1/16/19 - Seizing the Day to Improve Data and Systems
Home > News & Insights > Insights & Publications

1/16/19 - Seizing the Day to Improve Data and Systems

The current deregulatory trend in the U.S. may lead certain financial institutions to de-emphasize investment in initiatives to improve risk management and regulatory compliance functions. However, improvements in data management and underlying technology systems can increase the effectiveness and efficiency of these functions and contribute to improved corporate governance and revenue generation. Regulatory agencies are continuing to focus on data and systems as key enablers of these functions, including, increasingly, specific focus on the level of investment. Concerns regarding data privacy, evidenced by new regulations and continuing supervisory focus, provide another impetus to strengthen corporate governance and oversight of data management, and to make the investments necessary to implement data-management objectives. History and recent experience have shown that a lack of focus and investment in data and systems could lead to negative or even catastrophic outcomes, while continued advances in data management capabilities and technology can facilitate the execution of initiatives that generate significant business value.

Data and Systems a Growing Priority

At the beginning of the financial crisis, circa 2007, many financial institutions had difficulty identifying, aggregating, and reporting financial risks. For certain institutions, a complete picture of risk to a given counterparty could take days or weeks to assemble, and the accuracy of the institutions’ risk information was often questionable. These challenges sparked new regulatory requirements and enforcement actions, including the Basel Committee on Banking Supervision’s standard number 239, which mandates risk-data aggregation and reporting principles. BCBS 239 was developed with industry consultation and published in January 2013. However, of the 30 global banks that were designated as systemically important in 2011 and 2012 and were required to adopt the principles by January 2016, only three banks have been assessed by their supervisors as achieving full compliance, eight fewer than were expected to be in full compliance by this time based on the prior year’s assessment.1 Nonetheless, application of the principles has become a regulatory expectation for data that supports numerous other regulatory compliance obligations beyond risk-data aggregation and reporting, such as anti-money-laundering compliance. This expectation includes transparency and oversight of data-related initiatives at the board and senior management levels, including regarding the adequacy of funding to execute planned improvements.

The BCBS’ most recent progress report on BCBS 239 adoption echoes the increased supervisory focus on data and systems that financial institutions face on matters of this nature, as well as the attendant additional costs to those institutions. The report states: “Some supervisors have raised their concerns with the banks about the slow implementation progress after the deadline of 2016 and informed them that their compliance with the Principles will be factored into the overall supervisory review and hence could potentially result in a higher Pillar II capital add-on.”

Some observers may believe that the industry has learned its lessons from the financial crisis, and that adopting the BCBS 239 principles has become more complex than expected for a number of seemingly valid reasons. They may also cite numerous examples of clarification and proposals to U.S. supervisory guidance that further tailor supervision and regulation, as well as the enactment of legislation such as the Economic Growth, Regulatory Relief, and Consumer Protection Act, which raised the asset threshold for enhanced prudential standards under the Dodd-Frank Act from $50 billion to $100 billion. While these observations have some merit, several other recent events point to increasing expectations among global regulators that institutions should manage data and systems effectively. In some cases, when the investments required to improve data and systems have not been completed in a timely manner, there have been serious repercussions.

One key recent example of the increased focus on data and systems can be seen in the New York Department of Financial Services Part 504 certification. Each institution regulated by the NYDFS is required to submit an annual board or senior-officer certification of compliance with requirements regarding, among other things, data used for transaction monitoring and filtering. For example, firms must 2:

  • Identify all sources of “relevant” data
  • Validate the integrity, accuracy, and quality of data
  • Confirm that data-extraction and loading processes ensure a complete and accurate transfer of data from source systems to automated monitoring and filtering systems
  • Conduct end-to-end testing, including reviews of governance, data mapping, data matching, and data input
  • Secure funding to design, implement, and maintain transaction-monitoring and filtering programs that comply with Part 504 requirements

Funding questions from supervisory agencies are certainly not limited to the NYDFS’ requirement for certification on AML compliance. Other agencies are increasingly focusing on an array of funding matters; for example, requiring funding to be explicitly enumerated as part of remediation plans submitted in response to enforcement actions.

Regulated institutions were required to provide their first annual certification of NYDFS Part 504 compliance by April 15, 2018. While BCBS 239 and NYDFS Part 504 provide clear examples of continued and increasing regulatory focus on data and systems, one does not need to look beyond the daily news to see why continued investment in data and systems is important. 

Recently, numerous examples of regulatory actions for AML noncompliance have received significant media attention. Regulatory focus on AML compliance has indeed increased of late, particularly among members of the European Union, where EU governments have reached a preliminary agreement to clamp down on money laundering by strengthening bank supervision. In several recent cases, decisions to forgo investments in data and systems have directly contributed to significant lapses in compliance and resulted in severe regulatory actions. Issued public actions also indicate a focus on financial institutions’ board and senior-management oversight of data and systems. Any EU bank that is hesitating to invest in data and systems to support AML compliance should strongly consider moving forward with these investments now, given the increasingly inclement regulatory climate.

There has also been extensive press coverage on a near-daily basis of investigations in the EU and elsewhere into how customer data has been governed, managed, and leveraged by social media companies, which is also making increasing societal and governmental concerns strikingly clear. The recent implementation of the General Data Protection Regulation3 in the EU, which has implications — including requirements — for enhanced customer-data controls for global businesses, and the California Consumer Privacy Act,4 which goes into effect on Jan. 1, 2020, further highlight regulators’ increased focus on data.

Supervisors are increasingly focusing on effective governance and timely improvements to the data and systems supporting not only the aforementioned areas of AML compliance and enterprise risk management, but also regulatory and financial reporting, capital planning, liquidity management, cybersecurity, and credit risk management, to name a few. In each of these areas, regulatory expectations regarding data and systems have been made clear through discussions with institutions or, in cases where expectations have not been met, enforcement actions. Such actions frequently highlight board and senior-management oversight and require information on planned remediation funding.

How We Can Help

Promontory, an IBM Company, understands the benefits that new, innovative uses of data and technology can have on efficiency and growth. Through our relationship with IBM, we’re able to identify and capitalize on new opportunities to leverage advanced data-analysis and artificial-intelligence capabilities. For example, we’ve seen how the same customer and transaction data and relationship-identification technology used for AML investigations can be leveraged to identify relationships with, and referrals to, prospective customers, not to mention new opportunities with existing customers. We’ve seen how data and technology used in the first line of defense by businesses to implement controls can, when maintained properly, be leveraged — rather than duplicated — for second-line-of-defense monitoring and testing. The third line of defense, internal audit, can also leverage data that is well maintained by the first and second lines to conduct audits in a manner efficient for all parties while reducing the number of audit findings arising from problems such as gaps in audit trails. Effectively managing data allows businesses to understand customer behavior more quickly and predictively market incremental products and services. Proactively identifying and ensuring the realization of the business benefits of data-management enhancements can provide the “carrot” for front-office business engagement and the necessary business ownership of data management improvements.

Supervisory agencies may also be envisioning the promise of advanced data analysis and technological capabilities. On Dec. 3, 2018, five U.S. federal agencies issued a joint statement5 encouraging depository institutions to explore innovative approaches to meet their Bank Secrecy Act and AML compliance obligations and further strengthen the financial system against illicit financial activity. “Private sector innovation, including new ways of using existing tools or adopting new technologies, can help banks identify and report money laundering, terrorist financing, and other illicit financial activity by enhancing the effectiveness and efficiency of banks,” the agencies stated. “These types of innovative approaches can maximize utilization of banks’ BSA/AML compliance resources.”

Advances in data management and technology allow us to envision a bright future for businesses who seize the opportunity. We would be pleased to further explain how we can help your firm bolster its data-management capabilities.

Contact Us

Manuel Schnaidman
Managing Director
mschnaidman@promontory.com
+1 212 542 6843

James Pastro
Director
jpastro@promontory.com
+1 212 542 6830


FOOTNOTES

1. “Progress in Adopting the Principles for Effective Risk Data Aggregation and Risk Reporting,” Basel Committee on Banking Supervision (June 2018).

2. “Part 504 Banking Division Transaction Monitoring and Filtering Program Requirements and Certifications,” New York Department of Financial Services (Jan. 1, 2017).

3. “Regulation of the European Parliament and of the Council on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation),” European Union (April 27, 2016).

4. “The California Consumer Privacy Act of 2018,” California Office of Legislative Counsel (June 28, 2018).

5. “Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing,” Office of the Comptroller of the Currency, Federal Reserve Board, Federal Deposit Insurance Corporation, National Credit Union Administration, and Financial Crimes Enforcement Network (Dec. 3, 2018).