competitive advantage. The ability to manage risks must become an essential leadership
competencyon par with (and integral to) executing a strategy, launching a new product, and leading an
effective team. Risk management is not a discrete activity for business units to conduct separately from
strategy, business processes, and talent management; done properly, it is deeply embedded into all three of
those important activitiesnot slowing them down or adding more cost burden, but actually improving them.

Cognizant Technology Solutions commissioned CEB TowerGroup to conduct independent research and
analysis of compliance and risk management trends in capital markets. The content of this report is the product
of CEB TowerGroup and is based on independent, unbiased research not tied to any vendor product or
solution. Although every effort has been taken to verify the accuracy of this information, neither CEB
TowerGroup nor the sponsor of this report can accept any responsibility or liability for reliance by any person
on this research or any of the information, opinions, or conclusions set out in the report.

2015 CEB All rights reserved.

May not be reproduced by any means without express permission.

10