Irene Liu and Catherine Lee discuss the applicability of MAS’ Guidelines on Individual Accountability and Conduct to data governance.
In regulating financial institutions, global regulators have chosen to strengthen their supervisory regimes by issuing notice[1] after notice, requesting data sets of increasing granularity and frequency. The aim is to ensure market stability at the macro level and to safeguard customer interests at the micro level. At the heart of these regulations is the intention to mandate financial institutions to build a culture of ethical business practices, set by the tone from the top and observed by all employees. This would improve market conduct and significantly reduce risk.
On 10 September 2020, the MAS published the Guidelines on Individual Accountability and Conduct[2] (“Guidelines”).
“The Monetary Authority of Singapore (MAS) has been focusing on culture and conduct in FIs to achieve two key outcomes: (i) ethical business practices that safeguard customers’ interests and ensure fair treatment; and (ii) prudent risk-taking behaviour and robust risk management that support FIs’ safety and soundness.”
The five desired outcomes of these Guidelines are:
- Outcome 1: Senior Managers are clearly identified
- Outcome 2: Senior Managers are fit and proper and held responsible for the areas and the employees they are in charge of
- Outcome 3: The FI’s governance framework supports the Senior Managers in performing their roles
- Outcome 4: MRPs are fit and proper and subject to effective risk governance, standards of proper conduct and appropriate incentive structures
- Outcome 5: The FI has a framework that promotes and sustains among all employees the desired conduct
The relevance of the IAC Guidelines to the Chief Data Officer (CDO) function
The CDO function is a named core management function in the Guidelines. In the current era, when financial institutions are embarking on digitalisation initiatives such as enhancing the use of data analytics to improve customer acquisition, and enforcing governance over data privacy, security and the ethical use of customer data, it is unlikely that any financial institution could argue that the data function is not a core management function. Yet, in a global survey conducted by the Enterprise Data Management Council in 2020[3], only 60% of financial institutions had a chief data executive or equivalent role. This ratio is expected to be lower in Asia, given how new the topic is in the region.
Where a CDO (or equivalent) has not yet been appointed within the financial institution, it will be necessary to appoint an appropriate Senior Manager to oversee the associated responsibilities, such as establishing and implementing the policies, systems and processes for the governance, use and analysis of data.
How can the Guidelines be applied to Data Governance?
With respect to Data Governance functions, there are five clear outcomes to be satisfied:
Outcome 1: Senior Managers are clearly identified
- The person holding the data role must be formally appointed, and the role must be communicated within the organisation through formal announcements or by being reflected in the company organisation chart. In some instances, we see newly set up CDO functions running an internal roadshow to introduce themselves and their roles to the various business units within the organisation.
- The CDO role and responsibilities should be clearly defined and formally accepted by the appointed person, either at the point of internal appointment or through formal HR channels during candidate interview and selection. The role and its associated responsibilities will need to be kept up to date as the role matures, and should have clearly defined Key Performance Indicators (KPIs). Given the critical importance of the CDO function, a succession plan also needs to be in place. These should be made available for inspection by MAS if required.
For smaller organisations that do not see a need to appoint an independent CDO role, it is common for the same individual to take multiple concurrent roles, but this should not negate the strategic importance of accountability associated with each role.
Outcome 2: Senior Managers are fit and proper and held responsible for the areas and the employees they are in charge of
- The appointed Senior Manager must be fit and proper, with the necessary qualifications, experience and training in data to discharge the responsibilities of the role. The initial qualifications of CDOs have mainly been in technology, or in governance and controls. However, in the last few years, various data governance training and certification programmes have emerged and raised the industry’s specialist data governance competency as a whole. Some published job descriptions have required these certifications as a minimum qualification. Participation in data industry associations might also be prima facie evidence of data competency.
- As a Senior Manager in a financial institution with responsibility over its core functions, the candidate should undergo due diligence and screening, for example with former employers, to ensure that there are no outstanding investigations into their conduct or their discharge of duties.
- The appointed CDO should be given authority over the functions in their charge, supported by direct reporting lines, for example over data policies, quality reporting and analytics. There may be instances of shared reporting lines, such as data architecture, which is typically shared between Technology and Data, or data quality, where the data owner typically reports directly to the business. In such cases, the CDO should have input into the performance evaluation of those with shared reporting lines, so that their responsibility over the said functions exists in both substance and form.
Outcome 3: The FI’s governance framework supports the Senior Managers in performing their roles
The relevant Data Governance frameworks and policies should cover data ownership assignment, data quality, data documentation, the data dictionary and more. A Data Governance Committee may be set up to support the CDO in the execution of their duties. This Committee is a forum for the escalation of data issues, support of the budget for remediation activities, tracking of remediation plans and outcomes, and oversight of all data transformation projects. The CDO remains overall accountable for the purposes of these Guidelines. Additional measures that help to evidence an internal organisational framework supporting the CDO might include clear KPIs, for example in measuring and reducing data quality issues, formal performance evaluation, tracking of the progress of data initiatives, and incentive schemes to motivate the right behaviour and outcomes, with proper escalation and consequence management in place where these fall short.
Outcome 4: MRPs are fit and proper and subject to effective risk governance, standards of proper conduct and appropriate incentive structures
Material risk personnel (MRPs) could include stakeholders such as data policy owners, data owners and system owners who support the CDO in ensuring the right quality of data, uphold standards of conduct in data governance, attend regular training, and are evaluated and incentivised to promote the right behaviour. The regular training and evaluations could take the form of annual data update training and certification assessments, which they must pass before they can continue in the role.
Outcome 5: The FI has a framework that promotes and sustains among all employees the desired conduct
Other data stakeholders who manage data across its lifecycle but are not designated as Senior Managers or MRPs should also exercise due care and diligence in their attitude towards data, to ensure the highest degree of integrity in the management and use of data. To achieve this, relevant checks and controls will need to be enforced, for example real-time system alerts on the unauthorised alteration or extraction of data, with incidents escalated and resolved satisfactorily. This Outcome will also naturally overlap with the Principles to Promote Fairness, Ethics, Accountability and Transparency in the use of Artificial Intelligence and Data Analytics in Singapore’s Financial Sector. Compliance with those principles will partly evidence compliance with the requirements of Outcome 5.
What are some key considerations to take note of?
The principles set forth in the IAC Guidelines are direct.
Availability of Talent Pool
We noted earlier that it would be difficult for any financial institution to convince a regulator that data is not a critical function. A surprising majority of CDOs[3] (62%) have been in the role for three years or less, mainly on the back of regulatory demands such as BCBS 239. With the institution of the IAC Guidelines, we anticipate an even stronger demand for data professionals in the financial industry. Qualifying as a Senior Manager or MRP requires a level of knowledge, a strategic mindset and practical experience. This scarce pool of talent is currently also being headhunted by other industries, such as healthcare and government, where demand for data talent has also been rising. We foresee this giving rise to an educational system of certified data professional courses and a heavier reliance on a contingent pool of resources, such as consultants, to overcome the immediate shortage of talent.
What this personal liability would mean for individuals
In the past, only the financial institutions were subject to such liabilities, and executives were absolved of them. Under the new Guidelines, the CDO will be subject to personal liability, and depending on the severity of the penalty, this may even affect their future ability to undertake another senior role within the industry. Yet there is no means of hedging these risks through any liability insurance. Given the risks at stake, considerations for individuals undertaking the CDO role would include: the adequacy of remuneration to compensate for the risks, the reputation and maturity of the financial institution, the remit and authority given to the CDO to influence and implement change, and even the risk appetite of the individual themselves.
The right reporting structure of the CDO
It is important to re-examine how financial institutions should perceive data. In a number of financial institutions in Southeast Asia, the CDO role reports into another, more established C-suite role such as the CFO, CIO or CRO. In fact, only 8% of CDOs in financial institutions report to the CEO, compared with 31% in other industries[3]. Additionally, different financial institutions assign different job responsibilities to the CDO. Beyond the divergence in reporting lines, the job scope differs as well, and may include data analytics, data architecture, technology innovation and data ethics. Accordingly, the size of the data governance team ranges from tens of people to hundreds. The critical question is: what is the CDO responsible for? As newly established functions, some ambiguity may exist, and some CDO functions may still lack the right authority and influence over the areas they are responsible for.
CDOs should use this opportunity to seek the right mandate over the KPIs and performance evaluation of each area and people who should be reporting to them.
Incentivising the right behaviour
The Guidelines require banks to incentivise employees to speak up against poor behaviour that leads to poor outcomes. How this can be executed in a practical sense is a challenge. Do employees really feel secure enough to raise a challenge when faced with questionable management instructions or peer conduct? How does a financial institution promote psychological safety[4] in speaking up or whistleblowing, and ensure that these individuals are protected from retaliation? Will employees be willing to volunteer suggestions on how practices and culture may be improved when they risk being penalised for the poor outcomes? How may such a moral dilemma be resolved?
What remains of paramount importance is the tone from the top, set from the start of each employee’s journey with the financial institution: the selection of candidates and the use of psychometric tests to ensure alignment with the organisation’s values, the instilling of the organisation’s vision and values at onboarding, and the continued espousal of these in the messages from top leaders.
How can the EDM Council’s DCAM framework help?
In terms of measuring real improvements and alignment to a framework, financial institutions should consider using the Data Management Capability Assessment Model (DCAM) which is the industry standard framework for Data Management.
This framework allows companies to self-assess their state of data management maturity. For the setup of the data governance office, for example, there is a series of questions and artifacts required for each component. Some components of the DCAM framework relevant to the IAC Guidelines are as follows:
Section 2.3.1: The Office of Data Management (ODM) has been created
Section 2.3.2: The Office of Data Management (ODM) has an executive owner
Section 2.3.3: The ODM is funded and staffed by individuals with the required skill sets
The above sample questions and artifacts allow a financial institution to consider what is really required as a baseline and what best practice may look like under the “enhanced” scoring. This benchmark scoring mechanism is often used as a basis for measuring internal improvements year on year and how the institution measures up to industry peers, and for highlighting key areas to focus on.
On top of the DCAM framework, there are also other complementary tools in the market that specifically support such a conduct regime by systemising and digitising the end-to-end process chain, from inputs to review and approval.
Data management is still a nascent topic in this part of the world, and being recognised as a core management function under the Guidelines lends weight to the rising importance of data as a prerequisite to digital initiatives, open banking and cross-industry and cross-border data sharing. Now, what the industry will need to do is to continue building on the recognition to ensure continuous improvements beyond the initial compliance.
Irene Liu and Catherine Lee are members of the EDM Council’s Women Data Professionals APAC Advisory Board.
[1] RegPac Revolution, RegTech & Regulatory Reporting: Part 3: Harmonising Challenges with Technology (https://www.regpac.com/single-post/regtech-regulatory-reporting-part-3-harmonising-challenges-with-technology)
[3] EDM Council, 2020 Global Data Management Benchmark Report, pg 22
[4] Starling, “Culture & Conduct Risk in the Banking Sector, May 2021” (pg 9)