This is the third post in a three-part series.
Experian® is not a doctor. We don’t even play one on TV. However, because of our unique business model and experience with a large number of data providers, we do know data governance. It is a part of our corporate DNA.
Our experiences across our many client relationships give us unique insight into client needs and appropriate best practices. Note the qualifier — appropriate. Just as every patient is different in his or her genetic predispositions and lifestyle influences, every institution is somewhat unique and does not have a similar business model or history. Nor does every institution have the same issues with data governance. Some institutions have stable growth in a defined footprint and a history of conservative audit procedures. Others have grown quickly through aggressive acquisition marketing plans and unique channels and via institution acquisition/merger, leading to multiple receivable systems and data acquisition and retention platforms. Experian has provided valuable services to both environments many times throughout the years.
As the regulatory landscape has evolved, lenders/service providers demand a higher level of hands-on experience and regulatory-facing credibility. Most recently, lenders have required assistance on the issues driven by mandates coming from the Comprehensive Capital Analysis and Review (CCAR), Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) bulletins and guidelines.
Lenders are best served by beginning their internal review of their data governance controls with a detailed individual attribute audit and documentation of findings. We have seen these reviews cover anywhere from fewer than 200 attributes to more than 1,000 attributes. Again, the lender/provider size, analytic sophistication and legacy growth and IT issues will influence this scope. The source and definition of the attribute and any calculation routines should be fully documented. The life cycle stage of attribute acquisition and usage also is identified, and the fair lending implication regarding the use of the attribute across the life cycle needs to be considered and documented.
As part of this comprehensive documentation, variances in intended definition and subsequent design and deployment are to be identified and corrective action guidance must be considered and documented for follow-up.
Simultaneously, an assessment of the current risk governance policies, processes and documentation typically is undertaken. A third party frequently is leveraged in this review to ensure an objective perspective is maintained. This initiative usually is a series of exploratory reviews and a process and procedures assessment with the appropriate management team, risk teams, attribute design and development personnel, and finally business and end-user teams, as necessary. From these interviews and the review of available attribute-level documentation, documents depicting findings and best practices gap analysis are produced to clarify the findings and provide a hierarchy of need to guide the organization’s next steps:
A more recent evolution in this data integrity ecosystem is the implication of leveraging a third party to house and manipulate data within client specifications.
When data is collected or processed in “the cloud,” consistent data definitions are needed to maintain data integrity and to limit operational costs related to data cleansing and cloud resource consumption. Maintaining the quality of customer personal data is a critical compliance and privacy principle. Another challenge is that of maintaining cloud-stored data in synchronization with on-premises copies of the same data. Delegation to a third party does not discharge the organization from managing risk and compliance or from having to prove compliance to the appropriate authorities.
In summary, a lender/service provider must ensure it has developed a rigorous data governance ecosystem for all internal and external processes supporting data acquisition, retention, manipulation and utilization:
A secure infrastructure includes both physical and system-level access and control. Systemic audit and reporting are a must for basic compliance standards.
If data becomes corrupted, alternative storage, backup or other mechanisms should be available to protect the information. Comprehensive documentation must be developed to reveal the event, the causes and the corrective actions.
Data persistence may have multiple meanings. It is imperative that the institution documents the data definition. Changes to the data must be documented and frequently will lead to the creation of a new data attribute meeting the newer definition to ensure that usage in models and analytics is communicated clearly. Issues of data persistence also include making backups and maintaining multiple archive copies.
Periodic audits must validate that data and usage conform to relevant laws, regulations, standards and industry best practices. Full audit details, files used and reports generated must be maintained for inspection.
Periodic reporting of audit results up to the board level is recommended.
Documentation of action plans and follow-up results is necessary to disclose implementation of adequate controls.
In the event of lost or stolen data, appropriate response plans and escalation paths should be in place for critical incidents.
Throughout this blog series, we have discussed the issues of risk and benefits from an institution’s data governance ecosystem. The external demands show no sign of abating. The regulators are not looking for areas to reduce their oversight. The institutional benefits of an effective data governance program are significant. Discover how a proven partner with rich experience in data governance, such as Experian, can provide the support your company needs to ensure a rigorous data governance ecosystem. Do more than comply. Succeed with an effective data governance program.