MyComplianceOffice is a global compliance solutions provider. CEO Brian Fahey talks to us about compliance spending, how regulations can hamstring fintech start-ups, and the constraints of building compliance software at large firms.
Compliance, cybersecurity and information risk are fast-changing realms. How has your approach to them changed in the last year or two? Could you give any specific examples?
Every time we sell to another large firm, they ask for more than what we did for the previous large firm. Expectations change every three to six months among large firms. We sold to a firm three years ago – a [household name] financial services firm – and it put us through the wringer in terms of cybersecurity. We agreed to make some changes to accommodate some of their demands, but we’re actually going through another product sale with them now, and there’s another range of new things we have to do for them, even though they were [already] pushing the envelope back then.
Fintech companies operate on lean budgets, yet feel the need for compliance and risk management more keenly. How are they handling the budgetary onus of compliance?
The new fintechs have been rudely surprised by what they have to do from a client’s perspective. I don’t think they understand that financial products around the world are defined by regulations. So what they can and can’t do is individually defined. They look at it from a technology perspective – “Oh, all I need to do is build a product that will benefit end customers or corporations.” What they tend to run afoul of is when you can only structure or sell a product in [a certain] way – when you need [certain] licensing to sell that financial product. I do think that’s been the biggest impediment to the business of the fintech firms I have spoken to and dealt with. There are still a lot of products in the US that are driven by those laws – post-1929 legislation.
As to the second part of your question, most fintech firms are too small – we don’t really sell our solutions to them. But I do talk to them at conferences, where we often tend to be put in with them. We do get a lot of bitcoin and cryptocurrency work – that’s an area that has been growing for us. Technology people starting by creating better products with technology, finding themselves running afoul of regulators in terms of what their products are and how they can sell them – we have one or two of the big names [as clients]. In terms of interpreting whether [cryptocurrencies are] defined as securities, the FCC has said, “Yes, there is an exposure here,” so you do need to be a broker-dealer, for example, in the US to be able to sell those, and once you’re a broker-dealer you have a whole different set of compliance requirements.
There are many solution-providers in the market offering integrated solutions to compliance and risk issues. What makes MyComplianceOffice stand out?
Well, our little tagline is “Compliance built better”. It’s a very problem-driven approach around operational efficiencies and the value of bringing these things together. It comes from our own background of having worked at large companies, trying to deliver solutions. Because budgets were always in reaction to a regulatory event, whether that be a legislative change or a major fine in the industry, the whole industry in terms of compliance tech – distinct from risk technology or other governance technology – has always been very choppy in terms of allocation of budget. A board or senior management will allocate a budget, often including technology, and as soon as that money is spent and some intermediate solution has been created, no more money gets allocated. Larger firms in particular have lots of different individual compliance technology products. Whereas the reality is – from the point of view of technology workflow, document management and assurance capabilities – it’s kind of much the same functionality [that’s needed].
We originally created… a generic solution and then built around it for specific needs. We deliver low costs and low risk because of that integrated platform. We believe very strongly that to lower costs in your compliance management, and lower risks, you need an integrated system with the functions working together – particularly in conflict-of-interest compliance scenarios, which is where a lot of our work is.
What new products and services has MCO rolled out most recently, and what’s in the pipeline?
In the context of global conflicts of interest in financial services, where we have third-party-risk managers… we look at the “triumvirate” between what the firm is doing, what the employees are doing, and what the third party is doing. This is where conflicts can arise, between these three entities. So we’ve extended our monitoring of firms’ transactions, with an investment banking or deal review solution. Part of that is also tracking of insider information – MNPI (material non-public information). There have been rules in the EU around this sort of thing – when you’ve got exposure to MNPI in investment banking and research, the real issue is, are there conflicts in how the employees use it? Even if you are dealing with a related entity – say, if you have a major corporation like IBM, but in another part of the world it’s got a company called ABC Ltd, wherein there might be an employee who is brought over the wall into IBM.
The reality is that you need to know about these things, and firms don’t always know. One division doesn’t necessarily know what the other division is doing. In large financial services firms – our primary target – that’s a big problem. So we’ve been building out the modules to have a more complete solution there, and integrate our datasets. We have integrated global company masters, as well as global security masters, and integrate those so we can present data comparisons around “this company’s related to that company”, and what the employees are doing in relation to all those entities.
That’s partially built; there are also enhancements to the deal review management side. The other element we’re building is a very different approach to policies and procedures. A very traditional compliance approach in the industry is to develop policies in documents. But documents are very difficult to work with in a technical context. So we have a different approach that we will be releasing in the second half of 2019. That’ll be brand new.
You spent over half a decade at asset manager Fidelity Investments. What have you brought to your current job from your time there?
Before Fidelity, I was at other large firms. What I brought out of all of that was the difficulty of building systems for large firms when you’re part of that firm – because of budgets, constraints and changing priorities. There’s lots of funding allocated around technology, particularly at somewhere like Fidelity, but their return from it can be very poor and very inconsistent. You can have some very good technologists working at these large firms, but they don’t get the bandwidth, time or budget to be able to [build] superior integrated systems, for the reasons I outlined earlier.
The second lesson is how critical data and operational effectiveness are in delivery of a solution. The reality is that in a [transaction] process, [the parties] go through extensive analysis around functionality. Not enough attention is spent on how operationally effective it is, how the data plays a key role in the effect of this on the platform. It’s unfortunate, but it’s all about, “Do you have this button over here?” or “Have you got this workflow there?” The strengths of really effective solutions tend to be [based on how to incorporate] datasets.