Financial services cannot ignore the growing importance of digital. But with digital transformation comes risk – not least the threat of regulatory breaches.
Here we explore how Compliance teams can help to reduce the liability inherent in digital transformation projects.
The growth of digital
Whether used as a back-office delivery mechanism or a communications channel, there is no ignoring the need to embed a digital approach in your strategy.
A recent report from Deloitte identifies four key drivers of this transformation:
- The exponentially growing use of smart devices
- Changing customer expectations and demographics
- Increased penetration of internet access, and faster access
- Technological innovations and a desire to harness advanced technologies
What is digital transformation?
As the Deloitte report points out, the concept means different things to different groups of people.
- From a strategic – board-level or company-wide – point of view, it means establishing a digital vision and strategy.
- From an operational perspective, it’s all about identifying those involved in delivering services and the tools needed to do so.
- And from a programme management angle, it’s focused on timely and cost-effective implementation.
For each of these groups and objectives, digital transformation brings different risks.
- Strategically, risks relate to creating the right selection process; setting priorities; and ensuring that disruption to service is minimised.
- Implementation risk involves putting in place a risk-based approach to technology, operations, vendors and issues around security and robustness.
- Programme management risk majors on implementing processes to ensure that any interdependencies or related business areas are captured in digital projects. It means creating a risk management framework for the business that can be used for future initiatives.
Beyond traditional risks
The move to digital brings with it threats that extend beyond the traditional regulatory breaches Compliance teams had to tackle.
Cybersecurity is one, with reviews of your current approach and security robustness an essential first step.
But is this enough?
As the report says, ‘it is critical to consider risk areas beyond traditional risk’.
It pinpoints social media as one of these new areas. This is something we’ve addressed before, asking how you can minimise risk in your social media strategy.
It also flags up customer profiling, which drives a better customer experience, but needs to be ‘aligned to protect privacy of customer data’ – something that’s even more crucial now that the GDPR is in full force.
Digital ‘resiliency’ is also singled out – as technology becomes more embedded and relied upon, it becomes more vital that systems and solutions can be relied upon.
Identifying and mitigating the risks of a digitised approach
The report identifies 10 headings under which digital risk can be categorised:
This encompasses the potential for losses due to technology failures or obsolete technologies. It means ensuring your chosen technologies are scalable, in case you want to expand their use, ensuring they’re compatible with existing systems and that they work in the way they should.
Firms need to protect their digital assets from unauthorised access/usage. Confidentiality needs to be assured.
Strategic risks can include external forces that require a change in the organisation’s direction. This may impact its investment in new technologies, and can also affect brand value and reputation.
Threats here might include any event that prevents or limits an organisation’s ability to deliver on its objectives. Key areas relate to data classification, data retention, data processing and data encryption.
The potential dangers of outsourcing to third parties are very real for regulated firms, more so than for others. The FCA has strict rules around approaches to outsourcing. You need to ensure that any vendors – in particular, but not only, those who handle your data or other confidential information – meet with FCA and other regulatory requirements.
Privacy risk comprises any liabilities arising from inappropriate handling of personal and sensitive personal data of customers/employees. Again, the strict data processing rules brought in by the GDPR will be a key consideration here.
This covers the digital environment’s ability ‘to enable investigation in the event of a fraud or security breach, including capturing of data evidences which is presentable in the court of law’. Whatever technologies you employ, they need to create an audit trail that’s acceptable to the FCA.
As well as the wider risks that digital transformation brings, the need to comply with legislation specific to the technology, your sector or otherwise, is essential. Our blog on How to innovate in a compliant way has lots of advice on this.
Increased dependence on technology means an increased threat of business interruption should it fail. Organisations need to consider areas like business continuity, IT/Network disaster recovery, cyber resiliency, and crisis management.
The Deloitte report – which you can read here has more detail on these risks, and advice on how they can be mitigated.
The march towards digitalisation is just one of the ongoing changes to the Compliance Manager’s landscape. Your working environment is constantly evolving; keeping up can be a challenge.
Nothing in this document should be treated as an authoritative statement of the law. Action should not be taken as a result of this document alone. We make no warranty and accept no responsibility for consequences arising from relying on this document.