For banks, compliance is about to move to the next level – the enterprise. ember ec3 Inc., a Toronto-based firm, has released .HeatShield 2.0 to provide an integrated and comprehensive risk and compliance application. Four major banks are working with ember to pilot .HeatShield. One bank with a multi-state presence agreed to talk about the problems a bank faces in compliance, and what it wants from a vendor to meet the demands of an alphabet-soup world of rules and regulations, including those of such regulators as the Office of the Comptroller of the Currency (OCC), the Federal Reserve and the Office of Foreign Assets Control (OFAC).
“We are looking for a way to better measure and quantify where the significant risks are in our organization as it relates to a variety of compliance topics,” said the banker. “We need to look at it from an enterprise basis and respond with an effective management program.”
Like other large banks, this one has a lot of compliance policies and procedures. Now the challenge is to monitor the execution of those controls to make sure they are in place and operating effectively.
“We have self-testing programs, internal audits and regulatory examinations that give us results. We want to take all this data in and understand how it affects the profile of risks we are building so we can make the right decision on how effectively we are managing those risks,” the banker said.
ember, he said, is developing a solution that will let the bank map all its compliance requirements across the enterprise to give it a way to evaluate its processes and risk categories.
Over the last three years, firms have been rushing to put point solutions in place for compliance, said Curly Lippa, vice president of sales and marketing at ember. The result was multiple siloed solutions in different departments, each holding its own view of risk.
“So when the chief compliance officer reports to the board, he has trouble responding to their questions about where is our risk, are we getting better or worse, and what are we going to do about it,” Lippa said. Ninety-five percent of firms were using Excel, email, and fax as their compliance tools, he added.
“You need to pull all these pieces together and do it in a flexible way because one thing we know about regulations is that they are always changing,” said Lippa.
For the banker, regulations present a huge array of often overlapping requirements that have to be mapped if the bank wants to deal with them effectively. For example, an account opening process is important for Sarbanes-Oxley, Bank Secrecy/Patriot Act, and safety and soundness requirements.
“We need to validate that those controls are in place to ensure compliance with the more significant laws,” he said. “We have a lot of overlap with similar end-to-end processes in loans and depository accounts that we need to look at in financial reporting and compliance. We are trying to develop a single environment so we can measure for Basel II, so we will get to the operational risk as well.”
The bank is moving to a focus on process, said the banker. “Let’s understand the process and then we can identify what is significant for financial reporting, for compliance, for an operational safety and soundness perspective. We are trying to do this in a strategic, coordinated fashion so we don’t have a one-off solution for Sarbanes-Oxley, and another for operational risk.”
The bank is using ember's software to identify and catalogue the risks across its business.
“The challenge is that we have so many different groups, including Internal Audit, performing evaluations, that we have information about risks and control effectiveness but now we need to bring it all together so we can have a comprehensive viewpoint,” he said.
The bank has also been using an earlier version of software from Protiviti for self-assessments, but it lacked the more comprehensive view of risk which ember offers. Both compliance solutions are built on Microsoft .NET and Microsoft SQL Server.
“The missing piece is mapping in where compliance risks reside,” said the banker, who is in a proof-of-concept stage with ember. “We need a program infrastructure to define compliance risk, understand where those risks are being managed, evaluate the effectiveness of the control, and have a way to continually update it,” he said. Protiviti didn’t have that in its prior versions, but a new release offers functionality to compete with ember, he added.
On the technical side, a financial institution can get crushed under the weight of multiple point solutions, he said.
Lippa said that ember has developed an application that can meet 80 to 85 percent of a bank’s requirements.
“We built on .NET. Microsoft was the way to go for integration because 90 percent of corporate data is accessed through Microsoft tools such as Word and Excel,” he said. With Web Services and XML, ember can integrate with a bank’s existing compliance solutions.
One of the banks in the current round of pilots wanted a link to every regulation, said Lippa, but the others are linked to macro categories.
“Account opening has a whole slew of regulations, and now our tool connects to a category, which I think is a much more sustainable approach,” said Lippa.
www.ember.ca