Effective data management amid shifting regulations in financial services

By Michael Coates (pictured), Solution Architect, Aiven ANZ

It’s no secret that the financial services sector has continued to dominate headlines in the past twelve months, but not always for the right reasons. In fact, managing operational risk within financial services continues to be significantly challenging due to several factors including accelerated digital transformation, increased cyber threats, explosion of data volumes and adoption of Generative AI.

According to the Australian Information Commissioner (OAIC), the finance services sector was one of the top reporters of data breaches in 2023, representing 10% of all data breach notifications. Not only that, IBM’s Cost of a Data Breach Report also found that the average cost of a single data breach within Australia was US$2.7 million. Not to mention the incalculable cost in terms of eroding the organisation’s reputation and goodwill with their customers.

It’s therefore not surprising that industry regulators are taking steps to reduce risk exposure within financial services institutions (FSIs).  The clock is now ticking and with just over twelve months to go before the new APRA-regulated CPS230 policies come into effect and organisations will need to ensure they close any compliance gaps or face the consequences.

The impact of changing consumer demands on data management

These regulatory changes also coincide with increasing consumer demands and expectations. From a consumer perspective, there is much greater awareness and demand around both mobility of service and security of data. Recent high profile data breaches have also made security more top of mind than ever before.

One such breach was with a major telco in Australia at the end of 2022. The breach impacted ten million people, a third of the population, with information stolen by the hackers including names, birthdates, home addresses, phone numbers, email contacts, and passport and drivers licence numbers. The breach even led to the company agreeing to pay for replacements of compromised passports.

Rising consumer data literacy, and their resulting perception of data management, are becoming a key point of difference in consumers’ minds when choosing who to trust with their financial assets.  At a minimum, consumers expect that their data is private and secure – a basic expectation that unfortunately is not always upheld.

Understanding what best practice looks like in a changing regulatory landscape

We are often asked to advise on what best practice looks like through a CPS230 lens as organisations start taking the steps required to future proof their risk and compliance strategies.  While each organisation has its own set of challenges to factor in, there are three key areas of common ground to consider.

• Cohesiveness between compliance and risk vs security – the security team will set mandates around the organisation’s risk appetite and put prevention, detection and response policies in place; but the ones who actually implement the policies are the IT team – a separate team altogether – so, there is this division of responsibility and collaboration between groups is essential.
• Data sovereignty considerations – from a security perspective this means considering where does your data live? Is it running in the service provider’s environment, or is it running in yours? How much control do you have over the data? Can you lock the service provider out of it if needed?
• Avoid vendor lock-in – operational risks aren’t just breaches of data because of financial crime; they can also be risks related to escalating costs associated with technology disruptions where critical data becomes inaccessible.

Choosing the right technology partners improves operational resilience

There is much to consider when thinking about who to trust with your data. Strong data management can spell the difference between success or failure. As highlighted in a recent Forrester report, choosing the right managed services partner can help FSIs save significantly on reducing risk events.  Furthermore, having the ability to scale up existing in-house skillsets is also a key consideration as talent pools remain stretched.

It is important to look for partners that offer flexibility in terms of data storage but also understand and adhere to operational compliance in line with APRA regulations.

We are working with Revenir, a London-based fintech that automates tax recovery through partnerships with banks, governments and digital receipt companies. As a company in the financial sector, it was crucial that CTO, Brian Wagner, was able to balance data management with cybersecurity and remaining compliant with national and international regulations. With our open-source data platform, we were able to help Revenir balance these needs while also giving them access to a collaborative community that was continually seeking and developing innovative solutions to these challenges.

An open source, multi-cloud data platform also contends with other challenges of our modern, data-heavy world with smart solutions that directly alleviate pain points. This includes cross cloud deployments – mentioned above, cross-cluster migration and replication, and the ability to leverage open source.

In summary, when selecting your technology partner, ensure that they can:

• Provide automatic updates to ensure your software remains up-to-date
• Offer non-vendor specific technologies so you can use what makes the most sense to your organisation
• Ensure data management is simplified, adheres to sovereignty laws, and is secure
• Provide around-the-clock support that isn’t region-specific
• Reduce downtime through integration of services
• Deliver flexibility of data storage to maintain compliance

The devil is in the details. Closing the gap to achieving CPS230 compliancy

While the clock is ticking, ensuring your company is ready for 1 July 2025 when CPS230 comes into effect doesn’t have to be daunting or create more pressure for over stretched employees.

Outsourcing is definitely part of the solution, but remember you need to be ruthless in terms of prioritisation. There needs to be a clear roadmap, so you know where their gaps are and then drive to close those gaps. This is especially challenging for smaller organisations that may not have the security teams or the knowledge in house. However, it’s ultimately up to each organisation to manage their security and compliance risks. Even when outsourcing, you need to ensure that the service provider is doing their job properly. Outsourcing can help, but it’s not the complete solution.

Companies need to remain vigilant and proactive in managing their security. Now is the time to take action while also ensuring you have the right technology partner, who understands CPS230, for the journey ahead.