Financial institutions (FIs) are finding themselves navigating an increasingly fragmented landscape of data protection regimes, not only in relation to their home jurisdictions vis-à-vis other markets but also between other markets they operate within across Asia – a region that is especially prone to market fragmentation at the best of times given its significant diversity.
The result is a ‘transnational data governance problem’, referring to the fragmentation of international data flows and related governance frameworks due to evolving divergences between major economies, heightened by technological and geopolitical competition.
With the rise in such divergent approaches, an uncertain and constantly shifting regulatory climate is affecting FIs operating across borders in the interconnected global digital economy, throwing a spanner not only into their external market activities, but also into their inner operations and processes, ranging from customer data and risk management to regulatory compliance.
Stuck in the crossfire: increased regulatory burden for the financial sector
Data flows across firms and between intra-group branches are a fundamental building block for the capital markets, where banks responsibly collect, use, process, transfer, dispose of and share financial data, including personal data, in the ordinary course of business. Financial regulation dictates this be done in a safe and responsible manner. The ability to share data between operations is essential to the efficiency, security, and resilience of these organisations, in addition to know your customer (KYC)/anti-money laundering (AML) compliance, monitoring for counter-terrorism financing and fraudulent transactions. Over many years, modern FIs have become accustomed to managing these critical uses of data sensitively and securely, in line with tightly defined financial regulation and international requirements aimed at the protection of clients, and more importantly, in maintaining the integrity and stability of the broader financial system.
Financial regulators ensure that financial services institutions and markets are efficient, stable, secure and serve the best interests of both users of the financial system and the broader economy. Yet, we see some policymaking working in the opposite direction – restricting data flows, decoupling standards from international norms, and introducing regulatory fragmentation that hinders investment flows, operational efficiency, and the financial system’s integrity more broadly. This fragmented approach between regulators and policymakers within the same jurisdictions has been a growing concern of the financial industry for a number of years, and continues to be a high priority for the Asia Securities Industry and Financial Markets Association (ASIFMA) and its members.
The financial services industry, already subject to stringent rules on information security, is increasingly being caught in the crossfire between policymakers and concerns with other sectors, often emerging, which are not subject to the high standards on client data and privacy with which banks must already comply. In some jurisdictions, such as India, policy targeting e-commerce and social media is grouping all industries together, resulting in perverse outcomes from a financial system perspective. This not only adds to the regulatory burden on globally operating FIs, but also discourages the entry and continued operation of foreign FIs within jurisdictions that take such a broad-brush approach, particularly where these requirements disaggregate their ability to call on internal global expertise and centralised infrastructure, risk and control functions. It also confuses those using onshore data partners, sometimes the intended beneficiary of policymaking to keep data within borders.
To mitigate such coordination problems, a lead financial regulator is best placed to coordinate with national privacy authorities (as well as among other financial regulators if there are multiple) to ensure consistency and legal certainty, and reduce the likelihood of regulatory arbitrage. The lead coordinating agency can also ensure regulations applicable to the financial sector prevail over conflicting data requirements. Further, with a better understanding of existing regulations with which FIs must already comply, a lead financial regulator can minimise duplication and inconsistency between data and financial stability requirements.
Is data really the new oil?
Increasingly nationalised approaches to data, privacy, cybersecurity, and technology continue to inform regulation in some APAC jurisdictions, at a time when capital markets and FIs need to operate in an increasingly interconnected global economy. Against such a backdrop, we see an interplay between geopolitics, law, and national economic agendas tying national security agendas with data protection, and calls to ringfence data flowing across a country’s borders. From an economic development perspective, we also hear governments and policymakers calling for treatment of data as the ‘new oil’.
While compelling in consumer marketing, the ‘data-as-oil’ analogy is, at its core, erroneous and problematic for policymaking. The finite nature of oil, in contrast to the inexhaustible replicative capacity of ‘data’, renders this metaphor ill-suited from the get-go. In fact, treating data like a one-off consumable – stockpiled behind national borders – reduces its usefulness and value which, frankly, relies more on how it is used, moved around, reconfigured, and combined to innovate new uses and efficiencies in an increasingly interconnected world that runs on data flows, not data stores.
Plurilateral approach to resolving cross-border data challenges
In contrast to approaches taken elsewhere, we can observe positive developments taking place in some APAC jurisdictions such as Singapore, Japan, and Australia. The US-Japan Digital Trade Agreement of October 2019 ensured that data can be transferred across borders, by all suppliers, including financial service suppliers. Singapore’s joint statement with the US, and agreements with the UK and Australia on financial services data connectivity, are also forward thinking, allowing financial services firms to transfer data across borders while opposing data localisation requirements, provided that financial supervisors can access required information on request. This represents thoughtful inter-governmental collaboration geared to the current operation model of modern financial systems.
Although not a silver bullet, a plurilateral framework – coalitions of jurisdictions based on sector-specific areas created with the intent of having more consistent legal and regulatory treatment for sector-specific matters – may be a way forward. A plurilateral framework recognises and legitimises the existence of multiple data governance regimes, yet acknowledges common principles for managing and supervising secure cross-border data flows critical for the financial system. Such a framework could help minimise fragmentation, support cross-border flows of data and international economic trade, and increasingly become an enabler of emerging areas of finance, such as green and transition finance. Notwithstanding, it is also critical that conventional trade agreements not exclude financial services, given the important role capital markets play in fostering economic development and integration.
There also needs to be stronger global coordination on standards and approaches, in line with international developments. As a general principle, international standards with respect to cross-border data transfers should be taken into account when designing cross-border data controls to facilitate the secure flow of data. Existing international fora provide a solid starting ground for alignment and coordination on data-driven policies and oversight for financial services, while not limiting further collaboration. Global standard setting bodies, such as FSB and IOSCO, have released statements supporting cross-border data flows, and have launched exercises to further understand how existing national and regional data frameworks interact with and affect cross-border data flows.
Other notable international efforts include the Osaka Declaration on Digital Economy, which seeks to standardise rules in global data flows, with better protection for personal information, intellectual property and cybersecurity; international best practices such as BCBS 239 and ISO/IEC 27701 (2019) which could also pave the path forward to harmonising and strengthening data standards; and the Financial Services Sector Coordinating Council’s standardised Cybersecurity Profile which offers a common approach to cybersecurity and assessment.
Meanwhile in Asia, APEC’s Privacy Framework provides a set of principles and implementation guidelines to establish efficient privacy protections that mitigate barriers to information flows in Asia Pacific under the Cross-Border Privacy Rules System (CBPR), and most recently, ASEAN released a set of Contractual Clauses for Cross Border Data Flows.
Lessons learned
Free flow of data is key in the creation of competitive digital economies, ensuring a more secure financial system, effective risk management, and the facilitation of global participation in innovation and entrepreneurship. To achieve efficiencies while catering for the needs of society and commerce, modern FIs deploy state-of-the-art processes to consolidate their infrastructure globally and achieve operational scale and resilience, while maintaining secure and robust protocols and systems to meet the stringent needs of financial regulators.
Rulemaking on a cross-sectoral basis, however, can undermine such arrangements – often requiring discrete technological builds in specific jurisdictions, segregating local systems from global hubs – which is a long way back from how the modern global financial system has evolved. This creates significant, often counterproductive, friction in financial markets and exposes market participants and end users to increased cybersecurity risk by creating additional interfaces, and therefore vulnerabilities in the system.
At the same time, regulators rightfully want FIs to think more strategically and holistically about operational resilience, particularly in light of lessons from Covid-19. Ironically, it was often cross-border systems and data connectivity that enabled key staff within many FIs to work from home (and abroad in some cases) throughout the pandemic so far, which, in large part, helped keep markets open and properly functioning, ultimately preserving the stability of the financial system throughout the last two years.