Stuart Clarke, CTO, Cybersecurity, Nuix
From board level down, financial services are concerned with the same fundamentals as any other business: sell more, lower costs and respond to regulation. It is the last of these, however, that really drives financial services. Currently, the most assured way to secure budget for a project is to align it to a regulatory matter or initiative, because failing to comply spells nothing but disaster. A failure to pass a PCI DSS compliance audit, for example, might rid a bank of its ability to process credit card information, leading to lost revenue and reputational damage.
This is the reason that risk and compliance functions are bigger in banks than in any other industry. The pressures are enormous. Not only does the danger of fines and penalties hover over banks that fail a compliance audit, the FCA has fined, can fine and will fine them not only when they are breached, but also when they fail to demonstrate that they are taking regulation seriously.
The considerable threat of data breaches means that international banks face much stricter regulatory penalties abroad, even jail time in some cases. Data flows easily, and even with the looming threat of the GDPR, companies are learning the hard way that they can’t make every outpost their ‘mini US or UK HQ’.
Regulations are increasingly homing in on the need to retrieve specific data quickly, and the compliance functions in financial services are growing to reflect this. From DPOs (Data Protection Officers) to AMLROs (Anti-Money Laundering Reporting Officers), regulatory reporting now forms a part of many job functions.
The trouble is that the people in these roles struggle to process and analyse the vast amount and variety of data they need in order to determine risk and strategy. The role is seen by many as a kind of poisoned chalice. As Barclays Chief Data Officer, Usama Fayyad, put it in an interview last year, “There are lots of opportunities and dangers in a changing data landscape”. There is value in client data, but what use is that data if it can’t be located and analysed? Or, even worse, found quickly enough to meet the needs of a compliance request or an investigation?
The reality is that only a relatively small amount of data is ever audited or examined for compliance purposes – until a catastrophe happens. This can result from inaccessibility, lack of resources, or lack of urgency.
I was recently working with an international bank that was feeling the sting of an AML investigation. Although it had done nothing wrong, the data in question was difficult and expensive to find and produce in a timely manner. A number of other areas in the business needed similar solutions to find, classify, produce, and protect data. In particular, the bank’s European counterpart was struggling with how to identify personally identifiable information (PII) flowing to the US and impacted by GDPR.
This reflects the fact that, in general, banks have never taken a holistic approach to identifying the impact of their unstructured data. The most obvious target for regulatory requests will likely be PII stores, but is that data more important than PCI or AML data? Many financial services companies won’t know until disaster strikes, by which time it is too late.
Banks should, at the very least, already have a high-level bulk data analytics capability to deal with this issue. They know that effectively managing information for regulatory compliance means a number of things. It means watching the business to see where dangerous or valuable information is created and stored. It means understanding the totality of the information across the variety of repositories and formats in which it exists: IM, emails, SMS, trader turrets, network traffic, user behaviour, and even voice recordings. It means being able to search, classify, parse, cluster, and secure all content according to each regulator’s criteria.
But the major problem is that, in the vast majority of cases, the solutions banks have won’t be fit for purpose. The current landscape of technologies that can parse and analyse data is good only within a finite window: each tool tends to specialise in working with certain data types or relationship types. This means that while a lot of compliance projects will start with good intentions, they will fail unless they can better stitch different types of data together.
The requirements demanded from today’s regulation environment reflect the FCA and other bodies’ ongoing concerns with data quality, governance, controls, and accountability over reporting. Banks face heightened standards for submitting accurate data reports across an increasing number of regulatory reports, and in addition are expected to meet high standards around report preparedness and monitoring.
Technology that can analyse large data sets and determine their accuracy has never been more in demand. If financial services firms want to stay ahead of the game, they need the ability to bring in real-time feeds from all the different parts of the business, ideally into a single platform.