As the waves of regulatory compliance have ebbed and flowed over the last few months, many institutions are breathing a somewhat misguided sigh of relief, especially where Dodd-Frank, EMIR and the Hong Kong Monetary Authority regulations are concerned. Hit squad contractor and consultant teams taken on to make sure firms were ‘Compliance day one’ ready, have largely been scaled back and for many firms the overall spend on regulatory based work has been reduced. In the midst of this though, the one piece of advice I would give to firms is… 'mind the gap'.

I say this because I'm sure that common questions being asked by senior executives within financial institutions globally are; 1) Just how compliant are we? 2) Do we have any gaps in our compliance with the regulation? 3) What new regulatory requirements are there (e.g. Collateral Reporting) and do we have the necessary skills in the team to meet them? Senior executives are understandably wary of the significant financial and reputational implications of not achieving compliance, or worse still not knowing whether they are compliant when (and it really is ‘when’ rather than ‘if’) the regulators send in the auditors. 

Firms will need to be able to trace back changes and spend on IT and operations relating to sections or articles of given regulations, so that they may evidence how these followed through to related impact analysis of the regulations, resulting business requirements, IT functional requirements, test scripts, IT change requests or operational / target operating model changes. They will need the ability to explain any gaps i.e. whether due to late changing regulations, lack of resources, misguided implementation of requirements or IT defects that were identified during testing. Furthermore, firms will need to be able to evidence their plans to remediate these gaps (assuming they are known). 

A further complication is that most firms will have gaps across a number of different regulations and will need to be able to evidence compliance and / or gap remediation plans for each of these regulations, across multiple business lines, asset classes and entities. Firms that offer delegated regulatory reporting services will need to be even more mindful of any regulatory gaps as these will have an impact not only on them but also potentially on their clients.

Only firms with the skilled personnel and specialist tools required to enforce, maintain and manage this detailed but necessary level of traceability will be able to give their senior executives peace of mind before the auditors arrive. Firms without these capabilities are advised to start minding (and managing) their gaps by building personnel capabilities and acquiring specialist traceability tools to prevent their gaps becoming chasms.