
The explosion of digital channels has created a digital labyrinth for financial institutions when it comes to data retention, consumer privacy, data mapping and storage. There are two major drivers of the “rat’s nest” of confusion around data retention policies, says Mohammad Nasar, a principal in the financial services consulting group at Crowe. The first is that there are numerous federal and state regulations governing both data retention and consumer privacy; the second is data sprawl.
Data retention and consumer privacy are two sides of the same risk that banks need to manage, especially as executives think about incorporating more data into their decision-making and personalization efforts. They need to know where that data is located and its classification, and what may need to be deleted or retained.
Federal banking regulators and agencies like the Financial Crimes Enforcement Network have become increasingly interested in how banks manage their data, comply with anti-money laundering provisions and their general cybersecurity posture, says Mark Wuchte, who leads the financial services risk advisory team at Baker Tilly. He attributes this to recent breaches and cybersecurity vulnerabilities at banks and third-party vendors, which then leads regulators to ask other institutions about who owns and controls different data sources and where this information is housed.
Banks also tend to hoard data, says Shikhar Singh, chief technology officer and executive vice president at Fargo, North Dakota-based Choice Financial Group, which has $5.6 billion in assets. He says figuring out what data needs to be retained and what can be deleted is one of the risks that Choice proactively addresses as part of its data analytics initiatives.
That can be a tricky task for banks: There are competing regulations around what information they need to retain and what they would be expected to delete. On the retention side, there are different timelines for different types of data. For example, information that was part of a screening for the Office of Foreign Assets Control needs to be retained for a decade, but screenings as part of the Bank Secrecy Act or anti-money laundering only need to be kept for half that time. Tax accounting that may be audited or subpoenaed needs to be kept for seven years, generally.
Banks also need to identify what data would need to be deleted to comply with consumer privacy laws. The U.S. doesn’t have a national consumer privacy law; privacy is governed partially through certain pieces of legislation — like the Health Insurance Portability and Accountability Act, or HIPAA, or the Gramm-Leach-Bliley Act — or through state privacy laws.
Complicating this is that banks have widened their potential geographies through digital channels and services. Before, a bank may have attracted customers from the same state it operated in and kept its data and servers mostly on premises, creating some consistency around where its data was domiciled, or stored, and what customer privacy laws it followed. Now, a bank in Florida may use cloud-hosted servers located in Virginia to store California customers’ data for a New York-based fintech.
“Things have changed significantly,” Wuchte says. “There are a ton of things happening now that are transforming the way that the industry focuses, what they’re looking at and how they go about their day-to-day business.”
He adds that while most federal data retention laws are older, privacy laws in 20 states create an uneven and challenging operating environment for U.S. banks. One common aspect of these privacy regulations is a consumer’s right to have their data deleted by an enterprise that holds it. But before a bank deletes a customer’s record, it needs to figure out what data is exempt from deletion and must be retained under data retention laws.
“‘How long I keep something’ is now getting complicated as certain regulations may maintain minimum requirements, but the trend of privacy regulations is to limit what data is kept,” Nasar says. “From a business standpoint, keeping data may improve an organization’s capabilities to have robust training sets for modeling purposes, but that same data also increases the risk of exposure.”
The second problem, Nasar says, is data sprawl. Even if it was clear to every financial institution what rules they needed to follow and what data needed to be deleted or saved, they would still need to know where all that data is stored. Customer data could be located in different systems across a bank: digital account opening software, deposit operations, credit and the core’s general ledger.
“It’s no longer in your IT service center, where it’s physically housed in one place. It’s no longer your physical records and documents that you’re retaining in some storage facility,” Nasar says. “It’s everywhere.”
While this problem may seem insurmountable, banks can address it through a combination of enterprise risk management, governance and technology. Nasar says banks can use data classification tools that leverage artificial intelligence to help them understand the overall state of their data and where data is located. These tools can also assist in areas that aren’t traditional data repositories — including customer information in Word documents, spreadsheets or emails — and could classify the information as either subject to privacy laws or exempt from them. As banks pursue data analytics initiatives, mapping and classifying where different data lives in an institution can help executives get a handle on their sprawl.
Wuchte recommends that banks do a comprehensive data inventory audit to identify where the bank stores information, what policies it needs to comply with and what information is subject to those policies. They should also include these items in their third-party risk and vendor management policies and oversight. He says that, in general, this task is easier for banks that are smaller and located in fewer states, and harder for banks that are larger and have operations in more locations. He also emphasizes that banks should proactively train employees on their policies and processes, especially as they explore how technology and data analytics can help them gain efficiencies.
“I do think that the digitization of everything is making things exciting … but a lot of times, banks don’t fully understand where the data lives,” he says. “If they have information that’s coming across multiple platforms, it makes it difficult to track and to enforce consistent retention policies because they don’t know where it is.”