Financial services organizations capture and retain vast amounts of digital data. The proliferation of electronic records over the past several years has created opportunities and potential benefits for compliance departments, facilitating more accurate and timely reviews of records and making it easier to identify potential issues. However, the flow of data in our increasingly global business environment also comes with challenges related to disparate privacy and cyber security regulations across international borders.
A recent Institute of International Finance (IIF) paper explored the potential risks of data localization for financial services organizations and proposed alternatives to the regulatory regimes in place today around the world. This blog post provides a high-level overview of the challenges and considerations facing today’s compliance professionals.
Understanding Data Localization
“Data localization” refers to the requirement that data be physically stored inside the borders of the country where it was created. Some countries’ laws embrace data localization, restricting the flow of data across borders in an attempt to secure information. In theory, keeping customers’ data inside their own country’s borders limits the cyber security and even national security risks associated with foreign access to that data; in practice, localization controls where data sits, not who can reach it, so it does not by itself reduce breach risk.
Data localization can also be burdensome for financial services firms around the world. For companies that operate in multiple jurisdictions, the firm’s IT infrastructure and compliance program must both understand the requirements in each locality and be prepared to comply with them. Restrictions can unduly hamper a firm’s ability to use certain service providers for data storage or processing. The EU’s GDPR is a prominent example: it is not a localization mandate as such, but its restrictions on transferring personal data outside the EU (absent an adequacy decision or other approved safeguards) made it a major focus for businesses worldwide, since it applies to any organization that processes the personal data of individuals in the EU, wherever that organization is located.
Types of Data Localization Restrictions and Risks
There are three main categories of data localization restrictions, as outlined in the IIF’s paper:
- Local-only storage, transmission, and processing requirements restrict firms to service providers located inside the country itself;
- Local data copy requirements may allow financial services firms to store, transmit, and/or process electronic data using providers outside the country’s borders, but mandate that firms also maintain copies of the data locally; and
- Conditional restrictions place specific requirements on firms and on the destination/recipient countries where data will be accessed, stored, or processed.
While data localization restrictions target customers’ and companies’ nonpublic information, they may also restrict companies from sharing information about cyber attacks or other potential information security breaches, for example sending incident details or indicators of compromise to a group-level security operations team or threat-intelligence partner located abroad.
Another risk for compliance professionals is that data localization laws could restrict their ability to monitor activity in a country with restrictions, or to obtain information necessary to fully investigate potential compliance rule violations.
Facilitating Data Flow for Financial Services Firms
International cooperation is key in ensuring firms’ compliance departments have access to the data they need to conduct surveillance and oversight. Trade agreements between countries are an important step in achieving the cooperation needed. In its paper, the IIF proposes financial services regulators also enter into agreements to share appropriate data for regulatory purposes.
Financial services executives, compliance officers, and IT departments must be cognizant of the challenges their firms face today. Those challenges depend largely on where the firm conducts business and where its clients and prospects reside. Choosing RegTech partners who understand data localization and its challenges can help ensure firms operate within the rules.
While data localization may not be top of mind for many compliance professionals today, it’s a topic that is likely to continue to garner attention as companies and nations grapple with protecting information without stifling business growth, while meeting regulatory demands.