Compliance data requirements generated by EU Directives
Speech by David Kenmir, Chief Operating Officer, FSA
Compliance Europe Conference 2007
16 October 2007
I am delighted to be able to speak to you this morning.
Data requirements generated by EU Directives present us with the same challenges as they do you. Data gathering and analysis play an important part in enabling us to meet our statutory objectives of maintaining confidence in and promoting public understanding of the financial system; securing the appropriate degree of protection for consumers; and reducing the extent to which it is possible for a business to be used for a purpose connected with financial crime.
The challenge for us is to collect only the data that we have a clear need for, in a way that is efficient for us and you, and then to carry out timely analysis of it. In your role as compliance professionals you have exactly the same challenge.
Key to our approach is our ongoing work to upgrade our IT function where we are making a significant investment over the next 3 years. This will help us meet our strategic aim of improving our business capability and effectiveness and make us easier to do business with.
Over the next 40 minutes, I will outline why we need the data we collect from you, the impact that EU Directives are having on our data requirements and how we are applying our Better Regulation agenda and principles based approach to our data reporting requirements. In conclusion I will set out how we approach data management as part of our IS strategy.
Whilst I am talking as the COO of the FSA today, I will also draw parallels with the challenges I think you face where I can.
Data reporting – one of our supervisory tools
EU Directives historically do not dictate to regulators, or compliance officers, what data they should collect from firms. The Financial Services and Markets Act (FSMA) doesn’t do so either. Both do however require regulators to take adequate steps to monitor firms, and of course that is effectively what many of you are employed to do within your organisations.
We have a number of supervisory tools we can use to monitor firms and they all play a part in identifying and mitigating risks to our statutory objectives. We use regulatory reporting to help monitor how firms comply with Directives and FSMA. It helps us to identify risks at a firm level and also enables us to identify risks across a group of firms or sector.
We only collect data where we are clear how that data will be used within our operating framework. The data we collect depends on the regulated activities a firm has permission to undertake.
For example, if a bank, fund manager or stockbroker also provides advice on retail investment products, then we collect the same information from them on their retail investment activities as we do from a financial adviser. If they do not actually give retail investment advice but have permission to do so, then we require them to confirm that position regularly by submitting a 'nil' return as that tells us that the risk to our statutory objectives from this permitted activity is also 'nil'.
With over 29,000 firms to regulate, this helps us focus our resources where the risks are greatest. It also enables us to deploy higher-cost supervisory tools, such as inspection visits, in a much more targeted way. In essence regulatory reporting helps us see the wood for the trees.
Regulatory reporting is particularly useful for monitoring a firm’s financial position. Around 80% of the data we collect relates to the financial position of the firm. Apart from balance sheet and profit and loss data, firms also have to report that they are meeting the requisite levels of regulatory capital to support the prudential risks inherent in the types of business they undertake and the extent to which they manage those risks. I will come back to financial reporting later.
We also use regulatory reporting to help us identify and mitigate risks arising from the way a firm conducts its business.
For example, the RMAR [Retail Mediation Activities Return] seeks, amongst other things, data on firms' training and competence regime and client base. We separately collect data on the levels of complaints firms receive from consumers, and the areas of their business they relate to. We recently consulted on requiring retail investment advisers to tell us what type of advice they provide: for example, are they 'independent - whole of market with fee-only option', or 'single-tied' where they are limited to the products of one provider. [See CP07/17]
We also consulted on the benefits of making this information available to consumers, possibly through the FSA Register which already enables them to check whether a prospective adviser is authorised by us and in what capacity.
We also collect Product Sales Data comprising transactional data on the sales of certain retail investments, pure protection products and regulated mortgage contracts whether made by the providers directly or via intermediaries.
This helps us identify any significant shifts in the range of products sold by a particular firm and the extent that a firm is an outlier amongst its peers. Coupled with alerts from the other data we receive, this may cause us to look more closely at specific firms. It also enables us to identify emerging market developments such as the rate of growth in the sale of certain retail products.
Before I move on to the impact of specific EU Directives, I’d like to say a few words about the implications of their implementation timetables.
Recent EU Directives have been significant drivers of changes in our data reporting requirements, and most of the reviews of these requirements have been planned to coincide with the changes the Directives necessitate. However, Directive timetables usually only allow 18 months to two years for implementation.
Our experience with the Markets in Financial Instruments Directive (MiFID), about which I shall say more later, was that within this timeframe Level 2 measures needed to be finalised; we had to consult with firms on how the Directive requirements translated to our Handbook; develop our supervisory strategy for the new requirements; revise our data reporting requirements; consult on changes; and adjust our own data collection and analysis systems to accommodate the revised data we will need from the first day the Directive becomes effective.
Such tight timeframes increase the risk that regulators are not fully ready to effectively monitor compliance with the Directives, and indeed some Member States will be late in implementing MiFID. It also puts added pressure on you as you not only have to prepare to meet the requirements of the Directive but also to prepare to provide revised data to us in short order with all the system developments implications that has for you.
We lobby hard through Government to influence the EU Commission to set more realistic implementation timetables that allow regulators time to prepare for how they will monitor the Directive requirements and firms to prepare for the changes the regulator makes. I recommend that you do the same through the appropriate channels.
We also support – as I'm sure you do too – full impact assessments being undertaken on both Level 1 and 2 measures to ensure that they are proportionate. Similar disciplines also need to be exercised in respect of Level 3 measures that affect market participants.
Impact of EU Directives on our data requirements
Supervisory convergence
A few words on supervisory convergence within Europe are also needed before I talk in more detail about specific Directives.
In early 2006, ECOFIN produced a report on supervisory convergence and how this would be taken forward. Some of you will know this as the Francq report. It requires annual reports, starting from this year, on the progress towards several goals, the most notable of which in this context is the work to deliver common formats for regulatory reporting, and to examine IT data sharing arrangements.
This push towards harmonised reporting could have an impact on our own desire to collect only the data we see as necessary to supervise a firm, and to a frequency and timescale we can justify. The biggest danger is that in the desire to harmonise reporting – whether in the level of detail collected, the format of that data, the frequency of reporting or even the submission times, inadequate attention is paid to assessing the impact of these requirements, and the associated burden on firms.
When taken alongside the Commission’s Better Regulation initiative to reduce regulatory burdens, this means that we have to be active in negotiations to ensure that our objectives are not compromised. This is a challenge, as not all regulatory authorities in Europe accept our risk-based and principles-based regulatory approach.
Capital Requirements Directive (CRD)
Which EU Directive has had the most impact on our data reporting requirements?
Given its impact on financial reporting, that has to be the Capital Requirements Directive (CRD). The CRD leads to a fundamental change in the way banks, building societies and investment firms subject to it calculate their regulatory capital and measure the risks that need to be covered. Approximately 2,000 of the firms we regulate are affected by it.
The risk-based approach introduced by the CRD gives firms greater flexibility, but is more sophisticated and so requires us to introduce additional monitoring and reporting requirements depending on the complexity of an individual firm's business. Apart from revising the capital adequacy data we receive from firms, we have also introduced new data items which provide us with the key elements of how firms assess their credit, operational and market risks.
The proportion of the future reporting burden for firms that can be directly attributable to monitoring compliance with the CRD is over 30% for banks and building societies and 80% for securities firms and investment management firms.
We used the implementation of the CRD as an opportunity to revise all our reporting requirements for these sectors. Overall, the net change in the amount of data we will collect in future represents a 45% reduction for banks, a 25% reduction for building societies and a 55% reduction for securities firms. Investment management firms on the other hand will see an average 410% increase reflecting the relatively light touch reporting burden on these firms in their previous regulatory regimes. This is in line with our approach under our better regulation agenda which I will cover later.
The new reporting under the CRD has already started with firms submitting transitional Key Data on capital adequacy from January this year. Full CRD capital adequacy reporting will be introduced from January 2008 with the full revised reporting regime replacing all 'old' reporting from June 2008. This new data will be collected in the first phase of the roll-out of our new strategic reporting system. [See Reporting from 2008].
The Committee of European Banking Supervisors (CEBS) put in place a common reporting (COREP) framework across the EU which also covered investment firms. The CEBS package is made up of core data and detailed requirements and each member state's regulator selects the amount of data they will collect.
We will be collecting 20% of the core data compared to an average of 83% across EU regulators and 5% of the detailed data compared to an average across EU regulators of 63%.
We continue to champion the continued flexibility for regulators within the CRD converged reporting framework. Nevertheless, there is already pressure for greater convergence which, without a substantial reduction in the COREP package, is likely to lead to an increase in the reporting burden for UK firms. Similar problems can be anticipated in the development of Solvency 2. I can assure you, however, that we are continuing to promote the idea that regulators should be able to justify the data they propose to collect through robust cost-benefit analysis.
MiFID
MiFID is a major part of the European Union's Financial Services Action Plan (FSAP), which is designed to create a single market in financial services. MiFID replaces the Investment Services Directive (ISD) which was previously the most significant EU legislation for investment intermediaries and financial markets.
MiFID also extends the coverage of the ISD, introducing new and more extensive requirements to which firms will have to adapt, in particular in relation to their conduct of business and internal organisation. It comes into effect on 1st November.
One of the main purposes of the ISD was to give a 'passport' to investment firms to enable them to provide investment services on a cross-border basis or establish a branch in another Member State. MiFID has the same basic purpose but it makes significant changes to the regulatory framework to reflect developments in financial services and markets since the ISD was developed. Firms affected include investment banks, portfolio managers, stockbrokers and broker dealers, corporate finance firms, many futures and options firms and some commodities firms.
The main area where MiFID impacts on what data we need from firms is in relation to transaction reporting of trades in the equity, bond and derivative markets.
The primary way we use these transaction reports is to detect and investigate suspected market abuse, insider trading, and market manipulation. For example, when we receive an allegation of market abuse or ourselves identify an issue, we need to identify the transactions in question and establish their nature, timing and parties involved. So the transaction reports are a key piece of the jigsaw in enabling us to determine whether there is, on the face of it, a case of market abuse which warrants further review and possibly enforcement action by us.
As with the Product Sales Data I mentioned earlier, transaction reports can also help our market surveillance efforts by providing other useful information such as rate of growth in the use of certain instruments.
MiFID transaction reporting requirements will shift the reporting emphasis to the competent authority of the home or host state of the firm and not to the competent authority of the regulated markets on which the instrument is traded. MiFID introduces more extensive transaction reporting requirements and impacts on the type of transactions that firms need to report, and the way in which they make such reports.
In July we published the Transaction Reporting User Pack which we developed in conjunction with firms and trade associations. It gives detailed instructions and guidelines to help firms prepare for transaction reporting to us under MiFID.
Following extensive consultation throughout 2006 and 2007, our programme for transposition of MiFID in the UK is formally complete, and the necessary amendments to our Handbook have been made. However, implementation of MiFID will also have a number of important administrative consequences for us and for firms. Some changes to firms’ permissions and passports will be necessary.
MiFID introduces a number of new notification requirements and, in relevant cases, the status of firms’ tied agents, approved persons and waivers from our rules will need to be reviewed and updated. Many of these changes will be applied to non-MiFID as well as MiFID firms. These changes are technical but important because they relate to each firm's ability, post 1 November 2007, to operate within the scope of their authorisation and in compliance with the relevant rules. These are significant matters which should be addressed as a priority by firms in their implementation plans, although it is obviously a bit late to start now!
In September we published an update to our MiFID Permissions and Notifications Guide first published in May. In line with our commitment to implement MiFID in the most cost-effective way, we are making full use of the transitional arrangements which will significantly reduce the administrative burden on firms by enabling us to make many of the amendments to firms’ permissions and passport notifications automatically using technology.
These guides also set out the dates by which firms may need to apply for a variation of permission (VOP), or to provide us with a notification or other application, ahead of 1 November 2007. Some of the deadlines by which we need to receive such applications in order to process them in time will have passed but others have not. So I urge you to read these guides and act as necessary.
Third EU Money Laundering Directive
The new Money Laundering Regulations 2007 will, once approved by Parliament, repeal and replace the current 2003 Money Laundering Regulations and bring the Third EU Money Laundering Directive (3MLD) into effect in the UK by the implementation deadline of 15 December 2007.
The new Regulations will result in us supervising some new types of businesses but we will only supervise these for anti-money laundering and counter terrorist financing purposes. These new businesses include leasing companies, trade finance houses and safe custody providers and it is a legal requirement for these businesses to be included on our register by 15 June 2008 if they wish to continue to carry on their current activities. We will accept registrations from applicant businesses from 15 November 2007.
There will be no change to the way we supervise the money laundering arrangements of firms authorised by us although many will be caught by 3MLD. But they will need to inform us by 15 January 2008 if they already act as a money service business, a trust and company service provider or are subject to the EU Payments Regulation. The EU Payments Regulation, also known as the Wire Transfers Regulation, requires that electronic transfers of funds are accompanied by complete information on the payer and will apply to institutions that initiate wire transfers, such as banks and money remitters.
Full details of what new businesses and existing authorised firms need to do to prepare for the Money Laundering Regulations 2007 are contained in our approach document published in September.
We are not the only regulatory authority in the UK that will monitor businesses' anti-money laundering procedures under the new Regulations. Our approach document includes a useful flow-chart which will help businesses to understand which body they will need to contact.
Again I urge you to read it so that you are able to meet your obligations under this new legislation.
Other than the initial registration requirements we are not proposing regular data reporting under the new Regulations. We will keep this under review and will consult on any proposed requirements.
Directives on the horizon
Looking ahead, the Payments Services Directive will bring most payment services within the scope of regulation with effect from November 2009.
These new requirements will affect not only banks but also a new class of regulated entities, 'payment institutions'. This will include money transmission businesses, bill payment firms, and credit card and mobile phone operators.
The Government is still considering how the Directive should be transposed into UK law and who will be the competent authority, or authorities. However, whatever the design of the new regime and whoever the competent authority, there will inevitably be new reporting requirements to monitor compliance with the conduct of business rules that will apply to all firms and with the prudential requirements that will apply to the larger ones.
Our preparations have already started in earnest for Solvency 2 which will have significant impact on both life and general insurers.
The draft Directive for Solvency 2 was published by the Commission in July. The timetable for implementation already looks challenging for us and firms, with the Level 1 text to be finalised in late 2008, advice on Level 2 text, including on supervisory reporting and public disclosure, being provided by CEIOPS – the Committee of European Insurance and Occupational Pensions Supervisors – in late 2009, and the Commission is intending that all the rules and guidance should be on the statute book 18 months before the regime is switched on.
The aim is to have the new framework up and running by the end of 2012. Work has already started at the FSA to determine the supervisory reporting that we consider justifiable, to input to discussions at CEIOPS, and discussions will be taking place with the industry and other interested parties over the next year or so. Needless to say, CEIOPS are already conscious of CEBS’ experience with the COREP package, and are keen to deliver a greater degree of convergence with the Solvency 2 package.
The industry therefore needs to input their thought process actively if we are to get a sensible and proportionate reporting regime.
Reporting within our Better Regulation agenda
Where does regulatory reporting fit within our Better Regulation agenda under which we are committed to promoting better regulation by ensuring that the overall benefits of our regulation outweigh the costs?
Firstly, our better regulatory approach has to be seen in context. We must after all continue to meet the statutory objectives set out in FSMA and ensure that European Directives are implemented. This means that there will be instances where the costs of regulation are increased – either because we are obliged to implement new legislative requirements, or because there will be an overall benefit as a result.
We apply our better regulatory approach to regulatory reporting by ceasing to collect data we no longer need, and by changing our data requirements where there is a gap in what we need to maintain its effectiveness as a supervisory tool.
I have already mentioned the reduced reporting for many firms as a result of our review of the reporting requirements for banks, building societies and investment firms subject to the CRD. A similar outcome was achieved from our review of non-CRD investment firms also conducted last year.
For securities and futures firms, the amount of data we collect will reduce on average by 77% in 2008, a greater reduction than was the case for such firms subject to CRD. For investment management firms the amount of data we collect will increase on average by 28%, significantly less of an increase than was the case for such firms subject to CRD.
All the figures I have quoted are extracted from a more detailed analysis of the impact of our changes to reporting for banks, building societies and investment firms which was published in February. [See addendum to PS07/1]
This month, the consultation period on the outcome of our review of the Complaints Return and the Retail Mediation Activities Return (RMAR) closed.
The Complaints Return is completed by most of our regulated firms and we proposed a net reduction of 80% in the amount of data collected. The RMAR is submitted by approximately 20,000 firms which act as mortgage, general insurance and retail investment intermediaries. We proposed a net 30% reduction in the amount of data collected.
Once we have analysed the responses we plan to implement the rule changes when we roll out the second phase of our new strategic reporting system with effect from October 2008.
Reporting within our more principles based approach to regulation
You may think that, on the face of it, reporting of regulatory data seems at odds with a principles based approach to regulation.
Principles based regulation generally translates into less prescriptive rules, whereas regulatory reporting translates into prescriptive rules about what, how often and by when the required data should be submitted. We have always said that our approach will contain a mix of principles and rules, partly to help us implement Directives and partly because there will be a compelling case for detailed rules sometimes, such as the standardised reporting needed to regulate many thousands of firms.
As mentioned, regulatory reporting also helps us to reduce the burden of direct on-site supervision, while at the same time making sure that we can identify risks. The way in which we apply our principles based approach on reporting is to align the data we request, as far as possible, with the Management Information (MI) that firms use for their own internal monitoring purposes.
This warrants further explanation as some firms see the link between reporting and our principles based approach differently.
When we consulted on the reporting requirements under the CRD last year, a number of firms indicated that the time allowed in our proposals between the end of the reporting period and the deadline for submission of a given data item was too tight. These concerns came mainly from listed firms which, by their very nature, are large, complex and often have to collate data on activities spread over various UK and overseas subsidiaries. They felt the data reported to us is dependent on audited published accounts and we should be linking our data requirements more to what is published.
This highlighted a fundamental misunderstanding of our intentions.
As part of our approach to senior management responsibility, we expect firms to have suitably robust systems and controls in place appropriate to the size and complexity of the business they undertake. They should be able to provide us with the data we need on an unaudited management accounts basis.
Firms are expected to be able to monitor their compliance with our Principles and rules relating to having adequate financial resources, with sufficient certainty, on a daily basis. We expect that the data reported to us is based on that management information and should reflect senior management’s ‘best estimates’. Our reporting guidance does not require data to be audited, although firms need to have their profits audited before they can be counted as Tier One capital where applicable.
We do not expect that a subsequent audit will make a significant difference to the financial position of the firm as reported to us. The monitoring systems in place at a firm should not present a radically different picture on the extent to which it is meeting the prudential rules that apply, compared to the picture presented in the final figures.
If there is a material difference, senior management should be addressing the shortcomings in their monitoring systems so that the picture presented to them, and to us, is more accurate.
Some thoughts for you
Having talked extensively about the data challenges we face, I should say a few words about my perceptions of some of your challenges.
In general terms we do not prescribe the data we think compliance departments need to collect to perform their role. However, we published a Dear CEO letter in July aimed primarily at investment banks, but you might like to review this and consider how your organisation's compliance function matches up to the good practice we set out. These include tips on compliance monitoring, desk monitoring and trade surveillance.
A fortnight ago I shared a platform with a panel of distinguished lawyers. Somewhat to my surprise they started talking about the importance of data management and MI production in firms. Given that I agreed totally with their three key themes I thought I'd pass them on to you today.
Firstly: Does your firm's MI enable you, and your senior management to monitor your compliance with your regulatory requirements? For example, if you design a particular product for a particular type of customer, does your MI demonstrate that it reaches the relevant target client base? If not, how will you convince us that you meet our TCF requirements and our analysis of the relative responsibilities of providers and distributors?
Secondly: Is your IT security up to scratch? You have already heard about this from another speaker earlier today, so the only thing I will add is that we are concerned with the number of incidents we are hearing about that could lead to a loss of sensitive client and/or proprietary data; examples include lost memory sticks, lost laptops and increased activity by criminals.
And finally: what are you doing about the increased threats from insiders? All our intelligence suggests that criminal gangs and others are keen to get their associates into your organisations so that they can steal your assets or your data from inside your IT firewalls.
Our approach to data management
In finishing off today, I thought I should share with you our approach to data management. Systems and technology are key enablers for us because they help maximise the value of the information and knowledge we have.
We hold huge volumes of information, much of which is the data that we collect from the firms we regulate. The challenge for us is to collect and use this information more efficiently and effectively.
Our vision for our IS Division is that it will be a best in class trusted business partner, delivering reliable, flexible and scaleable capability in an efficient and effective manner. Over the next 3 years we will make a significant investment in upgrading our information systems and technology infrastructure.
We have already made important steps towards our vision. Over the past year we have outsourced our IT infrastructure management to Fujitsu, and our application management to Xansa. This has enabled us to be more flexible in response to changing business needs and will improve our overall IT capability and effectiveness. In addition, we have entered into strategic alliances with three IT development partners – Capgemini, Tata Consultancy Services and Xansa. We are working with them on several major programmes, including our long-term strategic regulatory reporting platform.
We are replacing the existing system we use for market surveillance and market abuse detection. We are also enhancing the systems that automatically generate alerts and risk indicators to enable more timely and effective analysis of the data we collect.
The firms who provide us with their data should be reassured to hear that we will be making improvements in our IS security infrastructure to ensure that we are appropriately protected from both external and internal threats to the integrity and security of the data we collect and hold.
These developments, amongst others, will give our staff access to the information they need to do their jobs more effectively and to help them give you consistent and timely guidance in line with our principles based approach. Making information available to our people through a common system will also support our move to a more modern working environment, enabling our people to access information flexibly, in line with best practice in, for example, professional service firms and the largest firms we regulate.
In other words, we are seeking to emulate the best practices in data management that you aspire to.

