Lest they let a good crisis go to waste, as Rahm Emanuel would say, compliance software providers are pivoting off this summer's Libor crisis to sell products intended to help banks change controls, communicate policies to staff and ensure adherence to internal rules. In this scandal, several large banks have been accused of sending misleading information to regulators about their potential interbank borrowing costs.

The market response to the Libor crisis has mostly focused on the failings of bank culture and regulatory oversight. But firms such as Xactium and SAS are saying internal risk mitigation can become more agile via IT. Xactium is touting web-delivery of externally developed tech services, which that firm describes as a cloud service, while SAS says the use of what's commonly called "big data," or intelligence derived from the accrual and analysis of broader sources such as social networking and other external communications, can inform internal compliance.

Both GRC tech firms claim their software can enable responsive updates to internal communication, staff monitoring and controls to respond to regulations or an external compliance threat, or to instruct staff on how to avoid market manipulation tactics, which was likely the issue in the Libor scandal. In the Libor scandal, the London Interbank Offered Rate, the interest rate banks use to lend money to each other in the United Kingdom, was apparently manipulated by bankers to give the impression that the assets backing certain trades were of higher quality than they actually were.

The Libor scandal most directly impacts trading, but is of interest to retail banking because the trades impact the rates banks charge for auto loans, mortgages and student loans. If these rates are based on trades marked by illegal manipulation, loan pricing can be inaccurate, and the banks can be subject to potential legal action. For example, the $554 million-asset Community Bank & Trust of Sheboygan in Wisconsin is suing Bank of America (BAC), Citigroup (C) and JPMorgan Chase (JPM), accusing the larger banks of rate manipulation. And Berkshire Bank, an $874 million-asset bank serving upstate New York and parts of New England, has also filed a similar suit, with Barclays included with BofA, Citigroup and JPMorgan as defendants.

Barclays has paid about $490 million to settle its part of the scandal, which is being investigated by regulators in the U.S. and the U.K. The fallout from the Libor scandal will continue for some time, and the GRC tech firms are hoping the skittishness over new regulatory actions will loosen IT wallets.

"We're getting a lot of interest in issues around policy and procedure management…one of the things we do is make sure that when [internal bank staff] acknowledge a procedure, they have to answer questions around that policy, as well as get feedback from the [bank]," says Andy Evans, CEO of Xactium. Xactium didn't provide details on its work with clients or direct work on market manipulation mitigation, though its site lists Barclays as a client, saying it enables Barclays to manage and share role and job information across 60,000 employees in its UK and Africa divisions.

Xactium builds, configures and delivers risk, policy and compliance management via Force.com's hosted architecture and infrastructure. Force.com is a development venue from Salesforce.com (CRM) that allows Xactium and developers from other firms to use existing building blocks and Force.com's open API (application programming interface) to assemble, deliver and integrate customized applications such as GRC and customer relationship management for business clients.

Xactium's GRC suite includes a dashboard that allows risk managers to access information and actionable reports on risks and management strategies. For example, a dashboard view will include a link to a specific risk, such as "bribery," which will produce charts, graphs and content on bribery risks, impacts of risks, policies, new regulations, implementation of communication programs, results of audits, and follow-ups. There are also social tools for collaboration among different departments. Each risk is mapped to internal controls and rules, auditable action plans and links to specific incidents, indicators and processes within the bank.

"The policies and procedures to prevent [unethical and unlawful behaviors] aren't being communicated effectively by banks. We've built in social tools that allow people to discuss policies with each other and provide feedback, so the compliance is a more dynamic part of the organization rather than just a dry document that's sitting there doing nothing," Evans says. Evans also argues that by linking procedures to incidents, whistle-blowing becomes easier, since the suspicious action can be linked directly to a corporate policy or standard.

Another firm that provides tech in the GRC space, SAS, says that using "big data," or the broader sourcing of data to include social networking and other communication, can help locate vulnerabilities. David Wallace, global financial services marketing manager of SAS, says the new version of its security intelligence uses in-memory text analytics to identify suspicious phrases in unstructured data. Phrases such as "can you do me a solid?" can be a tip-off of illegal activity, and are rampant in the Libor case. In many cases, the email chatter involved in the Libor case was quite incriminating, including rather blunt requests to fix rates as a favor between traders.

"[These analytical methods] can be employed to monitor and identify actions taken by bank staff that may be out of policy or contravene laws or regulations. These analysis methods are similar to those used for broker surveillance applications," Wallace says.

Mike Versace, a research director at IDC Financial Insights, says the banks will still be reliant on cultural methods to prevent the kind of employee misbehavior that caused the Libor scandal, since "GRC systems are content management platforms that maintain policies and internal controls and have heat maps for risk. But they aren't real time," he says.

Versace does say the use of "big data" to locate actual activity, which is still early stage, can provide added protection. "The use cases are being defined as we speak, but the ability exists to collect context aware analysis of large data sets from a variety of sources," Versace says. He said that the capability, which is being introduced into the financial tech market, can be used to detect anomalies in workflows or transaction processing.