Compliance software for the new age: worldwide systems, localised problems
Chris Hamblin, Clearview Publishing, Editor, London, 18 August 2014
What tribulations do globally active compliance IT companies have when kitting equally globally active financial firms out with the regulatory software that they need? Conventional wisdom tells us that business flows over borders with increasing ease, but how does that work in an area where rules are very country-specific and increasingly onerous? Piyush Pant, the vice president of strategic markets at the global IT firm of MetricStream, answers our questions.
We caught up with Piyush Pant at his offices in London. Before answering queries, he set the scene: “MetricStream deals with governance and compliance software. It's a GRC (integrated Governance, Risk and Compliance) market provider. We apply GRC software exclusively. Our HQ is in Silicon Valley. We have some of the largest financial institutions in the world. We cover risk-management and compliance.
“We don't do super-equivalence. We have to be close to what our customers are looking for. There's a range of projects. We have to adapt the right rules to fit their situation. We have a pipe – a source of contents we have called GRC intelligence. We collect different content about rules, then we curate it and feed it into the software and it's mapped onto internal workflows and 'due diligence' procedures.
“As regards imposing a global standard, it's not what most parties are looking for. That even goes for British firms that have to impose the 'super-equivalent' Bribery Act on the rest of the world. This is because these firms are trying to take small steps towards improving around multiple dimensions. Most companies are making a step-by-step journey. I'll give you an example of why. We saw in the past that it's not possible just to have a list of third parties you're dealing with. It sounds a simple task, but it's impossible. Their sourcing functions are often split up and so are many more of their components. So even this [step towards a consolidated list] involves significant effort and rationalisation. Multiple suppliers, moreover, have underlying dependencies. IBM, for example, has five or six divisions.”
We then asked Piyush about the trials and tribulations that a software firm of his size has in dealing with financial firms of world importance and the equally weighty compliance problems that they face.
Q1: MetricStream provides supply chain governance software, so how would you define a 'supply chain'? Is it the same as a 'value chain'?
A: It's a network of third-party relationships. If you look at guidance from the US Office of the Comptroller of the Currency in the last 12 months, which covers all relationships, that's what we are looking at in the context of a financial services firm. In other sectors such as the retail sector, which we also cover, it's closer to the definition of a 'value chain'. [A value chain is a chain of activities that a firm performs in order to present a product or service to the consumer.]
Q2: Huge multinationals tend to fall into two categories – the 'matrix' model in which the firm has truly 'gone global' and there is no particular hub that dominates it, and the 'colonial' model in which it spreads its tentacles out from the home country but still has its HQ there. The policies we are discussing are largely for 'colonial'-style firms headquartered in the UK?
A: Yes, although we get involved in both. There are problems that exist regardless of which of the two models is in operation. With the 'matrix' model, a company might have its HQ in Switzerland but might want to move the management of its supply base to the UK, because that's where they're feeling more pressure, that's where the scale of supplier relationships is becoming more than they can handle and they usually realise this after an [eye-opening] 'event' or disaster. The other one is caused by regulation. In the first model, when the home regulator calls for disclosures about all third-party relationships, that'll lead to a firm-wide compliance or GRC effort. Let us look at two more examples.
(i) We once provided software to a 'matrix' firm that had its headquarters [which did not operate on the 'colonial' model] in Switzerland. The first wave of managing its supplier-base was driven out of [i.e. situated in] the UK, where it wanted to get a better view of that supplier-base. This was the area of its business that was 'feeling the pain' the most. It had a sourcing function that was unable to cope with the volume. The first step they took was to ensure that they could accurately model and 'get on board' all third-party relationships.
(ii) Then there is the firm that manages this centrally. We helped a US firm that had to comply with demands from the OCC and the Commodity Futures Trading Commission for end-to-end visibility for supplier risk. In these cases there's a complete plan.
Q3: What do you mean by the term 'downstream supplier'?
A: Three or four years ago, the notion of the supplier stopped at pretty low levels. If someone supplied you with something, you were only interested in whether they were compliant. Now, for certain clients, we have multi-layering of suppliers. It could be supplier-to-supplier or one supplier could have multiple business units across the globe. Take HP or IBM. There's a business unit that supplies hardware, software, business services and everything in between but they're packaged up in all permutations and the arrangements vary country-by-country. So you can say that IBM is a [monolithic] provider of IT but, beneath the surface, it has a complex structure. Our software keeps track of that, using a flexible federated data model. Third-party relationships are very complex.
Q4: Internationally active compliance directors have a 'hierarchy of fear', with the US Office of Foreign Assets Control at the top and then the various regulators of their main jurisdictions on the next few rungs, then the more fearsome regulators in the countries in which they have a lighter presence, with regulators they largely ignore further down. What's your 'take' on this?
A: This is very much the way we see things as well. I like the way you've put it; it really is a 'hierarchy of fear'. I would add that there should also be a hierarchy of fear as regards suppliers. You have finite resources and you have to process more information in respect of segmentation. The latter is explicitly stated on our software. Segmentation, of course, comes when you have a number of suppliers you want to attract. From the point of view of risk, out of your network of supplier relationships, which demand the most scrutiny? Which demand the most frequent audits and the most questionnaires? The next level of suppliers is not so critical. By ranking them like this you are classifying them according to different levels of 'fear'. Our software helps people do this.
Q5: Every huge financial firm must have a treasury function. It must use hedge funds and it must be very hard for it to comply with all the different regulatory regimes that deal with hedge funds and the way they operate. Look at the Dodd-Frank Act in the US and the unbelievably onerous 'filing' requirements that the Securities and Exchange Commission has issued under that, and then contrast that with the European Union's Alternative Investment Fund Managers' Directive and all those ambiguous and self-contradictory depository requirements, independent asset-valuation rules and restrictions on delegation. How can you use hedge funds globally with all those conflicts?
A: It's a problem we do see, and in a context broader than hedge funds. It's driving most of the developments we're engaging with. The disparity between countries is important for all global firms. There's no solution. You have to be able to get your information about the different rules and regulations centrally. The approach we have taken is to centralise the provision of content and then release that GRC intelligence to software. We centralise the collection of that data.
Q6: Do you often notice the way in which British laws, rules, regulations, money and indeed regulators and compliance officers keep drifting eastwards, influencing the important global offshore centres and other places that have historic ties to Britain?
A: Yes, I do see that all the time. There's a tendency to replicate regulations from the prime mover, the UK. We have many customers based in the UK who have business elsewhere, especially in eastern parts. They can effect changes more easily because of the commonality [that exists between these countries]. But we are also seeing US developments being reflected right across the world. Nobody copies US laws the way they do with British – that's too detailed and the US is too unlike any other country for that – but US ideas suffuse their global approach to compliance. It's not surprising.
Q7: Lastly, what about the job of getting your software to talk to the 75 or so different systems that each globally active bank has? Many of those systems don't talk to one another! Surely this is a problem.
A: Yes. Of course, the number tends to vary. One of the core things we have done in our software is to integrate with multiple other software. Without those interfaces, it would be difficult to generate value. We have technology adapters [which allow applications of different IT platforms that are integrated by a message broker to communicate]. We can manage raw data in an SAP (Systems, Applications, Products) system [that provides users with a soft real-time business application, contains a user interface and is considered extremely flexible]. There are, of course, many different contexts.
Q8: With all those systems, the security concerns must be a nightmare!
A: Yes, well there are two scenarios. Companies are making our software part of their IT landscape. All the pieces, in other words, are contained within their existing IT boundaries. [This should pose no extra threat to security.] But we are also seeing that some of these solutions are being kept in the Cloud. In those cases we do see a very heavily increased security assessment before the company goes down that route. We never get a look at their confidential information; we have no access to their data.