Big Data in Small Banks — Maintaining Effective Data Management in Community Banks
by Carla Thomas, Senior Examiner, Supervision + Credit, Federal Reserve Bank of San Francisco
Because of the widespread adoption of digital banking services, the amount of data that community banks are able to collect is quickly expanding. According to the National Institute of Standards and Technology (NIST), the growth of data is outpacing the abilities of current scientific and technical advances to analyze the data.1 This exponential growth of data produces larger and more varied pools of data, also known as big data.2 While this data explosion can give banks new opportunities to combine and use data to support their business strategies and operations, banks can encounter significant challenges in managing and analyzing the large volume of data.3
Banks, large and small, are starting to fully recognize the advantages and capabilities of effectively capturing, managing, and using data. In fact, of 300 senior executive bankers surveyed in 2021 and 2022, many indicated that data analysis and business intelligence rank as increasingly top priorities in new or replacement system application capabilities.4 As banks continue to amass large amounts of data, it is becoming increasingly important for bankers to understand the need for appropriate data governance processes and to establish the foundations of sound data management practices in order to fully reap the benefits as well as control the risks involved.
What Makes “Big Data” Big? Look for the Four V’s
Sources: NIST Special Publication 1500-1r2, available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1r2.pdf (Four V’s); www.internetlivestats.com/google-search-statistics/ (Google statistics)
A Bank’s Most Valuable Asset
Community banks have long used data to assist in decision-making. Critical risk management functions such as loan loss reserve methodologies, capital and liquidity planning, interest rate risk sensitivity modeling, money laundering detection, and fraud monitoring rely on data to measure, monitor, and control a bank’s risks. However, as technology evolves with the development of tools such as artificial intelligence and machine learning, the opportunities for banks to benefit from advanced analytics have grown considerably. From risk management to targeted marketing, data can shape a bank’s strategies and business plans, reflecting the type of information and the story derived from the data.
External data from sources such as industry trends, peer metrics, and economic indicators can help bankers identify current and potential risk exposures on a macro level. Further, banks have a seemingly endless pool of internal data, which allows management to draw more institutional-specific conclusions about risks and understand customer behavior. Key sources of internal data include transactions involving payment cards, loans, and deposits. This information can assist management in pinpointing areas of heightened risk. Additionally, historical financial data may help predict future performance as well as identify areas in which improvements are needed in a bank’s control framework to better plan for challenges ahead.
Remove the Rubbish
Of course, a bank’s management information systems and reporting functions are only as good as the quality of the input — the principle of “garbage in, garbage out.” The key to ensuring that data are useful and reliable is the adequacy of a bank’s data management processes. Data management is the development and execution of policies, standards, and procedures to acquire, validate, store, protect, and process data.5 In other words, effective data management ensures that data are accurate, accessible, secure, and timely to meet user needs.
The way in which a bank builds a data management program can vary depending on its size, complexity, strategic goals, and available resources. For some banks, a first step may be to modify current practices to capture more data within unused data fields or expand the data points collected. Enriching data based on changing risks and industry conditions allows management to fully utilize the analytical capabilities of its existing systems. Other banks may opt to invest more resources in complex third-party services such as modernized core systems, data aggregators, cloud service providers, or advanced customer relationship management systems. Regardless of the approach, the keystone of data management is a continual assurance that information gathered is correct, relevant, available, and protected.
Data Governance Rules
As the business of banking becomes increasingly data driven, the management and oversight of data are no longer buried within information technology (IT) departments at community banks. Moreover, the availability of data is taking center stage in executive-level strategic discussions and decision-making. Bank directors and senior management are placing greater emphasis on the need for an effective data management framework through data governance, or a set of processes for formally managing data assets across all of a bank’s activities and operations. Data governance establishes authority, management, and decision-making parameters related to the data that a bank produces or manages. Additionally, data governance involves the process for setting and executing the business and IT priorities for managing data.6 Effective data governance allows bank management to make sound strategic decisions, maintain compliance with applicable laws and regulations, improve data security, and streamline planning processes.
Typically, data governance starts with establishing a data management hierarchy. Corresponding policies and procedures are typically developed to assign roles and responsibilities, outline the purpose and objectives for data use, and describe regulatory requirements and industry standards. Data governance practices can be applied to a wide range of activities and business lines within a bank and include the full “life cycle” of data, that is, from initial gathering of data, through usage and analysis, to retention or destruction.
Risks to Consider
While improved data utilization can provide a variety of benefits to a bank, its directors and senior management should also evaluate the following risks while ensuring that sound risk management processes and controls are in place before implementing new data strategies.
Establishing new data systems may be especially challenging if the existing infrastructure is outdated or the new system is incompatible with existing systems. Data pools obtained through mergers and acquisitions can also be difficult to access, integrate, and manage with prevailing frameworks. As data become more accessible and available, the risk of data breaches and cyberattacks increases, resulting in a greater need for robust information technology systems.
There are many complex regulatory requirements related to data handling and privacy, established to protect customers, consumers, and businesses. Bankers need to be fully aware of applicable state and federal laws and regulations, including the Gramm–Leach–Bliley Act, the Fair Credit Reporting Act, Section 1033 of the Dodd–Frank Wall Street Reform and Consumer Protection Act, state laws (for example, the California Consumer Privacy Act), and the Electronic Fund Transfer Regulation (12 C.F.R. part 1005).
Failure to comply with applicable regulations or industry standards could lead to a heightened risk of litigation for a bank. Lawsuits and data breaches can result in negative public sentiment that can damage a bank’s reputation and potentially lead to other financial risks.
Many community banks will opt to manage data through third-party relationships. Therefore, management should comprehensively assess the risks involved with each vendor and establish policies and procedures related to due diligence, onboarding, contract provisions, business continuity and contingency planning, and ongoing oversight.
The Road Ahead
The banking industry continues to evolve. As customers demand a more tailored banking experience, data analysis allows banks to grow and stay competitive by understanding their customers’ needs and preferences. The access to and management of high-quality data can be the driving force that facilitates growth at community banks by maintaining strong customer relationships and modernizing products and services. Whether the goal is to gain operational efficiencies, improve risk management processes, or make better strategic decisions, robust data management and governance processes are key to a bank being able to fully leverage its data.
“Community Bank Access to Innovation Through Partnerships,” Federal Reserve System paper, September 2021: www.federalreserve.gov/publications/files/community-bank-access-to-innovation-through-partnerships-202109.pdf
FFIEC IT Information Security Booklet: https://ithandbook.ffiec.gov/it-booklets/information-security.aspx
NIST Big Data Public Working Group: https://bigdatawg.nist.gov/home.php
“The Importance of Third-Party Vendor Risk Management Programs,” Community Banking Connections, First Issue 2017: www.cbcfrs.org/Articles/2017/I1/third-party
“Use of Artificial Intelligence and Machine Learning (AI/ML) at Supervised Financial Institutions,” Ask the Regulators webinar, December 16, 2020: https://bsr.stlouisfed.org/askthefed/Home/DisplayCall/295
- 1 See NIST Special Publication 1500-1r2, NIST Big Data Interoperability Framework: Volume 1, Definitions, available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1r2.pdf.
- 2 See the FFIEC IT Examination Handbook Infobase, Architecture, Infrastructure, and Operations Booklet, available at https://ithandbook.ffiec.gov/it-booklets/architecture-infrastructure-and-operations/iii-common-aio-risk-management-topics/iiia-data-governance-and-data-management.
- 3 See NIST Special Publication 1500-1r2, NIST Big Data Interoperability Framework: Volume 1, Definitions, available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-1r2.pdf.
- 4 Cornerstone Advisors, What’s Going On in Banking 2023: Fighting the Headwinds, Riding the Tailwinds, available at www.crnrstone.com/whats-going-on-in-banking-2023.
- 5 See FFIEC IT Examination Handbook Infobase, Architecture, Infrastructure, and Operations Booklet, available at https://ithandbook.ffiec.gov/it-booklets/architecture-infrastructure-and-operations/iii-common-aio-risk-management-topics/iiia-data-governance-and-data-management.
- 6 See FFIEC IT Examination Handbook Infobase, Architecture, Infrastructure, and Operations Booklet, available at https://ithandbook.ffiec.gov/it-booklets/architecture-infrastructure-and-operations/iii-common-aio-risk-management-topics/iiia-data-governance-and-data-management.