A positive attitude
11 August 2003
Chennai: 'Charity begins at home,' goes an old and very popular adage. A child cultivates strong ethics by strict adherence to his parents' principles, which later on helps him to carve a niche in society as a well-reputed person.

Similarly, financial services institutions also face challenges in embedding ethics and compliance into all systems, processes and procedures so as to safeguard their reputation in the industry.

Compliance was not considered a core part of management functions until a few years ago. As regulators demand proof of robust compliance controls and enhanced levels of management oversight, firms have started treating an effective organisation-wide compliance function as a critical management tool.

Inside glimpse
Compliance can be defined as the management function that respects and abides by all the industry-related regulations. The definitions of compliance and risk management have always been seen to overlap, but the two functions have very different outlines. Compliance focuses primarily on ensuring that all rules and regulations are followed, while risk management focuses on ensuring that risks are understood and that proactive decisions are made as to which risks to take.

Looking back at the history of compliance in the financial services industry, it can be said that compliance sowed its seeds in Europe around the mid-1980s, while in the US it dates back to the 1930s and 1940s. Though compliance had a very low-profile beginning in the UK, it slowly gathered momentum and today is no longer regarded as a cost imposed by regulators but is considered a vital organ of the corporate framework. The US, with the longest compliance history in the world, has relevant legislation dating back to the 1930s and 1940s.

Mounting pressure on the transaction environment, as hackers breach security measures, has created awareness among financial institutions worldwide. Strict regulations have been put in place from time to time to curb the movement of cash across geographical boundaries.

Though it might not be possible to put a complete check on the growing upheavals in the international environment, companies have realised that prevention is always better than cure. The huge penalties imposed by the regulatory authorities for non-compliance, and the increased competition among peers to position themselves as the 'safest, most trustworthy' service provider, have forced companies to accept compliance as a 'core management' function.

Core values

  • Prerequisite for good corporate governance
  • Integral part of good business conduct
  • Protects reputation and manages risk
  • Promotes a safe, secured transaction environment
  • Protects safety and stability of global financial markets
  • Tracks suspicious customer movements
  • Adds value to customers' confidence
  • Brings competitive advantage
  • Prevents money-laundering activities by terrorists
  • Harmonises international regulatory approaches

Regulatory hurdles
Compliance Watch 2003, a survey conducted by ABA Banking Journal, Bankers Systems Inc and the American Bankers Association (ABA) Compliance Executive Committee, reveals that financial institutions are spending substantial funds on compliance - notably for the staff necessary to meet the regulatory requirements.

Financial institutions are bearing the burden of complying with the laws and regulations laid down by the authorities from time to time. The Compliance Watch 2003 survey also reports that all the respondents from 1,800 banks, thrifts and holding companies from 49 states and Washington DC said that the Bank Secrecy Act/OFAC/ Anti-Money Laundering requirements were the most expensive regulations to implement.

Privacy Laws and Truth in Lending were ranked second and third, while the Community Reinvestment Act was ranked the most costly to implement in bank categories over $1 billion and the Fair Credit Reporting Act was ranked No 1 among credit-card banks.

Some of the most important and prominent regulations so far are:

Bank Secrecy Act, 1970
The Bank Secrecy Act was enacted in October 1970 to fight money laundering and other financial crimes conducted through financial institutions, by laying down guidelines for the institutions to follow. Though the Act was initially targeted only at banks, its focus was later broadened to include other industries in the financial services sector.

The Act has been modified several times during the last 30 years to cover non-banks, depository institutions, casinos, Indian casinos, card rooms, money transmitters, traveller's check issuers, and sellers and redeemers. Some of the Bank Secrecy Act's compliance requirements include:
1. File a Currency Transaction Report (CTR) for each deposit, withdrawal or exchange of currency of more than $10,000 in cash
2. The CTR must be completed and filed with the government within 15 days of the currency transaction
3. File a CTR if smaller cash transactions on a single day by the same person add up to more than $10,000
4. File a CMIR (Currency or Monetary Instrument Report) for international transportation of currency and/or monetary instruments in excess of $10,000
5. File a SAR (Suspicious Activity Report) for any suspicious transaction relevant to a possible violation of law or regulation
6. Maintain records of taxpayer identification numbers (SSN or EIN) for all account holders
7. Keep records of all individuals who buy checks, money orders and traveller's checks for amounts from $3,000 to $10,000
8. Maintain data documenting both the sender and receiver of funds
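The CTR rules above (items 1, 3 and 7) are the kind of thresholds a compliance system has to apply mechanically to a day's cash ledger. The following is an added example, not code from the article or from any bank or vendor it mentions: it applies the single-transaction threshold, the same-person same-day aggregation rule and the $3,000 to $10,000 monetary-instrument record-keeping band to a constructed ledger. The `customer_id` values, dates and amounts are invented, and the `CashTransaction` record layout is an assumption for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Thresholds as stated in the Bank Secrecy Act requirements above (US dollars).
CTR_THRESHOLD = 10_000   # cash deposit/withdrawal/exchange above this needs a CTR
INSTRUMENT_MIN = 3_000   # record-keeping band for checks, money orders and
INSTRUMENT_MAX = 10_000  # traveller's checks: $3,000 to $10,000 inclusive


@dataclass(frozen=True)
class CashTransaction:
    customer_id: str   # hypothetical internal identifier (constructed)
    day: date
    kind: str          # "deposit", "withdrawal", "exchange" or "instrument"
    amount: float


def ctr_required(txns):
    """Return the set of (customer_id, day) pairs for which a CTR must be filed.

    Item 1: any single deposit, withdrawal or exchange over the threshold.
    Item 3: smaller cash transactions by the same person on one day whose
    total exceeds the threshold.  Instrument purchases are not cash
    deposits/withdrawals and are handled by instrument_records() instead.
    """
    daily_total = defaultdict(float)
    flagged = set()
    for t in txns:
        if t.kind not in ("deposit", "withdrawal", "exchange"):
            continue
        key = (t.customer_id, t.day)
        daily_total[key] += t.amount
        if t.amount > CTR_THRESHOLD:
            flagged.add(key)
    for key, total in daily_total.items():
        if total > CTR_THRESHOLD:
            flagged.add(key)
    return flagged


def instrument_records(txns):
    """Return instrument purchases that fall in the record-keeping band (item 7)."""
    return [t for t in txns
            if t.kind == "instrument" and INSTRUMENT_MIN <= t.amount <= INSTRUMENT_MAX]


# Constructed sample ledger; every customer id and amount is invented.
SAMPLE = [
    CashTransaction("C001", date(2003, 8, 11), "deposit", 12_500.00),    # single large deposit
    CashTransaction("C002", date(2003, 8, 11), "deposit", 6_000.00),     # two smaller deposits ...
    CashTransaction("C002", date(2003, 8, 11), "deposit", 4_500.00),     # ... that add up to 10,500
    CashTransaction("C003", date(2003, 8, 11), "withdrawal", 9_900.00),  # under the threshold
    CashTransaction("C003", date(2003, 8, 12), "withdrawal", 9_900.00),  # next day: not aggregated
    CashTransaction("C004", date(2003, 8, 11), "instrument", 3_500.00),  # money order in record band
    CashTransaction("C004", date(2003, 8, 11), "instrument", 2_000.00),  # below the record band
]

if __name__ == "__main__":
    for cust, day in sorted(ctr_required(SAMPLE)):
        print(f"CTR required: customer {cust} on {day}")
    for t in instrument_records(SAMPLE):
        print(f"Record instrument purchase: {t.customer_id} ${t.amount:,.2f}")
```

Run as a script it lists C001 (one deposit over the threshold) and C002 (two deposits aggregating to more than $10,000 on the same day) as needing a CTR, and C004's $3,500 money order as a purchase that must be recorded; C003 stays under the threshold on each day because aggregation is per person per day.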

Fallouts:
1. Civil money penalty of $50,000 for negligent activities
2. $1,500 per report for record-keeping violations such as filing an incorrect CTR
3. Civil penalties of up to $1,000 per day for non-compliance
4. Fine of $250,000 or imprisonment for five years for wilful violation of the structuring provisions

Gramm-Leach-Bliley Act, 1999
The Gramm-Leach-Bliley Act (GLBA) was signed on 12 November 1999 for protection of non-public personal information. According to the GLBA, the security of customers' information was given paramount importance to ensure confidentiality of customers' data.

The Act also requires safeguards that give adequate protection against reasonably anticipated threats or hazards to the security and integrity of such data, and against unauthorised access to or use of such data that could result in substantial harm or inconvenience to any customer.

Also known as Financial Services Modernization Act, GLBA requires banks and financial institutions to ensure that customer information is protected from cyber criminals and to provide detailed security policies to customers and regulators. This is the first law to mandate security policy in the electronic environment. This act recognises that privacy policies are meaningless without security policies.

The GLBA is applicable to banks, mortgage brokers, mortgage lenders, credit unions, insurance companies, real estate agents, appraisers, thrifts, securities firms, financial planners and credit card companies. Some of GLBA's compliance requirements include:
1. Adopt and disclose privacy policies
2. Create 'opt-out' choice for consumers while sharing their information with third parties for marketing purposes
3. Abstain from obtaining or disclosing an individual's financial information under false pretences
4. Involve the board of directors to promulgate, approve, implement and review information security programmes
5. Assess internal and external threats to customer information
6. Ensure sufficient and sound strategies to manage and control identified risks
7. Train employees on information security programmes
8. Test security programs regularly for any internal/external hazards
9. Establish appropriate oversight of relationships with outsourcing vendors
10. Adjust information security practices continuously to keep up with the latest industry trends
11. Report to board/committee annually on the status of security programmes

Fallouts:
For non-compliance with administrative, technical and physical safeguard requirements, the organisation is subjected to:
1. Civil penalty of not more than $10,000 or fines up to $1 million
2. Termination of FDIC (Federal Deposit Insurance Corporation) insurance
3. Removal or permanent termination of members of the management board
4. Imprisonment for five to 10 years

USA Patriot Act, 2001
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot) Act was passed on 23 October 2001 to trace and limit the financial resources fuelling terrorist activities. Money laundering is estimated to be one of the world's largest businesses, at $1 trillion annually, with 50 per cent of the funds passing through the US at some point.

The USA Patriot Act was enacted to detect and restrict illegal financial transactions that are affecting the financial community worldwide. The Act was passed with the message, 'know your customers' to all financial institutions for a safe and secured business environment.

Financial institutions such as banks and credit unions, securities dealers, investment bankers, commodity traders, money transfer agents and non-financial institutions are mandated to abide by the Act. Some of the USA Patriot Act's compliance requirements include:
1. Examine data of all the customers from sources, both internal and external to the organisation
2. Determine the customer's behavioural patterns that might affect business and national security
3. Appoint a compliance officer to lead the anti money-laundering (AML) programmes
4. Create internal AML policies and procedures and institute training programmes
5. Create an independent audit process to test internal procedures
6. Establish minimum procedures for verifying the identity of new customers when they open accounts
7. Crosscheck accountholder names against all government lists of known or suspected terrorist organisations
8. Record owner of account, originator of a transaction, person who approved the transaction and any other individual involved in approving an account

Fallouts:
The risks of non-compliance can be both monetary and personal. Apart from possible regulatory fines of up to $1 million, there can be criminal charges against officers for rule violations. The organisation can also suffer negative corporate publicity for failure to comply, which again might damage its image in the industry. TowerGroup reports that, to comply with the law rather than risk fines of $1 million, US brokerages will spend $700 million through to 2005.

Sarbanes-Oxley Act, 2002
The Sarbanes-Oxley Act was enacted on 30 July 2002 to lay down guidelines affecting reporting, accounting, disclosure and other corporate governance policies. In other words, it focuses heavily on the internal control policies of an organisation. The Act governs not only all the publicly traded firms that list their stock on any US-based financial exchange, but also any firm, irrespective of their place of origin as long as they trade their stocks in the US.

A recent survey by one of the top law firms in the US, Foley & Lardner, said annual compliance cost will go up to $2.5 million, compared to about $1.3 million before Sarbanes-Oxley was implemented.

Considered as the most stringent corporate governance policy so far, the intention of the Act is to help restore public trust in US business and corporate reporting. Some of the Sarbanes-Oxley Act's compliance requirements include:
1. Disclose all financial and non-financial reports
2. Public certification of financial reports and internal controls by the CEO and CFO
3. Update investors with all the latest changes inside the organisation, both financial and non-financial
4. Report company securities trading within two business days
5. CEOs, CFOs must certify that they are responsible for establishing and maintaining disclosure controls and procedures
6. Engage independent and pre-eminent legal counsel and a registered public accounting firm
7. Elect a professionally competent board of directors that is truly independent - psychologically as well as legally
8. Attract and retain a loyal foundation of shareholders

Fallouts:
The Sarbanes-Oxley Act has criminal penalties for those who destroy records, commit securities fraud and fail to report fraud, while providing protection for whistleblowers. Failure to maintain all audit or review papers for at least five years may result in jail terms of 10 years.

Penalties may again go up to 20 years for destroying documents in a federal or bankruptcy investigation while penalty for securities fraud is 25 years. A CEO or CFO found to have knowingly certified non-complying financials can be fined up to $1 million and imprisoned for 10 years.

The Basel Capital Accord (Basel II)
The Basel Committee initiated the process of Basel Accord II by submitting the proposal in April 2003, which will require banks to set aside approximately 20 per cent capital for operational risk for the first time. The Basel Committee intends to finalise Basel II by the fourth quarter of 2003, allowing implementation of the new framework by the end of 2006.

The accord also requires banks around the world to integrate structured and unstructured information from multiple repositories, maintain five to six years of historical information, and to make that information easily accessible. It affects all banks and other financial institutions including bankers, custodians, fund managers and brokers. Basel II provides for a framework based on three 'mutually reinforcing pillars' implying that each of the three 'pillars' or areas described in Basel II is of equal importance. The three 'pillars' are:
Minimum capital requirements: The minimum capital requirement is still set at 8 per cent of risk-weighted assets. A revised credit risk measurement has been proposed and a measure for operational risk is also included in Basel II. However market risk remains unchanged.
Supervisory review: The supervisors need to ensure that each financial institution adopts effective internal processes in order to assess the adequacy of its capital based on a comprehensive evaluation of its risks. Supervisors will intervene if the risk of a bank is greater than the capital it holds.
Market discipline: It aims to improve market discipline through enhanced disclosure by financial houses. This will include the method a bank adopts to calculate its capital adequacy and its risk assessment.

The email effect
The 2003 E-mail Rules, Policies and Practices Survey conducted by American Management Association, the ePolicy Institute and Clearswift reveals that 66 per cent of US companies lack email retention policies.

Now that corporate email has gained acceptance as legally admissible evidence, it plays a crucial role in corporate life. The Securities and Exchange Commission (SEC) and the National Association of Securities Dealers (NASD) have given strict instructions to manage, archive and retrieve email communication. Recently, NASD passed a ruling that Instant Messaging (IM) records must be retained for three years, and the Sarbanes-Oxley Act has also extended the need for record retention to include email related to financial audits.

The Gramm-Leach-Bliley Act, too, has already mandated strict requirement to safeguard security and privacy of non-public customer data. The GLBA has laid down regulations for protection against virus infection, network failure, data corruption, and privacy of customer information transmitted across open networks.

In a high-profile action taken against the top five Wall Street firms for failing to preserve internal email, the SEC, NASD and the New York Stock Exchange imposed a fine of $1.65 million on each firm and required them to review their internal record-keeping procedures.

Tuning in technology
The financial services industry has been complying with numerous rules and regulations from time to time. But to comply with all the requirements of each Act, the industry has turned to technology.

The US financial institutions will spend a total of $695 million on software and hardware through 2005 to comply with the USA Patriot Act, according to projections by Celent Communications.

To comply with both Basel II and the Patriot Act, financial institutions will have to integrate systems and platforms so as to collect and share customer data stored in multiple systems. This enterprise-wide integration will require huge investment in technology to make the systems interact with each other.

TowerGroup reports that smaller institutions are spending $100,000 on highly sophisticated anti-money laundering software whereas larger ones are spending up to $30 million.

Though financial services firms face tough challenges in finding the right solution to comply with the regulations, vendors are coming up with open systems architectures to ease their problem. Firms now have a wide choice among the best solutions available in the market.

Another new technology wave, Web services, which have been regarded as the best technology for system integration, holds a lot of promise. Open-ended and platform-independent, Web services are believed to be capable of making systems interact and update automatically.

Though investment in technology is proving to be a real headache in terms of cost, financial firms are plunging into the costly game as an insurance against negative press and public fallout.

Conclusion
So, the coming years will be exhausting for financial organisations, as they will not only have to comply with the regulations mentioned above but also meet other challenges such as Straight Through Processing/T+1 settlement. Globalisation, growing trading volumes, increasing competition for customers, protection against fraud and terrorist activities, and the race to project a clean image have changed the whole scenario of regulatory compliance. After all, it's always better to comply than to pay.
