
NAVIGATING THE COMPLEXITIES OF DATA SOVEREIGNTY IN THE FINANCIAL SERVICES INDUSTRY

Data laws and regulations vary globally, making it challenging for businesses to balance data governance with their strategic objectives. The United Nations Conference on Trade and Development (UNCTAD) reports that over 70% of countries have legislation in place for protecting data and privacy, and the acronyms for these data privacy laws are becoming more and more recognisable. In most cases, firms also have the responsibility to comply with the local data and privacy laws of the jurisdictions where their customers are located, increasing the pressure on these organisations.

In addition to data sovereignty and residency laws, financial services organisations must also comply with other relevant regulations and security standards. These laws reinforce the need for such firms to have robust support in meeting the various governance obligations for data storage, transfer and security, whether it is across multiple data centres, in the cloud or a combination of both.


Data Sovereignty Challenges In Business Communication

As for the cloud, it is the basis for many advances in the financial sector. Cloud-based tools, such as Microsoft 365, help organisations around the world to collaborate and communicate in real time, which facilitates innovation and improves efficiency. However, the increasing use of these services has led to a strong reliance on third-party service providers, which generates additional issues when it comes to data sovereignty laws. Financial institutions do not have direct control over how their data is being handled by these third-party providers and may experience unexpected compliance breaches as a result.

This is perfectly illustrated by US Federal law, which requires businesses to maintain detailed records of their electronic messages, and therefore to have complete visibility and control over these communications. JP Morgan learned a compliance lesson the hard way when it was fined $200m (£164m) by the US Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) for allowing employees to use unauthorised business communication applications, circumventing Federal record-keeping laws. Similarly, last week Morgan Stanley penalised some of its employees with hefty fines that ranged from a few thousand dollars to more than $1m (£820,000). The cause, according to the Financial Times, was the misuse of digital messaging platforms like WhatsApp for exchanging sensitive information.

According to the General Data Protection Regulation (GDPR) Fines and Data Breach Survey published in early January by DLA Piper, European data regulators issued a record €2.92bn (£2bn) in fines over the course of the previous year, a striking 168% increase compared with the 2021 figures. This is a dangerous trend that could have a big impact on the financial performance of companies that refrain from taking decisive action. Legislation like the Digital Operational Resilience Act (DORA), adopted by the European Council in November 2022, is aimed at tackling the possible implications of this issue. The Act focuses on strengthening the IT security of financial organisations, such as banks, investment companies and insurance firms, ensuring resilience even in cases of severe operational disruptions caused by cyber attacks. DORA was designed specifically for third parties providing information and communication technology (ICT) and other similar services to entities in the financial sector, to make sure they can effectively respond to and recover from ICT-related risks and disruptions.

WHAT CAN BE DONE TO ADDRESS THESE ISSUES?

The various international data privacy and residency regulations, and the differences between them, certainly pose serious security and data management difficulties, multiplying the risk of severe penalties and reputational damage. To address the current challenges, the financial services industry must approach data sovereignty policies in a proactive manner. This includes implementing robust security measures to protect against data breaches and carefully addressing the risks associated with cross-border data transfer. By using data localisation, or in other words, storing and processing data within the geographic jurisdiction of its origin, organisations can ensure compliance and prevent data access by foreign law enforcement agencies.

A notable example of the latter is the 2013 legal dispute between Microsoft and the US Department of Justice (DoJ). The DoJ requested that Microsoft provide access to emails related to a narcotics case from an account hosted in Ireland. Microsoft refused, arguing that doing so would violate EU data localisation and protection laws. The initial ruling favoured the US Government, stating that American companies must comply with valid search warrants from US law enforcement agencies. In 2016 Microsoft appealed, and the court ruled in the company’s favour, supporting the idea that US search warrants do not extend to data stored abroad, although they remain valid for data stored in the US.

Along with data localisation, it is important to ensure continuous improvement and evolution of data governance frameworks. This involves establishing clear internal policies and leveraging encryption, as well as frameworks like zero trust, to protect information from unauthorised access, corruption or theft throughout its entire lifecycle. It also includes regular audits and reviews to ensure that the policies and procedures in place are being enforced efficiently and embraced by all stakeholders.

Data sovereignty is a critical issue not only for policymakers around the world but also for executives and Boards of Directors across various industries and regions. With the increasing globalisation of the financial services industry, information is crossing borders faster than ever before, making it challenging for organisations to ensure compliance and security at all times. Given the risk of reputational and financial damage in the case of non-compliance, companies must take a proactive approach to data sovereignty by adopting data localisation strategies, strengthening data governance and security frameworks, and working collaboratively to address global challenges. After all, it’s much more effective to view compliance and risk management as an incentive for much-needed security improvements, rather than just as an impediment.
