
A greater proportion of IT decision-makers in the financial/banking sector see key financial services regulations as a driver of innovation (34%) than regard them as a barrier to it (24%).

More than a third (34%) of IT decision-makers across the UK financial sector regard key financial services regulations such as PSD2 and FRTB as a driver of innovation within financial services organisations, while fewer than a quarter (24%) see them as a barrier to it. That is according to a survey of IT decision-makers across a range of financial and banking sector organisations, including retail and investment banking, asset management, hedge funds and clearing houses.

The survey, commissioned by software vendor InterSystems, also found that just 20% of these decision-makers believe their organisation is very well prepared for the roll-out of the new regulations.

Graeme Dillane, financial services manager, InterSystems said: “Historically, firms have responded in a piecemeal fashion by putting in place new siloed applications to meet the needs of each new ruling. The latest round of regulations raises the stakes by effectively demanding businesses break down their data silos, better integrate their data enterprise-wide, and analyse it in real time in the context of new event and transactional data. All of that makes it vital that organisations innovate now.”

To lay the foundations for innovation, firms need automated systems. Currently, however, automation levels are low. Just 21% of the sample said they had fully automated the processes they had put in place to meet regulatory and compliance demands. 33% said they had not automated them at all.

More positively, the survey indicates that IT decision-makers across this sector are aware of what needs to be done to change this. Nearly two thirds (66%) said that they expect innovative technology will have an important role to play in ensuring regulatory compliance for financial services businesses over the next five years.

“It’s clear that financial services businesses increasingly understand just how crucial it is to actively innovate in order to address the challenges presented by the latest industry regulations,” says Dillane, “and the good news is that we are starting to see evidence on the ground that they are seeking out new solutions to help ensure their compliance.”

(Source: InterSystems)

The European funds industry still has major concerns over Brexit and the fear and uncertainty that comes with it, according to new research with European fund managers.

More than half of respondents (55%) say that Brexit continues to be one of the biggest issues facing the funds industry in 2018. However, the study, conducted by online board portal provider eShare with delegates at the recent FundForum International event in Berlin, also revealed that the funds industry was generally optimistic about prospects for the industry in 2018 and beyond: 82% believe that the funds market is generally buoyant despite political and economic affairs.

“The fund management industry has faced much pressure over the past few years, with new regulation intended to improve transparency adding many layers of complexity to governance and compliance programs,” said Camilla Braithwaite, Head of Communications, eShare. “But confidence amongst European fund managers remains high despite this, with Brexit the only main concern for many. However, with the major decisions over Brexit and its impact on financial services still to be made, fund managers are proceeding as normal until they know more and the industry is thriving because of it.”

The new regulations, such as GDPR and MiFID II, have undoubtedly affected the industry though, with fund managers increasingly aware of the risks that come with non-compliance. 84% of those surveyed felt that their organisation could improve the operations surrounding risk management and decision-making.

With fund managers facing tough decisions about compliance, investments and many other factors, the ability to be transparent about such matters was one of the most important things identified by survey respondents. 97% said that demonstrating transparency into decision-making is increasingly important for the industry.

As the pressure grows on fund managers to be compliant and well-governed, so the need for transparency increases too. 84% of respondents said that technology is the future for improving governance standards within the funds industry.

“Transparency is essential in modern fund management and demonstrating this is right at the top of the agenda for most fund managers, keen to reassure clients and regulators alike,” continued Camilla Braithwaite. “Technology can play a significant role in this, showing how decisions were reached and supporting governance and compliance requirements. The industry has woken up to the potential of technology to help in this way, and the research would suggest that the mood within fund management is positive.”

(Source: eShare)

With the new IFRS 15/ASC 606 compliance regulations now in place, CFOs need revenue recognition solutions that can handle complex, multi-element arrangements and fast-changing product offerings. CFOs can no longer survive in fast-paced business environments with a revenue recognition process where you kick off in the morning and sit around waiting for the answer. Real-time revenue recognition reporting is today’s reality. Rajiv Chopra, expert at Aptitude Software, explains for Finance Monthly.

I am amazed that in 2018, and with this backdrop, so many CFOs are still not utilizing advances in accounting technology and are overly reliant on manual solutions. Over 75% of prospective clients I am speaking to are still managing revenue recognition accounting with home-grown “band-aid” systems that are reliant on manpower, excel and internal “spaghetti IT” solutions.

These manual solutions, in which the C-suite place their trust, are high risk. There is a high dependency on a select few individuals who are working under intense pressure for sustained periods of time, levels of staff turnover are high, and teams suffer from ‘Excelitus’ and burn out from the boredom of repetitive tasks. The real value of the finance team, providing management with data insights and analysis, is lost.

For example, we saw an $8bn dollar company operating in 160 countries, running 60 plus inventory spreadsheets just to track their sales. It would take 3.5 hours to open these spreadsheets – you can imagine the stress levels when they needed to close the books! Another company was doing 6 million transactions in a quarter, with 19,000 products and running 20 different revenue management systems, just to know where their revenue was. The level of financial risk was frightening with so many opportunities for misses and mistakes.

The question to CFOs and Chief Accounting Officers is why? You’re not saving money when your staff are waiting around for slow systems, correcting errors that shouldn’t be there and spending time on low-value, repetitive processes. When we pose this question to CFOs and CAOs, one of the most common answers given is habit. Yet when pressed, they often admit that concerns over cost are the real reason behind their hesitancy to adopt new technologies and automated solutions.

While the cost of revenue recognition solutions will always depend on the specific profile of an organization, a recent survey from PWC shows that the majority of companies (58% public / 84% non-public) have spent or will spend less than $500,000 complying with the new revenue recognition standards, with implementation costs going up in step with an increased contract volume and complexity (PWC 2018 accounting change survey).

There are several areas where organizations can look to build return on investment, but I believe the human cost of manual revenue recognition is significant and often undervalued by many companies. You just have to look at the high levels of staff turnover in finance teams, and consider the stress levels as they try to close the books manually and deliver substantiated reporting. In their study on the financial impact of staff turnover, Oxford Economics estimates that it costs over $39,000 just to replace a finance employee when you consider the loss of productivity, agency fees, HR and management time.

At our recent RevConnect conference, the benefits of new revenue recognition technologies were described as ‘night and day’ by David Peterson, Revenue Accounting Manager from Ivanti. He explained how, by moving from a spreadsheet-based solution to an automated revenue recognition solution, they had reduced their close from 5 to 3 days, giving his team time to do more analysis and deliver more insights to the business.

Using automation also means finance teams can leave behind all the rote tasks of data download and copy and paste and focus on data insights and analysis. New technologies also encourage innovation and attract technology-savvy talent. A recent survey from the Association of Accounting Technicians revealed that 75% of finance professionals found that using accounting technology has either made their job easier or freed up time for them to concentrate on adding value to the business.

The benefits for CFOs who have embraced new revenue recognition technologies are extensive. Crucially, they have much happier and fulfilled finance teams. They can also take back control of their environment which can result in increased output, better critical decision making, and more business opportunities.

I encourage all CFOs to stop playing catch up, be proactive and reduce the manual processing of revenue recognition. Empower your team to add value to your business, grow as contributing team members and move away from hours of manual tasks that don’t have a place in the modern CFO office. When speaking about his organization’s move to an automated revenue recognition solution, Mark Flournoy, CAO, at Intuit summarized the change perfectly: “We (finance) are actually now in service to enable the rest of the business.”

With one in three bank staff now employed in compliance, and financial institutions groaning under the pressure of an ever-increasing regulatory burden, 2018 is set to be the year that RegTech rides to the rescue, stripping out huge cost from banks’ processes.

In the same way that nimble start-ups introduced FinTech to the financial sector, the stage is now set for the same tech-savvy entrepreneurs to apply the latest technology to help tame the regulation beast. 

The challenge is even more pressing now, with the arrival of an alphabet soup of blockbuster regulation including GDPR, MiFID II and PSD2, which will stress institutions like never before.

What is RegTech?

Deloitte has set high expectations for RegTech, describing it as the use of technology to provide ‘nimble, configurable, easy to integrate, reliable, secure and cost-effective’ regulatory solutions.

At its heart is the ability of ‘bots’ to automate complex processes and mimic human activity. And RegTech start-ups are already using robotic process automation to translate complex regulation into API code using machine learning and AI.

The holy grail of RegTech, however, is to strip out huge layers of cost and dramatically lower risk by developing and applying complex rules across all business processes in real-time, automating what can otherwise be an expensive and highly labour-intensive job. Simply put, RegTech promises to do the job faster, cheaper and without human error.

Behavioural analytics

Just like its FinTech cousin, RegTech is already being used for a surprisingly wide range of applications. For example, banks are using behavioural analytics to monitor employees, looking for unusual behaviour patterns that may be a tell-tale sign of misconduct.

Brexit will also present a golden opportunity for agile RegTech start-ups whose tech solutions can adapt and transform quickly according to the new regulatory landscape, while traditional institutions struggle with the pace of change.

Unlike FinTech however, which has largely been focused on B2C solutions, RegTech start-ups have to work much more closely with traditional financial institutions. That’s because capital markets are a highly complex, regulated area, where institutions are cash-rich and where access to funding is critical if vendors want to disrupt.

Bespoke solutions

Traditional institutions are also more likely to need solutions that are specifically tailored to the challenges they face, rather than the one-size fits many approach developed by FinTechs. For example, they rely on many different data systems, and this torrent of data often makes it difficult to compile reports to deadline for regulators – a perfect challenge for a RegTech start-up.

RegTech could well be the cavalry, riding in to save the investment management industry from the increasing amount of data being produced that financial regulators want access to. A significant amount of this data is unstructured, making it difficult to process, which adds a greater level of complexity. The flow and complexity of this data is only going to increase, and with it the challenge for banks.

Financial institutions are increasingly pulling out all the stops to crunch data and meet the regulator’s next deadline, and in this high-pressure environment teams are not necessarily developing the strategic overview needed to streamline their IT architecture in order to reduce operational risk.

Compliance at speed

RegTech promises to automate these processes, making sense of complex interconnected compliance rules at speed, making compliance more cost effective, while reducing the chance of human error.

It also promises to dispense with the current time lag between a period end, the collection of data by the institution and assessment by the regulator – a process that is always backwards looking.

Under the RegTech model, powered by data analytics and AI, information is in real-time and self-correcting to ensure the regulatory process remains dynamic and relevant.

The scale of the advantages promised by RegTech is such that banks successfully harnessing its power will strip out huge amounts of cost from their processes, which can then be invested in business-critical innovation, giving early adopters a clear competitive advantage over the rest of the market.

John Cooke, Managing Director, Black Pepper Software

E-commerce has experienced exponential global growth over the last decade. A wider array of markets has encouraged greater competition and provided more opportunities for online merchants to reap the rewards. However, staying ahead of the competition in such a climate is easier said than done and, if not approached properly, going global can put merchants at risk of falling behind. With this in mind, Finance Monthly hears from Ralf Ohlhausen, Business Development Director at PPRO Group, who sets out ten simple steps to help make a success of going global.

1. Assess cross-border market opportunities

Consider the barriers to trade in the regions that interest you, making sure the benefits of doing business in the area outweigh the costs of meeting market needs and expectations. Also, don’t dismiss high-growth markets, such as Vietnam and Poland, which might be relevant for your business, but not the regions that spring to mind when looking for new sales opportunities and cross-border expansion.

2. Know your market and audience

This is important not only in terms of what you sell and to whom, but also in terms of the most relevant payment preferences. Online casinos do not accept credit card payments due to the fraud potential, while travel websites need to offer customers the option to pay via credit card due to the high value of the transaction. Sale conversions are linked to the provision of appropriate payment methods, and payment behaviour varies by demographic, just as purchasing behaviour does. In many cultures, younger people are more likely to use non-traditional payment methods, but if your target audience is primarily older, this may not be relevant. Do your research by considering all important market segments before you begin to trade.

3. Plan your marketing strategy

If you are new to a region, you need to raise your profile and gain customer trust to convert browsers into buyers. Consider your target market carefully. For example, a German national buying furniture online would rather not pay for a new sofa in advance, but wait for delivery and then pay directly from their account. Think about the behaviour of your target customer and which marketing strategies will resonate most successfully with them. If this is out of your remit, then working with a local marketing partner will provide the necessary knowledge to attract and retain business in the region, supporting long term growth.

4. Plan your market entry

The best marketing plan in the world will fail if not supported by a well thought through market entry strategy. Consider the best way to set-up shop in a new region, as it will differ depending upon your business model and regional knowledge. Do you need to use a partner to begin with, to sell via an online market place, auction site or through an established local vendor? If so, for how long? Or can you go it alone from the start?

5. Consider your market share and positioning

Your current market/s may be crowded or dominated by one or two big names. If you enter an emerging market with a carefully tailored and localised offering, you could grab a large slice of that niche before others do.

6. Review payment methods

When it comes to payment options, decide how much risk you are happy with. Some payment methods may be convenient for customers, but carry a greater burden of chargeback/refund risk or other cost to the vendor. Such risk can often be mitigated, for example by offering less risky forms of payment, such as SEPA direct debits, for goods below a certain value or to trusted customers. So-called ‘push payments’, which are proactively sent by the client, are less risky in terms of chargeback, but their use must be balanced with local preferences. Examples of push payments include giropay in Germany and iDEAL in the Netherlands.

7. Personalise your e-commerce offering for local needs

Make sure customers are only offered the products and payment methods relevant to their location, in a regionally-appropriate format. There are several ways of doing this, including local versions of websites and identification of site visitors by location (e.g. according to their IP address), which then dictates the pages and payment options available. You should offer each visitor at least three, or ideally around six, of the most popular payment options in their location, to maximise your chances of making a sale.

8. Do not leave it too late

Online retailers wanting to take a share of emerging markets need to act now, while the trend towards internationalisation is in its infancy and market niches are free.

9. Compliance matters

As a business, you must comply with a multitude of legal, financial and customs regulations of the markets you trade in. It is therefore crucial to keep abreast of and respond to any regulatory changes in a timely fashion. This generally demands external expertise, particularly as the penalties for non-compliance can be extremely tough.

10. Consider third-party support

When making a foray into a new market or region, it is important to keep on top of commercial and regulatory barriers and implement the best alternative payment methods. This is fundamental to the success of your business expansion. However, very few retailers have sufficient expertise in-house to manage all of these matters optimally, so finding a partner who can support you on your global journey can be the key to success.

While the prospect of ‘going global’ is still new for some, it’s vital for merchants to break into new regions quickly, armed with the best strategy and proposition to seize the opportunities, before the competition swoops in. Only by taking this approach can merchants win new customers and multiply their bottom line, building new revenue streams and expanding into new regions. Global success is only a few steps away, and now is the time to go for it.

Overwhelmed by demanding new regulations, leading financial institutions are relying on video to manage the flow of critical information to employees. Below Paul Herdman, Vice President of Qumu EMEA, explains how finance teams and compliance officers can make the most of enterprise videos.

With worldwide financial institutions finally beginning to recover from Brexit, and derivatives markets still adjusting to the rollout of MiFID I, the next communication crisis for this turbulent industry is already looming. As political and regulatory regimes continue to extend their influence, firms doing business across the EU must now prepare for implementation of the revised Markets in Financial Instruments Directive (MiFID II), which reaches beyond banking to impact trading as well, while US-based financial institutions are busy figuring out how to comply with GDPR (the EU’s General Data Protection Regulation).

With both regulations including organisations and their global subsidiaries, greater market transparency in the financial industry is becoming a worldwide mandate. These new directives will have a huge impact on regulated firms in 2018 and beyond and will require financial institutions to upgrade their processes, their compliance operations and most importantly their communication technologies.

A 2017 Thomson Reuters survey revealed the average annual cost of compliance for global financial organisations is $119M per organisation. Additionally, 73% of communication professionals reported that communicating company news to employees is a serious challenge and 37% reported internal silos as the number one challenge for internal communications.

As these companies respond to increasing demands of regulators to meet new directives, many are proactively focusing on developing robust communication programmes. And the centrepiece of these new programmes is, in many cases, an enterprise video platform. Live or on demand, IT executives know that video communication can be fully automated, easily searchable and consumed on any device—making it the perfect communication solution in highly regulated environments. In fact, if managed well, video communication can translate into shorter time-to-compliance, and save financial services firms hundreds, or even thousands, of dollars per year per employee.

But how?

Enterprise video to the rescue

There are many ways using an enterprise video platform can help financial institutions meet compliance directives:

Timely communication: when workforces are dispersed, video messages can be easily created and instantly distributed to employees as regulations change.

Opportunities for feedback: key stakeholders can submit feedback and questions to the executive team, which can be captured and tracked for future resolution, or to identify gaps in the current process.

Timely collaboration: financial institutions can create private communication channels where key team members can share knowledge, insights and outcomes related to their discipline or functional responsibility.

Strategy alignment: video is a great way to present a consistent story across the organisation—before the message is taken externally and any room for misalignment is eliminated.

Increased readiness: video polls can be used to gauge readiness on a specific topic or portion of a new regulation, reinforcing mission-critical compliance procedures.

Documented audit trail: with marketing teams playing a key role in the new directives, automated workflows for approvals and audit trails are key for financial promotions and marketing collateral compliance.

Configurable security: executives can share knowledge quickly across the organisation, privately to specific groups of key stakeholders or to larger audiences with no content restrictions.

Reporting and analytics: a video content management system can provide advanced analytics on content review, meeting attendance and overall engagement with the company message.

In conclusion – broaden your reach

Technology investments in enterprise video are key to mitigating regulatory risk. Not only do they provide a platform to communicate how regulatory changes will impact activity, but they allow financial institutions to quickly adapt to evolving rollouts, and ensure that all financial activities, including trades, remain in compliance. With the right enterprise video platform in place, many global financial institutions have been prepared well in advance for MiFID II and GDPR to happen. Is your company ready?


Darren Craig is an Associate Partner within Northdoor plc, an IT consultancy specialising in data solutions. Founded in 1989, Northdoor has created a consultancy-led engagement model for clients looking to start their GDPR programme. In its experience, the company has found that businesses are very confused about the legislation and need advice around the processes involved in meeting GDPR legislative requirements. The Northdoor Rapid Response programme allows clients to quickly define their strategy, clarify their existing position around data and data security and create a clear roadmap to allow them to progress towards meeting their GDPR target. Once the roadmap has been defined, Northdoor has a combination of consultancy services and a series of solutions to detect, encrypt and secure client data to ensure that their environment meets their needs. Here Darren tells Finance Monthly more about the GDPR-related services that Northdoor offers and the challenges that UK businesses are faced with less than six months before the looming deadline.


With the European Union General Data Protection Regulation coming into effect in May 2018, in your opinion, what are UK companies doing in terms of preparing for GDPR?

I think that so far, many companies have spent a lot of time educating themselves and building their awareness of what GDPR is. We’re finally beginning to see companies that are starting to implement programmes of work. However, there's still a large percentage of companies that we talk to every day that haven't even started their formal programmes yet and don't expect to start one until January next year.


Do you think that this will give them enough time? 

It depends on the size of the company, but I think that there will be a lot of British companies that won’t manage to be fully compliant by 25th May 2018.


Why do you think so many businesses in the UK have yet to initiate a GDPR compliance programme? 

I think it's a mixture of reasons. One of them is connected to the lack of marketing in relation to GDPR that the Information Commissioner’s Office (ICO) has done. I’m under the impression that a lot of companies think that GDPR is just another version of the Data Protection Act, which is not the case. It is in fact a very significant change, when compared to what the Data Protection Act expects them to do.


What are the first steps towards GDPR compliance? 

The first step is understanding the gaps within your business. It is fundamental for businesses to accept that data protection is not just an IT issue - it's a cross-business challenge that requires all departments to come on board as part of the GDPR project and identify the data protection gaps they have between their current processes.


What does a typical GDPR compliance project entail?

As mentioned, the project itself starts off with a gap analysis where companies identify the gaps they have. This is then followed by a discovery exercise in order to identify all the personal data information that the business currently processes. The third stage of the project is then taking that data and mapping it back to a process within the business. Finally, companies have to carry out a Privacy Impact Assessment (PIA) against the process - only then they fully understand the amount of work that they need to do in order to become GDPR compliant.


When assessing compliance, what areas do you find businesses commonly struggle with?

The most common challenge relates to marketing. Traditionally, companies use marketing data from lots of different sources, but under GDPR, they will require explicit consent to be able to use this information going forward.

The other challenging area is HR - the requirements are for Human Resources to make sure that they have the right legal basis in place to process their employee information.

The third area where we see companies struggle is third-party supply chains. Under the Data Protection Act, the supply chain wasn't liable, however, under GDPR, the supply chain and the owner of the data are equally liable. Thus, there's a legal requirement for every company to ensure that the third-party supply chains that they work with are also fully compliant.


Can you tell us more about the work you’re doing in the field of GDPR?

The work we're primarily doing at the moment is advisory work, helping companies understand how much work they need to do around GDPR compliance and establish their project plan.


Why should companies choose Northdoor to help them with their GDPR compliance projects?

Northdoor is not a company that's just jumped on the GDPR bandwagon – we have been a business for over 28 years and our key priority is to advise clients and help them manage their information assets effectively. We not only advise them in relation to compliance of data, but we also help them secure their data and get value from it. We manage the whole lifecycle of information assets throughout the business and this has always been our core focus.


For more information, please go to: https://www.northdoor.co.uk, email: info@northdoor.co.uk or call 0207 448 8500.


The rationale behind the regulation

The General Data Protection Regulation (GDPR), referred to by some as ‘the’ biggest change to European privacy laws in the last two decades, is causing commotion across the globe as businesses rush to become compliant by May 2018 or risk facing heavy sanctions.

Finalised in April 2016, the new regulation, which will replace the Data Protection Directive 95/46/EC, has the goal of better protecting an individual’s personal data. For clarification purposes, that could be any form of information leading to a person’s identification, including but not limited to their name, email address, ID number, location data, income and bank details, health information and IP address.


So why a greater focus on the data subject?

In a comparison with the rules of the road, made by David Lewis, GRC Manager at cyber security specialists Imperva, a person visiting a website should be protected. When browsing online, it is expected that our personal information is secure and makes it to its end destination safely too.

Unfortunately, as recounted in the press all too often of late, the risk of a visitor’s data being breached has increased exponentially.

In November of this year, details surrounding a breach suffered by Uber in 2016 surfaced. According to the company, 57 million people have been affected as a result of the cyber-attack. A month prior, detailed card payment information of approximately 60 000 Pizza Hut customers, among other user data, was thought to have been exposed to hackers. A month before that, Deloitte was involved in a cyber-attack for which the real fallout has yet to be defined but is said to have compromised Deloitte's global email server. In July 2017, it became clear that Bupa’s data breach had impacted half a million customers. In 2016, Android malware compromised over a million Google accounts. In 2013, Yahoo also disclosed a breach affecting up to 3 billion of its email users.

In response to the drop in user trust and confidence, which inevitably has a negative impact on businesses and the economy, governments are increasing regulatory safeguards. Unlike the Directive, the GDPR will provide a single set of rules for all companies handling, storing, sharing and processing EU-related personal data. Organisations will have to implement new measures to meet the requirements of the regulation and be extremely careful about how they acquire, collect, use and store the data of their clients, customers and employees.

The implementation of a single regulation is expected to facilitate business processes in the long run and to incentivise organisations to consolidate and streamline data in one place from the outset, where it can quickly be anonymised. The significant reduction in organisational costs, the potential for innovation, the building of greater rapport with customers and the decrease in brand and reputational damage associated with avoidable breaches are also argued to be among the benefits of the new regulation.

Cloud services and the GDPR

The rules of the GDPR apply irrespective of whether data is stored in the cloud or on paper. The former in particular presents several challenges with regard to compliance.

On the one hand, according to Elastica’s Shadow Data Threat Report, as little as one percent of cloud providers’ internal processes are compliant with the new legislation, and less than three percent enforce secure password policies that meet the requirements of the GDPR. This is partly a consequence of the Directive’s emphasis on the controller rather than the processor, which has left many a provider unaccountable for the role they play in data privacy and security. Other than where direct contractual obligations are imposed on behalf of the controller, processors are not held liable for loss or exposure of information. Where regulation isn’t an issue, cloud service providers can limit their focus to the ease of use and navigation of their platforms and services.

On the other hand, according to the most recent Netskope Cloud Report, EU firms are unaware of how many cloud applications their organisations are actually using; on average the figure is believed to be over 600 software programs.

Under the new regulation the rules will be far more stringent, the threat of fines as high as 20 million EUR or four percent of a company’s annual revenue (whichever is higher) will be real, and liability will be shared between processor and controller. Cloud providers as well as their users must put in place a series of technical and organisational measures to guarantee the level of security required. According to Dr. Rois Ni Thuama, Head of Cyber Governance at OnDMARC, the fines are not necessarily the biggest threat to a business’s bank account: the data subject’s right to sue following a breach, whatever its implications, is far more concerning.

“What we are seeing now is a clear division between a growing number of companies that say ‘wait, this GDPR thing is real’, and those who still don’t understand you cannot simply move data around the cloud without addressing data privacy. Privacy regulation is becoming mainstream in IT, in the same way that drug licensing became so for the pharmaceutical industry. It’s either make it clear that you comply, or forget about selling to serious customers,” says Bostjan Makarovic, Founder of Aphaia, a GDPR-focused consultancy.

The attitudes of controllers and processors will need to change drastically, especially when it comes to negotiating agreements. Strict provisions on the scope of duties of the controller and processor will need to be defined and implemented. Annabel Jones, UK Director at ADP, commented: “contractual due diligence will be even more important as businesses seek to partner up with companies that can show data is processed lawfully”. An increase in third-party due diligence and a greater focus on insurance policies will most likely also be discernible.

Steps to compliance

When selecting a provider, cloud-using organisations need to ensure they choose vendors that are, in the first instance, able to tell their clients where the data they process and store is located. According to the GDPR, data transfer to a third party outside the EU that does not have adequate data protection standards is only allowed under certain circumstances. Currently only 11 countries meet such standards.

It is equally important that companies are made aware of any third parties involved in the processing of the data. According to Trustwave’s Global Security Report, approximately 63% of data breaches involve third parties, who are often considered a company’s biggest area of risk exposure. As a result, they will be the first to be investigated by regulators. If third parties are involved at some stage of the process, measures need to be taken to ensure that they too are compliant.

Security should be a top priority for providers, who ought to be able to explain the various measures adopted to protect data from modification, unsanctioned processing or loss. All data centres must hold the latest ISO certifications, and the storage and transmission of documents should be carried out exclusively over TLS (SSL) connections with AES 256-bit encryption. Regular penetration tests should be carried out to assess data security. Two-factor authentication, data deletion, trash retrieval and access controls are just some of the ways data owners can retain control over how, and whether, their data is kept.

About Drooms:

Drooms, Europe’s leading virtual data room provider, works with 25,000 companies around the world including leading consultancy firms, law firms, global real estate companies and corporations such as Morgan Stanley, JLL, JP Morgan, CBRE, and UBS. Over 10,000 complex transactions amounting to a total of over EUR 300 billion have been handled by the software specialist.

Website: https://drooms.com

With MiFID II looming, finance businesses across the UK will be reviewing their practices to ensure the way they work complies with the new regulations. Here, Alex Tebbs, Founder at VIA, explains what the regulations mean for the way we communicate as businesses, and how your business can comply come January 2018.

MiFID II is a targeted regulation update that aims to improve transparency and better protect both providers and customers of the finance sector.

In that sense, it exists to make things better for everyone; but with the January deadline looming and uncertainty still rife around the impact of Brexit on the update, many in the finance industry are still considering the best way to achieve compliance in their business.

It’s a regulation update made up of many facets, one being the requirement for businesses to record their communications in any instance where the conversation results in, or is intended to result in, a transaction. Those communications must be retained - and be accessible when called upon - for five years after the event.

Creating a post-MiFID communications plan

In many ways, the communication requirements of MiFID II make a lot of sense. By recording our conversations, we can be sure that we are serving our customers in the best way, and that they are protected from any potential misunderstandings or misdemeanors.

But in today’s multi-device, multi-location business landscape, compliance isn’t so simple. While once we would have communicated on one device (likely a landline) and from one office, the reality of business today is that we often use multiple devices (and even encourage colleagues to bring their own devices) and operate across multiple locations, including remote working from home, offices in different countries and communications on the move.

This presents a challenge for finance professionals. How do we achieve compliance in this complex communications landscape?

The best place to start is with a review of your existing communications plan as a business. You’ll need to work out what platforms and devices are used to communicate, and make a record of all of those, as they will need to be included in your recording strategy. Be aware that this might not be as straightforward as it sounds, and it’s likely to take time to uncover all the comms platforms in use.

The next step is then to work out how best to record those communications. On a landline, this would require hardware such as a microphone plugged into the handset. There are various apps that make it possible to record calls on a smartphone or via clients like Skype.

An alternative to this somewhat clunky process is to invest in a unified communications platform. This brings all your communication tools - smartphones, landlines, Skype, instant messaging, text - onto one platform which can be easily controlled from one portal, making recording and keeping those conversations a much easier, quicker process.

However you choose to manage your communications, one thing is clear: you will need to be able to both record and keep those conversations from January, when MiFID II comes into play.

Security considerations in communications

It certainly won’t have escaped your attention that another sizeable regulation update is taking place in 2018; namely GDPR, an update to data protection rules.

With GDPR putting renewed emphasis on security - and with MiFID’s requirements for comms recording - security should be placed firmly atop the agenda of financial firms.

There are various options for achieving security in communications. The most universally relevant and powerful is end-to-end encryption: the main risk of unsecured comms is that communications could be intercepted en route, and end-to-end encryption removes this risk by making the information, even when intercepted, entirely useless to the interceptor.
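As an added illustration of the point above (example code written for this page, not from the original article or from VIA), the script below shows why intercepted end-to-end encrypted traffic is useless to whoever captures it. Everything in it is constructed: the shared secret stands in for what the two endpoints' key agreement would produce, the trade message is made up, and the cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, used only so the script runs on the Python standard library; a production system would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305.

```python
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC-SHA256 over (nonce || counter) in counter mode.
    Illustrative stand-in for a real stream/AEAD cipher so that no third-party
    library is needed."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def derive_keys(shared_secret: bytes):
    """Split the endpoints' shared secret into independent encryption and MAC keys."""
    enc_key = hmac.new(shared_secret, b"e2e-example enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"e2e-example mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(shared_secret: bytes, plaintext: bytes) -> bytes:
    """Sender side: encrypt, then authenticate nonce and ciphertext (encrypt-then-MAC)."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(shared_secret: bytes, wire: bytes) -> Optional[bytes]:
    """Receiver side: verify the tag before decrypting; None means reject."""
    if len(wire) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(shared_secret)
    nonce, ciphertext, tag = wire[:NONCE_LEN], wire[NONCE_LEN:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # altered in transit, or not produced with the shared secret
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def interceptor_sees_plaintext(wire: bytes, plaintext: bytes) -> bool:
    """What a passive eavesdropper learns by reading the bytes on the wire."""
    return plaintext in wire


def demo() -> dict:
    # Constructed values: in a real deployment the shared secret comes from the
    # endpoints' key agreement and is never available to the carrier or platform.
    shared_secret = secrets.token_bytes(32)
    order = b"Client 4711: buy 500 ACME @ 12.30, confirm by 16:00"
    wire = seal(shared_secret, order)

    tampered = bytearray(wire)
    tampered[NONCE_LEN + 10] ^= 0x01  # flip one ciphertext bit in transit

    return {
        "endpoint_recovers_message": unseal(shared_secret, wire) == order,
        "interceptor_sees_plaintext": interceptor_sees_plaintext(wire, order),
        "tampering_detected": unseal(shared_secret, bytes(tampered)) is None,
        "wrong_key_rejected": unseal(secrets.token_bytes(32), wire) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Someone holding only the wire bytes neither reads the order nor alters it undetected; only an endpoint holding the shared secret recovers the text. The same property is why recording for retention has to happen at an endpoint, or inside a platform that holds the keys, rather than by capturing traffic in transit.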

For those businesses using a unified communications platform, encryption and many other security considerations are included as standard, with large investments being made by those companies into stress testing their platforms and removing any vulnerabilities as soon as they are identified as a potential risk. For those using separate communications channels, a strict security testing strategy will need to be in place to ensure all communications are safe and private.

In terms of retaining those recorded conversations, security is a concern once again. Secure servers and storage areas are a must; consider also who has access to these recordings, ensure they have a signed agreement in place that complies with data protection rules, and make sure your business’s data protection processes are up to date - especially as GDPR hits in May 2018.

MiFID II and the communications landscape

There is much left unknown about how MiFID II will affect finance businesses in the long run, and it’s likely that the implementation of its regulations will uncover complexities that need to be clarified as we move into the new year.

With that said, the communications element is prescriptive; finance professionals must record and maintain a record of all communications, regardless of device, platform or location. Is your business ready?

With just six months until GDPR hits Europe hard, Finance Monthly has heard from Nigel Edwards, SVP of Insurance Europe & Head of UK at EXL Service, on the threat GDPR poses to emerging technologies, fintech, regtech and so forth.

For insurers, the General Data Protection Regulation (GDPR) promises to be a difficult hurdle to overcome without the right strategic approach and expertise. Businesses in the insurance industry are some of the most vulnerable to being caught wrong-footed by the incoming GDPR rules because of the data rich environment they naturally operate in. The widespread use of third party administrators means that data flows can be difficult to control in a way that keeps firms compliant with the new regulation. Another question that is high up on the agenda for industry decision-makers is the effect that GDPR will have on future technology adoption.

In recent years, the insurance sector has undergone an unparalleled degree of technological disruption. Telematics technology, for example, has dramatically changed how insurers price policies by gathering data on individuals’ driving habits and behaviour. The use of social media analytics is making the claims process more straightforward, and the use of technologies such as geo-location is creating better conditions for underwriters to evaluate pools of risk. One thing that these technologies have in common is their reliance on large amounts of collected customer data to function effectively. Will these techniques be hamstrung by the demands placed on companies under the GDPR regime?

Assessing the data ecosystem

For the most part, GDPR will not force insurers to curtail technology adoption, so long as precautionary steps are taken to better manage the data inputs and outputs on which new technologies rely. All of the existing InsurTech solutions that are on the market or close to arriving will remain options for brokers and underwriters to incorporate into their strategic spend - but only if the underlying infrastructure is in place to enable the rigorous management of client data.

Perhaps one of the most onerous demands placed on businesses by GDPR is the so-called ‘right to be forgotten’, which will grant EU residents the right, in certain circumstances, to request a full removal of their personal details from a company’s systems. For many insurance firms, a large proportion of which will have been trading since the start of the age of digitisation, large caches of over 30 years’ worth of client data have been accumulated. This data may not be in a single standardised format and may be spread across silos in multiple locations – posing a considerable challenge when it comes to compliance with right-to-be-forgotten guidelines.

Aligning with a long-term strategy

For new technologies to remain viable, steps must be taken to ensure that the core infrastructure upon which data is stored and transferred is responsive to frequent requests for deletion or transfer. This may result in the overhaul of legacy IT systems which are not fit for purpose and a more selective retention of customer information, as opposed to a policy which swallows up large pools of data indiscriminately.

Whilst this may entail some capital outlay, the decision to update legacy systems should be taken in the context of a new stance towards regulatory compliance. The GDPR is just one regulatory hurdle that must be overcome by insurers next year, but it can serve as a starting block for a more agile approach to data handling – especially for firms who have historically neglected the task. In the long term, laying the foundations for new technology adoption will not only facilitate better business agility but also a more intuitive approach when interacting with clients and their data.

Research from leading information security company Clearswift has shown that the education sector is rivalling technology for the top spot when it comes to GDPR preparedness.

The research surveyed 600 senior business decision makers and 1,200 employees across the UK, US, Germany and Australia. When asked whether firms currently have all of the necessary processes in place to be compliant the top five performing sectors included technology and telecommunications (32%), education (31%), IT (29%), business services (29%) and finance (29%).

The survey has also revealed, of all the sectors, healthcare is the least likely to be ready for the upcoming GDPR, with only 17% of private and public sector bodies claiming to have the processes in place to comply with the legislation. Following closely behind is the retail sector with a mere 18% of the industry ready for GDPR, and marketing at 19% and legal at 21%.

Overall, the research has shown that only a quarter (26%) of businesses are currently ready for General Data Protection Regulation (GDPR). However, with the deadline fast approaching, a further 44% are putting processes in place and expect to be ready in time for May next year, when the legislation comes into force.

Dr Guy Bunker, SVP of Products at Clearswift, said: “With 64% of UK businesses currently making moves towards GDPR compliance, the outlook is not as bleak as previously thought.

“It is clear that the regulation has grabbed the attention of businesses, but what is important is that their focus is in the right place. Those viewing GDPR as an opportunity will be in the best position to not only comply, but evolve their organisations, enhance their security posture and achieve business growth.

“Educating employees about how to safeguard critical information, introducing data protection guidelines and instilling a culture of data consciousness in the workplace will not only bring organisations closer to compliance but help reduce the chances of a data breach.”

Although the majority of businesses may not currently be ready for GDPR, employers have begun identifying the departments within their organisations where data protection is needed most. The most common departments to have budget allocated for spend on GDPR are finance and IT (31%). This is particularly relevant as most businesses believe their critical data predominantly lies in the finance department (55%), suggesting that finance will be under the spotlight in the coming months as organisations look at how they can prepare for GDPR.

When looking at the size of an organisation, 46% of the businesses that reported they are ready for GDPR had between 500 and 999 employees. Among larger corporations of 5,000 or more employees, only 19% reported they are ready, suggesting that bigger is not necessarily better. Smaller enterprises are leading the way over their larger counterparts in putting processes and technology in place ahead of May 2018.

While many organisations are expecting to be ready for GDPR, our research has shown that a typical company-wide IT project takes around six months to roll-out, meaning those that aren’t ready now are running out of time to introduce new technology which could help them comply with the legislation.

Dr Bunker added: “The key focuses for GDPR compliance are educating employees and understanding where your data lies. However, organisations that are still looking at how they can prepare should focus on security solutions that can be integrated within existing infrastructures, such as Data Loss Prevention (DLP) tools and content inspection software, which are the biggest priorities in preventing data loss and can be used to demonstrate compliance with GDPR legislation. This can save time and costs by adding these to existing security investments instead of removing old technology and replacing it with completely new solutions.”

(Source: Clearswift)

Bermuda has won world approval of its tax information exchange practices with other jurisdictions.

A global body said this week that those practices comply with international standards.

Premier and Minister of Finance the Hon. David Burt JP MP responded to the announcement by thanking Bermuda government officials who have worked hard to make this a reality.

The Global Forum on Transparency and Exchange of Information for Tax Purposes (the Global Forum) said that Bermuda was among the countries screened under a new and enhanced peer review process aimed at assessing compliance with international standards for the exchange of information on request between tax authorities.

Bermuda, Canada, Australia, Cayman Islands, Germany and Qatar were deemed to be “largely compliant”.

The new round of peer reviews – launched in mid-2016 – followed a six-year process during which the Global Forum assessed the legal and regulatory framework for information exchange (Phase 1) as well as the actual practices and procedures (Phase 2) in 119 jurisdictions worldwide.

Today’s result means that Bermuda maintains the rating obtained through Phase 1 as a jurisdiction largely compliant.

Premier Burt said, “This is tremendous news and excellent for Bermuda. My thanks to all involved in securing this important outcome.

“This result is a testament to the hard work of the team in the Ministry of Finance.

“It is good news for local industry, boosting confidence in Bermuda as an international business centre.”

The 144-member Global Forum is a leading international body for ensuring the implementation of the internationally agreed standards of transparency and tax information exchange.

The Global Forum’s new peer review process combines the Phase 1 and Phase 2 elements into a single undertaking, with new focus on an assessment of the availability of, and access by, tax authorities to beneficial ownership information of all legal entities and arrangements, in line with the Financial Action Task Force international standard.

Global Forum members are working together to monitor and review implementation of the international standard for the automatic exchange of financial account information, under the Common Reporting Standard (CRS), which will start in September 2017. The monitoring and review process is intended to ensure the effective and timely delivery of commitments made, the confidentiality of information exchanged and to identify areas where support is needed.

The Global Forum is the continuation of a forum which was created in the early 2000s in the context of the OECD’s work to address the risks to tax compliance posed by non-cooperative jurisdictions. The original members of the Global Forum consisted of OECD countries and jurisdictions that had agreed to implement transparency and exchange of information for tax purposes. The Global Forum was restructured in September 2009 in response to the G20 call to strengthen implementation of these standards.

(Source: The Government of Bermuda)

About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.

© 2024 Finance Monthly - All Rights Reserved.