Is Government Regulation Perceived to be a Barrier to
IT Innovation in the Finance Sector?
Author: Edward Kelly
Student#: 1553371
MBA (Information Systems)
Dublin Business School / Liverpool John Moores University
September 2012
Table of Contents
List of Tables and Illustrations
Acknowledgements
Abstract
Introduction
Background and Definition
Aim and Objectives
Approach
Organisation
Scope and Limitations of Research
Major Contributions of the Study
Literature Review
Common Facilitators/Sources and Barriers to Innovation
The Difficulties in Measuring Innovation Within the Banking Sector
Sarbanes-Oxley (SOx)
MiFID
The European Data Protection Directive
The Dodd-Frank Act
The EU Cookie Directive
The Bank Secrecy Act (BSA)
Basel I, II & III
Research Methodology and Methods
Research Philosophy
Positivism
Interpretivism
Realism
Research Approach
Deductive
Inductive
Research Strategy
Research Choice
Mono Method
Multiple Methods
Mixed Methods
Time Horizons
Data Collection and Analysis
Primary Data Collection
Ethical Issues
Data Analysis and Findings
What challenges do IT in the finance sector face in order to meet with compliance requirements?
The complexity and lack of clarity of regulatory legislation
Data quality, integrity and classification
How do meeting compliance requirements effect IT’s overall operating budget?
How do meeting compliance requirements effect IT’s manpower resources and ability to support emerging projects?
How do IT and financial organisations as a whole benefit as a result of regulatory compliance?
How do IT and financial organisations as a whole suffer as a result of regulatory compliance?
What level of support is there available to IT in financial organisations to understand and enact complex regulatory requirements?
What level of support is available to compliance/operational risk to understand the technological aspects of various regulations?
What aspects of the current compliance/regulatory structure could be changed to facilitate IT innovation in the finance sector, without of course impacting the integrity of these laws?
Tighter management of regulations within organisations and a more compliance friendly culture
A consultative section within regulatory bodies to act as a point of contact for industry technology issues
A more refined, globalised regulatory structure
Conclusions
Recommendations for Future Research
Self-Reflection on Own Learning and Performance
Rationale for Undertaking MBA (Information Systems)
Key Skill Areas Developed During MBA
Interpersonal Skills
Critical Skills
Personal Management Skills
Research and Investigative Skills
Development of Learning Style
Conclusion
Bibliography
Appendix I
Interview 1
Interview 2
Interview 3
Interview 4
Interview 5
Interview 6
List of Tables and Illustrations
Information Growth and Storage Costs
Framework for Managing Operational Risk
The Research Onion
Deductive Versus Inductive Research Approaches
Personal SWOT
Skill Sets
Results of Learning Styles Questionnaire
Acknowledgements
There is no amount of thanks that can repay the patience and support of my wife Jean and my
son Brian who gave up 2 years of evenings and weekends to get me to the finish line of this
master’s degree.
I also owe a debt to the lecturers of Dublin Business School who provided me with the critical
tools to not only complete this dissertation but to advance in my career as well.
Finally particular thanks must go to Patrick O’Callaghan who supervised this dissertation and
provided invaluable advice and guidance.
Abstract
The intention of this dissertation was to explore the financial regulatory environment and analyze
whether or not it creates a suitable ecosystem for the fostering of IT innovation. The literature
suggested that IT experienced a great deal of difficulty in delivering innovative solutions to
business requirements with a large proportion of their budgetary and manpower resources tied up
in meeting regulatory requirements and dealing with a variety of auditors both internal and
external. Furthermore the literature indicated that the high level of complexity of regulations as
well as their ambiguity and sometimes conflicting requirements meant that for IT dealing with
regulations in a coherent and efficient manner was difficult. All of this seemed to leave IT with
very little room to deliver solutions in an innovative manner. On the other hand the literature also
suggested that there was some benefit and competitive edge for financial organizations to meet
regulations faster or better than competitors.
The research however paints a less clear cut picture. It suggests that the budgetary and manpower
constraints alluded to in the literature may not be as pronounced or crippling as they might
seem. While there is a great cost to the business for regulatory compliance this cost lies with the
business line which needs to enact the regulation not with IT. While IT might enact the solution
they bill out the cost internally to the relevant business line. The question is also posed in the
research as to whether there is a requirement for IT to innovate at all. While there is certainly a
requirement for them to support innovative solutions developed by the business for customers
the regulatory environment is not conducive to non-standard or boutique solutions which have
the potential to increase operational risk and in turn regulatory scrutiny. Having said this much of
the research does support the conclusions made in the literature with IT having difficulty
understanding complex regulatory requirements and a lack of support from both internal and
external sources to do so.
While there is certainly a requirement for innovation in the finance sector as in any other
industry the environment is quite hostile to change or heterogeneity of any kind. This leaves IT
with a very challenging task.
Introduction
Without continual growth and progress, such words as improvement, achievement, and success
have no meaning.
— Benjamin Franklin
Background and Definition
Innovation is a central part of any organisation’s strategy and its drive towards competitive
advantage. Johnson, Whittington & Scholes (2011: p.28) refer to it as a key dimension in
strategic management. Some go so far as to suggest that the process of strategy formation itself is
an ‘innovation process’ (De Wit & Meyer, 2004: pp. 120 – 121). One section of business which
is almost considered to be synonymous with innovation is IT. If you look at Porter’s value chain it
can be seen that technology development is a support function that has linkages to all of the
primary value adding activities (Johnson et al., 2011: p.98). Whether the innovation within an
organisation is R&D/product based or process based IT will play a vital role in driving it.
In terms of supporting R&D innovation IT can supply many tools to aid in the design and testing
of new products. For example Computer Aided Design (CAD) has given companies the ability to
create virtual prototypes for testing, speeding up the R&D phase for many products and allowing
more precise technical designs down to the nanometre scale.
In terms of supporting business process innovation IT can help organisations to create robust
processes by amalgamating all of the data in a company in a coherent manner and help to make
processes common across large global organisations by supplying common platforms with global
communication (Callon, 1996: p. 119).
These are of course idealised views of how IT can drive innovation. There are many cautionary
tales in the business world showing how innovative IT solutions have gone so far as to bring
companies to bankruptcy (Davenport, 1998) so it stands to reason that such a highly risk averse
sector as banking would be cautious when it comes to innovation. Furthermore Johnson et al.
(2011: p. 36) suggest that any organisation with a great deal of rules and regulations will
inevitably generate less innovation. While they were referring to organisations which had
imposed their own bureaucracy this idea can be easily translated to the rigid rules structure
enforced on banks by industry rules and regulations.
Aim and Objectives
The goal of the dissertation, titled: ‘Is Government Regulation Perceived to be a Barrier to IT
Innovation in the Banking Sector’ will be to look at the stringent regulatory framework in which
organisations in the banking sector operate and identify how these regulations might facilitate or
impede IT’s ability to add value through innovation to these firms. After analysing the key
arguments for and against IT’s ability to innovate and still support a finance organisation’s
compliance structure in the literature review the key objective of the primary research within the
dissertation will be to understand if these theories stand up in the real world. It is important to
understand if the stakeholders in this argument – IT and compliance/operational risk managers
feel the operational constraints caused by government regulation alluded to in the theory, and if
they think that the suggested solutions to these constraints are actionable and could in fact exist
in the wild.
As most major financial institutions act on the global stage they can be subject to regulations
imposed in a variety of states regardless of where their parent company operates. Because of this
the regulations examined in this document will not be narrowed to those of any specific country.
The following regulations will be reviewed:
The Sarbanes-Oxley Act
The Markets in Financial Instruments Directive
The European Data Protection Directive
The Dodd-Frank Act
The EU Cookie Directive
The Bank Secrecy Act
The Basel Accord
Approach
Each of the regulations above will be analysed in terms of how they impact IT’s ability to
innovate. This will build a picture of the challenges facing IT in the finance sector caused by
regulatory requirements. The analysis of these regulations will be used to develop a picture of the
current hypotheses surrounding the subject and its prevalent theories. This information will then
be used to build a research framework centred on interrogating the aforementioned theories and
hypotheses as they are perceived by senior IT and compliance professionals in the finance sector.
Organisation
The content of this dissertation will be presented in as clear cut a fashion as possible. The
literature review and data analysis will be clearly demarcated with one following clearly on from
the other.
Scope and Limitations of Research
There are several variables which will limit the usefulness of the dissertation’s research.
Firstly, limited availability of research subjects prevents the use of quantitative research; because
of this, to a large degree the results of the research are subjective to the interviewees. The author
has endeavoured to get a balanced cross-section of stakeholders to balance the argument but a
larger group of subjects would have been preferable in order to weed out individual bias.
Secondly, as will become clear later in this document the subject of government regulation is
quite a polarising issue in the finance sector. This means that getting an accurate and honest
answer out of interview participants may be difficult. Furthermore because the research is about
the subject’s perceptions answers will be difficult to verify. While the author has gone some way
to mitigating this by guaranteeing interviewee anonymity it is still something readers should be
aware of when reviewing the dissertation.
Finally there is limited time and resources available to the author. This has forced some
compromises to be made in terms of how research is carried out.
Despite these limitations the author hopes to create a useful piece of research opening the door
for others to further analyse a complex and often politically charged subject which has a great
deal of impact on the finance sector and is of great concern to all banks from the board level
downwards.
Major Contributions of the Study
The linchpin of this dissertation is the findings of NESTA, a former UK government body, which
provide a yardstick against which innovation in financial organisations can be measured. As will
be expanded upon later in this document the traditional methods for measuring innovation would
show banking as quite a low innovation sector. Without the framework provided by NESTA it
would not be possible to quantify government regulation’s impact on IT innovation in banking as
there would be no clear measure of the sector’s innovation output.
Recent work by Joe Tidd and John Bessant on the broad subject of organisational innovation as
well as major contributors to the field such as Joseph Schumpeter while not regularly referenced
in this document contributed greatly to the author’s understanding of innovation, its impact on
organisations and its key influence in the continued prosperity of any firm.
Literature Review
Common Facilitators/Sources and Barriers to Innovation
Before focusing on IT in the finance sector there are facilitators and barriers to innovation which
are common across a variety of sectors. It will be useful to identify these and later discuss how
government regulation affects them for better or worse.
Common barriers to innovation include: financial aversion to risk taking, lack of organisational
expertise, risk aversion, business infrastructure/administration (bureaucracy) and poor
communications (Nečadová & Scholleová, 2011). Many of these barriers have become more
pronounced during the current economic downturn particularly in the finance sector. Companies
are more inclined to ‘sit’ on capital rather than invest it in projects which may not guarantee a
return. Also companies that may have been risk takers in the past but have been ‘burned’ by an
economic downturn tend to work to avoid being damaged again. Having seen the failures and
bankruptcies of competitors they focus on avoiding the same fate (Yorton, 2006).
Tidd and Bessant (2009, p. 131) suggest that the influences that stifle innovation come from the
organisation’s environmental factors and perpetuate a culture lacking in innovation. They list
some of these factors as: dominance of restrictive vertical relationships, poor lateral
communications, top-down dictates and formal restricted vehicles for change. All of these are
common aspects of a large bank’s organisational environment. Organisational hierarchy is usually
large and complex with major decisions always managed from the top of the house. Different
business lines are usually siloed and unwilling or in some cases (because of regulatory
requirements such as Chinese Wall rules) unable to share information. And finally change is
always managed in a very formal and restrictive manner.
Overcoming these barriers and facilitating innovation would require a huge cultural shift within
any established financial organisation.
This leads on to the question of whether companies as large and unwieldy as today’s major
financial institutions can enact that kind of change. Hannan and Freeman (1984) in their
structural inertia theory suggest that there are a variety of factors (both internal and external) that
affect a firm’s ability to enact change. The primary contributors to structural inertia are a firm’s
size and age. As a firm develops over time and increases in size it becomes further
institutionalised, formalised and inflexible. Because of this more mature companies tend to have
difficulty enacting change particularly when this change needs to happen quickly in times of
environmental turbulence such as that of the recent banking crises.
The Difficulties in Measuring Innovation Within the Banking Sector
In order to clearly identify what would be a barrier to IT innovation in the banking sector it will
be important to identify what kind of innovation is carried out by IT in that sector.
Most major studies geared towards measuring innovation such as the Frascati Manual (OECD a,
2002) and the Oslo Manual (OECD b, 2005) often take R&D inputs and outputs as a metric
for innovation. The Frascati manual defines R&D as work towards creating and using
knowledge to ‘devise new applications’ (OECD a, 2002: p. 30). This suggests two things, first
that R&D is intentional work towards the resolution of a clear goal and second that something
measurable will be created from it whether that is knowledge or a new product, process or
service.
Using this metric when looking at innovation in the banking sector would however be
problematic. The National Endowment for Science, Technology and the Arts (NESTA)
(formerly an independent non-departmental government body in the UK but now functioning as
a registered charity with endowments from the UK national lottery following the dissolution of a
variety of quasi autonomous non-government organisations (QUANGOs) and advisory bodies
due to UK governmental budgetary restraints in April 2012) reported the R&D spend in the UK
banking sector for 2005/2006 to be £705m GBP which is an R&D intensity of just 0.9%. They in
fact suggest that the only reason this figure was picked up at all was because of new European
reporting standards that required a more clear disclosure of R&D spend in annual accounts rather
than any validity in the Frascati Manual’s metrics (NESTA, 2007).
Despite these apparent low indicators for innovation the banking sector is known to be profitable
(Lloyds banking group posted a pre-tax profit of £2,212m GBP in 2010 (Lloyds Banking Group,
2010)) and if as stated earlier innovation is a key driver of competitive advantage then there must
be innovation carried out in the banking sector which the established metrics are not capturing.
NESTA (2007) suggests that much of the ‘hidden’ innovation that occurs in the banking sector is
based around innovation in back office processes such as cash transfers and loan management;
this process innovation is however usually supported by technology. Often this technology is
developed by external vendors so while it might be supporting an innovative process and the
bank would certainly have spent a great deal of money purchasing and implementing it, the
spend would not be considered an R&D or innovation input by the Frascati Manual’s standards.
This shortfall in the Frascati Manual’s framework is also noted by Miles (2007) who suggests
that a great deal of innovation occurs outside its definition of R&D.
This suggests that IT in the banking sector is not overtly innovative in and of itself but rather acts
as a foundation on which innovative processes can be laid; it is not an initiator but a facilitator.
With this in mind in the following sections the impact of government regulation on IT innovation
in the banking sector will be analysed based on how these regulations affect the ability of IT to
provide platforms which can facilitate process innovation in a speedy and efficient (in terms of
both cost and quality) manner. In particular their effect on IT budgets and resources will be
analysed.
Sarbanes-Oxley (SOx)
The SOx act was enacted in 2002 following a series of corporate scandals in the U.S. to address
deficiencies in financial reporting and to hold senior executives ‘individually responsible’ for a
company’s financial records (Comprehensive Consulting Solutions, 2005). In the 10 years since
it has been enacted SOx has left people in both the academic and professional world divided in
regards to its effectiveness. Some suggest that SOx has a ‘chilling effect on risk taking’ lowering
spend across the board particularly on R&D (The Economist, 2007); others however suggest it
significantly improves financial reporting relevance and reliability (Singer & You, 2011) and
that while some consider it an obstacle to their business it is in fact an opportunity
(Comprehensive Consulting Solutions, 2005).
Both sides of the argument make valid points. On one side Mazzucato and Tancioni (2008)
suggest that there is a link between innovation (R&D intensity) and ‘volatility’ of market returns.
It could be suggested that a mature sector such as banking which would equate any kind of
volatility with risk would have seen an even greater effect on risk taking than other sectors as a
result of SOx legislation. This kind of reduction in R&D spend would mean less money going to
a bank’s IT budget for the purposes of innovation. Furthermore limiting their IT unit’s ability to
innovate would restrict their ability to contribute real value to the firm. This would relegate IT to
a cost centre for the organisation leading to ever tighter budget constraints as banks would be
more inclined to allocate funds to business units that are clearly delivering value. This could
potentially leave IT with very little room to accommodate the bank in developing new and
innovative processes as they would be focused exclusively on ‘keeping the lights on’. On the
other hand it could be argued that the budgets for these kinds of innovation should not be in the
hands of the IT department but rather the business units they support, the funds being made
available to IT on a project to project basis.
On the other side of the argument SOx’s internal control requirements act as a framework which
can be used to let IT show a clear picture of the quality of their system controls to auditors both
internal and external thus supporting the financial reporting framework of the organisation. It
enforces what could be considered to be best practices across (among others) business continuity
management, logical access control, project management and functional requirements
(Comprehensive Consulting Solutions, 2005). However while this is appealing it leads to two
potential issues. Firstly, a great deal of an IT department’s resources can be taken up both
carrying out their own regular reviews/testing of the controls and with audits carried out by both
internal and external bodies. A bank for example could potentially expect an audit from an
internal body, a company appointed external body such as KPMG and a government body such
as the central bank all in a single year. Some even go so far as to call SOx ‘a blank cheque for
auditing firms’ (Cocheo, 2005). Secondly, while SOx creates a good control framework it also
gives IT departments the opportunity to create a false picture as they would know exactly what to
expect auditors to focus on (Comprehensive Consulting Solutions, 2005).
While even the authors of the SOx act have their doubts as to its effectiveness, with Michael
Oxley saying of its fast track into law “Frankly, I would have written it differently”, and there are
mixed reports as to whether it helps or hinders a firm, it is certainly clear that while SOx has led
to a reduction in R&D spend and in IT budgets particularly in the banking sector it has also
created a solid framework for IT risk controls and has given non-technical auditors a clear way to
evaluate technical controls. However the other side of the argument is that there is a question
mark over whether R&D budgets should be in the hands of the IT department considering the
manner in which they support innovation within a bank rather than directly initiating it. There is
also the question over whether the risk control framework is open to exploitation and whether it
creates a great deal more work for already stretched IT departments requiring work to often be
duplicated or repeated for audits originating from different sources. Furthermore if SOx is
examined in terms of how it impacts the common facilitators and barriers to innovation and an
organisation’s ability to enact change it is clear that in the banking sector more so than others it
compounds an already restrictive environment, increasing risk aversion and bureaucracy and further
increasing an already ‘glacial’ sector’s structural inertia.
MiFID
The Markets in Financial Instruments Directive (MiFID) enacted in 2007 is a European
legislation governing organisations who undertake the buying and selling of shares, bonds,
derivatives and other financial instruments (Kemp, 2007). Much like SOx while MiFID does not
seem to impact IT on its surface, as a key support function within the banking value chain MiFID
has a great deal of implications for IT.
MiFID requires transparency in trading of stocks outside of the stock exchange. This leads to
requirements for IT to gather and store much more data from their trading applications and retain
it for an extended period of time. This could lead to IT in companies coming under MiFID’s
scope having to store up to four times more data and, in the cases of organisations depending on
legacy IT architecture, upgrades and changes to core systems would be required (Bartram, 2006).
Getting banking systems compliant with MiFID puts further strain on already stretched IT
departments; this is further compounded by the reluctance of organisations to allocate resources
to something that does not generate profit (Allen, 2007). Even more difficulty is caused by IT
having to deal with complex regulatory frameworks outside of their area of expertise which even
experts refer to as a ‘legislative labyrinth’ (Kemp, 2007). Furthermore at the time of its
implementation there were very few guidelines available for MiFID’s implementation (Bartram,
2006) leaving even compliance professionals in the dark.
Much like SOx the impediment of MiFID to IT innovation is one of resource allocation.
Expanded data retention requirements mean IT must spend more of its budget on enterprise
storage solutions. SOx’s business continuity requirements mean that this data storage will have
to be replicated at multiple locations with various redundant systems all of which comes out of
the IT department’s resources which could otherwise be used to support innovation across the
organisation. In fact according to 2008 figures spending $2,500 USD on a server usually meant
an additional $8,300 to $15,400 on facility costs such as power and space not to mention other
factors such as security, backup, redundancy, administration, technology lifecycles, changing
software and hardware and the effects of mergers (Sergeant & Sergeant, 2010). Also the data
transparency requirements of MiFID mean that IT departments would need to use their budgets
upgrading trading systems where no new functionality is added from a usability standpoint and
no extra value is added to the company in terms of revenue generation.
It has however been suggested that compliance with MiFID can lead to competitive advantage in
banks that are not just MiFID compliant but are ‘pro-MiFID’. Buliard (2008) suggests that in
organisations that implement MiFID consistently and thoroughly (giving IT the necessary
resources to upgrade and optimise systems in the process) the customer information that MiFID
requires banks to hold helps asset managers to build better customer profiles and in turn better
tailor services and allocate resources to these customers.
The European Data Protection Directive
The banking industry in particular holds and processes a great deal of customer personal data and
so they more than others need to be mindful of data protection laws in countries that they do
business in. The European Data Protection Directive regulates the maintenance and movement of
personal data in the EU. While it could be suggested that secure personal data would be a
qualifier for customers (i.e. a fundamental expectation for the bank’s services and so vital to
maintain) there are nuances to the legislation which can be costly for a bank’s IT department. If
we take the securing of customer personal data as a given the key aspect of the European Data
Protection Directive is its requirements around where data is located and where processing takes
place. The directive only allows personal data to be managed in countries it considers to have an
equivalent level of data protection to the EU which usually means 1st world or developed
countries (Bennet & Raab, 1997). This leads to two major issues for IT in banking. First it limits
where they can locate data processing centres forcing them to developed countries with more
expensive facility, utility and manpower costs putting yet more strain on IT budgets. It also
limits how they can innovate. In terms of adopting distributed or cloud computing for example a
bank could not make its customer data vulnerable to compromise by developing any kind of
public or community cloud (NIST, 2011) but would rather have to go down the route of a private
cloud which would be prohibitively expensive and difficult to justify to the business.
While data protection legislation clearly impacts IT’s ability to innovate in a similar fashion to the
other regulations covered the consequences of not complying cause far more harm than the
potential innovation lost. Reputational loss could be huge with surveys suggesting brand damage
could be between $184m and $330m (Ponemon Institute, 2011). Furthermore fines can be
extremely high with the UK FSA fining Zurich Insurance £2.27m in 2010 for a data breach in
which 46,000 customers’ personal data was ‘lost’ during a data transfer despite the fact there was
no indication the data actually fell into an external party’s hands (FSA, 2010).
The Dodd-Frank Act
The Dodd-Frank Act, signed into law by U.S. President Barack Obama in 2010 to implement
financial regulatory reform in response to the recent recession, is without doubt one of the
broadest and most far-reaching changes to U.S. financial regulation since the Great Depression.
The act has increased the funding, scope of power and authority of financial regulators as well as
creating a variety of new regulatory bodies, significantly increasing the number and granularity of
regulatory objectives the U.S. financial sector is subject to (The Harvard Law School Reform on
Corporate Governance and Financial Regulation, 2010). This act has had a profound and
long-lasting impact on many aspects of the finance sector, particularly information technology and
data management.
With increased regulatory reporting requirements will always come a demand for a greater
amount of data to be maintained, an increased requirement to create reports from this data
(both batch and ad-hoc) and greater scrutiny of the quality, accuracy and uniformity of data
across various business lines. Furthermore, Costanzo (2011) suggests that as the regulatory
burden increases, compliance officers will begin to look more and more to information
technology as a solution for generating reports that they no longer have the people resources to
generate manually.
Tim Ryan, CEO of the Securities Industry and Financial Markets Association (SIFMA) has said
that Dodd-Frank will bring ‘massive changes in terms of technology’ and that ‘virtually every
new regulation brought about by the Dodd-Frank Act is going to require new technology
solutions’ (Steinert-Threlkeld, 2011). Implementing this kind of change while improving the
quality and accessibility of data that might not be 100% reliable or accurate (the Risk
Management Association of Philadelphia’s 2009 survey on data quality indicated that 56.8% of
firms in the financial services industry felt their data quality was average or worse (Credit Today,
2010)) would be a daunting task for any CIO.
The impact on innovation that Dodd-Frank is going to have will come from several sources. First
is data storage costs: as mentioned previously, the requirement to replicate an increased amount
of data across multiple locations will inevitably impact an IT department's budget. Many
organisations do not understand this until the cost becomes so inflated that it begins to become
unacceptable (Bone, 2011). While the cost of data storage has significantly decreased in recent
years, the sheer amount of data collected and retained has skyrocketed. In fact, Tallon (2010)
suggests that 25% of non-discretionary IT spending goes towards information management and
infrastructure costs, which has the knock-on effect of restricting IT's ability to become involved in
innovative projects (Tallon, 2010).
Information Growth and Storage Costs. Tallon (2010).
Another obstacle to IT is the sheer size and complexity of Dodd-Frank. The act itself spans 848
pages and mandates 387 rules from 20 different federal agencies (Costanzo, 2011). As noted by
Jonathan Macey of Yale Law School, ‘Laws classically provide people with rules. Dodd-Frank is
not directed at people. It is an outline directed at bureaucrats and it instructs them to make still
more regulations and create more bureaucracies’. Even guidance on the rules outlined in
Dodd-Frank (which can sometimes amount to almost 300 pages for 11 pages of rules) is described as
‘unintelligible any way you read it’ even by pro Dodd-Frank bankers (The Economist, 2012).
Much like MiFID, the question must be asked: How can IT be expected to understand
Dodd-Frank's requirements and implement the required solutions when those who should be experts on
the subject have difficulty understanding it? This means IT will need to expend man hours
understanding the requirements of the act, possibly also having to spend money on consultants
and so on. In some cases sections of the Dodd-Frank act have yet to be defined or
clarified, leaving organisations in the dark about requirements. For example, banks with $10
billion or more in assets will come under the scope of the Office of Financial Reporting (OFR),
an agency that will gather information from banks for analysis with the intent of monitoring the
financial stability of the finance sector. The OFR, however, has yet to define its reporting
requirements (Costanzo, 2011), meaning that while it would be wise for IT to work on improving
its data management, which as mentioned previously may not be of a very high calibre, it will be
difficult to secure funds outside of its own budget to meet requirements which have yet to be
specified.
Finally it must be considered how Dodd-Frank will impact on the abilities of banks already
creaking under regulatory pressure to broadly facilitate innovation and enact change. Much like
SOx, Dodd-Frank creates further bureaucracy and aversion to risk taking. It also further restricts
the organisational and strategic structure of banks contributing even more to structural inertia.
Furthermore it puts a great deal of authority in the hands of regulators outside of the business.
While Dodd-Frank is considered by many to be a cure to the imprudent lending, fraud and
regulatory oversight failure which led to the 2008 banking crisis (Docking, 2012), it cannot be
denied that it has also added to the challenges to innovation already faced in the finance sector.
It must be considered, however, whether there is an opportunity to be found in the implementation of
such a far-reaching set of new regulations. Can implementation of Dodd-Frank’s rules in a faster
and more efficient manner lead to competitive advantage? CIOs and technology officers already
working closely with Risk and Compliance will find themselves with a head start, particularly in
banks that have a more proactive, strategic approach to compliance integrated into the business
(Costanzo, 2011). It could also be suggested that the profile and importance of Dodd-Frank
has raised the visibility of risk management right up to senior management and board level. CIOs
should be capitalising on this to give proposed projects legitimacy and to consider how they can
find innovative solutions to enact new and reworked processes required by Dodd-Frank. Rather
than being an obstacle to innovation, thoughtfully managed implementation of regulation could
in fact spawn IT innovation. Bone (2011), for example, suggests that setting up automation for the
Securities and Exchange Commission’s (SEC) new whistle-blower requirements coming out of
Dodd-Frank could assist in a quick and easily managed resolution of investigations, reducing
regulatory and reputational risk. Bone goes on to suggest that rather than looking at Dodd-Frank
in its daunting entirety, if CIOs break it down into manageable risk-based projects the change the
act requires would be much more controllable. It could also be suggested that by breaking down the
act's requirements into individual projects there is greater scope for identifying opportunities for