Eugène Goyne, Asia-Pacific Financial Services Regulatory Lead, EY
Ever since the invention of the abacus, finance has been an industry that has used technology and data. What has changed is that finance is now critically dependent on these. Some of the greatest opportunities and corresponding risks to the industry are posed by technology and data-related issues.
Many of the top opportunities are offered by technology: intense mining of customer and big data to create new business opportunities, and realizing the efficiencies offered by cloud technology, artificial intelligence, machine learning, and robotic process automation. This culminates perhaps in the operation of totally virtual business models, such as virtual/neo banks. Equally, many of the top risks of concern to financial firms’ management are posed by technology, including the availability of data, the integrity of data, data destruction and recoverability, cybersecurity, privacy and sovereignty restrictions on the use of data, disruption due to new technology-focused entrants and IT obsolescence. These technology and data risks are compounded when financial firms outsource these functions to third parties, which leaves the firms exposed to the technology and data-related risks of those third parties.
Whatever gives rise to risks in the financial system attracts the attention of regulators. So regulators, too, are acutely focused on the impact of data and technology, including addressing:
1. How to regulate new industry entrants, often from unregulated technology industries.
2. How to manage a new ecosystem where the stability of a financial firm is dependent on technology.
3. The availability, quality and use of data within a firm, both technically and from an ethical perspective.
4. How the exploitation of data can be reconciled with consumers’ privacy expectations, as well as restrictions on the transmittal and storage of data out of jurisdiction for sovereignty and other reasons.
There is evidence of this among regulators in the Asia-Pacific region. The Monetary Authority of Singapore has revamped its regulations for technology-related issues including its guidance on outsourcing, technology risk management, and business continuity planning. The Hong Kong Monetary Authority is increasingly looking at firms’ management of change, as well as the implementation of regulatory compliance in new technology systems. The Hong Kong Securities and Futures Commission is conducting a thematic review of how firms approach data risk. The international standard-setting body for the capital markets, the International Organization of Securities Commissions (IOSCO), is also acutely focused on these issues according to its Chairman, Ashley Alder, who spoke at the recent Asia Securities Industry and Financial Markets Association (ASIFMA) conference in Hong Kong in late May.
How firms approach the management of their technology and data risks is no longer a material but subsidiary concern for financial firms, left to their chief technology officer to address. It is now a key concern of the board, CEOs, COOs and risk and compliance officers as well as chief cybersecurity and chief data officers. However, too often, the related issues of operational resilience, cybersecurity, data, privacy, and outsourcing or third-party risk management are still treated separately. This threatens to allow the development of siloed, single-issue processes that do not sufficiently communicate with one another and/or that conflict. In turn, this can mean financial firms miss or underestimate cumulative risks or risks arising from interaction among these issues.
Firms need to develop an integrated approach to these risk pillars that considers matters from all these perspectives from the start and that brings together different perspectives from business, technology, data, privacy, risk and compliance disciplines. They need to consider business processes not just from the perspective of the stability and goals of the firm itself but also from the perspective of end-users of the firm’s services, such as consumers, market participants, and a firm’s commercial counterparties. Regulators are beginning to demand this with the rise of operational resilience as a separate focus of regulatory concern in the US, UK, European Union, and Hong Kong and Singapore, among other markets.
Firms that do adopt an integrated approach to these issues will be better placed to capitalize on the opportunities that technology and data offer and also be better placed to navigate the new risks and increasing regulatory expectations that accompany them.
The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.