A roll call of top-tier financial services firms that have been on the receiving end of hefty enforcement fines since 2008 reads like a “Who’s Who” of the banking and insurance sectors.
Damage to their reputations and lost revenues may take many years to repair.
Some are more diligent than others in complying with Regulator demands. In many cases, despite best efforts, regulatory breaches occur through ignorance rather than malpractice. But with the “ignorance is not an excuse” mantra now adopted by most supervisory agents, any financial institution that fails to capture complete regulatory intelligence is as culpable as its better-informed peers who fail to execute the correct policies, procedures and controls needed to ensure regulatory compliance.
Information governance has been hit especially hard, largely due to the heightened focus on privacy and security around record-keeping. In recent years, vastly increased volumes of regulation, the heady pace of regulatory change, and the complex interplays between regulations and jurisdictions have given rise to some of the biggest penalties ever imposed – hundreds of millions of dollars, and the threat of €20m or 4% of annual global turnover in the case of GDPR.
So, how do information governors get on the wrong side of the Regulator?
- Having incomplete regulatory intelligence. The global financial services regulatory universe is extensive. Since 2008 there have been 50,000 new regulations, and every year sees more than 53,000 amendments. With most financial services firms still relying on internal or outsourced manpower to capture regulatory data, it is no great surprise that the vast majority have pockets of ignorance that will not be excused by the Regulator.
- Not knowing which regulations relate to your business. If you don’t know which regulations are active, and the intersecting obligations they carry, how can you reflect their requirements accurately in your policies, compliance procedures and controls? And even if you do have complete regulatory data, how do you know which regulations apply to your own business taxonomy? Relying on people to look for relevance, across all lines of business and jurisdictions, is unreliable.
- Being unable to pinpoint non-compliance, at record level. Let’s assume you know which regulations apply to your business taxonomy; now you need to know exactly which policies, procedures, controls and records represent compliance risk. Accomplishing this task with people-centric processes, in a timely or accurate way, is no mean feat. And being unable to remediate compliance risk at record level will not satisfy the Regulator.
- Compromising privacy and security when transferring records cross-border. Never before has records management required such granular attention to detail when moving records containing personal data from one jurisdiction to another. Those who fail to exercise due care and attention around regional requirements will fall foul of the Regulator.
- Getting retention wrong. The privacy lens has turned retention upside-down. In the past, great efforts were made to ensure that records were not destroyed too early. In many cases, they were retained way beyond the regulatory requirement (a practice favored by Legal) in case they were needed to support compliance or litigation cases in the future. Today, failure to destroy documents, records and data as soon as the regulatory obligation has expired, and with no other plausible reason to do so, is highly culpable.
- Failing to assess the impact of regulatory change, and react quickly. With 53,000 regulatory updates annually, every financial institution attempting to manage impact assessments manually is unable to respond in a timely manner. The time lag between the change being issued and compliance being redressed can be significant – if a regulatory investigation is launched in the meantime, you will be in breach.
- Lacking a defensible audit trail. Regulation is not an exact science, and Regulators are not out to get you. But if you are unable to explain exactly what actions were taken, and why, your defense is severely compromised.
All of these hurdles can be overcome with Regulatory Technology (RegTech). The newly launched ‘RegTech for Information Governance’ independent research report from Burnmark includes expert interviews on the challenges faced, and how to overcome them.