In the wake of recent bank failures and enforcement actions, the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB), and other regulatory agencies have intensified their oversight of data management practices at large banking institutions. These institutions must consider how to respond to the new rules and practices. 

COMPLIANCE EXPECTATIONS ARE HIGHER THAN EVER

The federal banking agencies have imposed stricter guidelines for data governance practices that relate to the quality, integrity, and security of customer data. Examples include increased Customer Due Diligence (CDD) and Beneficial Ownership (BO) requirements;¹ consumer protection regulations such as those included in the Dodd-Frank Wall Street Reform and Consumer Protection Act (2010); increased risk management standards; and standards for capital and liquidity.²

GREATER EMPHASIS ON REPORTING 

Regulatory agencies consistently evaluate the reporting practices of large banks to assess the quality of report data and compliance with regulation. In recent years, bank regulators have expanded their transaction testing and rules conformance testing. And many banks have struggled to demonstrate front-to-back data quality and conformance with the new reporting rules. As a result, the number of MRAs (matters requiring attention) or MRIAs (matters requiring immediate attention) has increased significantly. 

FOCUS ON DATA PRIVACY

Regulatory agencies have implemented stricter data privacy regulations including the European Union’s General Data Protection Regulation (GDPR) in 2018 and the California Consumer Privacy Act (CCPA) in 2020. The GDPR mandates that institutions processing data must do so according to seven principles relating to protection and accountability,³ while the CCPA gives consumers greater control over personal information gathered by businesses.⁴ Failing to comply with such regulations and laws may lead to substantial fines and other punishments. Cybersecurity is another area of concern given the OCC recently developed and distributed the Cybersecurity Supervision Work Program for use by examiners.⁵

To avoid fines, financial institutions (Fis) must take proactive measures to meet enhanced data protection standards set by regulatory agencies. This approach also helps protect institutions from legal action, government investigations, reputational damage, and other repercussions. 

LEVERAGE A DATA MANAGEMENT FRAMEWORK

Financial institutions need to take proactive steps to construct and maintain a robust data governance framework, as well as preparing for regulatory examinations, to protect their organization from penalties from regulatory agencies. There are several best practices to take to help do this:

1. Data governance framework: This framework defines a structure and processes that govern data within an institution. It helps ensure that data is reliable, trustworthy, and readily available for effective reporting and decision-making.⁶ The framework also ensures that minimal controls are in place across all enterprise applications to achieve data integrity and quality. Data is therefore sustainable in the long run and readily available in its integral state for future requirements.
   
   It is imperative that FIs treat all enterprise applications and end-user computing files (EUCs) as assets especially those that support critical business processes. By increasing accountability, reliability, and sustainability, banks can ensure that data is complete, accurate, timely, and auditable. Effective data governance ensures data traceability from its origin in upstream systems to its use in reporting— including any transformations along the way. 
   
   
2. Policies and procedures: FIs must stay abreast of new regulations and changes to regulatory guidance. These should serve as the foundation for developing clear data governance policies and procedures that comply with regulations and effectively manage data risks. To ensure robust policies and procedures management, banks should actively involve stakeholders across the organization. 
   
   
3. Risk assessment and management: FIs should conduct risk assessments on a regular basis to identify areas of weakness or non-compliance. Risks can be identified by examining relevant regulations (e.g. CCPA, GDPR) followed by gap analysis to determine areas of vulnerability. Risk monitoring systems and reporting procedures should be established to ensure swift and effective resolution of any data risks.
   
   
4. Data program lead oversight: Data program leads at FIs should meet consistently, establish clear communication procedures, and assign responsibilities to staff who oversee the implementation of data governance policies and procedures. Data program leads should be briefed whenever changes to regulation are published.
   
   
5. Employee training and communication: Data governance is integral to the success of the bank and should be communicated at every level of the organization. Employees at various levels of the bank, from a Chief Data Officer (CDO) to a bank teller, are able to identify data risks; therefore, it is critical that all employees are aware of how they contribute to regulatory compliance and risk management. Regular training and communications regarding new policies and procedures are essential to maintain awareness of these responsibilities.
   
   
6. Embrace emerging technologies: Emerging technologies such as artificial intelligence (AI) can potentially automate some risk and compliance processes involving data analytics, risk management, and fraud detection. However, AI presents significant data privacy challenges that need to be addressed by data governance policy makers in FIs. As of December 2023, 17 US states have enacted bills intended to regulate the design, development, and use of AI.⁷
   
   As FIs come to terms with policies and procedures for AI, the OCC has advised them to “manage AI use in a safe, sound, and fair manner, commensurate with the materiality and complexity of the particular risk of the activity or business process(es) supported by AI usage.”8 The OCC also says that FIs need to “identify, measure, monitor, and control risks arising from AI use as they would for the use of any other technology.”⁸ In short, FIs must take the OCC guidelines seriously in order to mitigate data risk and avoid penalties imposed by regulatory agencies.
   
   
7. Partnering with third parties: Independent third parties can play a critical role in data governance—whether helping to deploy proactive measures or responding to an MRA. Consultancies provide essential expertise, as well as an industry-wide perspective that accelerates the integration of data governance frameworks for compliance and risk management. Their ability to benchmark across industry standards is especially useful for governance projects. 
   
   

Adopting these best practices enables FIs to comply with requirements, thereby shielding themselves from regulatory agency penalties while managing data risks enabled by a strong data governance framework.

CONCLUSION

In a world where data security threats are evolving daily, regulatory agencies will continually update regulations, expectations, and reporting requirements that relate to data risk and governance in financial institutions. To comply with ever-changing regulations, avoid MRAs / MRIAs, and penalties from regulatory bodies, institutions must take proactive steps to create and maintain robust data management systems. Financial institutions should consider partnering with third parties, such as consultancies like Capco, to take advantage of their expertise in the creation and audit of data governance systems.


References

¹ https://www.occ.treas.gov/news-issuances/bulletins/2018/bulletin-2018-12.html
²  https://www.occ.treas.gov/publications-and-resources/publications/comptrollers-handbook/files/corporate-risk-governance/pub-ch-corporate-risk.pdf
³ https://gdpr.eu/what-is-gdpr/
⁴ https://oag.ca.gov/privacy/ccpa
⁵  https://www.occ.treas.gov/news-issuances/bulletins/2023/bulletin-2023-22.html
⁶  https://www.capco.com/intelligence/capco-intelligence/managing-data-in-a-regulated-world
⁷ https://www.csg.org/2023/12/06/artificial-intelligence-in-the-states-emerging-legislation/
⁸ https://www.jdsupra.com/legalnews/occ-semiannual-risk-perspective-5952380/