UK watchdogs run into security fears
Data security and innovation are always going to be in tension. A new plan to improve regulatory reporting might find itself facing worries over security, Jo says.
In 2019, the Bank of England, working closely with the Financial Conduct Authority, committed to overhauling its clapped-out data policy, admitting that technology and analytics had changed since its adoption in 2013. In early 2020, the central bank put out a discussion paper with some ideas on how it might transform the way it collects data from financial firms; among these multiple suggestions was one that would see the BoE shifting from a “push” to a “pull” model of data collection.
Currently, firms “push” data to the BoE, in that they generate and send reports. Under a “pull” model, the bank could query data held at firms and generate reports on demand. “This could improve speed and flexibility of reporting while reducing the marginal cost to firms of responding to new questions,” the 2020 paper states.
The paper gave examples of pull models from Rwanda and Austria. Rwanda’s central bank, for example, distributes reporting templates to institutions, then pulls data based on these templates from firms’ core systems into its own data warehouse, performing transformations on them to meet reporting requirements.
Responses to the discussion paper were due by April 2020. After mulling over the 60 responses, in February the BoE laid out its plan for data collection in 2021 and beyond. Judging by what it says in the new plan, the bank has encountered a lot of pushback against the “pull” model.
Respondents seem to have balked at the idea of the regulators having access to their systems and storing their data, the BoE says in the document. While firms agreed that there might be benefits in reducing reporting costs, “many firms disagreed strongly with any suggestion that it might result in the bank being able to pull data in real time, expressing unease about the regulator or central bank having direct access to their systems. In addition, firms had questions on the governance and security implications of a pull model, such as the mechanics of data verification, pulling and storing large volumes of data securely, and accountability in the event of a security breach,” the bank says.
This reminds me of the resistance the US Securities and Exchange Commission’s Consolidated Audit Trail has faced from broker-dealers, whose trade association is currently engaged in a bitter debate with the exchanges that are running the Cat over whether the exchanges should be able to bulk download data that includes sensitive personally identifying information on customers. As my colleague Tony Malakian wrote recently, the Cat without PII is not an improvement on other databases that already exist, but data security is expensive and difficult to achieve. Perhaps the BoE will not want to get into these kinds of debates?
The 2021 plan doesn’t say if the BoE has abandoned the pull idea entirely, however. That’s not really the tone of this new plan, which is not prescriptive—rather, it’s setting out the building blocks for collaboration with the industry. The bank sees its modernization unfolding in an iterative way, starting with limited use cases for the first three years, then gradually scaling to other activities. The BoE has settled on three themes that will form the basis of the plan: adopting common, open standards that identify and describe data consistently; modernizing the reporting instructions sent to firms (including writing them as computer code); and integrating reporting across domains.
The new plan lays out some alternatives to the pull model. These include using alternative data sources—such as from intermediaries like financial market infrastructures, rather than directly from banks. “This could result in fewer ‘sources of truth’ and a higher quality of data,” the plan says. The bank could also align its data collection methods more closely with the data’s intended purpose; that is, if the data wasn’t needed in real time, it needn’t be collected that way.
The pull model is just one aspect of a wide-ranging transformation plan, and there will be evolutions as this progresses. I’m curious, for example, about the potential implications of writing regulation as code, which has been recommended as a piece of this reform. But it’s a sign of a broader issue that will become a theme over the years as regulators look to harness the power of data: can they safeguard precious industry information?
Copyright Infopro Digital Limited. All rights reserved.