In January 2020, the Federal Government released plans to extend the Banking Executive Accountability Regime (BEAR) to other APRA regulated entities. The extended regulatory regime is called the Financial Accountability Regime (FAR) and will apply to insurance firms and registered superannuation entities (RSE) in addition to banks. Assessing internal information governance is an integral part of preparing for the impending Financial Accountability Regime.
Information Governance – Getting Your Data House in Order
If you are an insurance company or an RSE now is the time to prepare your organisation for the commencement of the FAR.
Organisations will need to be able to demonstrate they have taken proactive steps towards compliance, in order to meet the threshold of ‘reasonable steps.’
Reviewing your existing information governance framework is fundamental to making your organisation’s data compliant with the incoming regulatory obligations.
Some essential steps to ensure the successful review, analysis, and evolution of your information governance framework include:
1) Multi-functional representation
The obligations under the FAR will extend across multiple functions within your organisation. In the example cited by Treasury, ‘accountable persons’ in an insurance company may come from departments including:
- claims management
- internal and external dispute resolution
- breach reporting
- customer remediation
- setting staff and partner incentives
The information governance review must have stakeholder representation from across all functions, not just legal or IT.
2) Understand your data
It is important to understand your existing data and how it is created. This may involve a data audit or a data map of your organisation’s data, covering the following questions:
- Who is the custodian of the data (IT, Legal, HR, Customer Service etc.)?
- Where is the data stored? In a physical location, outsourced vendor, cloud, archival warehouse?
- When was this data created? Is this data still relevant? Does the data still exist?
- What is the format of the data (Word, Excel, PDF, paper, backup tapes, data archives)? What systems generate the data (CRMs, messenger services, transactional systems, legacy systems)?
- Why is this data necessary? What is the operational value?
3) Identify the regulatory requirements
Your data management strategy and information governance framework will be driven by the new obligations created under the FAR.
What are the regulatory obligations related to this data or the information it records? Does the data have a regulated retention/destruction period?
The Banking Royal Commission had a significant focus on non-financial risks. The regulators will use the extension of regulatory oversight to enhance consumer protections.
Are you currently monitoring internal and external communications for indications of misconduct?
Could you quickly and efficiently provide the regulators all the data related to sales, complaints, or claims in response to a regulatory notice?
4) Indexing and a centralised repository
Disparate and unstructured data held across multiple software platforms is difficult to navigate and review.
Compliance under the FAR will require organisations to demonstrate that they understand exactly what data they have, where it is stored, and can produce it quickly.
Collecting, processing, and indexing data can provide you with the foundations of a searchable database built on key metadata such as custodian, date of creation, and document categorisation.
Indexed data stored in a central repository is easily searched, analysed and produced to internal audit teams, your lawyers, and the regulators.
5) Prioritise areas at risk
During the process of data mapping and identifying regulatory requirements, priority areas should become clear.
In what areas is your organisation most at risk of a potential breach of compliance?
For example, if your audit reveals decentralised communications data across multiple customer-facing departments, prioritise a centralised repository to collect, analyse, and understand those communications.
If you are holding large volumes of archived data that are never accessed, develop and implement a defensible deletion policy.
6) Team training
In order to remain compliant with the new obligations under the FAR, you will need more than policies, software, and databases. Ongoing compliance will involve the ‘buy-in’ of your team.
The employees in your organisation need to clearly understand what is required of them and why.
Your team will require not just onboarding to new systems, processes, and procedures but also regular training to remain compliant.
7) Continual monitoring
Once you have your data house in order, you should:
- Understand your existing data
- Identify the channels and custodians that create new data
- Understand the regulatory requirements
- Store your documents in a searchable central repository
- Identify key data at risk of regulatory breach
- Have internal stakeholder and team buy-in
With your house in order, it is time to define methods to continually monitor your compliance.
For example, if all internal and external communication data is regularly collected, organised, and analysed, the risk of misconduct and other non-financial risks will dramatically reduce.
Your organisation is well placed to move from reactive to proactive compliance and demonstrate that accountable persons have taken all the ‘reasonable steps’ necessary to remain compliant.
8) Measure results
Define metrics and organisational goals related to your updated information governance framework and compliance.
Ensuring compliance with the new regulatory obligations created by the FAR may be the primary driver for improving your data management, but there are several other benefits:
- Enhanced data security
- Securing sensitive, confidential or personal information
- Reducing data volumes, technology, and administrative costs
- Increased team productivity
- Mitigating the risk of litigation
Defining metrics and benchmarks for these goals will enable you to measure the success of the implementation of your updated information governance framework.
You can gain insight into key performance indicators such as:
- Reduced overheads related to compliance and governance
- Lower data volumes and IT storage costs
- Fewer irrelevant documents collected in response to a regulatory notice
- Decreased incidence of potential data breaches
For more help
icourts offers tailored consulting on information governance to get your organisation’s data prepared for all existing and impending regulatory requirements.
Our team of analysts can be deployed on a one-off project basis or as part of an ongoing managed service. We help our clients prepare data to respond to a Notice to Produce. We also work embedded in our clients’ compliance teams providing specialist technical support.
We provide the full spectrum of regulatory and compliance technology including:
- Forensic data collection
- Data mapping, processing, and indexing
- Data storage in a central document repository
- Data hosting in a searchable database which can be accessed by your team as required
- Continuous monitoring of communications using machine learning and data analytics
- Cognitive AI platforms to proactively monitor in ‘real-time’ on live data
icourts can assist at every stage of your compliance programme, from collecting your data to responding to a Notice to Produce from the regulators, and assisting compliance teams to identify and manage potential risks before they become breaches.
For more information, contact us today.