Data Quality, Compliance, and Risk for Financial Institutions

Data Quality, Compliance, and Risk for Financial Institutions W H I T E PA P E R This document contains Confidential, Proprietary and Trade Secret Information (“Confidential Information”) of Informatica Corporation and may not be copied, distributed, duplicated, or otherwise reproduced in any manner without the prior written consent of Informatica. While every attempt has been made to ensure that the information in this document is accurate and complete, some typographical errors or technical inaccuracies may exist. Informatica does not accept responsibility for any kind of loss resulting from the use of information contained in this document. The information contained in this document is subject to change without notice. The incorporation of the product attributes discussed in these materials into any release or upgrade of any Informatica software product—as well as the timing of any such release or upgrade—is at the sole discretion of Informatica. Protected by one or more of the following U.S. Patents: 6,032,158; 5,794,246; 6,014,670; 6,339,775; 6,044,374; 6,208,990; 6,208,990; 6,850,947; 6,895,471; or by the following pending U.S. Patents: 09/644,280; 10/966,046; 10/727,700. This edition published November 2006 White Paper Table of Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 The Compliance Challenge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Sarbanes-Oxley. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Anti-money Laundering and the USA PATRIOT Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Basel II . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Data Quality, Benefits Beyond Compliance . . . . . . . . . . . . . . . . . . . . . . . . . 5 Risk Data Quality: Where to Start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Informatica Data Quality Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Informatica Data Explorer: Key Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Informatica Data Quality: Key Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Conclusion: Responding to the New Regulations . . . . . . . . . . . . . . . . . . . . 9 Data Quality, Compliance and Risk for Financial Institutions 1 Introduction Risk management has long been high on the agenda for financial institutions. However, the increasing array of mandates and regulations that have emerged in recent years is causing banks, asset managers, and insurance companies to look at risk and compliance in a new light. Where once it might have made sense to manage different types of risk such as market risk, credit risk and operational risk as entirely separate initiatives, financial institutions are now taking a more comprehensive view of risk and are moving towards bringing it together under a single enterprise risk framework. Risk managers frequently cite a lack of clean, quality data as the biggest inhibitor to achieving their risk management and compliance goals. Poor data quality is endemic in most large organizations. Generally speaking, financial institutions accept this as a day-to-day operational challenge and devise both simple and complex work-arounds to compensate for the data’s shortcomings. But, to effectively manage risk, the financial institution needs to be able to easily integrate data from different business units, areas, and geographies, and provide consolidated reports and query functions on that data. Risk and compliance bring sharp focus to the requirement for consistent data definitions across the business and streamlined processes for capturing and reporting on high quality data. The universe of data that has relevance to an institution’s regulatory compliance and analysis of risk is growing all the time. More data from more source systems is being used to drive risk and compliance engines. Risk data needs to be enterprise-wide and tied into all aspects of customer, commercial, financial, and operational data, at the lowest level of detail, to enable necessary statistical analysis to be undertaken. And this data is not static. Information about instruments, counter parties, and market events is constantly changing and those changes need to be reflected accurately throughout the risk management infrastructure. Throughout the process, data is transformed via risk methodologies into usable information that, in turn, creates more data that needs to be managed, measured, and monitored. To achieve this, Chief Risk Officers rely on technology, people, and processes. More than anything, however, they need access to a solid foundation of clean, accurate, standardized, and timely data. Banks, insurance companies, and other financial firms that invest in improving data quality for risk management and compliance should not just view it as a cost. The availability of high quality data on customers, products, and assets will pay dividends throughout the organization if leveraged appropriately, enabling financial institutions to improve customer service, gain operational efficiencies, and more efficiently manage assets. 2 White Paper The Compliance Challenge Basel II is perhaps the highest-profile of the regulatory requirements currently facing financial institutions, but others are equally pressing. For example, all public companies traded in the United States must comply with the Sarbanes-Oxley Act (US). Other initiatives such as the USA PATRIOT Act71 and anti-money laundering directives have similarly broad data quality requirements. The globally expanding array of regulations effectively moves data quality out of the ‘it-would-be- nice-to-fix’ status into an issue that must be addressed. Sarbanes-Oxley Sarbanes-Oxley is composed of several regulatory provisions, the most important stating that an organization must submit regular assessments of its internal financial audit controls to the Securities and Exchange Commission (SEC). Any executive who submits inaccurate or misleading information to the SEC could face a million dollar fine and up to twenty years in prison. It is notable that the stiff legal penalties of Sarbanes-Oxley apply also to corporate officers who make inaccurate audit declarations in good faith. Financial institutions are in the vanguard of institutional conformance with Sarbanes-Oxley, and many have already advanced in compliance. However, the data challenges facing some financial service providers are still considerable and will remain so while the Act is in force. As with Basel II, organizations face the hurdles of profiling, cleansing, and aggregating vast amounts of data. Like Basel II, compliance with Sarbanes-Oxley is only possible if the data underlying the corporate audit is reliable. This represents an opportunity to improve business practices and data quality across the enterprise. “Spending on Sarbanes-Oxley is an up-front investment in making the processes of the company better,” says Iain Macdonald, group vice-president and group controller, British Petroleum. “BP has come together from multiple heritages, so it has a lot of different business processes in the group. Sarbanes-Oxley forces us to be extremely systematic about looking at those processes.”2 Anti-money Laundering and the USA PATRIOT Act The USA PATRIOT Act is a wide-ranging response to the threat of terrorist attack that faces the United States in the aftermath of September 11, 2001. Title 3 of the Act relates specifically to anti-money laundering (AML) and anti-terrorist financing initiatives. Again, there are stringent penalties for organizations that fail to live up to the regulations. On November 30, 2004, Federal Regulators imposed a $24 million penalty against Bank of New York for AML violations, and specified that the bank would also have to submit to independent monitoring of its AML compliance program. 1 Full title: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001. 2 From “Making Compliance Pay” by Clive Davidson. Risk magazine, May 2004. Data Quality, Compliance and Risk for Financial Institutions 3 Figure 1: Informatica Data Quality Workbench showing an Anti-money laundering plan Of particular interest to financial institutions are Sections 314 and 319 of the Patriot Act. Section 314 calls for cooperation and information sharing between law enforcement agencies, financial institutions, and regulatory bodies concerning terrorist or money-laundering suspects. Section 319 calls on a financial institution to provide full details for any account it holds within 120 hours (five calendar days) of receiving a request from a federal banking agency.