ComplianceOnline

Malaysia Guidelines on Data Management and MIS Framework – An Overview and Summary of Requirements

  • By: Staff Editor
  • Date: May 01, 2013
Bank Negara Malaysia (BNM) has set out these Guidelines on Data Management and Management Information System (MIS) which outline high level guiding principles on sound data management and MIS practices that should be observed by financial institutions.
 
The Data Management and MIS framework should ensure:
  1. Proper allocation of resources.
  2. Effective planning and coordination across the organization.
  3. Alignment to the organizational strategic objectives.
  4. A corporate culture that reinforces the importance of data integrity.
 
Applicability
These Guidelines are applicable to all institutions licensed under the Banking and Financial Institutions Act 1989 (BAFIA), Islamic Banking Act 1983 (IBA), Insurance Act 1996 (IA) and Takaful Act 1984 (TA), hereinafter referred to as “financial institutions” (FIs).
 
SOUND DATA MANAGEMENT AND MIS PRACTICES
 
Guiding Principles
Principle 1: Financial institutions should develop and implement an effective data management and MIS framework that is aligned with the institution’s business and risk strategies.
 
  • A data management and MIS framework defines the operating framework for meeting an FI’s data and MIS requirements to support its strategic, operational and risk management functions.
  • A data management and MIS framework should set out policies, systems and procedures relating to data governance, data architecture and internal controls and reviews.
  • Responsibilities of the Board include:
  1. Maintaining effective oversight over the framework.
  2. Ensuring that the framework is aligned with the business and risk strategies of the institution.
  3. Providing direction to senior management on broad expectations of the framework.
  4. Approving strategic resource allocations towards data management and MIS enhancement initiatives.
  • Responsibilities of the senior management include:
  1. Designing the data management and MIS framework.
  2. Advising the board on the key features of the framework.
  3. Reviewing the effectiveness of the data management and MIS framework.
  • Data management and MIS framework should undergo independent review by an external party or the internal audit function.
Principle 2: Financial institutions should establish a sound data governance structure that ensures the effective control of data quality.
  • Appropriate governance structures should be established to support a clear accountability framework for the effective implementation of the financial institution’s data management policies and standards.
  • The governance structures should be well integrated across business units, and between business units and the IT functions.
  • Functions responsible for data management should have a formal status at senior management level and appropriate authority to implement approved data management policies and standards in the organization.
  • Specific responsibilities of the functions responsible for the data management and MIS framework include:
    • Identifying the institution’s data needs on an ongoing basis.
    • Ensuring that the institution’s data needs are effectively incorporated in documented data policies and procedures.
    • Translating data quality expectations set by the board into specific goals for significant data systems and owners.
    • Defining the metrics for measuring data quality.
    • Ensuring that data control functions are operating effectively to preserve the integrity of the institution’s data.
    • Monitoring trends.
    • Conducting regular reviews and assessments of its overall operation.
    • Recommending enhancements or corrective measures to senior management.
    • Providing continuous development support, including training, updated user guidelines or manuals, and technical support to users.
  • For larger and more complex institutions, a dedicated data stewardship function should be established.
  • Policies and procedures, including the appropriate approving authority, for effecting changes to data systems should be clearly defined.
  • The deployment of any alternative systems, not aligned to the institution’s approved data architecture, should be subject to specific authorization at an appropriate senior management level.
  • Senior management should establish effective oversight, review and reporting arrangements where data is managed by third party vendors under outsourcing arrangements.
Principle 3: A financial institution’s data management and MIS framework should be supported by a comprehensive data and systems architecture that is appropriate to the scale and complexity of the institution’s operations.
  • A comprehensive data and systems architecture should facilitate the proper integration of data and systems across the institution.
  • It should address the following elements:
    • Standards, guidelines and data definitions for development of systems, data repositories and interfaces, and controls over data flows.
    • Major types and sources of data necessary to support the organization and a description of the systems in place to capture such data.
    • The database technology employed to support the desired data architecture.
    • Administrative structures and protocols for processing and disseminating data throughout the organization.
    • Processes and systems for data repository management.
    • Appropriate data storage and back-up processes.
  • Financial institutions should ensure that the technology employed for their data systems can transmit and integrate data across multiple platforms and systems in an efficient manner.
Principle 4: Financial institutions should maintain adequate data quality at all times. Data quality should be assessed and monitored against the institution’s data policy statements and objectives on an ongoing basis.
  • FIs should put in place measures and controls that ensure the generation of accurate, complete, current and consistent data.
  • Appropriate metrics should be defined for measuring data quality.
  • Processes should be established to support the effective monitoring of data quality on an ongoing basis. This includes:
    • Conduct of data quality assessments at regular intervals.
    • Roles assigned to perform the monitoring functions.
    • Timely reporting on the outcome of data quality assessments to senior management.
    • Scheduled data quality maintenance activities such as data cleansing and data validation.
  • Any systematic deterioration observed in data quality should be fully investigated by senior management.
  • The observations, findings and remedial actions proposed and taken to restore data quality should be reported to the board.
  • The board should promptly inform the BNM of any developments that may have a material bearing on the institution’s operations, risk profile or financial condition.
Principle 5: Financial institutions should maintain effective controls over data security and privacy to preserve a high level of systems and data integrity.
  • FIs should establish adequate preventive and detective controls to ensure that logical and physical access to systems and data is secure and only available to authorized personnel for specific purposes.
  • The controls should be commensurate with the criticality and sensitivity of the relevant systems and data handled.
  • Access rights to systems and data should be clearly defined, documented and segregated to prevent critical data or systems from being compromised.
  • Employees should not have concurrent access to data files residing in, and computer facilities supporting, both the production systems and the backup systems.
  • Persons given access to backup files or system recovery resources should be limited and duly authorized to have access for specific purposes and a specified period only.
  • Any access should be documented and logged for audit purposes.
  • Access to critical data or systems by external parties must be properly authorized.
  • FIs should limit manual data manipulations or changes in the institution’s day-to-day operations to a minimum level.
  • Appropriate safeguards should be put in place to ensure that personal data is not misused or disclosed in a wrongful manner.
  • Financial institutions should obtain the MS ISO/IEC 27001:2007 Information Security Management Systems (ISMS) certification for critical systems, particularly the payment and settlement systems.
Principle 6: The operation of MIS functions should be effective and robust to enable timely access to critical data for decision-making, analysis and control purposes.
  • The MIS functions and processes should provide and disseminate up-to-date information to a wide range of users.
  • The MIS should efficiently and effectively transform data into information that is tailored to the needs of the various users of information within the organization.
  • User requirements should be clearly defined at the outset of the system development stage, and regularly reviewed thereafter to inform subsequent system enhancements.
Implementation Requirements
  • The board should ensure that the principles in these Guidelines are observed on an ongoing basis, in line with the level of sophistication and the needs of the institution.
  • The board should ensure any deficiencies in the institution’s data management and MIS practices are addressed within a reasonable period.

Additional Resources

Read Malaysia's guidelines for data management and MIS frameworks in financial institutions in full here.