Information Governance Becomes a Credit Union Priority

As credit unions consider a growing number of data practices, compliance hazards, economic uncertainties and additional issues within the member banking environment, 2020 could signal a new era of information governance for the entire industry.

Credit unions can choose to make information governance (IG) a priority, experts said. “They have the opportunity to enter a new decade with their special member-owner philosophy – all while continuing to do what’s right for their institutions and members,” Maria Martinez-Carey, founder and principal of Alt + F0, an IG solutions provider dedicated to helping credit unions manage and leverage member data, said. “Information governance is at the heart of these principles and stands ready to help credit unions and their members going forward.”

IG can be described as an emerging “super discipline” that is now being applied to electronic document and records management, email, social media, cloud computing, mobile computing, and the management and output of information organization-wide, according to Robert F. Smallwood, who literally wrote the book (“Information Governance: Concepts, Strategies, and Best Practices”) about IG in 2014.

Research and advisory firm Gartner defined information governance as: “The specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information.”

Sovan Bin, CEO and founder of the Paris and San Francisco-based Odaseva, which offers Data Governance Cloud, a suite of data governance apps, explained, “Information governance is about making deliberate decisions about how your organization plans to holistically manage the business-critical information that it generates and ultimately relies upon for business-critical applications.”

IG, Bin noted, includes establishing an accountability framework that not only classifies the sensitivity and value of information, but also dictates the meticulousness of the data’s management and security. “Information governance also requires establishing the necessary policies, procedures and metrics to ensure appropriate behavior and storage throughout the data life cycle – from creation through archiving and deletion.”

Martinez-Carey said she perceives a strong relationship between data governance, the general management of the accessibility, accuracy, security and practicability of an organization’s data, and IG. “Information governance is the umbrella underneath data governance.”

According to Martinez-Carey, very few credit unions nationally – especially small- to medium-sized institutions – recognize and understand what information governance is and how it relates to their members. Credit unions will have to play catch up to other industries already applying information governance, she advised. “Anchored by the industry’s people helping people philosophy, credit unions will want to begin using information governance to their advantage as they face competition from fintechs, banks, and the scrutiny of data management and security by regulators and auditors.”

The Alt + F0 founder, who has spent more than 25 years in operations risk mangement, including time at a corporate credit union, said information governance goes beyond outmoded records-administration and holds the key to leveraging future membership growth, risk management, data asset-value and competition within financial services. “We’re at the very early stages of information governance capturing the attention of key decision makers within the credit union industry as we transition into a new year and a new decade,” Martinez-Carey said.

“The traditional ‘records management’ and ‘data management’ seen in our industry over the past several years won’t cut it for addressing credit unions’ increasingly sophisticated compliance needs, regulatory demands, and the urgency to retain members and innovate with the future,” said Martinez-Carey. She noted her company’s LOCK platform, an audit readiness application, is drawing interest from a handful of early credit union adopters including a California institution and a Midwest CUSO. She also said credit unions need to look at how third parties actually secure and manage information.

“When consumers select a credit union, they opt for a more customer-friendly model,” Bin said. He pointed out that in doing so, they entrust the institution with their personal information and financial details. For a credit union, the presence of member-sensitive information requires adherence to data privacy laws and regulations such as the Fair Credit Reporting Act, the California Consumer Privacy Act and even GDPR.

“The core tenant is that privacy is a fundamental right,” Bin said, adding under a regulation such as the CCPA, a member has the following rights:

Right to know: You must tell a consumer what personal information you collect before or as you collect it.

Right to correct: You must provide a consumer the ability to manipulate their data and set preferences on data use, including the ability to request deletion of personal information.

Right to object: You must give consumers control over their data’s processing including the ability to object to the sale of information to a third party.

“Financial institutions and credit unions should be concerned with information governance as it is a strategy for managing information throughout its lifecycle. Information governance is especially critical for financial institutions and credit unions due to the sensitive customer data that they are entrusted with securing and managing,” Chris Hertz, chief risk officer for cybersecurity firm DivvyCloud, which allows customers to automate governance of their cloud and container infrastructure, said.

Hertz added consumers trust financial organizations to maintain every detailed record about them, and information governance offers leverage in tandem with an automated security strategy. “Part of this trust requires these companies have strong security, and the lack of information governance means that financial institutions and credit unions are not adequately securing this data.”

He also suggested when an organization steps into the cloud, it must understand that its approach to information governance and security must change. “Data breaches occur because companies do not take information governance seriously, or because they lack the necessary supporting tools.”

Hertz continued, “The scale and scope of the problem with information governance manifests itself in our modern cloud era, and this challenge coupled with securing consumer data can be overwhelming for financial organizations and credit unions to manage unless they deploy automated software to mitigate this risk. The speed and rate of change in the cloud demands that organizations have a broad, holistic approach to information governance with the proper supporting technology.”

Privacy and security are other important aspects of information governance. Credit union leaders also must understand the intricacies of the information management, organizational and access teams that are in place at the credit union. Martinez-Carey suggested when credit unions utilize data extracted from members and send it to third-party solution providers, the financial institution should know if it has third-party vendor risk management in place as well as the data mapping and monitoring of the third party. In addition, following mergers and acquisitions (credit unions merging banks, banks merging credit unions or credit unions merging credit unions), certain documentations and information need preservation, as well as some kinds of audit holds for examiners.

Bin said: “With the increasing list of data privacy laws and regulations recently put into law, information governance is a subject that cannot be ignored.” He added financial organizations must not treat data privacy as a one-department task – instead they must work as a whole to make it part of the organization’s overall culture and break through organizational data silos to ensure compliance is part of the entire institution.

“The reactive, after the fact ‘we are sorry for what happened’ statement has become a too frequent chorus, providing the perfect climate for increasing data privacy regulation. In order to satisfy consumers as well as regulators, organizations must adopt a proactive approach to prevent data privacy lapses with information governance leading the way,” Bin said. He pointed out it is no surprise that beyond the financial and operational impact of data mismanagement, consumers want to transact with companies they trust. He suggested a good way to become a proactive, data-first organization is to examine the steps other credit unions and companies outside the financial industry have adopted.

Martinez-Carey said, “The traditional ‘records management’ and ‘data management’ seen in our industry over the past several years won’t cut it for addressing credit unions’ increasingly sophisticated compliance needs, regulatory demands, and the urgency to retain members and innovate with the future.” She continued, “A new era in banking stands in front of us that requires information governance for credit unions.”

She also noted, “I know that data is a big-ticket item as well as the buzzword, but let us understand what [members] really need. Let us understand, what is it that they are familiar with? Because a lot of credit unions, small as well as a medium-sized, may not have the bandwidth to put this together. We should be able to provide [information governance] holistically and for all types of asset sizes.” She added that requires having a lot of education, training awareness and other adequate tools in place so they may successfully manage and govern documents.