Data Governance in Financial Services is Make-or-Break for Compliance
One decade after the 2007 economic crisis, financial services firms are still grappling with the regulatory aftermath. Data governance is a critical practice for all corporations to ensure compliance with complex regulatory reforms.
Regulators worldwide have imposed new rules and strengthened old ones. Enterprises that want to keep their houses in order are under pressure to understand and comply with those rules – and it hasn’t been easy. The industry has adapted accordingly.
For example, a stricter regulatory environment has led to the introduction of new organizational roles, such as the Chief Data Officer (CDO) and the Data Protection Officer (DPO). It’s also resulted in new data management technologies to help businesses understand their data assets and have better control of the data they collect and report to regulators.
Which regulations have the biggest impact on managing your data governance programs? Here are five regulations – some new, some established – that have the most consequential implications for data governance within the financial services industry.
- Basel Committee on Banking Supervision (BASEL III and BASEL IV)
The Basel Committee rolled out BASEL III, its third set of regulatory frameworks around capital and liquidity, in 2010, and is in the process of drafting an updated Basel IV which will likely require higher capital requirements and increased financial disclosure. Basel III and IV share similar goals to Dodd-Frank in that they seek to ensure banks have enough capital on hand to survive significant financial losses, although they differ in the amounts required. The frameworks establish numerous requirements, such as the Capital-to-Assets Ratio (CAR), Liquidity Coverage Ratio (LCR) and Net Stable Funding Ratio (NSFR). To meet those requirements, financial services firms again must step up their data reporting and risk management capabilities.
- Comprehensive Capital Analysis and Review (CCAR)
Spurred by the financial crisis, and conducted under the auspices of the Federal Reserve, CCAR mandates that certain comprehensive reporting be conducted annually. Effectively, CCAR requires banks to conduct “stress tests” that prove they can “weather the storm” if they were to face the same type of financial challenges experienced during the Great Recession. Banks are then required to report the findings of those tests to regulators.
- Dodd-Frank Wall Street Reform and Consumer Protection Act
Signed into federal law in 2010, the Dodd-Frank Act is a complex piece of legislation passed as a direct response to the financial crisis. Its purpose was to promote “the financial stability of the United States by improving accountability and transparency in the financial system,” according to the law’s text. Practically speaking, the law implemented standards to limit risk-taking, increase data transparency and improve the efficiency with which data is aggregated and reported to regulators. According to Davis Polk, around 72 percent of the 390 proposed rules in Dodd-Frank have been met with finalized rules. Rules have not yet been proposed to meet 21 percent of the law’s requirements, underscoring that even seven years later, the regulation’s full impact remains uncertain.
- General Data Protection Regulation (GDPR)
When GDPR comes into effect on 28 May 2018, it will impose new penalties for companies that run afoul of its cross-border data transfer requirements: fines of up to €20 million ($23.5 million) or 4 percent of the company’s total annual worldwide revenue, whichever is higher. That’s just one way in which GDPR seeks to strengthen data protection for EU residents. It puts a greater onus on financial services firms to understand the data they collect and transmit. Importantly, it also impacts banks outside of Europe – any bank with customers in Europe must also comply. Under the regulation, bank customers will need to provide explicit consent for data collection, banks will need to disclose data breaches within 72 hours, and banks will need to wipe customers’ personal data after a prescribed period of time.
- USA Patriot Act
An older and wide-ranging law focused heavily on preventing terrorism, the Patriot Act also includes specific regulatory burdens on financial services companies to prevent money laundering, and to report and classify international transactions. Specifically, “suspicious transactions” need to be reported to regulators, and banks must identify individuals opening new accounts who meet certain criteria, i.e., owning or controlling 25 percent or more of a legal entity.
Several of these regulations overlap in terms of their substance and reporting requirements – for example, Basel III and Dodd-Frank both seek to increase bank capital and liquidity requirements, even if the methods vary. All of them share the same overall impact, in that they impose a significant burden on organizations in how they analyze and report their risk exposure.
The burden flows down to the IT department, which must find ways to collect, aggregate and understand sensitive corporate data. Speed is important – companies have a limited amount of time to find, understand and report the required information. Even so, they cannot sacrifice data quality, because mistakes in reporting can lead to costly rework or even expensive compliance penalties.
In the arena of post-financial crisis regulations, the goal for financial services firms should be to find ways to comply with regulations while incurring the least cost and disruption to their business. Compliance doesn’t have to be an obstacle to business growth or success.
Businesses that monetize compliance data are able to make the most of information that they otherwise might not collect. These financial services firms find new ways to segment their customer base, price their financial instruments, differentiate clients by risk profile, and stay ahead of the competition. Ultimately, a smarter approach to data governance turns the burden of compliance into a revenue-driving opportunity.