乐鱼(Leyu)体育官网

Data

Data quality, governance, and lifecycle management are the potential "soft underbelly" for heightened risk and compliance standards

Data governance

Regulators are continuing to look broadly at the strength of firms' data risk management and governance, including policies, procedures, and accountability, data outputs (e.g., reporting, models, metrics), and third-party risks. Scrutiny will focus on firms' understanding and identification of risks around the ways data is collected, used, shared, and/or monetized, as well as how it is protected from misuse. Anticipate data governance supervisory themes to include:

  • Scope: An expanded scope of regulatory scrutiny will include reporting and other key data outputs (e.g., models, risk metrics, and compliance reports pertaining to fair lending, consumer protection, and financial crimes).
  • Traceability: Demonstrable ability to trace and report on the relationship between data outputs and business processes, systems of record, and systems of origin.
  • Heightened Standards: Increasing scrutiny of effective data risk management and compliance program standards across business lines and key functions, and with clear roles, responsibilities, and accountabilities for board, management and across 1st, 2nd, and 3rd lines.
  • Classification: Data classifications, tiering, and risk ratings based on the level of sensitivity, integrity, and availability, as well as the value and criticality of the data to the firm.
  • Third-Party Data: Understanding of data sourced from, or shared with, third parties, as well as data risk management and governance requirements embedded into third-party service agreements.

Data risk and controls

Regulators will assess firms' processes to define, identify, measure, monitor, manage and report on data risks, including those posed by third parties, at all levels of the enterprise.

In 2024 firms should look for continuing regulatory focus on the following capabilities:

  • Data Risk: Data risk defined through the risk taxonomy (e.g., data protection, data integrity, and data resiliency) and metrics and processes to identify, measure, manage, and monitor risk established at both the line-of-business and enterprise levels.
  • Data Controls: Standardized data controls established around access and authorization, use, privacy and security, and sharing with third parties or other data aggregators. These controls should align to the data risk taxonomy and show sustainability through a regular and robust control testing function.
  • Reporting: Holistic reporting on data risk and controls at the line-of-business, regional/country, and enterprise levels.

Data lifecycle management

Through guidance, policy statements, supervision, and enforcement actions, regulators have expressed expectations for firms to demonstrate cohesive and comprehensive strategies for managing and overseeing systems, data, and controls throughout the data lifecycle, including procedures for every step of the data lifecycle, from collection or acquisition, processing, and safeguarding to retention, possible migration, and end-of-life processes or disposal.

Expect regulatory examinations to consider:

  • Data collection: Prioritization of effective risk management and oversight of information systems, data, controls, and procedures, including when data is:
    • Initially captured and processed, especially if the data is sensitive consumer information (e.g., biometric, genetics or health, demographic) or manipulated or altered (e.g., conversion from structured to unstructured forms).
    • Acquired from, shared with, or sold to new data sources, including external third parties or data aggregators.
    • Migrated to new internal systems from old systems (e.g., legacy or decommissioned) or to external (third-party) systems (e.g., cloud, part of an M&A transaction).
  • Data Retention and Disposal: Scrutiny of data retention and recordkeeping, including collection, storage, retention, and disposal practices under existing data retention, privacy, and risk management regulations and guidance. Supervision and enforcement focus on data associated with decommissioned systems/IT assets (e.g., end-of-life practices) and recordkeeping associated with unauthorized channels or devices (e.g., SEC Regulation S-P) will continue.

What to Watch

Amongst all things 'data', key regulatory actions to watch will include:

  • Data Safeguarding, Retention, & Disposal: Examination and enforcement around practices for safeguarding and securing data, as well as retaining and disposing of it under existing regulations (e.g., SEC Regulation S-P).
  • Data Risk Management: Intensifying scrutiny of data risk management processes across business lines and functions, including data classification and traceability, internal governance processes, and external, third-party oversight (e.g., Interagency TPRM Guidance).
  • Data Reporting Requirements: Increasing expectations around data reporting capabilities, particularly around newly proposed/finalized rules (e.g., SEC cybersecurity and incident disclosures, Basel III capital requirements, CFPB 1071 small business lending data).

Call to Action

  • Clearly define data scope expectations: Clearly define the scope covered by data governance and ensure that it is expanding beyond the traditional scope of prudential regulatory reports.
  • Adjust risk taxonomy to consolidate data risks: Ensure the data risk taxonomy addresses data protection, data integrity, and data resiliency and that data owners understand the expectation to own and mitigate those risks.
  • Be explicit on standardized data controls: Ensure that there are standardized data controls aligned to the data risks and there is clear guidance for the lines of businesses and functions on what minimum control requirements apply to what scope and how to operationalize the controls.
  • Continuous monitoring and improvement: Drive ongoing monitoring and assessment of your organization's holistic data risk to ensure effectiveness of the controls and to address potential risks.

Dive into our thinking:

Ten Key Regulatory Challenges of 2024
