Using Master Data Management as Part of a Robust Compliance Program
Martin Samuel Nielsen discusses how leveraging master data management as part of your compliance arsenal will allow you to understand, manage and control information about your customers, products and more to safeguard how data is managed and maintained across your business.
As the world becomes more digital, the number of regulations designed to protect individuals, govern the products and services they purchase and monitor their related data “footprint” increases dramatically. According to an Ernst & Young survey, intensifying regulatory pressures are top of mind for business leaders, with 78 percent of respondents expressing increasing concern about data protection and data privacy compliance.
Organizations are faced with two unique challenges: first, to determine how they govern, use and protect data to comply with mandates such as the EU’s General Data Protection Regulation (GDPR); and second, how to manage the vast amounts of data needed to perform due diligence for mandates such as Know Your Customer (KYC). Whether your business sells B2B or B2C, the requirement for regulatory compliance is here to stay. In fact, it is likely to get more difficult as organizations struggle to understand the growing amounts of data found in their data lakes and other sources.
The True Impact of Regulatory Compliance
Today, organizations are amassing large volumes of critical business information about not only their customers and partners, but also their products and their individual components. Compliance comes in many forms and spans numerous industries. Furthermore, it is forcing organizations to understand and access their organizational data to comply with various overarching regulations, including those that are specific to their business or geographical region.
For instance, the number of regulations that require a company to have control over data has increased over the last couple of years and includes well-known directives such as the GDPR, the International Financial Reporting Standards (IFRS) and others.
KYC, in particular, is covered in many anti-money laundering acts across the globe and includes verifying the identity of your clients to assess risk during the due diligence process. To ensure compliance with these mandates – as well as other regulations, such as the FDA’s Unique Device Identification (UDI) law, which requires a unique identifier to be assigned to medical devices, and the Food Labelling and Education Act – organizations need to assemble sources of truth to ensure data is accurate. More importantly, they need to ensure the data is fit for purpose, meaning they can understand how the data will be used throughout the organization (and in what setting) to ensure conformance.
Yet many businesses maintain an IT ecosystem that is not well-suited to support regulatory compliance. This is because they rely on various legacy systems that cannot easily be retired, and they often have one system per line of business, resulting in duplicated data that resides across the IT landscape. Aside from the time it takes to onboard a customer, one of the biggest challenges to complying with regulations such as the Bank Secrecy Act and the related anti-money laundering (AML) rule is the ability to identify the client/customer across the enterprise. This is because institutions are often required to provide the same information about the customer repeatedly, making this approach unacceptable.
Taking the Reins on Risk: CDOs to the Rescue
In an attempt to support the needs of the CIO and the various data requirements from business users, organizations in regulated industries and beyond are adding a new seat to the C-level table in the form of a Chief Data Officer (CDO). CDOs are often defined as the person responsible for enterprise-wide governance and use of information as an asset via data processing, analysis, data mining, information trading and other means. They primarily have a business background rather than an IT background, as they focus on ensuring data quality and transparency for regulatory and risk management, as well as analytics reporting. In fact, according to a recent Gartner report[i], CDOs spend, on average, 27 percent of their time on risk management and compliance.
According to Gartner’s latest Magic Quadrant for Data Quality report, these CDOs realize the importance of data quality in reaching the goals laid out for them, which include not only compliance and risk mitigation, but increasingly growth, customer and product priorities. “To achieve CEOs’ business priorities in these categories, data and analytics leaders — including Chief Data Officers and CIOs — must ensure that the quality of their data about customers, employees, products, suppliers and assets is ‘fit for purpose’ and trusted by users. Without trusted data, efforts to achieve these objectives will be impeded, which will result in less value for shareholders, reduced competitiveness, rising operational costs, loss of customers to competitors and, potentially, fines for noncompliance with regulations.”[ii]
In reaction, C-level executives, with support from business users, began adopting new solutions, such as master data management (MDM), to better organize, understand and apply how data is being used today and how the business hopes to use it in the future. MDM also supports critical identity resolution, so organizations can identify their customers, products, individual components and geographies to ensure proper due diligence to assess risk and maintain compliance.
Due to privacy laws, Chief Information Security Officers (CISOs) such as myself are often the executives tasked with delivering these vital capabilities to our organizations. If your organization employs a CISO, he or she likely owns the compliance task. If so, working closely with the CDO is an important best practice for the CISO.
Making the Best of Mandatory Compliance: Three Tips That Can Get You Started
Organizations can take one of two mindsets when it comes to keeping up with the never-ending list of regulations: They can proceed with developing only the minimum level needed without fully committing, or they can view it as an opportunity to get their house in order and connect and deliver information to every point within the enterprise to drive value. To help you and your organization comply with today’s regulations, such as BCBS239 or Title 21 of the Code of Federal Regulations (CFR), as well as prepare for future ones, start by considering these three steps:
- Augment Current Approaches: Rather than take an all-or-nothing attitude toward compliance, consider current methods and look for ways to supplement existing technologies and approaches. Ask yourself, can we achieve compliance by adding new data quality and data management strategies?
- Audit Data: Identify where, why, how and by whom the data is being used. Ask yourself how the data is being consumed and in which context it is needed.
- Apply Data Governance: Data governance can help you define business accountability for your different types of data and establish proper data management policies. To do so, first determine the source of the data, as well as who can access it and who can change it. This will help you identify the business processes that rely on it and apply appropriate governance policies.
Improving regulatory compliance is a critical undertaking, but it’s part of a “high-risk/low-reward” organizational capability. As a result, it doesn’t often get the attention it deserves. Poor compliance can be extremely costly and potentially damaging to both your bottom line and brand reputation. MDM will not only help you get to the true identity of your customer, product, geography, etc.; it will also help you identify and understand all the relationships each has with other relevant parties and objects. These may include stakeholders, politically exposed persons and advisor relations, products and their components/ingredients, locations, services or policies, as well as assets and important documentation. It also provides a unified view of the counterparties across the various lines of business.
Leveraging MDM as part of your compliance arsenal will allow you to understand, manage and control critical information about your customers, products and more to safeguard how data is managed and maintained across your business. More importantly, it boosts the overall visibility and traceability of your data, which streamlines your compliance efforts and frees up additional resources to tackle additional business challenges.
[i] Source: Gartner. Assess the Impact of MDM Vendors’ Machine Learning, GDPR and Cloud Solutions. March 2018
[ii] Source: Gartner. Magic Quadrant for Data Quality Tools. October 2017