This article originally appeared on the BeyeNETWORK
The views expressed in this paper are those of the authors and do not represent policies or positions of the Office of Federal Housing Enterprise Oversight (OFHEO) or other offices, agencies, or instrumentalities of the United States Government.
Just as W. Edwards Deming helped the automobile industry realize the value of building quality into the manufacturing process, companies are becoming more aware than ever of the value of quality data. Financial institutions working to mine their vast customer data stores in search of marketing and cross-selling opportunities have come to understand that data quality is an asset that can be used to improve profits. Federal regulators, on the other hand, have traditionally limited their interest in a regulated business’s data quality to their financial and regulatory filings. As attention to data quality has increased, regulators’ interests are shifting to a more comprehensive view of an institution’s data quality.1 This article’s intent is to explore this more complete view of data quality and begin to lay out a framework for evaluating data quality at regulated institutions.2 We start with a brief overview of the role of the financial regulator.
Safety and Soundness Regulators
There are over 100 agencies at the Federal level alone that have regulatory powers under law.3 The focus of this article will be on banking and financial regulators. As shown in Table 1, eight major federal financial regulators are charged with ensuring the “safety and soundness” of almost 17,000 institutions with nearly $19 trillion in assets and guarantees.
Table 1: Major Federal Financial Safety & Soundness Regulators
The Office of Federal Housing Enterprise Oversight (OFHEO), as with many other banking regulators, is charged with “ensuring the safety and soundness” of the regulated institutions. That is, its mission is to ensure that Freddie Mac and Fannie Mae, government-sponsored enterprises (GSEs) with nearly $5 trillion in mortgage assets and guarantees, are “among other things, adequately capitalized, and operating safely.” To this end, OFHEO has set forth “minimum supervisory requirements used by the agency in reviewing and ensuring the adequacy of policies and procedures of the Enterprise…”4
Although these minimum requirements cover many different areas, two are directly relevant to data quality and drive much of OFHEO’s data quality work.5 First, the Enterprises must “establish and implement policies and procedures to ensure that … data are… reliable, accurate and available at all times as needed for its business operations…”6 Second, the Enterprises are required to have policies and procedures for generating reports and documents that provide their Boards of Directors and managers with “all the relevant information of an appropriate level of detail as necessary” to oversee and manage the business.7
The following set of principles to guide an approach to data quality evaluation is proposed:
Build on Institution’s Work
Build on the data quality work already being done by the institution. By making use of existing reports, reviews, and internal and external audits, etc., we can avoid duplication of efforts, focus our very limited resources on issues directly impacting safety and soundness, and at the same time reduce the burden we impose on the institution. This, of course, does not relieve the examiner of the responsibility for testing and validating the reports we use to ensure that they can be relied upon, but it does help conserve resources.
In order to maximize the return on limited examination resources, our program needs to focus on the parts of the institution’s program that provide the greatest “bang for the buck.” That is, on areas where weaknesses can have a multiplicative effect on the institution’s overall data quality, such as in data management policies and procedures, master reference data, robustness of the data stewardship function, data quality metrics and reports, etc. Direct testing of data quality should be limited to elements critical to safety and soundness.
Define Data from Repositories to Management Reports
It is important that the quality of the data in a financial institution’s repositories be sufficient to allow safe and sound operation. But that is not enough. Data is followed from repositories through all manipulations and uses – management reports, inputs to and outputs from financial models, inputs to financial statements, etc. – to confirm that the data is “fit for all uses intended.”
Identify Issues, but Leave Approach to Issue Resolution up to the Institution
A data quality examination has no effect on safety and soundness if the findings are not acted upon by the institution. For example, if during an examination it is determined that employees have entered incorrect data elements into important management reports because metadata are not well developed, we will direct the institution to correct the problem. We will not, however, direct them to use a particular methodology, technology or approach.
Ensure Safety and Soundness, Don’t Manage the Business
The mission of the regulator is to ensure the safety and soundness of the regulated institution; it is not to run their business. That is, we…
…seek to identify the ends that proper operational and management policies and procedures are to achieve, while leaving the means to be devised by each Enterprise as it designs and implements its own policies and procedures.8
Therefore, our data quality focus is geared toward issues that impact the safe and sound operation of the institution. The concern is that data quality is at a level that limits the chance of a data error resulting in financial problems significant enough to threaten the institution’s solvency. Whether the institution is maximizing the value of its data asset or not is outside of our mission.
Treat All Institutions Equally
Different types of institutions may require different approaches to evaluating safety and soundness just as long as institutions are held to the same standards as their peers. For example, a fifty million dollar community bank differs considerably from a fifty billion dollar large bank. The evaluation of data quality programs will be consistent across examiners and similar types of institutions. From a regulatory perspective, reviewing data quality trends at a particular institution will only be meaningful if it is believed that the ratings are consistent across time. Thus, the program developed must be standardized, clear and simple enough to execute within the available time frame and yet sophisticated enough to capture critical data problems.
Federal safety and soundness regulators are only now beginning to look at data quality at regulated institutions in a more comprehensive and detailed manner. Having safety and soundness as the goal of the data quality review means that our data quality programs will differ from those adopted by the institutions themselves. In developing them, we need to contend with some very significant constraints and make sure that we are guided by the key principles outlined in this article. The effort is only now gathering strength, and we hope to engage all interested parties in a discussion that can help shape an approach to data quality education that satisfies these principles.
- The Basel II accord, for example, is very prescriptive about the manner in which data for capital models is to be obtained, cleansed, stored and used.
- Another area where financial regulators may be able to help financial institutions improve the quality of their data is by actively encouraging the adoption of industry data standards such as the mortgage industry’s MISMO (Mortgage Industry Standardization Maintenance Organization) initiative. (See www.mismo.org/.) This, however, is a topic for a future article.
- Federal Regulatory Directory, (12th edition, December 2005)
- Department of Housing and Urban Development, Office of Federal Housing Enterprise Oversight, “Safety and Soundness Regulation,” Federal Register, 67 (30 August 2002): 55693.
- Other data-related requirements which we are not reviewing in this article include data security, business continuity and regulatory reporting.
- “Safety and Soundness Regulation,” Federal Register, 55695.
- “Safety and Soundness Regulation,” Federal Register, 55694.