Data
Data quality, governance, and lifecycle management are the potential "soft underbelly" for heightened risk and compliance standards
Data governance
Regulators are continuing to look broadly at the strength of firms’ data risk management and governance, including policies, procedures, and accountability, data outputs (e.g., reporting, models, metrics), and third-party risks. Scrutiny will focus on firms’ understanding and identification of risks around the ways data is collected, used, shared, and/or monetized, as well as how it is protected from misuse. Anticipate data governance supervisory themes to include:
- Scope: An expanded scope of regulatory scrutiny will include reporting and other key data outputs (e.g., models, risk metrics, and compliance reports pertaining to fair lending, consumer protection, and financial crimes).
- Traceability: Demonstrable ability to trace and report on the relationship between data outputs and business processes, systems of record, and systems of origin.
- Heightened Standards: Increasing scrutiny of effective data risk management and compliance program standards across business lines and key functions, and with clear roles, responsibilities, and accountabilities for board, management and across 1st, 2nd, and 3rd lines.
- Classification: Data classifications, tiering, and risk ratings based on the level of sensitivity, integrity, and availability, as well as the value and criticality of the data to the firm.
- Third-Party Data: Understanding of data sourced from, or shared with, third parties, as well as data risk management and governance requirements embedded into third-party service agreements.
Data risk and controls
Regulators will assess firms’ processes to define, identify, measure, monitor, manage and report on data risks, including those posed by third parties, at all levels of the enterprise.
In 2024 firms should look for continuing regulatory focus on the following capabilities:
- Data Risk: Data risk defined through the risk taxonomy (e.g., data protection, data integrity, and data resiliency) and metrics and processes to identify, measure, manage, and monitor risk established at both the line-of-business and enterprise levels.
- Data Controls: Standardized data controls established around access and authorization, use, privacy and security, and sharing with third-parties or other data aggregators. These controls should align to the data risk taxonomy and show sustainability through a regular and robust control testing function.
- Reporting: Holistic reporting on data risk and controls at the line-of-business, regional/ country, and enterprise levels.
Data lifecycle management
Through guidance, policy statements, supervision, and enforcement actions, regulators have expressed expectations for firms to demonstrate cohesive and comprehensive strategies for managing and overseeing systems, data, and controls throughout the data lifecycle, including procedures for every step of the data lifecycle—from collection or acquisition, processing, and safeguarding to retention, possible migration, and end-of-life processes or disposal.
Expect regulatory examinations to consider:
- Data collection: Prioritization of effective risk management and oversight of information systems, data, controls, and procedures, including when data is:
- Initially captured and processed, especially if the data is sensitive consumer information (e.g., biometric, genetics or health, demographic) or manipulated or altered (e.g., conversion from structured to unstructured forms).
- Acquired from, shared with, or sold to new data sources, including external third-parties or data aggregators.
- Migrated to new internal systems from old systems (e.g., legacy or decommissioned) or to external (third-party) systems (e.g., cloud, part of an M&A transaction).
- Data Retention and Disposal: Scrutiny of data retention and recordkeeping, including collection, storage, retention, and disposal practices under existing data retention, privacy, and risk management regulations and guidance. Continuing supervision and enforcement focus on data associated with decommissioned systems/IT assets (e.g., end-of-life practices) and recordkeeping associated with unauthorized channels or devices (e.g., SEC Regulation S-P) will continue.
What to Watch
Amongst all things ‘data’, key regulatory actions to watch will include:
- Data Safeguarding, Retention, & Disposal: Examination and enforcement around practices for safeguarding and securing data, as well as retaining and disposing of it under existing regulations (e.g., SEC Regulation S-P).
- Data Risk Management: Intensifying scrutiny of data risk management processes across business lines and functions, including data classification and traceability, internal governance processes, and external, third-party oversight (e.g., Interagency TPRM Guidance)
- Data Reporting Requirements: Increasing expectations around data reporting capabilities, particularly around newly proposed/finalized rules (e.g., SEC cybersecurity and incident disclosures, Basel III capital requirements, CFPB 1071 small business lending data).
Call to Action…
- Clearly define data scope expectations: Clearly define the scope covered by data governance and ensure that it is expanding beyond the traditional scope of prudential regulatory reports.
- Adjust risk taxonomy to consolidate data risks: Ensure the data risk taxonomy addresses data protection, data integrity, and data resiliency and that data owners understand the expectation to own and mitigate those risks.
- Be explicit on standardized data controls: Ensure that there are standardized data controls aligned to the data risks and there is clear guidance for the lines of businesses and functions on what minimum control requirements apply to what scope and how to operationalize the controls.
- Continuous monitoring and improvement: Drive ongoing monitoring and assessment of your organization’s holistic data risk to ensure effectiveness of the controls and to address potential risks.
Dive into our thinking:
Ten Key Regulatory Challenges of 2024
Download PDFExplore more
Regulatory Insights
A source for updates and perspectives on regulatory activity and issues
Read moreMeet our team
