19 August 2017
Stuart Clarke

Cybersecurity

Stuart Clarke - Nuix

Finextra community

Compliance: Overcome the data deficit

11 August 2017

The technology requirements to analyse large data sets have never been more in demand in Financial Services. In 2017 financial institutions are creating vast swathes of data far beyond what we saw just a decade ago. However, it’s not just data volume that makes powerful data analysis such an important consideration; it’s regulation.

Financial Services is driven by regulation more than any other industry. Whilst businesses are driven by common aims (selling more, lowering costs and keeping customers), regulation is as big a driver of business direction for FS. Adhering to regulations is key to avoiding fines, but many businesses see it as a benchmark and choose to go far beyond this to ensure they are fully prepared. A failure to pass a PCI DSS compliance audit, for example, might cost a bank its ability to process credit card information, leading to fines, lost revenue and reputational damage.

Digging for data

Modern regulations have become more focused on preparation and on understanding what data is held and where, as well as on the need to pull specific data quickly and upon customer request. The GDPR and the UK’s new data protection bill both focus on this aspect of data management and require certain functions to be available for an organisation to remain compliant.

Data breaches, whilst a major threat for organisations, also represent a regulatory threat for international banks. Data flows easily across borders and, with strict penalties abroad and even jail time in some cases, companies are learning the hard way that they must keep track of where their data is stored.

The right skills for the job

These changes mean that regulatory reporting is now a part of many job functions. DPO (Data Protection Officer) and AMLRO (Anti-Money Laundering Reporting Officer) roles now involve frequent reporting alongside their everyday duties.

The issue is that those in these jobs often struggle to process and analyse the vast amounts and varieties of data so they can determine risk and strategy. The role is seen by many as a kind of poisoned chalice. As Barclays Chief Data Officer, Usama Fayyad, put it in an interview last year, “There are lots of opportunities and dangers in a changing data landscape”. There is value in client data, but what use is that data if it can’t be located and analysed? Or, even worse, if it can’t be found quickly to meet the needs of compliance or an investigation?

For compliance purposes, the reality is that only small amounts of data need be pulled… until a catastrophe happens.

Under investigation

When an organisation comes under investigation, whether it has done wrong or not, the data in question can be difficult and expensive to find and produce in a timely manner. Other areas of the business may have similar requests to find, classify, produce and protect data. In particular, international banks will need to identify personally identifiable information (PII) flowing across borders. The GDPR ensures that a strict set of regulations applies across the EU. Britain, despite exiting the EU, will have its own Data Protection Bill in place that closely follows the GDPR, meaning British firms will also need to follow suit.

In general, banks have always lacked a joined-up approach to their unstructured data; new regulation means they’ll need to learn fast. Although it’s assumed that PII requests will make up most regulation requests, at this point it’s hard to know whether other data like Payment Card Info (PCI) or Anti-Money Laundering (AML) will be more of a priority.

Currently, banks will have, at least, a high-level system for bulk data analytics to deal with this issue. Financial institutions know that effectively managing information for regulatory compliance requires three things: watching where the business creates and stores dangerous or valuable information; understanding the totality of the information in the variety of repositories in which it exists, whether that be IM, emails, SMS, trader turrets, network traffic, user behaviour or voice recordings; and being able to search, classify, parse, cluster and secure all content according to each regulator’s criteria.

Being fit for purpose

The major problem remains that, in the majority of cases, the solutions banks have won’t be fit for purpose. The technologies they are using to parse and analyse data are good within a finite window; that is, they specialise in working with specific data types or relationship types. Compliance projects will need to stitch these different types of data together more effectively.

Today’s regulations reflect the FCA and other bodies’ ongoing concerns with data quality, governance, controls and accountability over reporting. Banks must reach higher standards when submitting accurate data across far more regulatory reports, whilst maintaining high levels of preparedness and monitoring. The technology requirements to analyse large data sets have never been more in demand.

Stuart's profile

Job title: Chief Technology Officer, Cybersecurity
Location: London
Stuart is an internationally respected information security expert who is responsible for the overall security and intelligence strategy and delivery at Nuix.