Global harmonisation and progressive thinking are needed to support data connectivity between markets, says Matthew Chan at ASIFMA.
Digitisation of financial services and cross-border data usage are the fundamental building blocks necessary for global and regional capital market development in the coming decade. Yet, in some markets we see governments and regulators working in the opposite direction, requiring data localisation and introducing data-related policy fragmentation that significantly hinders international investment flows.
This has been a growing concern of the financial industry for a number of years, and it continues to be a priority issue for the Asian Securities Industry and Financial Markets Association (ASIFMA). In fact, earlier this month, we launched a Jurisdictional Comparison of key data-protection regulation across Asia’s markets.
Working with leading consultants and law firms in this complex area, our intent was to compare the variety of approaches taken by thirteen Asia Pacific jurisdictions, mapping them against each other as well as against the EU’s General Data Protection Regulation (EU GDPR), which is so often used as a frame of reference in policymaking in this area.
The size and scope of the document is itself testament to the overwhelming complexity of data regulations across the region – a landscape that continues to shift, with new iterations and requirements being introduced each month.
Definitions matter
In certain key markets, the difference in approach is substantial. This creates complexity, particularly for the majority of financial institutions which operate and serve clients in more than one jurisdiction. Additionally, within jurisdictions such as China, India and Indonesia, we see complex and multifaceted requirements at times involving multiple rules and regulators, which can be perplexing for even the most sophisticated of international firms.
While the EU GDPR targets personal data, our analysis highlights how a number of jurisdictions in this region seek to regulate additional categories well beyond this. China’s Cyber Security Law and its proposed Data Security Law, for instance, seek to regulate the use and protection of ‘important’ data, without providing a clear definition of what such a designation means in practice.
India’s Personal Data Protection Bill designates ‘critical’ personal data, which is subject to potential localisation, and deems all financial data automatically sensitive. More recently, India’s Ministry of Electronics and Information Technology has proposed a non-personal data protection authority. Meanwhile, Indonesia’s Government Regulation No. 71 of 2019 references ‘strategic’ data, with similar discretion to impose additional measures on this new category.
Such definitions matter when authorities have such discretion to restrict cross-border transfers of ‘important’, ‘critical’ and ‘strategic’ data, and when such categories could, under current trajectories, be extended to non-personal data.
Undoubtedly, governments need to respond to the rapid digitisation of commerce and consumer-facing technologies; however, rapidly extending cross-sector, one-size-fits-all rulemaking to an already heavily regulated industry such as financial services has unintended consequences.
Unintended consequences
Today, modern financial institutions consolidate their infrastructure typically into a single global operating model to achieve efficiency and flexibility. This model incorporates robust information security standards designed to satisfy multiple financial regulators.
Rulemaking on a cross-sectoral basis, however, can undermine such arrangements. In particular, we are seeing data localisation policies that require discrete technology builds in specific jurisdictions, segregating local systems from global hubs. These policies are often designed with social media and e-commerce in mind, sectors that are not as regulated as financial services.
In addition to creating operational friction in financial markets, this also exposes market participants to greater cybersecurity risk: each segregated local build adds entry points and interfaces to the global estate, widening the attack surface that malign actors can probe and multiplying the systems that must be separately patched, monitored and audited. Such requirements also create barriers to entry, as institutions need to establish entirely new infrastructure for each new market they enter.
At the same time, regulators rightfully want financial institutions to think more strategically and holistically about operational resilience, particularly in light of lessons from Covid-19; yet, within many financial institutions, it was often cross-border systems and data connectivity that enabled key staff to work from home, and abroad in some cases, minimising disruption to financial markets during the pandemic.
Unfortunately, data localisation requirements also extend to the use of cloud services, which have seen a widespread increase in global adoption especially during the current Covid-19 situation.
The Hong Kong SFC (Securities and Futures Commission), for example, recently issued a circular requiring licensed corporations that use a non-Hong Kong cloud provider either to obtain an undertaking from that provider that they will provide the SFC with the licensed corporation’s data on their systems on request, or to keep copies of the data in Hong Kong. As it is increasingly unlikely that many cloud service providers will sign the undertaking, the circular is a de facto data localisation requirement.
Arguments for localising data for supervisory access or on national sovereignty grounds are often rooted in a perception of data as a physical commodity, accessed by physical means (‘data is the new oil’, they may even say, as though it collected in reserves under the ground). In reality, data is not a physical thing.
Progressive thinking
In financial services, data is an enabler, allowing the system to function – so key regulatory and legal issues should not centre on where and in what jurisdiction data is located, but whether individual legal systems have adapted to digitised assets and whether jurisdictions can cooperate effectively to ensure robust cybersecurity hygiene and regulatory access when needed.
This has historically been a strength of financial services regulators compared with those of other sectors. In terms of its data policies, Hong Kong could otherwise be seen as one of the more progressive jurisdictions in relation to cross-border data mobility and connectivity, yet it continues to treat data as a physical asset.
On this front, Singapore’s recent joint statement with the US, and agreements with the UK and Australia on financial services data connectivity are extremely forward thinking, allowing financial services firms to transfer data across borders, and opposing data localisation requirements, provided financial supervisors can access required information on request. This represents thoughtful policymaking and inter-governmental collaboration geared to how a modern financial system works.
ASIFMA calls for greater harmonisation and progressive thinking in relation to supporting data connectivity between markets. Information security and data protection in financial services is a global issue best addressed collectively rather than individually through reflexive localisation requirements.
International alignment
Notably, financial services are already well regulated with pre-existing international institutions such as the Financial Stability Board (FSB) and established regulatory cooperation arrangements in place. This creates both flexibility and potential for bespoke solutions, attuned to an industry which is by necessity more international than others, enabling capital to flow between economies to where it is needed most.
Data connectivity is also important for innovation, such as in the development of artificial intelligence, and day-to-day risk management tools for fraud detection, transaction monitoring, and KYC compliance.
We recommend coordination on standards and approaches, in line with international developments. The Osaka Declaration on Digital Economy seeks to standardise rules in global data flows, with better protections for personal information, intellectual property and cybersecurity. At last count, it had 78 members of the World Trade Organisation as signatories.
Similar initiatives exist at the APEC and ASEAN level. Further adoption and alignment to international best practices such as BCBS 239 and ISO/IEC 27701 (2019) could also pave the path forward to harmonising and strengthening data standards. On cybersecurity, the Financial Services Sector Coordinating Council has led development of a standardised Cybersecurity Profile, offering a common approach to cybersecurity and assessment.
Meanwhile, regionally, APEC’s Privacy Framework provides a set of principles and implementation guidelines to establish efficient privacy protections that mitigate barriers to information flows in Asia Pacific under the Cross-Border Privacy Rules system (CBPR). ASEAN is also designing a data transfer mechanism which will seek to permit cross-border flows within its ten country grouping as part of its Framework on Digital Data Governance.
Fault lines created by variations in data regulation inhibit the region’s capital markets, fragmenting markets and liquidity at a time when the region can least afford to deal with them.
Matthew Chan GAICD is Head of Policy and Regulatory Affairs for ASIFMA.
