IT Compliance Trends
In financial services two areas are evolving extremely rapidly—IT/data and regulatory compliance.
Technology developments such as the digitization of payments systems, FinTech, blockchain, cryptocurrency, the cloud and open data continue to challenge business models, and to test the ingenuity and resilience of CIOs as they support their businesses in executing transformation strategies.
In the world of regulatory change, customer, community and regulator expectations are evolving. Regulatory reform is complex and pervasive, and the need to manage ethical and conduct considerations is demanding new levels of capability and professionalism from the CCO, CIO and their teams.
The intersection of these two areas is fascinating, fast paced and strategically important.
Customer Data Compliance Trends
Three IT/data compliance trends concerning customer data require our sharp focus:
1. Data privacy.
2. Data security and cybersecurity.
3. Consumer Data Rights (including the trend to open data).
Underpinning all three developments is a common purpose—the idea that customers should:
• Have open access to their personal data (e.g. Consumer Data Right and open data).
• Have more control over how their personal data is being used or disclosed (e.g. GDPR through the enhanced consent regime).
• Have some comfort that their personal data will be protected and stored appropriately and commensurate with its sensitivity (e.g. GDPR, cybersecurity regulations, HKMA Cybersecurity Fortification Initiative, APRA’s draft prudential standard on Information Security Management).
• Be able to access their personal data and the data they have provided to the organization (e.g. Consumer Data Right and open data), and
• Be informed if their personal data has been compromised if there is a likely risk of serious harm (e.g. Mandatory Breach Notification pursuant to the Privacy Act) or if there is a high risk to the rights and freedoms of natural persons (e.g. GDPR).
1. Data Privacy
The approach to data privacy has historically varied significantly between geographies. In the past, the EU and EEA have led the way, while other jurisdictions such as the US have applied less regulation. However, in response to community concern around the collection, use, and storage of personal information, we are seeing jurisdictions implement more privacy regulation to provide individuals with the necessary protection. The focus on protecting personal information has been driven by an increased awareness of the huge volumes of personal data being created and stored with third parties.
In Australia, a significant amendment to privacy laws came into effect on 22 February 2018. Reporting entities under the Privacy Act moved from a voluntary to a mandatory data breach notification regime, with associated fines for both individuals and organizations for non-compliance. This signals a trend towards greater attention to, and enforcement of, privacy rights.
Separately, the new EU General Data Protection Regulation (GDPR) aims to provide uniform data protection regulation for individuals located in the EU when it comes into operation on 25 May 2018 (and extends to businesses outside the EU via its extraterritorial provisions). The extraterritorial nature of the regulation makes its implementation complex, and penalties for non-compliance are significant.
2. Data Security and Cybersecurity
In conjunction with more assertive data protection authorities, we are seeing increasing focus from governments and regulators on cybersecurity. In Australia, APRA recently released a draft prudential standard on Information Security Management (CPS 234). Globally, the HKMA Cybersecurity Fortification Initiative and the recent creation of the Singapore-based Financial Services Information Sharing and Analysis Centre (FS-ISAC) endeavour to facilitate the timely sharing of cyber threat information and enable a rapid and coordinated response to emerging cyber threats.
For organizations operating in, or connected with, more than one jurisdiction, there is a need to ensure compliance with a number of different jurisdictional approaches to cybersecurity law and regulation. This can present challenges:
• Volume and complexity;
• Extraterritorial application;
• Contradictory/overlapping requirements; and
• Implementation challenges across complex (and often legacy) IT environments.
3. Consumer Data Right (including Open Data)
Against the backdrop of increased protection and security required for customer data, governments have—somewhat paradoxically—turned their attention to comprehensive customer data access, sharing and portability rights.
The Australian Government’s announcement that it will introduce a Consumer Data Right (“CDR”) is one example. Banking will be the first sector to be designated under this new requirement followed by the telecommunications and utility sectors.
Open banking envisages customers securely sharing their customer data with other financial service entities (including FinTechs and non-banks), which can use the data to offer alternatives. To this end, CDR will give third parties access to the banking product data and transaction data that the customer requests be shared:
‘By giving customers greater access to and control over their banking data, Open Banking has the potential to transform the way in which customers use and benefit from the banking system.’
Separately, the Australian government has announced a mandatory comprehensive credit reporting regime, to give lenders access to a deeper, richer set of data to better assess a borrower’s true credit position.
Hong Kong and Singapore are proposing similar open banking regimes, and the EU is currently implementing the second Payment Services Directive (PSD2).
Developments around consumer data rights will transform the way that data is used and accessed and will necessitate a fundamental change to the way APAC governments, businesses and individuals handle data.
Positioning for Success
Data, cyber and privacy regulation will continue to evolve. Organizations that can effectively navigate these changes will have a significant competitive advantage. Success in solving the puzzle will vary for each organization, but there are three core themes:
• A compliant-by-design approach to new products and services, systems and third party relationships will position organizations strongly for both regulatory compliance and good customer outcomes.
• Building strong and trusted alliances between Compliance and Technology, Data Custodians, and other functions such as Legal, Operational Risk and Operations.
• Upskilling the Compliance function in two additional skill sets:
  • Chief Privacy Officer capability: to set standards around privacy and the ethical use of data, provide advice and expertise, and monitor compliance; and
  • Capability to support the broad-based but specialist needs of the Technology, Data and Operations functions. This includes having regulatory compliance expertise in cybersecurity, outsourcing, the use of the cloud, and new prudential regulatory standards and guidance.