Third Party Risk Management

Blinders Have No Place in TPRM

Implementing regulatory guidance is not a task that should (or even can) be taken lightly. The enormous volume generally demands a team of subject matter experts to wade through the content, put it into context, and create a plan that will move the organization forward. However, the next steps tend to be the hardest ones: maneuvering through the organizational status quo to ensure a cultural mindset that embraces the regulatory releases, updates, revisions, rescissions, and differing interpretations of the guidance itself.

The EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) are examples of how the approach to handling client data is being transformed. Formality, an environment of forced compliance, penalties, and civil actions are associated with privacy laws and consumer protections. Some organizations may be overwhelmed. Others are confident in their ability to meet the requirements. Common sense, transparent business practices, and understanding the flow of client data can drive that confidence.

A financial institution must fully understand the who, what, when, where, why, and how of its data sharing, and then “follow the data” to the end. But it does not stop there. In the current environment, data flows are constantly open to change. Outsourcing partners will themselves outsource to subservice providers, and those subservice handshakes may continue well beyond a 4th, 5th, or even 6th party service provider. Determining whether further analysis is required for each subservice organization, and performing the appropriate level of ongoing monitoring, are vital to controlling risk exposure and meeting regulatory obligations.

Management and Boards cannot afford to develop blind spots or only have partial awareness of data sharing practices. Outsourcing data flows must be an integral component of the third party risk management (TPRM) program. As new privacy laws and protections continue to evolve, and as organizations implement the requirements, knowing how far client data is shared beyond the organization will define the scope of risk exposure. Keeping that knowledge fresh and accessible will enable effective oversight and risk mitigation efforts.

Blinders can be useful tools — for horses. And apparently, they have even been introduced for humans in some open office plan environments. But they have no place in TPRM. Identifying, understanding, monitoring, and managing your data demands full vision from all directions and the ability to see beyond what is directly front and center. Fortrex can help your organization do just that. Contact us for more information on our Subservice Organization services.