Complying with data privacy laws on top of ensuring compliance with a broad range of regulations is having a severe impact on regulatory compliance and data teams. It is incumbent upon financial institutions to ensure that data protection is considered as part of any existing or new system design or implementation for initial and ongoing compliance. While there is no silver bullet to achieving this, there are a number of different strategies and tactics that can be used to comply with regulatory compliance obligations without impacting in-country data privacy rules. These include:
1. Consolidated, Delta-Based Operational Model & Solution
One approach is to create a federated or hub-and-spoke KYC operational model to circumvent data privacy restrictions. This involves establishing a small number of core KYC compliance units, based in key territories / continents, to fulfil the KYC service requirements of the surrounding jurisdictions, business units and product lines. This approach also involves centralizing all data and documentation into central (federated) repositories, helping to achieve a ‘single view of the client’ across all products, markets and relationships, enabling the institution to accurately measure the size of the risk posed by clients and to easily identify beneficial owners, associated entities and individuals.
In addition to achieving full cross-jurisdictional KYC compliance, this type of model permits institutions to provide a more consistent, localized KYC service and speed up the time it takes to onboard clients with the ability to re-use client data and documentation for multiple purposes. It also gives banks the ability to roll-up all regulatory and client data into an aggregated form to comply with new data aggregation regulations such as BCBS 239 etc. (Check out our case study on KYC Shared Services.)
2. Incorporating Advanced Security Models into Client Lifecycle Management Technology
New data privacy laws have the power to impose stringent and potentially damaging (both reputationally and financially) punitive measures – up to 4% of global annual revenues - on financial institutions in breach of data privacy laws. To ensure full compliance, organizations must have robust data protection policies in place, along with suitable training for employees and with technology and security solutions that limit data access to only authorized users.
From a systems software point of view, there are a number of features and functionality that come to bear here:
a) Role-Based Entitlements
Financial institutions must be able to prove a high standard of compliance with data protection and privacy regulations. Institutions should be capable of restricting access to viewing or editing a client’s data to only those system users with the appropriate permissions to ensure that data is protected and, therefore, not shared with or accessed by anyone outside of that particular jurisdiction.
b) Jurisdictional Restrictions
Different products added to a legal entity might have different associated jurisdictions, thereby, adding multiple regulatory requirements and combined privacy restrictions to that entity. Compliance software needs to be capable of managing this efficiently.
c) Data Masking & Hiding Sensitive Customer Data
Some regulations will require rolled-up or aggregate risk measurement and reporting e.g. BCBS 239. Data privacy rules can impact how financial institutions operating across multiple borders can comply with this regulation, scuppering any chance of being able to achieve a rolled-up view of the institution’s risk profile.
However, there is a way around this. Software solutions should be capable of masking or hiding sensitive customer information from unauthorized system users e.g. those accessing this data outside of the permissioned regional perimeter. This includes Personally Identifiable Information (PII) such as:
- Date of birth
- Source of wealth
- Tax Identification Number (TIN)
- Employment status etc.
The sensitive data functionality should include showing or hiding entire sections of a record to allow a set of grouped fields or data to be hidden completely from unauthorized users. This means that if a US-headquartered financial institution needs to perform risk data aggregation on all clients around the world, it can mask or hide sensitive information and perform a rolled-up or aggregate view of the risk profile, thereby allowing it comply with BCBS 239.
3. Integrating Explicit Client Consent into Client Lifecycle Management Processes
One of the bigger changes that EU GDPR will usher in for financial institutions revolves around the concept of client consent. This essentially means that the controller or processor (financial institution) must demonstrate proof of freely-given, valid, informed and explicit, unambiguous consent from the data subject in order to process the personal data of a data subject. Explicit consent will become mandatory – requiring banks to fundamentally rethink the way in which they collect and handle customer data.
4. Validating Access
One of the great things about streamlining client lifecycle operations with technology is that everything is fully auditable and validated. As an added bit of security, the software should request that users explicitly verify that they are accessing sensitive data and will be doing so for the purpose of completing KYC obligations.
5. Adopting a Global Community-Based Approach to Data Privacy Regulations
Data privacy and protection needs to be designed inside each regulatory compliance program and take into account the jurisdictional and in-country nuances required. Technology and operational models are one thing. The processes underpinning these require vision and refinement. By collaborating with industry-leading peers, financial institutions can leverage others’ experiences of what works and what doesn’t and adopt best practices in their organizations.
Download our whitepaper on KYC vs Data Protection - The Next Compliance Hurdle:
Dowload our whitepaper on KYC vs Data protection - the Next Compliance Hurdle, where Laura examines how financial institutions can manage local jurisdictional KYC obligations and deal with complex security and data privacy requirements across jurisdictions. She considers the global and cross- jurisdictional data protection laws (check out the Jurisdictional Use Cases at the end of this document) and how these can be categorized into common themes.