Data, money, and regulation

The innovation dilemma

By Cornelia Lévy-Bencheton
January 5, 2016
(source: O'Reilly Media)


Big Data and the data science revolution have spawned new technologies and analytical approaches—descriptive, predictive, and prescriptive—that can change the course of banking.

We now have technologies that let us make sense out of large volumes of data, structured and unstructured, even in real time, that allow integration from multiple, disparate sources to create a complete view of the business, a customer, a product, or an account. Ubiquitous computing and the digital age have ushered in progress that has not only enabled us to build things better and faster for less money but have transformed the way we live and work so that we can live and work better.

Learn faster. Dig deeper. See farther.

Join the O'Reilly online learning platform. Get a free trial today and find answers on the fly, or master something new and useful.

Learn more

One wonders why the banking sector doesn’t seem to catch on. Or catch up. Rather, this industry continues to struggle with issues of business efficiency, reliability, and modernization. On the first page front and center of banking activity we continue to read news of rules, regulations, and reform. Rarely do we hear about invention, brilliance, or transformation.

In this report, we look behind the scenes of banking industry megatrends and discuss the following:

  • Why banks need to create a data-driven culture and leverage big data technologies and data science matching the customer experience delivered elsewhere.
  • How staying competitive is a challenge that must be addressed through innovation within and through FINTECH, startups, and accelerators without.
  • Why, with disruption and disintermediation rampant, spending that emphasizes compliance rather than technology is chronic and regressive.

Through studying the three landmark banking laws of this, our 21st Century—Sarbanes-Oxley, Dodd-Frank, and Basel III—we pick out ways these regulations are working for and/or against the public they purport to serve. In a well-meaning attempt to correct problems, have these reforms taken the industry away from a path of renovation and renewal?

Have regulators put the industry into a straitjacket that impedes innovation and hijacks the financial sector into endless bouts of rulemaking and report filing? Has regulatory overreach killed opportunity? If the regulators have missed the mark, how does the industry find needed refreshment? Conversely, are bankers missing an opportunity to build value on the data they are now required to gather? Where we go from here is the key question.

Big Money, Greed, and Risk Taking

Since the Enlightenment, banking has been one of the pillars of society. It is the basis for trade and commerce. Consumers look to banks to provide both the borrowing and investment options to help them plan for their future, budget their spending, and achieve other important life goals. Businesses rely on banks for investment capital to start and grow. However, recent events have cast banking in a poor light—as an industry trying to exploit consumers rather than help them.

In today’s popular culture, banking and bankers have a bad name and a tarnished image that creates a rationale to keep them in check. Nowhere is this attitude better represented than in the remarks of Gordon Gekko, played by Michael Douglas in the 1987 film Wall Street directed by Oliver Stone, where Gekko asserts: “…greed, for lack of a better word, is good. Greed is right, greed works. Greed clarifies, cuts through, and captures the essence of the evolutionary spirit.

Reinforcing the deadly sin of greed is the evil of reckless gambling evident in the scandal-filled blockbuster hit The Wolf of Wall Street, a 2013 film directed by Martin Scorsese. Jordon Belfort’s (Leonardo DiCaprio) hedonistic lifestyle leads him to make a huge fortune defrauding investors and making rash, illegal investments.

Tension has always accompanied large sums of money. Even during the early days of commercial lending in the Italian Renaissance, there was tension. Back then, the Catholic Church forbade lending. People were asking questions like: Are bankers the devils? Why are their bonuses so big? Are they making illegitimate profits or are they just good folks doing a job?

Back then, bankers found a path to redemption. Clever Florentine merchants got around the restrictions of the Church and turned the city into a buzzing laboratory of thriving international trade, creating a legacy of new vocabulary and inventing a panoply of new financial instruments—and bankrolling the Italian Renaissance to boot.

We are not asking today’s bankers to finance a new renaissance. However, we wonder if today’s regulators—in the belief that greed and unscrupulous risk taking are the foundation of our recent financial crises—aren’t clamping down too hard on the industry to the detriment of consumers and to the industry’s ability to regenerate and transform itself.

Regulation Nation

SOX: The Importance of Accounting

And regulation there is. While death and taxes may be the only certain truths, if you work in the financial services sector, there is another truth to contend with: the inevitability of rules, regulations, and red tape. (And if you happen to be too big to fail, you may escape death and taxes, but most certainly not regulation.)

Even during the period of “deregulation” in the ‘90s, there had been regulation. The ground rules of our current financial system were put in place after the Great Depression with the formation of the Securities and Exchange Commission of 1934 and the U.S. Banking Act of 1933, commonly referred to as the Glass-Steagall Act. These remained in place until 1999 when, under pressure from lobbyists, Congress tore down the structural wall separating banking from securities and repealed Glass-Steagall through passage of the Financial Modernization Act (known as Gramm-Leach-Bliley). It was the era of the dot-coms, when enthusiastic expansion everywhere else made creation of powerful megabanks seem like a good thing to do.

The bubble burst when high-profile scandals at Enron, WorldCom, Tyco, Global Crossing, and ImClone ignited public outrage because of financial losses. Enter the landmark Sarbanes-Oxley Act of 2002. Anyone working in financial services remembers the endless internal meetings for SOX Compliance not only impacting the financial side of business but IT departments as well, charged as we all were with accounting for and storing a corporation’s electronic records (they must be stored for five years) such that they can be tracked and produced for audit. The industry experienced a vast overhaul of its procedures for documentation and internal controls and arrived at a collective understanding of the investment needed for systems and records. The public needed reassurance that the situation was under control, that white collar crime would be punished, and so government regulators and corporate governance practitioners stepped in to put an end to duplicitous corporate and accounting practices, fraud and corruption, ensure justice for wrongdoers, and protect the interests of workers and shareholders. SOX was intended to set things right once and for all.

When President George W. Bush signed H.R. 3763 (SOX) into law in 2002, he stated that it included: “the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt. The era of low standards and false profits is over; no boardroom in America is above or beyond the law.”

And yet 2008 happened.

Dodd-Frank: The Birth of an Industry Within

As the ink is drying on the causes and history of the financial crisis of 2008, several competing narratives of fault have emerged. The general consensus is that declining prices in the housing market, coupled with a reset of adjustable rate mortgages, triggered loan defaults. The resulting loss of liquidity in the financial markets fueled widespread losses, failures, extensive layoffs, and displaced personnel. There were many foreclosures and bankruptcies. Panic ensued. Financial instruments like mortgage-backed securities fell sharply in value. Other assets, like credit default swaps, which were packaged and sold on the secondary markets, infiltrated the entire worldwide financial system, contaminating it with toxic values, everything being interconnected as it is. When iconic names like Bear Sterns and Lehman Brothers disappeared, we seemed headed toward systemic collapse. The public had not seen or experienced such turmoil in the financial markets since the Great Depression, and there were calls for reform and more regulation to which regulators responded with various emergency measures.

Rightly so.

The Dodd-Frank Wall Street Reform and Consumer Protection Act, or Dodd-Frank, signed into federal law by President Barack Obama in 2010 is the joint response of financial and government regulators to the 2008 crisis. It is the biggest, most comprehensive piece of legislation enacted since the U.S. Banking Act of 1933 and the Great Depression. Named for the then Senate Banking Committee Chairman, Chris Dodd, and the House Financial Services Committee Chairman, Barney Frank, the act made changes in the American regulatory environment that affect all federal regulatory agencies and almost every part of the nation’s financial services industry. Its stated aim included promoting the country’s financial stability, improving accountability and transparency, and ending “too big to fail.” In signing the legislation, President Obama stated:

“For years, our financial sector was governed by antiquated and poorly enforced rules that allowed some to game the system and take risks that endangered the entire economy….Soon after taking office, I proposed a set of reforms to empower consumers and investors, to bring the shadowy deals that caused this crisis into the light of day, and to put a stop to taxpayer bailouts once and for all. Today, those reforms will become the law of the land.”

As with most financial reforms, SOX included, critics attacked the law, some arguing it was not enough to prevent another financial crisis and others arguing that it went too far in unduly restricting financial institutions. And of course, we should not forget special interest groups that happily jump into the legislative feeding frenzy to influence outcomes when there are regulations about to be made.

Reenter greed and gambling. While it is convenient to blame these human foibles for the woes of 2008, a competing narrative would argue that the government had been deeply involved in the entire intricate spaghetti system all along. In Hidden in Plain Sight, published earlier this year, Peter J. Wallison makes the case for risky loans made by Fannie Mae and Freddie Mac as being a major factor leading to the crisis. Another point of view is that federal involvement is even more insidious and extends back to the Community Reinvestment Act in 1977 with President Carter and the National Partners in Home Ownership, starting in 1994 under President Clinton. A lawsuit brought by S&P (the ratings agency itself not without blame in the tangled affair) even suggests that existing laws, properly enforced, could have dealt with the 2008 crisis. Others purport that Dodd-Frank has not only served to slow the recovery from the recession but also doesn’t even address the issues that provided the excuse for its creation.

One unintended consequence of Dodd-Frank is the greater preponderance of bank compliance officers throughout the industry. Along with massive layoffs in the banking industry, Dodd-Frank created an entire new industry within an industry around compliance. One seasoned banking and compliance consultant, who asked that quotes not be attributed by name in this highly regulated, privacy-conscious industry, repeated a common observation that “If 10,000 bankers were fired, there were 10,000 compliance officers hired.”

Deborah Kaye, an attorney at The Cadwalader Cabinet, with 30 years of experience in banking and compliance, explains how an entire “cottage industry of specialized compliance officers has grown up around the Volker Rule,” which prohibits banks from proprietary trading and restricts investments in hedge funds.

In a recent article in the American Banker, “Why Volcker Rule Compliance Is a Fool’s Errand,” Maya Rodriguez Valladares, a well-known compliance specialist, explains her point of view that the Volker Rule is impossible for banks to comply with in a timely and accurate way given its complexity:

“I have discussed the rule at length with a wide range of information technology professionals, auditors, compliance officers, and risk managers at banks, along with regulators and lawyers who are all involved in implementation of the rule or its enforcement. Unfortunately, nine months of hearing their first-hand accounts has further convinced me of the insurmountable difficulties of complying with and enforcing this rule.”

Basel III—Slowly Shifting to a Data Mindset

The third piece of 21st Century financial legislation impacting the health and safety of our financial system is Basel III, itself part of a trilogy of banking agreements developed by the Bank of International Settlements in Basel, Switzerland (Basel I dates to 1988 and Basel II to 2004). Basel III, agreed upon in 2010–2011, is significant because it introduces a global framework into bank capital adequacy, stress testing, and market liquidity risk and was developed as a result of the 2008 worldwide financial crisis. Basel III principles apply to SIBs (“Systemically Important Banks”) and to SIFIs (“Systemically Important Financial Institutions”), those whose activities impact the global banking system, of which there are currently about 30 banks participating on a voluntary basis (and many other banks which have also incorporated Basel principles into their regulatory framework).

For purposes of an update here, we refer to the results of a recent Basel Committee survey on Progress in Adopting the Principles for Effective Risk Data Aggregation and Risk Reporting completed in January 2015 by the Basel Committee on Banking Supervision.

The following figure summarizes expected progress toward the January 2016 deadline to implement the recommendations of the Committee, mainly with respect to capital ratio requirements and asset and liability management:

Regulators have identified data as a priority, in keeping with trends across industries. In interpreting the previous figure, a key element is the average rating trend line (in purple) for the Basel Principles where scores range from 2.43 to 3.33. What is particularly striking is the lowest score for Principe 2 (P2), or “Data Architecture and IT Infrastructure,” which Basel defines as “data taxonomies, adequate controls through the lifecycle of data and overall assessment and expected date of completion.” P2 was deemed an essential requirement for the completed schedule due in January of 2016 for all banks. Meantime, and remarkably, P2 has the lowest score of all.

Here we have the basic building block of regulatory reporting and stress testing—financial data itself—appearing as the weakest score in the compliance report card.  How can the public (or even the regulators) feel confident if data is not accurate, timely, pristine, and complete? Doesn’t this compromise the integrity of these reports? How can they calculate important stress metrics such as expected losses, loss severities, liquidity, net income, and regulatory capital without good data? Not to mention understanding customer data and targeting their needs.

Relationships between regulators, banks, and consumers appear to be a choke point with the juggling of competing and conflicting imperatives in a catch-22. Later in the same survey, the banks were asked to evaluate their readiness to address another crisis. They all provided assurance that they would be able to do so. And their responses were accepted.

Readiness: A Jerry-Rigged, Patchwork Operation

Not ready. Arriving at the threshold of the 21st Century, the financial services industry was a jerry-rigged patchwork of inelegant, kludged systems and incompatible, outdated technologies seriously needing overhaul. And it still is. Between 1980 and today, the number of FDIC-insured commercial banks has declined from over 15,000 to about 5,800. The fact of bank consolidations and mergers is significant and very relevant to this conversation. To a great extent, we are in the state we are in because of inability to keep pace and aggregate merger activity with the skills and technologies available.

Deutsche Bank provides an unfortunate but not atypical example. Barry Elias in an article in NewsmaxFinance last year described Deutsche (which is a SIFI) as a microcosm of our global financial woes. In 2010, the firm launched STRIDE (the Strategic Reporting and Information Delivering System), designed to consolidate more than 1,000 information technology systems into one—an attempt to enhance the reliability of its financial reporting, but, per the Feds and Mr. Elias, “Despite this effort, the Federal Reserve Bank of New York has concluded Deutsche Bank’s operations management systems remain unsatisfactory, and the goals of STRIDE have not adequately addressed the issues of concern, including oversight, auditing, reporting, and technology.”

Not only are multiple disparate and incompatible bank systems not “in compliance,” they often do not facilitate communication between the front, the back, and the middle office and are not in sync with each other. Layered over that, there are manual processes. Flawed data systems are crippling not just compliance but business efficiency at Deutsche.

Big data has not yet joined the conversation. Data that is dark and dirty is also dangerous. It is the geological fault line for financial catastrophe, not to mention steep fines and possible imprisonment. While data is the least common denominator and building block for the reports that regulators require, bad data is dangerous because of the cascading ripple effect that wrong or missing data can have as it gushes through the system. There are traders who still input data by hand into Excel spreadsheets and then email the spreadsheets around between and among departments and sometimes around the globe for further manipulation. There is little wonder that risk managers and IT professionals are challenged to report the processes for collecting data, calculating ratios, and defining inputs for reports.

Another senior regulatory and compliance specialist, who also asked not to be quoted by name, describes this problematic situation:

“Better numbers, better data and data collection are definitely needed. For example, I still see corporate names that were merged out of existence years ago. When a merger happens, sometimes there is not enough time or resources to standardize data so everything is thrown into a table to be dealt with later. For example, you’ll still see multiple names for the same entity. A new person might not know that City Bank, City Bank of New York, First National City Bank, Citi NA, Citibank, Citi North America and Citigroup all refer to the same entity. And then there are all the subsidiaries to reconcile.”

In addition to data mapping, there are also issues around process:

“With resource constraints due to cost-cutting measures, there is barely enough time to complete reports in the first place let alone automate them or even document the processes. Consider manual processes and workarounds and what happens to a report due to the regulators when certain discrete calculations, done by hand/excel, are incomplete or wrong or missing altogether because the person doing the calculations is out on vacation.”

In summary, “to be compliant, banks need to know first and foremost, which regs require their response.” But there are issues with the regulators as well. Deborah Kaye, at The Cadwalader Cabinet, elaborates:

“It’s important to keep track of the details. The back end keeps everything moving.” She further explains. “The regulators struggled to understand during the crisis—on a real time basis—how the back end fit with the front end, and had to do this on a real time basis, which is always difficult to do for all involved. Many of them came from academic or straight regulatory backgrounds, but they worked closely with industry to understand what information was capable of being produced and what was not. Understanding from a technological point of view what is on a ‘wish list’ vs. what is capable of being produced and in what time frames is a key component to effective regulation for all constituents. Everyone has come a long way.”

The Light Side of the Moon

If the devil is in the details, we are in hell. Banks are facing the four Vs of big data (Volume, Variety, Velocity, and Veracity) with their associated costs and resources. The regulators have insisted on more data—and more detailed data at that—with more scenarios along with greater reporting frequency. As Deenar Toraskar, a well-recognized technical expert in market risk and big data solutions architecture, and a principal at Think Reactive, explains:

“A few years ago banks did stress testing once or twice a year on a one or two stress scenarios basis. These days the regulators mandate weekly stress testing on numerous scenarios. In addition, calculations have to be made for the entire portfolio of the bank not just that particular trading desk.”

With increased regulation, focus and business emphasis has changed. “Banks have exited some businesses altogether (those with a high cost of capital, e.g., proprietary trading, securitization, and increasingly commodities,” says Deenar, “while the need to invest substantially in risk management systems has increased.” It’s easy to see a new focus of resources and how market risk and risk management have moved from “a back-office function to a corner office function. Risk management was traditionally relegated to the middle or back office—analyzed between the closing and opening bell. Risk was a night-time operation—an afterthought—post-trading, post-execution, and secondary to performance.” All that has changed.

The regulators have found a nifty way around being transparent and accountable so that they are neither. Rules are rarely—if ever—specific. The way this works is that the regulators issue proposed rules and ask for comments during a predetermined period. As Deborah Kaye points out:

“In prior times, meetings with regulators regarding proposals were not all public, and there was frequently a dialogue that occurred in a more conversational situation. This was criticized as being too cozy, but as a participant from those conversations, the questions and answers were typically quite candid across both sides of the table. So they are now “on the record” to avoid any suspicions of impropriety, which can sometimes feel chilling, depending on the rule, the environment in which it is being proposed, and other factors.”

When “rules” are issued, they are issued as “guidance” relieving anyone from the burden of blame should anything go “wrong” but also not providing the specifics for efficient implementation. This naturally slows down work at all levels. All the power is left up to the regulators’ discretion about when and what and if to enforce any of the guidance.

Then there is the matter of cost. Resources are scarce: time, money, and human capital. The effort to understand and comply with these regulations is simply staggering. And no one wants to make a mistake that could result in penalties. A seasoned banking and compliance consultant explains the dilemma: “It’s all about risk and reward and the efficient frontier in banking. To make higher returns, to make a competitive profit, you have to take risks. When you take a risk, that’s when the system rewards; the greater the risk, the higher the reward. In trying to manage the risk out of the banking business, the regulators have also curtailed rewards very significantly.” And that is one of the reasons why there is less and less loan activity. “Making loans means taking risks that have, in many cases, simply become too risky for banks under current rules and risk based capital charges.” Risks are simply too risky.

The neatest attempt to sum up the costs involved in compliance implementation is in the Dodd-Frank Burden Tracker (see below for the latest version in 2015, in contrast to when this writer worked on it in 2012).

Table 1-1. The Dodd-Frank Burden Tracker1
The Dodd-Frank Act of 2010 mandated 400 rules and involved numerous federal agencies and created new ones: Dodd Frank + 2: in 2012 Dodd-Frank + 5: in 2015
Number of rules written: 185 224
Number of pages consumed: 5,320 7,365
Hours2 every year for private sector job-creators to comply with number of rules written: 24,035,801 24,180,856

If the Panama Canal took 20 million man hours to build and, with about half of it written as of 2015, Dodd-Frank already takes over 24 million man hours every year to implement, what is the likelihood that when fully implemented it will have any relevance at all? Of course, by then—if it is not repealed in the meantime—what is the opportunity cost of having an industry spending time interpreting the intentions of regulators and stalled in such a quagmire?

No contest about the need for regulation. But implementation has left a lot to be desired. Shouldn’t the top priority be an emphasis on better data, better hygiene, and collection procedures? This would seem fundamental for reliable information, report building, and mandated stress tests. Bad data itself is an operational risk, one of those risks the banks are trying to manage (market risk, interest rate risk, default risk, event risk, et al). Otherwise, we are looking at a house of cards.

Fast forward. The digital revolution is maturing and time is passing the industry by in its current form. These regulations have gone too far. They are reactive, not proactive, punitive and coercive rather than supportive or corrective, and static, not dynamic. Enacted in the present for a transgression that occurred in the past, they are focused in the past and not forward looking. It is impossible for them to keep pace with simultaneously changing consumer needs and preferences, or progressing technologies.

What we should be worried about is how to leverage emerging digital business models, modernizing traditional channels and modeling what is happening in other industries. That is what will help us leapfrog over legacy systems, siloed business units, and compartmentalized thinking to progress into the modern era. There are new business challenges and opportunities facing the industry. And new data that needs to be integrated into existing information sets to make banking organizations more agile and effective if they are to stand a prayer of staying relevant.

1Created by the U.S. House of Representatives to help the public keep track of the new government red tape involved with Dodd-Frank Act:

2Representative Randy Neugebauer offered: “It will take over 24 million man hours to comply with Dodd-Frank rules per year. It took only 20 million to build the Panama Canal.”

Post topics: Data Fintech