The USA Patriot Act. Sarbanes-Oxley. Basel II. Six Sigma. Whether your financial organization is working to comply with a government mandate or adopting a new standard to improve your business practices, keeping up with the avalanche of recent requirements can be a daunting task. To be successful, organizations must attain a solid understanding of each set of requirements, and then learn how to adapt their tools, methodologies, and knowledge base to implement the requirements and keep their organizations up to date.
Perhaps the greatest difficulty in complying with multiple standards and mandates has to do with the different purposes for each set of requirements and the different terminologies used to specify them. In complying with one mandate, organizations must avoid implementing new systems so rigid that they would make adopting a second or third set of requirements difficult or impossible. At the same time, compliance with multiple standards should not lead to inefficiencies across organizational processes.
As organizations grapple with these challenges, many are turning to software to help them comply with the law without adding staff. Systems designed for this purpose can help businesses identify common threads in their operating procedures, so each set of requirements can be implemented properly, and the mandated controls can become visible in the operational structure. IBM Rational offers financial organizations such a system. It is a solid, proven solution for adopting multiple standards -- whether your goal is to conform to the law or to improve your business practices.
In this article, we will first examine the costs associated with various modes of compliance and then turn to a few examples of the difficulties companies and organizations face in adjusting to these changes. We will conclude with a discussion of the solution provided by IBM Rational. The Appendix offers a snapshot of current mandates as well as emerging business standards for US-based organizations.
Consider the costs associated with meeting various mandates.
Between 2003 and 2005, financial institutions will spend an estimated $632 million on anti-money-laundering software and related hardware and services, according to Celent Communications, a consulting and research firm that specializes in financial services technology. In large part, this expenditure will relate to compliance mandates in the USA Patriot Act, which require businesses operating within US territorial borders to institute procedures to collect information on customers who open accounts -- at a minimum to verify their identity, track the verification documents, and ensure that customers are not on a terrorist list.[1]
Boston-based AMR Research predicts that publicly traded Fortune 1000 companies will spend as much as $2.5 billion this year on compliance-related projects. Fifty-one out of sixty companies AMR surveyed say they will make moderate to major changes to their IT and application infrastructure in support of Sarbanes-Oxley.[2] And large European banks will spend an estimated $124 million over the next five years to comply with Basel II, updated legislation based on the Basel Capital Accord established in 1998.[3] Because of the complexity and number of mandates, many firms have appointed executives and teams to manage their compliance efforts.
In general, many companies are wondering how they can scope out the work necessary to become compliant yet still manage all their other IT projects and deadlines. How long will compliance-related development take, and will they be able to meet the associated deadlines? Some of the compliance guidelines for legislated mandates are vague or insufficient, so interpreting them requires extra time. Think of knowing you must assemble and ride a bicycle, but being given no instructions on how to do it!
In addition, federal mandates are not the only requirements that financial organizations must comply with. New state and local regulations are being enacted and enforced as well -- including some that govern transitions to the federal mandates![4]
Auditing and bookkeeping issues
Auditing and bookkeeping challenges associated with new mandates represent another business hurdle. Auditors will be looking for documents on everything -- customer orders, shipments, electronic transactions, customer ID verification, and more. This means that some businesses must retool their accounting practices and retrain their accounting staff to:
- Validate that all mandate controls are incorporated into systems.
- Ensure that those controls are fully tested.
- Maintain an audit trail and documentation for system audits.
- Foster an agile development environment that can support new compliance mandates and supplements.
- Continuously validate compliance and the organization's ability to handle change.
- Assess overall project operations and budget controls.
A three-dimensional approach to compliance
Needless to say, the current environment of stringent regulations is forcing companies in all industries to rethink the way they manage data and business information across the enterprise. Progressive companies are now taking the opportunity to build systems that improve real-time business process efficiency and control -- beyond the scope of any specific regulatory compliance requirement.
What are the ingredients for successfully making these improvements? IBM Rational believes that successful compliance with one or more mandates requires careful attention to three dimensions of software project management: 1) requirements and testing; 2) change and assets; and 3) project status and documentation. And the IBM Software Development Platform offers products and functionality covering all of these dimensions (see Figure 1).

Tracking requirements for business transactions
Central to each of today's most critical regulations is clearly defined transaction processing. All transactions must be documented and tracked -- in other words, documents must be traceable -- throughout a given business system, so that the rigid controls specified by the mandates are evident. To ensure that new or upgraded systems support this need, software development teams must adopt their own rigorous methods for tracing business requirements throughout the system development process. This means they must collect the system requirements mapped to both business needs as well as to the new mandates. And as they embark on compliance projects, they must also establish a rigorous test plan that ensures all requirements are being met, and that the right process controls are ultimately put in place. The ability to map each and every requirement to a test case is essential in compliance verification.
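The paragraph above makes the case that every requirement derived from a mandate must map to at least one test case, and that the mapping must be visible to an auditor. The following is an added example, not code from the article or from IBM Rational, of a small requirements-traceability check: requirements are tagged with the mandate they satisfy, test cases declare which requirement IDs they verify, and the check reports requirements with no test, requirements whose tests fail, and whether each mandate is fully verified. The requirement texts, IDs, mandate names and test results are constructed for illustration.

```python
"""Requirements-to-test traceability check (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    req_id: str
    text: str
    mandates: tuple  # mandate names this requirement was derived from


@dataclass(frozen=True)
class TestCase:
    test_id: str
    covers: tuple    # requirement IDs this test verifies
    passed: bool     # latest result from the test run


# Constructed sample data; mandate wording paraphrases the article's summaries.
REQUIREMENTS = [
    Requirement("REQ-1", "Collect identifying information when an account is opened", ("USA Patriot Act",)),
    Requirement("REQ-2", "Verify customer identity against submitted documents", ("USA Patriot Act",)),
    Requirement("REQ-3", "Screen new customers against the suspected-terrorist list", ("USA Patriot Act",)),
    Requirement("REQ-4", "Retain identity-verification records for five years", ("USA Patriot Act",)),
    Requirement("REQ-5", "Record that the privacy-policy disclosure was delivered", ("GLBA",)),
    Requirement("REQ-6", "Log approver for every change to financial-reporting code", ("Sarbanes-Oxley",)),
]

TESTS = [
    TestCase("TC-101", ("REQ-1",), passed=True),
    TestCase("TC-102", ("REQ-2", "REQ-3"), passed=True),
    TestCase("TC-103", ("REQ-4",), passed=False),   # retention window too short
    TestCase("TC-104", ("REQ-5",), passed=True),
    # REQ-6 deliberately has no test case: an audit gap.
]


def build_matrix(requirements, tests):
    """Map each requirement ID to the test cases that cover it.

    A test referencing an unknown requirement is an error: it means the
    traceability record and the requirements baseline have drifted apart.
    """
    matrix = {r.req_id: [] for r in requirements}
    for t in tests:
        for rid in t.covers:
            if rid not in matrix:
                raise ValueError(f"{t.test_id} references unknown requirement {rid}")
            matrix[rid].append(t)
    return matrix


def untested_requirements(requirements, tests):
    """Requirement IDs with no test case at all."""
    matrix = build_matrix(requirements, tests)
    return sorted(rid for rid, ts in matrix.items() if not ts)


def failing_requirements(requirements, tests):
    """Requirement IDs that have tests but at least one of them fails."""
    matrix = build_matrix(requirements, tests)
    return sorted(rid for rid, ts in matrix.items()
                  if ts and not all(t.passed for t in ts))


def mandate_status(requirements, tests):
    """Per mandate: True only if every derived requirement is tested and passing."""
    matrix = build_matrix(requirements, tests)
    status = {}
    for r in requirements:
        ts = matrix[r.req_id]
        verified = bool(ts) and all(t.passed for t in ts)
        for m in r.mandates:
            status[m] = status.get(m, True) and verified
    return status


def audit_report(requirements, tests):
    """Human-readable lines an auditor can file alongside the test evidence."""
    matrix = build_matrix(requirements, tests)
    lines = []
    for r in requirements:
        ids = ", ".join(t.test_id for t in matrix[r.req_id]) or "NO TEST"
        lines.append(f"{r.req_id} [{'/'.join(r.mandates)}] -> {ids}")
    for m, ok in mandate_status(requirements, tests).items():
        lines.append(f"{m}: {'verified' if ok else 'NOT verified'}")
    return lines


if __name__ == "__main__":
    print("\n".join(audit_report(REQUIREMENTS, TESTS)))
    print("untested:", untested_requirements(REQUIREMENTS, TESTS))
    print("failing:", failing_requirements(REQUIREMENTS, TESTS))
```

Run as a script it prints the matrix and flags REQ-6 as untested and REQ-4 as failing, so only GLBA comes out as verified. In practice the requirement and test records would be exported from the requirements and test-management tools rather than hard-coded, and the report would be regenerated on every build so the audit trail stays current.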
The IBM Software Development Platform offers complete requirements tracking -- from requirements gathering to visual model association and mapping of each requirement to a test case. Supporting each phase of the development process, our integrated tools ensure that all team members stay in sync with each other while contributing their own specialty to each new version -- in other words, each build or "iteration" -- of the project code.
While it is essential that systems comply with new requirements for business processes, it is also necessary that the new processes themselves are made secure. Otherwise, unwarranted changes to these processes could lead to a breakdown of checkpoints and controls, and eventually to compliance violations. IBM Rational offers industry-leading tools for managing changes to software under development. Tools for configuration and defect tracking help teams guarantee code integrity throughout the development process.
The IBM Software Development Platform provides the ability to coordinate and track the activities of team members so that they are always working with the right set of assets across the project lifecycle, and accommodating all project information. This includes requirements, visual models, code, and test artifacts.
As project managers work to make their computing resources comply with today's complex regulations, they must maintain accurate project documentation and conduct periodic project assessments. Documentation provides details to auditors seeking to confirm compliance, especially regarding transaction processing. Project assessments give project managers accurate and objective project information to measure progress and quality and make critical project decisions based on that information.
The IBM Software Development Platform unifies project teams by providing common access to development assets, communication alerts, and workflow processes. A project dashboard component provides managers and team members with access to complete project information through a single Web site, and offers project matrix tracking based on access to all project artifacts. Tracking these same artifacts also allows teams to automate project documentation. This not only helps team members communicate and collaborate with one another, but also creates a record for audits conducted against all new implementations.
The IBM Software Development Platform offers a comprehensive solution for today's financial organizations to build, run, and manage business applications that will help them both to stay competitive and also conform to complex new requirements mandated by US federal regulations and other emerging standards in business computing. Offering the "build" components of this complete solution, IBM Rational delivers the essential tools, services, and experience to keep businesses ahead of the compliance curve.
Appendix: Current mandates and emerging standards
New federally mandated regulations, as well as new operational standards for businesses, are compelling organizations throughout the United States to seek ways to comply effectively without compromising their efficiency. The following summaries offer a snapshot of current regulations these US-based organizations are addressing.
USA Patriot Act
Obstructing terrorism and verifying customer identification
Aimed primarily at banks, investment firms, insurance companies, and stock and commodities exchanges, which are regarded as the gatekeepers of US-based financial systems. Minimum compliance requires organizations to put in place procedures to collect information on customers when they open accounts; they must also verify their customers' identity and confirm that they are not on a suspected terrorist list. Records must be maintained for five years. The compliance deadline was October 1, 2003.
More information is available at http://www.epic.org/privacy/terrorism/usapatriot/
Health Insurance Portability and Accountability Act (HIPAA)
Integrity and confidentiality of health records
Adopts standards for the security of electronically based health information, to be implemented by health plans, health care clearinghouses, and certain health care providers. These institutions must guarantee that the integrity, confidentiality, and availability of electronic health information that they collect, maintain, use, and transmit is protected. The confidentiality of health information is threatened not only by the risk of improper access to stored information, but also by the risk of interception during electronic transmission of the information.
More information is available at http://www.hipaa.org/
Gramm-Leach-Bliley Act (GLBA)
Security and confidentiality of customer records
Requires all financial institutions to disclose to consumers and customers their policies and practices for protecting the privacy of non-public personal information. Non-public personal information includes any personally identifiable information provided by a customer, resulting from transactions with the financial institution or obtained by a financial institution through providing products or services.
More information is available at http://www.ziplip.com/docs/support/ZipLipGLBAOverview.pdf
Sarbanes-Oxley (SOX)
Control over financial reporting and supporting processes
Designed "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws." Organized into eleven titles, section 404 requires management to file an internal control report with its annual report. The internal control report must articulate management's responsibilities to establish and maintain adequate internal control over financial reporting as well as management's conclusion on the effectiveness of these internal controls at year-end. The report must also state that the company's independent public accountant has attested to and reported on management's evaluation of internal control over financial reporting.
More information is available at http://www.aicpa.org/info/sarbanes_oxley_summary.htm
and http://www.sarbanes-oxley-forum.com
Basel Capital Accord and Basel II
Risk management and capital minimum requirement for financial institutions
Encourages the banking industry to use more sophisticated risk management methodology and tools. This accord was designed to strengthen lending through better assessment of the capital a bank is required to hold. The proposal is based on three mutually reinforcing pillars that allow banks and supervisors to evaluate properly the various risks that banks face, including: minimum capital requirements, which seek to refine the measurement framework set out in the original 1988 accord; supervisory review of an institution's capital adequacy and internal assessment process; and market discipline through effective disclosure to encourage safe and sound banking practices.
More information is available at http://www.ots.treas.gov/docs/2/25177.pdf
Six Sigma
Business improvement methodology for defect elimination
A methodology that uses data to measure and improve a company's operational performance by eliminating or preventing "defects" in process. "Sigma" is a statistical term that measures how far a given process deviates from perfection. The main concept behind Six Sigma is that if you can measure how many defects you have in a process, you can understand how to eliminate them systematically and get as close to "zero defects" as possible. At many organizations, Six Sigma represents a goal of perfection.
More information is available at http://software.isixsigma.com/
Capability Maturity Model (CMM) Integration (CMMI)
Five-level framework for increased productivity and predictability
Designed for guiding dramatic improvements in an organization's ability to increase productivity and quality, reduce costs and time to market, and enhance customer satisfaction. Developed by the Software Engineering Institute (SEI), CMM was the initial model for software process improvement. CMMI integrates systems and software engineering improvement, and has been introduced as the next-generation successor to CMM. The main principles are: a) judging the maturity of an organization's software processes; b) identifying key practices required to increase the maturity of these processes; c) assessing and improving the software processes.
More information is available at: http://www.sei.cmu.edu/cmmi/
Insurance Application Architecture (IAA)
Framework of models supporting ACORD standards
Seeks to improve the quality and efficiency of analysis in development projects by providing a model for every usage (business analysis, product modeling, component-based development, data warehousing and integration). Separating the various development concerns while maintaining traceability, IAA is a framework based on the emergence of standards issued by ACORD, a non-profit organization concentrating on the insurance industry. ACORD creates standards and serves as a resource for information about electronic commerce, EDI, and XML standards.
Notes
[1] "From the Top Down: Getting Management on Board With Compliance," http://www.wallstreetandtech.com
[2] InfoWorld, July 11, 2003.
[3] "European Banks May Face Big Bill for Basel II," InformationWeek, September 2, 2003.
[4] "States look at costs of insurance mandates," http://www.amednews.com, November 2002.

As a market manager at IBM Rational, Brenda Cammarano is responsible for the Enterprise Modernization solution within the Rational brand. Currently, she is developing a complete strategy to bring this solution to market that reflects a deep understanding of clients' needs and how IBM products can best work together to serve them. In this effort, she draws upon her experience as a former senior technical evangelist for the Rational Enterprise Suite, a programmer/analyst in object-oriented engineering, and a key player in product management and technical marketing organizations for several high-tech companies in the Greater Boston area.