Managing Data in a Regulated World – How Financial Institutions Can Manage Data Risk While Ensuring Compliance

Financial institutions are a major target for data breaches and deliberate attacks by cybercriminals. These breaches can compromise the privacy of all stakeholders, often through unauthorized access to sensitive Personally Identifiable Information (PII) such as Social Security numbers. Approximately 147 million customers were potentially impacted by the Equifax data breach in September 2017. Many recent breaches have occurred in the areas of security, integrity, and privacy. This trend has prompted regulators to strengthen existing laws, rules and regulations to ensure that companies prevent breaches, or at least significantly limit the damage when a breach occurs. With this increase in regulatory mandates and the unpredictable nature of “what comes next”, companies are struggling to manage their data in a compliant manner.

Regulatory compliance is an often underserved area. As data is increasingly treated as an asset that guides decision-making, financial institutions can no longer ignore regulatory compliance. They must now remain fully compliant with all applicable regulatory obligations. By adopting a data governance program coupled with a regulatory watch function, financial institutions can effectively govern their data. Most importantly, this approach ensures regulatory compliance is met in an ever-changing regulatory landscape. Financial institutions can take advantage of the guidance in this document to build effective programs from scratch or improve existing ones.

General point of view

Data is growing exponentially and the regulatory landscape continues to evolve. As financial institutions struggle to keep pace with change, significant gaps are forming, leading to non-compliance. Regulatory compliance is adherence to the laws, rules and regulations (LRRs) created by government and industry regulatory authorities. Financial institutions must demonstrate full compliance with these LRRs to avoid regulatory fines.

Non-compliance can go unnoticed if regulatory compliance is not strictly enforced internally within the institution. Often the first sign of non-compliance is a data breach. Such violations expose the inadequate state of a compliance program in a public and often damaging way. Regulatory reviews of existing data management practices have revealed clear violations, or at least the lack of a mature, regulatory-compliant data program.

The impact of non-compliance

Regulatory compliance is becoming a critical area, and institutions have no choice but to stay compliant with regulatory obligations. Regulations are created to ensure that banks operate legally while protecting customers, stakeholders, employees and the business itself. Institutions that cannot demonstrate compliance or those that are subject to violations may face any or all of the following repercussions:

  1. Financial penalties / fines – Regulators do not hesitate to impose sanctions on banks that do not comply with regulatory obligations. Data acquired from the Bank Fines Report 2020 by Finbold.com indicates a total of $15.13 billion in aggregate fines in 2020. The United States accounts for the highest fines, at $11.11 billion or 73.4% of the fines imposed.
  2. Audits – Violations are often the triggers for an audit. This prompts regulators to more regularly investigate the bank’s functions, processes and finances.
  3. Damage to reputation – Non-compliance can have a negative impact on an institution’s public reputation. This can lead to a loss of trust among customers, resulting in a loss of market share and valuation in the case of a publicly traded company.
  4. Termination of activity – Repeated offenses can harm the institution to the point where it has no choice but to cease its commercial activities.

Enabling a Regulatory Compliant Data Governance Program

Financial institutions can ensure that their data complies with regulations by creating an effective data governance program aligned with regulatory guidelines.

  1. An effective data governance program – Data management defines the systems, processes, and standards that determine how data is created, stored, consumed, and reported in an organization. Data governance is a function of data management; it is the strategy applied to govern its management and facilitate the sequencing of a data life cycle. This function involves documenting data types, ownership, and consumers, and evaluating their suitability for the desired purpose. It democratizes data and ensures that it is trusted at its source and readily available while establishing high levels of integrity, quality, consistency, accuracy, privacy, confidentiality and security.
     1. Data classification and catalog – The essential first step in data governance is to classify the organization’s data into structured and unstructured formats. This data needs to be organized and managed in data catalogs. As part of this step, all data attributes must be identified and mapped to the locations where they are physically stored. Simultaneously, banks can also establish their authoritative data sources to ensure that data is trusted at its source.
     2. Fit for purpose and use – Organizations have a long history of using their corporate information assets for inappropriate applications. Therefore, their use should be reviewed periodically to determine purpose and usefulness in meeting consumer needs. The data residing in these information assets must be usable and serve the intended purpose. This review can be performed as part of the company’s recertification process, when company assets are verified and certified against the criticality/sensitivity of data residing in applications and EUCs.
     3. Data lineage – Documenting the journey of data from its source to its destination (i.e., where it is consumed) is necessary for organizations to ensure traceability. This process illustrates the flow of data through applications and EUCs while undergoing various transformations along the way. Any necessary interfaces that facilitate data flow should also be documented.
     4. Minimal controls – Once the company’s information assets and the data residing therein are documented, classified and risk-assessed, minimum controls must be determined. A control framework can be established for this purpose to document and organize the institution’s internal controls. These guidelines relate controls to risks for a financial institution. As controls are applied, periodic assessments of deviations from the existing control environment must be performed to ensure high levels of data integrity and quality.

Capco’s Center for Regulatory Intelligence

Risk management and compliance functions are overwhelmed by the speed and volume of regulatory information, often missing key trends and context, which leads to compliance obligations that go unidentified and unmapped. Capco’s regulatory intelligence library and regulatory data feed help clients minimize risk by illuminating regulators’ expectations, identifying obligations, and defining risks and controls. Capco supports institutions in their efforts to minimize risk by proactively identifying legal and regulatory requirements and oversight expectations and analyzing the impact of geopolitical events on their business. Our Regulatory Intelligence Center (“RIC”) is a single source of comprehensive research and analysis using primary source documents, government oversight, industry networks, and qualitative and quantitative data.

Conclusion

Financial institution business units own the company’s data assets and therefore play a critical role in defining the data governance strategy. We believe that before engaging in data compliance discussions, financial institutions should ensure that all business, compliance and IT units are involved. Technologists are responsible for ensuring that controls are effectively in place and tested on data assets. Compliance should ensure controls are adequate and meet existing regulatory requirements. Institutions need to realize that regulators are there to ensure a healthy and law-abiding financial ecosystem, and that the landscape is constantly changing. To remain truly compliant, a financial institution must have a clearly defined data strategy, complemented by a regulatory watch function. By taking this approach, it can be both agile and adaptive to meet ever-changing regulatory needs and conditions. Stay tuned for more information, guidance and best practices specific to a range of services within financial services, from retail banking and capital markets to wealth and investment management.

By Varun Putchala, Senior Consultant at Capco, and Glenn Kurban, Partner at Capco