Posted: 29 Jun. 2022 10 min. read

APRA’s Data Collections Roadmap

Where regulatory reporting meets business data strategy. Are you ready?

On 31 March 2022, APRA released its Discussion Paper on the Direction for Data Collections which sets out APRA's changing approach to data collection, the rationale for these changes and an outline of the implementation roadmap.  Although these changes are expected to lead to longer term benefits in terms of consistent data requests, standardisation of data collections, and a reduced need for ad hoc data requests, this transition will also be a significant undertaking and, in many cases, require substantial short to medium term investments in data, regulatory reporting and analysis capabilities.

Common data collection challenges across the Financial Services industry

In our view, although there are substantial benefits to be realised from implementation of the roadmap, the reforms cannot be achieved quickly or easily. Many Financial Services Institutions (FSIs) will face challenges in moving beyond legacy solutions and data limitations. Many of the changes required will be cultural as well as technical, with sustained investment needed over a period of time to make the improvements necessary. We see the challenges manifesting in several ways:

Poor data and technology infrastructure

Some FSIs struggle with collating all the data necessary for regulatory reporting, particularly where the data differs from that used in management or financial reporting.  This can be the result of several factors, including historic under-investment in regulatory reporting and/or adoption of tactical solutions that are never actually replaced by strategic systems upgrades.

Inconsistent governance and ineffective controls

Governance of regulatory reporting is often separate from the governance of financial reporting, and the control framework can be designed and held to a different, often lower, standard. 

Lack of resourcing and inconsistent or inappropriate regulatory interpretations

Regulatory reporting is complicated.  Reporting standards and guidelines run to dozens of documents. The requirements can regularly change, and in many FSIs, the pool of individuals with deep knowledge of both the regulatory requirements and how to complete reports given data and systems constraints is shallow.

Cross-industry considerations for responding to the Data Collections Roadmap

In our view, whilst the practical requirements and expectations in the industry roadmaps will be worked through with FSIs over time, the rollout of the Data Collections Roadmap should be accompanied by the codification of CPG 235 – Managing data risk as a prudential standard (CPS 235) in a similar timeframe.  This will support the consistent and sustained investment in underlying data and reporting capability required to deliver on the roadmap.

Below we have set out the five key areas where we expect capability uplift to be required to deliver high quality regulatory data collections:

1.  A robust governance structure

The Financial Services industry’s journey toward richer and deeper data collections is already underway. The first step of this transformative journey is cultural change and disciplined end-to-end change management that aligns to a strategic architecture and regulatory data strategy. That is, acceptance that regulatory and financial reporting is an enterprise-wide activity, with accountability by senior management across business lines and corporate functions such as finance, operations, and risk. This differs from the traditional approach where source data is managed in siloes in each business line.

2.  Data and technology infrastructure investments

Strategic transformation of data and reporting infrastructure are major investments that have long runways. In our experience, the level of effort needed often ranges from three to five years. The scale and cost of infrastructure investment is driven by the size and complexity of each FSI, taking into account legacy of system integration, history of mergers and acquisitions and implementation of “regulatory reporting software” compared to other automation capabilities.

As APRA transitions to digital submissions of data collections with APRA Connect, a greater level of standardisation in how data is collected, represented, what it means and the relationships between data elements will be required.  This includes commonly agreed definitions for all data elements across the data collections as well as the establishment of common data models that are defined and agreed with industry.  For example, if collecting data on customers, then a definition of what a customer entity is would be necessary. Similarly for other concepts such as products, services, and arrangements.

3.  Data quality and assurance

An effective data quality and assurance program that is risk-based and integrated with accountability frameworks is typically built on five components:

  • Qualitative business rules which establish expectations for required levels of data quality
  • Reconciliations and controls across the end-to-end reporting value chain
  • Source data and/or transaction testing
  • Quantitative analysis of variations and anomalies
  • A connection into established issue management and funding processes

4.  Change management

The complexity and rate of change to regulatory reporting makes change management a critical competency for regulatory and financial reporting organisations within FSIs. Regulatory change processes should evaluate changes across regulatory agencies and legal entities, including financial, risk, product/transaction, and market information. In addition to external factors, internal activities from new product development, system implementation, changes to the legal entity structure, and internal policy changes must be incorporated into the change management process.

5.  Human capital

Typically, FSIs are realising that the skillsets historically used to prepare regulatory reports are no longer enough as the industry pivots to richer and deeper data collections. In our experience, buying these skills is not always a realistic option as the high demand for skilled people in this area in the current economic environment is not matched by supply leading to a shortage of suitably competent resources. This presents opportunities to re-focus data and regulatory reporting teams and ensure second and third-line functions have the skills and resources to challenge regulatory reporting functions, processes, interpretations, and outputs.

Key questions for your organisation

1. Does your regulatory data strategy and technology architecture set you up to maximise the business benefits expected to be realised over the longer term as a result of the pivot to richer and deeper regulatory data collections?

2. Is your data risk management framework and approach fit-for-purpose?  How will it support timely investment in the critical capabilities required such as change management, strategic data sourcing and building trust in source data?

3. How to reimagine the regulatory reporting operating model across the first, second and third lines to refocus accountabilities and respond to the need for new types of skills and capabilities?

More about our authors

Chris Topple

Chris Topple

Principal, Risk Advisory

Chris is a Principal in the Deloitte Risk Advisory team with more than 15 years’ experience leading data-driven risk and regulatory strategy, enablement and assurance programs across financial services. Chris has worked with clients across Australia, New Zealand, Europe and the United Kingdom in a range of scenarios including large scale business transformation, risk and regulatory change, due diligence, mergers and separations. Chris is passionate about enabling business and customer outcomes as the result of the convergence of data, people and technology. His focus areas include data strategy, management and governance, risk data and analytics, digital risk, data regulation and risk and regulatory reporting.  

Mike Szalinski

Mike Szalinski

Principal, Data Risk and Technology

Mike is a leader in Risk Technology with over 20 years of consulting and IT delivery experience within top tier businesses. He has led transformations in response to emerging needs using Agile, Cloud platforms and DevOps and has a strong industry grounding in banking, telco and retail. Mike is a Principal in Risk Advisory, specialising in Data Risk and the application of technology to improve Risk outcomes. His focus is to help businesses to transform their Risk Management functions by: Supporting organisations towards cloud adoption Improving their data-driven decision making Making greater/better use of data management, data governance, analytics, reporting and operations Supporting organisations towards more efficient and streamlined use of technology to enable sustainable compliance

Simon Crisp

Simon Crisp

Partner, Risk Advisory

Simon is a Partner in Deloitte’s Data Risk and Compliance Analytics team and specialist data and automation leader. Simon has over 20 years’ experience both in operational and consulting data and analytics roles. Simon has an innovative style and is passionate about leveraging data insights and analytics to help businesses and risk functions to drive maximum from their data and to enable effective decision-making. Focus areas include; data and analytics strategy, digital risk, big data, robotic and cognitive process automation (RPA), cognitive engagement, CoE design and operating model development, information management, data governance and business intelligence.