Heightened focus on privacy and intersection with records, data and security is forcing new ways of working for records managers and the data office
For Records Managers who have worked eight years or more in financial services, the world has become a dramatically different place. Until the start of the decade, records and data were governed primarily by all of the rules and regulations that enable financial institutions to do business – Companies Acts, Finance Acts, Tax Acts, and the like.
Since 2010, there has been a torrid influx of new and updated regulatory regimes relating to Privacy, Cybersecurity, Data Protection and AML, to name just a few. Some global, some regional and some local, totalling more than 53,000 annually. The bigger the financial institution, the bigger the regulatory challenge.
Nothing could have prepared us for the seismic shockwave of 2018, caused by the intersection of records, data, security and privacy regulations, which has required Records Managers across the planet to rethink their current compliance processes. Never before have financial institutions had to govern records and data in such a granular and interconnected way.
Consider the lifecycle of a record, or any other type of information asset (a contract, an email, a voice recording, a client consent, an application for example). One regulation might stipulate a records retention schedule of seven years, while a conflicting privacy regulation may require data contained within that asset to be destroyed after just three years – or whenever a customer exercises the right to be forgotten, as afforded by GDPR. Add to that the reformation of information security regulations, which require each information asset (and the data contained within it) to be protected in transit, not only when it is languishing in an archive, and the scale of the challenge is clear to see.
And there's more. Who knew there would come a time when Records Managers could run into more trouble with Regulators for retaining records, rather than disposing of them as soon as their retention obligation was met? The "keep it just in case" strategy is no longer an option, which has set nerves jangling with Legal. Under new rules, records and data can only be retained for elongated periods if it can be proved that they are required for a specific, ongoing litigation or regulatory purpose.
Given this increase in complexity and conflicting regulations, it is unfathomable to believe that old ways of working can be effective. Compliance cannot be kept under control by people yielding spreadsheets. Instead, many of the world's largest financial institutions are now finding new ways of working, utilizing technology to help de-risk compliance and cut costs. They have discovered that regulatory technology ("RegTech") can automatically monitor compliance status and ensure that the right action is taken at the right time. And AI-driven tech-tools are being deployed to automate the regulatory change process and deliver deep regulatory insights, which support a more pro-active compliance workforce. Indeed, they have realized that there is no other way to keep pace with billions of global rules and regulations, understand the impact on their business, and manage compliance at scale.
Nicola Cowburn, Chief Marketing Officer, CUBE