Banks need to be cognisant of how the data they provide to regulators is being used, says Herbert Smith Freehills in its 2019 Global Bank Review.
It is clear that banking regulators globally are becoming increasingly more demanding about the volume and type of data provided to them, more sophisticated in their use of that data, and more willing to share that data with other regulators, both inside and outside their national borders.
With over 200 regulators in the global banking sector, the powers, approach and priorities of these regulators vary significantly from country to country.
However, one common theme which permeates is their hunger for data about the firms and individuals they regulate. This focus on data has already had a significant impact on certain types of enforcement actions, and is likely to significantly affect regulatory reporting mechanisms in the future.
Given this, it is crucial that banks and their employees are cognisant of the ways in which regulators are using their data.
Demand for data
Unsurprisingly given our era of big data, regulators have in recent years started asking for ever increasing volumes of data. In particular, regulators’ demand for data has been steadily increasing not only in the context of potential or ongoing enforcement action, but also as part of their ongoing “business as usual” supervisory activities.
For example, the UK Financial Conduct Authority (FCA) has recently estimated that it receives over 500,000 regulatory submissions annually through its data collection platform, across 120,000 users and 52,000 firms, while both the Dodd-Frank Act in the US and MiFID II across the EU have significantly increased reporting obligations for firms.
Importantly, this “business as usual” data increasingly includes data about the actions of individuals, as banks globally have seen regulators demand the disclosure of an increasing volume of information regarding individual employees who might be potential “rolling bad apples”.
The Australian Government, for example, appears set to implement by mid-2020 the Banking Royal Commission’s recommendation that licensed firms be required to report “serious compliance concerns” regarding individual financial advisers to the Australian Securities and Investments Commission (ASIC) on a quarterly basis.
This follows the US example, where broker dealers must upload to the US Financial Industry Regulatory Authority’s BrokerCheck database (amongst other things) all customer complaints and firm disciplinary events.
Similarly, in Hong Kong, the Securities and Futures Commission (SFC) now requires the disclosure of all internal investigations of licensed individuals where those investigations take place within six months prior to, or at any time after, an individual’s departure from a firm.
The SFC has also recently announced the launch of a key risk indicator (KRI) platform to collect and analyse data from 22 global financial institutions which are considered as systemically important.
The surveys cover areas such as conduct risk (for example, the number of instances of certain types of non-compliance, client complaints, internal whistleblowing incidents, internal alerts, disciplinary actions and regulatory involvement need to be disclosed).
The first submission of data is required by 31 January 2020 for the reporting period ending 31 December 2019.
Regulators’ use of their compulsory information gathering powers in the context of possible enforcement action is often shrouded in secrecy, which can complicate efforts to monitor trends in the use of such powers.
However, the information which is publicly reported suggests not only that there has been a general increase in the use of such powers, but also the volume of data being produced in response to their use.
The SFC, for example, has in 2019 reported a nearly 20% increase year on year in the number of compulsory requests for information issued to intermediaries regarding their clients’ transactions.
Further, ASIC Commissioner Cathie Armour has commented publicly that one ASIC investigation of market misconduct involved the review of over 75 million documents and 2.7 million hours of voice recordings.
Use of data
Banking regulators’ increasing demands for reams of data regarding the activities of regulated firms raises two key questions. First, is this data actually useful to regulators? And if so – how do they actually make use of it?
The answers to these questions vary significantly across jurisdictions and the contexts in which regulators are seeking to put data to use.
In the context of enforcement, for example, it is clear that taking a data-driven approach has transformed the prosecution of insider dealing offences.
Historically, it has been easy to predict the catalysts for insider trading investigations – namely, unusual spikes in the prices of securities shortly prior to the disclosure of material non-public information. However, these sorts of “security based” investigations are generally reactive, in that they rely on (for example) large movements in a market being observed.
In recent years, the US Securities and Exchange Commission’s Market Abuse Unit has pioneered a “trader based” approach, under which regulators instead start by analysing market data gathered through surveillance to identify potentially suspicious traders, and patterns of similar trades between groups of traders over a period of time.
Once relationships between groups of traders have been identified, regulators will then seek to identify potentially shared sources of inside information which may link the traders.
This change in approach, which has been emulated by the SFC and ASIC, has allowed for the identification of insider trading cases which may otherwise have gone undetected due to their comparatively small size.
The jury is still out in relation to the use of data in a number of other areas, with regulators such as the European Securities and Markets Authority (ESMA) noting that efforts to grapple efficiently with data through the use of data analytics is often thwarted by poorly designed report formats and non-machine-readable data.
Given this, a number of regulators globally have begun to explore “regtech” and “suptech” solutions, including machine learning and natural language processing, to improve data analysis, while others such as the FCA and Bank of England are exploring ways to automate regulatory reporting processes and streamline the accessibility of data.
Finally, it is worth noting that while demands for, and the use of, data by regulators is often conceptualised within national borders, regulators are increasingly interconnected through memoranda of understanding and cooperation arrangements which allow for information sharing. During 2018/19, for example, the FCA received approximately 1000 requests for information from overseas counterparts in relation to active investigations. In recent years, these requests have come from more than 60 countries.
Similarly, in 2017/2018 ASIC made 393 requests to international regulators, and received 495 requests, which represented a 19% increase in outgoing requests and 22% increase in incoming requests compared to just two years earlier.
As such, firms should be conscious that the information disclosed to one regulator may well be disclosed to other regulators around the globe, and ensure that a consistent approach to disclosure is taken where appropriate, particularly in the context of self-reports of misconduct.
This article was first published in Herbert Smith Freehills’ 2019 Global Bank Review: The Data Game, which explores the rapid growth of data as one of the most significant developments in the banking sector.
This article was authored by Herbert Smith Freehills partners Hannah Cassidy, Tania Gray and Ruth Overington, and associate Emily Rumble.