Regulatory reporting operating model – A new paradigm
Heightened regulatory expectations for regulatory reporting require institutions to focus on preparing high-quality reports. One key element of this focus should be a governance structure that enforces accountability, measures data quality, mitigates reporting and operational risks, and allocates resources to address data and financial reporting challenges.
An “optimized” regulatory operating model involves managing and measuring regulatory reporting risk as a firm-wide activity. As such, the regulatory reporting operating model should follow a centralized framework, where corporate finance, risk, and business line executives create an equal partnership. Current regulatory expectations reflect that the historical operating models, such as projects with little accountability at the business line, are too often ineffective. That is, the historical model cannot support the demand for high-quality, fit-for-purpose data at a granular level with ever-increasing complexity.
There are three basic components needed in any regulatory reporting framework:
Tone from the top – executive management support
Executive-level support is essential in defining and managing the data and report production processes. This requires the commitment of senior management to define and assign data owners and report owners, as well as to ensure the implementation of the appropriate internal controls for providing fit-for-purpose data. Part of this executive-level support is recognizing the use of regulatory reporting data and its impact, both public and private, from the regulators’ perspectives.
The first step in accomplishing data ownership throughout the firm is for senior management to mandate a central inventory of data across business lines (e.g., financial, risk, and legal entity). Deloitte’s experience shows that many firms have failed to maintain complete inventories due, in part, to a lack of ongoing senior management support across the firm. When such support is lacking, business lines decide that these data activities are not a priority and return to their “day jobs.” Simply put, without a governance structure that consists of corporate and business line executives empowered to enforce change, an effective firm-wide governance structure cannot be implemented. In this case, regulatory reporting governance needs to be tightly integrated with data governance.
The new operating model focuses first on the underlying data and regulatory reporting as an output, supported by good data management and governance practices. The objective is to have one set of data that can be used many times. As such, the regulatory reporting framework should be integrated with firm-wide data governance practices and data offices.
Creating an accountable organization
Data quality is almost always dependent on the data’s source. The data life cycle begins as soon as the data enters a firm through the execution of a transaction, contract, or accounting entry (e.g., loan agreements and trade confirmations).
An effective accountability framework has two specific components:
Effective accountability policies require ongoing support from senior management. Specifically, without management support across the business lines, accountability policies typically fail. Strong accountability policies create incentives for business lines to adhere to data quality standards. Therefore, when data quality standards are not met, an action needs to be taken to ensure that the root cause for the data quality issues is remediated, and that sustainable data stewardship programs are in place at the data owner level. This can be accomplished by a capital or transfer pricing charge to the business area.
While charges to the business line are effective, senior management and board reporting—where senior management continuously monitors performance of the business line and corporate function—can have a meaningful impact. Regardless of the incentive construct, executing on an accountability policy requires the development of metrics that are measurable and actionable (e.g., manual adjustments, number of transformations, and number of identified data errors). These should be monitored at the business line level and the aggregated level. At the aggregated level, holistic reviews of consolidated (i.e., firm-wide) data issue logs should be performed to identify systemic data issues that may have a firm-wide impact.
As the adage goes, “you do not know what you do not know.” The same applies for data owners. Unless data owners understand the impact and technical requirements for the data they own, they cannot be expected to maintain the data at the required level of data quality. To mitigate this risk, awareness training should be conducted. This training, conducted for business line executives and their staff, explains the data they are providing and what impact this data has on the firm. For example, the training can explain how the data is used to calculate risk-based capital or the impact this data has on compliance reporting (e.g., Federal Reserve Regulation W – (23A), and Regulation Y – equity investments in nonfinancial companies / merchant banking). Additionally, this training should outline the governance process for questions about data requirements, interpretations, and where data issues should be reported. The leading practice is for executives in material business lines to regularly go through awareness training.
Complementing data awareness training is technical training. Technical training is conducted for all staff who are involved in the production life cycle of regulatory data. Participation in training is mandatory and tracked at the center by the report owner. The training is geared toward the type of data that the data owner is responsible for (e.g., loan data and derivative data). The training focuses on the data definitions for the attributes for the applicable data, with specific attention to critical data elements. These training programs should be conducted at regular intervals, including updates to requirements. Additionally, knowledge assessments should occur, for example passing tests before completing training requirements.
Third line of defense
Internal Audit plays a critical role in assuring accountability for firm-wide data quality. It is a leading practice for Internal Audit to include in its scope for business line audits, reviews of data operations, quality assurance procedures, and independent transaction testing of regulatory reporting data. By doing so, firms can reinforce the culture of maintaining high quality at the source data. The Internal Audit function should leverage critical data elements identification, risk assessments, and materiality policies in determining the scope of the work, as well as understanding if the business line is focusing resources and programs aligned with the risk and impact of the data they own. Of course, Internal Audit should continue its reviews of the data at an aggregate level with finance and risk. This dual approach can help achieve data quality throughout the data life cycle.
Adopting a governance model that takes a firm-wide approach and creates equal partnership with data owners and data producers is a significant step in building a data-centric organization that supports high-quality regulatory reports that meet regulatory expectations.
Copyright © 2018 Deloitte Development LLC. All rights reserved.