On 31 March 2022, APRA released its Discussion Paper on the Direction for Data Collections which sets out APRA's changing approach to data collection, the rationale for these changes and an outline of the implementation roadmap. Although these changes are expected to lead to longer term benefits in terms of consistent data requests, standardisation of data collections, and a reduced need for ad hoc data requests, this transition will also be a significant undertaking and, in many cases, require substantial short to medium term investments in data, regulatory reporting and analysis capabilities.
In our view, although there are substantial benefits to be realised from implementation of the roadmap, the reforms cannot be achieved quickly or easily. Many Financial Services Institutions (FSIs) will face challenges in moving beyond legacy solutions and data limitations. Many of the changes required will be cultural as well as technical, with sustained investment needed over a period of time to make the improvements necessary. We see the challenges manifesting in several ways:
Poor data and technology infrastructure
Some FSIs struggle with collating all the data necessary for regulatory reporting, particularly where the data differs from that used in management or financial reporting. This can be the result of several factors, including historic under-investment in regulatory reporting and/or adoption of tactical solutions that are never actually replaced by strategic systems upgrades.
Inconsistent governance and ineffective controls
Governance of regulatory reporting is often separate from the governance of financial reporting, and the control framework can be designed and held to a different, often lower, standard.
Lack of resourcing and inconsistent or inappropriate regulatory interpretations
Regulatory reporting is complicated. Reporting standards and guidelines run to dozens of documents. The requirements can regularly change, and in many FSIs, the pool of individuals with deep knowledge of both the regulatory requirements and how to complete reports given data and systems constraints is shallow.
In our view, whilst the practical requirements and expectations in the industry roadmaps will be worked through with FSIs over time, the rollout of the Data Collections Roadmap should be accompanied by the codification of CPG 235 – Managing data risk as a prudential standard (CPS 235) in a similar timeframe. This will support the consistent and sustained investment in underlying data and reporting capability required to deliver on the roadmap.
Below we have set out the five key areas where we expect capability uplift to be required to deliver high quality regulatory data collections:
1. A robust governance structure
The Financial Services industry’s journey toward richer and deeper data collections is already underway. The first step of this transformative journey is cultural change and disciplined end-to-end change management that aligns to a strategic architecture and regulatory data strategy. That is, acceptance that regulatory and financial reporting is an enterprise-wide activity, with accountability by senior management across business lines and corporate functions such as finance, operations, and risk. This differs from the traditional approach where source data is managed in siloes in each business line.
2. Data and technology infrastructure investments
Strategic transformation of data and reporting infrastructure are major investments that have long runways. In our experience, the level of effort needed often ranges from three to five years. The scale and cost of infrastructure investment is driven by the size and complexity of each FSI, taking into account legacy of system integration, history of mergers and acquisitions and implementation of “regulatory reporting software” compared to other automation capabilities.
As APRA transitions to digital submissions of data collections with APRA Connect, a greater level of standardisation in how data is collected, represented, what it means and the relationships between data elements will be required. This includes commonly agreed definitions for all data elements across the data collections as well as the establishment of common data models that are defined and agreed with industry. For example, if collecting data on customers, then a definition of what a customer entity is would be necessary. Similarly for other concepts such as products, services, and arrangements.
3. Data quality and assurance
An effective data quality and assurance program that is risk-based and integrated with accountability frameworks is typically built on five components:
4. Change management
The complexity and rate of change to regulatory reporting makes change management a critical competency for regulatory and financial reporting organisations within FSIs. Regulatory change processes should evaluate changes across regulatory agencies and legal entities, including financial, risk, product/transaction, and market information. In addition to external factors, internal activities from new product development, system implementation, changes to the legal entity structure, and internal policy changes must be incorporated into the change management process.
5. Human capital
Typically, FSIs are realising that the skillsets historically used to prepare regulatory reports are no longer enough as the industry pivots to richer and deeper data collections. In our experience, buying these skills is not always a realistic option as the high demand for skilled people in this area in the current economic environment is not matched by supply leading to a shortage of suitably competent resources. This presents opportunities to re-focus data and regulatory reporting teams and ensure second and third-line functions have the skills and resources to challenge regulatory reporting functions, processes, interpretations, and outputs.
1. Does your regulatory data strategy and technology architecture set you up to maximise the business benefits expected to be realised over the longer term as a result of the pivot to richer and deeper regulatory data collections?
2. Is your data risk management framework and approach fit-for-purpose? How will it support timely investment in the critical capabilities required such as change management, strategic data sourcing and building trust in source data?
3. How to reimagine the regulatory reporting operating model across the first, second and third lines to refocus accountabilities and respond to the need for new types of skills and capabilities?