Tuesday, June 21, 2011

Automating processes

Automating processes for the benefit of compliance is a difficult sell in most organizations.
It costs money and compliance is not a revenue area. Compliance often finds
itself looking to risk management reports generated for different purposes in order
to track activities and transactions. Information may indeed be available but the
focus of the data architects was on different goals. A common hurdle is that
reconciliations are done manually to end reports and not to source input. This causes
similar reconciliations to be performed periodically, and sometimes previous
corrections are omitted in later reports and have to be redone.

Risk management reports may utilize different standards of accuracy since those
reports are focused more on economic exposure as opposed to legal risks and
documentation risks. The reports will likely focus on the end of day or reporting period
rather than giving equal focus to intraday trades and closed-out positions.
Obviously any computer report will not provide the reader with the context for the
decision nor whether sufficient disclosure occurred nor what suitability checks were
performed.

Given the variety of systems and derivative instruments available, there may not
be a ready ability to perform an electronic file transfer. The alternative is to work
with existing reports and often to rekey the data into a spreadsheet format. If the
number of transactions is too cumbersome, then a possible approach is to sample
typical transactions and test the thoroughness and timeliness of the supporting
documentation.

With the proliferation of databases, these are useful tools to help standardize
documentation and disclosure. A database can provide a sample of standardized
disclosures and consistent templates for term sheets. One should require that all
term sheets sent out be copied and retained by a compliance unit.

When compliance standards and controls are set too high, they can engender resistance,
avoidance, or a hesitation to do something profitable and in the best interests
of the shareholders. The following are several examples of processes or procedures
that were counterproductive.

An end-user established an elaborate approval process for the approval of foreign
exchange forwards. Only a couple of senior managers could authorize transactions.
Given the difficulty of getting a time slot to see the senior people and the elaborate
form, the employee simply waited until the forward exposure became a spot transaction.
He then executed in the market and avoided the approval process. The trader
was not held accountable for gains or losses on unhedged positions and so expediency
ruled.

In another case, a company allowed only its CEO to authorize the use of the
company’s guarantee. Given the inability to schedule time with the CEO and the
smaller relative size of the transaction that needed a guarantee, the profitable opportunity
was allowed to pass by.

In another situation, the SVP level in a company could approve expenditures up
to a limited dollar amount on IT systems; otherwise it went to the board for approval.
A derivatives monitoring system was needed, so the need was split into different
budget cycles. The result was two systems that did not provide consistent valuation
and monitoring capabilities for the derivatives holdings.

In another case, an end-user in a highly regulated industry wanted to buy receiver
swaptions in order to hedge MBS prepayment risk in the event of lower rates. There
was no specific authorization or prohibition in the law as to the use of swaptions.
The in-house legal department refrained from going for regulatory approval since
derivatives were considered to have too high a profile and the company wanted to
avoid additional oversight requirements. So no hedges were ever done.

The highest comfort level possible is obtained by performing a compliance audit.
Although onerous and time-consuming, it’s the best approach. If practical, randomly
select several days a month where you review each transaction that occurred and
‘track through’ the process to ensure that all procedures were adequately followed.
Look more closely than simply verifying that all documents were signed. How
many revisions occurred, and were they material? Was there a delay in the sign-off
confirmations? Were intraday or overnight position limits breached? Did the market
trigger the violation or was it an active breach? How long did the breach languish?
Was the breach properly escalated? Did management reports contain all the required
information? Were exceptions properly noted? Is there a compliance calendar? Were
regulatory reports filed on time?

Each salesperson should be able to provide a listing of active clients and deactivate
old customers. Old authorizations or documentation that becomes stale should be
reviewed automatically. On an annual basis, a compliance staffer should review the
documentation file to ensure that it remains adequate and there are no omissions.

Companies are rarely blindsided by regulatory change; rather, it is the failure to
adequately prepare to accommodate the change that is the problem.

Consistency in approach and effort is a critical standard for effective compliance
oversight. It is inconsistent controls that create the opportunity for problems to
occur, fester, and multiply. Critical to success is a good personal and working
relationship between the business side and compliance ‘crew’. If personality conflicts
occur or egos clash, then each side may work at cross-purposes or simply revert
to a ‘help only if asked’ approach. Effectiveness only occurs with consistent teamwork
and trust.
