Data Governance for Financial Institutions




Data Governance for Financial Institutions: Regulatory Compliance Requires More Than Just Technology

A White Paper by Raj Chaudhary, Michael Del Giudice, Tapan P. Shah, and Christopher J. Sifter
Crowe Horwath LLP (Audit | Tax | Advisory | Risk | Performance)
August 2013

Financial institutions today face changing regulatory requirements. They also have new ways of generating data and regularly add new data sources. As a result, they typically encounter a variety of data quality, accessibility, and security challenges. Although regulatory requirements drive many of these concerns and technology is an important part of the solution, focusing on compliance and software alone will not address the issue adequately. Banks and other financial institutions need a comprehensive data governance structure and a well-planned and well-executed strategy for implementing it.

As banks and other financial institutions work to comply with today's rapidly changing regulatory requirements, the limitations of their existing data management processes and systems become more and more apparent. While the initial reaction to this situation is to focus on technology solutions, software alone cannot overcome the shortcomings and achieve the needed results. In addition to implementing new systems and processes, a financial institution must take action on the foundational element of how its data is managed and governed. Effective data governance (the collection, management, protection, and delivery of data) requires an enterprisewide commitment that addresses the institution's organizational structure, management systems, and process controls in addition to specific technology tools and solutions. With proper planning and careful execution, a data governance initiative can help management to move beyond focusing on compliance alone and to begin opening new opportunities for operational improvements that add genuine, long-term value to the entire organization.

Trends

The need for effective data governance is driven by the following current trends:

- Complex and evolving regulatory requirements
- New uses and business requirements for existing data
- New demands stemming from changes in banking technology
- Risk, security, and privacy concerns

Each of these trends has significant effects on how financial institutions approach their data governance.

Complex and Evolving Regulatory Requirements

Among the many new regulatory compliance challenges, those stemming from the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) have probably attracted the most widespread attention. Dodd-Frank introduced several new regulatory agencies, each with its own new set of priorities, standards, and enforcement mechanisms that directly affect how institutions access, manage, and report data. For example, Dodd-Frank established the Office of Financial Research (OFR) to identify not only the potential risk of institutional failure but also the effect such a failure would have on the industry as a whole and the broader economy. This significant departure from regulators' traditional role requires the collection of additional data in order to track many complex counterparty relationships among various institutions.

At a more fundamental level, the Federal Reserve's Comprehensive Capital Analysis and Review (CCAR) stress tests are imposing further data management demands on a growing number of institutions. In some cases, banks are required to report historical data going back several years in order to identify patterns and trends. This requirement adds another layer of complexity to the data management and accessibility challenges.

In addition to these new demands, banks must also remain focused on compliance with other data-intensive reporting requirements, including those related to anti-money-laundering (AML) regulations, the Bank Secrecy Act (BSA), and the USA PATRIOT Act. As with Dodd-Frank, effective BSA/AML compliance depends not only on robust IT system capabilities but, to a greater degree, on sound data management. [1]

The global regulatory standards on bank capital adequacy and liquidity agreed to by the members of the Basel Committee on Banking Supervision (commonly referred to as Basel III) also present data-related challenges. In this regard, the U.S. Office of the Comptroller of the Currency and the Federal Reserve System recently adopted a final rule that revises their key regulatory capital definitions and establishes new capital requirements and leverage ratios. In order to comply with these new requirements, banks' management teams must be able to quickly access and analyze large amounts of accurate IT-generated data from both internal and third-party sources.

New Uses and Business Requirements for Existing Data

As institutions upgrade their data management capabilities to meet various regulatory requirements, flexibility and quick response are priorities. In addition, however, many institutions now recognize that their data management strategies are also falling short in terms of accuracy, reliability, and security. The investment required to make data and information systems more effective can be sizable, leading many executives to look for ways of getting additional benefits from the investment. The goal is to turn the compliance effort, which is viewed as a cost center, into an initiative that produces additional benefits to the organization.

As a result, banks and other institutions are finding new ways to use the large amounts of data that reside in their systems, for example to monitor organization performance, improve customer service, or target their marketing efforts more precisely. Customer segmentation, customer relationship management, direct marketing, and product pricing decisions often benefit from the ability to access and analyze data in new ways. This expanded use of data complicates the data management strategy, however, as management now requires more granular detail, greater accessibility, new storage platforms capable of handling big data, and more powerful and responsive analytics systems. At the same time, organic growth and renewed merger and acquisition (M&A) activity add further complexity, as formerly disparate systems must be integrated.

New Demands Stemming From Changes in Banking Technology

Another complicating factor in financial institution data management is the array of new products and services expected by today's consumers. Mobile and online banking technology, social networking applications, and expansion into new geographic markets make it necessary to deploy increasingly broad and sophisticated technology solutions. Institutions also must collect and manage additional data attributes to meet regulatory compliance requirements for these new products and services.

On a broader scale, data management in general is also changing rapidly. For example, in the past storage capacity was typically a limiting factor. Today, however, storage is considerably less costly, and network capacity and bandwidth are significantly more robust. Moreover, greatly expanded storage is only one aspect of the changing data management picture. Equally dramatic advances are being made that streamline access, simplify complex data issues, and control the magnitude of the overall effort through the application of well-chosen technology.

These changes have important implications for data governance. For example, to keep storage costs under control, early data-capture strategies focused on identifying and storing only the information essential to carrying out a transaction. Now, with data storage costs dramatically lower, the goal is to capture and maintain as much information as possible about a transaction. The challenges that grow out of this shift in approach relate primarily to questions of access and speed, with management teams growing more reliant on the ability to immediately access and quickly sort through massive amounts of data to find the information they need.

Risk, Security, and Privacy Concerns

Data security and the privacy of personal financial information are also areas of significant regulatory concern. Compliance with the notification requirements and other policies required by the Gramm-Leach-Bliley Act is directly affected by a financial institution's data management systems. State and international privacy and security requirements also apply to many institutions.

Privacy and data security also matter from a customer relations and marketing perspective. Identity theft and the protection of personal information are of increasing concern to consumers of financial services. To support the higher standards expected by customers and regulators alike, an institution's data governance structure must directly address the quality, integrity, and accessibility of data.

Gaps

Most institutions recognize the need for improving data access, quality, and security. Many also recognize that they have important data shortcomings, such as concerns about data quality, accuracy, access, or availability. What they are missing, however, is a clear strategy for addressing these concerns. While the initial reaction to data issues is to seek a technology solution, in most instances simply installing additional software will do little to address the underlying cause of the problem. Another common reaction, appointing a task force and assigning responsibility for fixing data problems, often leads to less than satisfactory results if it is not accompanied by a well-structured and carefully considered strategy to provide direction to the effort.

Without a clear data governance structure, every new regulation or compliance requirement prompts a one-off reaction in the form of a specific new data management project. The result is a significant duplication of effort, since each new project must begin from the bottom and move upward. In many instances, the same data issues are addressed by several compliance projects, often simultaneously, as various task forces rush to meet their individual compliance deadlines. Beyond the immediate waste and duplication this approach causes, even greater data issues will arise in the future because the various pieced-together solutions remain disconnected from each other and from the institution's overall data management strategy. Eventually, the numerous one-off solutions lead to a situation in which the institution houses many individual, disparate sources of data with no clear, single, reliable source of critical information or "source of truth." Moreover, as each new tool or software solution is layered on top of existing system elements, the data system grows increasingly complex, cumbersome, and difficult to manage.

Challenges

When designing, developing, and implementing comprehensive data governance structures, financial institutions can expect to encounter a number of recurring challenges, including the following:

- Changing regulatory requirements. One critical area of uncertainty is the question of how far back institutions might be required to search as they compile historical data and transactional histories. To comply with the new data requirements, banks often find it necessary to hire temporary workers to manually transcribe, digitize, or reformat historical data that has been stored in paper files, as image files, or in outdated electronic formats.

- Data quality. Data quality is always a concern for the users of institutional information, who must make sure they have the right data, that it is recorded consistently, and that it is error-free. This challenge is complicated in many instances by the fact that the original source of critical data may be a third party, operating under a completely different set of data quality criteria. Another data quality concern is that it is sometimes difficult to identify who within the bank is responsible for data quality improvement initiatives.

- A large number of stakeholders, with ambiguous data-related roles and responsibilities. Those with an interest in a financial institution's data governance structure include not only the IT and compliance departments but also the various lines of business, many of which might have conflicting priorities. In addition, there is often a lack of clarity about the differing responsibilities of the data owners (that is, the business or systems personnel who are responsible for entering and maintaining certain data) and the data stewards, who are responsible for the movement, management, and standardization of the data.

- Lack of trust and confidence on the part of data users. One direct result of data quality problems is a lack of confidence in the accuracy and availability of data on the part of the business users who need information to perform their duties. This matters because the typical response to this lack of confidence is for individuals to develop their own minisystems that give them access to information when they need it, a practice that opens a variety of new issues. Eventually, these freestanding data sources and single-user spreadsheets become primary sources, but because they are outside the organization's data governance structure, they are not kept current by any automated processes, are not widely accessible, are backed up sporadically, and are usually extremely vulnerable to security breaches.

- Data silos and multiple sources of data. One of the most common data-related challenges banks face is a lack of integration among the various data systems and subsystems. As noted, information that is compiled for regulatory and compliance purposes can often be valuable for marketing and strategic planning purposes as well. But with the data stored in disconnected systems, departments with common interests often duplicate each other's efforts while producing information that is consistent in neither quality nor format throughout the entire organization.

- System integration challenges. Introducing new data management capabilities into existing systems often poses system integration challenges. These challenges become increasingly difficult to address as legacy systems age and new systems grow more complex. This issue is often exacerbated by M&A activities, which introduce even more diversity into the organization's IT universe.

- Tactical, reactionary data projects. Financial institution staffs are often stretched thin, with critical resources focused primarily on the day-to-day operation of the business. As a result, long-term data projects often are postponed repeatedly, with every new regulatory requirement or unexpected operational challenge necessarily taking precedence.

Solutions

Just as there is no universally accepted definition of the term "data governance," there is also no single, one-size-fits-all approach to developing and implementing effective data governance in financial institutions. However, based on experience with various financial institutions, we can offer some fundamental observations. It is helpful to visualize the data governance structure as a comprehensive framework that rests on four pillars: the collection, management, protection, and delivery of critical data. These four components form the foundation for an effective data governance approach.

1. Collection: Quality and Standards

The first step to implementing data governance is establishing enterprisewide standards for the way various pieces of data are collected, entered, and stored in the financial institution's systems. Typical questions to be answered include:

- What standards should we have in place for data collection?
- Which data should be collected through a list of predefined fields rather than with free-form text?
- How do we make sure data is collected in one field only, rather than collecting the same thing in numerous places, which allows inconsistencies to enter the system?
- How do we assure the quality of data that is collected?

One particularly challenging question is: How do we make sure the same information is always entered into the system in the same way? For example, the data governance structure should define how city, state, and country names are entered and make sure that abbreviations or numerical codes are used consistently throughout the enterprise. The institution could be exposed to higher levels of risk if counterparty relationships are not recognized because of seemingly minor inconsistencies in spelling, abbreviations, or coding. Such inconsistencies lead institutions to deploy fuzzy matching rules, which bring their own systematic and operational issues.

Documentation is critical to this phase. Not only must the data governance structure document how data was sourced and collected, it also must document why and in what format the data was collected.

2. Management: Integration, Architecture, and Systems

The management element of data governance addresses the questions of who owns the data, who is accountable for maintaining it, and how the data is going to be integrated or used. As noted before, there is often confusion about the roles of data owners (the people who enter, retrieve, and use the data) and the roles of data stewards or custodians (the people responsible for moving, cleaning, and standardizing the data). Data stewards are not necessarily accountable for making sure the data being managed serves business needs, but they are the ones responsible for solving data-related technical problems.
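The collection standards discussed above (predefined fields instead of free text, one canonical spelling for state and country values, and the counterparty-matching risk when those values drift) can be made concrete in code. The following is an added example, not code from the white paper or from Crowe Horwath; the lookup tables, the Counterparty record layout, the function names, and the sample records are all constructed for illustration. It maps each free-text value to a canonical code, groups records by the resulting key, and rejects records whose values are not in the enterprise standard instead of storing them, so the institution sees the data quality problem at entry time rather than discovering it later through fuzzy matching.

```python
"""Canonical-code validation and counterparty matching.

Added example (not from the Crowe white paper). It shows why the paper
recommends predefined fields over free text: three records for one
counterparty that differ only in the spelling or abbreviation of a state
or country are recognised as one entity only after every value has been
mapped to a single canonical code. Records that cannot be mapped are
rejected for review instead of being silently stored.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed lookup tables for this example; a real institution would
# maintain the full ISO 3166 / USPS code sets as its enterprise standard.
STATE_CODES: Dict[str, str] = {
    "IL": "IL", "ILL": "IL", "ILLINOIS": "IL",
    "NY": "NY", "NEW YORK": "NY",
}
COUNTRY_CODES: Dict[str, str] = {
    "US": "US", "USA": "US", "UNITED STATES": "US",
    "GB": "GB", "UK": "GB", "UNITED KINGDOM": "GB",
}


@dataclass(frozen=True)
class Counterparty:
    name: str
    city: str
    state: str      # empty for jurisdictions without a state field
    country: str


def normalise_text(value: str) -> str:
    """Upper-case, drop periods ("U.S." -> "US") and collapse whitespace."""
    return re.sub(r"\s+", " ", value.upper().replace(".", "")).strip()


def canonical_state(value: str) -> Optional[str]:
    cleaned = normalise_text(value)
    if cleaned == "":
        return ""                      # legitimately absent
    return STATE_CODES.get(cleaned)    # None -> value outside the standard


def canonical_country(value: str) -> Optional[str]:
    return COUNTRY_CODES.get(normalise_text(value))


def validate_record(cp: Counterparty) -> List[str]:
    """Return the data quality issues that block canonicalisation."""
    issues = []
    if canonical_state(cp.state) is None:
        issues.append(f"unknown state value {cp.state!r}")
    if canonical_country(cp.country) is None:
        issues.append(f"unknown country value {cp.country!r}")
    return issues


def canonical_key(cp: Counterparty) -> Optional[Tuple[str, str, str, str]]:
    if validate_record(cp):
        return None
    return (normalise_text(cp.name), normalise_text(cp.city),
            canonical_state(cp.state), canonical_country(cp.country))


def group_counterparties(records):
    """Group record indices by canonical key; return (groups, rejected)."""
    groups: Dict[tuple, List[int]] = {}
    rejected: List[int] = []
    for idx, cp in enumerate(records):
        key = canonical_key(cp)
        if key is None:
            rejected.append(idx)
        else:
            groups.setdefault(key, []).append(idx)
    return groups, rejected


def duplicate_groups(records) -> List[List[int]]:
    groups, _ = group_counterparties(records)
    return [ids for ids in groups.values() if len(ids) > 1]


def naive_duplicate_groups(records) -> List[List[int]]:
    """Exact-match grouping on the raw free text, for comparison."""
    groups: Dict[tuple, List[int]] = {}
    for idx, cp in enumerate(records):
        groups.setdefault((cp.name, cp.city, cp.state, cp.country), []).append(idx)
    return [ids for ids in groups.values() if len(ids) > 1]


# Constructed sample input: three spellings of one US counterparty, two of
# one UK counterparty, and one record with a typo in the state field.
SAMPLE_RECORDS = [
    Counterparty("Acme Holdings", "Chicago", "Illinois", "USA"),
    Counterparty("ACME Holdings", "Chicago", "IL", "U.S."),
    Counterparty("Acme  Holdings", "Chicago", "Ill", "United States"),
    Counterparty("Bluewater Capital", "London", "", "UK"),
    Counterparty("Bluewater Capital", "London", "", "United Kingdom"),
    Counterparty("Northwind Bank", "Chicago", "Ilinois", "US"),
]

if __name__ == "__main__":
    print("raw exact-match duplicates:", naive_duplicate_groups(SAMPLE_RECORDS))
    print("canonical duplicates:", duplicate_groups(SAMPLE_RECORDS))
    _, rejected = group_counterparties(SAMPLE_RECORDS)
    for idx in rejected:
        print(f"record {idx} rejected:", validate_record(SAMPLE_RECORDS[idx]))
```

On the sample data the exact-match comparison finds no duplicates at all, while the canonical key groups the three Acme records and the two Bluewater records together and flags the misspelled state for review. The same pattern applies to any coded field the governance structure standardizes; the point is that the standard is enforced at the collection boundary rather than reconstructed afterwards.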

The organizational structure, roles, review, and oversight responsibilities of the various personnel involved are defined during the management phase of data governance, and so are the process and technology elements, that is, the policies, procedures, and management processes used to define controls of the business system along with the software tools and systems used to manage the data. Here again, documentation and standardization are essential.

3. Protection: Identification, Classification, and Access Control

It is important to recognize that data privacy and security are not solely the responsibility of the IT department. Although IT plays a major role in helping to develop, select, and implement appropriate solutions, all stakeholders share responsibility for the overall success of the effort. To defend against the various threats and comply with the growing body of state and federal laws and regulations, every financial institution needs to develop an enterprisewide data privacy-protection program, and it must accomplish four specific goals:

- Identify and document what data the organization has and where it is stored.
- Classify the data based on its sensitivity.
- Protect the data by defining control standards for data at various stages of its use.
- Respond in the event of a security breach.

Prioritization is critical in this part of the data governance effort. An effective program will focus on protecting the highest-value information, particularly customer-identifiable information such as customer names and taxpayer identification numbers, as opposed to low-risk data fields.

One data protection trend in recent years is a shift in thinking about the nature of security threats. In many instances, financial institutions have evolved from a breach avoidance mindset to a breach protection approach. In other words, rather than relying on security protocols to safeguard the entire data structure against any sort of intrusion, many organizations now assume the worst: they recognize that their data security protections will eventually be breached and implement controls to minimize the likelihood that an attacker will be able to extract data once inside the organization.

4. Delivery: Reporting, Analytics, and Aggregation

Finally, the data governance structure must define how data is dispersed and delivered to the appropriate users. This includes defining how data is extracted from the system and entered into the various reports that must be filed for compliance, and how data is disseminated to provide inputs into performance dashboards and other reporting systems.
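The protection goals listed above (identify, classify, protect) and the delivery step that follows them can be tied together in a small piece of code. This is an added example, not code from the white paper or from Crowe Horwath; the data inventory, the sensitivity classes, the audience names, the placeholder key, and the sample record are constructed for illustration. It records where each field lives and how sensitive it is, lets the control standard for each report audience decide what leaves the system in clear, pseudonymizes customer-identifiable fields for audiences that are not cleared for them, and withholds any field that nobody has classified, which is one practical way of making the "identify and classify first" priority enforceable rather than advisory.

```python
"""Classification-driven delivery controls.

Added example (not from the Crowe white paper). A data inventory records
what each field is and where it lives (identify) and assigns it a
sensitivity class (classify); a per-audience control standard decides
what leaves the system in clear (protect). Customer-identifiable fields
are pseudonymised with a keyed hash for audiences below their clearance,
and any field missing from the inventory is withheld, so unclassified
data never reaches a report or dashboard.
"""
import hashlib
import hmac
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Sensitivity(Enum):
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3   # customer-identifiable information


# Constructed data inventory: field name -> (system of record, class).
DATA_INVENTORY: Dict[str, Tuple[str, Sensitivity]] = {
    "customer_name":   ("core_banking", Sensitivity.CONFIDENTIAL),
    "tin":             ("core_banking", Sensitivity.CONFIDENTIAL),
    "account_balance": ("core_banking", Sensitivity.INTERNAL),
    "product_type":    ("crm",          Sensitivity.INTERNAL),
    "branch_code":     ("core_banking", Sensitivity.PUBLIC),
}

# Control standard: the highest class each delivery audience may receive in clear.
AUDIENCE_CLEARANCE: Dict[str, Sensitivity] = {
    "regulatory_report":   Sensitivity.CONFIDENTIAL,
    "internal_dashboard":  Sensitivity.INTERNAL,
    "marketing_analytics": Sensitivity.INTERNAL,
}

# Placeholder key for the example only; a real deployment would hold the
# key in a key management system, never in source code.
PSEUDONYM_KEY = b"example-only-pseudonym-key"


def classify(field: str) -> Optional[Sensitivity]:
    entry = DATA_INVENTORY.get(field)
    return entry[1] if entry else None


def highest_value_fields() -> List[Tuple[str, str]]:
    """Where protection effort goes first: CONFIDENTIAL fields and their location."""
    return [(f, loc) for f, (loc, cls) in DATA_INVENTORY.items()
            if cls is Sensitivity.CONFIDENTIAL]


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic token: joins across reports still work, the value does not leak."""
    return hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def prepare_for_delivery(record: Dict[str, object], audience: str,
                         key: bytes = PSEUDONYM_KEY):
    """Apply the control standard for `audience`; return (delivered, withheld)."""
    if audience not in AUDIENCE_CLEARANCE:
        raise ValueError(f"no control standard defined for audience {audience!r}")
    clearance = AUDIENCE_CLEARANCE[audience]
    delivered: Dict[str, object] = {}
    withheld: List[str] = []
    for field, value in record.items():
        cls = classify(field)
        if cls is None:                      # not in the inventory -> never delivered
            withheld.append(field)
        elif cls.value <= clearance.value:   # within clearance -> in clear
            delivered[field] = value
        else:                                # above clearance -> pseudonym
            delivered[field] = pseudonymize(str(value), key)
    return delivered, withheld


# Constructed sample record; "notes" is deliberately absent from the inventory.
SAMPLE_RECORD = {
    "customer_name": "Jane Doe",
    "tin": "123-45-6789",
    "account_balance": 1500.25,
    "product_type": "mortgage",
    "branch_code": "CHI-01",
    "notes": "free text entered by a teller",
}

if __name__ == "__main__":
    for audience in AUDIENCE_CLEARANCE:
        print(audience, prepare_for_delivery(SAMPLE_RECORD, audience))
    print("highest-value fields:", highest_value_fields())
```

For the regulatory report the name and taxpayer identification number are delivered in clear; for the internal dashboard both are replaced by a keyed token, the balance and product type pass through, and the unclassified "notes" field is withheld in every case. Keying the pseudonym rather than hashing the raw value is what stops a recipient of the dashboard from reversing short, structured values such as TINs by exhaustive guessing.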

Key components of this element include integrating and creating reports and analytics, in other words, taking data that has been cleansed and aggregating it for use elsewhere. The various integrations, reports, websites, portals, and dashboards must be documented in detail, with their specific input requirements spelled out accurately, so that data users will have confidence in both the quality of the data and their ability to access it. This is essential in order to avoid the temptation to develop individual, stand-alone databases that are outside the data structure and control of the financial institution.

It is also important to note that data reporting goes beyond providing access to data to the decision makers who use the information. The reporting component must also address those who are responsible for maintaining data quality and the overall health of the data governance process. In many instances, the ultimate users of data and those responsible for data quality and governance represent two distinct parts of the organization; the reporting system must address all of the relevant audiences.

Conclusion

A comprehensive and effective data management strategy, which defines how data is sourced and made available throughout the organization, can be of great value. It enables a financial institution to respond to new regulatory requests in the context of a controlled and efficiently managed initiative. But the benefits of effective data governance extend beyond regulatory compliance alone.

In addition to streamlining the collection, management, protection, and delivery of data for regulatory and reporting purposes, an effective data governance initiative can play a vital role in a financial institution's performance improvement as well as its strategic planning. Reliable access to accurate data also results in better business intelligence, helping to retain existing customers and support new business opportunities. By using data to spur operational improvements and enhance strategic initiatives, a financial institution can begin to recoup some of the costs it incurs in data management.

[1] For a more detailed discussion of regulatory compliance and the associated data requirements, see the other white papers in this series: Gregory B. Hahn and Tapan P. Shah, "Using IT to Respond to Regulatory Challenges: How Financial Institutions Can Use Technology to Go Beyond Compliance," September 2012, http://www.crowehorwath.com/contentdetails.aspx?id=5048; and Brookton N. Behm, Gregory W. LeMond, and Tapan P. Shah, "AML System Design and Implementation: Aligning Regulatory, Business, and Technological Requirements," February 2013, http://www.crowehorwath.com/contentdetails.aspx?id=5814.

Contact Information

Raj Chaudhary, CGEIT, CRISC, is a principal with Crowe Horwath LLP in the Chicago office. He can be reached at 312.899.7008 or raj.chaudhary@crowehorwath.com.

Mike Del Giudice, CISSP, CRISC, is with Crowe in the Chicago office. He can be reached at 630.575.4359 or mike.delgiudice@crowehorwath.com.

Tapan Shah, CAMS, PMP, is with Crowe in the Chicago office. He can be reached at 630.586.5113 or tapan.shah@crowehorwath.com.

Chris Sifter, PMP, is with Crowe in the Chicago office. He can be reached at 312.857.7363 or chris.sifter@crowehorwath.com.

www.crowehorwath.com

When printed by Crowe Horwath LLP, this piece is printed on Mohawk Color Copy Premium, which is manufactured entirely with Green-e certified wind-generated electricity.

Crowe Horwath LLP is an independent member of Crowe Horwath International, a Swiss verein. Each member firm of Crowe Horwath International is a separate and independent legal entity. Crowe Horwath LLP and its affiliates are not responsible or liable for any acts or omissions of Crowe Horwath International or any other member of Crowe Horwath International and specifically disclaim any and all responsibility or liability for acts or omissions of Crowe Horwath International or any other Crowe Horwath International member. Accountancy services in Kansas and North Carolina are rendered by Crowe Chizek LLP, which is not a member of Crowe Horwath International. This material is for informational purposes only and should not be construed as financial or legal advice. Please seek guidance specific to your organization from qualified advisers in your jurisdiction.

2013 Crowe Horwath LLP RISK13904