Managing Data in a Regulated World: How financial institutions can navigate data risks while ensuring compliance
by Varun Putchala, Principal Consultant at Capco, and Glenn Kurban, Partner at Capco
Financial institutions are a major target of data breaches and deliberate attacks by cybercriminals. These data breaches can infringe upon the privacy of all stakeholders, often from unauthorized access to sensitive personally identifiable information (PII) data, such as social security numbers. Roughly 147 million customers were potentially affected by the Equifax data breach in September 2017. Numerous recent violations have occurred in areas of security, integrity, and confidentiality. This trend prompted regulators to strengthen existing laws, rules, and regulations to ensure firms prevent breaches or at least contain the risk substantially when a breach occurs. With this increase in regulatory mandates and the unpredictable nature of “what comes next,” firms are struggling to manage their data in a compliant manner.
Regulatory compliance is an often-underserved area. Since data is increasingly treated as an asset that drives decision-making, financial institutions can no longer ignore regulatory compliance. They must now remain fully compliant with all applicable regulatory obligations. By adopting a data governance program coupled with a regulatory intelligence function, financial institutions can govern their data effectively. Most importantly, this approach ensures adherence to regulatory compliance in an ever-changing regulatory landscape. Financial institutions can leverage the guidance in this paper to enact effective programs from scratch or improve existing ones.
Data is growing exponentially, and the regulatory landscape continues to evolve. As financial institutions strive to keep up with the pace of change, substantial gaps are forming, resulting in non-compliance. Regulatory compliance is adherence to the laws, rules, and regulations (LRRs) created by government and industry regulatory authorities. Financial institutions must demonstrate full compliance with LRRs to avoid regulatory fines.
Gaps in regulatory compliance can go unnoticed if compliance is not strictly enforced internally within the institution. A data breach is often the first visible symptom of non-compliance: breaches expose the inadequate state of a compliance program in a public and often damaging fashion. Regulatory examinations of existing data management practices have revealed clear violations, or at least the absence of a mature, regulatory-compliant data program.
The repercussions of non-compliance
Regulatory compliance is emerging as a critical area, and institutions are left with no choice but to remain compliant with their regulatory obligations. Regulations are created to ensure banks operate lawfully while protecting customers, stakeholders, employees, and the company itself. Institutions that cannot demonstrate compliance, or that are subject to violations, may face any or all of the following repercussions:
A. Monetary Penalties / Fines – Regulators are not hesitant to impose penalties on banks that do not meet regulatory obligations. Data acquired from the Bank Fines Report 2020 by Finbold.com indicates a total of $15.13 billion in aggregated fines in 2020. The United States accounts for the highest fines, at $11.11 billion or 73.4 percent of the issued fines.
B. Audits – Breaches are often the trigger points for an audit. A breach prompts regulators to investigate the bank’s functions, processes, and financials more frequently.
C. Reputational Damage – Non-compliance can negatively affect an institution’s public reputation. This can result in a loss of confidence among customers and, in turn, a loss of market share and, for a publicly traded company, valuation.
D. Cessation of Business – Repeated violations can adversely affect an institution to the point where it is ultimately left with no choice but to cease business operations.
Enabling a regulatory-compliant data governance program
Financial institutions can ensure their data supports regulatory compliance by building an effective data governance program alongside a regulatory intelligence function that tracks regulatory guidance.
A. An effective data governance program – Data management defines the systems, processes, and standards that determine the way data is created, stored, consumed, and reported in an organization. Data governance is a function of data management: it is the strategy applied to govern that management across the data lifecycle. This function involves documenting data types, owners, and consumers, and assessing whether the data is fit for its intended purpose. It democratizes data and ensures it is trusted at its source and readily available, while establishing high levels of integrity, quality, consistency, accuracy, confidentiality, privacy, and security.
1. Data Classification and Catalog – The first essential step in data governance is classifying the organization’s data into structured and unstructured formats. This data must then be organized and managed in data catalogs. As part of this step, all data attributes need to be identified and mapped to the locations where they are physically stored. At the same time, banks can establish their Authoritative Data Sources to ensure data is trusted at its source.
2. Fit for Use and Purpose – Organizations have long used their enterprise information assets for applications they were not intended for. Their use must therefore be periodically reviewed to confirm the purpose of each asset and its utility in fulfilling consumers’ needs. The data residing in these information assets must be usable and achieve the intended purpose. This review can be accomplished as part of the firm’s recertification process, in which enterprise assets are verified and certified based on the criticality and sensitivity of the data residing within applications and EUCs.
3. Data Lineage – Documenting the journey of data from its source to its destination (i.e., where it is consumed) is necessary for organizations to ensure traceability. This process illustrates the flow of data through applications and EUCs, including the transformations it undergoes along the way. All interfaces that facilitate the flow of data must be documented as well.
4. Minimum Controls – Once the enterprise information assets and the data residing within them are documented, classified, and rated for risk, minimum controls need to be determined. A controls framework may be established for this purpose to document and organize the institution’s internal controls; it associates each control with the risks it addresses for the financial institution. As controls are applied, periodic gap assessments against the existing control environment are necessary to ensure high levels of data integrity and quality.
Capco’s Center for Regulatory Intelligence
Risk management and compliance functions are overwhelmed by the velocity and volume of regulatory information, and often miss key trends and context, leading to missed compliance obligations that could otherwise have been mapped. Capco’s Regulatory Intelligence Library and Regulatory Data Feed help clients minimize risk by illuminating regulator expectations, identifying obligations, and defining the associated risks and controls. Capco supports institutions as they work to minimize risk by proactively identifying legal and regulatory requirements and supervisory expectations, and by analyzing the impact of geopolitical events on their business. Our Center for Regulatory Intelligence (“CRI”) is a single source of comprehensive research and analysis drawn from primary source documents, government surveillance, industry networks, and qualitative and quantitative data.
Conclusion
The business units of a financial institution own the firm’s data assets and therefore play a critical role in defining the data governance strategy. We believe that, prior to undertaking any data compliance discussions, financial institutions must ensure there is participation from all business, compliance, and IT units. Technologists are responsible for ensuring controls are effectively in place and tested on data assets. Compliance must ensure the controls are adequate and meet existing regulatory requirements. Institutions must recognize that regulators exist to ensure a healthy and law-abiding financial ecosystem, and that the landscape is ever-changing. To stay truly compliant, a financial institution must have a clearly defined data strategy, supplemented with a regulatory intelligence function. By adopting this approach, it can be both agile and adaptive in responding to continuously evolving regulatory needs and conditions. Stay tuned for more insights, guidelines, and best practices specific to a range of services within financial services, from Retail Banking and Capital Markets to Wealth and Investment Management.