The Australian Prudential Regulation Authority (APRA) has found gaps in how banks manage data they hold and offered six recommendations in support of better data practices.
Its suggestions follow the findings from a multi-year pilot study that kicked off in 2019 with a selection of banks to gain insights into the status of data risk management among the financial institutions.
APRA wrote to selected banks to partake in an exercise known as the 100 Critical Risk Data Elements (CRDE) Pilot, identifying 100 key data elements, such as customer name, account number and interest rate.
This was then followed up with rounds of data risk prudential reviews to see how each bank implemented their data risk management frameworks.
In findings released earlier this week, APRA found “recent improvements in data practices driven in part by APRA’s supervision focus, however progress is slow and the gap between current and better practice in data risk management remains wide”.
Its focus on data risk has been rising over the years, through its Prudential Practice Guides such as CPG 235 that deals with managing data risk, and data “featuring as a key risk type” in the prudential standards, CPS 234 Information Security and CPS 230 Operational Resilience.
While APRA is usually focused on reporting data risk management maturity and data security control effectiveness, it said that “recent cyber events leading to customer data leakages and entity data breaches in the industry have highlighted the importance of data storage, deletion, and security, all of which require a sound understanding of the data environment and quality of data.”
“Data is key to many, if not all, the decisions an entity must make and as such is the “crown jewels” for most entities.
“The protection of an entity’s crown jewels should be a high priority for directors and executives alike,” the financial prudential regulator said.
APRA recommended banks:
- Establish data governance with a unified data strategy.
- Provide clarity on roles and responsibilities for ownership of critical data elements and processes across the data lifecycle.
- Simplify the technology and data architecture environment through improved platform solutions and by decommissioning legacy assets.
- Identify critical data elements and create a consistent set of data controls.
- Establish mechanisms to monitor data quality and timely remediation of errors based on business requirements.
- Integrate data management risk into risk management frameworks.
“APRA has observed that the data frameworks of the participants are now more developed since the beginning of the 100 CRDE Pilot in 2019,” it said.
“To drive industry-wide uplift of data practices, APRA intends to continue its focus on data risk management through CPS 230.
“Data risk is a key consideration under operational risk more broadly for boards and senior leadership, and inherent in understanding critical operations and processes end-to-end.”
However, despite the boost in data management, APRA said it “observed that there is still a journey ahead for entities to effectively embed data frameworks”.
APRA noted data practices aren’t consistently integrated and that “entities haven’t consistently made the connection between enhancing data practices and better decision-making”.
Those in the pilot struggled to “quantify data inaccuracies” in various reports, improvements don’t take all aspects of their business end-users into account, and solutions aren’t always fit for purpose.
“Enabling the availability of data across a business helps increase transparency, manage risks and improve efficiency, but it needs to be consistent and accurate to be used effectively – this can be achieved through the implementation of controls, such as those outlined in CPG 235.
“Despite all the progress made by the select banks included in this pilot, gaps remain in data practices which impacts resiliency of the industry.”
APRA said if data risk is to be effectively managed, “entities should focus on identifying critical data elements, remediating data issues, enhancing technology platforms, simplifying legacy architecture, and making data more accessible.”
“In fact, it’s in the best interest of entities to streamline processes, increase automation of manual controls, and improve data quality, because in a world where demand for data from customers, clients, and regulators is only increasing, entities can’t afford to be left behind,” APRA said.
APRA also said similar questionnaires from its pilot were sent to particular life insurers and superannuation companies in 2022 “to better understand their risk practices following concerns surrounding incorrect regulatory submissions.”