How banks can use the ServiceNow Platform for Compliance Operations


Anyone who has worked in a bank for even a short time understands how much compliance plays a role in virtually every activity in every part of the business.

Financial Regulators at the regional (e.g., NYDFS), country (e.g., FCA), and global level (e.g., BASEL III) establish an ever-growing set of rules, which are generally aimed at reducing systemic risk, encouraging common adoption of standards, protecting customers, and driving fair competition.

Virtually no one in any financial institution is exempt from some regulatory angle. For example:

• A branch teller must learn about anti-money laundering, anti-terrorist financing, and know-your-customer rules before they sign up their first client

• The wealth management side needs to follow strict rules to appropriately align investment decisions to client risk profiles

• Asset managers need to follow strict rules around marketing their products

• Capital markets teams need to ensure IPOs are fairly executed

• Finance needs to follow rigorous accounting standards

• Procurement needs to monitor vendor risk

• Treasury needs to ensure capital adequacy requirements are met

• IT needs to document access permissions and system changes

• Payments departments need to ensure they are conforming to PCI rules

• HR needs to ensure trading licensing and attestation is up to date

• All departments need to manage customer data privacy

• And more (the list is ever-growing)

Sample benefits taken from a recent Business Value Assessment run on our internal implementation of ServiceNow GRC and compiled by our Head of Internal Audit.



Implementing one rule in support of one regulation in one country can be complicated enough. When the big global players must address many different layers of regulation for multiple authorities, and when the pace of regulatory change increases, this becomes a very complicated process to build for and can also be extremely costly in terms of fines incurred if compliance isn’t met.

As outlined in the example below, regulatory compliance expenses can be significant, especially for the larger financial institutions that are deemed to pose higher systemic risk. What’s particularly obvious about the cost model shown is how much of the expense is allocated to personnel—suggesting that there is still a very high degree of manual work associated with compliance delivery.

To address this issue, there are multiple niche compliance solutions and companies that can help automate the processes. In my own past at various financial institutions, I’ve been involved with custom builds, evaluations of off-the-shelf tools and assessments of emerging fintech solutions such as Outside Intelligence Quotient for KYC or Northern for PII categorization. While the niche tools can be very effective in targeting a specific area or rule, they don’t always address the problem of compliance responsibilities that are fragmented across the organization.

Over time, this fragmentation can lead to inconsistent and disconnected processes for risk assessment, testing, and reporting. To try and reduce this fragmentation, financial institutions are now more frequently looking at enterprise-wide platforms like ServiceNow that offer the fully integrated control framework required to effectively deliver on compliance. For those of you interested in learning more, I’ve outlined some examples and explanations of how the Now Platform™ can be used to help escalate and improve regulatory compliance automation.



ServiceNow basics

While we now have over 700 financial institutions on the Now Platform, it may not yet be well known in all parts of the bank. For those of you who may still be unfamiliar with the platform, I’ll start with some of the basics: ServiceNow is a cloud-based service with ~8,600 employees and $2.6 billion in revenues (as of Q418). It is a robust platform with a few key capabilities including:

• Flexible, easy-to-use intuitive interface that enables users to request a service or meet their needs through self-service

• Real-time status transparency of any request (similar to how you can track the status of a FedEx package or Uber)

• Automated prioritization and assignment of requests to people or tools that will fulfill the request

• Collaboration across a department or across an enterprise

• Workflow and automation to route requests and issues for faster, more effective, auditable resolution

On top of the Now Platform, you can run any number of applications, including HR, IT, customer service, compliance, etc. The routing and processing of IT tickets was the first very popular application for the Now Platform, which almost all of our banking customers are using today. Over time though, financial institutions and other companies are starting to quickly expand use cases into other areas, including more effective management of IT costs and services, back office management, and customer-facing service resolution.

ServiceNow as a platform lends itself to a large array of useful functions. As more and more customers begin using the platform for certain tasks (e.g., HR case management, security automation), the company develops out-of-the-box functionality to meet common needs and embeds that functionality into twice-yearly releases. Among the quickly evolving use cases being embedded in the platform is a governance, risk, and compliance (GRC) package.

Regulatory change management

Since “compliance” as a term means many different things to different people, I’ll start with the situation that I’m most familiar with—when a large regulator first issues a new or amended rule for financial institutions under their jurisdiction to follow:

• An FS regulator (e.g., Federal Reserve Board) will generally start this process by establishing the goal they want to meet—for example, protecting consumers by ensuring that banks under their jurisdiction do not encourage consumers to take on credit debt without knowing all the associated risks and responsibilities

• The regulator will then generally spell out the rules/provisions for meeting the goal (e.g., clearly stating how much interest will be incurred by a loan in terms of an annual percentage rate (APR))

• As soon as any new regulation is issued, the first step generally is to assess whether it applies to your bank or individual business line and consider whether the rule may be addressed through other regulations that are already in place. Generally, I’ve seen the Regulatory Affairs team take the first crack at this high-level assessment


• The next step is to look at what the operational requirements to support the rule might be. Looking at the Truth in Lending Act (TILA) rule, for example, some things are easier than others to police

Taking the TILA operational requirements as an example, #3—“To ensure that annual percentage rates and fees” are within tolerance—is a relatively simple task (albeit potentially painful to the bottom line), as setting percentage rates will generally be a centralized process run by Treasury. However, if we look at #7 in TILA—“Ensuring originator incentives meet requirements”—this is a more complicated process, as the originator may be a mortgage broker, a bank that has resold the loan, front-line branch staff, etc., making it much harder to control.

From an internal perspective, translating the regulation into a set of operational requirements to follow, and understanding their impact, is often quite complicated. Referred to as regulatory change management, this exercise will generally include process review and proposed governance and, depending on the level of sophistication and criticality, will calculate the cost of the controls implemented as well as produce regulatory impact reports with money tied to them.

After the upfront review, design, and planning phase is through, the (often) very heavy technology build to implement the control begins, along with the control reports that auditors and regulators will want to see.


How the Now Platform technology supports compliance activities

For banking, like many other industries, there are many different sources of rules including all the different regulatory authorities. The ServiceNow GRC module starts with ingesting an unlimited amount of regulations and standards into the Unified Compliance Framework (UCF). As illustrated below, the UCF holds all rules in one central repository which allows drill-downs for the background to each rule, and the associated controls that need to be in place to ensure compliance.

The advantages of having controls or standards all accumulated in one central repository are many—not the least of which is the ability to link common controls to multiple regulations. The one-to-many implications of this can lead to enormous time savings in reporting and reduced risk of non-compliance. Having everything recorded in a single system provides a hub to assign and track work, both within compliance, and across business areas. It acts as a core repository for reference information on a specific regulation, holds knowledge articles, FAQs, etc.


For Sarbanes-Oxley (SOX) for example, the UCF will list out all internal policies, as well as controls organized by location and business unit responsible for delivering on those controls. The relationship between risk and compliance is clearly articulated such that if compliance goes down, risk rises and vice-versa.

GRC provides a REST-based plugin to integrate the GRC instance with UCF CCH. UCF CCH content is not included with the GRC subscription.

Compliance workflow design

With every new rule or regulatory update, there often needs to be a revision of the processes to ensure that new controls will meet the needs for risk mitigation or auditability. In many large financial institutions, designing the compliance processes is a very complicated exercise that stretches across many different entities and is subject to frequent changes. By leveraging the Now Platform Workflow Editor, a designer can utilize a drag-and-drop interface that automates multi-step processes across the platform. After proper approvals, the new process design can be loaded up into the platform which is then easily implemented, easy to communicate, and transparent to audit.


Monitoring and reporting

Once the controls are defined and implemented, the monitoring and control processes begin. In most large banks, this process is managed through control self-assessments to begin with, then risk and control self-assessment as they get more sophisticated, and eventually process and control risk self-assessment when they start biting off operational risk.

ServiceNow workflow automation supports this process by:

• Defining scheduled control tasks for control owners to complete

• Automating control testing based on control indicators, testing on ServiceNow data automatically in the background, on a schedule (daily, weekly, monthly, event based, etc.)

• Identifying compliance and non-compliance through exception reporting

• Leveraging performance analytics indicator thresholds to identify non-compliance

• Leveraging the ServiceNow ecosystem to automatically identify compliance of operational controls

• Enabling compliance-reporting executive dashboards that offer custom displays by regulatory authority (e.g., PCI), by department, etc.

• Automating remediation efforts

Reports can be scheduled or run on-demand to provide insight into control test attestations and coverage for risk, authority documents, and policy violations. Attestations can be sorted, monitored, and reported on through executive dashboards built for this purpose.
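To make the one-to-many control mapping described under the UCF section and the indicator-threshold control testing listed above concrete, here is a small self-contained model written for this article; it is illustrative code, not ServiceNow's own API or data model, and every record, control name, threshold and authority document in it is constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    """One control record; authority_docs is the one-to-many link to regulations."""
    control_id: str
    description: str
    authority_docs: Tuple[str, ...]      # regulations/policies this control evidences
    indicator: Callable[[dict], float]   # metric computed from platform data
    threshold: float                     # values above this are non-compliant
    owner: str                           # control owner who receives remediation tasks


# Constructed sample data standing in for platform records (change and access data).
SAMPLE_DATA = {
    "changes": [  # production changes: was each one approved before deployment?
        {"id": "CHG-1", "approved": True},
        {"id": "CHG-2", "approved": True},
        {"id": "CHG-3", "approved": True},
    ],
    "accounts": [  # privileged accounts: days since the last access review
        {"user": "svc-batch", "days_since_review": 30},
        {"user": "dba-01", "days_since_review": 120},
        {"user": "dba-02", "days_since_review": 45},
        {"user": "netops", "days_since_review": 10},
    ],
}


def unapproved_change_ratio(data: dict) -> float:
    """Indicator: share of production changes deployed without approval."""
    changes = data["changes"]
    return sum(1 for c in changes if not c["approved"]) / len(changes)


def stale_review_ratio(data: dict) -> float:
    """Indicator: share of privileged accounts not reviewed within 90 days."""
    accounts = data["accounts"]
    return sum(1 for a in accounts if a["days_since_review"] > 90) / len(accounts)


# Constructed controls: one control can evidence several authority documents.
CONTROLS = [
    Control("CTRL-CHG-01", "Production changes are approved before deployment",
            ("SOX", "PCI DSS"), unapproved_change_ratio, 0.0, "change-mgmt"),
    Control("CTRL-ACC-02", "Privileged access is reviewed every 90 days",
            ("SOX", "PCI DSS", "Data privacy policy"), stale_review_ratio, 0.10, "iam-team"),
]


def run_control_tests(controls: List[Control], data: dict) -> List[dict]:
    """Scheduled control test: evaluate each indicator against its threshold."""
    results = []
    for c in controls:
        value = c.indicator(data)
        results.append({"control_id": c.control_id, "value": value,
                        "compliant": value <= c.threshold, "owner": c.owner})
    return results


def exceptions_by_authority(controls: List[Control], results: List[dict]) -> Dict[str, dict]:
    """Exception report: per authority document, control count and failing controls."""
    failing = {r["control_id"] for r in results if not r["compliant"]}
    report: Dict[str, dict] = {}
    for c in controls:
        for doc in c.authority_docs:
            entry = report.setdefault(doc, {"controls": 0, "failing": []})
            entry["controls"] += 1
            if c.control_id in failing:
                entry["failing"].append(c.control_id)
    return report
```

Because the access-review control is linked to three authority documents, its single failure surfaces in all three exception lists, which is the one-to-many effect the UCF mapping is meant to capture.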


Controls testing and auditing

After policy statements have been assigned by regulation and policy, controls have been generated from those policy statements against profiles (infrastructure, applications, processes, units, projects, people, etc.), attestation of those controls has been set up, and any gaps have been identified with remediation activities generated, the testing and audit process begins.

Whether it’s an internal or external audit, what often needs to be produced is “proof” that the control structure is in place and working as planned. Often this can lead to a great deal of manual effort—at the end of which the auditors or regulators may still be wanting more evidence. With the Now Platform much of this manual work can be reduced as each stage of setting up and executing a control has been captured throughout the whole lifecycle.

Managing the audit process itself is also made easier by leveraging the audit engagement feature on the Now Platform and its workbench for managing the audit plan. This module enables internal auditors to quickly plan, scope, and execute audit activities, as well as schedule interviews, walkthroughs, and control test activities.

By including selected profiles in the scope of your audit engagement, you automatically pull in all risks, controls, and evidence collected during the audited period that relate to the scoped profiles.

Audit “issues” that have been identified are tracked and incorporated into a single integrated plan that can be shared and referenced throughout the organization.


System access by role

One of the most valuable capabilities of ServiceNow is the ability to avoid emails and phone calls and replace them with one central engagement portal that ensures a single source of truth and enables easy information sharing. At the same time, to support a process as sensitive as compliance, there are different access levels that can easily be set up for different roles, including compliance administrator, compliance manager, risk manager, audit manager, system administrator, etc. Tasks can be assigned to the right person through a virtual task board that enables workload management and simplified status tracking.

Out-of-the-box vs. Configuration

ServiceNow provides a robust platform that includes all the key building blocks for GRC management. In some cases, the company has seen enough consistency across an industry to develop pre-packaged solutions, while in other instances, clients are configuring solutions to meet their own specific needs.

Among the out-of-the-box solutions at the current time are IT risk management (the first big use case for ServiceNow), vendor risk management, corporate compliance and oversight, and audit management. Other use cases built on the platform include operational risk management, business continuity management planning, and enterprise legal management.

Because the GRC solutions are often put into place at financial institutions that are already using the Now Platform elsewhere, it makes it easier to get folks trained and certified on the GRC tools, versus other niche tools that may require dedicated admins/business analysts, specialized training, etc.


Virtual Task Board for Compliance


© 2019 ServiceNow, Inc. ServiceNow, the ServiceNow logo, Now, Now Platform, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company and product names may be trademarks of the respective companies with which they are associated.

SN-SolutionBrief-ComplianceOperations-082019

servicenow.com

Business case

From a pricing perspective, the ServiceNow historical model is to charge by subscription fees based on the number of people using the system (in a fulfiller model). However, as the platform is increasingly being used for more enterprise-wide functions such as GRC, the pricing model is changing to focus more on the number of employees in the organization—which is good news for smaller, regional banks who sometimes have to pay full freight for systems originally built for larger, global organizations.

Implementation of the GRC modules for a bank can be quite fast according to Gartner. The “time to value is short with implementations sometimes taking just over two months.” From a benefits standpoint, return-on-investment from the GRC Suite is most directly found through levers that tackle the high degree of manual effort expended. Along with the time or money saved from process efficiency and automation is the cost avoidance that results from better risk reduction overall, as well as investment funds freed up through lower capital requirements and more.

Conclusion

Since ServiceNow offers a platform rather than a single tool, the number of use cases is expanding very quickly across the enterprise. Since its popularity generally began in IT departments that often already use it to manage IT Risk and Compliance, the basic ServiceNow foundation is often already in place in many financial institutions and already supported by knowledgeable, in-house ServiceNow experts.

Moving additional compliance functions onto the platform is generally straightforward and is supported by a growing number of SI Partners—many of whom are establishing or strengthening their ServiceNow GRC practices. Among the larger players who have set up specific ServiceNow GRC practices are Accenture, Deloitte, EY, Fruition, Grant Thornton, KPMG, and PWC. Also available to support is the ServiceNow professional services organization and the product support folks for the GRC module, together with the GRC Global Practice specialists.

About the authors

• Cliff Huntington, a former RSA executive, has global responsibility for GRC sales and strategy at ServiceNow

• Eric Le Martret, a former chief risk officer and GRC consultant, is now the senior advisory solution consultant for the ServiceNow EMEA GRC practice

• Julia Smith, a former financial services executive and transformation consultant, has global responsibility for helping financial institutions explore the possibilities of the platform through the ServiceNow Inspire practice.