White Paper
IBM Global Business Services, Financial Services

Compliance uncompromised
A corporate regulatory governance perspective for globally integrated enterprises


Governments around the world have been increasing their budgetary allocation to regulatory bodies so that regulators can stay focused on interpreting existing regulatory acts in light of unfolding global developments and on replacing existing regulations with new ones that address these developments. Governments are also investing in tracking and ensuring companies’ compliance with these regulations. Companies, for their part, have been reacting to government actions by keeping pace with these developments, as reflected in increased spending on their regulatory and legal requirements.

In a global study of the C-suite by IBM in 2011 and 2012, CEOs, CMOs and CIOs stated that regulatory concerns are one of the top five external forces affecting their organizations.1,2,3 Corroborating this study, in a Gartner-Forbes Board of Directors survey, close to 50% stated that their investment in legal and compliance would increase in the 2012 fiscal year compared to the year before.4 Though senior executives indicated their focus through an increased allocation, they also ranked issues directly linked to their business – innovation, retention, market share and profits, for example – as more critical to their business than those related to regulatory changes or compliance.5 The only exception to this trend comes from those who are accountable for and directly affected by regulatory compliance: the chief compliance, regulatory, legal or privacy officer on the board. Therefore, how this paradox of increased investment in regulatory compliance on one hand and ‘report to me anything but regulatory compliance’ on the other is managed becomes critical.

While this position is understandable and makes business sense, the global operations of companies can be exposed to financial scrutiny and subsequent investigations by regulators. The complexity of interpreting which acts or clauses apply to which global operation is compounded not only by the nature of the global operation but also by the global IT sourcing strategy. In addition, as financial scams or money laundering offences – perceived or real – surface, interpretation of existing compliance regulations becomes subjective, and companies that have delegated their regulatory function to providers as part of a global IT sourcing strategy may find themselves acting in a reactive, catch-up manner. This results in pooling skills and spending more effort than they had hoped for, compared with having a proactive compliance governance mechanism in place.

The global IT strategy that companies have adopted focuses on return on investment. Financial analysis of various kinds helps companies and service providers identify business that can be sourced within and outside of the country. However, this strategy, which focuses on financial savings, does not consider managing regulatory requirements as a part of the scope. Where it remains on the agenda of the stakeholders is usually during execution, but it is restricted to compliance activities through the familiar audit cycle: audit planning, education, auditing, reporting compliance, and follow-up actions to close audit findings.

Given the nature of their business, companies in financial services are the ones most affected by regulation. Most financial services companies are global both in their operations and in their IT sourcing, which invites further regulatory scrutiny. In addition, companies in other sectors are taking IT to the end user as a business model that necessitates financial regulation – for example, the use of mobile devices for banking by customers who may not have access to ATMs.


As regulatory governance is managed through IT services that are likely supplied by providers, companies have often had the challenge of identifying and separating the regulatory tasks that should remain at their own site from those that can be done by providers at their global sites. While it may not be much of a challenge if the provider’s services are delivered within the same geography, due diligence is required if the services are provided from a different geography. For example, for companies in the European Union, regulators expect customer-centric data to reside within the Union. This requirement may put the sourcing strategy that companies have followed – one driven by the desire to optimize cost, leverage global talent and bank on the provider’s experience of handling companies from the same industry – at odds with the regulator’s requirements.

An approach that addresses these conflicting requirements and still justifies a board’s increased allocation for regulatory governance involves a three-pronged strategy, one that:

• Invests in an integrated IT approach
• Leverages emerging technologies
• Continues a focus on the basics

The complexity of compliance management is more pronounced for companies whose sourcing strategy is global and can therefore contradict regulators’ guidelines for global business, some of which are implicit. An integrated IT approach that also leverages emerging technologies, without losing sight of the basics, can address these requirements.

The complexity of managing compliance

Though spending on governance, risk and compliance (GRC) has increased – the representation of a chief compliance officer on the board reflects that – regulatory compliance still gets the attention of management (and more so of the press) for the wrong reasons. The increase in allocation is meant to ensure that the compliance management function is not compromised for lack of investment. However, a board expects its GRC team to optimize the return on that investment. It is in this context that GRC needs a robust regulatory framework that goes beyond audits, maps risks to investments, and eventually reduces the company’s exposure to regulatory investigations. Both companies and service providers have mature systems, dashboards and metrics for managing regulatory governance. However, these alone do not seem to have guaranteed compliance. Even audit reviews by third parties seem to have played by the book, confirming compliance with the ‘as is’ state and thereby leaving companies exposed to changes necessitated by technological advances or events in the marketplace.

In a sourcing scenario, even if the company and the provider have a well-established governance mechanism, companies tend to empower the provider, and the provider’s management delegates the work to its teams. These actions are often justified in contracts where the provider is accountable for services end to end. However, in the case of regulatory compliance the scenario is more complex, as regulators have kept the onus of compliance with the company and implicitly expect it to take ownership of compliance.


Case study: Compliance from a sourcing strategy perspective

A multinational bank headquartered in Australia has sourcing relationships with a few providers. These providers offer application services to the bank, some within and others from outside of the continent. The bank has a clear and long term sourcing strategy with these providers that optimizes IT investment.

The bank is governed by the regulations of the Australian Prudential Regulation Authority (APRA). APRA, funded largely by the banks, insurers and other financial institutions it supervises, oversees them through the regulatory standards it has established. In addition, through Prudential Standard CPS 231, it established the framework for outsourcing. The framework included guidelines for creating an outsourcing policy; a monitoring process; a legally binding agreement with the providers; and consultation with APRA before and after entering into an outsourcing agreement with the provider(s).

The bank’s sourcing strategy with one of the providers was based on a ‘resource management’ type of delivery model. Also called staff augmentation, this meant the bank provided management direction to the provider’s employees, who worked on its projects from an overseas location. The bank decided to move up the delivery model pyramid by relinquishing management oversight to the provider so that the provider could deliver end-to-end services. Also called managed services, this meant the majority of the work products would now be delivered outside of Australia. From the regulator’s perspective, it meant ‘material business activities’ would now be delivered outside of Australia and therefore the CPS 231 provisions would apply. It also meant the regulator would visit the provider’s work location and conduct a physical audit, in addition to reviewing the internal compliance framework and reports, before authorizing the bank’s move from staff augmentation to managed services.

The bank and the provider worked on this additional regulatory requirement. While the bank provided insight on APRA guidelines to the provider, the provider shared previous experience gained when other regulators visited the provider’s location for a similar purpose. They identified together a list of controls that formed the basis for training, (mock) auditing and evidence gathering for the eventual APRA audit.

Given the stakes for the bank and the provider, both ensured adequate management oversight, pulled in subject matter experts, and trained the team that would eventually provide the managed services. The capabilities the provider demonstrated to the regulator paved the way for confirmation of managed services by the provider.


Invest in an integrated IT approach

Global IT, global services and the global application of regulatory standards mean companies are looking to IT providers to help them manage the challenge. While companies and providers can manage the first two through governance, controls and metrics, it is compliance where they have to work with the regulator, who is both a stakeholder and a customer. Regulators have only been introducing more controls, if the frequency of amendments to such acts by governments around the world and the legal recourse they have opted for is any indication. The Dodd-Frank Act of 2010 is in fact about 8 times more voluminous than the Sarbanes-Oxley Act of 2002.6 Software vendors have to develop compliance tools that comply with the new standards; industry bodies have to upgrade their standards to be in line with regulatory acts; and companies have to be aware of how these utilities can help them ensure regulatory compliance. While what we call an integrated IT approach can help optimize the value of the investment, we still have to be conscious of the fact that governments have not yet been able to work together to develop an integrated framework that would reduce ambiguity and duplication of effort by global companies and providers alike. Nonetheless, software vendors continue to upgrade their products and, by mapping features to controls, attempt to keep them current and applicable to global operations.

What, then, are the components of an integrated IT approach that conform to industry standards and are offered by a majority of providers? What scenarios do they address and what benefits do they provide?

• Business analytics: A repository management tool that enables audit traceability. With minimal customization, business analytics tools – backed by big data – can manage documents, changes, evidence and event logs. The ability to scan for unusual or suspicious transactions in real time ensures compliance with regulatory norms and reduces the effort spent on surveillance.

• Information lifecycle management: An information infrastructure framework built around the compliance lifecycle that enables data integrity and automated accessibility. The framework — aided by business analytics — manages costs associated with records keeping, the infrastructure for storage, and the retrieval of applicable best practices from the repository.7

• Enterprise risk management: An integrated risk management tool that tracks all the risks in real time so the risks can be isolated, reported, and re-assigned, if required. Tracking enterprise-wide risks that are related to compliance, legal or ethics enables companies to confirm their risk mitigation strategy and provides transparency in their compliance reporting to regulators.

Companies like to see providers use an integrated, knowledge-packed tool, providers wish to see an integrated regulatory framework, and the governments wish to see a rigor by both companies and providers in applying thought and adhering to regulatory standards set by them. An integrated IT approach is expected to help stakeholders address these interests.

Providers and software vendors, as part of an integrated IT approach, can develop tools that automate regulatory compliance, thereby optimizing a company’s investment in GRC functions.


Case study: Invest in integrated regulatory framework

For a leading bank in Singapore that has its IT services delivered from different countries – China, Hong Kong, India and Singapore – managing ongoing compliance requirements in a multi-vendor environment was a challenge. While the bank had operations in some of these countries, IT services were also delivered from a country in which it had no banking operations. This meant that, while customers’ end-user data were exported to a country where the bank had no banking operations, its IT operations were governed by multiple regulatory frameworks, as the bank’s operations were delivered from different countries, each with its own regulatory standards to comply with. It also meant the bank needed a robust compliance framework that could guarantee data integrity and security, irrespective of the countries where the customers’ end users were located.

The provider, together with the bank, worked on the areas that were critical to developing a robust framework. The framework was then developed into a catalog that included identifying and developing controls related to access to data and the production environment, change and staff management, and data security and privacy. The provider was able to develop the broad framework given the experience it had gained in remotely servicing its own internal but global IT services in areas relevant to the company’s operations, such as compliance assurance, audits and measurements, and information security management.

The developed framework helped measure the effectiveness of the compliance program. It ensured compliance with banking regulations of different geographic regulators. The framework is agile enough to quickly and seamlessly integrate any new mandates introduced by the company or regulators, enabling a long term currency of the framework.

Leverage emerging technologies

Though regulators ensure that regulations keep pace with technologies that have already matured and have industry frameworks in place, amendments to regulations covering emerging technologies are likely to be in ‘catching up’ mode. The IT industry, however, cannot be in the same mode and is required to foresee the impact of likely revisions by reviewing technology in the context of regulatory compliance. This calls for understanding the regulatory challenges of emerging technologies at the same time as absorbing them into the company’s services. Cloud computing, social media, enterprise mobility and big data are a few of the emerging technologies that have relevance to and impact on regulatory controls.

Cloud computing: Though companies desire to move a majority of their IT landscape to the cloud, the actual number of applications that embrace cloud will be smaller due to concerns over data security and potential regulatory exposure. This complexity manifests both in choosing a public or a private cloud from a data security perspective and in segregating business-critical from non-business-critical applications and then mapping them to the right cloud environment. The focus for companies is on isolating regulatory-specific tasks – access management, data protection and customer response – and then understanding how the cloud manages them differently. As some regulators specify that the data location should be within the geography – the EU Data Protection Directive is one example – the servers that store the data are required not only to be located within that geography but also to sit on a private cloud.


Social media: Social media has brought companies, regulatory bodies and providers onto the same open platform, though more likely in their individual capacity. These individuals also represent their organization when they post a requirement and get responses. While social media certainly helps the larger community in that process of sharing and learning, the very act of knowledge sharing by individuals may expose the companies they represent from an audit perspective. Thankfully, several companies, including IBM, have designed frameworks for how and what can be shared without compromising security and confidentiality.8 There is also a list of such social networking policies at the internet site socialmediagovernance.com.9 Companies can then encourage the use of social media, for example, as a reference medium for the interpretation of various regulatory acts, and educate their employees not to use it to divulge the company’s regulatory challenges, which could expose them or bring undue attention from competitors or regulators.

Enterprise mobility: Now more than ever, companies are attracted to untapped business in growth markets. Gartner estimates that by 2016, China and India, the two major growth markets, will grow mobile services penetration to 72% and 119% respectively.10 Companies also know that the appropriate and cost-effective approach to tapping these markets lies in developing applications that are easily accessible through handheld devices like tablets and smartphones. While IT has developed applications around this, these applications are also vulnerable to data security issues that are critical to regulatory compliance. Providers have to ensure that compliance with regulations is not compromised, given that the regulations are likely to evolve with the applications of these emerging technologies. Which regulations companies have to comply with can be another challenge, if we recognize that a majority of the companies are from developed economies, where regulations are likely to cover mobility issues, while their operations and consumers are likely to be in growth markets that are unlikely to have a mobility framework covered in their regulatory acts. Even in developed economies, regulators may not yet understand mobility over cloud – a potential business model for companies that is also prone to data security and compromise issues. An option companies – including those from healthcare, insurance and telecommunications – can bank on is the integrated IT approach referred to earlier. As individual customers dislike too many access control provisions but at the same time do not want their accounts to be compromised, the integrated approach can minimize the disruption to operations.11

Big data: Data and its security, as related to an individual’s privacy, are fundamental to the regulatory compliance mandated by governments worldwide. Its significance is more pronounced when the data is managed by providers or captive centers located in a different geography. Providers who have their own internal data managed from a different geography are better equipped to manage a company’s data as well, for they have been not only data processors – the primary role of providers – but also data controllers, the role these providers are expected to play for their internal data. Big data can analyze the data available within a provider’s organization (as a data controller) together with the data the provider has gathered while servicing several other clients, and so can quickly identify fraudulent transactions globally in real time, thereby managing the provisions made for money laundering fines.


From a sourcing perspective, companies look to providers to help them comply with potential regulatory requirements as and when these technologies become covered under the regulations. They expect providers to draw from their experience of managing technologies for other clients; share their exposure to growth market companies; prepare a roadmap for compliance; and reverse the application support location, should the regulations dictate so.

While companies embrace emerging technologies – cloud computing, social media, enterprise mobility and big data – to remain competitive, a look at how they impact regulatory compliance is critical to remaining in business.

Figure 1: The company is accountable for regulatory services irrespective of the type of contracted services

                                      Company       Provider
Contracted services
  Staff augmentation services         Accountable   Responsible
  Managed services                    Responsible   Accountable
Regulatory services
  Staff augmentation services         Accountable   Responsible
  Managed services                    Accountable   Responsible

Continue to focus on the basics

While it is necessary to focus on tools and emerging technologies to address potential non-compliance situations, companies should also ensure that the fundamentals of governance in GRC are not forgotten. Since regulations keep the onus of accountability with the company, the company needs dedicated subject matter experts who can periodically review the provider’s regulatory processes. Even when the sourcing relationship with a provider moves up – for example, from staff augmentation to managed services – accountability from a regulatory perspective still remains with the company (Figure 1). For the company, focusing on repeatable processes developed in collaboration with the provider can mean freed-up investment. The following are a few of those key activities:


• Ensure each compliance report is reviewed and approved and that the Responsible, Accountable, Consulted, Informed (RACI) matrix is updated. The RACI matrix ensures that delegation and ownership – particularly from a sourcing perspective – are in line with what the regulations recommend. A few companies have made the report a regular feature on the C-suite dashboard, even when there are no significant items to report. Providers can act as whistle-blowers, similar to code hackers, so that likely compromises of the law that formal audits may not notice get reported to the C-suite frequently through the dashboard, thereby optimizing the investment in the provider’s services.

• Ensure that there is knowledge sharing between IT and finance, legal and infrastructure, as all of them have to talk and interpret in the same language. When it comes to compliance, there cannot be ambiguities: business controls, for example, should mean the same to all, even if the means of achieving them are left to the respective teams.

• Put in the right effort every time. Companies may go overboard in their internal or mock audit in preparation for an external regulatory audit. This is a risk-averse strategy, resulting in more than the required investment in an internal audit. Alternatively, a company may have failed to identify gaps because its internal systems were not updated to reflect changes in the regulatory standards, resulting in a less effective use of internal audits: a risk-absorption strategy. While it is difficult to say which of the two is better, the approach should be in line with the company’s larger risk strategy, as reported to the GRC team through the enterprise risk management system.

• Plan and budget for contingency if the company has a risk-absorption strategy, so that if internal audits fail, external audits can quickly be introduced. When there was an electrical power outage of over eight hours, impacting 40% of India’s population as the states drew more power than they were supposed to, the Government recommended an independent audit of transmission grids by a third party.

Companies look to providers to bring the experience they have gained in managing regulatory compliance for other clients. For companies whose services are multinational, providers can bring their knowledge of the regulatory acts of different countries on board (Figure 2). Providers are also equipped to update companies on regulatory changes – for example, insurance providers need to comply with Solvency II from 1st of January 2013; from a sourcing perspective, the act will continue to detail the RACI for the overseas provider. For providers, it could mean owning, committing to and delivering a company’s operations to standards – current and future – and reviewing the scope in the context of regulatory developments.

Figure 2: The provider can bring direct and indirect benefits to the company-regulator equation

[Figure: the company and its regulator, the provider, other companies the provider serves (for the same regulator or for different regulators), and other regulators the provider interacts with.
Direct benefit: the provider’s knowledge from its interlock with the same regulator through different companies.
Indirect benefit: the provider’s knowledge from its interlock with different regulators and different companies.]


Investment in governance, risk and compliance is difficult to justify. Though this investment is likely to keep increasing, teams can maximize the return on it by focusing on fundamentals – metrics, evidence, checks and balances – administered through a clear roles and responsibilities matrix.

Case study: Managing regulatory exposure

A few global banks headquartered in the United Kingdom were accused of money laundering by New York’s banking regulator, the Department of Financial Services. These banks, for their part, confirmed their compliance with U.S. federal law. The banks are likely to face a challenge under the state’s law, which holds that the transactions, though legal under federal law, violate state law. State regulators are contemplating serving notices on the banks asking why their licenses to operate in New York should not be revoked. While the banks contest that their dealings comply with former and current federal laws, and the federal government agrees, the banks have also set aside money to cover potential settlement fines.

The Department of Financial Services, in its detailed investigation report, submitted that some of these banks also spoke of exposures related to IT operations which, it claimed, affected the legality of the financial transactions. These were found to be the reasons behind deficient money laundering controls, thereby violating U.S. Office of Foreign Assets Control provisions. Some of these banks have their back-end operations managed through captive centers located overseas.

The regulator, while visiting the banks’ captive center for auditing, found that although there were well-documented control systems in place, the control itself was lacking, as reflected in ineffective governance of the captive center by the headquarters. The regulator felt that delegating activities to the captive resulted in a lack of control and accountability. In speaking to the captive center’s team, the regulator also felt that the team was inadequately trained or staffed, leading to an inadequate appreciation of the current regulatory references – for example, under what circumstances a transaction between entities from two different countries can be considered lawful. The regulator also claimed that the headquarters’ due diligence of the captive’s processes was not in line with the state’s laws, and therefore the internal audit was not effective in conforming to regulatory standards.

The banks then put in place a monitoring procedure established with a clear responsibility and accountability matrix between them and their captive centers. They put an effective training and governance plan in place. The banks also implemented an additional monitoring mechanism to review and ensure compliance with the government’s audit findings. In addition, a due diligence mechanism in line with the regulator’s expectations and with adequate controls was put in place. One of the banks also strengthened its Anti-Money Laundering Compliance Department with governance teams drawn from both the headquarters and the captive. This resulted in an estimated 99.9% of transactions complying with regulatory requirements.

Where do we go from here?

Companies have been increasing their allocation to regulatory compliance without the C-suite diluting investment in the business issues that affect their bottom line. This has resulted in a situation where those who manage regulatory compliance – providers included – have to ensure compliance with regulatory standards all the time and every time. The recent investigation by regulators into the financial controls established by the banks is an indication that investment alone, without a regulatory governance framework involving providers, does not yield the desired result.


Though it looks like a paradox – companies like to invest more in regulatory requirements but do not have it as one of their top business priorities – market developments or adverse coverage continue to keep the issue alive on the board’s agenda. How, then, do we avoid the trap and maximize the value of the investment? Should companies keep the investment at a bare minimum but, at the sight of an impending challenge, pull resources from various channels, set up a task force and work on a war footing? Or should there be a dedicated team, reporting to the board through a chief compliance officer, whose primary function is to scan the market, review developments and suggest a proactive action plan that the company would then invest in implementing? While these may exhibit risks at the extremes, a middle course would be to keep the GRC strategy in line with the company’s broader IT strategy and then fine-tune it depending on market reality or dynamics. Interlocking with the provider should go beyond the contractually obligated services – investing in training the provider on country-specific regulatory requirements is one such example.

As companies focus on investing in big data management, strengthening provider governance from a GRC perspective, and preparing to comply with enhancements to regulatory standards that are partly driven by evolving technologies, one scenario stakeholders are likely to face relates to 'green' management. Environmental concerns and global trends have led companies to disclose their environmental contribution voluntarily; a likely next step is the release of new regulatory standards mandating environmental compliance. While compliance itself should not be difficult from either an investment or an effort perspective, any exposure in this area would mean negative coverage in social media from environment-conscious citizens who also happen to be the end customers of banking, insurance and finance companies.

It would be near impossible to keep pace with the vast majority of regulatory standards and their enhancements, considering that each geography and industry probably has one or more.12 This is a particular challenge for conglomerates that operate in more than one geography and for those with a complex outsourcing strategy: complex either because they source from a blend of in-house, provider and captive, or because their services range from within the country to multiple sourcing locations across continents. Providers who not only deliver what they are contractually obligated to but also manage this complexity through a robust provider management framework let companies focus on their core business and deliver what the companies wanted in the first place: 'report to me anything but regulatory compliance.'

About the author

Somayaji KVL is the IBM Global Business Services Community Leader for Transition and Transformation services. He has been providing engagement services to clients around the world and across industries. As one of the founders of the competency, Somayaji has extensive experience in developing intellectual-property-based offerings tailored to clients' unique engagement and delivery requirements. He can be contacted at [email protected].


GBW03193-USEN-00


© Copyright IBM Corporation 2012

IBM Global Services Route 100 Somers, NY 10589 U.S.A.

Produced in the United States of America December 2012 All Rights Reserved

IBM, the IBM logo and ibm.com are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products and services do not imply that IBM intends to make them available in all countries in which IBM operates.

References

1 "The Essential CIO: Insights from the Global Chief Information Officer Study," IBM Corporation, May 2011.

2 "From Stretched to Strengthened: Insights from the Global Chief Marketing Officer Study," IBM Corporation, October 2011.

3 "Leading Through Connections: Insights from the Global Chief Executive Officer Study," IBM Corporation, May 2012.

4 French Caldwell, "How the Board Views Governance, Risk Management and Compliance Issues," Gartner-Forbes 2012 Board of Directors Survey, G00235702, July 2012.

5 Ibid.

6 Bjørn Pettersen, "Potholes on the road to compliance: Six common pitfalls of enterprise regulatory compliance initiatives," GBW03174-USEN-01, IBM Corporation, April 2012.

7 "Compliance information lifecycle management for financial services," Solution Brief, IBM Sales and Distribution, IIS03007-USEN-00, IBM Corporation, May 2010.

8 Barbara Giamanco and Kent Gregoire, "Tweet Me, Friend Me, Make Me Buy," Harvard Business Review South Asia, July-August 2012.

9 Chris Boudreaux, "Social Media Governance: Empowerment with Accountability," http://www.socialmediagovernance.com/policies.php

10 Gartner Press Release, http://www.gartner.com/it/page.jsp?id=1963915

11 Anand Raju, "Impact of Regulatory Compliance in Leveraging Mobile Solutions to Enterprises," July 25, 2012, http://ezinearticles.com/?Impact-of-Regulatory-Compliance-in-Leveraging-Mobile-Solutions-to-Enterprises&id=7196659

12 Examples of regulations include: for the US, the Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standard (PCI DSS), Gramm-Leach-Bliley Act (GLBA), Dodd-Frank Wall Street Reform and Consumer Protection Act and Federal Information Security Management Act (FISMA); for the UK, the Data Protection Act, Freedom of Information Act and Bribery Act; for Australia, AS 3806 Compliance Programs; for the European Union, the EU Data Protection Directive and Solvency II Directive 2009/138/EC; for Singapore, the Monetary Authority of Singapore Act; and, at the global level, Basel III.