by Vangelis Tsianaxis, Director of Consulting, IPC
Is the global trend of easing data privacy rules and reducing complexity being changed by recent events, such as the United States’ (US) decision to reverse data privacy provisions for non-US citizens or unlawful permanent residents of the US*? Could restrictions on communications data sharing across jurisdictions impact the efficiency and effectiveness of risk management and regulatory compliance activities?
In recent years, the financial community has seen opposing trends globally in this area, such as the European Union (EU) data-sharing agreement with the US on one side (now in question), and Russia banning the sharing and storage of data outside the country on the other. The impact on the financial markets of Britain leaving the EU also remains to be defined.
Decisions to restrict communications data sharing increase the complexity financial market players have to deal with when retaining and accessing records across jurisdictions. Invariably, risk and compliance operational processes, such as regulatory reporting and transaction and trade surveillance, depend on access to good data across several jurisdictions. Limiting access to the data due to data privacy concerns could:
- Increase the complexity of maintaining oversight of the processes this data supports
- Affect the operational cost of maintaining and accessing the data itself
- Increase the risk of breaching data-sharing restrictions, due to the complexity of controls required in the operational and technology environment.
For trading across the EU and US, any reversal of current arrangements would likely have an impact on how firms collect, maintain and access communications data records. It could mean additional infrastructure costs to keep data physically in separate jurisdictions. It would also likely require firms to revisit their current data privacy policies and their use of data in existing operational processes, such as enabling market transparency and monitoring for market manipulation.
Many global firms carry out surveillance activities using a regional hub model, where a hub located in one country carries out the surveillance activities of a region. Such activities may have to be carried out in-country at an additional cost.
What You Can Do Today to Make a Difference
So, what can you do today to manage the impact of any changes?
- Review your current data privacy arrangements for communications data sharing across internal and external parties involved in trading activities of your business.
- Ensure that you have oversight and control of the physical locations of data storage equipment, and of who can access it and how.
- Assume all technology projects for your voice and ecomms infrastructure are also data projects. Data migrations will likely be involved in any technology change.
- Involve your data privacy officers at the beginning of any project – there is no prize for avoiding the matter and it could bring entire programs to a halt (I have seen it on several occasions).
- Ensure that the appropriate reviews and approvals for data privacy are obtained as early as possible internally and with the regulators, where relevant, to enable data sharing.
- Do not assume that data privacy affects only external/client data. Employee data is often affected by data privacy rules.
- Maintain a level of flexibility in the infrastructure design to respond to sudden changes, driven by political risk or other unexpected events.
- Review your archiving arrangements and the level of flexibility they provide across all communications data. Integrate data sources to manage data segregation effectively!
- Once you are done with all of the above, start again! This should be “business as usual.”
Ultimately, firms that anticipate and respond to the risk generated by data storage and sharing changes will have a competitive advantage.