Frontiers in Finance


  • 8/12/2019 Frontiers in Finance

    Frontiers in Finance
    For decision-makers in financial services
    April 2014

    Cyber crime: Insurers in the firing line

    Governance strategies for managing the data lifecycle: Knowing when to fold versus hold and protect

    Rebuilding and reinforcing risk data infrastructure


    FOREWORD

    Letter from the editors

    As in every other business sector, financial services companies are having to respond to rapid and transformational developments in data, information and technology. In our industry, in which products and services are in effect intangible, these developments can present a particular set of challenges and opportunities. These are so significant and wide-ranging that they impact directly on fundamental corporate strategy. Data and information issues are now central to the operating models of financial services. In this issue of Frontiers in Finance, we explore a number of important implications.

    Jeremy Anderson's Keynote article sets the scene by stressing the crucial importance of data and information management to the current and future health of major financial institutions, both in terms of driving revenue and earnings growth and of ensuring secure and effective compliance with the ever-increasing complexity of regulatory demands. This centrality carries risks and an imperative to effective management, but similarly, offers major benefits in terms of efficiency, client relationships and customer value propositions. The Chief Information Officer has a growing strategic role to play.

    Managing and taking best advantage of this new data environment requires new approaches to systems, processes and governance. For example, risk management depends essentially on data about counterparties, markets and internal operations. The governance of reference data used for risk calculations has become a critical issue. Here, as elsewhere, rapid and accurate data collection needs to be complemented by ensuring its accessibility in real time to relevant decision-makers. New tools for data and analytics (D&A) and business information can now radically simplify and streamline the task of extracting management data and creating timely and insightful reports. Other D&A tools are transforming the audit process and, through that, improving the management and reporting of financial services companies.

    Regulators, too, have become more alert to the importance of good data management and, in particular, to the dangers of inadequate or misleading risk data systems. As a result, they are focusing more on the machinery and processes behind risk figures. The shortcomings of current risk analysis were harshly exposed by the financial crisis. Five years later, many weaknesses remain. Improved standardization, common data models and better integrated systems are all essential. But the implications go further. Increasingly, a key principle is that whatever data banks and insurers rely on for critical business decisions needs to be the same as supplied to regulators for prudential oversight. Accordingly, the new focus on data is not simply a drive to improve compliance and reporting. It is a process of redirecting internal management processes to better reflect regulators' assessment of best practices. This is a fundamental change of perspective.

    Information technology is posing other challenges and presenting other opportunities. Case in point: cyber crime. As banks have become more sophisticated and effective at defending themselves against attacks, insurance companies are now a growing target and need to raise their game as a matter of urgency. Or a completely different area: payments systems. There is a rapidly increasing series of initiatives in the payments sector, especially in mobile payments technology. Those propositions which provide real benefit will truly transform consumer behavior.

    The legacy of the financial crisis can be identified in virtually all of these areas. Strengthening the global financial system, identifying and controlling systemic risk, improving transparency and reducing complexity have all been core objectives of the political and regulatory response over the last 5 years. Improving the alignment between the data and information systems relied on by internal management and external regulators is fundamental. This will impose greater responsibility on CIOs, their information systems and the models they create to underpin risk and capital calculations. We believe the articles in this issue should help illuminate some of the directions for future development.

    Giles Williams, KPMG in the UK
    Andrew Dickinson, KPMG in Australia
    Jim Suglia, KPMG in the US

    © 2014 KPMG International Cooperative ("KPMG International"). KPMG International provides no client services and is a Swiss entity with which the independent member firms of the KPMG network are affiliated.


    CONTENTS

    FRONTIERS IN FINANCE, APRIL 2014

    FEATURES

    Cyber crime: Insurers in the firing line
    As banks become more sophisticated and effective at defending themselves against attack, the focus of much cyber crime is changing. Increasingly, insurance companies are becoming the target. The risks are very real and very serious. Insurers need to raise their game as a matter of urgency.

    Governance strategies for managing the data lifecycle: Knowing when to fold versus hold and protect
    Regulatory risk management is an increasingly critical challenge for financial services firms. While credit and market risk have always featured on senior management's agenda, external regulatory developments are placing greater emphasis on effective risk management frameworks and also increasing the focus on data retention required for compliance.

    Rebuilding and reinforcing risk data infrastructure
    One of the main features of the financial crisis was that it revealed the inadequacy of banks' risk data systems and processes. This had serious impacts both on managements' ability to understand and manage risk and on regulators' attempts to maintain liquidity and limit contagion.

    Chairman's message
    Data, analytics and technology: Core strategic enablers

    Regulatory roundtable: Data and the CIO under the microscope
    In our recurring feature, experts from KPMG's regulatory centers of excellence review current developments. Here, they explore the emerging focus of regulators on data and technology and its implications.

    Seeing is believing: Visual analytics and making sense of data
    Financial organizations face ever-increasing demands on performance against a background of constant change. Effective responses depend more and more on the capacity for deep and rapid understanding of business operations and performance.

    Technology and payments: Beyond the hype?
    There is tremendous activity at the moment in the payments sector driven by advances in communications and associated technology. Financial services companies, payments companies and new entrants alike are making major investments, launching innovative new initiatives and jostling for leadership in what is a rapidly changing market.

    Better bank reporting: Aligning reports with shareholder value
    Banks' annual reports are groaning under the weight of new disclosure requirements. While their financial statements have become significantly more transparent and consistent, it is becoming more difficult to discern the overall message. Investors are presented with an abundance of financial data but struggle to identify relevant information.

    Systemic risk: A limitation of traditional risk management practices
    In the aftermath of the global financial crisis, questions are being asked why traditional risk management methodologies seem unable to provide sufficient warning of the next crisis. Over the last 40 years, many significant financial or economic crises were not adequately foreseen and prevented.

    PUBLICATIONS

    Updates from KPMG member firms, thought leadership and contacts.


    CHAIRMAN'S MESSAGE

    Data, analytics and technology: Core strategic enablers

    Jeremy Anderson, Chairman, Global Financial Services

    Financial institutions are increasingly reliant on data and information technology as the foundation of efficient operation, regulatory compliance and future growth and profitability. This pervasive data reliance carries risks as well as opportunities. The role of the chief information officer (CIO) in helping navigate a path through this complexity is now fundamental to institutional health and integrity.

    It is hard to think of a time when the role of the CIO has been more important to the current and future health of a major financial institution. In both offensive and defensive strategy (driving revenue and earnings growth and ensuring secure and effective compliance), the contribution of the CIO and his or her team is increasingly crucial.

    Across the board

    The role of data and information is now integral across the business, from back-office to marketing and sales and from risk management to meeting stakeholder and regulators' expectations:

    Cost and efficiency: It is very clear that banks' balance sheets are being completely reshaped by the major new regulatory initiatives which have followed in the wake of the financial crisis. In some cases, these are driving return on equity below the cost of capital. As a result, and in order to return to generating sustainable returns and acceptable levels of organic capital, banks have no alternative but to become leaner, simpler and more cost-effective in their operations. As a key enabler of process and workflow efficiencies, technology has a huge role to play here.

    Exploiting data: Mastering the massive increase in data flow and extracting the greatest value from it is fundamental to organizational health and success. The implications extend across the business operating model. At the front end, financial services firms face real challenges in managing and making sense of the vast array of information which can now be made available about the attitudes, behaviour and needs of clients, prospects and targets. Technologies such as data mining and data analytics are increasingly important as a foundation for effective marketing, sales and cross-selling.

    Managing risk: The financial crisis and the wide-ranging regulatory response have placed increased emphasis on the need for effective management of risk in all contexts: reputational risk, operating risk, regulatory risk. Companies now face the twin challenges of sustaining improved risk management and furnishing evidence of its effectiveness to stakeholders: regulators, clients, shareholders. Collecting, analyzing and presenting the relevant data is now indispensable to creating the foundation for strong stakeholder relationships.

    Customer relationships: Information technology and data management are fundamental to maintaining stable and responsive relationships with clients who are increasingly expecting continuous access to their financial service providers on a range of online and mobile platforms. Integrating the different interface technologies and grounding them on consistent, high-quality data are essential elements in creating fast, agile communications and decision-making. Consumers do not want complexity, delays or inconsistency. Companies that cannot implement the necessary systems quickly enough will find themselves squeezed out and facing further disintermediation by technical innovators, new entrants and new technologies, like we are seeing in payments or money transfer.

    Day-to-day operations: Fundamentally, optimizing day-to-day operations means maximizing the use of scarce resources and ensuring that people have the right information to make optimal decisions at the right time. This requires accurate and consistent data, which can serve both to underpin the operational health of the company and satisfy internal and external requirements.

    The universal importance of good data and information management across the business operating model places a huge premium on the ability to collect, aggregate and analyze data to create a single view of the truth: one complete and internally consistent data and information resource which can satisfy all needs. Regulators are increasingly focusing on risk data aggregation, such as in the Basel Committee's recent recommendations.[1] Whether it is a question of customer-facing operations, internal systems and procedures or external reporting, the winners will be those who can bring together data in a coherent way to serve these multiple needs most effectively.

    Safeguarding the institution

    The exponential increase in the volume of data necessary to the operation of financial services companies, together with institutions' increasingly critical reliance on it, carries major dangers of its own. Companies are more and more vulnerable to the loss or corruption of mission critical data and at greater risk of reputational damage and regulatory sanction if they misuse it. Data and cyber security has to move from being a peripheral and technical specialism to a central strategic concern. Proper data security has to become as much a matter of business-as-usual as securing safes or locking filing cabinets.

    Similarly, when internal processes, business-to-business communication and delivery of customer services all depend so critically on data and information technology (IT) infrastructure, maintaining its integrity is a key requirement in sustaining institutional security. We see only too frequently that when critical technology, such as a payments system, fails, even for a few hours, the impact can be widespread and immensely disruptive. Leaks and loss of sensitive customer data breach the trust between institution and client and can carry significant financial penalties. Significant reputational damage can occur if these situations are not well handled.

    As systems become more global and more interdependent, they begin to resemble the organizational and contractual connectedness which contributed so much to the creation of the financial crisis. It may not be too fanciful to think that the next major crisis may arise from IT vulnerability unless defensive measures are continuously upgraded.

    Here, where solutions often depend on major expenditure on IT and systems, it can be hard to quantify the need and demonstrate desired returns on capital. In a low-margin, high-complexity environment, the desirable risk-reward balance may not be immediately apparent. Nevertheless, investment to improve data security, reduce complexity and enhance the customer proposition is crucial if companies are not to be outflanked by braver or more farsighted competitors.

    Seizing the benefits

    It is not all danger and defensiveness. The new technologies are the way of the future and if properly developed promise major improvements in internal efficiency, external reporting and, perhaps most significantly, customer relations and customer propositions. Whether it is further development of internet and mobile channels or innovative new technologies for payments, there are major potential benefits as well as risks. The role of the CIO is now to help define an institution's core strategy against this rapidly developing background and guide investment decision-making on the basis of a clear view of risk and reward.

    Technology, data and information management have been a core part of financial services for many years. They have just become more important still. Boards and executive management need to ensure they are accorded the same priority as any other critical success factor.

    1 BCBS 239, Principles for effective risk data aggregation and risk reporting, BIS 2013.


    A leading example

    One of the leaders in the new data management environment is the Commonwealth Bank of Australia. In 2012, the bank introduced a new technology platform to enable what it calls "real-time banking", making the customer experience faster, easier and more secure. The bank's CIO, Michael Harte, explained: "What people want [whether] at home or in the office or traveling overseas, anytime, anywhere [is to have] real-time richness and be able to increasingly do that through an interface that's rich and mimics or re-presents the intimacy of what you once had [with] face-to-face banking and insurance and brokerage."[2]

    These investments paid off to the extent that the bank is now introducing a range of new functions and improvements building on new technology and near field communication (NFC) payment solutions. Harte commented: "We continue to invest in rich content and the back-end technology that enables us to deliver real-time value to our customers. Our strong platformance and security layers are at the heart of all our technology and have spearheaded the growth in consumer confidence in mobile banking services."[3]

    2 CommBank CIO: Future of banking is real-time, personal, 24 August 2012.
    3 CommBank extends lead in mobile banking and payments space, 17 October 2013, https://www.commbank.com.au/about-us/news/media-releases/2013/commbank-extends-lead-in-mobile-banking-and-payments-space.html.


    INSURANCE FEATURE

    Cyber crime: Insurers in the firing line

    Stephen Bonner, KPMG in the UK
    Jon Dowie, KPMG in the UK
    Kevvie Fowler, KPMG in Canada

    As banks become more sophisticated and effective at defending themselves against attack, the focus of much cyber crime is changing. Increasingly, insurance companies are becoming the target. The risks are very real and very serious. Insurers need to raise their game as a matter of urgency.

    The focus changes

    When asked exactly why he robbed banks, the infamous American criminal Willie Sutton is alleged to have replied, not unreasonably, "Because that's where the money is." In more recent years, with the massive growth of the internet, online connectivity and remote access, it has again been banks which have borne the brunt of cyber crime. Not only is the money there; banks also hold critical information about all of their customers which, in the wrong hands, can be equally valuable. However, the focus of much cyber crime is now changing rapidly, away from banks and onto insurers.

    There are a number of reasons. Perhaps the most significant and straightforward is simply that over the last 10 years or so, banks' defenses have become more sophisticated and effective. The industry has appreciated the threat and has taken measures to counteract it. Key steps have included implementing layers of technical protection as well as concerting efforts across the industry (in what is, after all, a challenge facing all banks) to exchange information and develop strong counter-measures together. It is clearly not possible to prevent all attacks from succeeding and for obvious reasons, individual banks are reluctant to publicize those attempts which do result in loss. But overall, the banks have become increasingly effective in repelling cyber crime.

    Another key factor is that cyber criminals have come to realize that banks are not the only potentially lucrative targets. Certainly, banks are where the money is. But money can also be stolen from insurance companies. Furthermore, money is not the only valuable commodity available; insurers need to protect premium rating tables, claims and accident and loss information. Almost equally valuable are customer details (personal information, names, addresses, account details, passwords, health and lifestyle information, payment card information, etc.), which can either be parlayed into cash or sold on to other criminal interests that will attempt the same thing.

    In addition, insurers typically enjoy far less close and frequent interactions with their clients than banks. Despite the hollowing out of the bank-client relationship in recent years, it is still true that banks and their clients typically transact business many times a week or month. By contrast, insurers may interact with their clients only when there is a claim or, in the case of life companies, when the client retires or dies. This remoteness from the client means that insurers are much less well-placed to identify potentially fraudulent or criminal attacks. And although attempts at insurance crime may still be less common than bank crime, the rewards for success can be much greater. Compromising a bank card or credit card may yield a few hundred dollars; a successful fraudulent insurance claim may produce an order of magnitude more. Nor is simple financial advantage the only motivation. As we shall see, insurers, along with many other financial services companies, face multiple challenges.


    As insurers amass greater amounts ofcustomer data through new online channels,social media, telematics and web-basedclaims management systems, they become

    even more attractive to cyber criminals. In2012, a major security breach of a US insureraffected 1.1 million policyholders and potentialcustomers. Hackers stole names, social securitynumbers, drivers license numbers and datesof birth. The insurer acted swiftly, offeringcredit monitoring and identity theft protectionfor those impacted, including US$1 million infree identity theft insurance coverage with nodeductible. In another case, a global insurer wasfined 2.2 million for failing to have adequatesystems and controls in place to prevent the lossof customers personal information.

    Understanding the threat

    In order to understand and protect against the threat, it is important to understand therange of sources.

    Organized crime:It may be tempting tothink that the threat from cyber crime isrelatively limited and arises from opportunisticattempts to extract small amounts ofbenefit. But experience over recent yearshas demonstrated conclusively that highlyadvanced organized crime syndicates areincreasingly determined in their attacks onfinancial services companies and, recently,insurers in particular. These are sophisticatedand ruthless criminals. Their tools of choiceinclude malware and botnets that install

    themselves on corporate networks, eithercompromising security and transmitting

    critical data outside the company ortransforming local networks into slaves underthe control of the external criminals.

    Organized criminal networks have also

    begun to realize that it is not actually necessaryto steal anything. The mere threat of loss orof operational damage and disruption can beenough to extract a substantial ransom fromthe targeted organization. Once again, manycompanies are reluctant to reveal publiclywhen they have been hit. But many have paidup quietly.

    Reverse engineering of the malwaredistributed by cyber criminal organizationscan reveal the kind of targets crime networksare focused on; increasingly over the lastyear or so, the evidence is that insurancecompanies are becoming targets.

    The rapid growth of online insurance

    purchasing offers greater opportunitiesto organized crime. It can be difficultfor customers, attracted by low prices,to distinguish legitimate insurers fromfraudulent ones. We are seeing a spate ofghost brokers being set up on the internetselling fake policies, taking premiums andleaving the policyholder without coverage.

    Petty criminals:As the term suggests,petty criminals will target any and everyopportunity to compromise security andextract reward. They are comparativelyindiscriminate, both in their targets andin their methodology and often are justlooking for front-door vulnerabilities, suchas systems with missing patches and

    mis-configurations that can be easilyexploited. There is a modernization trend

    within the insurance industry currently andmany insurance providers are launchingportals that enable clients to self-managetheir policies. Petty criminals are aware of

    this and are able to scan these portals usingspecial software to detect vulnerabilitiesfor exploitation. Ensuring front-doorvulnerabilities are not present on thesesystems is an easy way to force the criminalsto move on to the next target. Althoughthe quantum of risk may be less than isimplicated in organized crime, the threat and the disruption which it can cause even ifunsuccessful can be significant.

    State sponsored cyber crime:There is nodoubt that certain states have developed,and maintain, sophisticated technologicalcapabilities designed either to extract cash ordata from vulnerable Western companies or,

    more commonly, to sustain the capability tohold those organizations to ransom as part ofa more extensive coordinated attack.

    There are fuzzy lines between traditionalelectronic espionage, commercial espionageand theft of data for commercial and strategicadvantage. There is evidence of states

    ercial espionage duringers and acquisitions (M&A)

    rance companies alongdustrial sectors in theble to all of these dangers.terrorists:Illegaley or data is not the onlyotivates cyber criminals.ists, terrorists and others

    a wide variety of motives,ular, the desire to disrupt,

    engaging in commcross-border mergtransactions. Insuwith many other inWest are vulnera

    Hacktivists andextraction of monobjective which mSo-called hacktiv

    may be driven byincluding, in partic

    INSURANCE

    FEATURE

    8/ Frontiers in Finance / April 2014

    2014 KPMG International Cooperative (KPMG International). KPMG International provides no client ser vices and is a Swiss entity with which the independent member firms of the KPMG network are affiliated.

  • 8/12/2019 Froniters in Finance

    11/36

    1 Cyber Security Self-Assessment Guidance, OSFI Canada, 28 October 2013. http://www.osfi-bsif.gc.ca/Eng/Docs/cbrsk.pdf .2 Proofpoint Threat Insight: Are You Being Targeted, Part I: Industry, Poofpoint Inc.

    http://www.proofpoint.com/threatinsight/posts/are-you-being-targeted-part-1-industry.php3 KPMG, UK Cyber Vulnerability Index 2013.4 KPMGs Cyber Maturity Assessment (CMA) provides an in-depth review of an organizations ability to protect its information assets and

    its preparedness against cyber attack. cf KPMG Cyber Maturity Assessment: The cyber threat to your business, May 2013.

    average

    TechBu

    s.Se

    rvices

    Fin

    ance

    Education

    Retail

    Health

    care

    Insurance

    Manufacturing

    Government

    Entertainment

    Percent of

    messages

    containing

    malicious

    URLs

    damage or destroy companies operatingcapabilities. Here the threat is all the moredifficult to anticipate because it can be almostimpossible to predict. However, we have

    seen that indirect action can be especiallyattractive to many of the types of groupsinvolved in these activities. For example,insurance companies that undertakebusiness with drug companies, animaltesting laboratories, defense companies andthe like may well find themselves the targetof cyber crime attacks from this direction.

    How to respond?The first priority is, obviously, to recognize thenature of the contemporary threat. Historically,insurance companies have sought to defendthemselves against fraudulent claims bymobilizing resources to analyze broad patterns of

    incidence and investigate individual instances ofparticular concern. But the threat today includesnot only the risk of financial loss, but also that ofdisruption to systems and processes that cancause both financial and reputational damage.The Canadian Office of the Superintendent ofFinancial Institutions (OSFI) recently releasedguidance on how financial services institutionscan self-assess their level of preparedness for,and protection against, cyber attacks.1Insurerscan also learn from the banking sectors success

    in creating structures and processes to shareinformation about threats and best practices.

    Second, it is a truism that insurers back-office technology and systems are a generation

    or more behind those routinely employedby banks. There is a lack of connectivity andcoordination between different systemsand, therefore, less capability to identify andcounter attempts at penetration and diversion.Less automation, more manual interventionsand more breaks in the chain of informationprocessing increase the potential vulnerability.Where claims processing is outsourced,security can be more difficult to monitor;more effective supply-chain management isneeded. Recent research by Proofpoint Inc.shows that insurance companies currentlyface a higher number of email-based threatsto security than any other business sector.2In

    fact, KPMGs 2012 Data Loss Barometerstatesthat the insurance sector states is at greatestrisk from social engineering attacks and systemand/or human error incidents. A separateKPMG research shows that financial servicescompanies are among those industries with themost vulnerable software.3Upgrading systems,although expensive, is a necessity.

    Finally, and perhaps most importantly, insurers need to understand how to develop a mature and effective response. The threat is all too real. But it needs to be countered with intelligent and sophisticated action. This needs to look beyond pure technical preparedness against cyber attacks to take a rounded view of people, process and technology in order to understand areas of vulnerability, identify and prioritize areas for remediation and demonstrate both corporate and operational compliance, turning information risk to business advantage. In our experience, this means acting on six key dimensions that together provide a comprehensive and in-depth view of an organization's cyber maturity:4

    Leadership and governance
    Board demonstrating due diligence, ownership and effective management of risk.

    Information risk management
    The approach to achieve comprehensive and effective risk management of information throughout the organization and its delivery and supply partners.

    Operations and technology
    The level of control measures implemented to address identified risks and minimize the impact of compromise.

    Human factors
    The level and integration of a security culture that empowers and ensures the right people, skills, culture and knowledge.

    Business continuity and crisis management
    Preparations for a security event and ability to prevent or minimize the impact through successful crisis and stakeholder management.

    Legal and compliance
    Regulatory and international certification standards as relevant.

    The banking sector has shown that the threat from cyber crime can be contained and countered. Insurers need to raise their game urgently to ensure that they can mount comparable defenses.

    The insurance industry faces a higher number of email-based threats

    Source: www.proofpoint.com/threatinsights

    MORE INFORMATION

    Stephen Bonner
    KPMG in the UK
    T: +44 20 7694 1644
    E: [email protected]

    Jon Dowie
    KPMG in the UK
    T: +44 20 7311 5295
    E: [email protected]

    Kevvie Fowler
    KPMG in Canada
    T: +1 416 777 3742
    E: [email protected]

    April 2014 / Frontiers in Finance / 9

    2014 KPMG International Cooperative (KPMG International). KPMG International provides no client services and is a Swiss entity with which the independent member firms of the KPMG network are affiliated.

    http://www.osfi-bsif.gc.ca/Eng/Docs/cbrsk.pdf
    http://www.proofpoint.com/threatinsight/posts/are-you-being-targeted-part-1-industry.php

    COE REGULATORY ROUNDTABLE

    Giles Williams, KPMG in the UK
    Pam Martin, KPMG in the US
    Simon Topping, KPMG in China

    Regulatory roundtable: Data and the CIO under the microscope

    In our recurring feature, experts from KPMG's regulatory centers of excellence review current developments. Here, they explore the emerging focus on data and technology and its implications.

    Technology as a source of risk

    Over the last 10-15 years, banks' reliance on technology has undergone a number of changes of emphasis. Initially, technology was used to streamline and automate internal back-office processes and make them more cost-effective. Then, technology gradually began to contribute to decision-making to automate various front-line processes and to create new opportunities ranging from internet banking to algorithmic trading. Now, information technology is widely used to mediate relationships with customers and counterparties and to communicate instantly and across the globe.

    The consequence of such extensive reliance on technology is that weaknesses in systems and processes have become potentially much more serious, with more profound impacts. In individual institutions, failures can damage confidence and threaten brand value. When they lead to widespread contagion, systemic disruption threatens. Reliance on technology brings its own risks, as seen most vividly when systems crash (the malfunctioning or non-functioning of a major bank's automated teller machine (ATM) network is both a massive inconvenience to its customers and often a major news story) or generate instability (some sharp movements in stock prices have been attributed to flash trading and to automated and algorithmic trading more generally).

    The dangers are magnified when increasing corporate and operational complexity means that few, if any, managers are any longer in a position to exercise judgment over the totality of business operations. So does the potential for systemic errors to be introduced and not be recognized. Technology risk has become a major component of operational risk and is a growing focus of concern for senior management and regulators alike.

    There has been a significant regulatory focus on technology risk for decades. For example, the US Federal Financial Institutions Examination Council (FFIEC) was created in the 1970s to prescribe principles, standards and reporting formats for the federal examination of financial institutions, including their risk management systems and risk data infrastructures, with a strong focus on technology risk management. Basel II required that banks begin to hold capital against operational risk (which includes technology risk) as a buffer against the impact of operational failures. However, quantifying this risk has proven difficult. Most banks have relied on simpler standardized approaches rather than trying to construct models to calculate how much capital they should hold against operational risk.

    Historically, IT risk has tended to be managed in the chief technology officer's silo (and within that, often in a sub-silo such as cyber security). In recent times, the focus has been redirected to taking data risk out of its silos and integrating it into an enterprise-wide risk management framework. Operational risk (including IT risk) must truly become the third leg of the risk stool alongside credit risk and market risk. As a result, it is now increasingly understood that IT risk is too important to be left solely to IT people. The CIO has first to be an information technologist. But the CIO also has a key role to play in informing the risk assessments of the chief risk officer. It is also important that the business line be an integral part of any technology-related project, as they are ultimately the end user.

    Accordingly, regulators are increasingly examining how technology risk is being incorporated into a bank's overall risk management framework.

    The role of data and technology in risk management

    Risk management is intimately dependent on issues of data: data integrity, completeness, relevance and accuracy. And even in the smallest banks, good risk management depends on the IT architecture and systems used to store and process data. But the many banks with multiple aging IT systems or poorly integrated inherited systems from acquisitions or mergers find it very difficult to aggregate and report data to support risk management.

    The shortcomings of current practice were harshly exposed by the financial crisis. A key lesson was that large parts of the financial services industry in the US and Europe were unable to identify and aggregate risk across the financial system and to quantify its potential impact. Exposures could not easily be aggregated across trading and bank books, across geographies and across legal entities. Risk management, governance and the underlying data infrastructure were unacceptably weak. Global systemic risk was, as a result, both obscure and underestimated.

    More than 6 years after the crisis, many of these weaknesses remain. The Basel Committee published at the end of last year the results of a self-assessment by 30 global systemically important banks (G-SIBs) of their progress in meeting the committee's principles for effective risk data aggregation and risk reporting. The results show the lowest reported compliance rates for data architecture and IT infrastructure, the accuracy and integrity of data and the ability of banks to adapt to changing demands for data analysis and reporting. Nearly half of the banks reported material non-compliance on these principles and that they are having to resort to extensive manual workarounds. One-third of the banks reported that they will be unable to comply fully with the principles by the 2016 deadline. A report of the Senior Supervisors Group in January 2014 on data quality and management in 19 major US, Canadian and European banks reached the even more damning conclusion that:

    "...firms' progress towards consistent, timely and accurate reporting of top counterparty exposures fails to meet supervisory expectations as well as industry self-identified best practices."

    Weaknesses in systems and data management have also hampered the ability of both banks and their supervisors to run stress and scenario tests. The experience of stress-testing has revealed the fact that systems and processes for aggregating and analyzing risk in large banks remain disturbingly inadequate. Ad hoc processes and manual intervention are still necessary to produce a summary of potential risks. In turn, poor or non-existent data management infrastructure casts doubt on the reliability of the assessments that are produced. There is a long way to go before the industry can convince regulators that it has the quality of data necessary to satisfy their requirements.

    Responses

    Many banks appreciate the need for remedial action, but are understandably wary of the scale of the task. They face competing demands for expenditure on IT and data systems at a time when they are looking to cut costs, not least to offset the increasing costs of regulation and compliance.

    Supervisors are increasingly stressing the need for improvement and, at least for systemically important banks, supervisors have already increased the intensity of their supervision in areas such as banks' IT systems and data management. The question then becomes what actions supervisors are likely to take to drive improvement. This varies across countries, but in most countries, the supervisory toolkit will include the ability to require banks to take remedial action. And if this action is not forthcoming, then supervisors can reflect this in their overall supervisory assessment of a bank, with possible consequences for the amount of capital that the bank has to hold against its risks or for the imposition of restrictions on business expansion. In some countries, the supervisors may go further into enforcement territory, imposing fines on banks with inadequate systems and taking actions against specific individuals performing senior management functions in the bank.

    MORE INFORMATION

    Giles Williams
    Partner, Financial Services Regulatory Center of Excellence, EMA region
    KPMG in the UK
    T: +44 20 7311 5354
    E: [email protected]

    Pam Martin
    Managing Director, Financial Services Regulatory Center of Excellence, Americas Region
    KPMG in the US
    T: +1 202 533 3070
    E: [email protected]

    Simon Topping
    Partner, Financial Services Regulatory Center of Excellence, Asia Pacific (ASPAC) Region
    KPMG China
    T: +852 2826 7283
    E: [email protected]


    CAPITAL MARKETS

    FEATURE

    Governance strategies for managing the data lifecycle: Knowing when to fold versus hold and protect

    Atul Subbiah, KPMG in the US
    Sandeep Kurne, KPMG in the US

    Regulatory risk management is an increasingly critical challenge for financial services firms. While credit and market risk have always featured on senior management's agenda, external regulatory developments are placing greater emphasis on effective risk management frameworks and also increasing the focus on data retention required for compliance. As a consequence, much greater attention now needs to be given to the fundamental data underlying these records and the risk associated with their retention. Experience shows that the quality and integrity of data can by no means be taken for granted. Getting it wrong could become very costly.

    Focus on data governance

    Financial services firms are under mounting pressure to manage regulatory compliance and associated risk more effectively. With the advent of the new Basel III regime, as well as restrictions laid down by national regulators like the Financial Industry Regulatory Authority (FINRA) and the Dodd-Frank Wall Street Reform and Consumer Protection Act in the US, the process of correctly identifying as well as utilizing the right data for controlling risk has become a critical one.

    To comply with regulatory requirements, firms will need to increase their governance in ways which conform to the new compliance requirements, improve the quality of data and optimize accumulation of new risk data. Assessments of risk depend fundamentally on data: data on counterparties, markets and internal operations. Thus far, data quality issues have been low on senior management's priorities. The new emphasis on regulatory risk management means that the governance of reference data utilized for holistic risk calculations has become a critical issue.

    Regulators are focusing more closely on data, management and systems. They understand that management's ability to control the business, and quantify and manage risk, depends on the quality of relevant data available and they are, with some reason, becoming more concerned about the poor standards of data management they are encountering. So while there is a regulatory push for improvement on one side, it is because there is also major potential benefit to be secured on the other side in the form of improved business capability.

    The challenge and the benefits

    The challenge is ever more acute. The volume of relevant data is soaring exponentially and much of this is unstructured and unmanaged. At the same time, retention requirements associated with regulation and litigation are compounding the problem. The potential business benefit from better data governance and management is clear. Firms can achieve improved risk management and reduced data storage costs, as well as a substantial increase in regulatory compliance, with more effective data retention and quality assurance strategies.


    The collection, evaluation and retention of data, in particular records, can be particularly difficult. However, it can be optimized through strategic and effective data lifecycle governance: demonstration of authoritative sources; rational and defensible disposal of redundant and out-of-date data; and improved data quality standards. A successful data lifecycle governance program can help organizations contain costs, retain the right data and address regulatory compliance requirements. Equally important, it can increase the business value of data by providing a sounder platform for decision-making.

    When aggregated across hundreds or thousands of systems, applications and databases, individually small benefits can create significant benefits overall. The main areas of potential benefit include:

    Eliminating redundancy: Very commonly, multiple copies of reference data are held at different points in the organization; copies of transaction data are duplicated in different environments; unrestricted end-user rights result in both duplication and inconsistency. Rationalization of data and applications within an overall data strategy can yield substantial savings: KPMG analysis suggests typical benefits of US$500-1,000 per application server and up to US$10,000 per database. In addition, more effective data governance should yield improved process and reporting accuracy, improved data quality and improved management of support resources and tools, all with clear business benefits.

    Minimizing over-retention: Typically, organizations hold onto data for too long as a result of retention limits not being enforced, overprotective interpretation of legal requirements and over-engineered business assurance systems. Streamlined disposition frameworks, workflow processes and assurance strategies can cut the cost of over-retention dramatically. Analysis by KPMG suggests potential savings in the range of 30-50 percent of storage costs. Collateral business benefits include reduced expenditure in the context of legal action, document discovery and assurance.

    Key requirements

    In order to ensure the accuracy of information provided to internal risk and compliance managers and external regulators, an unerring focus on data quality within the framework of an overall data lifecycle management strategy is critical. The challenge is continuous: new requirements emerge with each new product launch, acquisition or new regulation. So a strategic data lifecycle governance program will help avoid the continuing risks of data corruption and quality failure.


    Key elements of the necessary approach include:

    A pragmatic approach to tackling the challenges and unnecessary costs associated with over-retention, legal holding requirements and duplication. An evaluation of the current data store consumption and the business, legal and regulatory retention requirements can help define quick wins; at the same time, it can help develop a strategic plan for tackling problem areas and maintaining optimal data store utilization in compliance with legal and retention requirements.

    Examining the existing legal, regulatory and business requirements for data alongside the people, process and technology controls in place will allow the identification of gaps in the performance of different functions within the organization. When these gaps are evaluated against future goals, organizations can better define a data lifecycle governance structure and policies for record management.

    Data profiling is a collection of key analytical techniques that allow an organization to evaluate how effectively their core data sources contribute to a sound understanding of the underlying metrics and characteristics of the business. By analyzing the structure and content of separate data collections and comparing their outcomes, profiling can point out anomalies, deviations and variations which might suggest underlying data quality problems.

    Data quality assurance

    Implementing an effective data governance strategy is not a matter of mounting a one-off initiative. Sustainability of data quality assurance requires a collaborative governance program between business and technology with a joint functional concentration on data quality. Sustainability is a key component of the regulatory evaluations of an institution's reference data management framework.

    A data quality assurance system underpins and reinforces the continuing value of a data governance strategy. An appropriate high-level design outline will recognize the following objectives:

    obtaining clarity and consistency on data definitions and data quality
    identifying data ownership (both content owners and distributors)
    highlighting explicit dos and don'ts about the data to be used, its authoritative source and timing
    expressing, resolving, escalating and enforcing priorities based on agreed metrics
    identifying data tools and processes to record and manage issues, action items, decisions and dependencies
    establishing clear communication channels and decision-making processes for early resolution of data quality issues.

    An effective approach involves defining the business rules, attributes, standards and data flows and working in partnership with cross-functional stakeholders including technology, risk, finance, legal and compliance.

    Conclusion

    Regulatory risk management depends critically on the value of the data underlying produced records, its analysis and evaluation. Where data quality is inadequate, risk and compliance management lacks a strong foundation. Regulators are increasingly probing the adequacy of companies' systems for data retention, aggregation and analysis. Responsible oversight by senior management and boards requires that these issues are given appropriate priority.


    Figure 1: Savings and benefits of proper data governance*

    Cost driver: Redundancy
    Characteristics, with the common siloed response to each:
    copies of reference data across disparate environments: application rationalization (savings opportunity: approximately US$500-1,000 per app server)
    copies of transactional data: data rationalization (savings opportunity: approximately US$5,000-10,000 per database)
    data mart sprawl: data strategy
    unrestricted end-user entitlements: enterprise maintained access methods
    Benefits: improved process and reporting accuracy; improved data quality; centralization of support resources; rationalization of tools; simplified data ecosystem

    Cost driver: Over-retention
    Characteristics, with the common siloed response to each:
    unenforced retention limits: disposition framework, contract and process
    slow or non-existent release of legal holds: legal hold workflow process
    over-engineered backup, archive and recovery (BAR) keeping full copies of data for all production systems: BAR strategy
    Savings opportunity: 30-50 percent of storage costs
    Benefits: reduced e-discovery fees; reduced external legal expenses; reduced legal exposure; reduced BAR costs

    Cost driver: Performance
    Characteristics, with the common siloed responses:
    high-performance service-level agreements (SLAs) on historical data that keep all data hot: SLA review; cheap and deep storage tier; archive aware query management
    Benefits: reduced application storage costs

    *Source: KPMG analysis, 2014

    Illustrative successes

    In data governance engagements with clients, KPMG member firms have:

    Defined a sustainable engagement model between technology, legal, business risk and compliance functions.

    Identified over 450 terabytes of duplicate and over-retained data eligible for defensible disposition.

    Achieved an annual run-rate cost reduction of US$2 million and additional storage cost avoidance opportunity of US$20 million.

    Addressed regulatory requirements for operational risk through successfully demonstrating an understanding of data flows and adherence to firms' record-keeping obligations for approximately 35 core systems.

    Developed a predictive financial model to project potential multi-year cost savings for firms' 3,000 plus systems.

    Successfully remediated reference data quality issues related to Foreign Account Tax Compliance Act, account versus party site address and legal entity.

    Provided a holistic view of quality by issue as well as a focused indicator of quality by data element.

    Executed data quality rules in the Informatica Data Quality (IDQ) tool, enabling reuse of queries and rules for periodic measurement and monitoring of quality by rule.

    MORE INFORMATION

    Atul Subbiah
    Principal
    KPMG in the US
    T: +1 212 954 3136
    E: [email protected]

    Sandeep Kurne
    Director
    KPMG in the US
    T: +1 212 872 2197
    E: [email protected]


    BANKING

    Rebuilding and reinforcing risk data infrastructure

    Sascha Chandler, KPMG in Australia
    Marco Lenhardt, KPMG in Germany
    André Lattemann, KPMG in Germany
    Brian Hart, KPMG in the US

    FEATURE


    1 Basel Committee on Banking Supervision (BCBS), Revisions to the Basel II market risk framework, July 2009, BCBS158, www.bis.org/publ/bcbs158.pdf.

    2 Basel Committee on Banking Supervision, Principles for effective risk data aggregation and risk reporting, January 2013, BCBS239, www.bis.org/publ/bcbs239.pdf.


    One of the main features of the financial crisis was that it revealed the inadequacy of banks' risk data systems and processes. This had serious impacts both on management's ability to understand and manage risk and on regulators' attempts to maintain liquidity and limit contagion. Regulators are now seeking to instill more responsible and effective practice. Banks need to review and improve their risk infrastructure. But there are benefits to be obtained which should outweigh the costs.

    Over the years, management systems in banks and other financial services companies have had to cope with increasing regulatory requirements, new corporate structures, new products and operating models. As with other infrastructure, systems for the collection, aggregation and analysis of risk data have typically developed in an incremental fashion, with different modules, incompatible data and a range of ad hoc processes. In many cases, these systems have become so unwieldy and unstable that they are failing in their core purpose. Relevant data is missing or inadequately analyzed, often resulting in the formation of reconciliation industries within the organization as data is passed between a multitude of systems across inconsistent integration mechanisms. The extent to which these reconciliation industries have evolved within organizations is often underestimated and rarely quantified in terms of productivity loss. Risk data is being provided too late to influence the trading and operations which should depend on it. Responsible management and supervision are both compromised while operating costs are inflated unnecessarily.

    Increasing regulatory attention

    Regulators have become increasingly concerned about the implications of these inadequate or misleading risk data systems. Their shortcomings were exposed at the height of the financial crisis when regulators asked for up-to-date assessments of risk and exposures. Many institutions were unable to provide the data required or found themselves coordinating a massive manual and ad hoc intervention to assemble the data demanded of their management teams and regulators. Major market participants could not extract the necessary information quickly enough to understand the location and extent of risks and exposures. This was one major cause of the catastrophic collapse of confidence in the global financial system.

    As a result, regulators are now focusing not only on the results and outcomes of risk figures but also on the machinery and processes behind them. In 2009, the Basel Committee on Banking Supervision (BCBS) issued supplemental Pillar 2 (supervisory review process) guidance designed to enhance banks' ability to identify and manage bank-wide risks;1 and in 2013, the committee published a set of principles to strengthen risk data aggregation capabilities and internal risk reporting practices, along with guidance on their implementation.2

    The principles, which provide qualitative and quantitative measures, cover four key areas:

    The importance of boards and senior management exercising strong governance over a bank's risk data aggregation capabilities, risk reporting practices and IT capabilities.

    The accuracy, integrity, completeness, timeliness and adaptability of aggregated risk data.

    The accuracy, comprehensiveness, clarity, usefulness, frequency and distribution of risk management reports, including to the board and senior management.

    The need for supervisors to review and evaluate a bank's compliance with the first three sets of principles listed above, to take remedial action as necessary and to cooperate across home and host supervisors.


    Key issues

    Where banks have undertaken systematic analysis and testing of their current processes, the results have often been illuminating. In certain cases, it has revealed that compiling a comprehensive group-wide set of risk figures has been taking up to 60 days. The larger and more complex a bank, the more likely it is that risk data is incomplete, inadequate or out-of-date, particularly on an aggregated and global level. Banks may have all of the information, but it's often inefficiently stored, inconsistently formatted, poorly integrated and difficult to interrogate. Senior management should be aware of the risk of flying blind, especially in extreme events, and of taking and implementing decisions in the absence of reliable risk metrics. It is critical, therefore, that financial services firms review the strength and effectiveness of their risk data architecture and systems.

    There are four key issues which need to be addressed:

    Efficiency: Very often, data resides in different silos, owned by different functions (markets, risk control, finance, back-office), all with different attitudes and approaches to data management. With multiple systems and incompatible data, risk professionals spend too much time and effort on data aggregation, reconciliation and analysis and too little time on applying the results to risk management and decision-making.

    Flexibility: It is important to be able to react quickly to market events in terms of preparing scenario analysis and reports which are not in the standard setup. Similarly, the flexibility to react rapidly to regulators' requests for reports and data without a huge amount of manual work is also important.

    Quality: With multiple, discrete systems, the quality of data is degraded by incompatible definitions, inconsistency, incompleteness and duplication. Very often, efforts in data cleansing are only partially successful. With poor quality data, the effectiveness of risk management can be seriously compromised.

    Ownership: Too often, ownership of risk data is shuffled uneasily between the control function and the IT function, with senior management taking little direct responsibility. Without a clear structure of governance and ownership there is no accountability and no prime commitment to quality.

    Figure: Four issues banks need to consider when reviewing their risk data architecture and systems: efficiency, quality, ownership and flexibility.


    © 2014 KPMG International Cooperative ("KPMG International"). KPMG International provides no client services and is a Swiss entity with which the independent member firms of the KPMG network are affiliated.


    Improvements and benefits

    This review of common problems naturally also suggests the scope for improvement and the value that can be obtained from effective risk data aggregation, storage and analysis. The ability to consolidate and synchronize all relevant risk data can lay the foundation for a more overarching and consistent analysis, enabling better business management, better risk management and optimized operating models. Leading banks appreciate the potential benefits and are working to strengthen the contribution of effective risk management to business judgment and corporate strategy.

    High-quality and quality-assured risk data should lead to improved decision-making, greater confidence and more stable strategy. With greater confidence in data validity, risk IT architecture can be streamlined, leading to efficiencies in both routine operations and in maintenance and development. In turn, these benefits offer improved ability to respond quickly and effectively to changes in corporate strategy, operating environment or, indeed, regulatory demands. If regulators have greater confidence in a bank's risk data and the aggregation machinery underlying it, the whole regulatory compliance system can become simpler and less challenging.

    Improved data aggregation can bring direct economic benefits and reduced capital requirements. Currently, for example, a significant proportion of a bank's collateral contracts are ineffectively captured and so cannot contribute to risk-weighted capital calculations. More comprehensive and accurate data aggregation methodology can bring this into the equation.

    Systems for transmitting and reporting risk data need to be built into any improved data aggregation framework since its value is dependent on the ease and timeliness with which senior management can take the results into account. The same argument applies to communication with regulators, who will value rapid and accurate regular reporting as well as a speedy response to ad hoc requirements.

    Achieving the benefits requires moves towards greater standardization, common data models, integrated systems and, in some circumstances, consolidated data warehouses. These initiatives need to be defined and implemented in ways which balance costs and potential benefits. But since the results should include increased confidence, reduced potential for loss, efficiency gains and increased profits, significant effort and expenditure can often be worthwhile.

    Conclusion

    Risk data aggregation and reporting are too important to be left to the risk function or, more seriously, IT professionals. Regulators are demanding better performance, but equally, senior executives and boards will derive significant benefits from improving their risk infrastructure and processes. However, this is not a simple or straightforward challenge. Success requires fundamental changes in the way core functions operate, with significant potential consequences for organization and processes. Inevitably, this can be expensive. However, effective renovation of the risk IT infrastructure is a strategic investment which not only satisfies regulatory demands, but also leads to competitive advantage.

    Responsible governance, therefore, requires that these issues are given appropriate strategic attention at the highest levels.


    Figure: High-quality and quality-assured risk data leads to improved decision-making, greater confidence and stable strategy. As a result, risk IT infrastructure becomes streamlined and leads to a quicker response to changes in corporate strategy, operating environment and regulatory demands.

    MORE INFORMATION

    Sascha Chandler, Director Financial Risk Management, KPMG in Australia. T: +61 2 9455 9596

    Marco Lenhardt, Partner, KPMG in Germany. T: +49 69 9587-3403

    André Lattemann, Senior Manager, KPMG in Germany. T: +49 69 9587 3988

    Brian J. Hart, Principal, KPMG in the US. T: +1 212 954 3093


    INVESTMENT MANAGEMENT AND BANKING

    Seeing is believing: Visual Analytics and making sense of data

    Dai Duong, KPMG in the UK

    Spencer Marley, KPMG in the UK

    Financial organizations face ever-increasing demands on performance against a background of constant change. Effective responses depend more and more on the capacity for deep and rapid understanding of business operations and performance. Traditional information systems can sometimes suffer under the strain of a rapidly changing environment. However, new technologies can now deliver radically improved results.

    Everyone involved in the financial services industry is aware of the rapid and increasing pace of change affecting all aspects of the business environment. Of course, there are major regulatory changes which have just been implemented. But there are also significant and continuous changes, both strategic and operational, following industry restructuring, new business models and the attempt to recover stability in a post-crisis world.

    Understanding the needs

    All of these changes place a premium on agility: the ability to respond rapidly and effectively to an unpredictable environment. Businesses can only act by having a more responsive and detailed understanding of the business. Information on costs and margins is needed at a much more granular level. The need to manage risk better in an environment where change happens rapidly also calls for more accurate and timely data.

    Current management information systems often fail to measure up to the challenge. They do not aggregate the right data at the right level quickly enough. Furthermore, they are ineffective at gathering and reconciling data from multiple sources. As finance, operations and risk functions all have separate data systems, forming a coherent overview between systems is often impossible.

    Rapid and accurate data collection is only part of the challenge, however. Ensuring its accessibility in real time to the relevant decision-makers is also critical. Many senior users of management information spend substantial periods of time away from their desks, either traveling or in meetings. Global companies operate across many different time zones. Solutions that offer constant mobile access to crucial data are essential.

    To meet the challenge, companies need robust, flexible solutions that can be rapidly deployed in a matter of weeks or months, not years. An agile solution needs an agile approach to understand the underlying business issues. This requires locating relevant data and creating a data model, preparing analytics and dashboards and facilitating sharing and collaboration across the organization.

    Understanding the technology

    While there are many existing technologies that seem to deliver business insights, few are agile in nature. The problem is threefold. First, data is not usually accurate, timely or relevant


    enough. Traditionally, finance, operations and risk functions have all had separate data systems, which make having a coherent overview of the business difficult to achieve. Senior executives need to have available reliable information on what happened yesterday and not that from 2 months ago. Second, even if real-time data is available, users are not able to view the data in a form and at a level of detail that they require. Financial institutions typically collect key operating data in massive bespoke management information systems that generate static reports based on a fixed schedule. This means businesses need to spend more time conducting further analyses, which slows down their response. Consequently, they may not receive the insight they need to respond effectively. Finally, even if such technology is available, it usually takes too long to implement. Before going live, the technology may already be irrelevant. Given the rate and magnitude of changes in the financial services industry, companies need agile data, technology and implementation.

    In recent years, however, major advances in computing power and software development have made a number of helpful products commercially available. These products simplify and streamline the task of extracting management data and build on this data to create insightful and timely information and reports. Products such as QlikView [1], Tableau [2], a Microsoft business intelligence stack [3] and TIBCO Spotfire [4] are revolutionizing how companies can aggregate, analyze and report their financial and operating data.

    So how do these products work? They work by adding an analytical and visual overlay on top of existing systems. With these products, agile data is now available, as many disparate data sources can be linked across the firm to present a single version of the truth. Agile technology is now available as large volumes of information can be stored into local memory so that users can conduct rapid analysis on a preloaded set of data. Doing so using an intuitive visual front-end means anyone in the business can ask any question they have whenever they want and get relevant answers. Agile implementation is now available since dashboards created by these products build on, rather than replace, current systems. Implementation can happen in weeks and months rather than the years it would take to develop a completely new management information infrastructure. These solutions are also scalable and can be implemented in shorter time phases if necessary. These tools can be used as an end-to-end solution for businesses that are willing to invest in such technology or as a prototype for others that would like to try these products out.

    The potential benefits

    Not only are these kinds of solutions cost-effective to implement, but they save money on a continuing basis. They can dramatically decrease the time and effort spent on aggregating, reconciling and cleaning data from disparate sources. With a single real-time view of the truth, there is no need for debate about which numbers are valid. Management can then focus on genuinely valuable analysis instead. In delivering insightful analysis rapidly to key decision-makers, wherever they are, these tools help improve business performance.

    At KPMG member firms, we have leveraged such technology and applied visual analytics both in our own internal operations and in delivering effective solutions to client requirements.

    In effect, rapid development can be achieved with pre-built modules that can be deployed with limited customization; many tools can be largely re-used as-is as building blocks for bespoke solutions; modular development supports remixing and reassembly to meet changing needs over time.

    Characteristic Visual Analytics applications have included:

    An investment management dashboard, which allows users to view overall assets under management and readily slice and dice by asset class, region, fund type and currency; at a click, analysis can drill down to fund level, client portfolio or fund manager performance.

    A banking workforce analytics dashboard, which looks holistically across all workforce data (cost, capability, compliance, talent and engagement) as part of a program to improve financial performance, customer experience, risk and employee engagement. Now banks can manage their workforce to enhance employee engagement and customer experience while maximizing the financial performance of the business.

    A management information tool, which allows users to view the performance of a business at various levels by teams, functions and across organization; this is linked directly to multiple data sources and is accessible by thousands of users for better decision making. Now, management can easily ask and answer their own questions using iPads in board meetings, without delays or reliance upon a finance team to produce reams of static portable document format (PDF) reports.

    These new business discovery tools allow senior executives faster access to the important data underlying business performance presented in a genuinely insightful manner. The ability to recast information instantly from different perspectives can reveal surprising and original insights, allowing the organization not only to respond to rapidly changing demands but also to identify opportunities for step-change improvements in performance. With insight and industry experience, these tools can deliver dramatic impact for the business relative to both effort and cost.

    Visual Analytics put visual information into the hands of key users, bringing together various data sources intuitively to create reports and dashboards. A single graphic can tell a story that may otherwise be embedded in a complex spreadsheet.


    MORE INFORMATION

    Dai Duong, Director, KPMG in the UK. T: +44 20 7311 6332

    Spencer Marley, Senior Manager, KPMG in the UK. T: +44 20 7311 5862

    [1] Qliktech International AB, http://www.qlik.com/
    [2] Tableau Software Inc, http://www.tableausoftware.com/
    [3] Microsoft Corporation, http://www.microsoft.com/en-us/default.aspx
    [4] TIBCO Software Inc, http://www.tibco.com/


    BANKING

    Technology and payments: Beyond the hype?

    Georges Pigeon, KPMG in Canada

    Tim Johnson, KPMG in the US

    Jeremy Welch, KPMG in the UK

    There is tremendous activity at the moment in the payments sector driven by advances in communications and associated technology. Financial services companies, payments companies and new entrants alike are making major investments, launching innovative new initiatives and jostling for leadership in what is a rapidly changing market. However, it is far from clear that anyone has identified a winning proposition that will be able to dominate the market. Providing real benefit to the consumer will be key to widespread adoption of new platforms.


    Payment services have historically been a relatively stable sector of the financial services industry; at best, they are an afterthought. Significant developments and progressive changes in the background and in back-office systems have been implemented in recent years; yet, there have been few really great leaps forward with a major impact on the consumer experience since payment cards (charge cards, credit cards, payment cards) began to supplant checks and become an alternative to cash 50 years ago. However, all that looks set to change.

    The last 2 years have seen a growing number of initiatives in the payments sector, especially in mobile payments technology. The range and variety of current developments is extensive and potentially quite confusing. What is less certain is which, if any, of this multitude of initiatives will have the potential to penetrate mass markets and truly transform consumer behavior.

    Drivers of change

    There are drivers of change from many directions:

    Consumers have been progressively moving away from the use of cash for decades. In advanced consumer societies in North America, Western Europe/Scandinavia and Asia, the use of checks has dwindled in favor of payment cards of various types. Payment by cash is now largely restricted to small value retail purchases. Even here, the indications are that consumers would embrace simple-to-use, reliable, cash-free payments methods with alacrity.

    Merchants who use point-of-sale card terminals typically pay fees of 2-5 percent of gross sales value to credit card companies and acquirers for credit card use and a lower rate for debit card acceptance. Their judgment is that this is, at present, a necessary cost to bear in order to allow customers to pay them without incurring the additional inconvenience of cash. From the merchants' point of view, card acceptance has some advantages in reducing cash needs and the risks of crime, but 2-5 percent is a high cost to bear. The pressure exerted by Congress via the Dodd-Frank Act and the remit of the Commodity Futures Trading Commission to oversee a reduction in interchange and the cost of loyalty cards has triggered a shift in this market. There is no doubt that cheaper payment alternatives would find a widespread market.

    Small traders and craftsmen, for example in the building trades, domestic services and those operating without a fixed home base, have historically had few options for efficiently and cost effectively receiving payment beyond cash or checks, each of which has significant drawbacks. There is massive pent-up demand here for more efficient, streamlined and low-cost systems that provide reconciliation data that can be integrated into their accounting software back to small businesses around the collection of funds. Tax authorities would also probably favor more traceable payment mechanisms from the perspective of reducing tax evasion.

    Recognizing these pull factors and faced with the threat of disintermediation by new technology-based start-ups that ignore the wider banking relationship, banks and other financial services companies see both major opportunity in introducing innovative payment systems to satisfy the latent demand and a clear threat if they don't innovate to serve a sizeable and lucrative small and medium enterprises market.

    Card companies, perhaps the market participants most threatened by transformational payments technologies, have stronger interests than many in controlling the direction of innovation. Payment networks, card-issuing companies, payment processing companies and banks all face differing challenges and some may be more exposed than others.

    Given the potential for substantial market disruption, there are obvious attractions to many classes of new entrants who might be able to develop a winning proposition.

    One of the major enablers is technology. Two areas have proved especially significant. The first is near field communication (NFC). Earlier radio frequency identification (RFID) allowed enabled devices to operate as contactless payment methods. Contactless smart cards have been in use in many parts of the world for over a decade. However, in some markets, adoption was initially limited by unreliability and by the need for significant capital investment by retailers. NFC extends the technology by allowing higher capacity two-way communication between devices. These can function as contactless payment systems as before, but can also form the basis for more advanced and reliable systems.

    The second key enabler is the platform of advanced technologies now available in smartphones, tablets, other portable devices and mobile communications. Apart from enabling remote communication with banks, card companies, supplier bases, etc., global positioning (GPS) technologies can locate consumers accurately and push much more relevant data and information to them. Together, NFC and mobile technologies provide the foundation for significant further advances in payments systems, which are attracting attention and investment from many directions. Hardly a month passes without a new product or platform announcement, a new industry partnership or a new entrant promising a radically new approach.

    Recent developments

    Some key recent developments include:

    Barclays Pingit allows holders of any current account in the UK to transfer and receive money using any Android or iOS device. Small business operators and traders can use Pingit to get paid instantly by customers. Consumers can transfer cash between friends and family members, split bills in restaurants and so on. Pingit uses the UK's Faster Payments Service, introduced to radically reduce transfer and clearing delays, so payments are effectively instantaneous as well as free. Barclays also hopes to attract new customers for its wider banking services.

    New entrants such as Moven (from Movencorp Inc. in the US) and Ontrees are also competing directly with the banks by offering a combination of mobile banking and payments services via smartphone. Ontrees integrates data from customer bank accounts and purchase transactions,


    allowing a variety of analyses, services and presentations of financial information. Moven offers comparable benefits, combined with a payment infrastructure based on both debit card and RFID.

    Point-of-sale is traditionally the world of credit and debit card companies and acquirers. A number of retailers are introducing or have introduced new payment options based on mobile phone apps and NFC, including Starbucks in the US and Canada. In the UK, MasterCard recently announced a partnership with Weve (owned by Vodafone, Everything Everywhere (EE) and Telefónica UK (O2)) to develop a comprehensive contactless mobile payments system. However, the introduction of contactless NFC terminals has not been problem-free and there have been complaints over reliability and security.

    Zapp: Also in the UK, VocaLink, which already operates Link, one of the largest ATM networks, and provides the infrastructure for clearing services for credit transfers and Direct Debit, is launching Zapp, which will allow retail customers to pay for purchases via a mobile application loaded on their smartphones.

    Systems targeted at small businesses and sole entrepreneurs include Square Register from Square, Inc [1] in North America and iZettle, a Swedish company currently operating in a number of European and Latin American territories. Both solutions involve extending the range of existing payment card technology with the use of a card reader; this plugs into the audio jack of a smartphone and allows it to read either the magnetic stripe or the chip on the payment card and communicate with a payment provider. In 2013, iZettle formed a partnership with Santander. Intuit, who market the QuickBooks accounts software for small businesses in the UK, and PayPal, eBay's global payments services provider, have both introduced similar services.

    eBay acquisition of Braintree: In September 2013, eBay acquired the payments provider Braintree, whose Venmo app supports payments by tablet and smartphone, for US$800 million. Braintree will operate within eBay's PayPal business, strengthening its capability in mobile systems. At the same time, the acquisition eliminates a rapidly growing competitor. As PayPal continues to explore NFC, the company is developing a virtual wallet and the ability to support peer-to-pe