MiFID II External Reporting: Control Framework Implementation
By Shashi Prabhu and Marcus Cambray, Sapient Consulting
Now that the Markets in Financial Instruments Directive (MiFID) II is in effect, it is time to examine operational processes and controls to validate compliance. Past regulatory regimes show that failing to implement appropriate processes and controls at a regulation's inception leads to higher costs, with some banks spending between $10 million and $25 million. These costs take the form of large regulatory fines or major remediation programs needed to address issues that an inadequate initial process failed to detect.
A control framework is based on three pillars: reducing compliance risk, mitigating operational risk and improving operational efficiency. Control implementation within that framework depends on a firm’s underlying reporting architecture, data standardization and the quality of the reference and source data. It’s important to recognize that a control framework is never “complete.” Rather, the quality of the output should be consistently challenged and improved through a multi-stage continuous improvement process.
A successful framework will deliver timely, accurate and transparent reporting at all levels of the organization, including operations, front and middle office, client onboarding, compliance and senior management.
Understanding Business Architecture to Identify Controls
Control implementation, such as exception management or reconciliation, is often an afterthought. During a project, teams regularly make business design decisions about how data is filtered along the reporting journey, where in the architecture data enrichment takes place, and what to assume about data quality or about systems outside the firm's purview. Reviewing the decisions and assumptions made during the project's lifecycle is critical to revealing the true risks that the operational processes and controls must address.
The standard Process-Risk-Control (PRC) framework is the most effective way to define the regulatory control framework. It covers understanding the business architecture, mapping out business processes, identifying risks and rating them by impact, defining control objectives, and designing and implementing the controls (taking into consideration both technology and the human element).
The following four-step PRC process serves as a guideline to define and design the right controls within the appropriate control environment:
* Step 1: Identify control drivers, such as transaction reporting, post-trade reporting and commodity position reporting.
* Step 2: Examine the risks arising from the underlying processes and business architecture, and prioritize them based on the likelihood of occurrence and impact.
* Step 3: Define control objectives based on the firm’s risk appetite.
* Step 4: Design and implement the controls, define roles and responsibilities, establish a governance framework and manage reporting.
Beyond establishing the appropriate risk-based framework, it is important to take a pragmatic approach to implementation timelines. Continuous improvement is the only way to achieve efficient and sustainable operations: it lets firms design the framework with a long-term view while delivering the most relevant functionality almost immediately.
Operations, compliance and technology professionals must bring their respective expertise to the framework. Technology architecture groups should assess the need for changes in data structures, feeds and processing capacity. They can also identify any significant technical gaps.
By initiating a two- to three-week assessment, firms can develop a comprehensive view of their risks, control requirements and the desired target-state while remaining within time and budget constraints.
Exception Management and Reconciliation
With any regulatory control framework, exception management and reconciliation will serve as the framework’s cornerstones.
From an industry best practice standpoint, an exception management process, completeness reconciliation, accuracy reconciliation and data quality checks are the essential controls. Here are some examples of what should be contained within each of these controls:
Exception Management
* Failures in data enrichment
* Rejections at an approved reporting mechanism (ARM), an approved publication arrangement (APA) or the Financial Conduct Authority (FCA)
* Rejections at the exchanges
Multi-Way Completeness Reconciliation
* Independent eligibility rules for transaction and post-trade reporting
* Aggregation and reporting rules for commodity positions
* Post-trade timeliness verification
Multi-Way Accuracy Reconciliation
* Trade data, reference data and entity data reconciliation for transaction and post-trade reporting across source systems, the ARM/APA and the FCA/exchanges
* Commodity position data reconciliation between source and ARM/APA and exchanges
Data Quality Checks
* Counterparty data
* Personally identifiable information (PII)
* The International Securities Identification Number (ISIN) information
* Key enrichment and transformation fields
These processes and controls are not trivial to implement, so planning must budget and resource exception management and reconciliation appropriately. Firms should expect the exception management and reconciliation processes to surface a large number of breaks in the first six months after the MiFID II deadline.
Resources are needed not only to identify breaks but to investigate them, find the root cause and resolve the underlying issue. Periodic data quality checks should also form an important part of the control framework, to catch inaccuracies and enable frequent reconciliation.
It is difficult to over-emphasize the importance of training and cross-functional collaboration. Reconciliation is a significant challenge. Compliance groups, in their role as second line of defense, should ensure that the controls implemented are adequate and in line with the firm's overall risk appetite.
Critical Success Factors
To bring together the successful elements of a MiFID II external reporting control framework, the following must be considered:
* Understand Business Design and Associated Risks
MiFID II requirements are complex. While firms are past the compliance deadline, there is much work to be done to improve the underlying processes that enable reporting. Understanding the risks arising from suboptimal implementation is essential. Further, the risk of deprioritizing Day 2 activities that are important in achieving sustainable operations should not be underestimated.
* Align Control Requirements to Risks
The risks inherent to the people, process and systems need to be analyzed for likelihood and impact, and control objectives need to be designed considering the bank’s risk appetite.
* Implement Effective Challenge Process and Governance
Controls must be designed with an independent challenge process mentality. Independent quality assurance and control processes with an appropriate governance framework are required to ensure full compliance, improve reporting processes and achieve the desired level of transparency.
* Deliver Training and Foster Cross-Functional Collaboration
Change management is always a challenge with regulatory programs. Groups and teams taking on Business as Usual (BaU) processes are typically less familiar with, and not well trained on, the intricacies of regulatory requirements. Targeted training, along with deliberate cross-functional collaboration, can significantly mitigate the risks of the BaU transition and of regulatory non-compliance.
* Use Flexible and Customizable Tools
Operational processes and controls should be stood up immediately, before a backlog of issues starts to accumulate for remediation. At the same time, a long-term view is required, following the mantra of continuous improvement. Firms must adopt and implement flexible technology that delivers the immediate processes without sacrificing long-term goals.
* Provide Key Measures and Metrics
It is equally important to know how well the underlying processes and controls are functioning and what areas need improvement. Key performance indicators (KPIs) such as the percentage of non-compliant clients, percentage of under- or over-reported transactions, percentage accuracy match and other associated metrics play an important role in providing that view to operational groups and to senior management.
Conclusion
In summary, adequate controls must be operational before the non-compliance backlogs build up. The designed controls should reduce compliance and operational risk in a way that is sustainable. Controls should be closely related to the business design and reporting process, both of which need to be reviewed through the lens of MiFID II.
Firms must have a continuous improvement mentality, and start with something lighter that becomes more sophisticated over time. Finally, metrics will have to be produced so that the measures drive action and create feedback to the underlying business processes for continuous improvement.
Shashi Prabhu is a director – risk and regulatory response, and Marcus Cambray is a senior manager – risk and regulatory response, at Sapient Consulting.