As many of the sessions at XLoD Global - London made clear, solving the data problems faced by trade surveillance teams is bigger than anything surveillance teams can fix by themselves. The issues in the data, in-venue visibility and in-vendor connectivity are part of a much more fundamental problem of enterprise-wide data and technology fragmentation. That’s not news. What’s changed though is that regulators now also understand that they cannot continue to focus on critiquing trade surveillance calibration or other surveillance minutiae. They too need to focus on the wider data issues that impact both financial and non-financial risk management, regulatory reporting and business resilience.
It's clear that in the US and elsewhere, regulators want to dig deeper into banks’ data failings and that they are looking at everything from high-level governance frameworks and BCBS239 compliance all the way to the details of physical versus logical data lineage. They want surveillance to cover what it is supposed to. But they also want control environments in general to deliver forward-looking risk indicators that are useful to the business rather than acting as a backward-looking reporting function.
There’s nothing wrong with that ambition, banks should of course have the data to support their operations, risk management processes and regulatory reporting. But not all data is equal, and banks privately complain that regulators are demanding too much.
As one head of surveillance puts it, “I get it. It's very important. We have to be able to do that [produce the data]. The Fed is asking all the right questions, all the regulators are, but my God, it's a resource drain and maybe we are not devoting as much time as we could to core risk issues or to taking a step back and brainstorming about what the next big whammy might be coming around the corner, because we're so bogged down in all the data stuff.”
The ‘too much’ that regulators want is, according to banks, 100% completeness and accuracy in whatever data it is they have decided to look at. “Especially from the US regulators we are seeing a change,” says one EMEA surveillance head. “We use a proportionate system in that we're risk-based. So, when we used to say, ‘I've got 98% of my flow covered, that used to be all right, it's not anymore. And if you use the WhatsApp example as the start of this, it didn't matter how much data you were missing and how big a firm you were and what it was being used for, initially it was just a $200 million fine irrespective – basically a parking ticket and I think we are going to see the same in trade [surveillance].”
Another UK-based head of surveillance agrees: “We all have data quality reports with completeness checks and variation alerts. And we set thresholds around what we were prepared to tolerate as a deviation from the historical average or whatever, given the underlying risks to which that data related. But the regulators are asking for more than that now – it should be a hundred percent. Now, regulators don't consider budget. They're not supposed to, but unfortunately that's the real world.”
The regulatory pushback is that the idea of ‘risk-based’ cannot apply to core risk data. It’s fine to take a risk-based approach to the analysis of data, using different levels of control and calibration and analysis of those controls, but without the data, banks are flying blind and do not have the raw material with which to make true risk-based decisions. So, when banks want to, for example, accept a much lower set of data standards around a market like the secondary loan markets, where there is little trading activity, the answer is that they should have the same data standards as for any other market, and then, if they wish to monitor those markets less rigorously on a risk-weighted basis, then they can.
This sounds reasonable, but it ignores two things. First, there is a resource trade-off between a focus on data and other forms of risk-management, including surveillance. It must be true that there is more risk in some areas than others, and so as a matter of practicality it makes sense to direct finite resources to where risks are perceived to be highest – and that includes resources dedicated to data perfection.
Second, just because data is not available in the best possible form to a particular downstream risk function like surveillance does not mean it is missing, and, importantly, is not already being used to mitigate the risk that downstream function is monitoring. Banks have enormous operational risk control inventories that span all of their activities and ensure that core functions like trading, clearing and settlement can occur. And in financial functions there are vast numbers of controls and reconciliations that also provide evidence of both risk mitigation and data adequacy. The trouble is, banks have not tried to evaluate their control inventory in this way to make this argument.
That said, some institutions are beginning to push back against what they see as regulatory overreach. The most obvious example is JP Morgan’s Jamie Dimon, who, in the latest in a series of punchy comments around regulation, made it clear that he has had enough of what he describes as “an onslaught” of overlapping, ill-conceived rules. He's had enough and it’s time, he says, to “fight back,” saying, “I’ve had it with this shit” and he has made clear his willingness to fight back in the courts. It remains to be seen how his attitude has filtered down the organisation to departments like surveillance.
Interestingly, some legislators and regulators are starting to change sides too: UK chancellor (Finance Minister) Rachel Reeves in a recent speech promised a reboot of regulation governing Britain's "crown jewel" financial industry, which she said has shackled the City's prospects since the global financial crisis and stifled British economic growth.
"While it was right that successive governments made regulatory changes after the global financial crisis, to ensure that regulation kept pace with the global economy of the time, it's important we learn the lessons of the past," Reeves said. "These changes have resulted in a system which sought to eliminate risk taking. That has gone too far and, in places, it has had unintended consequences which we must now address."
Whether or not these small shoots of regulatory retreat will have any effect in broader compliance and surveillance teams remains to be seen. And whether the Trump administration will deliver its promised bonfire of regulations is also debateable. But as one speaker at XLoD Global said, “If you had told any of us that after 10 years we’d have spent the amount of money we have on all of this, no-one would have believed you. Can that continue? I’m not sure it can.”