By Philip Dutton, CEO and Co-founder of Solidatus
It may have started ‘Dear [Chief Executive Officer]’ and ended ‘Yours sincerely’ but the tone in swathes of a letter from the Bank of England’s Prudential Regulation Authority (PRA) to UK-based banks felt more in keeping with a note from an angry headteacher to the parents of a wayward pupil.
Delivered earlier this year, the seven-page document (PDF) contained instructions on a wide range of topics including credit risk, operational risk and resilience, model risk, and financial risks arising from climate change. And the message was loud and clear: banks need to get their houses in order.
As CEO and Co-founder of Solidatus, I find these subjects closely aligned with my areas of interest.
But, along with a few paragraphs on data, the section that really caught my eye focused on risk management and governance, something that, when done right, mitigates the risk of fines and creates money-making or money-saving opportunities – but we’ll come to the specifics at the end.
Part of a wider discussion on financial resilience in the letter, the issue has been bubbling under as an unresolved going concern ever since the global financial crisis of 2007 and 2008.
And that’s the thing: while these frustrations were aired by the Bank of England, this is a worldwide systemic problem. Yet despite warnings from regulators, banks continue to fall short on data governance regulations, the Bank of England’s intervention simply being the latest piece of criticism of their approach to risk management, data governance and production controls for regulatory reporting.
Effective governance ensures that data is consistent and trustworthy and doesn’t get misused. It should be a priority for any organisation dealing with wide-ranging information across multiple systems, particularly in regulated industries. But it’s a disturbing reality that most banks have inadequate standards, resulting in weaker security infrastructure, poor decision-making and lack of compliance.
So why are most banks so reluctant to invest in improving their data governance standards, preferring to take a more reactive approach and waiting until they’re pulled up by regulators?
In this article, I go on to suggest answers to this question, setting them in the context of the top data governance challenges banks face, what needs to happen to improve data governance in banks, and whether the PRA’s letter is likely to have any impact.
Data governance challenges
The root cause of these problems is that most banks’ governance practices over the years haven’t kept up with the pace of change in technology, the proliferation of data or the number of systems used to hold this data and the ever-increasing set of regulations that create obligations.
Rewind 25 years or so, and a small tech stack with IBM at its foundations would be simple to manage, the flow of data between systems being sufficiently limited to keep track of without tearing your hair out. But those days are behind us, and now there’s a tendency for banks to have their heads in the sand rather than face and respond to the new reality.
This careless attitude could cripple their businesses, either through fines or simply because the data they need to make informed decisions is getting lost in the clutter.
This governance-centred section of the Bank of England’s letter focuses on counterparty risk management, chastising banks that “despite regular messaging from the PRA on the subject, these events [Russia’s invasion of Ukraine and volatility in the nickel and long-dated gilt markets] demonstrated that firms continue to unintentionally accrue large and concentrated exposures to single counterparties, without fully understanding the risks that could arise”. But the problem stretches far beyond this into general business negligence.
At its core, poor data governance presents multiple challenges, including:
• Lack of visibility into your full landscape of data sources, usage patterns and/or control gaps;
• Your suite of tools and platforms not meeting your needs across internal and external stakeholder groups, meaning they’re not future-proofed for an evolving regulatory landscape;
• Implementation of change programmes being slow and hampering strategic business objectives;
• Badly thought-through or non-existent integration of compliance into business processes and controls, with linkage to regulatory obligations; and
• Limited insight into regulator expectations and interpretation of requirements.
The goal is to drive operational efficiencies and risk mitigation. But how?
Improving your data governance
Governance is a multifaceted discipline. It boils down to better embedded practices and processes, but these must be combined with the right software solutions, ones that allow you to truly manage the infinite complexity through operational blueprints of active metadata. That means leveraging your existing data and systems, captured across your bank in context, to provide insights from the past and create action plans in the present to achieve the desired future state.
Relying on Excel is negligent, and relying on 1st- or 2nd-generation data governance platforms is no longer acceptable.
Ultimately, it’s about taking the first step of data discovery. To do that, you need to:
• Automate the capture of lineage and understand the connections between processes, data, controls and reports to applicable regulatory obligations;
• Connect existing catalog information, such as asset inventories, data dictionaries, processes, risks, controls, and other enterprise taxonomies and/or hierarchies;
• Trace internal risk appetite framework(s) to policies and standards to external regulatory requirements; and
• Link self-assessments, internal audit and external examiner results.
And that means using more versatile software.
What will the impact be?
You might be seeing the light, but I’m left asking: will the Bank of England’s letter have a significant impact across the sector?
Well, yes and no. The letter itself doesn’t explicitly lay out what the consequences of non-compliance are. The Bank also only has official oversight in the UK.
To counter that, though, the law is already well known, even if not reiterated here. If you’re not complying, it’s more likely a question of when, not if, the regulators will come knocking. Furthermore, the Bank “will continue to work closely with our regulatory counterparts on these topics”; the UK isn’t an outlier here.
And this is before we look at the sheer increased efficiency of smart data governance. With the right software used well, your efficiency savings can be immense. 90%+ cost savings aren’t unheard of when it comes to mapping and monitoring your data and systems, with the resulting data discoveries you make creating huge opportunities not just to save money but to make money.
So, whether this letter itself has any impact is moot; the world is moving towards an imperative to improve governance regardless.
When better governance also gives you a competitive advantage and improves data discovery, why wait to get your house in order?