The post-financial crisis era has marked a turning point for financial industry regulations. Nowadays, banks are expected to systematically maintain compliance standards and perform advanced analytics to deliver to regulators timely, accurate, and precise data for capital and liquidity reports. But what started off as a primarily US-focused initiative is gradually going global. So much so that the RegTech software industry is expected to become a US$118 billion market by 2020.
Recent developments in Asia indicate that the international drive for stronger regulatory regimes is turning up the heat on the region, and the repercussions for the financial services industry are far reaching. Asia’s regulatory landscape has always presented something of a conundrum. Regulatory compliance predominantly remains a country-specific matter, with each nation taking a different approach to data privacy and security standards and rules. Any institution looking to access and leverage new sources of information across the region is bound to face complex obstacles in the process.
While there does not seem to be any sign of a coordinated effort in the development of Asia-Pacific wide data privacy and security legislation, reforms in China and the Philippines do shed some light on the type of reviews and measures companies will need to conduct in order to successfully operate in a more heavily regulated space.
Last November, China issued its first comprehensive Network Security Law (or “Cybersecurity Law”), which established an overarching regulatory framework encompassing the construction, operation, maintenance and use of networks by any network operator in the country. The ensuing rules and requirements will affect any internet user in China — be it an individual or a body, domestic or international. Notable components include: i) stricter security standards for “critical information infrastructure” (CII) and operators of CII (CIIOs); ii) the requirement that personal information and critical data held by CIIOs remain in China, unless authorized otherwise by the Government; and iii) the verification of a user’s name and identity.
Some of those new standards, especially around CIIOs, are sure to give a boost to alternative cloud-based services, such as Amazon Web Services, which is already experiencing fast growth in the region. As for ID verification, while the law does not stipulate the ways by which authentication must occur, firms will need to move towards more advanced capabilities, such as facial recognition technology, to maintain operational efficiency and avoid onerous manual reviews.
Further south, the Philippines also recently finalized the implementing rules and regulations (IRRs) of the Data Privacy Act of 2012 — the first comprehensive data protection law designed to align the country with international data protection standards. The resulting IRRs establish stringent standards with regards to the protection of “personal information,” dramatically impacting financial institutions conducting business in or from the Philippines.
Key characteristics of the Act include: i) establishing data subject rights and requiring data subject consent as a prerequisite for any private sector data sharing; ii) setting specific security measures in the processing of personal information; iii) introducing a mandatory 72-hour data breach notification; iv) requiring the appointment of a data protection officer within any organization engaged in the processing of personal information; and v) instituting significant penalties in the event of a data breach.
As such laws and regulations continue to evolve, financial institutions will find it imperative to rely on technology providers with the knowledge and capability to help address intensifying regulatory reporting requirements and stay abreast of ongoing developments.
By Stefanie Schmidt, General Counsel & Chief of Staff