How data programs can boost business value

Data is the most valuable global asset. When used correctly, data can help organizations manage risk, provide customized end-user experiences and support the allocation of capital. As regulators increase their usage and understanding of data, regulation places increasing demands on the data capabilities of individual organizations.

FIs must adjust rapidly to this new data-led regulatory environment. Legacy systems must be updated, data controls enhanced, and data gaps remediated quickly and efficiently. This adaptation must be completed before market share is lost to more agile organizations that are already capitalizing on the power of data to grow their businesses.

Lorraine Waters, Former Chief Data Officer Financial Crime Risk, HSBC says, “Prevention is better than cure, all data strategies should focus effort on improving the preventive controls like data profiling at solution design stage, improved system controls to prevent data transformation issues and rigorous change controls.”

Any changes to data-related systems and processes need to be made while maintaining an effective financial crime control framework. Financial crime functions themselves have a clear interest in data improvement. Financial crime processes and controls rely on adequate and complete data, so poor quality or unusable data makes financial crime functions less effective.

Given the importance of data in identifying and managing financial crime risk amid the increasing volume of data-related financial crime regulation, financial crime teams are well equipped to drive a collaborative data transformation journey across the business.

Using a collaborative approach to data spanning business and financial crime functions will help FIs navigate this new data-led reality, while ensuring adequate risk management and promoting the customer-centric priorities of the wider business.

Financial crime is particularly tough to tackle due to its complexity and the sophistication of organized criminal activity. This challenge is increased by ever-changing customer behaviors, whether evolving organically or in response to unexpected global developments such as the COVID-19 pandemic.

Nevertheless, organizations can fight back using key financial crime compliance (FCC) processes such as Know Your Customer (KYC) and transaction monitoring (TM). These processes rely heavily on customer, account, product and transaction data being available and high quality. Data issues and poor design can limit an FI’s ability to detect suspicious activity, rendering FCC controls ineffective, and making investigation challenging or infeasible.

Data isn’t only vital for financial crime functions. Fls also need high-quality, complete and accurate data to compete with challenger and neo banks in the digital marketplace. These data-led organizations typically have less-complex systems (with fewer legacy issues) and the agility to adapt quickly to changes in market demand and the regulatory environment.

Given the role of data in both tackling financial crime and increasing competitive strength, “Know Your Data” (KYD) is now an important concept. It means understanding data in terms of its origins, its usage and its ultimate value. FIs must move quickly to undertake KYD initiatives and address existing data and system design issues. Those that don’t risk weakening their financial crime defenses, failing to keep up with regulatory demands and losing market share to more data-driven competitors.

Regulators are increasingly focused on data issues, with data-related regulation introduced in many jurisdictions. Regulations require that FIs have good quality, complete, usable data so that they can demonstrate their controls are adequate, detect and investigate financial crime and reduce adverse impacts on customers. Crucially, firms that wish to continue demonstrating acceptable compliance must quickly and effectively go above the demands of current regulation and consider the longer-term requirements.

The following examples from the US, European Union (EU) and UK demonstrate the widespread regulation-driven requirement to improve data usage:

• New York State Department of Financial Services Part 504 (DFS 504) requires that banks identify all relevant sources of data, validate the integrity, accuracy and quality of the data, and have adequate robust data extraction and loading processes when transferring data to automated systems.
• The EU Anti-Money Laundering Directive 5 (5AMLD) requires the establishment of central registries or data retrieval systems to ensure that financial intelligence units (FIU) have all the data they may request readily available.
• The UK Financial Conduct Authority (FCA) Data Strategy identified areas of initial focus including ways to use data differently, better interactions between FCA and FI data, and the requirement to establish adequate controls to demonstrate governance and ownership of data across the FCA.

The increasing sophistication of financial crime data-related regulation is resulting in significant additional costs for FIs. For example, many banks with branches in New York have spent millions of US dollars establishing multiple data lineage programs to satisfy the DFS 504 requirements.

While FIs work to comply with existing and upcoming regulation, regulators continue to increase their demands. The FCA’s data strategy outlines the intention to become the world’s first “data-driven regulator” and announces significant data analytics investment so that the FCA can become more responsive to industry risks and trends. Meanwhile, the UK’s transposition of the 5AMLD requires that firms have a mechanism to respond to law enforcement requests for customer information, demonstrating the need for good data access and data quality to be able to respond with accuracy, timeliness and acceptable compliance.

Information-sharing requirements are also increasing as cross-industry financial crime prevention initiatives continue to evolve. Following the success of the Joint Money Laundering Intelligence Taskforce (JMLIT), such solutions are due to be expanded and enhanced with continued participation expected from FIs. Global financial messaging provider SWIFT is working with the industry to increase and align existing data standards. FIs will be required to comply to continue benefitting from providers’ payment systems, using common data models and financial crime risk management processes where possible.

Regional and global FIs should continuously monitor regulators’ frequently changing approach to data: some jurisdictions are taking a more open approach to data-sharing, while others are more restrictive. Relevant local requirements should be clearly understood to avoid breaking any jurisdictional data usage or sharing regulations.

Case Study: A European bank and DFS 504

A large European bank with a branch in New York needed to certify the compliance of its TM controls against DFS504 requirements. To demonstrate compliance, it sought to verify the lineage of TM system data and ensure adequate metadata documentation. However, despite two years’ work and £3 million spent, the data could not be verified due to the unexpected complexity of disjointed source systems and upstream data processing. The work completed so far is considered wasted until the data can be properly understood. The problem could have been avoided by documenting lineage and metadata upfront throughout the design of systems and processes, and then ensuring ongoing maintenance of that documentation.

Data issues lead to financial crime controls with lower crime detection rates, an inaccurate understanding of customer risk, and hampered investigation processes and thoroughness – ultimately manifesting as increased costs and missed opportunities across the organization.

Many organizations are already experiencing significant increases in operational costs as a result of COVID-19. The reallocation of staff to support changing customer needs and the adjustment of working practices leads to lower efficiency as teams adjust. Data access, security and collaboration pressures must also be managed.

Data issues have an impact on many financial crime processes:

1. Risk assessments and risk ratings: Inaccurate or incomplete data can hinder risk assessments and lead to improper risk ratings. Poor risk ratings lead to a higher false negative rate, as high-risk populations are not subsequently targeted with appropriate additional controls.
2. Data capture and ongoing due diligence: Inadequate or incorrect KYC data affects onboarding, periodic customer due diligence (CDD) and enhanced due diligence (EDD). This can significantly impact customer experience, with customers often contacted for information they have previously provided.
3. Financial crime control alerts: Poor quality watchlist, customer or transaction data makes primary financial crime controls less effective. Many FIs are currently exploring the use of secondary analytics to try to improve control performance (e.g., the post-processing of alerts to enable faster and better-quality investigations). However, even these advanced capabilities are highly limited due to poor quality or unusable data. In some cases, solution design is as much of a problem as the data that feeds the system. Ineffective primary financial crime controls lead to large volumes of inadequate alerts or failure to produce alerts as required.
   
4. Investigations: Data quality or availability issues may prevent an investigator from building a complete and accurate picture of a customer's activity and risk. Issues can arise with both unstructured data (e.g., images) and structured data (e.g., date of birth). To overcome them, investigators commonly:
   • Place an over-reliance on potentially inaccurate or hard-to-verify data from external sources (where available) – many third-party sources would require additional data validation before use.
     
   • Resort to lengthy processes to source data from other areas of an FI, which could also be impacted by data usability or quality issues.
     
5. Remediation and managing ongoing incurred costs: Most data will require costly remediation exercises that are usually inefficient due to poor data understanding across the organization. Following remediation, most financial crime controls require a full upgrade with new detection logic and thresholds to make full use of the enhanced data. The extent of required changes is unknown if data lineage is poorly understood.

Data issues can compromise the operation and capability of the financial crime function and wider business, likely resulting in inflated costs and ineffective controls and investigations. Spending on upgrades and new technologies before resolving data issues may be wasteful due to the need to reconfigure and rework at a later date.

Case Study: Upgrading transaction monitoring controls

A large UK bank wanted to upgrade its TM system to improve effectiveness and efficiency. After investing £20 million over 18 months, the bank realized that the data could not be provided as previously planned to allow for system configuration and operationalization. This was due to difficulties encountered in upstream data change programs, which had a knock-on effect: numerous large-scale change programs were delayed, resulting in significant internal cost and delayed business and compliance benefits. Due to the uncertainty in the “data workstream”, the upgrade will not be possible. In this case, spending £2 million up front on data governance and documentation would have saved the bank at least £15 million across multiple programs.

As financial crime functions are not custodians of customer, account, product and transaction data, they have limited scope and authority to directly remediate data issues as they arise.

However, financial crime departments are best placed to lead the way toward “Knowing Your Data” within their organizations, provided they understand the importance of good quality data across the organization and adopt leading data management, documentation and governance techniques. The business case for improving data understanding and quality is clear, but financial crime teams need to work in harmony with the wider organization to secure stakeholder support, resources and funding.

Rohan Basu, Senior Manager, Financial Intelligence Unit, TSB Bank says, “Balancing innovative data-led thinking with proactive financial crime risk management can be tricky but is the key to success. It is about being bold and revolutionary in how to access, remediate, and use available data; but knowing where to prioritize efforts so that it’s fighting the immediate risks and relevant financial crime issues without placing over-reliance that data will solve everything on its own.”

Financial crime prevention teams can take the lead in improving the understanding, usage and remediation of data across an FI by adopting the following approach:

1. Knowledge and understanding

Financial crime leaders must understand the importance of data to their systems, processes, controls and teams. This includes the quantifiable impact that financial crime data has on their teams’ effectiveness and efficiency, as well as the wider business benefits. They can then become advocates for positive change, rather than agitators.

Financial crime teams should be able to articulate the importance of tackling financial crime to other business functions, explaining that data issues will impact a bank’s ability to meet regulatory requirements and can drive up operational costs.

In addition, financial crime teams need to understand the objectives and activities of data owners with respect to their data, including the challenges faced by each area of the business. They should create a cross-organization understanding of customer and product data attributes, their usage and governance.

2. Assessment and consequence management

The status of data should be assessed using carefully designed rules, controls and criteria. These techniques may form the basis of ongoing data controls to identify changes in data usage or volume as part of business as usual (BAU).

Data issues should then be identified, assessed and investigated in order to understand:

• The impact of the data issues on financial crime controls and wider systems and processes, which may include activities that are blocked due to poor documentation or governance.
• The potential upstream source or cause of the issues, where possible.

This activity should include both data relevant to financial crime controls and data previously identified as important to the business to create a full benefits case and data collaboration plan.

An effective assessment must also include consequence management – the process by which the consequence of fixing or not fixing data issues is identified – and explicitly outline the cost of slow resolution. This will allow a full understanding of:

• The expected benefits of meeting future regulation by completing timely resolution (and associated expected costs of non-compliance).
• The costs caused by data and design issues, including duplicated efforts, process inefficiencies, potentially wasted future spending and blocked processes.
• The expected return on investment for successful resolution, offsetting the cost of resolution with the expected benefits of business growth.

Data issues may relate to the population of data attributes, as well as other control areas such as metadata documentation (e.g., data dictionaries), data lineage (the flow of data through systems), data access, data validation (e.g., data validation checks) or wider data management and governance principles. Given the many potential causes of data issues, including the exacerbation by poor design, a holistic assessment of systems, processes and controls can be beneficial.

Understanding the full impact of data issue resolution is particularly crucial at the current time. The long-term economic impact of COVID-19 will likely mean that only change initiatives with the most robust business cases will be considered viable.

3. Collaborative prioritization and business case

Identified data issues should be prioritized by considering impact complexity and whether the data is captured internally or through a third-party feed. Data issue prioritization should consider the availability of the data, the impact on operational costs and other systems, and the potential regulatory and business benefits from successful resolution.

Using appropriate governance structures and processes, financial crime teams should then initiate discussions with data owners – based on a common understanding of priorities, costs and benefits for all potential data initiatives – to agree organization-wide data collaboration priorities. Having the support of the wider business is more important now than ever in the face of the strain imposed by COVID-19. Such support will make it possible to address issues quickly and efficiently, maximizing benefits and minimizing costs across the business.

With priorities for issue resolution established, a full and thorough business case for change must be developed and agreed with the wider business stakeholders. This business case must:

• Bring to life the business benefits of intelligent, targeted remediation of prioritized critical data elements.
• Demonstrate the future savings by acting now.
• Fully articulating the collaborative case for pooling resources to deliver long-term strategic change.
  

Example: Business-led prioritization

Some banks use simple scoring models to prioritize data attribute remediation by offsetting the business value of the data fix (e.g., enhanced customer experience) against the difficulty of remediation (e.g., cost of new technology rollout) or compliance benefit. These models provide easy methods of prioritization that can be flexed based on other relevant factors such as regulatory pressures and operational costs. It is important to involve the correct internal stakeholder groups and apply appropriate governance.

4. Collaborative remediation

With an agreed prioritization of data issues and approved business case for change, financial crime teams can collaborate with data owners to undertake issue resolution and design enhancement, while also managing the consequences of these data issues across downstream systems.

The approach to issue resolution will vary significantly, depending on the size and makeup of the organization. Consideration should be given to the differing requirements for remediation based on the underlying issue. For example, the enhancement of metadata or the documentation of lineage are likely to require different processes from those needed to augment poor-quality customer data attributes.

Some FIs are making use of advanced technology to validate the accuracy of unstructured and structured data. For example, in some jurisdictions, government data sources can be used to reconcile the accuracy of a passport or driver license provided for Identity and Verification (ID&V) purposes.

The most efficient issue resolution processes tend to use workflow management systems coordinated by centralized dedicated Chief Data Officer (CDO) teams.

5. Innovate and thrive

Successful resolution of prioritized data issues will leave an organization optimally placed to innovate and gain a competitive advantage over market incumbents, as well as challenger and neo banks. It will enable the FI to:

• Establish an ongoing data strategy unencumbered by legacy data issues.
• Develop market leading financial crime controls and processes that can use the full breadth of data to the maximum degree.
• Remain ahead of regulatory change, with quick and efficient reflexes.
• Respond quickly to new demands in the market to gain early market share.
• Participate as leaders in cross-industry detection and prevention initiatives.

By achieving these goals, FIs can not only meet future regulatory demands with minimal costs and maximum effect, but also continue to adapt and thrive in a competitive landscape.

To support the organizations in addressing data challenges in a financial crime context, and through collaboration with the wider organization, we have consolidated the key steps outlined above into the diagram below:

FIs must adjust rapidly to an evolving data-led regulatory environment but are encumbered by legacy data issues. As regulatory demands increase, the complexity, difficulty and cost of complying also increases.

Given the importance of identifying and managing financial crime risks alongside changing regulatory pressure, financial crime functions should now take steps to collaborate with business users to truly KYD. The goal is to create a strategic, benefits-driven, firm-wide collaboration approach for both data issues and issues with system design, solution design or change control. Taking proactive steps to create proper documentation, controls and change processes – by design up front – has the added benefit of avoiding the significantly higher cost of future change programs and remediation.

Failure to address underlying data issues and both system and data architecture design flaws will mean that existing change programs will not deliver expected business value and will likely exceed their original budgets. This must be avoided given the likely long-term economic impact of COVID-19, requiring firms to make the very best use of their resources.

To create a unified drive towards positive change, financial crime functions should work with the wider business to fully understand the extent of data and design issues faced, and the business benefits and reduced costs resulting from resolving these issues. They can then collaborate to create a prioritized collaboration plan for the most urgent issues that unlock the greatest value.

Data issue resolution can be completed for a fraction of the cost of existing change programs, with a significant return on investment across the organization, without hindering risk management and commercial focus.

With the financial services industry undergoing disruptive change, FIs should act now to become data-centric and tech-driven – so that they can adapt and thrive.

Questions to consider which will support successful data remediation initiatives:

• Are your existing change programs providing business or compliance benefits that outweigh their costs?
• Which data issues are preventing your data scientists from creating actionable intelligence? For example, the rapid identification of risks can inform the allocation of budget and the design of controls.
• What level of quality is there for critical data elements used by financial crime systems?
• What controls and processes are in place to track the resolution of your most pressing data issues? How are the remaining issues categorized?
• Which data issue, if removed, would result in the most significant increase in operational capacity and reduction in operating costs?
• Is your data the largest risk to future regulatory compliance? If not, what is, and would better use of your data help to mitigate the problem?
• How many of your in-flight transformation programs are currently blocked because of poor data quality or accessibility?
• Who should pay to address data issues that benefit the whole organization?
• How many new business markets could be entered by resolving financial crime data issues and reducing cost of control?