Regulatory Reporting: An Approach for Smaller Banks

Banks are starting to gain real business value from investments into better data governance and architecture, say Irene Liu, David Yakowitz and Catherine Lee at PwC.

Imagine this. In 2025, the Monetary Authority of Singapore (MAS) will grant amnesty to all banks in Singapore on regulatory reporting, if these banks give the regulator full access to their databases of transactional and client confidential data. Sounds scary, doesn’t it?

While no bank we’ve spoken to has agreed to this radical move, we think that banks, whether small, medium-sized or large ones, need to be ready for the changes in regulatory reporting. It might also be good to consider if regulatory reporting is even needed in the future.

In July 2019, we were part of a panel that discussed how small and medium-sized banks can better address technology and regulatory challenges in this fast-changing landscape, with reference to the revised MAS 610 reporting standards that will come into effect on 1 October next year.

MAS 610 represents a significant increase in the granularity of the data required for reporting, increasing the number of data points from the current 4,000 to 300,000.

Emerging trends in the industry

As we have observed, regulators around the world are becoming more specific in what they are asking for. The MAS has taken a leaf from the European Central Bank (ECB), asking for the data elements at an atomic and data transactional level in a data model, for instance.

What the ECB is doing goes beyond just issuing banks notices or making revisions. It will issue banks a notice in a machine-readable format that can be layered upon their data warehouses to extract the data directly.

It effectively cuts away the need for the interpretation of information because it tells the regulator exactly what the data represents. This approach also eliminates the expertise that needs to reside within the bank, leaving it to MAS to determine what data it needs.

These are some other key trends in the industry we have noted in the last few years:

Alignment of regulatory and internal drivers

  • What regulators are demanding is actually what banks want
  • Beyond mandatory compliance, banks are building true business cases

Significant enhancement of key capabilities

  • Data governance foundation
  • Data standards
  • Data quality
  • Master and reference data
  • Information architecture

Formal data authority and ownership

  • Formal CDO (chief data officer) appointments
  • Chartered governance bodies
  • Risk / Finance alignment & design authorities
  • Business ownership of data

Significant strategic investment

  • Data infrastructure & architecture
  • Cloud solutions
  • Aggregation, reporting and analytics

Enhanced data control frameworks

  • End to end controls
  • Integrity / reconciliation
  • Independent attestation
  • Reduction in the use of EUCs (end user controls)

Culture change

  • Structured training
  • Tone from the top communications
  • Accountability
  • Meaningful incentives

Regulators in Asia and globally are not only focusing on what data should be provided but also the processes and infrastructure that support regulatory submissions. This includes the adoption of data governance throughout the enterprise to enhance the controls, processes and quality of the data throughout its entire lifecycle from collection to aggregation, transformation and calculation.

The growing scrutiny over data is evident across multiple regulators in Southeast Asia. One has taken the lead to enforce BCBS 239 requirements on its list of D-SIBs. Another has issued a similar guideline for banks to adopt (although not enforced), and yet another has just formally issued a questionnaire to enquire on the state of data governance maturity in certain significantly important banks.

A change in solution approaches

The changes by regulatory bodies and trends observed over the years illustrate the need for banks to find more effective solutions. In our conversations with different banks, some have asked if the MAS 610 requirement will be removed.

In our opinion, it is unlikely that the regulator will take away this requirement. What banks should be focusing on, instead, is the need to look at practical, strategic solutions rather than relying on manual solutions.

Traditionally, a lot of the smaller and medium-sized banks would execute more manual processes leveraging Microsoft Excel, which may have been effective in the past. Now, because of time and increased regulatory pressure, it will not be wise to use manual solutions that are prone to human error and control risks.

Under pressure, banks will have tasks that are done manually, which will put considerable strain on their regulatory teams. What banks should do is get the right individuals to produce the data accurately at one point in time, while also ensuring that aggregation and transformation processes are carried out smoothly.

The move to cloud

During the July session, a short poll was conducted to find out if participants representing small and medium-sized banks planned to run some of their regulatory reporting processes on cloud-based infrastructure in the coming two years. The majority of respondents indicated that they would not do so, citing data security as a major reason.

In Singapore, this reluctance to move to cloud can be attributed to conservatism: some banks might be playing it safe because they lack confidence that cybersecurity practices can keep up with the rapid expansion of cloud services. Considering that many organisations around the world are embracing the move to cloud, and since Singapore is one of the top financial hubs globally, banks will need to embrace the adoption of cloud services. At the same time, they will need to improve their capabilities to mitigate cybersecurity risks.

In August this year, the Association of Banks in Singapore (ABS) announced updated guidelines for banks on using cloud services. These new guidelines, revised quite substantially since they were first published in June 2016, outline best practice recommendations to allow for the safe adoption of cloud outsourcing.

As such, small and medium-sized banks can look here to understand best practices in vendor management, guidance for due diligence assessments, and key controls that need to be implemented. They can then assess which of these can be pragmatically adopted, taking into account their risk appetite, resource constraints and commercial ambitions.

Elsewhere in Southeast Asia, we are noticing that banks we work with in Vietnam are moving away from reactive approaches and instead moving towards preventive measures. These banks chose to go on a digital journey, though the move is not due to a regulatory push as a main driver.

As part of their digital journey, they see the benefits of having proper data governance in place to enhance their overall infrastructure and provide better access to more accurate and timely information – which will ultimately prove to be a key driver for any digital initiatives. As this is rooted in a need within organisations to be competitive, the scope is normally more comprehensive, the solutions are more strategic and the drive is much more passionate.

Besides concerns about data security, we note that one factor influencing banks in the decision to go digital is cost.

As with all small and medium enterprises, smaller banks are struggling to build up financial muscle. During the discussion, another question posed to the audience was on whether smaller banks will use a grant from MAS to make additional investments in technology, if such a grant was available. Unsurprisingly, most participants said yes. Perhaps then, what this indicates is the need for a stronger financial push from MAS in the digital journey.

But does digital have to be an expensive journey if we look at it through a long-term lens?

To be clear, not all banks are hindered by short-term costs, and some banks do recognise that making technological investments is necessary for regulatory compliance, as it can produce business benefits in a few areas.

These benefits include lower operational costs, enhanced transparency around internal business processes, reduction in staff allocated to reconciliation of multiple data sources, and the ability to leverage valuable information for management reporting which leads to better strategic decision-making.

Looking regionally for inspiration

As small and medium-sized banks continue to look for ways to meet regulatory standards, it will be wise to look beyond Singapore. We would advise on collaborating with counterparts across the region in terms of the types of data required at different levels. Beyond that, it will also be crucial to take a view from the customer lens.

Banks need to look at the entire spectrum of the end-to-end data, in terms of the movement of the data from the beginning of a transaction all the way through to regulatory reporting. If they are able to streamline the whole process, the benefit will be an increased ability to perform quicker customer analytics, allowing banks to respond to customer needs even quicker.

Some of the global banks shared with us that as a result of streamlined data flow over a more harmonious architecture, they have been able to assess credit card applications and approvals in less than three minutes.

One of the local Singapore banks actually reduced its loan application process from 14 days to three days. In another case in Australia, through data sharing, a bank and its service provider have both been able to obtain further insights on customer buying behaviour, allowing for more targeted marketing campaigns.

In conclusion

Data governance is not just about policies. It is not just assigning someone to be responsible for the collection and use of the data. In fact, it is about a culture of collecting the right data the first time around, using the least resources and bearing minimal risks.

Whether driven by regulatory mandate or by internal business needs, banks are starting to demonstrate the real business value of investment in better data governance and architecture in the form of cost savings, capital optimisation, and digital enablement.

Irene Liu is PwC Southeast Asia Risk and Regulatory Consulting Partner; David Yakowitz is Managing Director, PwC Global Data Subject Matter Expert; and Catherine Lee is Director, PwC Southeast Asia Regional BCBS 239 and Data Governance Driver.
