Financial services organisations need to comply with a whole raft of regulations, ranging from Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) rules to the Basel Committee (BCBS) standards, as well as general data protection and payment security requirements such as GDPR and PCI DSS.
Holding and managing large amounts of personal and sensitive data while adhering to all these regulations is a huge ongoing challenge, with potential fines looming from the FCA and ICO for any company that fails to comply with data management policies or neglects to protect sensitive personal data adequately.
The statistics show that data governance in financial services is a particular challenge with data breaches being an issue for the majority of financial organisations:
- Cybersecurity is the highest risk for financial institutions, according to a Bank of England survey in 2022.
- 54% of UK finance and insurance companies identified breaches or attacks in the last 12 months (Cyber Security Breaches Survey 2022).
While companies are doing their utmost to reduce data breaches and attacks, data governance in financial services is still an issue:
- Six in ten (57%) of senior executives in the UK financial services sector say their organisation is at risk of a data breach because data is so poorly managed.
- In its 2020/21 Annual Report the ICO reported that human error was the leading cause of data breaches in the financial sector, accounting for 45% of all incidents of data breaches.
A thorough understanding of all the sensitive data the organisation controls, as well as where it is held, is the first step to protecting it and managing threats from both inside and outside the organisation. Having sound data governance policies in place for managing data is a prerequisite for meeting financial services compliance rules and data privacy regulations such as GDPR ROPA.
With so many regulations and sensitive data spread across a wide range of platforms and systems, compliance teams are finding it hard to keep up, with large numbers of projects and limited or lacking resources to handle the manual processes that are still often used to manage data.
In this article, we will take a look at the financial services compliance demands that FCA Systems and Controls (SYSC) and GDPR ROPA place on financial services companies, together with some ways in which these practical challenges can be resolved and data managed more easily.
Data Governance in Financial Services – Meeting GDPR ROPA and FCA requirements
We are not able to cover all of the regulations that a financial institution might be subject to in this short article, but there are two key financial services compliance rules that most, if not all, financial services companies need to adhere to: GDPR ROPA and the Financial Conduct Authority (FCA) Systems and Controls (SYSC) rules:
- GDPR ROPA – What is a ROPA?
ROPA stands for “Record of Processing Activities”, and a good place to start in understanding what ROPA entails is with the ICO’s own definition: “It’s a legal requirement to document your processing activities. Taking stock of what information you have, where it is and what you do with it makes it much easier for you to improve your information governance and comply with other aspects of data protection law (such as creating a privacy notice and keeping personal data secure).”
Under GDPR, organisations are required to maintain a ROPA document to demonstrate their compliance with data protection regulations. The ROPA document should include:
- The name and contact details of the organisation, as well as its representative and data protection officer (if applicable)
- The purposes of data processing, including the legal basis for each processing activity
- The types of personal data that are processed, including categories of data subjects
- Details of any third parties who receive personal data, including the reasons for sharing the data and any safeguards in place to protect it
- Information about data retention periods and how personal data is securely disposed of when no longer required
- A description of the technical and organisational measures in place to protect personal data from unauthorised access or accidental loss or destruction.
The ROPA document needs to be regularly reviewed and updated to reflect any changes to an organisation’s data processing activities. It is an important tool for demonstrating accountability and transparency under GDPR.
- What is FCA SYSC?
The Financial Conduct Authority (FCA) Systems and Controls (SYSC) rules require companies to have robust data management policies in place to effectively manage and protect data, including:
- Data Governance framework to manage data.
- Data Classification – based on sensitivity and criticality and appropriate controls for each category of data.
- Data Protection measures to protect data from unauthorised access, disclosure or alteration.
- Data Retention and Disposal policies based on legal, regulatory and business needs.
- Data Privacy, complying with the relevant data protection regulations, such as GDPR, by implementing appropriate data privacy policies and procedures. This includes obtaining consent for the collection and processing of personal data and ensuring that individuals have the right to access, correct and delete their personal data.
Knowing what sensitive data you have, where it is held and how it should be classified is a key component of meeting financial services compliance rules outlined by both the GDPR ROPA and FCA SYSC guidelines, but with constantly increasing amounts of data, there are also some major challenges.
Key data management challenges financial services companies face
To ensure the GDPR ROPA and FCA SYSC guidelines are met, financial services companies need to contend with some key challenges:
Data silos – Financial institutions hold massive amounts of sensitive data, and need to track data which is held everywhere:
- Data is held across different business systems and applications.
- Data needs to be tracked in employee documents, emails and collaboration software.
- Data is stored on-premise and in the cloud.
- Data is also shared with third parties.
Data quality and integrity – With data scattered around in different applications, across the business on different endpoints and in emails, it can easily become inaccurate. So, how can you ensure that it is both consistent and secure? There are 5 quick best practices we recommend in order to maintain data integrity:
- Validate data – create validation rules and validate your data on input
- Process data – cleanse data by searching for old data and duplicates
- Maintain data – check data on an ongoing basis against your validation rules
- Protect data – implement security controls such as user authentication
- Employee training – develop a culture of data integrity with data entry and compliance training to ensure consistency
Data security – A whole topic in itself and not one we can cover here in detail, but data governance policies need to be put in place to manage access to sensitive information, protect data and enforce data privacy rules across the organisation.
Employee data awareness – As part of ROPA, employees need to be aware of the processes involved in handling personal data and kept up to date.
Manual processes and stretched resources – It is time-consuming for data analysts and compliance managers to pull data from different applications and generate reports, especially if they need to rely on manual processes, and with a shortage of skilled people in this area of expertise it is often not possible to scale these processes to keep pace with the growth of data.
To overcome these challenges and meet regulatory compliance, there are tools to help you “Take stock of what information you have, where it is and what you do with it” to fulfil ROPA as required by the ICO and other requirements. In the next section, we take a look at how an international bank achieved this using data discovery tools to assist.
How an international bank sped up compliance and reduced costs with automated data discovery
An international bank had large amounts of sensitive personal information that it needed to protect to comply with FCA, PRA and GDPR requirements. The bank had a growing number of business applications that it needed to monitor and was struggling to find a solution for managing sensitive data in its Atlassian (Confluence, Jira, Bitbucket) collaboration software.
The bank selected SecurEnvoy Data Discovery to scan over 2 terabytes of data, an amount that is continually increasing, and report on all the sensitive data being stored in its on-premise and cloud solutions. SecurEnvoy Data Discovery reports on the type of sensitive data being stored and where it is held, and alerts on any data that is out of line with compliance regulations.
The result was a 93.3% per year cost saving using automated data discovery versus manual data scanning. In addition, the cost of running the team was reduced and staff were put on to other digital security tasks. The team were able to quickly respond to audits and the solution improved data compliance and ensured that employees were continuously made aware of transactions involving sensitive data.
Benefits of using SecurEnvoy Data Discovery to discover sensitive data to ensure financial services compliance by meeting ROPA and FCA requirements
SecurEnvoy Data Discovery, the tool used by the international bank, provides both data discovery and classification functionality and removes the need for manual processes. It enables you to discover the data you have so that risk can be evaluated. Rules can be created to discover and report on sensitive data to meet the needs of regulatory compliance.
Some key advantages include:
- Automated data discovery:
- Accelerates the process of discovering and analysing the sensitive data you have (minutes rather than hours) and speeds up the audit process for regulatory compliance.
- Provides automated search for Personally Identifiable Information (PII), Payment Card Information (PCI) and health records to comply with HIPAA, GDPR, PCI, etc.
- Bespoke rule sets and complex queries using Compound Search can also be handled by the tool.
- Speeding up DSARs, ensuring that they are fulfilled in time to meet GDPR requirements. Find out more in the “7 Steps to speed up the DSAR process” article.
- Real-time data alerts ensure that your company is adhering to data compliance regulations and help end-users to remediate any issues with sensitive data that are discovered. End-users can remediate themselves without relying on help from the data security team.
- Reporting tools enable you to evaluate the organisation’s risk profile showing instances of sensitive data detection and resolution. Management reports are available in pdf and user-friendly dashboards via an intuitive management console.
- Flexible deployment both in the cloud and on-premise. SecurEnvoy Data Discovery covers data on a wide range of endpoints, servers and applications.
SecurEnvoy Data Discovery helps data governance in financial services by enabling more reliable data across the business to meet regulatory compliance requirements, keeps staff continuously updated and aware of data protection issues and reduces reliance on specialist staff and data management costs.
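As an added illustration of the kind of discovery scan described above (this is example code written for this article, not SecurEnvoy's product code or a description of how it works internally), the snippet below walks a set of constructed sample documents standing in for wiki pages and tickets, flags e-mail addresses as PII and Luhn-valid card numbers as PCI data, masks them in the output and records where each item was found, which is the "what you have and where it is" inventory that ROPA asks for.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "documents" standing in for files found on a share or wiki.
# 4111111111111111 is a well-known test card number; the ticket reference is a
# made-up 16-digit number that is NOT a valid card number (it fails the Luhn check).
SAMPLE_DOCS: Dict[str, str] = {
    "confluence/onboarding.txt": "Contact jane.doe@example.com for access. Ticket ref 1234567890123456.",
    "jira/PAY-42.txt": "Customer paid with card 4111 1111 1111 1111, expiry 12/26.",
    "share/agenda.txt": "Nothing sensitive here, just the meeting agenda.",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_email(value: str) -> str:
    """Keep the first character and the domain so the finding is recognisable but not re-exposed."""
    local, _, domain = value.partition("@")
    return local[0] + "***@" + domain


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (category, masked_value) findings for one document's text."""
    findings: List[Tuple[str, str]] = []
    for m in EMAIL_RE.finditer(text):
        findings.append(("PII:email", mask_email(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):  # report only Luhn-valid numbers, masked to the last four digits
            findings.append(("PCI:card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def discover(docs: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each location that holds sensitive data to its findings; clean documents are omitted."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for path, text in docs.items():
        findings = scan_text(text)
        if findings:
            report[path] = findings
    return report
```

Running `discover(SAMPLE_DOCS)` reports the e-mail address in the Confluence page and the card number in the Jira ticket, while the Luhn-invalid ticket reference and the agenda file produce no findings.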