Compliance and the Cloud: our Q&A with OpenText

Chris Hamblin, Editor, London, 12 August 2015

Compliance Matters recently interviewed Lubor Ptacek, the Canadian software giant's vice president of product marketing, about information governance and compliance. Of particular interest is his equivocal answer at the end, when considering the security that cloud vendors offer.

1. Do financial institutions' compliance officers concern themselves with information governance, or is it usually some other department?

One of the major findings from our recent survey of 211 members of the Association for Information and Image Management (AIIM) revealed that 56% of surveyed organisations do not have a Chief Compliance Officer (CCO). This is surprising, given that information governance is definitely something that a compliance officer should be concerned with, especially within a financial institution. For example, unstructured data, such as an Excel spreadsheet that is used for the completion of a deal, is valuable information that has to be kept unaltered for auditing purposes. As a result, it ought to be protected and someone should assume responsibility for this. In most organisations, either the legal department or a Chief Compliance Officer (CCO) manages governance, risk and compliance activities. However, information governance does also concern other departments, such as records management and IT, so they must be involved too.

2. What rules do various financial regulators impose? Can you name some of those rules? (I expect that the FCA ones would be in SYSC, for example, and that they would be quite vague.) Do you know of any in the pipeline?

When it comes to the regulations imposed, there is a lack of consistency and transparency. For example, in the US the Dodd-Frank Act and Consumer Financial Protection Bureau have created multiple and varying rules around information governance. Meanwhile, in the UK, the Prudential Regulatory Authority and Financial Conduct Authority are responsible for managing compliance with the rules surrounding stress testing, Solvency II and client money. Despite the discrepancies that exist between geographic borders and bodies, these regulations all fundamentally require organisations to have a complete set of data on hand to support the accurate calculation of risk or exposure.

3. What fines have financial regulators around the world imposed for bad information governance? Do you know of any more in the pipeline?

In the UK, the Financial Conduct Authority has published a list of the regulatory fines that it has imposed, which totals over £800 million for 2014 alone. However, this is not all due to poor information governance and our survey revealed that the prospect of a financial charge for non-compliance is not what keeps business leaders up at night. Rather, it is the fear of damage to their companies' brands, images and reputations. Reputational risk is twice as big a spur for compliance (according to 44% of respondents) as avoiding fines and penalties (20%). Some 32% of firms in the survey consider “being a good corporate citizen” to be the prime motivation behind GRC. This behaviour can be seen in the groundswell of companies making efforts to ensure that their rules and processes support their corporate social responsibility (CSR) objectives.

In addition, keeping policies and procedures up to date is listed as a bigger challenge (40%) than keeping up with new and changing regulations (26%). This is easy to understand if you consider that most organisations are a patchwork of acquired and adopted policies. Nearly a fifth – 19% – say that their biggest challenge is to do the paperwork to demonstrate compliance. The survey found only 9% of respondents are confident that their policies are up to date. That's not a number anyone should feel comfortable with.

5. How do you define (a) digital governance and (b) data governance?

Data governance (or information governance) is defined as a way to reduce the risks associated with data – including compliance risks, security risks, and litigation risks – while adding value to data by making it more usable. Incorporating capabilities, such as records management for classification and retention, workflow to automate policy development processes, dashboard views and reporting into the policy life-cycle can help provide the controls and rigour needed to manage these regulated documents. “Digital governance” expands the definition of data governance beyond the information itself to all the experiences, transactions, and business processes the data is used for.

6. Is the storage of data in the cloud more secure from hackers/crackers than the storage of data on your computer?

Security levels when storing data depend highly on the vendor. Cloud vendors running large-scale operations have the advantage of economies of scale, which also means that they can invest more into their security measures – from software to physical security (including background checks, employee training, and even armed guards for their data centres). Often, cloud vendors also have more at stake – if their 'solution' is not secure, they can lose their entire business. At the same time, the cloud vendors usually represent a bigger and more lucrative target than the average company.