For one global financial institution it has just cost them $400m in fines, with a cease and desist order on top for good measure.
Quite simply, the regulator lost patience with the organisation for repeatedly failing to clean up its act.
The US Treasury’s Office of the Comptroller of the Currency (OCC) highlighted:
- a failure to implement an enterprise-wide risk management and compliance risk management program
- a lack of internal controls
- no data governance program
With these systems lacking, there was no ability to measure, quantify, monitor, manage or report risks that the organisation was facing.
Along with the senior management team, the regulator also pointed the finger at the Board for failing to provide the right oversight and to mandate the timely actions needed to correct “the serious and longstanding deficiencies”.
Ironically, the lack of control and reporting was highlighted as a reason for the Board not having the right oversight and insight in the first instance.
A somewhat circular argument, but the point is clear: the failings were highlighted, and no one took responsibility for resolving the issues in a timely manner.
The bank in question has stated its remorse at not meeting the regulator’s demands over an extended period and pledged to spend $1Bn over the next year to fix the deficiencies.
This highlights that having an issue is one thing, but failing to proactively address it is significantly worse.
The regulator was patient with the organisation, allowing time for it to show progress or a resolution plan, but with nothing forthcoming, it was forced to act.
Financial institutions are under increasing regulatory scrutiny across the breadth of their organisation.
Being able to identify where risk is and why it exists, and to show a roadmap for dealing with it, is increasingly a fundamental part of how they should do business.
From our perspective, data governance is a broad term with many elements to be fulfilled to tick the ‘compliance box’. For us, having insight into the scale of the data challenge is the first step to compliance.
Our experience, or more accurately our customers’ experience, is that gaining insight provides visibility of the risk level, which in turn allows policies to be created to manage the risk, which in turn leads to accurate auditing and reporting.
All of this combined allows regular risk reporting and mitigation – which keeps the Board, shareholders, customers and, in this case especially, the regulator happy.