At Apiax, we carry out a lot of primary research among financial institutions to get to the heart of their compliance pain points and ambitions. Very often we surface insights you won’t find elsewhere.
Regional differences are a particularly interesting lens to look through, and this has never been truer than with our recent Data Protection Study comparing APAC and Europe.
We set out to discover how financial institutions are coping with these incredibly complex data protection regulations and which factors are shaping their compliance strategies on data protection. What emerged was a very different picture east versus west.
Those well versed in this area will know that although all eyes have been on the tough regulations coming out of Europe, APAC is in many ways the far more challenging region. By virtue of the EU’s 2018 General Data Protection Regulation, at least 27 countries (plus the UK) have largely homogenous regimes. The situation across APAC is labyrinthine, to say the least, and this colours the compliance challenge and the solutions being adopted to a very great extent.
Conflicting, complex regimes in data protection regulations
Due to all the conflicting regimes across the region, a massive 70% of data protection professionals in APAC said transferring personal data to other jurisdictions was their biggest challenge (versus 27% in Europe). Yet this is as unavoidable as it is challenging considering how geared towards cross-border business—and how fiercely competitive—APAC’s hubs are.
It often surprises those in the west to learn just how fierce the region’s data protection regimes are too. On regulation and enforcement, Malaysia, Japan, New Zealand and Taiwan are deemed “robust” by legal experts, while Singapore, China, Hong Kong, Japan, Australia and South Korea are outright “heavy”. And, while the EU’s GDPR is at least largely stable (last year’s bombshell Schrems II ruling notwithstanding), APAC represents both complexity and constant change.
It is typical for APAC countries to lack a single comprehensive data protection law, leaving Data Protection Officers to puzzle out a mass of legal instruments for which updates come thick and fast. This year and next will have brought major changes for Japan, Singapore, Thailand and the Philippines, to name a few.
An innovation imperative for data protection regulations
Necessity being the mother of invention, these complexities have clearly opened minds to innovative solutions for data protection compliance in APAC. Whereas institutions in Europe predominantly call on external legal counsel for legal opinions (46%), for instance, those in APAC look primarily to alternative types of content providers (36%). We can guess that when the questions come so thick and fast, constantly calling on lawyers can get very expensive.
As with other areas of compliance, keeping abreast of rules and updates is a big challenge, but disseminating them through the organisation is an even bigger one. This is very likely why institutions in APAC are ahead in obtaining regulatory information in digital format (40% against 33% in Europe) as opposed to static texts which are difficult to translate into usable guidance for the “lay” workforce, let alone readily understood rules.
Contrasts in data protection specialist headcount
Differences in regional hiring trends strongly correspond here. In APAC, 66% of participants reported that their data protection-related headcount has either remained the same or fallen over the past year, and only a tiny 6% expect their team to grow next year. The picture is completely different in Europe, where 47% will be making data protection hires in the coming 12 months.
It is difficult to say whether APAC firms are hiring fewer data protection specialists because they are going digital to a greater extent, or if a lack of such professionals is forcing them to put more faith in technology. The reason could even be that they were better prepared and have hired more experts than the EU, slowing down hiring. Data protection expertise is certainly highly sought after, and expensive, the world over.
The median salary for data privacy professionals globally is US$123,000/S$163,000, or very much higher if the individual is a lawyer too. Compensation levels are also notoriously high in Hong Kong and Singapore (where our respondents were based).
Whichever way around things are playing out, the resulting efficiency savings will be the same for financial institutions at the digital vanguard. Profitability remains under increasing pressure, so these savings are naturally of utmost importance to both cohorts: efficiency is the top driver towards digital solutions for APAC institutions (58%), followed by cost control (25%), with 68% and 32% of respondents respectively saying the same in Europe.
Again, however, what is really interesting is the regional differences in evidence: despite the importance of operational efficiency, a full 17% of APAC respondents cited urgency for innovation and digitisation as their biggest motivator of all (against virtually none in Europe). In turn, this need for speed also explains why 25% of firms in APAC have avoided building their own solution and have turned to an external provider to digitise data protection requirements, against just 8% in Europe.
The heat is on data protection regulations
The push and pull factors here are clear. While wealth management is a hotly contested sector all over the world, nowhere is the heat felt as much as in APAC. With disruptors all around, no firm can afford not to be fully leveraging client data to hyper-customise services and market them with laser-like effectiveness.
Barring compliance concerns, there is no reason not to: 71% of HNWIs are willing to share personal data with their wealth manager in exchange for more personalised services – that’s a higher proportion than are willing to share with doctors, retailers, technology firms and media platforms.
At the same time, it is well accepted that with far less legacy system (and cultural) baggage to contend with, APAC institutions are far more open to bringing specialist providers in to help them gain an edge. They recognise there is no particular virtue, and almost certainly no financial gain, in building from scratch.
And the gains from centralising data protection regulations around an embedded compliance solution are arguably even greater than with any other area of regulation. Free from very real worries that activities are non-compliant and are opening them up to huge censure (and fines), firms can get on with making client data revenue generative – rather than a source of risk.
That is undoubtedly where financial institutions should be with data protection compliance. And our research seems to strongly indicate that those in APAC are going to get there first.