Data audits are a point of contention for businesses and auditors alike. Financial institutions believe they can harm businesses, while auditors believe that they expose significant risks. We look into how they can work together effectively to achieve compliance.
It is believed that audits, and the seemingly increased frequency of them, are crippling the ability to do business, creating reputational risk, and causing confusion in the marketplace amongst Investment Firms. Many will go as far as saying that audits are nothing short of a new revenue-generating weapon that Data Providers use to prop up weak product sales. However, looking at the reality of data, both in terms of global access and technology enabling redistribution, how audits are being used is less significant than what they expose.
Whether a consumer firm believes that audits are more frequent or more aggressive is a moot point. If the exposure exists, why wouldn’t a Data Provider exploit it? If a firm is prepared to enter into an agreement to follow the rules, with up to 150 Exchanges, Brokers, and other 3rd Party Data Vendors globally, then how should non-compliance be treated where controls/reporting are an after-thought? If a Data Provider is in a deteriorating net new sales environment, while a client has knowingly “under-reported” usage, one would expect a “right-sizing” exercise to occur. The point is that the grey area that has always existed between Investment Firms and Data Providers relating to rules, short-cuts, and margins has become too big. “How big?” in the context of what is reasonable for the relationship can be debated ad-infinitum. “How big?” in the context of an audit finding (where gaps and costs are quantified) puts Investment Firms in a weak position to defend themselves.
Strong governance becomes a critical theme for these firms to minimize their exposure. The number of people, processes, and technologies that touch data within an organization is remarkable. Therefore, understanding how they interact with, enable, store, and consume data (all elements of the Agreements firms readily sign) is paramount.
The question firms need to be asking is: how are we mitigating the inherent operational and compliance risks of our distributed third party-data enterprise environments where:
The fact of the matter is that chasing a global playground of trading and investment opportunities leads to more relationships, across more time zones, having more jurisdictions to understand. Individually, understanding the rules and the requirements are reasonably clear. Collectively, building and managing a system that satisfies the rules for all is a tall order. So, as it goes, more data feeds mean more rules to understand. More users having different usage requirements means more complex entitlement systems and more flexibility expected by people to pay for what they consume. Usage of real-time, delayed, and snapshot data requires more sophisticated tracking and reporting to exchange providers. Worth noting is that the restrictive terms and conditions that are accepted in Agreements have continuously increased over the last decade, and this is expected to increase.
The rules, their interpretation, and their complexities are overwhelming. Added to this are pressures to rapidly deliver solutions to business users (“the Agreement was signed two days ago!”), and technology groups will inevitably make the following judgment mistakes:
a) Defer implementation of restrictive controls and reporting obligations,
b) Assume data is “available, therefore I can use it for free”.
These “shortcuts” are challenging for all firms, as they represent where “unintentional” violations regularly occur. In a rush to build and gain a competitive technology advantage, technologists are rarely aware of the threat that compliance-breach mistakes could pose. It is common for these issues to go undetected for lengthy periods of time, which reinforces the misconception that they are providing compliant Data Redistribution solutions.
A common misconception amongst firms is that they have purchased the data and the associated rights to use and distribute it without restriction. Instead of the word “Buy”, a better analogy would be “Lease”. When a product is leased, ownership remains with the Data Source. The subscriber can use the product as long as it is paid for and used according to the terms of the contractual agreement.
There is little doubt that Data Providers stand to gain from exposing the weak controls that persist. Controls that Investment Firms have been reluctant to establish (it’s expensive), and too casual in managing (relying on the “value of the relationship”), are the result of two significant miscalculations:
To be clear, we are not arguing that the financial services firms had it coming (or that Vendors are completely justified in beefing up their audit staff), we simply think both acted rationally in the context of the current environment. The pendulum has swung too far into a contentious state (audits and legal definitions to guide relationships), forcing firms to take a harder look at their environments and eliminate any “grey” by getting proper controls in place.
Many firms have made great strides in the last few years to get their business in order. Unfortunately, it’s often after they have exhausted enormous effort to respond to an unfavorable audit when millions of dollars in rulings are at stake (remember, audits can be applied retroactively and against the entire firm). So how could Financial Services firms miss this gap, especially in an overbearing regulatory environment? Is it complacency that requires firms to be pushed to that limit before acting? Is it outright disregard for the rules? We believe it’s neither, but rather a simple result of not being able to quantify and qualify the operational risk. They do not have the governance and processes to harmonize the People, Processes, and Technology that are so integral in measuring their exposure.
In an obscure and unwelcome way, Data Providers resolve the gap between the realities of a firm’s environment and the Agreements they accepted. Their approach is harsh, but they need to draw attention to the scale of the gap, which they will all politely point out is “the data client’s responsibility to undertake the necessary effort to mitigate breach of their contracts”. Debating anything else might get a reduced settlement, but it all comes back to the consumer fulfilling their obligation. No small task, but better to manage it on your own terms than in response to a lengthy, disruptive, and costly corrective exercise that often overshoots the reasonable controls you could have originally made.
An integral governance system is required to understand who the consumers are, what users require, how they access it, and from where it is sourced (to tie it all back into contractual commitments for reporting). Absent a credible system, a Data Provider can argue that the reporting is unreliable and controls insufficient – making all users on a network liable.
Sia Partners works with financial services firms to qualify and quantify the operational risk inherent in a distributed market data system. By studying your current environment against best practices required to sustain strong governance, we help firms realize the benefits of a suitable system of people, processes, and technology relative to their risk. The fundamental aspects of that system include:
Regardless of the reasons why audits have become so difficult, the onus is on the consumer firm to mitigate the risks of non-compliance for their distribution networks. It is in their best interest to have a firm grasp on how market data moves through the system, not just to manage costs, but to avoid the reputational risk of a large, unfavorable audit review. The “grey” exists. It’s a matter of understanding how big it is, and how relevant it is to the Data Provider with whom your relationship will be challenged.