Managing Technology and Data Risks in Financial Operations

4. How the exploitation of data can be reconciled with consumers’ privacy expectations, as well as restrictions on the transmittal and storage of data out of jurisdiction for sovereignty and other reasons.

There is evidence of this in the Asia-Pacific region with regulators. The Monetary Authority of Singapore has revamped its regulations for technology-related issues including its guidance on outsourcing, technology risk management, and business continuity planning. The Hong Kong Monetary Authority is increasingly looking at firms’ management of change, as well as the implementation of regulatory compliance in new technology systems. The Hong Kong Securities and Futures Commission is conducting a thematic review of how firms approach data risk. The international standard-setting body for the capital markets, the International Organization of Securities Commissions (IOSCO), is also acutely focused on these issues according to its Chairman, Ashley Alder, who spoke at the recent Asia Securities Industry and Financial Markets Association (ASIFMA) conference in Hong Kong in late May.

How firms approach the management of their technology and data risks is no longer a material but a subsidiary concern of financial firms, left to their chief technology officer to decide how to address. It is now a key concern of the board, CEOs, COOs and risk and compliance officers as well as chief cybersecurity and chief data officers. However, too often, the related issues of operational resilience, cybersecurity, data, privacy, and outsourcing or third-party risk management are still treated separately. This threatens to allow the development of siloed single-issue focused processes that do not sufficiently communicate with one other and/or that conflict. In turn, this can mean financial firms miss or underestimate cumulative risks or risks arising from interaction among these issues.

Firms need to develop an integrated approach to these risk pillars that consider matters from all these perspectives from the start and that brings together different perspectives from business, technology, data, privacy, risk and compliance disciplines. They need to consider business processes not just from the perspective of the stability and goals of the firm itself but also from the perspective of end-users of the firm’s services, such as consumers, market participants, and a firm’s commercial counterparties. Regulators are beginning to demand this with the rise of operational resilience as a separate focus of regulatory concern in the US, UK, European Union, and Hong Kong and Singapore, among other markets.

Firms that do adopt an integrated approach to these issues will be better placed to capitalize on the opportunities that technology and data offer and also be better placed to navigate the new risks and increasing regulatory expectations that accompany them.

The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.

See More: Top Capital Market Tech Solution Companies