4 great ways to get ahead in 2017… De-risk your business

Simon Scheurer
December 16, 2016


2017 will be the year that financial services firms abandon high-risk legacy systems. Do it now, to get ahead.

A senior executive of one of the world’s largest investment management firms recently said to a colleague of mine:

“Our digital business is fully compliant. I’m not sure how we do it, but I’m certain we have controls in place. We wouldn’t have executed our digital transformation project without having compliance covered.”

Are you sure? I don’t think so…

In this particular case, I know that they are not compliant. I know the system they use to track digital activity, and it is neither secure nor compliant in a financial services environment. It is based on aging technology that was designed for retail and e-commerce, and it costs a lot to maintain. This senior exec is continuing to invest heavily (and increasingly) in this system, under the misplaced belief that it will deliver financial services compliance, and protect his digital business from regulatory sanctions. It won’t.

If you think your digital business is compliant, the odds are not in your favor, unless you have implemented a next-generation technology solution within the last three years, with security and compliance as explicit goals.

Has your legacy platform become your burning platform, without you even noticing?

I often wonder, why are senior executives fooled into thinking they are compliant, when their digital business is more exposed to risk than ever before? And who’s fooling who? In the vast majority of cases, it is the incumbent technology provider who insists that their solution is compliant, when it’s not. Senior execs (most notably Legal and Chief Compliance Officers) cannot leave compliance to chance.

Our recently published white paper, "Think you have digital compliance covered? Think again.", highlights why you must review your compliance status and act now to fill the gaps, before the regulator knocks on your door.

You are legally obliged to have a regulatory risk management and compliance solution that ensures compliant record-keeping across all digital channels (SEC Rule 17a-4, the Department of Labor fiduciary rule, MiFID II and FFSA, to name just a few). You must also maintain a digital audit trail that can span multiple desks, offices and systems. MiFID II requires a full record of all data related to a transaction or order in a banking environment. The starting point of any such transaction is usually a digital channel, be it a client-facing platform or an internal one used by client advisors. Governing these channels, and properly recording every transaction initiation, is key to gaining a complete picture and becoming MiFID II compliant.

Legacy systems deployed to provide online customer experience analytics, in an e-commerce or retail environment, do not meet the stringent regulatory requirements of financial services.

In financial services, anything less than 100% capture of all digital activity is not compliant. Your business is at risk if you cannot provide indisputable evidence to a regulator or legal official of every digital act. Penalties range from a substantial fine to jail.

Legacy systems cannot be compliant if they depend on log-file analysis or on network packet capture (TCP/IP sniffing, sometimes loosely described as a man-in-the-middle approach). Server logs record back-end events, not what the user saw; packet capture records bytes on the wire, not the page as it was rendered and personalised in the user's browser, and with TLS it sees nothing without a decryption point. Neither can replay an exact replica of all digital activity.

Industry regulators are growing tired of firms that go part-way on compliance. If you cannot produce indisputable evidence when asked to do so, your business, and your bosses, are at risk.

How can you tell if your digital business is high-risk?

To check whether you would withstand the scrutiny of the regulator, these are the questions to ask. If your IT team is unable to answer a resounding “yes” to all of them, your business needs de-risking.

  1. Can you record 100% of all digital activity, 24/7, including every user’s digital journey, and the personalized web experience or custom content displayed to them?
  2. Can you play back any digital interaction, with any individual, with just one click?
  3. Can you see exactly what the customer saw, without any requirement for log file analysis, or reconstruction of back-end system data?
  4. Will you still be able to retrieve and re-create any digital interaction, instantly, for as long as the regulator requires it (3 to 10 years in most cases)?
  5. Can your compliance team view these records, without asking IT for help?

If you answered “no” or were uncertain about the answers to any of the above, now is the time to review your own compliance status – before it’s too late.

Get our free white paper "Think you have digital compliance covered? Think again."

Twitter @Simon_Scheurer

Simon Scheurer on LinkedIn
