Conflicting Data Requirements: Privacy vs Gatca

There has long been a realisation that the location of data and its storage has a cost and performance implication. But the location of data, particularly data deemed private and confidential, can also be constrained by its legal jurisdiction. Most international organisations are accustomed to managing the legal and regulatory requirements of both their jurisdiction of […]

Dave Levy

Our Blog

Our open views and news relating to financial services technology.

Conflicting Data Requirements: Privacy versus Gatca

October 16, 2014

There has long been a realisation that the location of data and its storage has a cost and performance implication. But the location of data, particularly data deemed private and confidential, can also be constrained by its legal jurisdiction. Most international organisations are accustomed to managing the legal and regulatory requirements of both their jurisdiction of incorporation and their jurisdictions of operation. The challenge in doing so is that those requirements can often conflict.

Within the financial services industry, one of the most obvious conflicts is over offshore banking, where local banking secrecy and data privacy laws conflict with other jurisdictions’ requirements for tax or regulatory reporting transparency. However, there are significant developments underway looking to drive supranational harmonisation in both conflicting forces (privacy and transparency).

In the transparency corner is a heavyweight international agreement dubbed ‘Gatca’, with reference to it being a ‘Global’ equivalent of the US Financial Accounting Tax Compliance Act (FATCA). Gatca is making significant progress, and according to the OECD, which is charged with driving forward necessary technical and implementation standards, already has 65 jurisdictions [1] committed to its implementation (including many traditional offshore tax havens). The OECD has already finalised a standard for the automatic exchange of financial information and plans for early adopters to be live in 2017.

In the privacy corner is the new European Data Protection Regulation, which is looking to drive harmonisation of data privacy rules across Europe. The regulation, expected to be finalised before the end of the year, is set to include a number of reforms designed both to strengthen individuals’ rights while also cutting red tape for firms (allowing them to harmonise data protection practices and deal with a single national data protection authority when operating across Europe). Interestingly, the reforms also include a new directive that clarifies data protection rules as they apply to domestic and cross-border data transfer in support of judicial and criminal matters—potentially reducing the conflict with Gatca.

Neither of these initiatives are close to being implemented, and there is still potential for legislative challenges to their authority. However, should they proceed as planned, they could have significant implications for financial institutions (and their IT architectures)—particularly when seen in conjunction with the underlying technology trend for increased uptake of cloud services.

In essence, they underline the fact that compliance strategies (and corresponding financial IT architectures to meet those strategies) need both a privacy and transparency dimension.

From a privacy perspective, factors to consider include:

  • Whether contracts with cloud and co-lo providers offer location guarantees.
  • Encryption and networking security capabilities to ensure data on the wire is adequately protected.
  • Encryption key custody agreements, which can serve as a potential threat to confidentiality if the service provider has a master key or can build trapdoors.
  • Access layers and firewalls to defend against attacks and unauthorised access.
  • Password and credential custody.
  • Disk encryption, particularly when using Software-as-a-Service or application hosting solutions, at which point the same wire encryption technology and key custody issues need to be solved.
  • Storage media and protection for application logs, particularly if transactional stores require protection with encryption.
  • New KYC and CRM requirements that may demand consent and/or personal privacy agreements with clients to be collected and recorded, combined with a duty of accuracy and appropriate retention policies on data controllers. These systems need to be more interactive and agile than previously.

From a transparency perspective, factors to consider include:

  • New requirements for KYC and CRM, placing further demands on the quality and accuracy of client reference data.
  • A growing raft of regulatory reporting obligations across jurisdictions (such as Dodd Frank, EMIR, MiFID II etc.), necessitating near real-time reporting capabilities across a range of asset classes.
  • The need to aggregate data from multiple sources, transform that data into appropriate reporting formats and deliver it via relevant protocols and/or APIs.

Although the forces of privacy and transparency would seem to be diametrically opposed, efforts at harmonising regulations across borders may help to dampen the conflict. Ultimately, the need to secure private data from unauthorised access, while also providing data securely in response to legitimate requests from authorities, are two fundamental requirements that are not going away.

The key challenge facing many global financial institutions is how to satisfy both sets of requirements using common architectural principles, and potentially, a strategic solution for data aggregation, transformation and publication.

[1] Jurisdictions committed to adopting Automatic Exchange of Information: Andorra, Anguilla, Argentina, Australia, Austria, Belgium, Bermuda, Brazil, British Virgin Islands, Bulgaria, Canada, Cayman Islands, Chile, People’s Republic of China, Colombia, Costa Rica, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Faroe Islands, Finland, France, Germany, Gibraltar, Greece, Guernsey, Hungary, Iceland, India, Indonesia, Ireland, Isle of Man, Israel, Italy, Japan, Jersey, Korea, Latvia, Liechtenstein, Lithuania, Luxembourg, Malaysia, Malta, Mexico, Montserrat, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Russian Federation, Saudi Arabia, Singapore, Slovak Republic, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, Turks & Caicos Islands, United Kingdom, and United States, and the European Union.

Author

Dave Levy

Associate Partner, London