Customer Data: The New Compliance Frontier

Separately, the new EU General Data Protection Regime (GDPR) aims to provide uniform data protection regulation for individuals located in the EU when it comes into operation on 25 May 2018 (and extends to businesses outside the EU via its extraterritorial provisions). The extra-territorial nature of the regulation makes its implementation complex and penalties for non-compliance are significant.

2. Data Security and cybersecurity

In conjunction with more assertive data protection authorities, we are seeing increasing focus from governments and regulators on cybersecurity. In Australia, APRA recently released a draft prudential standard on Information Security Management (CPS 234). Globally, the HKMA Cybersecurity Fortification Initiative and the recent creation of the Singaporean based Financial Services Information Sharing and Analysis Centre (FS-ISAC) endeavour to facilitate the timely sharing of cyber threat information and enable a rapid and coordinated response to emerging cyber threats.

For organizations operating in, or connected with, more than one jurisdiction, there is a need to ensure compliance with a number of different jurisdictional approaches to cybersecurity law and regulation. This can present challenges:

• Volume and complexity;

• Extraterritorial application;

• Contradictory/overlapping requirements; and

• Implementation challenges across complex (and often legacy) IT environments.

3. Consumer Data Right (including Open Data)

Against the backdrop of increased protection and security required for customer data, governments have—somewhat paradoxically—turned their attention to comprehensive customer data access, sharing and portability rights.

The Australian Government’s announcement that it will introduce a Consumer Data Right (“CDR”) is one example. Banking will be the first sector to be designated under this new requirement followed by the telecommunications and utility sectors.

Open banking envisages customers securely sharing their customer data with other financial service entities who can use the data to offer alternatives (including Fintechs and non-banks). To this end, CDR will give third parties access to banking product data and transaction data that the customer requires:

‘By giving customers greater access to and control over their banking data, Open Banking has the potential to transform the way in which customers use and benefit from the banking system.’

Separately, the Australian government has announced a mandatory comprehensive credit reporting regime, to give lenders access to a deeper, richer set of data to better assess a borrower’s true credit position.

Hong Kong and Singapore are proposing similar open banking regimes, and the EU is currently implementing Payments Service Directive 2 (PDS2).

Developments around consumer data rights will transform the way that data is used and accessed and will necessitate a fundamental change to the way APAC governments, businesses and individuals handle data.

Positioning for Success

Data, cyber and privacy regulation will continue to evolve. Organizations that can effectively navigate these changes will have a significant competitive advantage. Success in solving the puzzle will vary for each organization, but there are three core themes:

• A compliant by design approach to new products and services, systems and third party relationships will position organizations strongly for both regulatory compliance and good customer outcomes.

• Building strong and trusted alliances between Compliance and Technology, Data Custodians, and other functions such as Legal, Operational Risk and Operations:

• Upskilling the Compliance function in two additional skill sets:

• Chief Privacy Officer capability-to set standards around privacy and the ethical use of data, provide advice and expertise and monitor compliance; and

• Capability to support the broad-based but specialist needs of the Technology, Data and Operations functions. This includes having regulatory compliance expertise in cybersecurity, outsourcing, the use of the cloud, and new prudential regulatory standards and guidance.