By Robert Audet, Jonathan Shiery, Donald Heckman Jr.
Financial institutions (FIs) face unprecedented challenges and a volatile economy—effectively managing data is paramount to success. The recent Office of the Comptroller of the Currency (OCC) enforcement actions show the increasing regulatory scrutiny on data governance, and shed light on the lackluster data controls. Deficiencies in data quality and third-party data management were penalized with $460 million in OCC fines in October 2020. In addition, the Consumer Financial Protection Bureau (CFPB) identified data-mapping errors as a root cause for a Regulation Z violation, resulting in inaccurate billing. Mature and comprehensive data management capabilities can pave the way for advanced analytics, help to reduce data risks, and minimize the likelihood of regulatory findings and penalties.
FIs have invested significant resources to manage their data assets. Many have made impressive progress, but as recent regulatory enforcements have shown, there is still work to be done as technology and data usage accelerates in a digital world.
Data is vulnerable at each stage of the data life cycle. The complexity of data management and risk of security and privacy breaches increase with each new data source, each new individual helping to manage data, or an external data provider not adequately vetted. As data leaders, chief data officers (CDOs) and chief information security officers (CISOs) should identify and act upon the early warning signs of fractures in the data life cycle, some of which include:
Guidehouse offers some insightful perspectives to help data leaders such as CDOs and CISOs navigate these challenges.
Understand the Handoffs
Governance programs are critical to the success of data management, whether an organization is starting its data management journey or has a relatively mature governance program. The CDO and CISO should lead or strongly influence data governance processes. Still, there is an overarching question of where these roles fit within the enterprise, and oftentimes confusion is generated over roles and responsibilities at key points across the data life cycle. This confusion often creates issues with handoffs between different functional areas (e.g., CDO to CISO) resulting in inefficiencies, rework, delays, and even missed important activities. For example, the OCC recently imposed a $60 million penalty for failure to exercise proper oversight of a third party hired to purge data from decommissioned systems. This lack of oversight was likely attributed to confusion of roles and responsibilities or gaps in the governance process.
CDOs, CISOs, and chief information officers should identify and analyze current-state processes and procedures that support the data life cycle to ensure that handoffs between different roles and functional areas, accountability, and responsibilities are clear and understood. More importantly, appropriate controls that identify process bottlenecks, gaps, and role clarity issues should be in place. Improving these issues can help reduce the data risks due to process and procedure misfires.
Develop outcome metrics and reporting to enable risk-informed decision-making for frontline stakeholders and senior executives. For example, CDOs should design data control metrics to measure and manage data quality controls' effectiveness, the life cycle of data quality issue management, and cybersecurity and privacy risks across the data life cycle.
Fill the data governance voids
While many FIs likely have a data governance program, a more critical review of these capabilities should occur to identify potential data governance voids, such as:
To address these challenges, organizations should have a robust data governance program that effectively eliminates data issues at these life cycle stages:
Creation/Collection—There needs to be an operating model that avoids the capture of “dirty” data (e.g., inaccurate, incomplete, inconsistent, or untimely data). Operational risks arise as end users leverage self-service capabilities to pull data sets into their silos and use them as input for their specific business analysis and decision-making, e.g., regulatory reporting and billing statement. Checks should be in place to ensure that data (structured or unstructured) are reliable and complete at the point of origin.
Synthesis—The combination of existing data sources into new data points should also have safeguards so that newly derived values are free of ambiguity and do not create a privacy issue.
Usage—Once ready for use, data will be accessed and consumed using various data reporting and analytical tools, as well as exchanged internally and published to external parties. Protecting the confidentiality of data via encryption and other tooling is paramount to a holistic security strategy.
Archival—Many organizations fail to effectively apply the proper safeguards from the enterprise-level security policies and procedures during this stage. If third parties are a component of offsite backup and restoration exercises, they need to understand their responsibilities to enforce the enterprise-level security policies and controls necessary to protect the data.
Purging—A data destruction strategy lets the enterprise remove data from servers, while remaining compliant. Ensuring storage media erasure or taking steps to make information unreadable or indecipherable (by reformatting, for instance) and should not be overlooked.
For FIs to effectively manage their data assets, CDOs and CISOs should work in tandem to create a risk-based, proactive, and collaborative approach to managing data across the data life cycle. Here are some steps to start to more effectively manage your data as assets:
Special thanks to contributing authors: Savannah Xiao, Stephen Singham and Lwanga Phillip.
Complexity demands a trusted guide with the unique expertise and cross-sector versatility to deliver unwavering success. We work with organizations across regulated commercial and public sectors to catalyze transformation and pioneer new directions for the future.