Nathan Snyder, Partner at Brickendon Consulting, discusses the regulations coming into force for data governance.
Data is everywhere and so are regulations, so it is not surprising that the two are having a large impact on each other. While it is possible to have data without regulation and regulation without data, it’s unlikely to find one without the other in today’s highly-regulated data-orientated financial environment. Whichever piece of financial regulation you take, be it Dodd-Frank, CCAR, Basel III or MiFID II, they are all inherently data centric.
Dodd-Frank was brought in to ensure transparency in record keeping and prevent a repeat of the financial meltdowns; CCAR relates to data quality, lineage and overall data management; MiFID II attempts to regulate data collection for commodity derivatives firms; while Basel II and III concern themselves respectively with quantifying operational, credit and market risk data, and capital requirements stress testing, market liquidity risk and the use of data to run ratios.
Then there’s tax regulation, such as the Foreign Account Tax Compliance Act (FATCA) and Common Reporting Standards (CRS), which relate to the sharing of data; Solvency II, which is similar to Basel, but is concerned specifically with EU insurance companies and the issue of capital requirements to reduce the risk of insolvency. There’s also European Market Infrastructure Regulation (EMIR), which relates to OTC derivatives, regulatory reporting and risk management and is heavily dependent on counterparty and trade data.
International Financial Reporting Standards (IFRS) is designed as a common global language for business affairs to ensure standards are maintained in accounting and financial data across international boundaries. Anti-money laundering (AML) and Know Your Customer (KYC) regulations both relate to data systems management, data quality and overall data management.
Add to that data privacy, with the EU Data Protection Regulation (GDPR) in the European Union, Personally Identifiable Information (PII) and Gramm-Leach-Bliley Act (GLBA) for credit related PII in the US, and similar versions of the same laws in other countries, it leaves no doubt as to the strong relationship between data and regulation.
However, despite the importance of all the above-mentioned data-related legislation, BCBS 239 is key. Focused on risk data aggregation (RDA – to improve data sharing and finely tune risk management) and reporting, data quality, lineage, aggregation and infrastructure, BCBS 239 is the one case where instead of answering a specific question, organisations are being asked to prove that data governance has practical application. In short, if you get BCBS 239 right, then all the other data governance should fall into place.
Effective ownership of data
Being able to demonstrate effective ownership and stewardship of data elements is key to both BCBS 239 and data governance. Similarly, BCBS 239 shines a light on the need for clear data ontology and evidence of control. The opportunity this affords for Chief Data Officers to demonstrate the value of the architecture and control they have put in place is enormous. It is also a valuable vehicle for allocating funding to enhance data governance processes.
Unfortunately getting BCBS 239 right is not as simple as it sounds. There are significant challenges in implementing the legislation with respect to delivery of the programme itself and the associated technical aspects. There are also a variety of challenges in the interpretation of the requirements and attestation due to the ambiguous nature of the regulations and each bank’s structure and BCBS 239 programme.
BCBS 239 also presents challenges in capturing the business outcomes of data governance processes and requires a culture of data compliance across all infrastructure, both legacy and strategic. Many of these challenges are also significant opportunities to expand the remit and benefits of data governance controls and processes.
So why do we care, and what are the benefits of a strong data governance framework beyond meeting reporting requirements? Firstly, regulators want to know that banks are caring for information in a proper manner so the people who need it, have it, and have confidence in it. Secondly, a defined data governance regime gives regulators faith that banks have systems in place for collecting, storing, maintaining and gathering the correct information.
In addition, a clear data governance structure reduces the need for a one-off reactionary data management project every time a new regulation or compliance requirement comes up. Strong data governance also includes human resources that can create and implement strategies and process to maintain data integrity. Moreover, strong data governance enables an organisation to respond to new and updated regulations by having flexible processes and procedures in place.
Effective data governance policy
However, like any process or way of working, for a data governance policy to be effective it needs to be embedded into the culture of the business. Processes and systems for updating data need to be thoroughly explained and the importance of maintaining its accuracy emphasised continuously.
Effective data governance is reliant on data integrity, uniformity and correctness. To get there, organisations must start with a firm understanding of their data flow and lineage. Without this thorough understanding of where the data has come from, it is difficult for an organization to vouch for the quality of its data and for the data to be useful in a regulatory context.
Regulation is a significant enabler of data governance and a fantastic opportunity to spread the benefits of good data control throughout an organisation.