LIBOR Transition - Preparation in the Face of Adversity
LIBOR TRANSITION IN CONTEXT
What is it? The FCA will no longer seek to require banks to submit quotes to the London Interbank Offered Rate (LIBOR) – LIBOR will be unsupported by regulators come 2021 and, therefore, unreliable
Requirement: Firms need to transition away from LIBOR to alternative overnight risk-free rates (RFRs)
Challenge: Updating the risk and valuation processes to reflect RFR benchmarks and then reviewing the millions of legacy contracts to remove references to IBOR
Implementation timeline: Expected in Q4 2021
HOW LIBOR MAY IMPACT YOUR BUSINESS
Front office: New issuance and trading products to support capital, funding, liquidity, pricing, hedging
Finance & Treasury: Balance sheet valuation and accounting, asset, liability and liquidity management
Risk Management: New margin, exposure, counterparty risk models, VaR, time series, stress and sensitivities
Client outreach: Identification of in-scope contracts, client outreach and repapering to renegotiate current exposure
Change management: F2B data and platform changes to support all of the above
WHAT YOU NEED TO DO
Plug in to the relevant RFR and trade association working groups, understand internal advocacy positions vs. discussion outcomes
Assess, quantify and report LIBOR exposure across jurisdictions, businesses and products
Remediate data quality and align product taxonomies to ensure integrity of LIBOR exposure reporting
Evaluate potential changes to risk and valuation models; differences in accounting treatment under an alternative RFR regime
Define list of in-scope contracts and their repapering approach; prepare for client outreach
“[Firms should be] moving to contracts which do not rely on LIBOR and will not switch reference rates at an unpredictable time”
Andrew Bailey, CEO, Financial Conduct Authority (FCA)
“Identification of areas of no-regret spending is critical in this initial phase of delivery so as to give a head start to implementation”
Rajen Madan, CEO, Leading Point FM
BENCHMARK TRANSITION KEY FACTS
- Market Exposure - Total IBOR market exposure >$370TN; 80% represented by USD LIBOR & EURIBOR
- Tenor - The 3-month tenor by volume is the most widely referenced rate in all currencies (followed by the 6-month tenor)
- Derivatives - OTC and exchange traded derivatives represent > $300TN (80%) of products referencing IBORs
- Syndicated Loans - 97% of syndicated loans in the US market, with outstanding volume of approximately $3.4TN, reference USD LIBOR. 90% of syndicated loans in the euro market, with outstanding volume of approximately $535BN, reference EURIBOR
- Floating Rate Notes (FRNs) - 84% of FRNs in the US market, with outstanding volume of approximately $1.5TN, reference USD LIBOR. 70% of FRNs in the euro market, with outstanding volume of approximately $2.6TN, reference EURIBOR
- Business Loans - 30%-50% of business loans in the US market, with outstanding volume of approximately $2.9TN, reference USD LIBOR. 60% of business loans in the euro market, with outstanding volume of approximately $5.8TN, reference EURIBOR
*(“IBOR Global Benchmark Survey 2018 Transition Roadmap”, ISDA, AFME, ICMA, SIFMA, SIFMA AM, February 2018)
Data Innovation, Uncovered
Leading Point Financial Markets recently partnered with selected tech companies to present innovative solutions to a panel of SMEs and an audience of FS senior execs and practitioners across 5 use-cases Leading Point is helping financial institutions with. The panel undertook a detailed discussion on the solutions’ feasibility within these use-cases, and their potential for firms, followed by a lively debate between Panellists and Attendees.
EXECUTIVE SUMMARY
“There is an opportunity to connect multiple innovation solutions to solve different, but related, business problems”
- 80% of data is relatively untapped in organisations. The more familiar the datasets, the better data can be used
- On average, an estimated £84 million (expected to be a gross underestimation) is wasted each year from increasing risk and delivery from policies and regulations
- Staying innovative, while staying true to privacy data is a fine line. Solutions exist in the marketplace to help
- Is there effective alignment between business and IT? Panellists insisted there is a significantly big gap, but using business architecture can be a successful bridge between the business and IT, by driving the right kinds of change
- There is a huge opportunity to blend these solutions to provide even more business benefits
CLIENT DATA LIFECYCLE (TAMR)
- Tamr uses machine learning to combine, consolidate and classify disparate data sources with potential to improve customer segmentation analytics
- Achieving the objective of a 360-degree view of the customer requires merging external datasets with internal ones in an appropriate and efficient manner, for example integrating ‘Politically Exposed Persons’ lists or sanctions ‘blacklists’
- Knowing what ‘good’ looks like is a key challenge. This requires defining your comfort level, in terms of precision and probability based approaches, versus the amount of resource required to achieve those levels
- Another challenge is convincing Compliance that machines are more accurate than individuals
- To convince the regulators, it is important to demonstrate that you are taking a ‘joined up’ approach across customers, transactions, etc. and the rationale behind that approach
LEGAL DOCS TO DATA (iManage)
- iManage locates, categorises & creates value from all your contractual content
- Firms hold a vast amount of legal information in unstructured formats - Classifying 30,000,000 litigation documents manually would take 27 years
- However, analysing this unstructured data and converting it to structured digital data allows firms to conduct analysis and repapering exercises with much more efficiency
- It is possible to a) codify regulations & obligations b) compare them as they change and c) link them to company policies & contracts – this enables complete traceability
- For example, you can use AI to identify parties, dates, clauses & conclusions held within ISDA contract forms, reports, loan application contracts, accounts and opinion pieces
DATA GOVERNANCE (Io-Tahoe)
- Io-Tahoe LLC is a provider of ‘smart’ data discovery solutions that go beyond traditional metadata and leverage machine learning and AI to look at implied critical and often unknown relationships within the data itself
- Io-Tahoe interrogates any structured/semi-structured data (both schema and underlying data) and identifies and classifies related data elements to determine their business criticality
- Pockets of previously-hidden sensitive data can be uncovered enabling better compliance to data protection regulations, such as GDPR
- Any and all data analysis is performed on copies of the data held wherever the information security teams of the client firms deem it safe
- Once data elements are understood, they can be defined & managed and used to drive data governance management processes
FINANCIAL CRIME (Ayasdi)
- Ayasdi augments the AML process with intelligent segmentation, typologies and alert triage. Their topological data analysis capabilities provide a formalised and repeatable way of applying hundreds of combinations of different machine learning algorithms to a data set to find out the relationships within that data
- For example, Ayasdi used reason-based elements in predictive models to track, analyse and predict complaint patterns over the next day, month and year
- As a result, the transaction and customer data provided by a call centre was used effectively to reduce future complaints and generate business value
- Using Ayasdi, a major FS firm was able to achieve more than a 25% reduction in false positives and achieved savings of tens of millions of dollars - but there is still a lot more that can be done
DATA MONETISATION (Privitar)
- Privitar’s software solution allows the safe use of sensitive information enabling organisations to extract maximum data utility and economic benefit
- The sharp increase in data volume and usage in FS today has brought two competing dynamics: Data protection regulation aimed at protecting people from the misuse of their data and the absorption of data into tools/technologies such as machine learning
- However, as more data is made available, the harder it is to protect the privacy of the individual through data linkage
- Privitar’s tools are capable of removing a large amount of risk from this tricky area, and allow people to exchange data much more freely by anonymisation
- Privitar allows for open data for innovation and collaboration, whilst also acting in the best interest of customers’ privacy
SURVEY RESULTS
- Encouragingly, over 97% of participants who responded confirmed the five use cases presented were relevant to their respective organisations
- Nearly 50% of all participants who responded stated they would consider using the tech solutions presented
- 70% of responders believe their firms would be likely to adopt one of the solutions
- Only 10% of participants who responded believed the solutions were not relevant to their respective firms
- Approximately 30% of responders thought they would face difficulties in taking on a new solution
Innovation is Not Perfect. Accept and Embrace It
Thushan Kumaraswamy
Partner at Leading Point Financial Markets
It was my pleasure to attend Societe Generale's breakfast event on 9 November 2018 called "Implementing New Technologies" in Spitalfields, London on behalf of Leading Point Financial Markets. The event comprised presentations about the FinTech innovation landscape and the use of Robotics Process Automation (RPA) in SocGen, followed by a panel discussion, hosted by Susanne Chishti, Founder of FinTech Circle.
Since there was so much good content and thinking at this event, I thought I would share my views on the event and how it ties to our propositions at Leading Point Financial Markets.
Do not ignore FinTech companies that are not 100% ready
There are thousands of FinTech (and RegTech, LegalTech, WealthTech, InsureTech, XYZTech!) companies just in the UK, let alone globally. Many of these are in different stages of their evolution.

Source: The Startup Lifecycle
Financial services firms, especially larger firms, often resist adopting innovative technologies from companies who don't have a long record of existing clients. In such a fast-moving environment as FinTechs, this can mean losing out on the potential business benefits at a time when competition is squeezing margins and ever-increasing regulatory pressures are driving up costs.
Imagine being able to run a pilot or proof-of-concept for a small area of the business, with an identified strategy of goals and specific objectives, to demonstrate to the senior management team how such a new technology could be used to deliver real business benefits. This kind of pilot can be run in an agile fashion, but requires that business and IT teams are fully on board and involved with the project. Since the scope is small, the resource commitment is also smaller than a normal implementation.
There is a significant opportunity for financial services firms who are willing to start these small-scale projects with innovation companies who might not be 100% ready (in the Validating or Scaling phases above) alongside implementation partners who know the technology, have the domain knowledge and understand operating models.
Don't automate a bad process
Robotics Process Automation (RPA) as a concept is easy enough to understand; computer programs (the "robots" or "bots"), using a set of pre-defined rules replicate what humans would do using computer systems in a repetitive fashion. For example, daily copying of client names from an Excel sheet to a CRM (Customer Relationship Management) system. This basic automation can free up the human workers to do more valuable work.

Source: Robots Join The Team
This is all good stuff. However, before jumping straight to implementing RPA solutions, it is worth considering what the business process is actually doing. Is this Excel-to-CRM method the best way of getting client details into the CRM system? Is it possible to improve the process first? As part of an RPA implementation, you should be looking at process improvement strategies first, then automating what is left. This way, you save on the number of bots you would need and increase the efficiency of the process as a bonus. Process experts can document existing processes and identify opportunities for improvement prior to any RPA technology implementation.
How does a bot change a password when accessing a core system?
There are some potential gotchas when using bots, like the above question, which can cause problems during day-to-day running. If a bot uses a specific login to access a core system and that login has a password expiry, what happens then? Is the bot expected to define a new password? Should a human get involved? Also, consider licences on existing software platforms; are there any clauses that prevent the use of bots? There may not be right now, but it is not difficult to foresee software companies bringing in new clauses to control the potential uptick of system usage through bots.
Panel Discussion: Selecting and Implementing New Technologies
- Susanne Chishti, Founder of FinTech Circle (Host)
- Anthony Woolley, Head of Innovation, Societe Generale
- Vasu Vasudevan, Digital Enablement Capability Lead, Schroders
- Richard Archer, Director, EY
- Keith Phillips, Executive Director, The Investment Association and Velocity
The first question was about trends in innovation. The guests talked about the bleed of innovation between FinTechs, RegTechs, LegalTechs, but also into manufacturing and other industry sectors. The biggest topics being:
- Artificial Intelligence (AI) and Machine Learning (ML)
- Big Data
- Cloud
- Distributed Ledger Technology (DLT) / Blockchain
- Social & Mobile
- Robotics & Automation
As mentioned above, the twin drivers of competition shrinking margins and regulatory compliance increasing costs are forcing companies to come up with new ways of thinking. This may not come naturally to the larger, older financial services firms. They may have pockets of innovation but sometimes struggle to create a company-wide innovation culture.
The importance of customer-centricity was raised in response to a question on technological advancements. Building a single view of the client will enable improved service to clients and increased revenue growth, using data analysis across large cross-referenced data sets to be more specific with marketing and cross-selling.
An interesting question about how to bridge the gap between legacy platforms and new innovations was put to the panel next. It was noted that capacity is required to do this. How do companies get that capacity? By using technologies like RPA to free up people to generate this real value for the business.
Another technique is to use APIs (Application Programming Interfaces) as wrappers around your legacy platforms to make them easier to connect to other, more modern, applications. Using APIs turns your legacy platforms into building blocks that can be linked together. A COBOL API can let other systems use the data held in the COBOL system, without the need for expensive COBOL programmers.
Source: Intro to APIs
This brings additional data protection concerns though, as customer data held in these legacy platforms may not have up-to-date data security and data protection applied to them and exposing the data through APIs could potentially increase risk of data loss.
A concern raised by the panel was about the use of RPA as a concrete sticking plaster rather than as a purely temporary fix for the use of legacy technology. The temptation is there once an RPA solution is doing its work, to leave it there rather than address the legacy platform.
The panel were asked about their top three technologies. The answers covered:
- Data aggregation, clustering & consolidation
- AI and ML
- Blockchain
- Data analytics (behavioural analysis for active asset management)
- Digital passports (recording clients' digital identities)
- Intelligent automation (robotics)
- Unstructured to structured data
- Document intelligence (text mining)
- RPA
- Collaboration tools in investment operations
- Natural language processing (voice recognition)
- Cloud (along with data and APIs)

Source: Top 30 Emerging Technologies
One important factor for digital was considering how people interacted with their devices. Many people of a certain age feel comfortable using on-screen keyboards and touch gestures. Some younger people prefer voice interactions through assistants like Alexa, Siri or Google and that audience is only going to grow.
A vital question was put to the panel about how to implement new technologies. FinTechs often feel like they are in a zoo. Potential clients come to see what they can do, have some meetings, but then don't connect again. There are some activities that can improve the relationship-building on both sides for FinTechs trying to scale-up or break into financial services; along with the obvious (but not always followed) things like respecting each other and being collaborative, there is a need to not destroy the start-up's spirit. Go in to the relationship with the understanding that the technology partner is young and may need some support and guidance.
The idea of changing the culture of the financial services firms was discussed. It was believed that this needed both top-down leadership & funding and also bottom-up drive. An internal innovation fund was set up that enabled small teams working on-the-ground to prepare a business case and pitch over six months to present. Over 70 of these teams took up the challenge, with some generating real business benefits. But, it is more than those end success stories that matter; it is the change in mindset across the company that demonstrates that innovating is part of business-as-usual for everyone in the firm, not just a select few tucked away in an innovation lab.
Other key factors were having both business and IT teams engaged and willing to work together as partners, being able to run projects in an agile (or Agile) fashion and accepting projects that "fail fast", but test and learn quickly. It was interesting to see how business architecture could help in these situations by mapping commonalities across the business using capability models and describing roadmaps aligned to customer journeys.

Source: Practical Business Design
One of the major blockers to building an innovation culture was the procurement process in many large financial services firms. These bureaucratic processes can take over eight months to allow a start-up to begin implementing a solution, which can destroy the innovation impetus. A fast-track procurement process, enabling implementation of new technologies, perhaps in some protected sandbox environment, taking eight weeks would be a massive enabler. It feels like there is work required to develop streamlined procurement processes, specifically for innovation technologies.
An audience member asked how many start-ups typically fail. In any typical innovation portfolio, an angel investor may have invested in ten start-up companies. Five of these will likely go bust. Three may remain as the "living dead", where they plod along, just existing as a private company, without any hope of getting a return on the investment. The other two may become "superstars", where they go public with a bang and these two pay off the investment in the other eight start-ups.
I believe that, with more help in providing a consistent analysis of these start-ups on behalf of private equity firms and venture capitalists, the ratio of failures:living dead:superstars could be improved.
This was a very interesting panel discussion and my thanks go to Societe Generale for running the event, the guest speakers on the panel & presenting and to Susanne Chishti for hosting. The themes of technological innovations and the challenges of implementing them in financial services were very familiar to what I have seen in my own experience, but these challenges are not insurmountable with the right support.
If you don't use these new innovations in your business, for example in the field of anti-financial crime, where do you think the criminals are going to go when your competitors do use them?
Final thought: You cannot wait for the perfect innovation. By the time that happens, your competition may be far ahead of you. You would be better off using what innovation can offer now, but work together with the technology companies to complete that picture for your business.
The right partner can help intersect the old world with the new.
Reducing anti-financial crime risk through op model transformation at a tier 1 investment bank
“Leading Point have proven to be valued partners providing subject matter expertise and transformation delivery with sustained and consistent performance whilst becoming central to the Financial Crime Risk Management Transformation. They have been effective in providing advisory and practical implementation skills with an integrated approach bringing expertise in financial services and GRC (Governance, Risk and Compliance) functional and Fintech/Regtech technology domains.”
Head of Anti-Financial Crime Design Authority @ Tier 1 Investment Bank
Accelerating growth-at-scale at a treasury blockchain FinTech with our delivery leadership
“Leading Point has been invaluable in helping us deliver high quality client outcomes in the enterprise blockchain space and creating a scalable delivery model for us with increased productivity.”
COO @ FinTech
How will the FCA business plan impact organisations over the next two years?
Leading Point of View
Introduction
The FCA has recently issued its business plan (1) and focus for the upcoming four quarters. Kicking off with some stats – a mix of sobering and positive, the paper gives a clear outline of its proposed, cross-sector, regulatory oversight. One of the greatest challenges for the industry at present is the implementation of MiFID II provisions.
The FCA makes the point that this will facilitate the introduction of ‘major reforms to improve resilience and strengthen integrity and competition in wholesale markets’. Furthermore, work around market abuse will be enhanced. We highlight notable elements of the business plan and their implications for organisations, below.
Cybersecurity
Across all financial sectors lies the risk of cyber-attacks. With the impending implementation and governance of the General Data Protection Regulation, and potential fines of up to 4% of company revenue, organisations’ technological and operational resilience must be second to none. The FCA deems these qualities pivotal pieces of the cyber security jigsaw; it aims to police cyber capabilities and monitor financial crime and all major outages during the upcoming year.
Senior Managers and Certification Regime
Whilst 2015/2016 saw banks and insurers bring about the operational changes borne out of SMCR, during 2017/2018, the FCA plans to oversee the resulting culture and governance of this significant shift in responsibility. Currently under consultation is the extension, to be implemented by 2018, of SMCR to all firms covered by FSMA. This would cement the prevailing accountability of senior managers’ individual areas of business within the industry.
Customer Engagement & Competition
The theme driving the most recent directives and regulations is placing the ball in the customers’ court. The dramatically changing financial landscape is being molded by the General Data Protection Regulation, the Payment Services Directive 2, to name but a few. The Open API world further allows the customer to have greater choice and engagement with their banking decisions. The FCA is likely to zero in on firms’ development in digitisation and automation and stewardship of customer data with a critical eye, to ensure there is no abuse.
Buy-side | Asset Management
MiFID II implications are beginning to take shape, however there is much to be done. The FCA recognises MiFID II as post-crisis regulation; it is driving reforms that will promote cross-sector market integrity and competition, and consumer protection. Firms’ annual budgets will now, more than ever, be targeted towards improving IT systems and infrastructure, developing data capabilities, and ensuring operational risk is kept at bay.
Leading Point Financial Markets brings compelling value at the intersection of Data, Governance & Compliance, and Digital and Operating Model Change initiatives. If you would like to further consider any of these impacts on your organisation, please contact saskia.blake@leadingptconsulting.com or rajen.madan@leadingptconsulting.com.
(1) https://www.fca.org.uk/publications/corporate-documents/our-business-plan-2017-18
Rules of Data
On 24 October, it was reported that the Financial Conduct Authority launched an investigation into the US credit checking company Equifax; almost 700,000 Britons had their personal data misappropriated between mid-May and July this year. The FCA gave evidence on this matter to the Treasury Select Committee on 31 October because of the significant public interest. The FCA has the power to fine Equifax, or strip it of its right to operate in the UK, if it is found to have been negligent with its customers’ data. With European Union governments formally stating that cyber-attacks can be an ‘act of war,’ data protection cannot be taken seriously enough. The Equifax data breach is by no means a solitary data breach – several large organisations such as Dun & Bradstreet, Verifone, Whole Foods, Deloitte, DocuSign, Yahoo! are already part of the mix.
The Government is aligning domestic data legislation with the European Union in an effort at continuity, despite our plans to leave the EU. The Data Protection Bill is proof that the Government seeks to keep the UK au courant with the newest data law of EU provenance.
The number of internet users is now close to 4 billion. Businesses continue to move their products and services online in order to service their customers. Data continues to grow exponentially and will persist in its travel far and wide – enabled by technology proliferation. The EU’s General Data Protection Regulation (‘GDPR’) has been precipitated by acute necessity. Companies need to review and revise their approach to privacy, security and governance of their data. A holistic data protection framework is needed that is centred on the customer and encompasses their interactions, experience, sentiment, along with those of advocacy groups, shareholders, and regulators. This is a non-trivial exercise and requires interventions at the mindset, policy, information governance & security and process levels, along with enabling technology.
Businesses are heading in the right direction with GDPR, but there is still a long way to go. Implementing this change with the right spirit is fundamental to building trust with customers and partners. Leading Point’s experience helping organisations with these requirements suggests that while significant compliance hurdles exist, a risk-based approach that focuses on five core areas will be instrumental to success.
1. Give your customers control over their data – a mindset change
Bearing in mind the territorial scope of the GDPR – across the current 28 EU member states, plus anyone dealing with the EU – most teams within organisations will benefit from the ethos behind the Regulation. A mindset shift from owning your customers’ data to stewarding your customers’ data is required. Give your customers control over their data. Any legal or natural person processing data must believe in the spirit of this sea change – the need to assume responsibility for stewarding your customers’ data and to provide them with confidence in your processes. GDPR expands on the list of ‘rights’ each data subject is afforded: the right to be informed, the right to access data records, the right to data erasure, to name a few. Tone at the top matters immensely.
2. Achieve Data Protection by Design
Which department is leading your organisation’s GDPR compliance efforts? A cross-functional team will help in deploying a holistic data protection framework. To start with, the focus must be on classification of the data, its supply chain and its governance. Therefore, leveraging existing data management initiatives to embed data privacy requirements can really help in ‘data protection by design’. In practical terms, companies need a clear picture on: ‘what types of data do they hold on their customers;’ ‘which types of data are sensitive and require enhanced security levels;’ ‘who has access to customers’ sensitive data;’ ‘where is this data processed and distributed;’ ‘how does it flow;’ ‘what is its quality;’ and ‘are there checks and controls in place around its flow and access’? The rules are more stringent now, as companies establish the depth of customer data – their interactions, experiences, sentiments – what impressions are left in an organisation’s data stores. The definition of personal data and its inherent breadth has been redefined – ‘Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.’ And so the notion of data minimisation is born. We believe that while there are increasing numbers of quick-fix GDPR solutions in the market, achieving data protection goals is less about technology, and more about energising the organisation into becoming 100% data aware.
Building trust in your data will allow for effective process and controls for data protection, security and governance.
3. The Art of the Process
Focus must be on the ‘process’ exercise – visibility of customer journeys – which processes interact with customer data and the ensuing data lifecycle. Knowing which functions have client-facing processes and ensuring these are adapted is called for. Threading through specific processes for data collection, data storage, data sharing, access requests and breaches is the focus. Having a command of what happens to personal data, who is involved in gathering it, and responding to Subject Access Requests is important, not least because you will have only a month to respond and cannot routinely charge the current £10. What steps to take in the event of a data breach, how to manage contracts which hold personal data: these are all explicit in the Regulation. For all data processors, we must double down on education and training – on policies, on data governance, on processes and new rules of data. This means highlighting a consistent approach to the different scenarios. Surely the best protection is a body of staff that is wholly informed?
4. Integrating data protection with a risk-based approach
By taking an inventory of obligations to customers via existing contracts and business agreements, organisations can start to manage their stated responsibilities linked to customer data and its management and use. This is a quick-win.
Data classification and governance exercises will highlight the sensitivity, breadth and depth of data, the access and use of the data held. Data flow will highlight the data processors and third-parties and internal functions involved. Data quality will highlight where data management controls are required to be shored up. In turn, this will flag up priority remediation exercises on customer data.
The aforementioned ‘process’ exercise will highlight key customer-facing process changes, or a requirement to deploy specific data processes referenced by GDPR. Organisations can road-test these processes against the required process turn-around times. For example, data breaches must be reported within 72 hours, and as mentioned above, data subject access requests – one month. Involve your customer services team actively with data protection and security breach scenarios – this will build memory and promote mindset change.
The overarching governance in an organisation will be a key cog in the data protection ecosystem; the Regulation has duly led to the genesis of the Data Protection Officer. Enabling these responsibilities with existing data management governance responsibilities, and appointing data champions, can be an effective approach. Data protection is indisputably everyone’s responsibility, so the emphasis must be on organisational cooperation.
5. Cascading to Third Parties & a Cloud
Third party contracts and the framework that dictates how these are established, must wholeheartedly reflect any changes to the requisite data protection and security obligations. A compliance policy which standardises how third party contracts are established can also be a useful instrument. Data transference should be shored up with model contractual clauses, which allow all parties to clearly realise their responsibilities. We are alive to the persistent risk of cyber attacks, so it is crucial to remember that your data on the cloud is a business issue, as well as an IT issue. Are you fully apprised of where your business stores its data; on the premises, in the cloud, or both? The increasing trend to shift data and infrastructure to a public or private cloud no doubt presents an economic benefit and technology road map for some organisations. But make no mistake, organisations are accountable for their customer data content, its usage, and their security policy for cloud-based storage. Measures such as encryption, pseudonymisation and anonymisation will help, and should be employed as a matter of course, as well as remaining open to select technologies that help underpin cyber defence.
To conclude
When implementing change, evidence-based decision making shouldn’t be the only strategy; knowing which cogs in an organisation interlink cohesively in practice will greatly assist in a robust framework that threads through to a mindset shift, policy, data, process and third parties. To reinforce an earlier perspective, data is only growing. So are data breaches and cyberattacks. The garnering of our data to feed algorithms and ‘machine learning’, borne out of the Silicon Valley revolution, is leading to inevitable change in our lives, but we must strive for a democratic jurisdiction for our data. Organisations must give customers control of their data and the confidence in their data management processes. Rather than penalty-based scaremongering, think of this as an opportunity to build your brand, to send a robust message to your customers and partners, demonstrating care and respect of their data.
To close, a soundbite from the Information Commissioner’s Office: ‘Data protection challenges arise not only from the volume of the data but from the ways in which it is generated, the propensity to find new uses for it, the complexity of the processing and the possibility of unexpected consequences for individuals.’
Leading Point Financial Markets brings compelling value in the intersection of Data, Compliance, Governance and Operating Model Change initiatives.