The first Australian bank or financial institution to crack the compliance and governance code could profit handsomely from the hard work.

Unisys predicts the first financial organization that can realistically tick all the boxes in relation to governance and compliance will be in a position to offer security as a "value-added" service to competitors in the banking industry.

Banks are fast-tracking their efforts to comply with the Sarbanes-Oxley Act's internal control reporting requirements by the July 15, 2006, deadline. Robert Dewar, Unisys financial services managing partner, said models have been designed showing how Australian banks and financial institutions can share infrastructure information and processes to not only meet compliance, but cover the costs of doing so.

"The discussion in boardrooms now is about the opportunity to utilize this very costly and expensive [compliance] infrastructure and set of capabilities that organizations are putting in place, and what is the opportunity to either create a new service offering or product," Dewar said.

"I think the key driver of 'utility security' is the large, legislative and compliance requirements around enterprise security and governance, [because] there are very serious and ongoing investments financial institutions have to make.

"As a result, some organizations could share infrastructure information and processes to achieve a shared utility thereby reducing the cost of meeting compliance.

"If a security utility is created that every one can participate in by sharing costs and information, then every one can benefit."

However, Hydrasight analyst Michael Warrilow disagreed.

Warrilow said every single security vendor is chasing the "holy grail" of compliance and not one has cracked it yet.

He said compliance, as a whole, creates nothing more for a bank or financial institution than an expensive "tick in the box". However, the smarter banks are using compliance legislation as a performance capability, rather than a cost centre.

"The road to compliance is the secret sauce that no bank will give away and the banks are cautious about letting any vendor know what they are doing," Warrilow said.

"What happens when security becomes a shared service is there is no competitive advantage from using appropriate security. Will a customer swap banks because they are Sarbanes-Oxley compliant?

"It is just the cost of doing business and banks want to drive costs down, but the smart ones will use compliance as a way to improve performance and use compliance as a performance capability rather than just see it as a cost."