Achieving Audit-Ready Financial Services Regulatory Compliance with Big Data Analytics and Governance Aggregation, Tracking, Access Management, and Reporting for Financial Services

Post on 31-Jan-2020


INTRODUCTION

Datameer.com

PAGE 2

As big data continues to proliferate and more teams within an organization need to access and analyze that data, complying with long-standing enterprise operating standards and industry regulations is becoming increasingly difficult. Moreover, Hadoop, the dominant big data technology, does not natively offer strong data governance capabilities such as the ability to audit additions and changes to data, trace your data’s lineage and sharing, assign role-based access to data, or perform impact analysis, all of which are vital if big data technology is to become a standard part of the enterprise technology toolkit. Big data should not mean you have to choose between service for your users and being compliant. Financial services institutions are challenged by a constant churn of regulatory compliance requirements.

In recent history, none have had as broad of an impact on data analysis as BCBS 239, Principles for Effective Risk Data Aggregation and Risk Reporting (RDARR).

BCBS 239 (RDARR) COMPLIANCE

Will You Be Ready?

Many organizations have already begun to prepare for the key risk data compliance regulation that goes into effect January 1, 2016. Global Systemically Important Banks (G-SIBs) and Tier 1, non-G-SIB banks must be ready for an audit of their compliance with the Basel regulation BCBS 239. Domestic Systemically Important Banks (D-SIBs) are also subject to mandated compliance deadlines shortly thereafter, or within three years of being identified and mandated. However, many financial institutions are implementing ad-hoc solutions that will only address the required mandates in the short term.

Long term solutions require implementing new processes and technologies to meet the 11 principles defined in BCBS 239 that are relevant to financial services institutions. These principles cover 3 key themes: Overarching Governance and Infrastructure, Risk Data Aggregation Capabilities, and Risk Reporting Practices as follows:

The Fast Path to BCBS 239 (RDARR) Compliance

Overarching Governance and Infrastructure

1. Governance
2. Data Architecture and IT Infrastructure

Risk Data Aggregation Capabilities

3. Accuracy and Integrity
4. Completeness
5. Timeliness
6. Adaptability

Risk Reporting Practices

7. Accuracy
8. Comprehensiveness
9. Clarity and Usefulness
10. Frequency
11. Distribution

Note that principles 12-14 are related to regulatory supervisory review, tools, and cooperation, and have not been included above.


The scope of BCBS 239 is vast across all risk data types and functions. BCBS 239 mandates that bank risk reports “include, but not be limited to, the following information: capital adequacy, regulatory capital, capital and liquidity ratio projections, credit risk, market risk, operational risk, liquidity risk, stress testing results, inter- and intra-risk concentrations, and funding positions and plans.” Each type of risk data and associated metrics has different characteristics of size, shape, and frequency of change and are managed by different teams. A key challenge is applying consistent enterprise-wide governance across these different applications and systems, processes and business rules, and ensuring compliance with processes and reporting. Traditional IT infrastructure and reporting tools were not designed for this kind of environment and won’t deliver the capabilities to address BCBS 239 requirements as described below.

Governance and Compliance Challenges


Compliance consistency across data silos

BCBS 239 requires enterprise-wide solutions rather than departmental initiatives to enforce consistent policies for risk data. Data silos exist not just in the traditional sense of application data marts throughout your enterprise, but if you move data into ETL systems and stand-alone BI tools, you’re creating even more copies of data. Over time, the governance of your data becomes compartmentalized, and it’s hard to know where in your organization you are not compliant.

Tracking data sources across the enterprise

Data is used by multiple analysts across multiple business units, each abiding by their own rules and needs. Tracking risk reporting is very complicated and tedious, even for the global consulting firms assisting banks with compliance. Many organizations today manually track data lineage, that is, how data is used and transformed from one source to the next, to generate risk reporting. Disconnected silos of business rules and multiple copies of the data will make it very difficult to answer the crucial question auditors will ask: “Where did that number come from?” Banks need audit trails for every risk data transformation.

Data access permissions

Policing who has authorization to make transformations and being able to track them is critical for risk reporting accuracy, but a challenging task across an enterprise with thousands of users and millions of calculations. When a problem arises with a risk assessment, how do you perform root cause analysis and determine the source of the problem?

Multiple reporting formats and tools

Having data silos in your enterprise also means having multiple reporting tools that give you an incomplete view of the metrics you need to track. Different levels of the organization require different views and reports of risk data. Can you tailor reports to the right executive or analyst in a timely manner and run ad hoc analysis as issues arise to manage potential crisis situations?

Responding to rapidly changing conditions

A bank should be able to generate aggregate risk data to meet a broad range of ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet management queries. Having a single source of truth will allow financial institutions to respond to changing conditions quickly.


Achieving BCBS 239 compliance requires an enterprise-wide approach to managing risk data. To address implementation complexities, key IT infrastructure capabilities supporting your risk data enterprise-wide can help.

Compliance Requirements

Figure: Compliance requirements. Panels: Single Source of Truth; Enterprise-wide Data Governance; Tracking Data Lineage; Automation for Data Quality; Tracking & Auditing.

Single source of truth

If you can bring together and integrate all relevant data from the various data silos across your business, you can generate comprehensive risk reports and analysis faster and more accurately. A “single source of truth” allows you to trust your data so you can manage potential crises before they happen or react quickly when they do.

Enterprise-wide data governance

If you can apply consistent policies that govern risk data aggregation, transformation, and reporting across a wide variety of data sets managed by a large number of internal IT and business teams, you can exhibit the controls, accountability, and transparency mandated by regulators.

Tracking data lineage

To understand and trust the risk data you work with, you need the ability to track the source of data inputs into that risk data, the output calculations, and the pipeline both upstream and downstream as that data is used throughout the enterprise — to know who had access, who transformed it, when and where.

Automation for data quality

If you can define the rules of data extraction, transformations and calculations, and automate the process, you can reduce the need for multiple human touches, which reduces the risk of data inaccuracies and data loss. This helps ensure higher data quality, which gives you confidence in the accuracy of the risk reports you generate and submit to regulators.

Comprehensive tracking and auditing

Auditing for BCBS 239 compliance will begin for the first time in January 2016, and enterprises need to be prepared for the ultimate metrics that will be assigned to determine compliance. A comprehensive log system that captures every data element, transformation, and profile will best help the enterprise prepare for any audit.


Datameer has full governance capabilities to help you generate complete, accurate, audit-ready data aggregation and risk reporting, as mandated by BCBS 239 – even as your organization increases legal entity complexity and data fragmentation. Hadoop alone does not natively offer data governance capabilities, so it cannot easily be used on its own to track changes in data or to control access to data in a granular fashion. With Datameer, your organization can easily aggregate data relevant to risk exposure and identify concentrations of risk quickly and accurately at a bank group level – across lines of business and between legal entities, or within any hierarchical subset of data. As a result, you can report on risk data and show clear, accurate data lineage for all of the data and calculations used in your reports. This means that you don’t have to choose between self-service big data analytics and a robust, governable data architecture.

Datameer: Fast-Tracking Compliance and BCBS 239 Readiness


Enterprise-wide governance to achieve single source of truth

Datameer provides a one-stop shop for getting all your internal and external data into Hadoop, with pre-built data connectors for all common structured and unstructured data sources. With “schema-on-read” capabilities, Datameer allows users to store the data first and transform it later as required for analysis. Every analysis builds a view on the “single source of truth” residing in Hadoop, with the raw, underlying data always left untouched.

Instantly see lineage of any data

Datameer workbooks created by users are connected directly to the underlying Hadoop data store. As people work, the software automatically creates and maintains the full lineage of all data and calculations. Nothing is lost – and you always have a complete history of every change. Data lineage functions include the tracking of actions and data within workbooks and across workbooks. Datameer also makes data lineage information available through industry-standard REST API Web Services calls. As a result, lineage information is readily available to other applications and programs for processing and incorporation. This eliminates the need to have someone manually go into workbooks to retrieve and consolidate the lineage information.

Datameer uses an intuitive, spreadsheet-based user interface, wizards, and drag-and-drop analytical tools to make big data integration, preparation, analysis, visualization and reporting simple for everyone — even business users.


Ensure data quality with automation and access control

Datameer has two key features to ensure data quality: 1) defining the rules of data extraction, transformations and calculation, and automating the updates of this process to minimize human error, and 2) ensuring authorized access to data transformations.

Datameer provides rule-based data loading and de-nullification / defaulting, and push-button data profiling with Flipside. Flipside shows a profile of the data in your workbook that includes the data type, count, max, min, uniqueness, and mean of the data, so the analyst can understand the shape and quality of the data being used at every step of the analytics process.

Datameer provides access controls on all objects managed within the tool, allowing users and administrators to carefully govern who can make changes to which objects, preventing changes to sensitive logic and ensuring that only those data elements which are appropriate are shared with the users in the correct groups. Groups and roles within Datameer can be imported from Active Directory, LDAP or SAML SSO systems, ensuring data access controls consistent with the organization’s.

Figure 2: Datameer’s cross-artifact lineage functions provide a graphical representation of data lineage.


Real-time audit readiness

In Datameer, all relevant user and system events, including data creation and modification, job executions, authentication and authorization actions, and data downloads, are automatically and transparently logged. This includes information about groups and roles, their assignments, artifact sharing, logins and failed login attempts, password updates, enabling and disabling of specific users, and more. These logs can be analyzed in Datameer itself or by an external system. This audit capability can be tied back into metadata and source control systems such as Apache Atlas and Git. This is tremendously important when dealing with many groups accessing and analyzing the many subsets and supersets of risk data in scope.
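The lineage tracking described under “Instantly see lineage of any data” and the event logging described here, as an added example that is not Datameer's code: a small Python ledger with hypothetical artifact names and constructed sample data, where a set of authorised editors stands in for the group and role controls the paper mentions.

```python
# Added example (not Datameer's code): a minimal lineage-and-audit ledger. It
# records which actor produced each artifact from which inputs and when, keeps an
# append-only audit log of accepted and refused events, and answers "where did
# that number come from?" (provenance) and "what depends on it?" (impact).
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

@dataclass
class Artifact:
    name: str                 # hypothetical names, e.g. "credit_risk_report"
    actor: str                # who created or last changed it
    timestamp: str            # when (ISO-8601, UTC), as recorded by the producer
    inputs: List[str] = field(default_factory=list)   # upstream artifact names
    detail: str = ""          # rule or formula applied, for the auditor

class LineageLedger:
    """Registered artifacts plus an audit log that is appended, never edited."""

    def __init__(self) -> None:
        self.artifacts: Dict[str, Artifact] = {}
        self.audit: List[dict] = []

    def _log(self, actor: str, artifact: str, ok: bool, note: str) -> None:
        self.audit.append({"actor": actor, "artifact": artifact, "ok": ok,
                           "note": note, "at": datetime.now(timezone.utc).isoformat()})

    def register(self, art: Artifact, allowed_editors: Set[str]) -> bool:
        """Accept an artifact only from an authorised actor whose inputs are all already
        tracked; refusals are logged too, so untracked copies show up in the audit trail."""
        if art.actor not in allowed_editors:
            self._log(art.actor, art.name, False, "actor not authorised")
            return False
        missing = [i for i in art.inputs if i not in self.artifacts]
        if missing:
            self._log(art.actor, art.name, False, f"untracked inputs {missing}")
            return False
        self.artifacts[art.name] = art
        self._log(art.actor, art.name, True, art.detail)
        return True

    def provenance(self, name: str) -> List[str]:
        """Every upstream artifact of `name`, nearest inputs first."""
        chain: List[str] = []
        frontier = list(self.artifacts[name].inputs)
        while frontier:
            cur = frontier.pop(0)
            if cur not in chain:
                chain.append(cur)
                frontier.extend(self.artifacts[cur].inputs)
        return chain

    def impact(self, name: str) -> List[str]:
        """Every downstream artifact that would change if `name` changed."""
        affected: List[str] = []
        frontier = [name]
        while frontier:
            cur = frontier.pop(0)
            for art in self.artifacts.values():
                if cur in art.inputs and art.name not in affected:
                    affected.append(art.name)
                    frontier.append(art.name)
        return affected

def build_sample_ledger() -> LineageLedger:
    """Constructed sample: two sources feed one aggregation feeding one report."""
    ledger = LineageLedger()
    editors = {"etl_service", "analyst_a", "analyst_b"}
    ledger.register(Artifact("loans_q4.csv", "etl_service", "2015-12-31T23:10:00Z",
                             [], "nightly loan extract"), editors)
    ledger.register(Artifact("fx_rates.csv", "etl_service", "2015-12-31T23:12:00Z",
                             [], "closing FX rates"), editors)
    ledger.register(Artifact("exposure_by_entity", "analyst_a", "2016-01-04T09:30:00Z",
                             ["loans_q4.csv", "fx_rates.csv"], "sum(balance * fx_rate) by legal entity"), editors)
    ledger.register(Artifact("credit_risk_report", "analyst_b", "2016-01-04T11:00:00Z",
                             ["exposure_by_entity"], "top-10 concentrations"), editors)
    # Refused and left only in the audit log: an unknown actor, then an input
    # (a desktop spreadsheet) that was never ingested into the ledger.
    ledger.register(Artifact("shadow_copy", "contractor", "2016-01-05T08:00:00Z",
                             ["exposure_by_entity"]), editors)
    ledger.register(Artifact("manual_adjustment", "analyst_a", "2016-01-05T08:05:00Z",
                             ["desktop_sheet.xlsx"]), editors)
    return ledger
```

Calling `build_sample_ledger().provenance("credit_risk_report")` yields the aggregation step followed by both source files, which is the chain an auditor would ask for.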

Please see Appendix for a detailed mapping of how Datameer can help you be compliant with the policies in BCBS 239.

Govern Hadoop Using Datameer

Using Datameer, you can govern the data you have in Hadoop. It’s easy to:

• Manage data access by user and data source
• Maintain and enforce centralized policies across the enterprise
• Ensure analysis is based on valid and high quality data
• Track data lineage through every step from end to end
• Discover how changes to data will affect other analytic assets in the workflow
• Meet internal and external compliance/regulatory requirements
• Find root causes and address risky data


Use Case from a Global Bank in North America

Multiple groups within the Compliance Unit at a global bank in North America are using Datameer to meet regulatory compliance requirements of their risk data. The solution was initially driven by the RDARR compliance group, which had an upcoming deadline of January 2016 to meet RDARR compliance requirements on risk data aggregation and reporting. The Risk Analysis group was also involved. Analysts in this group provide analysis of risk data to the rest of the bank, such as the trading groups, the credit risk and market risk groups, as well as providing reports back to the compliance groups.

Before Datameer, the global bank was tracking risk analysis with a very manual process. There were many analysts calculating risk in a lot of different spreadsheets and applications. The managing director of the bank states, “We estimate we had over 2 million variants of the same risk data in spreadsheets scattered around the bank.” With the deadline of RDARR requirements looming, the bank did not have a rigorous process in place and was initially planning to meet the new requirements by adding people to keep track and play the role of internal auditors. Since the results of the RDARR audits will be made public (as of January 2017), the risks of non-compliance were significant not only in terms of fines, but public trust in the bank’s ability to operate. This was not a risk the bank wanted to take.

To address the challenges of meeting RDARR compliance, the global bank needed a solution to meet the audit requirements without impacting the risk analysts’ ability to do their job. With Datameer, the bank had the unique ability to meet the requirements of both groups.


Using Datameer as its RDARR platform, the global bank had the ability to bring all of their risk data into Hadoop (as their data store). Datameer, an end-to-end analytic platform that includes data ingestion, analysis, and visualization, began tracking data lineage as soon as data was ingested and all the way through any data transformations and calculations, to the final dashboard and reporting output. Datameer’s comprehensive audit capability tracked which analyst made what change to which spreadsheet, as well as the original sources of data that fed the spreadsheets. Auditors can view these records and assess compliance in real time or use them to troubleshoot any risk calculations that come into question. Datameer made compliance transparent to the risk analysts without restricting their actions. Analysts can continue to perform their work and serve their internal Credit and Market Risk Groups in a familiar Excel-like user interface.

The global bank was able to install and deploy Datameer within a matter of days. While RDARR regulation specified principles of compliance, it left the specifics of “how” to meet those requirements up to the bank to execute and prove. The Compliance Managing Director states, “With Datameer, I am more confident in our ability to answer ‘where did that number come from?’ I can sleep easier at night and my whole team can sleep easier now that we are better prepared for the RDARR audit come January (2016).”


About Datameer

Datameer is the only end-to-end analytics application purpose-built for the Hadoop platform, designed to make big data analytics self-service for everyone. Hundreds of customers, including CIOs, CMOs, CTOs, doctors, scientists, law enforcement officials, and even Olympic athletes all rely on Datameer to help them get from raw data to insights faster than ever. Datameer combines Hadoop’s unlimited storage and compute power with a common spreadsheet interface and powerful analytics, quickly transforming businesses into agile, data-driven organizations.

To learn more, please visit www.datameer.com

Appendix: BCBS 239 Compliance Requirements with Datameer

The original appendix is a two-column table, BCBS 239 Principles on the left and Alignment of Datameer Functions on the right. Below, the principles of each section are listed first, followed by the corresponding Datameer alignment paragraphs.

I. Overarching Governance and Infrastructure

Principle 1: Governance

A bank’s risk data aggregation capabilities and risk reporting practices should be subject to strong governance arrangements consistent with other principles and guidance established by the Basel Committee.

Principle 2: Data Architecture and IT Infrastructure

A bank should design, build and maintain data architecture and IT infrastructure which fully supports its risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis, while still meeting the other Principles.

Datameer’s enterprise-level security enables banks to implement strong, well-defined risk data aggregation and risk reporting processes, giving senior management oversight and validation capabilities.

Datameer’s big data scalability on Hadoop means even huge risk analytics or aggregation workloads during times of stress or crisis are easily accomplished.

Datameer’s schema-on-read allows banks to place all their data in a big data lake, where a single source of truth is stored, avoiding the data silos that make lineage and audits difficult. Non-IT risk analysts can perform self-service analysis to deliver critical risk reports in a fraction of the time required with traditional BI reporting processes.

II. Risk Data Aggregation Capabilities

Principle 3: Accuracy and Integrity

A bank should be able to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimize the probability of errors.

Principle 4: Completeness

A bank should be able to capture and aggregate all material risk data across the banking group. Data should be available by business line, legal entity, asset type, industry, region and other groupings, as relevant for the risk in question, that permit identifying and reporting risk exposures, concentrations and emerging risks.

Datameer automates the entire workflow from ingestion to aggregation to reporting without manual intervention. Datameer additionally provides enterprise class access control and auditing to ensure established reporting workflows cannot be changed after approval.

Datameer enables efficient, self-service ingestion of a wide variety of data types via native data connectors, allowing analysts to capture the complete picture without siloed risk analyses.

A single destination for data coming from multiple sources means risk analyses can be reused across datasets and not just within silos. A schema-on-read approach means that developing complete risk analyses no longer waits on IT for data delivery and modeling, which accelerates the process.


Principle 5: Timeliness

A bank should be able to generate aggregate and up-to-date risk data in a timely manner while also meeting the principles relating to accuracy and integrity, completeness and adaptability. The precise timing will depend upon the nature and potential volatility of the risk being measured as well as its criticality to the overall risk profile of the bank. The precise timing will also depend on the bank-specific frequency requirements for risk management reporting, under both normal and stress/crisis situations, set based on the characteristics and overall risk profile of the bank.

Principle 6: Adaptability

A bank should be able to generate aggregate risk data to meet a broad range of on-demand, ad hoc risk management reporting requests, including requests during stress/crisis situations, requests due to changing internal needs and requests to meet supervisory queries.

Datameer’s Hadoop-based architecture means that data scale is no impediment to speed of delivery even in crisis.

The volatility of data is a primary challenge with the timeliness of reporting. As data changes shape, more brittle reporting solutions require IT and BI investment to intervene. Datameer’s business-user friendly end-to-end data ingestion, aggregation and analysis means that those responsible for the quality and speed of the reporting can adjust analysis quickly as needed.

Datameer’s business-user targeted interface is purpose-built for ad hoc reporting by semi- and non-technical users while remaining powerful enough to address complex business requirements.

Datameer’s visualization and data profiling at every step of the reporting process mean that users arrive at correct reporting with faster iteration and less process overhead compared to traditional IT driven BI projects.

III. Risk Reporting Practices

Principle 7: Accuracy

Risk management reports should accurately and precisely convey aggregated risk data and reflect risk in an exact manner. Reports should be reconciled and validated.

Principle 8: Comprehensiveness

Risk management reports should cover all material risk areas within the organization. The depth and scope of these reports should be consistent with the size and complexity of the bank’s operations and risk profile, as well as the requirements of the recipients.

Datameer reports run directly against the underlying data in Hadoop, so there’s no need to create additional data silos just for risk reporting, perform data transformations, or apply rules – all of which can introduce inaccuracies.

Datameer data lineage capabilities make it simple to enable reporting on how numbers were calculated and what changes and transformations they have undergone while allowing administrators to audit changes to those flows.

Datameer’s end-to-end approach to big data analysis ensures that its governance covers the entire data life cycle and provides the comprehensive auditing required. Data lineage can be tracked end to end from data source to workbook regardless of the complexity in the bank’s operations.


Principle 9: Clarity and Usefulness

Risk management reports should communicate information in a clear and concise manner. Reports should be easy to understand yet comprehensive enough to facilitate informed decision-making. Reports should include meaningful information tailored to the needs of the recipients.

Principle 10: Frequency

The board and senior management (or other recipients as appropriate) should set the frequency of risk management report production and distribution. Frequency requirements should reflect the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change, as well as the importance of reports in contributing to sound risk management and effective and efficient decision-making across the bank. The frequency of reports should be increased during times of stress/crisis.

Principle 11: Distribution

Risk management reports should be distributed to the relevant parties while ensuring confidentiality is maintained.

Datameer’s Infographic visualization provides a blank canvas for the user to place charts and graphs and other visuals freely and to annotate at will to clearly tell the story in the data, using the most current underlying data as it is refreshed.

Any analyses can also be exported, via fully automated export functionality, to a wide array of external tools, subsidiary systems and other downstream systems (see Principle 11 below).

Datameer provides scheduling and automation tools to ensure that all reports as well as underlying data management task frequency can be adjusted to provide data with the correct cadence without IT involvement.

The massively-parallel scalable nature of Datameer’s architecture on Hadoop means that frequency demands during crisis can be managed with commodity hardware or appliances.

Datameer’s Infographic reporting capabilities mean that reports created in Datameer can be easily created and shared while keeping the data live, and that access controls are preserved, preventing unwarranted distribution of privileged information.


©2016 Datameer, Inc. All rights reserved. Datameer is a trademark of Datameer, Inc. Hadoop and the Hadoop elephant logo are trademarks of the Apache Software Foundation. Other names may be trademarks of their respective owners.
