Aiven Blog

May 20, 2024

Understanding Data Management in the Face of Changing FSI Compliance Laws

Changing regulations are requiring FSIs to increase their resilience and protect their operations and customers against misadventure or attack.

Michael Coates


Senior Solution Architect

As regional data regulations tighten and data management becomes more complex, keeping ahead of changing compliance requirements has never been more mission critical for financial services institutions (FSIs). With just over twelve months to go before the new policies come into effect, organisations must act now in order to review and close any compliance gaps or face the consequences. In our recent blog ‘The Top Two Misconceptions as FSI Compliance Requirements Tighten’ we explored the impact and common misconceptions around changing compliance laws. Now we’re digging deeper into data, and what data management and use means for FSIs in coming years.

The changing demands on FSIs

As we touched on in our previous blog, FSI organisations are increasingly looking at how they can adequately protect themselves against single-supplier failure, the results of which can shut down a business and put consumers at risk of significant losses. This means making sure you have more than one copy of your data housed in different locations, along with the ability to easily move in and out of supplier arrangements.

Changing laws and regulations are requiring FSIs to increase their resilience and protect their operations and customers against misadventure or attack. Data is a huge focus for new and evolving regulations, and for good reason. Data management and future-forward vendor agreements can spell the difference between success or failure - against both heightened customer demands and tightening compliance requirements.

Changing regulatory environments

New country or region-specific prudential standards are already regulating how FSIs handle their data and these are only set to tighten further. For instance, data localisation laws and policies are becoming more prolific as governments aim to increase protections for citizens’ data by bringing decision making and access rights within jurisdictional boundaries. While this can increase security and individual protection, it can also inhibit data flow leading to disruption of innovation and productivity and make adherence to policies very difficult.

As an example, in Japan, in April 2022, the Amended Act on the Protection of Personal Information came into force. This regulation centres on requirements for cross-border data transfers, requiring a data exporter to provide data principals with certain information about the transfer, including the destination country and the safeguards in place at the data importer.

Within Australia, CPS 230, scheduled to take effect from 1 July 2025, will apply to all Australian Prudential Regulation Authority (APRA) regulated entities in financial organisations, where new requirements for risk management will be introduced.

Similarly, New Zealand passed its Privacy Act in 2020. This Act is regulated by The Office of the Privacy Commissioner (OPC) and introduced a new requirement on international data transfers. Essentially, the party transferring personal data across borders must ensure the recipient adheres to privacy laws with comparable safeguards, or the recipient is required to adequately protect the information. If these terms aren’t upheld, the party must disclose this information to the owner of the personal data.

Singapore has also passed its Personal Data Protection (Amendment) Act 2020, which restricts transfer of personal data outside of Singapore, unless appropriate safeguards to protect personal data are in place.

These changes, which are mirrored across many markets, have a similar focus: to ensure organisations are protecting against risk events, ensuring resiliency, and protecting all relevant entities and groups. This includes managing risks arising from service providers, which is where the all-important vendor relationship comes into focus.

The impact of changing consumer demands on data management

These regulations coincide with changing consumer demands and expectations. From a consumer perspective, there is much greater awareness and demand around both mobility of service and security of data. High profile data breaches have made security top of mind, and the risk of data loss from a single supplier was cast into the spotlight with a weeklong outage for an Australian superannuation fund following the loss of their cloud account.

Quite rightly, consumers demand that their data is private and secure – a basic expectation that unfortunately is not always upheld. An absolute baseline for adhering to this is ensuring systems are up-to-date and well-maintained. In addition, consumers want always-on access and ease of use.

Again, this is also not always the case. A global payments platform recently ran a maintenance update which knocked out global transactions for a day. The update was pushed out in the middle of the night in the United States where the company’s headquarters is, which would have seemed reasonable for the customers in this region. However, the move adversely impacted global customers. This kind of example begs the question, how can global companies now maintain the efficacy of systems and processes, not to mention adhere to new regulations and regional laws, while still ensuring consumers have an optimal experience?

Technology partners lead to success or struggle for FSIs

The right technology partners can help FSIs prepare for risk events, maintain data flow, and adhere to new compliance laws and regulations.

It is important to look for partners that offer flexibility to FSIs in terms of data storage, but also adhere to operational compliance in line with local, regional, and global market regulations. In this way, the customer retains peace of mind about where FSIs store their data. Another consideration, especially for FSIs operating across geographies, is selecting a partner that can deliver continual engineering support for multiple cloud environments and a ‘follow the sun’ approach to customer service.

An open source, multi-cloud data platform also addresses other challenges of our modern, data-heavy world with smart solutions that directly alleviate pain points. This includes cross-cloud deployments as mentioned above, as well as cross-region and cross-cloud migration and replication. There are many benefits of open source, cross-cloud deployments, including the ability to:

  • Run FSI services on any major public cloud platform chosen by the business.
  • Leverage cross-cluster migration and replication to distribute data and workloads to minimize geo latency, reduce costs, meet various regulatory requirements, and to provide greater resiliency through cross-region and cross-cloud disaster recovery.
  • Eliminate vendor technology lock-in by leveraging widely-adopted technologies to better manage both risk and costs.
  • Reduce the impact of vendor-specific skills shortages and resourcing risks by leveraging the same open source technologies across your multi-cloud environment.

The ability to deploy popular technologies once, like Apache Kafka, PostgreSQL, MySQL, and others, and use them in one or multiple clouds offers tremendous flexibility to FSIs. Also, FSIs no longer need to hire and maintain vendor-specific skill sets, nor manage the complexities of their multi-cloud implementations.

When it comes to open source, in 2023, Apache Kafka led the global big data processing industry as the top technology with a market share of 16.88%. In addition, as of November 2023, the most popular open source database management system (DBMS) in the world was MySQL, followed by PostgreSQL. These technologies can become all the more attainable when teaming up with a partner that is specialised in them.

Technology partners lead to success or struggle for FSIs

Netfonds, the German technology company, came to Aiven to support the growth of finfire, the company’s independent software platform for financial advisors, fund managers, and insurance brokers. Through a strong partnership, Aiven now plays an ongoing role in the delivery of finfire. Aiven for Apache Kafka ensures that real-time data moving through finfire is updated in each of the 60 Kafka topics and 60 different microservices in operation. This removes pressure from the internal team so they can drive greater business value and helps Netfonds to remain compliant according to data.

We needed a compliant vendor within the Google universe. Our compliance team really liked that, with Aiven, we continue to be flexible and agile, and have the ability to change cloud provider quickly if necessary. It’s also important that we can connect our Google resources — like our BigQuery data warehouse — to the Aiven platform, and they are able to communicate without boundaries. Aiven’s pre-built integrations bring real value to our team.
Nis Christian Carstensen, CTO at Netfonds

Aiven also works with Revenir, a London-based fintech that automates tax recovery through partnerships with banks, governments, and digital receipt companies. As a company in the financial sector, it was crucial that CTO Brian Wagner was able to balance data management with cybersecurity and remain compliant with national and international regulations. With its open source data platform, Aiven not only helped to balance these needs, but gave Revenir access to a collaborative community that continually seeks and develops innovative solutions to these challenges.

Meanwhile, Digital Asset Research (DAR), the high-growth start-up in the marketplace of digital assets, has teamed up with Aiven to enhance data transparency and quality for more than 200 million trades per day, ensuring 99.99% uptime for scalable data streaming, lowering costs by 10%, and improving performance by 10 times.

Aiven for Apache Kafka provides incredible resiliency which, given the importance of uptime to our business, is invaluable to us.
Michael Zimberg, Chief Technology Officer, Digital Asset Research

Ensuring your company is ready for 1 July 2025 when CPS 230 comes into effect doesn’t have to be daunting or create additional workload and stress for your compliance and IT teams. However, it does need to be well planned to ensure there are no surprises that could leave your organisation vulnerable. Act now and make sure you choose the right technology partner who understands CPS 230 and will deliver a robust, cross-cloud data management strategy that ensures total peace of mind and 24/7 compliance for your organisation.

Get in touch with Aiven to see how you can improve your compliance and risk management while also maximising your tech spend.
