Case Study – Regulatory Reporting Health Check

Content: Market Pressure

Helping a Global Bank Respond to a Regulator’s Audit.

Following the 2008 global financial crisis, policymakers in the G-20 committed to reforming domestic and international rules governing the over-the-counter (OTC) derivatives markets. In response, regulators across the world like CFTC, ESMA, MAS, ASIC, etc have come up with various regulations like central clearing through central counterparties to reduce counterparty risk and reporting of all eligible transactions to trade repositories to increase transparency. Firms are expected to comply with complex regulations constantly and may be subject to severe financial penalties and reputational risk in case of any deficiencies observed by the regulators.

The Client

A Global Bank that is a Swaps Dealer responded to a regulator’s audit of its OTC Trade Reporting by engaging Risk Focus to perform a Regulatory Trade Reporting Health Check.

The Challenge

Ever since the enactment of Dodd Frank in the US and similar regulations like EMIR in Europe, regulators have continued to monitor the data quality of trade submissions and provided additional guidance to trade repositories like the DTCC’s Global Trade Repository (GTR) in a bid to make the submission data more useful for their oversight. For example, EMIR reporting for OTC derivatives began in February 2014. ESMA Level 1 validations were rolled out in December 2014 and subsequently ESMA Level 2 validations in November 2015 requiring trade repositories to strictly enforce them and reject any submissions made by firms that did not comply with these. Hence, firms need to continuously monitor any changes to the regulations and subsequent impact on the message submission specifications provided by the trade repositories to remain complaint.

Regulators and their enforcement arms regularly perform audits to measure compliance with these regulations, and are most interested in seeing evidence that firms are in control of their trade reporting operations. Firms that can prove that they can retrieve historical reports with little effort and have mechanisms to ensure the quality, accuracy, and completeness of their reports will fare better than firms that can’t. Those that are found to be remiss or to have inaccurately reported their trades to a repository have been both fined millions of dollars and exposed in the media.

Our Solution

Our client, a large Global Bank that is a Swaps Dealer, was being audited by one of the enforcement arms of a regulator. The bank engaged Risk Focus to perform Regulatory Health Check to identify gaps in its reporting obligations to CFTC and ESMA for their Interest Rates, Foreign Exchange and Commodities businesses. Within 6 weeks the Risk Focus team was able to perform a detailed review of the current workflow for various products and trade life cycle events as well as analysed several samples of the firm’s submissions to the trade repositories. Accomplishing this in such a compressed time frame was made possible by leveraging the regulatory reporting controls from RegTek Solutions, the software firm spun out of Risk Focus in 2017.  The team identified gaps in the firm’s current reporting workflow and data quality issues with the submissions. At the end of the engagement, the team provided high-level recommendations to the client on how to address deficiencies like under-reporting and over-reporting of certain events and erroneous/missing/incorrect reporting of certain fields to the regulators.

The high-level approach followed during the engagement is as follows:

– Review of current reporting workflow for various asset classes and products

– Identification of trade life cycle event reporting scenarios for each of the asset classes and products in scope

– Comprehensive analysis of a sample subset of the firm’s submissions to the trade repository by performing a manual  three-way comparison between the firm’s submissions, trade repository specifications and the regulations as well as using RegTek’s industry acclaimed tool Validate.Trade

– Documentation of gaps and issues identified during the analysis and providing recommendations to the client to effectively address the shortcomings


Based on the high-level recommendations provided by the Risk Focus team at the end of the regulatory health check engagement, the client is embarking on a remediation program that follows our suggestions, which includes putting in place a new layer of controls alongside their transaction reporting platform, essentially future-proofing them from changes in regulations going forward by implementing a foundational control framework.

The remediation program based on the Health check findings will include the following:

– Implementing a control framework (from RegTek Solutions) for daily reconciliation of trading activity against trade repository reporting activity, as well as monitoring errors in real time

– Addressing the gaps in existing reporting workflows

– Back-reporting of any under reported/mis-reported trades


“Tour of Cloud Computing” – In Depth Interview

The August 23 Jaxenter interview of Peter Meulbroek, Head of DevOps and Cloud Solutions at Risk Focus by journalist Gabriela Motroc entitled “A Tour of Cloud Computing” dives deeply into several key topics.

The interview is organized around the following themes:

Security – Discusses the new paradigm.

Benefits – Discusses key benefits like automation and the self-service nature of the cloud.

Preferred Tools and Technologies – Describes the various technologies that Risk Focus prefers for Configuration    Management, Orchestration, Packaging and Distribution, Data Masking, Containerization, and Monitoring.

The limitations of a Cloud-Neutral approach.

The article gives Meulbroek the platform to share the approach that Risk Focus brings to clients grappling with a Cloud Strategy. For instance, regarding Cloud-Neutral strategies, Meulbroek states “Cloud-neutral adds a large amount of complexity and risk to a migration, without really solving the issue”.

Regarding Security, he states “the old, obsolete paradigm for security — the perimeter defense — has gone the way of the curtain wall and needs to be replaced with defense in depth.  Nor is it enough to manage data security between applications. Data, at rest or in flight, needs to be protected at all levels within an application, and managing security for an application is largely managing access to decrypt narrowly-focused cohorts of data”

Read The Full Article Here

DevOps Culture & The Meaning of “However”

DevOps Culture & The Meaning of “However”

We’d love to embrace DevOps; however

As I prepare to embark on the next phase of a career focused on recognizing new trends and accelerating the adoption of emerging technologies, I harken back to 2013.  I had recently landed in Tel Aviv with my family for a 2 year stint and was having a discussion with an Israeli colleague about the cultural differences between the US and Israel. He was expressing his frustration from his time living in the US with the word “however”.   He explained that there is no equivalent in Hebrew for the word “however” when encountered – which happened quite frequently – as follows: “I’d really love to help you with your driver’s license application; however…” He quickly realized that no matter how he tried to negotiate, cajole or plea, in the US, “however” meant “no way”.

And this got me thinking to the challenges facing organizations going through Digital Transformation – the process of leveraging new processes, technology and data to improve productivity, increase financial performance and remain competitive. In discussions with clients,  I often hear “We’d love to embrace DevOps; however we are not properly organized or staffed to implement a DevOps Strategy we don’t know where to start our management wants to see quick results and DevOps sounds big and costly we can’t just throw everything into the cloud, we have to be mindful of compliance

 I’d argue there is a bigger HOWEVER at play which is that Digital Transformation is difficult and many initial attempts tend to fail; HOWEVER, not transforming is not an option.   According to IDC’s April 2018 report Designing Tomorrow ”73% of companies will either be out of business or marginalized if they don’t transform.”

So how to resolve these conflicting “howevers”.   The concerns expressed by organizations are valid and should not be brushed outside.   However, digital transformation can still occur while recognizing and acknowledging the challenges above.   And that is why I am so excited to join Risk Focus! Bringing a unique blend of a PLAYER/COACH model together with their years of experience in dealing with risk mitigation, Risk Focus is singularly focused on helping organizations deal with these challenges.

Our engagements begin with a listening workshop where we gather information on the client’s unique organizational challenges – structural, cultural, resources, regulatory/compliance and technology. We then align on a “quick win” project that allows our player/coaches to work directly with the  organization on a specific deliver that can be implemented using new processes and technologies including Infrastructure as Code, comprehensive CI/CD pipeline, Container solutions, and Cloud transformation. These quick win projects usually run 4-6 weeks and are intended to deliver the following objectives:

Facilitate organizational alignment around Dev/Ops

Initiate “on-the-job” hands-on training

Implement and adopt new technologies

Identify a backlog of follow-on projects and deliverables

Demonstrate a low-cost quick win as a Proof of Possible

 I am thrilled to be part of the Risk Focus team and look forward to working with you to enable your organization to address your cultural HOWEVERS!

Existing MiFID II Reporting Solutions Might Not Be Sufficient

In the recent Global Investor Group Article entitled “Firms may not pass ESMA’s MiFID II Reporting Audit – Expert”, the expert who is quoted is Risk Focus’ Lloyd Altman.

In the article, Altman is quoted as saying ““In some cases firms squeaked over the line to be compliant with reporting rules on January 3, but one of the outstanding questions is whether they would pass the health check that we carry out to help them prepare for or respond to the European Securities and Markets Authority’s (Esma) audit”.

The MiFID II regulation is explicit in RTS 22, Article 15, that firms must have controls in place to ensure accurate and complete reporting. Risk Focus provides Health Check services to identify problems and weaknesses in their MiFID II and G20 trade and transaction reporting controls.