The financial services industry — inclusive of insurance — is the second-most regulated industry on the planet, claiming some 128,000 broad regulatory restrictions to operate in a compliant manner.
That’s largely due to the sensitivity of the data at rest and in transit within the financial services sector, as it carries with it information attached to people and their property, along with businesses and their bottom lines.
Simply stated, financial services data can quite literally contain the keys to a kingdom. Add to that the fact that financial gain is the number one motivation for cybercriminals and hackers, and it becomes clear just how important it is to protect this data.
What are the challenges to managing FinServ data?
The more heavily regulated the industry, the bigger the repercussions can be if the data is compromised. While many in the FinServ industry have been early adopters of data governance technology, the ever-evolving landscape of that digital information requires constant upkeep and updating.
Some of the challenges to ensuring the data is protected begin with the industry itself, which spans several distinct segments:
- General banking: Both consumer and commercial banking establishments are the central location for people and businesses to manage the use of their money, from deposits of funds to personal payments or large business purchases. A lack of data governance in this industry segment can bring daily operations to a grinding halt.
- Insurance: Whether it's healthcare, automotive, property, or any other tangible asset that requires protection, the data being used to create these accounts is as granular as they come. With one insurance carrier, a person could be handing over their medical history, vehicle identification number, and small business financials. That’s a massive amount of sensitive data for a company to manage and secure.
- Mortgage companies: It’s long been said that the American Dream — purchasing a home to call your own — is the biggest investment one will ever make. In order to get there, however, borrowers hand over their most sensitive financial information in exchange for a mortgage, from annual salary documentation to tax returns and bank account information. Here, pieces of the data governance management process, like identifying redundant, obsolete, or trivial (ROT) data and monitoring the data lifecycle, are critical to reducing risk.
- Investment companies: Another sub-industry with its own nuances, investment companies and funds have both consumer and commercial information flowing through their databases, which can have a heavy bearing on the various markets as a whole. Data moves in two directions, as investment companies are both buying and selling in a loop.
A common issue within the industry is that many organizations allow specific lines of business to control their own budgets and leverage their own data platforms and analytics tools, which results in fragmented digital information across the enterprise. That, in turn, leads to a much wider threat landscape and a far more difficult governance program to adhere to.
What are the financial services regulations?
You’ve discovered your data and classified it, but depending on what your organization does within the financial services industry, it may be subject to a variety of different regulations.
Here are three that need to be understood, as their wide-reaching requirements will likely have an impact on your data governance model:
- GLBA: The Gramm-Leach-Bliley Act (GLBA) requires financial services companies to have an infosec program that provides visibility into what data you have and where it lives, access control that allows only authorized use of data containing customer information, encryption for customer information, and retention policies that keep customer data no longer than two years (unless there’s a legitimate business reason to keep it longer).
- SOX: The Sarbanes-Oxley Act (SOX) requires companies to ensure the accuracy of their financial reports, improve financial disclosures, and deter accounting errors and fraudulent practices.
- PCI: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all organizations that process, store, or transmit payment card account information maintain a secure environment. PCI DSS compliance is mandatory for all merchants and service providers, whether you process one or one thousand credit card transactions.
Do you have a data governance solution in place?
The first step in properly governing all this data is to know what it is, classify it, and pinpoint where it lives. This is the data discovery process, and it’s the foundation of any data governance program. You can’t manage what you can’t see.
A core pillar of effective data governance is the ability to set guidelines on data use and quality that facilitate ease of communication and education across the business and technical users. A company’s ability to perform a real-time search of a data catalog promotes trust and data literacy among the business while also allowing users to provide quality feedback. Data stewards can then manage business feedback as well as any access requests to desired data sets. When data is appropriately managed, better cross-functional collaboration can take place as stakeholders are working from a single source of truth.
Forward-thinking companies want to make the most of data to become insight-driven, trusted organizations. A strong data governance strategy means that businesses have good data and that they are also smart consumers of this data. This requires a holistic approach to data policies, data quality, risk management, and business processes to create data literacy. The more data literate your organization is, the better you can use data-led insights to improve your operations and provide customers with the services and experiences they want.
Learn more about OneTrust Data Discovery tools and Data Governance by requesting a demo.