As part of the ongoing CBDF research project on data localization, this post examines a report issued in December 2020 by the International Regulatory Strategy Group (IRSG) entitled “How the Trend Towards Data Localization is Impacting the Financial Services Sector.” This report provides the most comprehensive analysis we have seen about the nature of data flows in the financial services sector. After reviewing global laws and regulations which limit or prevent cross-border data flows impacting the financial services sector, the IRSG report concludes that data localization is an ineffective tool for supporting the legitimate goals of data security, data privacy, regulatory oversight, support for local markets, and choice for customers.
Key Findings in the IRSG Report
The report offers a number of key findings regarding the negative consequences of data localization. In particular:
- Localization often does not increase security. In some cases, localization may encourage financial institutions to de-centralize security operations and/or shift resources away from information security, which can result in decreased information security. Data localization requirements can lead to data being hosted in “less sophisticated and often therefore more vulnerable local environments” (p. 5).
- Localization can lead to reduced regulatory insight. Effective modern regulatory oversight of financial institutions requires regulators to have a “full picture of the regulated activity when financial products and services are transacted across borders” (p. 6). Hard data localization requirements can obstruct such regulatory oversight. At worst, data localization efforts are actually counter-productive in light of regulatory goals (pp. 14, 62).
- Compliance with localization requirements can increase business costs, leading to reduced local investment. Data localization requirements increase compliance costs (through, e.g., requiring investment in additional local infrastructure or expensive legal advice for compliance with complex rules). These increased costs may both reduce foreign investment and raise costs for local entrepreneurs or innovators in the financial services sector (pp. 6, 10).
- Compliance with localization requirements can increase costs (and reduce services) for consumers. Where businesses do decide to make investments required to comply with data localization regimes, the result may be increased costs passed along to consumers or reduced customer services (as individuals find difficulty accessing “opportunities external to their region”) (pp. 6, 55).
Impact of Data Localization Laws on the Financial Services Industry
The report highlights that data localization requirements impacting financial institutions can arise in a number of ways, including:
- restrictive interpretations of existing law requiring recipient countries to have identical data protection laws as transferring countries (the report authors reference recent legal interpretations from some EU institutions) (p. 13);
- requiring individuals to consent to data transfers, given the practical and/or legal difficulty of obtaining effective consent (e.g., South Korea) (p. 27);
- outright, per se prohibitions on transferring data (citing examples from India, China and Indonesia) (pp. 30-33);
- requirements to maintain local copies of data (with examples from India, Russia) (pp. 35-36); and
- outsourcing restrictions (with examples from Turkey, Luxembourg, and others) (pp. 38-40).
The report makes clear that data localization requirements, however they arise, can have significant impacts on cross-border data flows essential to provide financial services or ensure appropriate supervision of financial institutions. The report assesses how increased data localization could impact data flows which may be practically or legally necessary to support key activities of financial institutions. These data flows include:
- “Know Your Customer” rules and financial crime legislation (p. 26);
- Customer ability to access financial products and services (across jurisdictions) (p. 26);
- Anti-money laundering efforts (p. 29);
- Prevention of financial fraud and cybercrime (pp. 29, 34);
- Credit risk management (p. 34);
- Payments processing (p. 44);
- Money transfer / customer funds access (p. 47);
- Insurance underwriting and claims handling (p. 56);
- Subcontracting to service providers (p. 28); and
- Disaster recovery (p. 40).
The IRSG report makes numerous recommendations that would put in place measures to ensure data is protected and secure but would also allow businesses to share data across borders. Instead of data localization, the IRSG report advocates for mutually recognized data protection principles across jurisdictions which are not based on requiring strictly identical data protection standards. To address the need for regulatory oversight, the report also recommends that regulators focus on access rules (i.e., the regulatory ability to access data) rather than data localization rules (pp. 7, 57-61). The report suggests increased cooperation at the international level (such as focusing on “equivalent” standards for data protection rather than “identical” standards) as well as the use of clauses in trade agreements to remove the barriers created by data localization requirements (pp. 7, 59-61). The IRSG report asserts that these alternative approaches can support legitimate regulatory goals without the negative impacts on consumers or data flows required for the functioning of a global financial economy.
These statements are attributable only to the authors, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.