Why do financial firms still get data laws wrong?

Nine out of ten financial services firms struggle to comply with data privacy laws. However, this has presented RegTech companies with new opportunities.

Data privacy is in the public spotlight. Highly publicised affairs like the Cambridge Analytica scandal have put the question of how big tech companies handle data at the forefront of the public consciousness. However, it’s not just social media giants that must deal with growing data concerns. Financial services firms are also subject to these laws. The problem is that they kinda suck at it.

In September 2019, over a year after the EU enforced the new General Data Protection Regulation (GDPR), it was revealed that financial services firms had been slammed with more fines than any other industry. Of the 68 fines issued in the year since the law sprang into action, 11 had been left at the doors of financial services firms. Professional services firms came second with seven fines levied at them, followed by the public sector with five fines.

This is hardly an issue confined to Europe. Despite having spent on average $77m on becoming compliant, 90% of financial service firms around the world are not compliant with GDPR, the California Consumer Privacy Act (CCPA) and other data privacy regulations, according to research from IT company Tanium.

This inability to understand the laws and fill the compliance gaps in their own organisations spells out big problems for financial service firms.

“Data management cuts to the heart of any regulated entity’s ability to identify and understand their risks, before they can understand what controls are required to appropriately mitigate and manage these identified risks,” Anthony Quinn, founder and CEO of Arctic Intelligence, the financial crime risk and compliance tech startup, told RegTech Analyst. “Many organisations struggle with data on many levels and encompasses issues that can range from having missing, inaccurate or poorly maintained data, to issues with the ability to protect customer data, data sovereignty and tracking their customers’ ability to opt-in or out of data sharing laws.”

However, he adds that these issues may be understandable, if not forgivable. “Many complex organisations operate hundreds of products and services that are offered through multiple channels to millions of customers across hundreds of millions of accounts and potentially billions of transactions, which becomes for many a huge and often seemingly insurmountable challenge,” Quinn said. “[This] is probably one of the reasons large financial institutions are looking to audit their risk and compliance management aspects relating to data [with companies like] Arctic Intelligence [as] our platforms can be used to conduct data risk assessments, as well as many other types of risk assessment.”

Another reason many financial services firms are struggling is that they are weighed down by outdated legacy systems that just can’t cope with the influx of new data laws. “Many companies have technology and processes in place that predate any data protection or privacy laws,” Annie Eser, account executive at Ascent, the automated regulatory monitoring tool startup, tells RegTech Analyst. “So pivoting those existing systems to accommodate these laws can be challenging. Additionally, each jurisdiction has different ways of handling data and different regulations overseeing that process. This fractured regulatory landscape complicates which regulation companies need to follow and how much they need to comply with, especially for companies operating on a global scale.”

Thomas Russell is the founder and CEO of Dublin-headquartered RegTech company Think Evolve Solve, which is behind the Gather 360 SaaS tool that empowers businesses to more easily assimilate and format data. He tells RegTech that a core reason many firms struggle to comply with these new pieces of legislation is that they fail to understand the laws, keep up to date with changes and transform this into business logic. “[This] is the key bottleneck – providing, preparing, maintaining the data flow to solutions so that they can be set up and continue to operate,” Russell says. “This is where we see increasing interest by RegTechs in data tools that can power their systems and technologies – ready-to-implement tools that don’t require IT or development resources.”

Eser agrees that the situation has presented RegTech entrepreneurs with new opportunities. “The power of RegTech is its ability to automate some of the most tedious and error-prone aspects of regulatory compliance,” she says. “At Ascent, we’ve built a platform of solutions that couple emerging technologies with human domain expertise in order to automatically identify which obligations apply to a company. Working with a Global Top 50 Bank, Ascent helped identify the bank’s GDPR obligations at a 99% cost reduction and with 30% time savings in manual regulatory change triage across the firm.”


Copyright © 2018 RegTech Analyst
