What image is conjured up when you hear the term “cybercriminal”? A Guy Fawkes mask partially concealed underneath a black hoodie to the accompaniment of sinister music? Whilst this image provides an excellent trope for Saturday night TV, it does not reflect the reality of cybercrime.
At our second RegTech Capital Markets Conference, we held a roundtable discussion on what was scarier for financial institutions: cybercriminals or poor data controls? The participants were drawn from a crowd of over 250 senior executives, which provided a platform to discern between illusion and reality surrounding cybersecurity.
Participants saw the two issues as two sides of the same coin, but initially judged cybercriminals the scarier of the two, on the basis that the problems posed by poor data controls are technologically solvable and within a financial institution's own control, whereas the threats posed by cybercriminals are open-ended and constantly mutating.
By the end of the discussion, however, the participants had changed their minds and concluded that poor data controls were scarier than cybercriminals. What lessons can be drawn from this? Fear of cybercriminals derives primarily from the unknown, but a firm's poor data controls carry far greater consequences, not least because they are within the firm's own power to fix.
Data security is a major concern from the client's perspective: clients must ultimately trust firms with their personal data. A firm that does not comply with the data security regulations described below puts its reputation at risk, and clients are consequently unlikely to entrust it with their personal data.
Compliance with data security regulations can therefore give firms a competitive advantage, because this compliance assists with establishing trust between the firm and the client. Whilst some may perceive these regulations as punitive, they can be looked upon as an opportunity for innovation and increased interconnectivity.
Navigating out of the regulatory spaghetti junction
Complying with these new regulations is difficult due to the sheer scale of new obligations. On data protection alone, MiFID II is currently set to take effect from 3 January 2018, PSD2 from 13 January 2018, and GDPR from 25 May 2018. Firms that fail to prepare for the regulatory onslaught coming in 2018 will be overwhelmed. It is not only the sheer scale of the regulation that poses a problem, but also the fact that these regulations overlap and can contradict each other.
What are the pertinent obligations from the main regulations? A concise description of each is necessary:
- MiFID II: all conversations relating to a deal must be captured, including exchanges over mobile phones and face-to-face meetings; there are strict requirements on the mechanisms for storing data; recordings of those conversations must be held for five years; and security mechanisms must guarantee the security and authentication of data in transit.
- GDPR: personal data must not be kept longer than necessary, and recording and storing employees' personal conversations is prohibited. Security measures appropriate to the risk must be adopted, including the pseudonymisation and encryption of personal data, ensuring the ongoing confidentiality and integrity of processing systems, the ability to restore personal data after an incident, and a process for regularly testing organisational and technical security measures.
- PSD2: aims to create a unified payment services sector by creating new rules on access to payment accounts, provisions for liability, transparency requirements and customer authentication measures.
- FinCEN: The Bank Secrecy Act requires suspicious or potentially suspicious activity that involves amounts aggregated to $5,000 or more to be reported. FinCEN recently advised financial institutions to include all cyber-related information when filing a SAR, such as IP address, device identifiers and timestamps, and encourages this information to be shared between financial institutions and regulators.
- Benchmark Regulations: administrators must keep records of all input data, methodologies to determine benchmarks, reasoning for judgments, the rationale for discarding records, identities of submitters and natural persons and telephone conversations or electronic communications with regards to the benchmark. These must be kept for at least five years, apart from records of telephone conversations or electronic communication, which will be held for three years.
The obligations do overlap but also contradict each other. The principles of GDPR can conflict with specific obligations. For instance, MiFID II requires that all conversations that are related to a transaction must be captured and held for five years, which includes exchanges over mobile phones and face-to-face meetings. GDPR, however, runs counter to this requirement by demanding that personal information must not be kept longer than necessary and prohibits recording and storing employees’ personal conversations. When does a personal conversation become a business conversation?
RegTech solutions to bolster data security
The sheer volume and the overlapping nature of the aforementioned obligations have the potential to engulf old legacy systems, siloed approaches to compliance and those that refuse to collaborate. But these regulations also offer the opportunity for financial services providers and vendors to innovate and facilitate compliance.
What types of regulatory technology can firms leverage to assist compliance with data regulations?
- Use cloud-based technology to map how data flows from one business entity to another
- Use AI to classify data to identify which data is risky so that it can be mapped and protected
- Strong authentication, so that anyone who performs a transaction can be identified
- Encryption of data, with keys and access credentials managed so that each record is readable for exactly as long as it must be retained and no longer
- Backup controls using a third-party cloud-based server to include third-party assurance of backup.
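As an added illustration of the encryption and retention point in the list above (example code written for this page, not a JWG product or any vendor's implementation): each record is encrypted under its own key, the retention period is looked up from the record type, and when the period ends the key is destroyed, so every copy of the ciphertext, including copies held by a third-party backup provider, becomes unreadable. Key destruction ("crypto-shredding") is our choice of mechanism and is not named in the text; the record types and retention periods are assumptions modelled on the MiFID II and Benchmark Regulation obligations listed earlier; and the HMAC-SHA256 stream cipher is a stand-in for a proper authenticated cipher such as AES-GCM, used here only so the example runs with the standard library.

```python
"""Retention-aware encrypted record store (constructed example, not from the page).

Each record gets its own random key. When the record's retention period
ends, the key is deleted ("crypto-shredding"), so every copy of the
ciphertext, including those in backups, becomes unreadable.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention schedule, in days, keyed by record type. The periods follow
# the obligations described in the text; the type names are our own.
RETENTION_DAYS = {
    "mifid2_transaction_comm": 5 * 365,  # MiFID II conversations: five years
    "benchmark_comm": 3 * 365,           # benchmark telephone/electronic comms: three years
}

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one record key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real AEAD such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise ValueError on any tampering."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


@dataclass
class StoredRecord:
    record_type: str
    created: date
    ciphertext: bytes


class RetentionStore:
    """Keeps ciphertext and keys apart so that deleting a key retires a record."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}          # record_id -> key (deleted on expiry)
        self._records: dict[str, StoredRecord] = {}  # ciphertext, may also live in backups

    def put(self, record_id: str, record_type: str, created: str, plaintext: bytes) -> None:
        if record_type not in RETENTION_DAYS:
            raise KeyError(f"no retention rule for {record_type!r}")
        key = os.urandom(32)
        self._keys[record_id] = key
        self._records[record_id] = StoredRecord(
            record_type, date.fromisoformat(created), encrypt(key, plaintext)
        )

    def expiry(self, record_id: str) -> date:
        rec = self._records[record_id]
        return rec.created + timedelta(days=RETENTION_DAYS[rec.record_type])

    def is_readable(self, record_id: str) -> bool:
        return record_id in self._keys

    def get(self, record_id: str) -> bytes:
        if not self.is_readable(record_id):
            raise LookupError(f"record {record_id!r} is unknown or has been shredded")
        return decrypt(self._keys[record_id], self._records[record_id].ciphertext)

    def shred_expired(self, today: str) -> list[str]:
        """Destroy the keys of every record whose retention period has ended."""
        now = date.fromisoformat(today)
        shredded = []
        for record_id in self._records:
            if self.is_readable(record_id) and now >= self.expiry(record_id):
                del self._keys[record_id]  # ciphertext may linger in backups; it is now useless
                shredded.append(record_id)
        return shredded


if __name__ == "__main__":
    store = RetentionStore()
    store.put("call-001", "mifid2_transaction_comm", "2018-01-03", b"constructed call transcript")
    store.put("sub-042", "benchmark_comm", "2018-01-03", b"constructed submitter email")
    print(store.shred_expired("2021-01-02"))  # ['sub-042']: three years have passed
    print(store.is_readable("call-001"), store.is_readable("sub-042"))  # True False
```

The design point is that retention is enforced by what the firm controls directly (the keys) rather than by chasing every copy of the data. The backup provider never needs the keys, so the third-party assurance of backups in the last bullet does not extend the life of data that must be forgotten, and a record that reaches its expiry date becomes unreadable everywhere at once.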
There is a gap between firms and the vendors offering these services: little feedback flows between them, and there is no common space for discussion. Through collaboration, solutions can be achieved in a better, cheaper and safer manner.
In this pursuit, JWG will be launching our Data & Security Special Interest Group (SIG). This SIG will discuss data security and privacy relating to record keeping requirements across a wide range of regulations as well as the associated technology risk and risk data requirements.
Our first three meetings will focus on:
- 11 May 2017 – Data security: confidential data, data authentication, backup controls and accidental disclosure
- 13 June 2017 – Intrusions and system recovery: detection mechanisms, external attacks, technology disaster recovery and brute-force attacks
- 11 July 2017 – Organisational requirements: outsourcing, ringfencing and functional requirements.
If you would like further information about this group, or would like to participate, please contact us at firstname.lastname@example.org. In addition, to learn about the latest developments in financial regulation and receive our in-depth analysis, you can subscribe to our newsletter or follow us on Twitter and LinkedIn.