Sarbanes-Oxley Act and Basel 2 take pace on financial services and IT structures

Financial software: Made-to-measure solutions banks are spending more on IT to remain competitive


Financial services software is big business. In 2005, European banks’ IT expenditure will total more than €50bn, almost 20 percent of which will go on external software, according to IT research and consulting firm Celent Communications. IT costs in the US securities industry will reach $26bn this year, of which external software accounts for a quarter. And the market is accelerating in expenditure.

And in the world of finance technology, getting a custom-built financial software package is also all the rage. Satellite firms offering advanced functionality and customised solutions on top of existing large-scale systems have always been around. But as companies have focused more and more on increasing efficiency of all systems, improving integration of disparate systems and consequently pulling value out of all business processes, so has interest in these custom solutions grown.
One of the biggest developments in the role of the finance function in recent years is an increasing focus on developing and managing new technology aimed at increasing process efficiency across the financial supply chain. With limited IT budgets, these executives are tasked with the need to show a convincing return-on-investment (ROI), often over a short timescale. But as the technological desires of large-cap companies have grown, so has the gap grown between what big-name system suppliers offer and what those companies are looking for.

That is where the small but specialised solution provider comes in. The financial technology market has seen a huge surge in interest in the offerings of smaller firms that aim to make existing enterprise applications better—not necessarily by changing those systems but through add-ons and custom functionality to turn those enterprise apps into the solutions that finance executives dream of.

Sanjay Srivastava, chief operating officer of specialist IT firm Aceva, says the development of external firms dedicated to providing custom add-ons to major systems is a natural progression. “This has occurred in most other industries, so it makes sense for it to happen in the financial technology market. The breadth of functionality that the big banks and system suppliers are trying to achieve is simply not possible.”

Srivastava says that within the enterprise space most enterprise resource planning (ERP) software began by focusing on the physical supply chain. “The reality is that ERPs have done a good job on the physical supply chain, but when you turn around and look at the financial supply chain, there are large gaps between what users need and what ERPs provide,” he says. Consequently, companies can end up with multiple ERPs managing different functionality across different parts of the organization. This works for the physical supply chain, but for the financial supply chain it does not stand up. Thus, having a custom or at least a highly customizable packaged solution can fill the gaps left by the big names.

This is particularly relevant for large-cap corporations that have active M&A programs. With many new purchases this generally means many new systems that must somehow come together. This can either happen by rolling out head-company systems to subsidiaries, or it can mean developing complicated in-house solutions to get the various systems to speak with each other. Either way it involves a long, highly complicated and generally expensive procedure.

Honeywell hosts most of the major ERP platforms across their various business units, says Sue Sadler, Honeywell’s director of cash management. “With many acquisitions under our belt we naturally had numerous systems across our organisation,” she notes. The biggest problem, she explains, was that the information they needed to make good customer decisions resided in different databases that did not speak to each other. “We knew what was causing difficulties in our invoicing, but we could not fix them without a huge process involving many different system suppliers,” she says.

Honeywell set out to find a solution and discovered that Aceva could provide true customization with all systems. “They could pull together all our systems—shipping, manufacturing, forecasting and so on—into one system and give us all the information in one screen,” Sadler says. “We are able to have a whole information trail as well,” she adds. “We can look up about 150 different things on an invoice and fix it by ourselves before an invoice is generated.”

According to Stephen Blythe, founder of Blytheco, which offers custom add-ons to Best Software’s accounting systems, the size of the organization dictates whether a custom solution is appropriate. Smaller companies tend to want a pre-packaged solution, but the larger the corporate the more likely that they will want some form of customisation. A mid-size company, for example, will likely want a package that out of the box handles 98 percent of the functionality that they are looking for. “But they want this to follow their workflow needs; they do not want to change the business to suit this piece of software,” he says. For a large-cap company the package must mold to the business, he says: “Clearly, after that there will be much customisation that needs to be done to meet their business model.”

Getting that type of customization from the big system suppliers is possible but is generally a colossal task. “Every time we wanted to do something group-wide, it was a huge undertaking, and no one system could talk to everything,” says Sadler. “This is really what drove us to look at Aceva.” By choosing an outside firm that could work across the various systems, it made for a relatively painless implementation, she explains.

Software offers compliance solutions
The financial sector should be familiar with change by now. In addition to coping with general upheaval in the world economy such as globalisation and increased competition, the sector has faced its own specific changes, too. The spread of electronic networks has changed the financial markets fundamentally with the disappearance of most “open outcry” trading. Elsewhere, advances in technology have also created new markets and enabled new ways of operating – at the price of more investment and upheaval.

The swing back to tighter regulation of the international finance sector adds yet more pain. In November, the first impact of the Sarbanes-Oxley Act, which aims to enforce better corporate governance and accountability, will hit the larger US public companies. The act will primarily affect US-based companies and international companies that trade in the US. But it seems likely that other parts of the world will follow the US lead and introduce similar codes of practice. The UK, for example, is known to be reviewing the issue following recommendations of the Higgs Report.

While many of the international companies most affected are financial sector businesses such as international banks and insurance companies, the Sarbanes-Oxley Act is not specific to the financial sector. The Basel 2 accord is, by contrast, specifically aimed at the financial sector and defines a framework for risk management and capital “adequacy”.

It is no surprise that the combination of new regulations and technological change have led some to compare the current scramble for compliance with the run up to year 2000. The rush has inevitably been accompanied by a similar degree of vendor hype: “The drive to comply has not been helped by vendors hyping up the issue. You have good consultants and bad consultants. The bad ones sell their time based on the apparent mess they say they have to deal with,” says Peyman Mestchian, director of risk management practice at SAS Institute, the software developer.

While some organisations might panic and adopt a scatter-gun approach – dealing with each new regulation as it comes into force – the prevailing wisdom is to stand back and look at the regulations as a whole. “The analogy is with enterprise resource planning (ERP) in manufacturing during the 1990s. Projects failed because of the lack of an overall strategy. You really have to put compliance on one side and work out a business case, which includes benefits as well as obligations,” Mr Mestchian says.

This “holistic” approach is supported by the fact that, while the various regulations aim to achieve different ends, there are common areas, especially in the data required. “Most of the smart organisations are looking at the regulations altogether. There are, for example, overlaps in the data required for Sarbanes-Oxley, Basel 2 and the International Accounting Standard (IAS),” says Paul Cartwright, managing partner of risk and regulatory management at consultants Accenture.

Barclays Bank recognised this early on and put in place a formal Integrated Regulatory Programme (IRP) to tackle regulatory issues in one go. Brendon Kirby, Barclays’ programme director, says the bank wanted to take a consistent approach and look for potential gains at the same time.

“We had discussions a few years ago which led us to take a consolidated approach to regulation. You can see regulation as a nuisance – but if you can go the extra step you can get real benefits. I see it as a sort of regulatory aikido where you turn a liability to advantage.”

He adds that the approach has not only justified itself, it has put the bank in a good position to meet its obligations: “The work we have done over the last few years has given us a good feel for Basel 2 and we have realised we are pretty close. I was personally quite surprised because when we looked at the detail we found it was incremental changes and only about 10 per cent of the work we expected.”

More importantly, Barclays sees opportunities to use the data gathered for risk management to drive through improvements in business operations. “In the key area of non-financial risk under Basel 2, for example, we can see ways to leverage the data for other purposes,” says Mr Kirby.

Andrew Barnes, global marketing director at KVS, a data archive specialist, echoes this: “It is not only compliance that needs data. If you are putting in systems to make it easier to get at records for compliance, then you might as well go further and get some benefit.”

Jeffrey Rodek, chief executive of Hyperion, the US business process management (BPM) specialist, also advocates the holistic approach and says the drive to compliance gives companies new ways to improve their performance. “Compliance and external pressures on financial organisations are certainly challenging, but they can all be dealt with. BPM can provide the framework to drive compliance – but it can also bring benefits.”

Rodek says companies should not be satisfied with meeting the minimum requirements of the regulations; they should strive for the best. “The point of the regulations is to restore trust in business and the markets. Companies should not invest only to comply – they should go beyond this and get an insight into their business so they can run it well.”

Jean Louis Bravade, managing director of financial services for Europe, Middle East and Africa at EDS, says the result should be good for the industry.

“By and large, financial organisations are not at the leading edge of industrial-strength systems. The need to comply is forcing them to review their IT infrastructure, their controls and their workflow. The direction that is being set is definitely a good one.”

By the end of 2004, the success or otherwise of large US companies’ efforts to comply with the Sarbanes-Oxley Act will be revealed. The Basel 2 accord is still three years away – but the requirement for historic data means that for many, the work should have already begun.

It looks as if some banks have yet to get this message. A recent survey by PA Consulting Group of the world’s top banks showed that progress towards complying with the accord is mixed.

“While 81 percent have clear objectives, only 39 percent have committed budgets to compliance,” says Eddie Niestat, PA’s head of risk management and capital strategy. “If we have any faith in the timetable for Basel, for some elements it is already too late.”

What customers say
John Dakin, group head of information security, UK investment bank
“Data integration is a continuing challenge. There is frustration that arises from knowing that the data you need is there, but to get it out of different systems is difficult. We have found part of the answer in tools that can capture the data to assess risk, such as Citicus’s early lifecycle tool.”
Chris Crate, group compliance director, UK-based financial services company.

“You can put in the processes and tools to assist people. You can introduce a system to police what they do. But it is the change to the culture that takes the time. Compliance requires a permanent process of education so people know what they are meant to do.”

The new regulations explained
Sarbanes-Oxley Act

Introduced in the US following several high-profile financial scandals, the act aims to improve corporate governance and make directors liable for the data they publish on company performance. Section 409 is especially tough and requires that companies “must disclose information on material changes in the financial condition or operations of the issuer on a rapid and current basis.” Large companies were to comply by November 2004.

Basel 2 accord
An agreement by the international banking community to introduce formal risk management techniques for financial institutions. Companies who opt for the “advanced” model of risk management will be required to keep less capital in reserve to meet their liabilities (capital adequacy) than those who opt for the basic minimum approach. Basel 2 is due to come into force in 2006/7 although regulatory deadlines have traditionally been flexible.

Risk Based Capital Directive (RBCD)
This is the European version of the Basel 2 accord. It incorporates the earlier European Capital Adequacy requirements.

International Accounting Standards (IAS)
These are new regulations defining how companies should report their assets and liabilities which came into force at the end of 2004.