How the regulatory environment is reshaping data governance
Data governance, like other forms of governance, often starts with a basic understanding of the assets and behaviors to be governed, based on the risk they face when governance and its controls are not effectively applied. Data is no different from many other asset types, except that it is more fungible and more exposed to leakage, duplication and loss of control.
The cash in your pocket is under your physical control and you are relatively well aware of how much you have. For someone to take control of it, they must literally acquire it physically. That is not the case with data, which can be accessed and duplicated without your knowledge and used in ways beyond your control if you don't control it yourself.
While that kind of risk is often considered a cybersecurity matter, the truth is that if you don't know what data you have, where you have it and how it is controlled, then your risk of cyber and other data loss or negative impacts goes up substantially.
Data governance has evolved into a discipline that has special meaning in highly regulated industries, particularly financial services. Over 30 years ago, then-Citibank CEO Walter Wriston said that “Information about money is becoming almost as valuable as money itself.” Mr. Wriston and his bank not only pioneered ATMs, but also the ATM network and understood that the velocity of money was driving a velocity of data. He also understood that the data was sensitive and needed to be controlled and leveraged.
The federal government has evolved a series of standards, legislation and regulation to guide financial institutions to appropriately control their data. As consumers of that data, federal agencies and regulators are extremely sensitive to the quality, timeliness and integrity of institutional data. Examples include financial performance and condition filings with regulators, including the Securities and Exchange Commission, as well as anti-money laundering reports filed with the Financial Crimes Enforcement Network and other agencies.
The impact of effective data governance is often most apparent in the level of quality, or authority of data for regulatory and other purposes. The focus of financial institutions and other regulated industries has grown very intense around understanding what data they use and provide to others and how they control it. That is the nature of data governance today.
Effective data governance can greatly enhance the reputation and performance of financial institutions and enhance alignment to regulatory requirements. Therefore, it’s incumbent on financial institutions and their regulators to consistently define expectations for governed data in terms of the controls governance provides and the outcomes that are evident in the quality, timeliness and integrity of the data that is governed.
In addition, a key aspect of data governance is knowing which data requires or merits certain levels of governance-based controls. The term “critical data” is often used to identify enterprise data that requires or merits specific controls and monitoring.
Critical data is typically defined as including, at a minimum, financial and other data required for regulatory reporting, customer and counterparty data used to report transaction conditions and balances to those parties, and the financial and risk data used to monitor and improve the institution’s performance. These critical data subjects, or domains, are generally the first targeted areas to receive mature and sustainable controls.
Controls are applied to critical data once it has been defined by a data steward and that definition has been ratified by the sponsoring data owners. The definition process creates a glossary of terms and definitions along with a physical data catalog to specify where those terms exist in various systems. Once that catalog is in place and is being maintained regularly, controls can be placed over data based on its location and the level of change it is subjected to.
For example, in a transactional processing system that manages checking account and cash balances, detective controls ensure that transactions are recorded accurately and that any required data not yet captured in the transaction is captured prior to the transaction’s completion. These controls collectively ensure that transactions are fully and accurately recorded and can be reconciled at the end of the day or reporting period to the balances they produce.
This is one simple example of good data governance. The combination of knowing and controlling your data produces consistently reliable and accurate results for regulators, customers, stakeholders and sponsors, and ensures transparency into the conditions and activities of the institution.
The importance of data governance is clear, as data that comes from all combined activities directly reflects the institution’s financial condition. Effective data governance includes both knowing and controlling data, and many mature methods can define, deploy and operate effective data controls. Ultimately, financial institutions must apply the same level of discipline and control over data as their customers apply to the money that they trust institutions with.