The Australian Prudential Regulation Authority (APRA) has identified deficiencies in how banks handle the data they possess and has put forth six recommendations to enhance data practices.
The recommendations stem from a multi-year pilot study initiated in 2019, involving selected banks in the 100 Critical Risk Data Elements (CRDE) Pilot. This initiative focused on 100 key data elements, including customer names, account numbers, and interest rates. Subsequent rounds of data risk prudential reviews were conducted to assess the implementation of data risk management frameworks by each bank.
APRA’s recent findings, released earlier this week, acknowledge some improvements in data practices due in part to APRA’s supervision focus. However, progress remains slow, and a significant gap persists between current and optimal practices in data risk management.
Despite ongoing efforts such as Prudential Practice Guides and prudential standards focusing on data risk, recent cyber events have underscored the importance of data storage, deletion, and security. APRA emphasizes the need for a thorough understanding of the data environment and data quality.
APRA’s recommendations for banks include:
- Establishing data governance with a unified data strategy.
- Clarifying roles and responsibilities for ownership of critical data elements and processes across the data lifecycle.
- Simplifying the technology and data architecture environment by improving platform solutions and decommissioning legacy assets.
- Identifying critical data elements and creating a consistent set of data controls.
- Establishing mechanisms to monitor data quality and promptly remediate errors based on business requirements.
- Integrating data management risk into risk management frameworks.
While APRA acknowledges improved data frameworks among participants since the pilot’s inception, it highlights the need for ongoing efforts to effectively embed data frameworks. APRA emphasizes that entities should focus on identifying critical data elements, remediating data issues, enhancing technology platforms, simplifying legacy architecture, and making data more accessible to effectively manage data risk. It encourages streamlining processes, increasing automation of controls, and improving data quality to meet the growing demand for data from customers, clients, and regulators.
APRA also mentions extending similar questionnaires to specific life insurers and superannuation companies in 2022 to better understand their risk practices following concerns about incorrect regulatory submissions.
