Why regulatory reporting continues to be an Achilles’ heel for FIs?

In response to the 2008 global financial crisis (GFC), financial institutions (FIs) perforce had to undertake numerous corrective actions for restoring their credibility. Transforming their regulatory reporting practices was one such remedial action undertaken by FIs. Unfortunately, in spite of their earnest efforts over the past several years in this regard, for many FIs, their regulatory reporting function continues to be an Achilles’ heel. While there could be several reasons for this, following are some of the key ones:

1) Regulatory onslaught: Since the GFC, across the globe, regulators quite rightly have undertaken a more rigorous data-driven approach to supervision. As a result, their regulatory reporting related expectations from FIs have increased manifold. Regulators’ heightened expectations on various aspects of FIs’ reporting – including scope; volume; complexity; granularity and levels of disclosure; quality, accuracy and completeness; frequency and timeliness; demand for ad-hoc reporting; and traceability and auditability – have however overwhelmed many FIs. 

Today, FIs need to submit hundreds of regulatory reports - both at the solo entity and at consolidated levels –   to large number of regulatory agencies. For example, for just the U.S. Federal Reserve, concerned FIs need to file multiple reports related to call reports, FFIEC 101, stress testing etc. The number and complexity of reporting further increase significantly for the global FIs that are required to file reports in multiple jurisdictions. Reporting requirements vary widely across jurisdictions and in many instances within the same jurisdiction as well. Refer exhibit at the end of this article for few examples of regulatory reports that concerned FIs have to submit today.

Almost all aspects of an FI’s business now come under the purview of regulatory reporting. So, in order to fulfil their reporting obligations, FIs today are required to collect, validate, reconcile and synthesize data from numerous functional areas across their enterprise – including planning, accounting, risk management, capital management, financial management, liquidity & treasury management, and multiple lines-of-businesses (LoBs). Reports related to Basel, CCAR and FR Y-14 regulatory mandates, for example, require the concerned FIs to source data from finance (costs, provisions, forecasts, revenues), risk (capital indicators), and the various LoBs. FIs are now required to report all types of material risks (not just market or credit risks); and which need to be quantified, aggregated, and comprehensively reported. In addition, many of the regulatory reports (e.g., FR Y-14Q/Ms) require the reporting of both financial (detailed instrument/transaction level data) as well as non-financial data.

Also, most regulatory reporting mandates are still template-driven. Furnishing reports in such rigid pre-defined templates create huge operational overhead for FIs. Further, many regulators use outmoded reporting portals and methods for seeking regulatory filings – where FIs have to fill out the forms manually, face limitations related to file size, or submit reports as in free-text paper forms (e.g. pdf).

The number of regulatory reporting formats and standards too have increased manifold; and there is lack of international compatibility and consistency in this regard. While in recent years, there has been increased adoption of eXtensible Business Reporting Language (XBRL), many regulators continue to define the data reporting requirements depending upon their own preferences and systems. Various reporting mandates – for example FATCA, EMIR, MiFID II/MiFIR, FINREP, COREP - require FIs to file reports using different formats and standards (e.g. XML, XBRL, FTP, CSV, Excel, ASCII, FpML etc.)

Regulatory scrutiny of FIs’ reporting accuracy has also intensified. For instance, regulators have started reviewing in detail the lending institutions’ loan documents in order to determine the accuracy of their loans related reporting. Regulators have also been cross-validating the data in FIs’ multiple regulatory reports submissions to unearth any discrepancy. Today, FIs are expected to conduct comprehensive review of the data that they report, establish ongoing transaction-testing and data-monitoring programs, and have robust data/reporting governance and control framework in place. Federal Reserve, for example, has been seeking evidence from FIs regarding the robustness of their data reconciliation and data quality control processes.

Vast majority of FIs are unable to effectively cope with such heightened regulatory scrutiny and expectations. Many FIs continue to remain engrossed in playing catch-up vis-à-vis the new reporting mandates; and are unable to spare time and resources for the implementation of optimal strategic reporting solution. 

2) Process deficiencies: For good number of FIs, robust end-to-end data management and reporting processes are still lacking. In response to each new or enhanced regulatory reporting requirements, these FIs have been simply adding yet another layer of ad-hoc reporting process or workaround. This has resulted in further fragmentation of their reporting infrastructure. Unsurprisingly then, these FIs fail to provide complete audit trail of data to the regulators when scrutinized. Robust documentation on reporting policy, process, procedures, data workflow, manual adjustment scenarios and exceptions etc. also continue to remain a weak spot for many FIs. As a result, their reporting teams fail to get a clear view of the source data systems and the associated data sourcing processes.

For large number of FIs, their reporting workflow continue to require high levels of manual interventions. This has resulted in large reporting staff requirements, cost escalations, and increased risk of erroneous reporting. Most of these FIs’ regulatory reporting staff have to spend majority of their time in executing repetitive manual tasks - related to data sourcing, extraction, cleansing, aggregation, classification, reconciliations, adjustments, submission etc. For example, the reporting staff have to manually append data with the supplementary information into the reporting tools. Similarly, significant manual data adjustments (reclassification, post-closing related etc.) prior to report submission is also needed.

The challenge for many FIs get further exacerbated by the fact that their numerous reporting teams across the enterprise operate in silos and don’t collaborate with each other. These teams have adopted a fragmented approach, with each functional group employing their own database and tools for reports generation. These functional groups’ myopic solely report-focused (as opposed to data-focused) attitude has resulted in generation of overlapping, duplicative and incomplete reports.

Another process deficiency relates to transaction testing. Even though, in recent years, regulators have been conducting transaction testing as part of their regulatory reporting examination, most FIs have yet to implement robust in-house transaction testing programs.

3) Data shortcomings: Many FIs continue to store their data in assortment of databases – with each database having its own fragmented architecture, model, standard and format. The databases are owned by respective functional departments (risk, compliance, finance, accounting, LoBs etc.) that have adopted their own non-standard data management approaches. There is absence of a central data repository or data warehouse to support the FI’s regulatory reporting function. Firms are therefore unable to leverage the common data and analytics pertaining to multiple reporting mandates. 

Industry data standard – related to taxonomy, universal identifier, standard codes etc. - are seldom used.  Many FIs have yet to implement integrated data taxonomy and dictionary (such as those required by BCBS 239). The lack of data standardization and harmonized data concept definitions, and the poor data integration capability, along with the surfeit of required manual interventions creates significant data challenges for FIs - related to aggregation, quality, integrity, accuracy, consistency, adequacy, granularity and auditability. Compounding the challenge is the fact that, in many cases such as those related to wholesale payments, the definitions and meaning of key concepts vary widely across the globe amongst regulators and the other ecosystem stakeholders.

4) Technology constraints: Many FIs’ data management and regulatory reporting processes are not underpinned by optimal automation. Their reporting solutions lack end-to-end automated workflow for data extraction, transformation, aggregation, classification, reconciliation & remediation, and submission. The required associated tools for dashboarding; for ad-hoc analysis & reporting; and for enabling additional data drill-down and robust analytics are also missing. These FIs tend to be heavily reliant on tactical tools such as Excel spreadsheet and EUCs for data collection and verification. Spreadsheet based solution however need continual manual re-inputting of data and/or re-calculation of valuations and ratios.

Good number of FIs today still continue to be heavily reliant on their labyrinth of outdated siloed legacy systems. Majority of these systems were built using disparate technologies and have been passed on through the FIs’ numerous mergers and acquisitions. Further, the continually and fast evolving regulatory reporting landscape has led to many FIs taking a short-sighted view of somehow just meeting the regulatory reporting timelines. So in place of strategic integrated reporting architecture and end-to-end solution, these FIs have adopted assortment of tactical solutions.

Within such FIs, different LoBs use their own siloed, fragmented and incompatible reporting solutions. Plethora of calculation engines that are based on non-standard methodologies are used. The surfeit of disparate non-integrated reporting components and point solutions in such firms are exclusively used for individual reports generation within the specific LoBs. So for example, such firms’ data analytics and reporting solutions for risk management and capital management functions are not integration. Similarly, the reporting solutions for the operational risk management (ORM) and the enterprise performance management (EPM) functions work in silos.

The lack of robust integrated end-to-end reporting solution accentuates the data integrity issues for FIs. It creates the need for significant additional manual intervention by the reporting teams – towards consolidating, reconciling and incorporating data in reports that require inputs from multiple functions. This in turn leads to costly, inefficient, inconsistent and error-prone reporting.

Today, in large number of FIs, the reporting teams spend majority of their efforts on numerous tedious report preparation activities. Consequently, they are left with very limited time for conducting thorough reports review and variance analysis, and in providing commentaries. As per an Ernst & Young study, none of the surveyed banks’ regulatory reporting departments were meeting the Federal Reserve’s recommendation that they spend 80% of their time towards analytics/reviews of the reports and only 20% towards report preparation.

5) Governance issues: Significant number of FIs today lack robust governance framework and control mechanism for their data management and regulatory reporting operations. While FIs have leveraged established SOX frameworks for enabling control standards for monitoring of their financial data reporting, such level of control rigor on their non-financial data is missing in most FIs.

Formal regulatory reporting oversight committee has yet to be instituted in many FIs. In many other FIs, reporting related roles and responsibilities of the various concerned groups (reporting teams, risk management, compliance management, finance, LoBs etc.) are not clearly demarcated. Similarly, in many FIs, the reporting related escalation processes are not streamlined, and there is lack of robust cross-functional reports review mechanism. Clear accountability and ownership of the data management and reporting processes is also missing in many firms. For example, risk data ownership keeps getting shifted between the IT & control functions – with senior management and business heads taking very less direct responsibility. 

Even for the FIs that have put in place certain levels of governance and controls, enterprise-wide harmonization is missing. Instead, these FIs rely on their multiple isolated governance and controls mechanisms.