Seizing an opportunity to improve data relationships with third parties
Regulators are focusing on the data relationships financial services organizations have with third parties, including how well personal information is being managed within them. They are creating a layer of rules about third party risk, operational resilience, and cybersecurity whose impact goes above and beyond that of new data privacy laws such as the EU’s GDPR and California’s CCPA. And as with personal information regulations, the rulemaking has only just begun.
Financial services firms should be looking closely at data, including sensitive personal information, within their third party data relationships as well, but not just to meet compliance goals. Approached in the right way, these new regulatory requirements open the door for organizations to take a more strategic approach to their data relationships with third parties. Data is the water that enables digital transformation to flourish, so a robust approach to managing data, including personal data, within third party relationships can become a competitive advantage. For example, FinTech and RegTech companies are very interested in working with companies that have a strong framework for managing data, including personal data.
Exploring third party data relationship risk
There are several areas of work in the international financial services regulatory community that touch on third party personal data relationships. The first is “operational resilience”: after an incident such as an IT failure, a flood in a data center or a cyberattack, organizations need to be able to keep functioning at a level that does not cause harm to customers, the company, or the financial system. This means that third parties, particularly critical ones, need to be able to recover too. Data, and especially personal data, must be kept safe and secure and remain usable operationally after an incident. To achieve this, many relationships between financial firms and third parties will need to deepen into real partnerships.
1) Regulators are publishing prolifically on operational resilience. In December 2019, the UK Financial Conduct Authority (FCA) issued Building operational resilience: impact tolerances for important business services. In the EU, Digital Operational Resilience Framework for financial services: Making the EU financial sector more secure came out. In January 2020, the US Office of Compliance Inspections and Examinations (OCIE), part of the US Securities and Exchange Commission (SEC), published Cybersecurity and Resiliency Observations. This follows revisions in November 2019 to the US Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook to focus more on resilience.
2) Regulators are also looking more closely and explicitly at third party data relationships in their own right. For example, in December 2019 the Bank of England launched a consultation, Outsourcing and Third Party Risk Management. This follows the European Banking Authority’s Guidelines on Outsourcing Arrangements, which came into force in 2019, and guidance on third party risk management from the US Office of the Comptroller of the Currency, which was updated in 2017.
Regulators are keen to protect data flows between financial firms and third parties throughout the whole relationship lifecycle. For example, firms must be able to audit third parties for compliance with data handling and privacy rules, and third parties must delete an organization’s personal information databases at the end of a relationship. Regulators are also looking more closely at how data, including personal data, is stored and shared in the Cloud. They are concerned that the concentration of data with a small number of Cloud providers could morph into systemic risk, for example in the wake of a cyberattack on one of them.
3) Regulators are worried about cybersecurity and the robustness of technology systems in general. For example, the FCA noted that IT failures at third-party suppliers were the second highest cause of disruptions to services, triggering 17% of incidents reported between October 2017 and September 2018. And the UK parliament held a series of hearings into a recent string of IT failures at banks in the country, which pointed to the need for firms to invest more heavily in upgrading the technology they use, including the way they store and use data.
All of this work, on operational resilience, third party risk, and cybersecurity, is also being fostered at the Basel Committee on Banking Supervision and Financial Stability Board levels, which means these are topics with forward momentum.
Discovering strategic benefits
To meet these new compliance requirements, firms will have to become better at managing their data relationships with third parties, particularly when it comes to personal information. However, putting in the effort to develop the right approach to these relationships can bear additional fruit.
Many financial firms are finding that to embrace digital transformation fully, they need to partner more with FinTech and RegTech companies. Others are realizing that they need to outsource critical services to specialist service providers.
For these companies, achieving Data Intelligence can transform the value these relationships are capable of delivering. In such a relationship, both the firm and the third party need to be able to:
- Trust the personal data they are working with.
- Automate key data governance processes around the data, such as data lineage and how data is being used.
- Collaborate around the data, whether that’s sharing it or creating analytics for the business.
These three key elements of Data Intelligence can dramatically change how financial firms and third parties manage the data, including personal data, within their relationships.
In short, financial services firms need to look beyond the new compliance demands that are evolving around data, toward achieving Data Intelligence within their third party data relationships. By taking this approach, companies will be able to embrace the opportunities that can lead to true digital transformation and generate real shareholder value.